The open nature of public transit systems makes them attractive targets for attack and also difficult to secure. Last year, a report noted that the United States had taken the lead among economically advanced countries in both the total number of incidents on public transit and the number of incidents with fatalities. On April 12, 2022, for example, a shooter opened fire in a subway car in New York City, injuring at least 10 passengers.
The Federal Emergency Management Agency (FEMA) manages the Transit Security Grant Program (TSGP), a discretionary grant program that provides grants to public transit agencies to protect critical transportation infrastructure and the traveling public from terrorism.
But the Government Accountability Office (GAO) has found that FEMA did not always follow the correct process when providing security improvement grants to public transit agencies.
The Transportation Security Administration (TSA) is the primary federal agency responsible for security in all modes of transportation in the United States, including mass transit and passenger rail, and provides subject matter expertise to support FEMA’s management of the TSGP. For example, TSA shares security information with FEMA to inform program policy and funding priorities and shares information about transit agencies to support FEMA’s assessment of applicants’ eligibility. TSA supports FEMA’s risk assessment process by providing FEMA with relevant risk information. TSA also assists FEMA in developing TSGP award recommendations each year.
GAO found that FEMA awarded nearly three-quarters of grants ($614 million) to public transit agencies for law enforcement activities ($245.2 million) and equipment ($211.5 million) from fiscal years 2015 through 2021. FEMA awarded remaining grants for infrastructure projects, training and exercises, public awareness campaigns, and planning.
Officials from various transit agencies told GAO that they often do not apply to FEMA for security projects, in part, because TSGP does not have enough money available to fund the types of projects they require given their high cost. Therefore, the amount of funding available affects transit agencies’ decisions about what to submit for funding. Officials mentioned the use of alternative funding sources such as Federal Transit Administration grants or the transit agency’s capital budget.
While GAO said FEMA’s award process was consistent with some relevant federal grant requirements, the watchdog found it did not meet other requirements for transparency of award decisions. Specifically, GAO said FEMA did not accurately describe its grant scoring criteria in the program’s fiscal year 2021 Notice of Funding Opportunity, as required. By accurately describing the criteria it uses to score grant applications, FEMA could improve transparency and help ensure applicants make informed decisions when applying.
FEMA described the merit review process to competitively score applications in its Notice of Funding Opportunity, but GAO said it did not use the results of its process as the sole basis for award decisions. For example, the watchdog found FEMA awarded grants to lower-scoring applications between fiscal years 2015 and 2021. By not selecting applications to recommend for award in accordance with its publicly disclosed merit review process, GAO said FEMA risked affecting the objectivity, fairness, and transparency of the process and could face questions about the integrity of the decisions.
GAO’s review also found that FEMA assessed physical terrorist threats to transit agencies, as well as their vulnerabilities to, and the estimated consequences of, an attack, in fiscal year 2021, but did not consider cyber threats in its risk model.
Transit systems rely on technology and internet-connected devices to manage and secure certain business functions, such as websites or communications, increasing their risks from a cyberattack. Transit agencies also increasingly rely on networked systems for tracking, signals, and operational controls of transportation equipment and services, such as computer-based systems that control signaling and train speed. Cyberattacks have the potential to significantly affect both business information systems and operational control systems. Officials from 15 of the 23 transit agencies GAO interviewed cited cyberattacks when asked about top threats facing their transit systems.
The Department of Homeland Security (DHS) introduced cybersecurity as a National Priority for TSGP in fiscal year 2019, indicating that cyberattacks are a relevant threat to transit agencies. However, GAO found that FEMA considered cyber threats for other risk-based grant programs it manages but not for the TSGP. In fiscal year 2021, FEMA incorporated data on cyber threats into its risk model for the State Homeland Security Program and Urban Area Security Initiative grant programs.
FEMA officials told GAO that in fiscal year 2021 they considered incorporating the cyber threats data used in the State Homeland Security Program and Urban Area Security Initiative risk model into the TSGP risk model. Officials said they consulted with TSA and the Office of Intelligence and Analysis and determined the data were too broad for the TSGP risk model. Specifically, FEMA officials said they did not add the cyber threats data to the TSGP risk model because the data reflect cyber threats to urban areas as a whole, rather than to individual transit agencies. GAO pointed out that in the case of physical threats, FEMA already considers threats to urban areas to be a valid representation of threats to the transit agencies that operate within those areas. FEMA officials responded that they are working to identify an alternative cyber threats data source that could be appropriate for the TSGP risk model.
Finally, GAO found that FEMA’s documentation for the TSGP risk model did not consistently include information that would enable users or reviewers of the model to understand the underlying assumptions and justifications that form the basis for the model. According to FEMA officials, they do not document these decisions because they come from informal conversations. However, they acknowledged that the reasoning underlying these decisions could be unclear to others reviewing the model at a later date.
GAO has made four recommendations to DHS to help TSGP better serve transit agencies across the United States.
- Ensure that FEMA accurately describes all the criteria that it uses to score applications in the TSGP’s Notice of Funding Opportunity, to include how associated weights are applied.
- Ensure that FEMA selects TSGP project applications to recommend for award in accordance with FEMA’s publicly disclosed merit review process, to include scoring criteria published in the Notice of Funding Opportunity.
- Ensure that the Administrator of FEMA incorporates cyber threats into the TSGP risk model.
- Ensure that the Administrator of FEMA documents the underlying assumptions and justifications for the TSGP risk model, to include the rationale used to assign weights to components.
DHS concurred and set out planned actions such as adding a cyber data element to the risk model if an appropriate data source can be identified. DHS expects all recommendations to be implemented by the end of December 2024.