The Transportation Security Administration (TSA) has not yet resolved recommendations the Department of Homeland Security (DHS) Inspector General (IG) made earlier in two key areas: security requirements in the Security Technology Integrated Program, a data management system that connects airport screening equipment to servers, and TSA’s responsibility for maintaining closed-circuit televisions, including cameras, at airports. That is according to the IG’s redacted final Summary Report on Audits of Security Controls for TSA Information Technology Systems at Airports.
“TSA officials indicate it will take time, money and contract changes to include security requirements in the Security Technology Integrated Program,” and “also disagrees that closed-circuit televisions, including cameras at airports, are TSA’s responsibility,” the IG said.
The IG previously “reported on deficiencies regarding security controls for the TSA’s information technology (IT) systems at airports. This report summarizes the previous reports and analyzes the effectiveness of TSA’s actions to implement improved IT security policies at these critical sites.”
According to the IG, it previously identified numerous deficiencies in security controls for TSA’s IT systems and equipment at airports. These deficiencies included inadequate physical security for TSA server rooms at airports, unpatched software, missing security documentation, and incomplete reporting of IT costs. “TSA has undertaken various actions to address the recommendations we made in these reports. Based on our review of the corrective actions taken as of May 2016, we consider most of the recommendations resolved and closed.”
But “as a result of our analysis to compile this report,” the IG stated it’s “making two new recommendations to improve security controls for TSA’s IT systems at airports. Specifically, TSA needs to assess the risk of not having redundant data communications capability to sustain operations at airports in case of circuit outages. Additionally, while TSA has undertaken reviews of security controls for its IT systems at airports, it would benefit from establishing a plan to conduct the reviews on a recurring basis nationwide.”
In his introductory letter accompanying the final summary report, IG John Roth also “lodge[d] an objection regarding the way that TSA has handled information in the report it considered Sensitive Security Information (SSI).”
The IG stated, “The redactions are unjustifiable and redact information that had been publicly disclosed in previous Office of Inspector General reports. I am challenging TSA’s proposed redactions to our summary report based on the following:”
- On page 5 of the Dallas/Ft. Worth audit report, Audit of Security Controls for DHS Information Technology Systems at Dallas/Ft. Worth International Airport (OIG-14-132, September 5, 2014), the IG reported 12 server rooms reviewed showed warning lights signaling that batteries needed to be replaced or were being bypassed. On page 7 of the same report, the IG listed the temperature and humidity readings for the 12 server rooms. TSA did not mark this information as SSI in the Dallas/Ft. Worth audit report, but has opted to redact this same information on page 8 of the IG’s draft summary report.
- In the IG’s report, Audit of Security Controls for DHS Information Technology Systems at John F. Kennedy International Airport, (OIG-15-18, January 7, 2015), the IG discussed TSA’s fire protection systems in airport server rooms. A table on page 9 of the report listed the server rooms by name and terminal location. Again, TSA did not redact this information in the John F. Kennedy audit report, but has marked this same information as SSI on page 9 of the IG’s draft summary report.
- On page 21 of the IG’s draft summary report, TSA has requested redacting average high vulnerabilities reported at San Francisco International Airport, based on a vulnerability assessment scan the IG performed on servers at the airport. However, the prior report, Audit of Security Controls for DHS Information Technology Systems at San Francisco International Airport (OIG-15-88, May 7, 2015), listed on page 21, table 5, the servers and number of high vulnerabilities, as well as the number of critical high vulnerabilities. TSA did not redact this information in the prior report.
- TSA is requesting the words ‘TSA is Not Scanning STIP Servers’ on page 24 of the draft summary report be classified as SSI for three specific airports. However, TSA is not requesting the same redactions for the John F. Kennedy, San Francisco and Orlando airports listed on the same page. Moreover, the IG previously publicly reported that TSA was not scanning STIP servers for technical vulnerabilities, without TSA’s objection.
- TSA is requesting the number of deficiencies identified on pages 8 and 9 of our draft summary report regarding server and telecommunications rooms at Dallas/Ft. Worth, John F. Kennedy, San Francisco and Orlando airports be classified as SSI. However, TSA is not requesting similar information be redacted for the Washington Dulles, Ronald Reagan, Los Angeles, Chicago O’Hare and Hartsfield-Jackson Atlanta airports on the same pages.
- On page 52 of the IG’s draft summary report, TSA is requesting redaction of information on whether technical control issues existed at the John F. Kennedy, San Francisco and Orlando airports. However, TSA is not requesting that comparable information be redacted for all of the other airports listed in the same table.
Consequently, the final summary report stated, the IG “can only conclude that TSA is abusing its stewardship of the SSI program. None of these redactions will make us safer and simply highlight the inconsistent and arbitrary nature of decisions that TSA makes regarding SSI information. This episode is more evidence that TSA cannot be trusted to administer the program in a reasonable manner.”
“This problem is well-documented. In addition to my previous objection to the handling of one of our reports, the House Committee on Oversight and Government Reform in 2014 issued a bipartisan staff report finding that TSA had engaged in a pattern of improperly designating certain information as SSI in order to avoid its public release because of agency embarrassment and hostility to Congressional oversight,” Roth said, noting, “As recently as a hearing held this summer, Rep. John Katko (R-NY) of the [House] Committee on Homeland Security, Subcommittee on Transportation Security, stated that the improper invocation of SSI ‘raised the specter that we’ve heard again and again about TSA conveniently using the security classifications to avoid having public discussions about certain things that may be unpleasant for them to discuss in public.’”
In response to a request from House Committee on Homeland Security Chairman Mike McCaul (R-TX), Katko and Oversight and Management Efficiency Subcommittee Chairman Scott Perry (R-PA), the IG has initiated a review of TSA’s management and use of the SSI designation, stating, “We expect to issue our final report in the summer of 2017.”
“Inconsistently and inappropriately marking information in our reports as SSI impedes our ability to issue reports to the public that are transparent without unduly restricting information, which is key to accomplishing our mission and required under the Inspector General Act,” Roth said. “In order to meet our timeliness requirements, we are publishing this report with the redactions as requested. However, this letter serves as our formal direct appeal to the Administrator of TSA to remove the above-listed redactions.”