[House Hearing, 112 Congress]
[From the U.S. Government Printing Office]
IS TSA'S PLANNED PURCHASE OF CAT/BPSS A WISE USE OF TAXPAYER DOLLARS?
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TRANSPORTATION SECURITY
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED TWELFTH CONGRESS
SECOND SESSION
__________
JUNE 19, 2012
__________
Serial No. 112-99
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC] [TIFF OMITTED] CONGRESS.#13
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
U.S. GOVERNMENT PRINTING OFFICE
79-506 WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
COMMITTEE ON HOMELAND SECURITY
Peter T. King, New York, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Daniel E. Lungren, California Loretta Sanchez, California
Mike Rogers, Alabama Sheila Jackson Lee, Texas
Michael T. McCaul, Texas Henry Cuellar, Texas
Gus M. Bilirakis, Florida Yvette D. Clarke, New York
Paul C. Broun, Georgia Laura Richardson, California
Candice S. Miller, Michigan Danny K. Davis, Illinois
Tim Walberg, Michigan Brian Higgins, New York
Chip Cravaack, Minnesota Cedric L. Richmond, Louisiana
Joe Walsh, Illinois Hansen Clarke, Michigan
Patrick Meehan, Pennsylvania William R. Keating, Massachusetts
Ben Quayle, Arizona Kathleen C. Hochul, New York
Scott Rigell, Virginia Janice Hahn, California
Billy Long, Missouri Vacancy
Jeff Duncan, South Carolina
Tom Marino, Pennsylvania
Blake Farenthold, Texas
Robert L. Turner, New York
Michael J. Russell, Staff Director/Chief Counsel
Kerry Ann Watkins, Senior Policy Director
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
------
SUBCOMMITTEE ON TRANSPORTATION SECURITY
Mike Rogers, Alabama, Chairman
Daniel E. Lungren, California Sheila Jackson Lee, Texas
Tim Walberg, Michigan Danny K. Davis, Illinois
Chip Cravaack, Minnesota Cedric L. Richmond, Louisiana
Joe Walsh, Illinois, Vice Chair Vacancy
Robert L. Turner, New York Bennie G. Thompson, Mississippi
Peter T. King, New York (Ex (Ex Officio)
Officio)
Amanda Parikh, Staff Director
Natalie Nixon, Deputy Chief Clerk
Vacant, Minority Subcommittee Lead
C O N T E N T S
----------
Page
Statements
The Honorable Mike Rogers, a Representative in Congress From the
State of Alabama, and Chairman, Subcommittee on Transportation
Security....................................................... 1
The Honorable Sheila Jackson Lee, a Representative in Congress
From the State of Texas, and Ranking Member, Subcommittee on
Transportation Security........................................ 15
Witnesses
Mr. Kelly Hoggan, Assistant Administrator, Office Of Security
Capabilities, Transportation Security Administration:
Oral Statement................................................. 4
Prepared Statement............................................. 6
Mr. Stephen M. Lord, Director, Homeland Security and Justice
Issues, Government Accountability Office:
Oral Statement................................................. 9
Prepared Statement............................................. 11
For the Record
The Honorable Mike Rogers, a Representative in Congress From the
State of Alabama, and Chairman, Subcommittee on Transportation
Security:
Letter to John S. Pistole...................................... 2
IS TSA'S PLANNED PURCHASE OF CAT/BPSS A WISE USE OF TAXPAYER DOLLARS?
----------
Tuesday, June 19, 2012
U.S. House of Representatives,
Subcommittee on Transportation Security,
Committee on Homeland Security,
Washington, DC.
The subcommittee met, pursuant to call, at 2:17 p.m., in
Room 311, Cannon House Office Building, Hon. Mike Rogers
[Chairman of the subcommittee] presiding.
Present: Representatives Rogers, Walberg, Cravaack, and
Jackson Lee.
Mr. Rogers. This Committee on Homeland Security,
Subcommittee on Transportation Security will come to order. The
subcommittee is meeting today to examine whether TSA's
Credential Authentication Technology Boarding Pass Screening--
or Scanning System, commonly referred to as CAT/BPSS, is a
smart use of taxpayer's funds.
I want to thank our witnesses for being here today, and I
appreciate your time and energy in preparing for today's
hearing. I know it takes a lot of time and commitment, and I
appreciate that. We look forward to your testimony.
TSA has plans to purchase Credential Authentication
Technology Boarding Pass Scanning Systems, commonly referred to
as CAT/BPSS. You will hear me refer to it as the new technology
because it is easier to say than CAT/BPSS.
Eventually, the idea is to have this technology replace
today's manual travel document checking process with an
automated process. While the technology may assist screeners in
detecting fake IDs and boarding passes, TSA has not addressed
several fundamental weaknesses in the technology that could
render it ineffective.
As TSA attempts to rebrand itself as a threat-driven
agency, CAT/BPSS sticks out like a sore thumb. Here are three
of the problems we have identified with this looming purchase:
CAT/BPSS is not integrated into TSA's other security layers,
such as the terrorist watch list. No. 2, the costs of CAT/BPSS
have grown exponentially since TSA first started looking at
this. According to TSA figures, acquisition went from $35
million to $115 million, and projected life-cycle costs went
from $83 million to $150 million. Finally, TSA plans to
purchase over 1,000 of these units over a span of a few months.
That does not appear to be a risk-based approach. For those who
don't know, TSA already has a lot of extra equipment sitting in
storage. Mr. Hoggan, we don't need any more.
This hearing will provide an important opportunity to hear
more about TSA's plans for CAT/BPSS and examine whether the
technology makes us more secure and is a wise use of taxpayer's
dollars. Last week, I sent Administrator Pistole a letter
expressing my concerns with the technology. If there is no
objection, I want to insert that into the record at this time.
So ordered.
[The information follows:]
Letter From Chairman Mike Rogers to John S. Pistole
June 11, 2012.
Honorable John S. Pistole,
Administrator, Transportation Security Administration, 601 South 12th
Street, Arlington, VA 20598.
Dear Administrator Pistole: I am writing to express my concerns
regarding the TSA's plans to purchase and deploy Credential
Authentication Technology/Boarding Pass Scanning Systems (CAT/BPSS).
While CAT/BPSS may assist Transportation Security Officers in detecting
fraudulent or invalid IDs and boarding passes, there are a number of
weaknesses with this technology that call into question the benefit of
deploying up to 1,400 units. On May 30, 2012, I appreciated the
opportunity for my staff and I to receive a briefing and demonstration
of CAT/BPSS at the TSA's Systems Integration Facility (TSIF). However,
our discussion with the CAT/BPSS program team further reinforced our
concerns, as outlined below.
As you know, the Subcommittee on Transportation Security has held a
number of hearings on technology procurement reform at TSA. While we
are beginning to see some improvements, including greater transparency
with industry, I am concerned that CAT/BPSS falls short in the area of
requirements generation and collaboration with the Science and
Technology (S&T) Directorate. It appears that the development and
deployment of CAT/BPSS technology lacks two critical considerations:
(1) A thorough risk analysis of the threat scenarios that the
technology addresses and its associated cost-benefit, and (2) the
necessary system requirements to achieve risk-based operational
success.
I commend TSA's emphasis to move towards a more risk-based approach
to airport security, so I am puzzled by the apparent lack of risk and
cost-benefit analyses for the CAT/BPSS technology. My staff and I have
requested several times that TSA provide us an analysis of the
projected costs for the CAT/BPSS units, especially given that there is
a planned large-scale acquisition as early as 5 months from now. TSA
has provided neither cost projections nor cost threshold requirements
for the technology. Secondly, while the technology is claimed to be
part of a layered approach to airport security screening, we have not
seen any risk analysis that supports the role of this technology in the
overall security architecture. Specifically, the technology only
detects potentially fraudulent documents, and does little or nothing to
link these potentially fraudulent documents to terrorist-related
threats. CAT/BPSS provides no interconnectivity to other Government
threat databases, provides no protection against falsification of IDs
at the issuing source, and provides limited assurance that damaged or
misprinted, but valid IDs (or boarding passes) can be correctly
processed by the system.
I also commend TSA for its use of systems engineering principles in
developing a set of operational requirements for the CAT/BPSS
technology. However, I remain deeply concerned, due to the lack of
risk-based analyses, that some key requirements have been excluded.
Examples of missing requirements that have been observed include:
No requirement for interconnectivity to other security
systems within or external to the TSA system architecture.
No requirement for false alarm rates. Since only detection
rates and throughput rates are specified, the ``threshold
settings'' will likely be set to such a low rate that potential
threats will pass through undetected.
No requirement for human factors. How do we avoid false
confidence by the TSOs as they see repeated readings of
``PASS'' by the automated screens? How do we ensure that the
technology does not distract from the TSOs' ability to observe
passengers for behavioral cues?
No requirement for phasing in the technology, based on risk
and effectiveness. The acquisition plans call for a bulk
procurement of 1,400 CAT/BPSS units for deployment at 50% of
all lanes at all airports. Based on prior TSA technology
experiences, it would seem that a more phased, risk-based
procurement and implementation would be prudent.
As you are aware, I intend to hold a hearing on CAT/BP8S next week.
This hearing will provide TSA the opportunity to clarify the issues and
offer solutions for a path forward. In preparation for this hearing, I
request that TSA provide the following information by June 15, 2012:
Projected costs of CAT/BPSS, including per-limit costs and
projected life-cycle costs.
Requirements documents for CAT/BPSS.
Risk analyses conducted on CAT/BPSS, including quantitative
assessments of the terrorist-based threats that CAT/BPSS will
address, and its role in the overall TSA security system
architecture.
Delineation of the ways in which the S&T Directorate has
been engaged and what its expert feedback has been. At my visit
to the TSIF on May 30, 2012, the CAT/BPSS program team affirmed
there was some level of collaboration with S&T. Since that
time, the S&T Directorate has denied having a role in CAT/BPSS
development.
Thank you for your prompt and personal attention to this matter. I
appreciate your continuing efforts to secure the Nation's
transportation systems and look forward to working with you to improve
TSA's performance in carrying out its critical mission.
Sincerely,
Mike Rogers,
Chairman, Subcommittee on Transportation Security.
Mr. Rogers. Mr. Hoggan, while you are very new to this
position, this subcommittee has held a number of hearings on
technology procurement reform at TSA in which we identified a
long list of procurement problems and heard testimony from your
predecessor on the subject.
While we are beginning to see some general improvements, I
am concerned that CAT/BPSS falls into the same familiar pattern
of TSA procurement and completely misses the mark. At this
point, I think CAT/BPSS is a Band-aid measure to solving a
complex problem.
The travel document checker can't perform the way we want
it to--want him or her to do, so instead of revising training
standards, the management protocols and operational procedures,
TSA is looking for a quick fix. While an automated process
makes sense, TSA has not addressed flaws that plague the
technology, and more importantly, TSA checkpoints operation--
checkpoint operations as a whole.
Today, I expect concrete answers about the benefits and
gaps associated with CAT/BPSS and exactly what changed your
mind about it. Based on the information the committee received
late on Friday, you have decide to postpone procurement of this
technology until next year. I am encouraged by that news, but I
can assure that our oversight of this program and other
acquisitions will continue to be robust.
With that, I would ordinarily now turn to my Ranking
Member, Sheila Jackson Lee of Texas. She is involved in another
committee and will be here shortly, and we will pause when she
arrives to recognize her for an opening statement.
Now we are pleased to recognize our witnesses. By the way,
the other committee Members are reminded they can submit their
statements for the record. We are pleased to have two
distinguished witnesses before us today on this important
topic. Let me remind each of the witnesses that their entire
written statements will be submitted for the record.
Our first witness, Mr. Kelly Hoggan, currently serves as an
assistant administrator for the Office of Security Capabilities
at TSA, a position he assumed this past March. I think it was
April, wasn't it? April?
Mr. Hoggan. April 8.
Mr. Rogers. April 8. In this position, Mr. Hoggan is
responsible for the implementation and development of security
technologies across multiple modes of transportation. Mr.
Hoggan joined TSA in 2004 and has served in numerous leadership
positions, most recently as the regional director for the
Office of Global Strategies based in Singapore, where he was
responsible for overseeing TSA's regional tactical operations.
Mr. Hoggan is also served as the deputy administrative--
assistant administrator for the Office of Global Strategies and
a deputy assistant administrator for the Office of Security
Operations. The Chairman now recognizes Mr. Hoggan for 5
minutes for your own opening statement.
STATEMENT OF KELLY HOGGAN, ASSISTANT ADMINISTRATOR, OFFICE OF
SECURITY CAPABILITIES, TRANSPORTATION SECURITY ADMINISTRATION
Mr. Hoggan. Thank you, Chairman Rogers and distinguished
Members of the subcommittee. Thank you for the opportunity to
testify about the Transportation Security Administration's use
of technology to support a layered approach to securing the
Nation's transportation system, while ensuring freedom of
movement for people and commerce.
TSA's workforce responsibilities include security screening
of passengers and baggage at more than 450 airports in the
United States, facilitating air travel for 1.8 million people
per day. We also vet more than 14 million passenger
reservations, 13 million transportation workers against a
terrorist watch list every week.
One way in which our security approach continues evolving
is by investing in innovative technologies and pursuing
initiatives that further standardize and integrate equipment. I
appreciate the opportunity to discuss with the subcommittee
TSA's efforts to strengthen our multi-layered security system
through technology innovation.
As you know, last fall TSA began developing a strategy for
enhanced use of intelligence to help implement a risk-based
approach to transportation security. Our objective is to
mitigate risk in a way that effectively balances security
measures with privacy, civil rights, and civil liberty
concerns.
Through various risk-based security, or RBS, initiatives,
TSA is moving away from a one-size-fits-all security model and
close to its goal of providing the most effective
transportation security in the most efficient way possible.
Perhaps the most widely-known enhancement we are putting in
place is TSA PreCheck, which, like other RBS initiatives,
leverages our advancements in technology.
For example, we are able to leverage our secure-flight
technology in a manner that identifies lower risk passengers
and distinguishing them in a checkpoint through barcodes on
their boarding passes.
Another initiative we are currently testing in a handful of
airports is a credential authentication technology boarding
pass scanning system, or CAT/BPSS, to provide TSO's with an
effective tool to quickly detect fraudulent and altered
documents.
This equipment automatically and currently verifies
passenger boarding passes and IDs as they are presented to TSA
during the security checkpoint screening process.
Using CAT/BPSS, TSA can verify the authenticity of a
passenger's ID by comparing the format and security features of
a passenger's against a known set of security features for that
particular identity credential type.
Most legitimate forms of identification issued today
includes some forms of encoded data that is written into the
credential by the issuing authority in one or more widely-
accepted formats. The most common form of formats include one-
and two-dimensional bar codes, magnetic strips, embedded
circuits, machine readable text.
The formatted security features set for each credential
type were provided to the TSA by the credential issuers so that
TSA can compare the security features on the passenger ID with
the security features provided by the credential issuer.
TSA is currently conducting CAT/BPSS technology pilots in
San Juan, Houston Air Continental and Dulles Washington
Airports. During the process, TSA is evaluating the throughput
as well as determining the overall operational availability of
the various solutions.
If testing proves successful, CAT/BPSS units could replace
Travel Document Checker podiums in the entrance of airport
security checkpoints and the current manual lights and loupes
process for boarding pass authentication.
TSA is also in the process of upgrading currently deployed
AT X-ray systems as well as deploying next generation AT2
systems. This technology is used to screen carry-on luggage at
security checkpoints in addition to other upgrades to
streamline the baggage check process.
Next generation A2X-Ray units featured enhanced explosive
detection capabilities to help our officers detect new threats.
There are currently more than 1,400 AT units at 125 airports
with additional deployments for the remainder of the calendar
year 2012.
We are working close with DHS S&T and our qualified vendor
list to assess the AT2 system's capability to detect liquid,
aerosols, and gels, commonly known as LAGs, which could
expedite the secondary bag search process.
Bottle liquid scanners, or BLS, security screening systems
are used to detect potential liquids or gels threats while
differentiating between liquid explosives and common benign
liquids such as baby formula and insulin.
Next-generation BLS systems have the ability to detect a
wider range of explosive material and use light waves to screen
sealed containers for explosive liquids.
TSA recently deployed an additional 500 next-generation BLS
units to airports Nation-wide and now is a total of 1,200 at
350 airports. Going forward, TSA will continue its efforts to
strengthen this multi-layer security system through
technological advances.
Chairman Rogers, thank you, once again, for the opportunity
for today.
[The statement of Mr. Hoggan follows:]
Prepared Statement of Kelly Hoggan
June 19, 2012
Good afternoon Chairman Rogers, Ranking Member Jackson Lee, and
distinguished Members of the subcommittee. Thank you for the
opportunity to testify today about the Transportation Security
Administration's (TSA) use of technology to support our layered
approach to securing the Nation's transportation systems while ensuring
freedom of movement for people and commerce. TSA employs risk-based,
intelligence-driven measures to deter and prevent terrorist attacks and
to reduce vulnerabilities in the Nation's transportation systems. In
partnership with airport operators, airlines, and local law enforcement
agencies, TSA secures our Nation's commercial airports through a
variety of programs that create a multi-layered system of
transportation security to mitigate risk.
The TSA workforce operates on the front line, executing the
agency's transportation security responsibilities in support of the
Nation's counterterrorism efforts. These responsibilities include
security screening of passengers and baggage at over 450 airports in
the United States that facilitate air travel for 1.8 million people per
day; recurrently vetting over 13 million transportation workers against
the terrorist watch list each day; and conducting security regulation
compliance inspections and enforcement activities at airports, for
domestic and foreign air carriers, and for air cargo screening
operations throughout the United States and at last point of departure
locations internationally. In 2011, Transportation Security Officers
(TSOs) stopped more than 125,000 prohibited items at airport
checkpoints. Of those items, more than 1,300 were firearms.
Since our creation in the wake of the September 11 terrorist
attacks, TSA has evolved our security approach based on intelligence
and by examining how specific security procedures are carried out,
improving workforce efficiencies, investing in innovative technologies
and pursuing initiatives to further standardize and integrate
equipment. Following our Congressional mandate to keep the millions of
Americans who travel each day safe and secure across numerous modes of
transportation, TSA has strengthened security by creating successful
programs and deploying technologies that were not in place prior to
September 11, while also taking steps whenever possible to enhance the
passenger experience.
I am pleased to have an opportunity today to discuss with the
subcommittee TSA's technological innovations, which have strengthened
our multi-layered security system.
risk-based security (rbs) and tsa precheck
Last fall, TSA began developing a strategy for enhanced use of
intelligence and other information to support a more risk-based
approach in all facets of transportation, including passenger
screening, air cargo, and surface transportation. At its core, the
concept of RBS builds upon the work TSA has been doing throughout its
first decade of service to the Nation. Our objective is to mitigate the
risk of an attack against our transportation systems in a way that
effectively balances security measures with privacy, civil rights, and
civil liberties concerns while promoting the safe movement of people
and commerce.
Through various RBS initiatives, TSA is moving away from a one-
size-fits-all security model and closer to its goal of providing the
most effective transportation security in the most efficient way
possible. In the passenger screening context, RBS allows our dedicated
TSOs to focus more attention on those travelers we believe are more
likely to pose a risk to our transportation network while providing the
opportunity for expedited screening to those we consider pose less
risk. The most widely known risk-based security enhancement we are
putting in place is TSA PreCheckTM, which, like other RBS
initiatives, leverages our advancements in technology. Since first
implementing this idea last fall, TSA PreCheckTM has been
expanded to 15 airports, making it possible for eligible passengers
flying from these airports to experience expedited security screening
through TSA PreCheckTM. The feedback we've been receiving is
consistently positive. TSA pre-screens TSA PreCheckTM
passengers each time they fly through participating airports.
Currently, U.S. citizens flying domestically who are qualified frequent
fliers of American Airlines, Delta Air Lines, and Alaska Airlines, or
members of U.S. Customs and Border Protection's trusted traveler
programs such as Global Entry, may be eligible for expedited screening
at select checkpoints. TSA is actively working with other major air
carriers such as United Airlines, US Airways, and Jet Blue to expand
both the number of participating airlines and the number of airports
where expedited screening through TSA PreCheckTM is
provided. By the end of 2012, TSA plans to have TSA
PreCheckTM operating at over 30 of the Nation's busiest
airports.
TSA PreCheckTM travelers are able to divest fewer items,
which may include leaving on their shoes, jacket, and light outerwear
as well as other modifications to the standard screening process. As
always, TSA will continue to incorporate random and unpredictable
security measures throughout the security process. At no point are TSA
PreCheckTM travelers guaranteed expedited screening.
credential authentication technology/boarding pass scanning systems
TSA is currently evaluating a new technology to improve the
effectiveness of verifying and validating passengers' travel and
identity credentials (ID). This Credential Authentication Technology/
Boarding Pass Scanning System (CAT/BPSS), provides TSOs with an
effective tool to quickly detect fraudulent or altered IDs or boarding
passes, ensure that the identity information on the ID and boarding
pass match, and automatically identify passengers that have been
selected, under the RBS concept, for differentiated screening.
CAT/BPSS provides TSA with a greater ability to identify fraudulent
ID documents and can verify the authenticity of boarding passes. CAT/
BPSS compares the format and security features of the passenger ID
against a known set of security features for that particular identity
credential type. The most common security features are one and two
dimensional (1D, 2D) barcodes, magnetic stripes, embedded circuits, and
machine readable text.
TSA is currently concluding CAT/BPSS technology pilots at San Juan,
Houston, and Washington Dulles airports. During this technical
evaluation process, TSA is determining the overall operational
suitability of different vendor solutions. Prior to proceeding to the
field pilots each CAT/BPSS system were required to go through two
rounds of qualification testing plus two additional rounds of
regression testing, to remediate issues identified during qualification
testing, at the TSA Systems Integration Facility (TSIF).
If testing proves successful, CAT/BPSS units could replace the
Travel Document Checker podium at the entrance of airport security
checkpoints as well as the current manual method of ID and boarding
pass authentication with a more effective security measure.
advanced imaging technology
Advanced Imaging Technology (AIT) helps TSOs screen passengers for
metallic and non-metallic threats including weapons, explosives, and
other objects concealed under layers of clothing without physical
contact. Currently, there are more than 700 AIT units at nearly 190
airports. AIT is a critical component of TSA's risk-based security
approach. Consistent with recent U.S. Department of Homeland Security
(DHS), Office of Inspector General (OIG), and Government Accountability
Office (GAO) recommendations, TSA is implementing an action plan to
increase the level of available AIT screening capacity across the
Nation's aviation system. Where AIT is deployed and relied upon, TSA
has established a utilization target consistent with the recommendation
by OIG, and is meeting or exceeding that target.
TSA has developed and implemented an AIT instructor certification
curriculum for Security Training Instructors (STI) assigned at the
airports. These STIs are responsible for delivering AIT training as
airports receive the technology. A full training curriculum package,
including training kits and training aids, has been distributed to all
AIT airports and allows each airport to train as many operators as
required. Airports that have not received AIT units will receive the
training kit and aids when the equipment is installed.
In addition, introduction of Automated Target Recognition (ATR)
functionality eliminates the need for a remote Image Operator in all
new machines. ATR capability is being retrofitted on all existing
machines using millimeter-wave technology, and TSA is currently
completing the evaluation of ATR on Backscatter AIT systems. The ATR
software provides the same high level of detection and it allows for
more targeted pat-downs, because of the manner in which anomalies are
displayed. The introduction of ATR reduced the amount of time required
for initial operator training and certification. By using local airport
STIs to conduct this training, TSA has eliminated concerns about
training being a constraint in achieving our AIT utilization goal.
The availability of AIT equipment supports long-term needs while
increasing efficiencies at checkpoints with even more effective ATR
software and a reduced footprint, which will inform future deployment
strategies. In support of the increasing number of AIT units deployed
with ATR, TSA is developing a new training kit specifically designed to
support AIT ATR training and testing. Working with the Johns Hopkins
University Applied Physics Laboratory, TSA is also working to increase
the number of AIT testing scenarios under our Aviation Screening
Assessment Program (ASAP). TSA has been conducting a preliminary
assessment to develop and validate additional testing stimulants and
scenarios for use with the AIT ATR equipment. The intent is to
incorporate new scenarios and stimulants appropriate for use with AIT
ATR into ASAP's National-level testing framework. TSA is also working
with industry in order to enhance ATR and AIT hardware for greater
detection effectiveness.
automated wait time
Automated Wait Time (AWT) systems utilize technology to monitor and
track queuing traffic at the security checkpoint, enabling TSA to
reallocate resources to areas of higher congestion and priority as
needed. The AWT system includes the ability to display wait times to
the traveling public on monitors within airport checkpoints. TSA
preliminarily tested an AWT system at the TSIF and anticipates testing
it in airports in the coming months.
next generation advanced technology x-ray
TSA is in the process of upgrading currently deployed Advanced
Technology (AT) X-ray systems, as well as deploying next generation, or
AT-2 systems. This technology is used to screen carry-on luggage at the
security checkpoint. In addition to other upgrades that streamline the
bag check process, next generation AT X-ray units feature enhanced
explosive detection capabilities that enable TSA to detect additional
threats.
There are currently more than 1,400 AT units at over 125 airports.
These systems enhance security effectiveness and efficiency, and
deployments will continue through calendar year 2012. We are working
closely with the DHS Science and Technology Directorate (S&T) and our
qualified vendors to assess the AT-2 system's capability to detect
liquids, aerosols, and gels (LAG), which would provide the TSOs more
efficient tools to perform a targeted bag search.
shoe-scanning detection technology
Shoe-Scanning Detection (SSD) technology is an advanced technology
which would be capable of detecting both metallic and non-metallic
threats concealed in passenger footwear without requiring that
passengers to remove their footwear at the checkpoint. S&T recently
issued a Broad Agency Announcement that allows it to support private-
sector R&D research and development efforts to develop shoe-scanner
detection systems that meet TSA detection requirements.
bottled liquids scanners
Bottled Liquids Scanner (BLS) screening systems are used to detect
potential liquid or gel threats, which may be contained in a
passenger's property while differentiating between liquid explosives
and common, benign liquid such as baby formula and insulin. Next-
generation BLS screening systems have the ability to detect a wider
range of explosive materials and use light waves to screen sealed
containers for explosive liquids. TSA recently deployed an additional
500 next-generation BLS units to airports Nation-wide. These recent
deployments bring the total number of BLS units Nation-wide to over
1,200 at nearly 350 airports.
explosives trace detection
Explosives Trace Detection (ETD) technology is used at security
checkpoints around the country to screen passengers and their carry-on
baggage for traces of explosives. Officers may swab a piece of luggage
or passenger hands and place the swab inside the ETD unit to analyze
the content for the presence of potential explosive residue. TSA is
focusing on recapitalization efforts to perform life-cycle replacements
with more effective next-generation solutions. In addition, TSA is
expanding its use of ETD technology in airports as part of its layered
approach to aviation security. TSA is currently conducting pilot
testing on portable trace solutions to support more widespread usage of
this technology and working with S&T on the development of next-
generation ETDs.
explosives detection systems recapitalization and optimization
Over the next 5 years, a large number of Explosives Detection
Systems (EDS) will approach the end of their useful life and replacing
these aging units is a top priority. TSA will fund recapitalization
projects, which include the work required to remove the existing EDS as
well as minimal modifications to the Baggage Handling System
infrastructure associated with the replacement of the EDS and the
associated purchase and installation of the new EDS. TSA's plan to
replace the aging EDS fleet of equipment will be prioritized based on a
combination of age and maintenance data.
conclusion
TSA will continue to enhance its layered security approach through
state-of-the-art technologies, expanded use of existing and proven
technology, passenger pre-screening and other developments that will
continue to strengthen aviation security. Thank you for the opportunity
to appear before you today, and I look forward to answering your
questions.
Mr. Rogers. Thanks, Mr. Hoggan.
Our next witness is Mr. Steve Lord. Mr. Lord is a GAO
executive responsible for directing numerous engagements on
aviation and surface transportation issues and regularly
discusses these issues before Congress and at industry forums.
He has recently conducted in-depth reviews of the TSA's
passenger checked baggage and air-cargo screening operations.
Before his appointment to the Senior Executive Service in 2007,
he led GAO's work on a number of key international security,
finance, and trade issues.
Mr. Lord, we appreciate you appearing before this committee
on many occasions and look forward to your testimony today. The
Chairman now recognizes Mr. Lord for his statement.
STATEMENT OF STEPHEN M. LORD, DIRECTOR, HOMELAND SECURITY AND
JUSTICE ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE
Mr. Lord. Thank you, Mr. Chairman. Chairman Rogers and
other distinguished Members of the committee, I am pleased to
be here today to discuss TSA's efforts to acquire this new
technology. I don't use the acronym either. Some of our past
work on TSA acquisitions which could inform the deliberations
over TSA's progress in procuring this:
This is an important issue as TSA acquisitions represent
billions of dollars in life-cycle costs and support a wide
range of missions. As you know, TSA started testing some of
this new technology to help verify passenger IDs and boarding
passes.
They plan to use this technology to eventually replace the
current process, the manual process, for inspecting and
detecting fraudulent or altered documents.
Today, I would like to discuss two specific issues. No. 1,
the status of the actual acquisition for this technology and
some broader challenges we have previously identified in TSA's
acquisition process that may be relevant for today's
discussion.
First, regarding the acquisition status, TSA is now
preparing to start a really important phase of the acquisitions
referred to an operational test and evaluation and that is the
one going to occur at three airports, Houston, Dulles, and San
Juan.
During the operational testing, TSA plans to assess the
system's performance in terms of three performance criteria,
detection capabilities, passenger throughput, and availability.
Those are referred to as key performance parameters.
According to the acquisition documents we reviewed, the
estimated life-cycle cost of the program is about $130 million
based on a procurement of 4,000 units over 20 years.
You have to understand 4,000 includes replacement costs.
Out of 1,400 referred to earlier, that is the planned buy, but
since they are only expected to last 7 or 8 years, you,
ultimately, have to replace them.
We reviewed the life-cycle cost estimate of the passenger
screening program and found the estimate to be reasonably
comprehensive and documented. We have clear criteria for
evaluating these life-cycle cost estimates.
However, we could not determine the credibility because the
current version does not include a risk analysis or independent
cost estimate as deemed by best practice.
We also noted that the assumed deflation rate over the life
of the program is 1 percent rather than the historical rate of
3 to 4 percent. So, thus, if a higher assumed inflation rate
was used, estimated program costs would definitely be higher.
More broadly, our prior work has identified three
consistent challenges that are worth noting as this TSA
acquisition unfolds. Our prior work emphasizes the importance
of establishing and meeting clear program requirements, No. 2,
properly overseeing and testing the technologies you are
procuring.
No. 3, developing sound acquisition program baselines to
benchmark progress and meeting initial costs, schedule, and
performance targets. We previously reported that DHS and TSA
have faced challenges in developing requirements when acquiring
new screening technologies.
For example, in June 2010, we reported that more than half
of the 15 DHS reviewed, awarded contracts to initiate
acquisitions without required approval of key acquisition
documents. The good news for CAT/BPSS is it does have some of
these key documents. On the other hand, as I noted earlier, we
have some concerns about the credibility of the life-cycle cost
estimate.
In closing, this hearing provides an excellent opportunity
to ask some broader questions about the TSA procurement. First,
how will TSA ensure that this new system addresses the security
of vulnerabilities it previously identified with the fraudulent
IDs?
Second, what confidence does TSA have in its unit cost
estimate? Third, how does the screening technology fit into
TSA's broader acquisition--I am sorry, aviation security
strategy? Finally, what cost-benefit analysis, if any, is being
used to guide TSA decision-makers?
Mr. Chairman, this concludes my remarks. I look forward to
responding to any questions you may have. Thank you.
[The statement of Mr. Lord follows:]
Prepared Statement of Stephen M. Lord
June 19, 2012
aviation security.--status of tsa's acquisition of technology for
screening passenger identification and boarding passes
Chairman Rogers, Ranking Member Jackson Lee, and Members of the
committee: I am pleased to be here today to discuss our past work
examining the Transportation Security Administration's (TSA) progress
and challenges in developing and acquiring technologies to address
aviation security needs. TSA's acquisition programs represent billions
of dollars in life-cycle costs and support a wide range of aviation
security missions and investments. Within the Department of Homeland
Security (DHS), the Science and Technology Directorate (S&T) and TSA
have responsibilities for researching, developing, and testing and
evaluating new technologies, including airport checkpoint screening
technologies. Specifically, S&T is responsible for the basic and
applied research and advanced development of new technologies, while
TSA, through its Passenger Screening Program, identifies the need for
new checkpoint screening technologies and provides input to S&T during
the research and development of new technologies, which TSA then
procures and deploys.
TSA screens more than 600 million air passengers per year through
approximately 2,300 security checkpoint lanes at about 450 airports
Nation-wide, and must attempt to balance its aviation security mission
with concerns about efficiency and the privacy of the traveling public.
The agency relies upon multiple layers of security to deter, detect,
and disrupt persons posing a potential risk to aviation security. Part
of its checkpoint security controls include a manual review and
comparison by a travel document checker of each person's boarding pass
and identification, such as passports or State-issued driver's
licenses. However, concerns have been raised about security
vulnerabilities in this process. For example, in 2006, a university
student created a website that enabled individuals to create fake
boarding passes. In addition, in 2011, a man was convicted of stowing
away aboard an aircraft after using an expired boarding pass with
someone else's name on it to fly from New York to Los Angeles. Recent
news reports have also highlighted the apparent ease of ordering high-
quality counterfeit driver's licenses from China. We have previously
reported on significant fraud vulnerabilities in the passport issuance
process and on difficulties in detecting fraudulent identity
documentation, such as driver's licenses.\1\
---------------------------------------------------------------------------
\1\ GAO, State Department: Significant Vulnerabilities in the
Passport Issuance Process, GAO-09-681T (Washington, DC: May 5, 2009),
and Transportation Worker Identification Credential: Internal Control
Weaknesses Need to Be Corrected to Help Achieve Security Objectives,
GAO-11-657 (Washington, DC: May 10, 2011). We also have on-going
classified work looking at the effectiveness of the travel document
checker at detecting fraudulent documents, which we expect to finalize
later this summer.
---------------------------------------------------------------------------
In response to these vulnerabilities, and as part of its broader
effort to improve security and increase efficiency, TSA began
developing technology designed to automatically verify boarding passes
and to better identify altered or fraudulent passenger identification
documents. TSA plans for this technology, known as Credential
Authentication Technology/Boarding Pass Scanning Systems (CAT/BPSS), to
eventually replace the current procedure used by travel document
checkers to detect fraudulent or altered documents. However, we have
previously reported that DHS and TSA have experienced challenges in
managing their acquisition efforts, including implementing technologies
that did not meet intended requirements and were not appropriately
tested and evaluated, and have not consistently included completed
analyses of costs and benefits before technologies were implemented.\2\
---------------------------------------------------------------------------
\2\ For example, see GAO, Homeland Security: DHS and TSA Face
Challenges Overseeing Acquisition of Screening Technologies, GAO-12-
644T (Washington, DC: May 9, 2012).
---------------------------------------------------------------------------
Since DHS's inception in 2003, we have designated implementing and
transforming DHS as high-risk because DHS had to transform 22
agencies--several with major management challenges--into one
department.\3\ This high-risk area includes challenges in strengthening
DHS's management functions, including acquisitions; the effect of those
challenges on DHS's mission implementation; and challenges in
integrating management functions within and across the department and
its components. DHS currently has several plans and efforts under way
to address the high-risk designation as well as the more specific
challenges related to acquisition and program implementation that we
have previously identified. For example, DHS provided us with its
Integrated Strategy for High-Risk Management in June 2012, which
includes management initiatives and corrective actions to address
acquisition management challenges, among other management areas. We
will continue to monitor and assess DHS's implementation and
transformation efforts through our on-going and planned work, including
the 2013 high-risk update that we expect to issue in early 2013.
---------------------------------------------------------------------------
\3\ GAO, High-Risk Series: An Update, GAO-11-278 (Washington, DC:
Feb. 16, 2011).
---------------------------------------------------------------------------
My statement today focuses on: (1) The status of TSA's CAT/BPSS
acquisition and the extent to which the related life-cycle cost
estimate is consistent with best practices, and (2) challenges we have
previously identified in TSA's acquisition process to manage, test,
acquire, and deploy screening technologies. This statement also
provides information on issues for possible Congressional oversight
related to CAT/BPSS.
This statement is based on reports and testimonies we issued from
October 2009 through May 2012 related to TSA's efforts to manage, test,
acquire, and deploy various technology programs.\4\ In addition, we
obtained updated information in June 2012 from TSA on the status of its
efforts to implement our recommendations from these reports. For our
past work, we reviewed program schedules, planning documents, testing
reports, and other acquisition documentation. For some of the programs
we discuss in this testimony, we conducted site visits to a range of
facilities, such as National laboratories, airports, and other
locations to observe research, development, and testing efforts. We
also conducted interviews with DHS component program managers and DHS
Science and Technology Directorate officials to discuss issues related
to individual programs. More detailed information on the scope and
methodology from our previous work can be found within each specific
report. In addition, this statement contains new information we
obtained from TSA in June 2012 on the status of its CAT/BPSS
acquisition. We reviewed key acquisition documents--including the
mission needs statement (September 2008), request for proposal (April
2011), operational requirements document (August 2011), life-cycle cost
estimate (November 2011), and acquisition program baseline (November
2011)--interviewed officials from TSA's Office of Security
Capabilities, and viewed a demonstration of the CAT/BPSS test units. We
compared the life-cycle cost estimate with best practices from our Cost
Estimating and Assessment Guide to determine whether the official cost
estimates were comprehensive (i.e., include all costs), accurate, well-
documented, and credible.\5\ We conducted all of our work in accordance
with generally accepted Government auditing standards. Those standards
require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings based on our
audit objectives. We discussed new information in this statement with
TSA officials and incorporated their comments as appropriate.
---------------------------------------------------------------------------
\4\ See the related products list at the end of this statement.
Examples of these technology programs include advanced imaging
technology (AIT)--commonly referred to as a full-body scanner--that
screens passengers for metallic and non-metallic threats including
weapons, explosives, and other objects concealed under layers of
clothing; explosives detection systems, which use X-rays with computer-
aided imaging to automatically recognize the characteristic signatures
of threat explosives; and explosives trace detection machines, in which
a human operator (e.g., a baggage screener) uses chemical analysis to
manually detect traces of explosive materials' vapors and residue.
\5\ GAO, GAO Cost Estimating and Assessment Guide: Best Practices
for Developing and Managing Capital Program Costs, GAO-09-3SP
(Washington, DC: March 2009).
---------------------------------------------------------------------------
In summary, TSA has completed its initial testing of the CAT/BPSS
technology and has begun operational testing at three airports. We
found the project's associated life-cycle cost estimate to be
reasonably comprehensive and well-documented, although we are less
confident in its accuracy due to questions about the assumed inflation
rate. In addition, we could not evaluate its credibility because the
current version does not include an independent cost estimate or an
assessment of how changing key assumptions and other factors would
affect the estimate. Our past work has identified three key challenges
related to TSA's efforts to acquire and deploy technologies to address
homeland security needs: (1) Developing and meeting technology program
requirements, (2) overseeing and conducting testing of new screening
technologies, and (3) developing acquisition program baselines to
establish initial cost, schedule, and performance parameters.
cat/bpss is in the operational testing and evaluation phase, and the
life-cycle cost estimate is not fully consistent with best practices
CAT/BPSS, which is part of TSA's Passenger Screening Program, has
undergone initial testing and is in the operational testing and
evaluation phase of acquisition, according to TSA. The goal of CAT/BPSS
is to deploy a computerized system that will read and analyze data and
embedded security features on every passenger's identification and some
boarding passes, and to identify fraudulent credentials and boarding
passes. In 2011, TSA conducted qualification testing of this system at
its System Integration Facility at Washington Reagan National Airport,
including testing the systems against more than 530 genuine and
fraudulent documents, such as State-issued driver's licenses,
passports, and military identification cards, according to TSA. The
technology is designed to automatically compare a passenger's
identification with a set of embedded security features to seek to
identify indicators of fraud and concurrently ensure that the
information on the identification and boarding pass matches. This
system is intended to help ensure that identity credentials and
boarding passes presented at the checkpoint have not been tampered with
or fraudulently produced, and that the information on the boarding pass
matches that of the identity credential. According to TSA, CAT/BPSS is
to compare identity credentials with an internal database of more than
2,400 templates for various types of credentials and to check for
certain embedded security features, then alert the operator of any
discrepancies.
In September 2011, TSA awarded contracts for approximately $3.2
million, which included the purchase of 30 units from three different
vendors.\6\ In April 2012, TSA began deploying units to three
airports--George Bush Intercontinental in Houston, Luis Munoz Marin
International in San Juan, and Washington Dulles International--in
preparation for initial operational testing. TSA officials said that
those airports were selected, in part, because of their high passenger
volume and experience with detecting fraudulent documents. In
preparation for initial testing, TSA tested the performance of its
current process for comparison purposes. TSA is also training personnel
on the CAT/BPSS systems, collecting preliminary data on system
performance and availability, and assessing the adequacy of the concept
of operations and standard operating procedures. According to TSA
officials, these efforts will allow travel document checkers at the
three airports to test the three systems in an operational environment
and provide feedback on the systems' performance. During operational
testing, TSA plans to assess the systems' performance against key
performance parameters for detection, passenger throughput, and
availability. Once operational testing is complete, TSA plans to
produce a system evaluation report and recommend whether to move
forward with the acquisition or make modifications. Vendors that
successfully exit the operational testing phase will be eligible to
compete for a contract to produce 1,400 units, according to TSA.
---------------------------------------------------------------------------
\6\ According to TSA, the $3.2 million included costs for
maintenance, database updates, and training, among other things.
---------------------------------------------------------------------------
According to the life-cycle cost estimate for the Passenger
Screening Program, of which CAT/BPSS is a part, the estimated 20-year
life-cycle cost of CAT/BPSS is approximately $130 million based on a
procurement of 4,000 units.\7\ As highlighted in our Cost Estimating
and Assessment Guide, a reliable cost estimate has four
characteristics--it is comprehensive, well-documented, accurate, and
credible.\8\ We reviewed TSA's November 2011 life-cycle cost estimate
for the Passenger Screening Program and compared it with the four
characteristics. Based on our assessment, the life-cycle cost estimate
is reasonably comprehensive and well-documented. Regarding accuracy,
the cost estimate assumes a 1 percent inflation rate from fiscal years
2015 through 2029, as compared with the historic inflation rates
calculated for fiscal years 2009 through 2014, which ranged from 3.3 to
4.5 percent. If a larger inflation rate were used, costs would be much
higher than what are currently estimated. In addition, we cannot make a
determination as to the credibility of the life-cycle cost estimate as
it does not include a risk and uncertainty analysis or an independent
cost estimate. The risk assessment would quantify risks and identify
effects of changing key cost driver assumptions and factors.\9\ In the
cost estimate, TSA indicates that it is pursuing the acquisition of
risk analysis capability and plans on having such capabilities in time
for the next life-cycle cost estimate. Likewise, there is no evidence
that an independent cost estimate was conducted by a group outside the
acquiring organization to determine whether other estimating methods
would produce similar results. TSA officials indicated that the agency
is updating its life-cycle cost estimate to include a risk and
uncertainty analysis and independent cost estimate, but the document
has not yet been approved.
---------------------------------------------------------------------------
\7\ This includes an initial procurement of 1,400 units in fiscal
year 2013, and an additional 2,600 replacement units by fiscal year
2029.
\8\ GAO-09-3SP. The DHS Cost Analysis Division has implemented our
Cost Estimating and Assessment Guide as the standard for cost
estimating at DHS.
\9\ DHS did not approve the life-cycle cost estimate due to the
lack of risk and sensitivity analysis, according to TSA.
---------------------------------------------------------------------------
The agency plans to expand the CAT/BPSS deployment schedule
following successful implementation and testing in the selected airport
environments. As of June 2012, TSA officials estimated that this could
occur as soon as the end of this calendar year, depending on the
results of the operational testing and evaluation phase.
previously identified challenges tsa faces in overseeing acquisition of
screening technologies
Our past work has identified three key challenges related to TSA's
efforts to acquire and deploy technologies to address homeland security
needs: (1) Developing and meeting technology program requirements, (2)
overseeing and conducting testing of new screening technologies, and
(3) developing acquisition program baselines to establish initial cost,
schedule, and performance parameters.
We have previously reported that DHS and TSA have faced challenges
in developing and meeting program requirements when acquiring screening
technologies, and that program performance cannot be accurately
assessed without valid baseline requirements established at the program
start. In June 2010, for example, we reported that more than half of
the 15 DHS programs we reviewed awarded contracts to initiate
acquisition activities without component or Department approval of
documents essential to planning acquisitions, setting operational
requirements, or establishing acquisition program baselines.\10\ We
made a number of recommendations to help address issues related to
these procurements. DHS generally agreed with these recommendations
and, to varying degrees, has begun taking actions to address them. We
currently have on-going work related to this area and we plan to report
the results later this fall.\11\ At the program level, in May 2012, we
reported that TSA did not fully follow DHS acquisition policies when
acquiring advanced imaging technology (AIT), or body scanners, which
resulted in DHS approving full AIT deployment without full knowledge of
TSA's revised specifications.\12\
---------------------------------------------------------------------------
\10\ GAO, Department of Homeland Security: Assessments of Selected
Complex Acquisitions, GAO-10-588SP (Washington, DC: June 30, 2010).
Three of 15 were TSA programs.
\11\ We are conducting this work at the request of the Senate
Committee on Homeland Security and Governmental Affairs and the
Subcommittee on Oversight, Investigations, and Management of the House
Committee on Homeland Security.
\12\ See GAO-12-644T, in which we publicly reported some of the
findings and recommendations from our January 2012 classified report on
TSA's procurement and deployment of AIT, commonly referred to as full-
body scanners, at airport checkpoints.
---------------------------------------------------------------------------
We have also reported on DHS and TSA challenges in overseeing and
testing new screening technologies, which can lead to costly redesign
and rework at a later date. Addressing such problems before moving to
the acquisition phase can help agencies better manage costs. For
example, in October 2009, we reported that TSA had deployed explosives
trace portals, a technology for detecting traces of explosives on
passengers at airport checkpoints, in January 2006 even though TSA
officials were aware that tests conducted during 2004 and 2005 on
earlier models of the portals suggested the portals did not demonstrate
reliable performance in an airport environment. As a result, we found
that TSA procured and deployed a technology that met evolving
requirements, but not the initial requirements included in its key
acquisition requirements document that the agency initially determined
were necessary to enhance the aviation system. We recommended that TSA
develop a road map that outlines vendors' progress in meeting all key
performance parameters. DHS agreed with our recommendation and has
begun taking action to address it.\13\ In June 2006, TSA halted
deployment of the explosives trace portals because of performance
problems and high installation costs. In our 2009 report, we
recommended that, to the extent feasible, TSA ensure that tests are
completed before deploying new checkpoint screening technologies to
airports. DHS concurred with the recommendation and has taken action to
address it, such as requiring more recent technologies to complete both
laboratory and operational tests prior to deployment.
---------------------------------------------------------------------------
\13\ GAO, Aviation Security: DHS and TSA Have Researched,
Developed, and Begun Deploying Passenger Checkpoint Screening
Technologies, but Continue to Face Challenges, GAO-10-128 (Washington,
DC: Oct. 7, 2009).
---------------------------------------------------------------------------
DHS and TSA have also experienced challenges identifying
acquisition program baselines, which include program schedules and
costs. Our prior work has found that realistic acquisition program
baselines with stable requirements for cost, schedule, and performance
are among the factors that are important to successful acquisitions
delivering capabilities within cost and schedule. We also found that
program performance metrics for cost and schedule can provide useful
indicators of the health of acquisition programs. For example, we
reported in April 2012 that TSA has not had a DHS-approved acquisition
program baseline since the inception of the Electronic Baggage
Screening Program (EBSP) more than 8 years ago.\14\ Further, DHS did
not require TSA to complete an acquisition program baseline until
November 2008. According to TSA officials, they have twice submitted an
acquisition program baseline to DHS for approval--first in November
2009 and again in February 2011. An approved baseline would provide DHS
with additional assurances that TSA's approach is appropriate and that
the capabilities being pursued are worth the expected costs. In
November 2011, because TSA did not have a fully-developed life-cycle
cost estimate as part of its acquisition program baseline for the EBSP,
DHS instructed TSA to revise the life-cycle cost estimates as well as
its procurement and deployment schedules to reflect budget constraints.
DHS officials told us that they could not approve the acquisition
program baseline as written because TSA's estimates were significantly
over budget. TSA officials stated that TSA is currently working with
DHS to amend the draft program baseline and plans to resubmit the
revised acquisition program baseline before the next Acquisition Review
Board meeting, which is planned for July or August 2012. Establishing
and approving a program baseline, as DHS and TSA plan to do for the
EBSP, could help DHS assess the program's progress in meeting its goals
and achieve better program outcomes.
---------------------------------------------------------------------------
\14\ GAO, Checked Baggage Screening: TSA Has Deployed Optimal
Systems at the Majority of TSA-Regulated Airports, but Could Strengthen
Cost Estimates, GAO-12-266 (Washington, DC: Apr. 27, 2012).
---------------------------------------------------------------------------
Our prior work on TSA acquisition management identified oversight
problems that have led to cost increases, delivery delays, and other
operational challenges for certain assets, such as EBSP, but TSA has
also taken several steps to improve its acquisition management. For
example, while we continue to find that some TSA acquisition programs
do not have key documents needed for properly managing acquisitions,
CAT/BPSS has a DHS-approved mission needs statement, operational
requirements document, and acquisition program baseline.\15\
---------------------------------------------------------------------------
\15\ The life-cycle cost estimate was approved by TSA but not by
DHS.
---------------------------------------------------------------------------
congressional oversight issues
This hearing provides an opportunity for Congressional stakeholders
to focus a dialogue on how to continue a sufficient level of oversight
of the CAT/BPSS acquisition and implementation and other key components
of the Passenger Screening Program. For example, relevant questions
that could be raised include the following:
To what extent, if any, have key performance parameters
changed during the course of the acquisition, and how will
these changes affect security and efficiency at the checkpoint?
What would be TSA's strategy if vendors have difficulty meeting
the key performance parameters?
How will TSA ensure that implementation of the system
addresses the security vulnerabilities previously identified?
What confidence does TSA have in its cost estimates and how
is the agency mitigating the risk of cost escalation or
schedule delays?
In managing limited resources to mitigate a potentially
unlimited range of security threats, how does CAT/BPSS fit into
TSA's broader aviation security strategy? What cost-benefit and
related analyses, if any, are being used to guide TSA decision
makers?
These types of questions and related issues warrant on-going
consideration by TSA management and continued oversight by
Congressional stakeholders.
Chairman Rogers, Ranking Member Jackson Lee, and Members of the
committee, this concludes my prepared statement. I look forward to
responding to any questions that you may have.
Mr. Rogers. I thank the gentleman.
The Chairman now recognizes the Ranking Member for her
opening statement.
Ms. Jackson Lee. Chairman, thank you for hosting this
hearing and, as I indicated to you, two committees that I love
the most, Judiciary and Homeland Security and, particularly
these subcommittees seem to have an uncanny ability to overlap
their committee meetings, particularly mark-ups.
So let me thank the two witnesses and the Chairman for
holding this hearing and I would like to have a rhetorical
response back to the rhetorical question which is the title of
this hearing that indicates whether it is a wise use and I
think, to Mr. Hoggan and Mr. Lord, the chief responsibility of
the hearing today is for you to answer that question.
I have an answer, I think it is wise, but I think the
Chairman's inquiry is appropriate, in terms of the procurement
or the utilization of funds or the technology and contractor,
whether or not we are at the best level of efficiencies to
ensure that we get the job done.
I hope that I will be able to secure some answers on that
very point. So I thank the Chairman for holding today's hearing
and I know, from our discussions, that we share the same
commitment to securing our Nation's transportation systems. We
also share the same commitment to ensuring that technologies
procured by the Department are acquired after a robust testing
and evaluation process.
Today marks the fourth hearing the subcommittee is holding
regarding the procurement practices at the Department and
transportation and security technologies.
I might add that I have often said that I am interested in
small, minority, women-owned businesses. I don't know if they
have a chance to be engaged in this procurement process and the
question is would they have been better? Is this a small
business or a large business? I would be interested in knowing
that.
Although I welcome the delivered oversight of procurement
practices carried by this committee, I respectfully reassert my
request that we hold a hearing evaluating TSA's in-cabin
security efforts and I look forward to working with the
Chairman on determining that.
That is an assessment of TSA's work if they have that
ability and as well, airlines and what they are doing for in-
cabin security. As we learned on September 11, if all else
fails, the cabin of an airplane may become our last line of
defense.
Today, we will hear from the Transportation Security
Commission Government Accountability Office regarding the
procurement goals by TSA on CAT/BPSS. This system has been
deployed for testing at three major airports since last April.
As of today, TSA is still working on reviewing the data it
gathered from testing and evaluating this technology in real-
life conditions. This is a critical step in assessing the
effectiveness of any piece of technology. As we learned from
the puffer machines, what works in the lab may not work in
real-life and this is a large and looming question.
I look forward to hearing from TSA about its preliminary
findings on the performance of this technology and what you
will do next.
I also look forward to hearing about the risk analysis TSA
conducted on the use of fraudulent documents by potential
terrorists. Last year the media exposed an incident in which a
24-year-old man was arrested after attempting to board a flight
from a Los Angeles airport to Atlanta using outdated boarding
passes.
What was even more alarming was the fact that this same
individual had already navigated layers of security at JFK and
boarded a flight using an outdated boarding pass to fly to Los
Angeles International Airport. This incident underscored the
need for additional training and technology to enable TSOs to
detect fraudulent documents.
This is a learning and growing process. We want it to be a
learning and growing process by saving the lives of Americans.
I think TSA is committed to that, and I think this technology
is one aspect of making good on that promise of securing the
homeland.
Since that incident, TSA has been working to identify
technological solutions to resolve the problem of detecting
fraudulent documents. The system we will hear about today, CAT/
BPSS, may be one possible technological solution.
Science is not perfect. Testing a new technology is part of
the TAFF--test, test, test, improve the technology, test, test,
test, improve the technology and save lives. There is nothing
wrong with that.
I look forward to today's testimony from GAO and TSA that
we have already heard, and I thank you for your testimony. I
hope each will shed light and has shed light on the procurement
process and--identify the type of technology needed to address
the vulnerability.
As we know, this subcommittee has been particularly
interested in ensuring that the procurement goals set forth by
the Department are administered by the under secretary of
management and those at TSA.
Last fall, Mr. Chairman, you held three hearings that
examined the practices used to evaluate, procure, and deploy
technology across our transportation system. During these
hearings we heard from former homeland security officials. They
testified about the need for greater cooperation between the
business and Government in developing contract requirements for
major research projects.
While this is an interesting thought, as you know, the
Federal Acquisition Regulations have strict rules about the
depth and breadth of permissible discussions between Government
and industry prior to the announcement of a contracting
opportunity. I think those hearings also made clear that this
administration has taken action on how TSA and S&T can improve
this collaboration. Congress needs to support and encourage
efforts to ensure that Government is more efficient, genuinely
meets the needs of its customers, the American taxpayers, and
use our dollars in a fiscally responsible way.
Unfortunately, under our budgetary constraints, we may lose
the opportunity to get the best technology. Mr. Chairman, we
cannot use money to fill every security gap, but we cannot
ignore money in terms of what the needs are for new technology.
So I look forward to assessing the procurement problem and
as well to solving the problem if there is one, but to make
sure that everything we do is to secure the homeland and to
save lives.
With that, Mr. Chairman, I yield back.
Mr. Rogers. I thank the gentlelady. Now we will turn to
questions.
Before I start my questions I wanted to share something
with Mr. Hoggan, which is not your fault, but it is something
you should be aware of that your staff has done.
If you will look up on the screens, you will see written
testimony that was strikingly similar to testimony we got from
your predecessor a year ago. That testimony was from a
different hearing on a different topic. All of the highlighted
content on this page up on the screen was recycled from that
hearing. So they basically took your predecessor's testimony
from a hearing a year ago and gave it to you to regurgitate
again this year.
Slide 2, if they can get that up there--guess not--there it
is. This slide shows that 7 pages of the testimony TSA was--
dedicated less than a paragraph to the specific topic of this
hearing, and of that, some of the material was also recycled.
This testimony also does not address any of the questions this
committee has raised in the past month, including questions I
specifically raised in a letter to Mr. Pistole.
I try not to waste your time, and I hope you will have your
committee make sure they don't waste our time, because it is
disrespectful.
With that, as you know, we talked briefly yesterday and I
am pleased about the turn of events with your postponement.
About 5 or 6 weeks ago, I along with a number of staff members
from both sides of the aisle went out to the TSIF to be briefed
by your staff on this new technology. As a result, we found
what it could do, but also had real questions about what it
couldn't do and couldn't get our questions answered
satisfactorily. We are concerned about the cost.
So we wrote the letter to Administrator Pistole and it is
my understanding that you all have now postponed it for the
third time. I want to know if you agree with the statement that
if it had not been postponed and we had gone ahead with the
procurement, with its limitations, it would have been a waste
of money to do that.
Mr. Hoggan. Sir, I wouldn't have proposed going forward
with procurement as it exists today with the information I know
from OT&E.
Mr. Rogers. That is what I thought.
Well, I am glad. I am glad you came in and recognized that
we don't need to be wasting any money. The fact is that, as you
know, and I have talked with Administrator Pistole about this
on numerous occasions, the public is just outraged by what they
see with TSA and a lot of the wasteful money that has been
spent in the past. They are looking for us to be better
stewards and also to be a little bit more threat-based in our
approach and not treat everybody like terrorists.
So it has got a lot of problems, but one of them has been
the money. In these new, more austere times, we are going to
have to be good stewards of our Federal tax dollars.
With that in mind, the cost of this technology skyrocketed,
as you heard me say earlier. It went from $35 million projected
cost in 2008 to $115 million in 2011. It is a 200 percent
increase. Can you tell me how that developed?
Mr. Hoggan. Sir, I will have to get back on you for that. I
know the original procurement for the 1,400 units could cost
anywhere from $35 million to $45 million and the life-cycle
cost estimate over a 20-year time frame would be an additional
upwards of $130 million over that time, as Mr. Lord had talked
about, that has to do with the life cycle being anywhere from 7
to 8 years and a replenishment factor for 2,600 units to manage
it to 1,400 across that 20-year time frame.
The specifics of the reasons why the changes had happened I
will have to research that and I will provide that back to you,
sir.
Mr. Rogers. What about this? In 2011, TSA said the cost of
each machine was going to be roughly $25,000. More recently TSA
said the cost of each machine is now going to be $100,000. It
is a pretty big jump.
Mr. Hoggan. That is incorrect, sir. This is a procurement-
sensitive issue right now, and I could talk to you specifically
off-line about the individual cost because we are still in the
middle of the process.
However, it is not $100,000 per machine. I can assure you
that.
Mr. Rogers. Good, I am glad to hear that.
It took this committee 3 weeks to share--or it took TSA 3
weeks to share with this committee the cost of this program,
those numbers which you now point out are incorrect. Given
these huge cost increases, it is easy to understand why.
Were you aware it took 3 weeks for your office to get that
information to us in the time we requested it?
Mr. Hoggan. No, sir, I am not.
Mr. Rogers. Okay. Do you find that acceptable?
Mr. Hoggan. No, sir, I do not.
Mr. Rogers. Great.
Tell me what you see is the purpose of the CAT/BPSS.
Mr. Hoggan. In 2007 TSA, as a layered approach to security,
took over the boarding pass ID authentication and review at the
check point from airline employees or individuals as were
subcontracted by airlines at the departure gates. At that time
we employed transportation security officers to do the review
of the documents and the boarding passes.
What we have found over time--and I will give you the
example and the numbers--with the 50 States and eight different
territories we have approximately 600 different permeations of
IDs that could be presented at checkpoints.
If you take that into consideration with TWIC cards or CAC
cards or TESLA cards from the DOD, as well as passports, we
have upwards of 2,470 different variations of ID's that could
be presented at a checkpoint alone for travel, you know, on the
air.
That being said, a TSO who is deployed at Washington Dulles
might have a very good understanding of driver's license from
District of Columbia, State of Maryland, State of Virginia,
maybe State of Pennsylvania or West Virginia, but they don't
have a fundamental pure understanding of IDs from other parts
of the country.
Notwithstanding, 2,470 different permeations of ID is hard
for anybody to get a perspective on. So the technology allows
us to have good authentication of the different travel
documents that are presented, whether it is the ID and the
boarding pass. The boarding pass also allows us to have the
name matches, as well as other fields, not least of which is
departure date, flight, and so forth to ensure that it matches
the data.
So for a human factors component it is very difficult for a
TSO over time to have a continued high level of proficiency for
that many variables, but the technology does provide it.
Mr. Rogers. Thank you. My time is expired.
The Chairman now recognizes the Ranking Member for any
questions she may have.
Ms. Jackson Lee. I thank the Chairman very much. I thank
the witnesses again.
Mr. Hoggan, what is the name of the contractor? Are there
many contractors or just one?
Mr. Hoggan. Madam, right now there are three contractors
that have provided BAE Systems. I would have to look at my
notes for the exact full names of them, but we have three
contractors now--presented. There were four original
contractors that came in the procurement, but only three of
them cleared the process.
Ms. Jackson Lee. Okay. I don't want to be unfair, but I
think you have got staff sitting behind you and they are not--
we need to be helpful to the witness. Maybe they can find it
for you, Mr. Hoggan, so you won't have to look. I think they
can better look for it.
Are these small companies or medium-sized companies or
what?
Mr. Hoggan. Madam, originally one of them was a small
business during the procurement life cycle. Subsequently, my
understanding is, it had been purchased by a larger business in
the interim and----
Ms. Jackson Lee. Why don't you read the names into the
record, please?
Mr. Hoggan. Names of record are Trans Digital Technologies,
BAE Systems, NCR Government Solutions.
Ms. Jackson Lee. Each are offering their type of technology
or they are collaborating?
Mr. Hoggan. Each are offering their own type of technology.
Ms. Jackson Lee. They are involved in the pilot.
Mr. Hoggan. Yes, madam, they are, in the OT&E.
Ms. Jackson Lee. Do you find one technology better than the
other?
Mr. Hoggan. Not right now. They are very similar. There are
unique differences. It is preliminary, as we talked about
before. We are still in the OT&E process. It just completed
last week. We are in the process of gathering the data. We had
all the machines at Dulles for 6 weeks and at San Juan and
George Bush Intercontinental for 4 weeks. So we are pulling the
data right now.
But the preliminary information that I have been privy to
is that they are very similar, but there are some unique
differences--minor unique differences. One of them might have a
harder time reading a BlackBerry or----
Ms. Jackson Lee. So you are not going to at this point in
time say that of the three, two are out and one is in?
Mr. Hoggan. No, madam, I am not.
Ms. Jackson Lee. All right. Let me rapidly move forward on
my questions, so I can get as many in as possible.
You are not--so therefore the assessment that we have to go
back to the drawing board comes from where?
Mr. Hoggan. The assessment comes from the OT&E review as it
relates to the technology in detection and most importantly as
well as reliability and speed for the processing. They are not
at the levels they need to be, and we found these issues as it
relates to the IDs, the boarding passes.
So we want to go back to the manufacturers and update some
database entries as well as some software----
Ms. Jackson Lee. So the incident that I recited in my
statement about a gentleman getting on the plane with a false
boarding pass generated the interest in trying to enhance
technology to determine about these false documents?
Mr. Hoggan. No, madam, we actually started this in 2007
with integrated product team back when we took over----
Ms. Jackson Lee. What was the purpose of starting this?
Mr. Hoggan. It was a travel document checking process that
we took over with the TSOs. This is the fourth procurement
event for this type activity. We had an RFP go out in March
2009 and we had no vendors that qualified with our----
Ms. Jackson Lee. So then you came back?
Mr. Hoggan. Yes, madam.
Ms. Jackson Lee. Do you see a value in the utilization of
this technology if it can be perfected?
Mr. Hoggan. Yes, madam, I do.
Ms. Jackson Lee. How does that value translate to securing
the homeland?
Mr. Hoggan. It allows us the opportunity to ensure that the
people who are traveling, as they present themselves, are who
they say they are; their ID is authenticated; it matches the
boarding passes for travel on that day, which then ensures,
because there are encrypted data that comes through, that all
those boarding passes have----
Ms. Jackson Lee. So if someone is leaving West Virginia,
going to Montana, and they have Montana documents, and you are
having TSOs who are unfamiliar with Montana documents, can this
technology enhance that TSO's ability to protect the homeland
by knowing whether those are false documents, through that
technology?
Mr. Hoggan. Yes, madam.
Ms. Jackson Lee. So there is a value to it?
Mr. Hoggan. Yes, madam.
Ms. Jackson Lee. Let me ask you, Mr. Lord. In your
assessment, is this a valuable technology if it is perfected
and if it has the efficiencies of scale?
Mr. Lord. Well, with all due respect, madam, those are
major ``ifs.'' That is the purpose of the operational test and
evaluation.
Ms. Jackson Lee. Do you view the operational test as
valuable?
Mr. Lord. Yes.
Ms. Jackson Lee. Is this what we should be doing?
Mr. Lord. That is something we have identified in our prior
work. In the past, TSA's tended to either not do that or
truncated the testing. So we think it is very important to take
as much time as needed in operational tests and evaluation to
ensure the technology you are procuring meets the original
requirements.
Ms. Jackson Lee. So how many more tests would you suggest
they have?
Mr. Lord. Well, it is the length of the testing period.
What they are doing is they bought two each, as Mr. Hoggan
indicated. There are three vendors. They are testing two units
of each vendors' technology in the three airports. So they
purchased. The initial buy was 30 for $3 million, so that is
how he derived the $100,000 per unit cost.
That is the original up-front cost, but if you are going to
purchase 1,400, obviously, the unit costs are going to come way
down. But again----
Ms. Jackson Lee [continuing]. Not asking for that right
now.
Mr. Lord. Yes.
Ms. Jackson Lee. Go ahead.
Mr. Lord. Again, but the major lesson learned here is slow
to train down if you have to. There is an old saying in
procurement circles, ``If you want it bad, you get it bad.'' So
that just underscores----
Ms. Jackson Lee. So, from your perspective, when you are
dealing with these agencies--and you have just given us a
review--do you see the validity in this technology, but what
you are bringing to us as a committee, in terms of our
oversight, is to slow this process down; be deliberative;
ensure that the technology will do what it is supposed to do?
Mr. Lord. Before going with your plan, you know, the full
buy, yes.
Ms. Jackson Lee. Full steam ahead.
Mr. Lord. Yes.
Ms. Jackson Lee. This is my last--do you have any concern
that these machines, this technology cannot stand by a
checkpoint and operate themselves; it requires a TSO personnel?
Mr. Lord. Yes, it definitely requires--in fact, if you
looked at the total life-cycle costs of the program, by and
large, the biggest component is cost of the TSOs to operate the
machines.
Ms. Jackson Lee. But if the TSOs are already there, so the
cost is just the TSOs there now working the equipment. Is that
correct?
Mr. Lord. Well, it is going to require some training. That
is another concern I have. TSA indicated earlier they are
planning to roll this out in December, but you not only have to
complete the operational tests and evaluation; you have to
train new staff.
So I am encouraged to here today they are thinking of
moving that date to the right.
Ms. Jackson Lee. So you would be comfortable if, No. 1, we
had a more deliberative--when I say we, the oversight of TSA,
had a more deliberative approach--and I am glad for your
report, to be very honest with you--and that you would
certainly want TSOs to be trained?
Mr. Lord. Properly trained.
Ms. Jackson Lee. But in your looking at the technology,
since you have that expertise, do you see it as having some
ultimate value if done right?
Mr. Lord. Well, it is--the technology is designed to
address a real vulnerability, and that is the use of fraudulent
IDs and boarding passes. So assuming you can get the technology
to work properly and it meets requirements, there obviously
would be some value in addressing that vulnerability.
Ms. Jackson Lee. Mr. Chairman, I thank you.
Mr. Lord, thank you for affirming the value of saving lives
through adequate and efficient technology, and how we can work
through this is, I think, an important point going forward.
Mr. Chairman, thank you. I yield back.
Mr. Rogers. I thank the gentlelady. The Chairman now
recognizes the gentleman from Minnesota, Mr. Cravaack, for 5
minutes.
Mr. Cravaack. Thank you, Mr. Chairman.
Mr. Hoggan, you having fun so far?
Mr. Hoggan. Yes, sir, I am.
Mr. Cravaack. Good to hear. Good to hear. Well, anyway,
thank you for being here today.
Just some quick questions. In studying for today's
committee hearing, I just had some questions in regards to the
system itself. As I understand it, this system is not linked to
any no-fly lists or any type of State or Federal database. Is
that correct?
Mr. Hoggan. That is correct. Right now, it is not linked.
There is an interoperability requirement in the operation
requirements document. I believe it is in Section 3.2, Mr.
Rogers, as we provided. It says it allows the opportunity,
going forward in time, to do that. It is not in our original
requirements this time, but if we find, going forward, that we
need to hook to either something internal or external, there is
an opportunity to do that, depending on what it is as well as
taking into concerns, privacy concerns----
Mr. Cravaack. Well, taking into account your answer, sir,
my question would be, technically, if a person were able to,
you know, fabricate a pretty good fake ID, you could have the
same person at the same address flying on the same day,
practically at the same time, without interoperability of the
machines themselves. Would that be a correct statement?
Mr. Hoggan. Not necessarily because, the--ID, we have
confidence that the equipment could get it. The no-fly list,
sir, may I remind you, is connected through the airlines
reservation systems. So that check will be done behind the
scenes before the boarding pass is actually generated. So that
check should already have been done.
Mr. Cravaack. Okay. But in regards to just the ID
themselves, wherever there is an offensive measure, there is
always a countermeasure that will happen later on. We have seen
that through the years. As a military person, I understand that
completely. But the bottom line is this system does not track
travel patterns. It doesn't track who is flying on a certain
day or anything of that nature; it just takes a look at the
idea itself and goes from there. Is that correct?
Mr. Hoggan. That is correct, sir.
Mr. Cravaack. Okay. The other questions I have--how are
identifications of an ID--become--there is a question about the
ID itself. How is that situation then handled?
Mr. Hoggan. If an ID has some type of warning or notice
through the process, the TSO then takes a manual review of the
ID, depending on what the different criteria was that caused
the error. There is also opportunity in the SOP that a
supervisory TSO actually does another review on top of that as
well. Keep in mind we also still have a layered approach based
on the behaviors and whether it is the TSO watching or behavior
detection officers. But it is run through a next-level, second-
tier, third-tier review.
Mr. Cravaack. Well, my question is the technology could be
such that there is such a high rate of passengers subject to
additional screening because of the false alarm rate being set
at a high level that people could be going through security
and, really through no fault of their own, because they have a
valid ID, could also be subject to more intense scrutiny.
So I am a little concerned about that and what I have been
reading so far on the technology.
Mr. Hoggan. You are absolutely correct. Some of the
preliminary information we are finding during the testing
phase, and we want to go back and address those specific areas
of concern and go back with the vendors as relates to the
database as well as the algorithms and make those modifications
and changes.
It is currently performing very near the standard it is
supposed to be at in some areas. In others, it is not, and we
need to address that. So that is the intent of extending the
test and evaluation.
Mr. Cravaack. Has the TSA worked in conjunction with S&T
Directorate or the DOD?
Mr. Hoggan. Yes, sir. We work with S&T as it relates to our
operational test and evaluation. We are a DHS-approved testing
facility for this type of technology.
Mr. Cravaack. Okay, that is good to hear.
Mr. Lord, can you tell me that TSA--and, kind of, jumping
on what Ms. Jackson was saying, the TSA has said in the past,
at least in my readings, that this technology, the purchase of
this technology, would help reduce workforce needs?
Is that a true or incorrect statement?
Mr. Lord. I am not sure at this point, sir. I would have to
go back and look at the workforce projections. But, again, this
is not a piece of technology that works--I mean, it works in
conjunction with the transportation screen officer. He is still
standing at the platform and he is on--the technology gives you
read, essentially red light/green light, and he is the one that
has to interpret that and then make the judgment, in some cases
referred a person to secondary screening or another person for
review.
So it does not eliminate the need for a TSO, just to be
clear.
Mr. Cravaack. So it would not necessarily reduce workforce.
I have just been handed a note from our staff that S&T is
saying that they didn't play any role in your study, sir. So
seeing that time is over, will there be a second round, sir?
Okay. With that, sir, I will yield back.
Mr. Rogers. Thank you. The Chairman now recognizes Mr.
Walberg for any questions he may have.
Mr. Walberg. Thank you, Mr. Chairman.
Mr. Hoggan, currently this technology doesn't connect to
any other State or Federal database, as I understand.
Mr. Hoggan. That is correct, sir.
Mr. Walberg. To me, that seems like an obvious
vulnerability for coordination that generally you think would
be important. What plans does TSA have to link this technology
to other databases in the future?
Mr. Hoggan. It is something that we need to review once we
get the original requirements moving forward. That is in the
second phase, to make that determination. Originally, this
program was set to do ID authentication and then boarding pass
matching with the names. As we go forward in time, that is
definitely something we will review.
Mr. Walberg. Speaking of review, could you describe the
initial results from the operational testing and evaluation of
the technology at Dulles, at George Bush International--or
Intercontinental Airport, basically those airports, what were
the results of the operational testing?
Mr. Hoggan. Well, the operational testing just completed
last week, so they are providing the reports to me now. But the
anecdotal information I have been giving is that there are some
issues as it relates to boarding pass authentication, whether
it is encrypted with--you need to have 2D bar codes to have it
encrypted; 1D doesn't necessarily do that.
There are some issues when name matches, presentation of
names--first, last and changes. There are also some issues as
it relates to IDs.
You know, some States, like I said, with the 50 States and
the eight territories, there are 600 permeations. I have in my
pocket right now a Virginia State ID that is well over 5 years
old, but there are a lot of individuals who have different IDs.
So you also have problems with wear on the IDs, and
different security features on there that are causing problems,
as well. So these are the little things we are looking at.
There is a slight problem with one of the vendors as it relates
to reading mobile boarding passes. There are some changes that
have to be done on that.
But the exact specifics, I don't have a full document. This
is just anecdotal information I have from talking with
individuals.
Like I said, we just completed that. We are still in the
process. We haven't finished it. So if you would like, as soon
as I have that preliminary report I would be more than happy to
share it to the committee.
Mr. Walberg. I think we would appreciate that.
Mr. Hoggan. Okay, sir.
Mr. Walberg. In your view, how does the technology propel
TSA forward in a more economical threat-based--as a more
economical threat-based agency?
Mr. Hoggan. Economical in meaning the saving--the TSOs in
the process?
Mr. Walberg. Savings across the board.
Mr. Hoggan. Well, as Mr. Lord had said, the original
requirements document showed a processing rate of 240
passengers an hour, which is comparable to the planning,
staffing levels that we have today. So I will have to research
and find the documentation that, Chairman Rogers, you had
referred to, as well as you, sir, that it would be a savings.
Right now I don't project it to be a savings of staff. I
project it to be an increased opportunity to cover a
vulnerability that we have and have a better detection
capability as it relates to fraudulent IDs as well as ensuring
that the passenger is the one that has gone through the Secure
Flight engine.
But as it relates to the economics of saving FTE or TSOs, I
don't see that being the case right now. So I will have to
research the documents that you refer to.
Mr. Walberg. Thank you. Mr. Lord, given TSA's track record
of having a continuously expanding workforce, do you think that
this technology realistically could lead to a reduction in the
TSA workforce needs?
Mr. Lord. I am not sure at this point. We will have to wait
and see how the tests and evaluation phase goes. Again, that is
still being tested. So they anticipated some reductions
initially. But I always like to see how the testing goes before
finalizing my judgment.
The good news is they are conducting a separate operational
test and evaluation phase for the technology. As Mr. Hoggan
indicated, they are already identifying some issues with
throughput and character recognition, et cetera.
So that is--I mean, that is good. They are trying to fix
the bugs, so to speak.
Mr. Walberg. In your experience, Mr. Lord, when a
Government agency is planning procurement, do they generally
have a sense of what the cost will be?
Mr. Lord. Oh, yes. The DHS acquisition guidance requires
before you start purchasing, before--it is called--at the end
of the so-called analyze phase you are supposed to have a
validated life-cycle cost estimate. So you are supposed to have
a pretty good idea what your costs are going to be. It is not
sufficient to just generate a life-cycle cost estimate. You
have to have a review by an outside party to help ensure there
is no bias in their projections.
We note, at least with this program, as part of this
passenger screening program, the life-cycle costs for the
larger program is yet to be validated by an outside entity, so
that is something I raise in my statement today, a concern.
So, you know, we are not sure what the costs are gonna be
at this point.
Mr. Walberg. Thank you. I yield back.
Mr. Rogers. I thank the gentleman.
I want to pick back up where my questioning left off when I
had asked Mr. Hoggan the purpose of the CAT/BPSS. I would ask
Mr. Lord, do you believe the CAT/BPSS would identify terrorist
threat?
Mr. Lord. Well, that is a really important question. It is
oriented to detect the use of fraudulent IDs. There have been
some instances where--in the past where terrorists have been
exposed and--have used fraudulent IDs. But, again, you have to
make the overall judgment. The system is gonna cost over $100
million. Is it--it is gonna provide some incremental benefit.
Is it justifiable? I have not seen the cost-benefit analysis
that clearly lays that out. But there have been instances in
the past--terrorists have used fraudulent documents. So it
potentially could help address that vulnerability. But----
Mr. Rogers. I would ask either one of you if you are aware
if TSA's done a cost-benefit analysis of the potential costs
against the benefit that we would incur.
Mr. Hoggan or Mr. Lord, either one.
Mr. Lord. I haven't seen one. Mr. Hoggan could correct me
if needed.
But part of the problem is that a key component of that is
the life-cycle cost assessment, and that is not completed yet
because it hasn't been fully validated. So I am not sure how
they could do one because that is a big piece of it, having a
validated cost----
Mr. Rogers. Do you know, Mr. Hoggan?
Mr. Hoggan. Mr. Lord is correct, we actually submitted our
life-cycle cost estimate to DHS in November 2011. It came back
in the spring of 2012 for review and adjustment, as well as an
introduction of the risk analysis that is in review. We expect
to have it back to DHS inside of 30 days, sir.
Mr. Rogers. Do you know, Mr. Hoggan if the CAT/BPSS is in
any way based upon or pulling from intelligence about a known
terrorist threat? You know, one of my concerns when we were out
there was the no-fly list was not pegged against what it was
scanning for.
Mr. Hoggan. The no-fly list right now as I was talking to
the gentleman comes through the air carriers as it relates to
the issuance of the boarding passes. So that is how it is tied
into the system.
Now, if you are asking whether the system----
Mr. Rogers. So you are saying the boarding pass----
Mr. Rogers [continuing]. Pinged off the no-fly list?
Mr. Hoggan. Yes, sir, to be able to get the boarding pass
generated by the air carrier it must go through the Secure
Flight process.
Mr. Rogers. You know, the biggest threat that we are facing
right now when it comes to air security is the non-metallic
explosive device. Do you know if there is anything about this
other than detecting somebody is not who they pretend to be
that would detect an explosive device on the person?
Mr. Hoggan. No, sir. This is a credential authentication
and boarding pass authentication. It has got nothing to do with
screening of the passengers.
Mr. Rogers. Okay.
I want to go back to Mr. Walberg's questions. One of the
things I was wondering when they were demonstrating the devices
to our group was why would we still need TSOs--if they can
develop this technology so it has a higher degree of
proficiency and we feel comfortable that it will add benefit,
why would we need a TSO to put the driver's license or the
boarding pass in the machine? Why couldn't we let the passenger
do that and then if the green light goes off a little gate open
and they can walk on through? All you need is one TSO to watch
each of the gates to make sure people only going through on a
green light, or if somebody got a red light then go over and
interdict.
You know, why do we have to have just as many people--you
know, you go to McDonald's now and you pour your own Coca-Cola,
you know. Why can't we just take some of that approach?
Mr. Hoggan. Because we are--the technology is not there,
yet, sir, to be honest with you. As I said, this is the fourth
time we have gone through. The first time we put an RFP out we
had zero vendors that actually met our requirements. The second
time we had one, and we couldn't have a procurement with just
one vendor. This was in March, if I am not mistaken. I have it
written down, if--I can tell you the exact months if you want--
but it would have been in March 2009.
Then again it would have been--I am sorry--July 2009. Then
a third time there were no vendors that met the requirements,
the minimum requirements--in October 2010. This is the fourth
time they came through, which is April 2011.
In a perfect world, going forward in time, is that
technology matures, and part of our spiral development and
getting technology that meets our baselines, I could foresee
that happening. But as it exists today with the technology you
still have to have the TSO there to do a couple things.
The first thing that is most important is a visual check to
make sure that the picture on the ID matches the person----
Mr. Rogers. Right, right.
Mr. Hoggan [continuing]. That presents themselves, as well
as ensuring that the compliance of the boarding passes are
actually compliant in ensuring all the information is in there
as it relates to----
Mr. Rogers. See, the machine ought to do that, though.
Before you ever purchase that machine, the second----
I agree first item is a point that is valid. The second
item, that machine ought to tag that base.
Mr. Hoggan. You are absolutely correct. The machine does
that. But if the information is not provided accurately from
the carriers as they present the information on the boarding
pass, the machine can't read what is not there. So that is why
we continue to have outreach with the carriers to ensure that
we have the encryption and we have the information in the
specific fields in the boarding pass that we want in the bar
code----
Mr. Rogers. Right.
Mr. Hoggan. Provided we have that and we have a good
representation and a consistent representation of that
information of the passenger, I could accept your comment. But
right now it is not there.
Mr. Rogers. Well, you know, as I told you yesterday, one of
the things I would invite you all to do--and I have done this
with department heads across the entire Department--is to have
more of an open dialogue with the private sector about what you
are trying to do. I think you may find these goals are
achievable, including the self-service approach, if we think
about it and we talk about the subject matter with the private
sector before we do the RFP.
But thank you very much.
We will now go to Mr. Cravaack for a second round of
questions.
Mr. Cravaack. Thank you, Mr. Chairman.
Thank you, again.
I wanted to just say thank you for the prescreening for our
troops. Appreciate that. I mean, we are going to the risk-based
analysis, so thank you. It gives me a nice smile when I see a
trooper that is coming back from Afghanistan able to not be
strip-searched and able to get through. So thank you very much.
With that said, in regard to the risk-based analysis, the
deployment of the machines themselves, I have read, is going to
be evenly distributed throughout the system. Would that be a
correct statement?
Mr. Hoggan. The original deployment plan as listed in the
operations requirement document would be the purchase of 1,400
units, which simple math says if we have 2,800 lanes it is one
for every two, and that was what was in there.
As it relates to which ones go where and which sequence, if
in fact that we did purchase all 1,400 based on the
requirements, there would be threat-based and risk-based.
Mr. Cravaack. Okay.
Mr. Hoggan. It would be deployed at our higher-risk
airports----
Mr. Cravaack. Good.
Mr. Hoggan. I am sure JFK would get it before a much
smaller airport that only handles 10 passengers a day, sir.
Mr. Cravaack. Yes, as I understand it they were supposed to
be all deployed at one time, so that is----
Mr. Hoggan. Yes, that couldn't happen. We would never
deploy anything at one time.
Mr. Cravaack. Yes, okay.
Mr. Hoggan. It would be staggered based on risk, sir.
Mr. Cravaack. Yes, I read that.
Just to make sure that I understand what this system does,
it is a stand-alone system, is that correct? It isn't----
Mr. Hoggan. That is correct, sir.
Mr. Cravaack. No interoperability with any other Federal,
State, or airline databases, is that correct?
Mr. Hoggan. For the machine--correct.
Mr. Cravaack. At the same time, does not alleviate any
workforce demands upon the system, is that correct?
Mr. Lord. That is correct.
Mr. Cravaack. Okay.
We really don't have any source of action regarding false
alarm rates and, you know, how do we adjust for that and making
sure that the system works correctly and what we do with false
alarms and what kind of false alarm rate system we have, is
that correct?
Mr. Lord. Well, we are in a process of reviewing that with
DOE T&E. We have standards that we have for the machines to
choose it. But there will be a protocol in place to address
anything that is a false alarm not unlike what we had the day
with our other technology and checkpoints.
Mr. Cravaack. Okay, then with all that said, and I commend
your decision to not pursue rolling the system out until those
questions are answered, I can't support this program
whatsoever. Though like the Chairman says, the concept is
great, but we have to--before we do something like we did with
the puffer machines and spent a lot of the taxpayers' hard-
earned money on systems that don't work, I highly recommend,
sir, that you step back, reevaluate the situation and then make
sure that we have the proper procedures and the proper
equipment with the layered security that you were just--we all
want and need to make sure our traveling public is safe.
So with that, thank you very much sir, I appreciate all
your information, Mr. Lord as well.
I will yield back.
Mr. Rogers. I thank the gentleman.
The Chairman now recognizes Mr. Walberg for a second round
of questions.
Mr. Walberg. Thank you, Mr. Chairman.
Going back to analysis, Mr. Hoggan, did TSA use independent
cost validation?
Mr. Hoggan. We did not, I don't believe we did, sir.
Mr. Walberg. Okay, so no concern about looking, letting
someone outside look in?
Mr. Hoggan. It is my understanding that we performed with
the DHS acquisitions directorate but I will double check that.
I am not sure that that is in there. I will have to follow up,
I apologize, I will have to get information back with you on
that, sir.
Mr. Walberg. Then let me ask you, has TSA developed
procedures for the travel document checker if the technology we
are discussing at the checkpoint experiences a system failure,
would there be a TSO there trained in the lights and loupes
method?
Mr. Hoggan. Yes, absolutely sir, that would be a backup for
the procedure that we have in place, not unlike what actually
exists across the Nation.
Mr. Walberg. Any other backup other than that in case the
system goes down?
Mr. Hoggan. No, you would refer back to the process that we
have in place. Again, this is a huge vulnerability we hope to
cover and move it--refer back to what we are doing today.
Mr. Walberg. Thank you.
Mr. Lord, you have got definitely a lot of experience in
assessing weaknesses in TSA's past procurements. What concerns
me and I think our committee is that it appears that the TSA is
not applying lessons learned from its past missteps to this
procurement.
Can you discuss some of the problems that you identify with
TSA's procurement process for this technology thus far?
Mr. Lord. In general, the lessons learned have been a
three-fold. First, it is important to test and evaluate any
technology you are procuring. It is important to have clear
requirements set up front so you can measure what are the--
requirements. It is also important to adhere to, you know, to
document the major decisions. These are some of the lessons
learned.
We have found in the past and specific to this platform,
one thing Mr. Hoggan noted as there could be some issues
related to throughput, which is related to throughput, which
is, you know, an important consideration to look at when you
are evaluating the technology. So rather than change the
requirements, we would like to know: Is TSA going to respond to
that concern?
Well they hopefully take a little longer and work with the
vendor and ensure they get the throughput they are looking for
rather than modify and of the, you know, the requirements.
Mr. Walberg. Okay.
Thank you.
I yield back.
Mr. Rogers. Just one point of clarification, Mr. Hoggan. In
response to Mr. Walberg's question, you referred to this false
identification problem as being a huge vulnerability. Could you
expand on that? What did you mean by it?
Mr. Hoggan. It is a vulnerability, I am sorry if I said
huge. But there is a vulnerability that we need to ensure that
the----
Mr. Rogers. Well I agree. When you said huge, it made me
think that this was a much more prominent problem----
Mr. Hoggan. I am sorry, I meant a vulnerability----
Mr. Rogers. Right, right.
Mr. Hoggan [continuing]. Not a huge vulnerability.
Mr. Rogers. I knew that we had occasional false IDs, I
didn't think it was happening that much except down on the
border now, we have them all the time coming in our ports of
entry down in El Paso and other places. So we might see this
technology being used in some of those ports of entry,
hopefully only at a much lower cost because these numbers are
pretty staggering.
But with that, I want to thank the witnesses for their
time. I will remind you that the Members who could not be here
because of conflicts may have questions and these Members as
well as I may have some additional questions we will submit to
you in writing.
So for the next 10 days, this hearing will remain open for
that purpose. If you do get those written questions, I would
ask that you provide timely responses to those. Thank you
again.
This hearing is adjourned.
[Whereupon, at 2:17 p.m., the subcommittee was adjourned.]
|
NEWSLETTER
|
|
Join the GlobalSecurity.org mailing list
|
|
|
