This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

GAO

Accountability * Integrity * Reliability

United States General Accounting Office
Washington, DC 20548

June 4, 2004

The Honorable Joseph I. Lieberman
Ranking Minority Member

Committee on Governmental Affairs

United States Senate

The Honorable Jim Turner

Ranking Minority Member

Select Committee on Homeland Security

House of Representatives

In November 2001, shortly after the September 11 terrorist attacks,
President Bush signed into law the Aviation and Transportation Security
Act, or ATSA (Pub. L. No. 107-71). The act established the Transportation
Security Administration (TSA), giving it responsibility for securing all
modes of transportation, including aviation. One of TSA's first challenges
imposed by the act was to improve the security of airline passenger and
baggage screening activities, activities for which TSA has direct
responsibility. The agency is also taking action to address provisions of
the act to improve three other areas of aviation security: the security of
airport perimeters (such as airfield fencing and access gates), the
adequacy of controls restricting unauthorized access to secured areas
(such as building entry ways leading to aircraft), and security measures
pertaining to individuals who work at airports. Recent media reports of
security breaches and other illegal activities, such as drug smuggling,
taking place at some airports highlight the importance of strengthening
security in these areas. Taken as a whole, these areas, along with
passenger and baggage screening, comprise key elements of the aviation
security environment at commercial airports, both individually and as a
nationwide system.

You requested that we examine TSA's efforts to strengthen security related
to perimeter and access controls. This report assesses TSA's efforts to
(1) evaluate the security of airport perimeters and the controls that limit
access into secured airport areas, (2) help airports implement and enhance
perimeter security and access controls by providing funding and technical
guidance, and (3) implement measures to reduce the potential security
risk posed by airport workers. Due to TSA's concern that the public
release of some of our detailed findings could compromise aviation
security, we also issued a restricted version of this report.

To perform these assessments, we analyzed TSA data on security evaluations conducted and funds distributed to commercial airports for security improvements. We also reviewed pertinent legislation, regulatory requirements, and policy guidance. To determine to what extent TSA had met requirements, we discussed with our Office of General Counsel specific requirements contained in three sections of the act:

Section 106 (requirements for evaluating airport access controls, testing and evaluating security technologies, and providing technical and financial support to small and medium-sized airports);

Section 136 (recommending commercially available measures to prevent access to secure airport areas and developing a deployment strategy for available technology at all large airports); and

Section 138 (performing background checks for all employees with unescorted access to secured airport areas, among others).

We obtained and analyzed TSA data on security breaches, covert testing, inspections of airport compliance with security regulations, and vulnerability assessments. (TSA's covert testing data and information on the test program are classified and are the subject of a separate classified GAO report.) We discussed the threat scenarios used in TSA vulnerability assessments with TSA officials to identify those related to perimeter and access control security. We obtained and analyzed data from the Federal Aviation Administration (FAA) and TSA on perimeter and access controlrelated security funds distributed to commercial airport nationwide. We reviewed reports on aviation security issued previously by GAO and the Department of Transportation Inspector General.

In addition, we conducted site visits at 12 commercial airports to observe airport security procedures and discuss issues related to perimeter and access control security with airport operator officials. These were Boston Logan International Airport, Atlanta Hartsfield Jackson International Airport, Ronald Reagan Washington National Airport, Washington Dulles International Airport, Orlando International Airport, Tampa International Airport, Miami International Airport, Los Angeles International Airport, San Francisco International Airport, Middle Georgia Regional Airport, Chattanooga Metropolitan Airport, and Columbus Metropolitan Airport. At 10 of these airports, we analyzed a sample of records to verify that the procedures to reduce the security risk of airport workers were followed. We also discussed security issues with TSA airport and headquarters officials, airport security coordinators at each of the nation's 21 largest

Results in Brief

and busiest airports (referred to by TSA as "category X" airports), as well as airport industry representatives. More detailed information on our scope and methodology is contained in appendix I. We conducted our review from June 2003 through March 2004 in accordance with generally accepted government auditing standards.

TSA has begun evaluating the security of airport perimeters and the
controls that limit access into secured airport areas, but has not yet
determined how the results of these evaluations could be used to make
improvements to the nation's airport system as a whole. Specifically, TSA
is conducting regulatory compliance inspections, covert testing of selected
security procedures, and vulnerability assessments at selected airports.
These evaluations-though not yet completed-have identified perimeter
and access control security concerns. For example, TSA identified
instances where airport operators failed to comply with existing security
requirements, including access control-related regulations. (Our
evaluation of TSA's covert testing of airport access controls is classified
and is discussed in a separate classified report.) In addition, TSA identified
threats to perimeter and access control security at each of the airports
where vulnerability assessments were conducted in 2003. In January 2004,
TSA temporarily suspended its assessment efforts to conduct higher-
priority vulnerability assessments dealing with airport vulnerability to
shoulder-fired missiles. TSA plans to begin conducting joint vulnerability
assessments with the Federal Bureau of Investigation (FBI) but has not yet
determined how it will allocate existing resources between its own
independent airport assessments and the new joint assessments, or
developed a schedule for conducting future vulnerability assessments. In
addition, TSA has not yet determined how to use the results of its
inspections in conjunction with its efforts to conduct covert testing and
vulnerability assessments to enhance the overall security of the nation's
commercial airport system.

TSA has helped some airports enhance perimeter and access control security by providing funds for security equipment, such as electronic surveillance systems. TSA has also begun efforts to evaluate the effectiveness of security-related technologies, such as biometric identification systems. Responsibility for funding most airport security projects shifted in December 2003 from FAA to TSA. As a result, TSA is developing new policies to determine how to review, approve, and prioritize security project funding. However, TSA has not yet begun to gather data on airport operators' historical funding of security projects and current needs to aid the agency in setting funding priorities. Nor has