The Office of Inspector General (OIG) has found issues with covert testing at U.S. Customs and Border Protection (CBP). The watchdog found that CBP does not comprehensively plan and conduct its covert tests, use covert test results to address vulnerabilities, or widely share lessons learned.
CBP has established two groups responsible for covert testing: CBP’s Operational Field Testing Division (OFTD) conducts covert testing operations at U.S. ports of entry and border checkpoints. Border Patrol’s Checkpoint Program Management Office (CPMO) oversees the Checkpoint Internal Assessment Program (CIAP), which requires Border Patrol sectors with permanent checkpoints to conduct annual internal assessments (covert tests).
OIG’s review found that neither of these two covert testing groups uses risk assessments or collaborates with intelligence partners to plan and conduct tests that identify weaknesses throughout CBP. Inspectors also noted that the groups do not coordinate with each other to plan tests that prevent duplication of effort. In addition, the groups primarily design tests for single ports or sectors rather than planning repeatable tests for multiple locations, which would help identify systemic vulnerabilities.
In 9 of 10 test operations plans with 21 test scenarios OIG reviewed, OFTD did not document the risk-based rationale for choosing the test types or locations. Instead, the operations plans covered logistics, such as travel information and local points of contact.
In 2017, OFTD provided an intelligence assessment of operations at the Miami port and risks to the cruise industry. However, OIG could not connect any of OFTD’s subsequent testing activities to the priorities identified by the risk assessment. OFTD officials acknowledged that the risk assessment was not a typical product for them, that they did not use it to direct testing, and that OFTD has no plans to produce that type of risk assessment in the future. OFTD also could not demonstrate that it prioritized tests based on available intelligence, and it did not collaborate with intelligence divisions to produce overall risk assessments that aligned testing with high-risk areas.
Border Patrol also failed to prepare risk or intelligence assessments or document the rationale for the types of tests conducted. Lacking any central guidance, Border Patrol sector leadership independently chose the types of tests to conduct and which checkpoints to test, based on its preferences for type or location of the test.
The review also uncovered a lack of coordination between OFTD and Border Patrol. OIG found this was largely because CBP leadership had not directed the groups to coordinate, and also because of the belief that different sectors and ports face different threats.
CBP does not plan system-wide covert tests to detect broad-based vulnerabilities. For an example of how to plan such tests, OIG examined policies and procedures of the Transportation Security Administration’s (TSA) covert testing group. TSA’s process allows testers to use the same test scenario at multiple locations to determine whether a weakness, and thus a threat, exists throughout the component. TSA requires detailed project plans that include the purpose of the testing project, the threat item, scenario, and the test methodology. The procedures also typically require sections for assumptions, deliverables, milestones, and a testing schedule.
Conversely, neither CBP testing group plans or conducts repeatable, systemic covert tests. Officials told OIG that they have not been given the authority to do so. In addition, CBP testing groups are not conducting systemic tests because CBP has not established specific performance goals or measures that covert testing groups should accomplish or demonstrate.
OIG also found that the CBP groups are not sharing test results or lessons learned post-covert testing and that they only make recommendations in limited instances. Furthermore, the review found that neither group ensures that these recommendations to resolve the local vulnerabilities are acted upon. CBP also does not track the implementation of such actions.
According to OIG, CBP does not manage its covert testing groups to ensure data reliability, completeness, and compliance with security requirements. It said OFTD entered only 21 percent of covert testing results into the testing database. A new database is currently in development but staff told OIG they did not know when this would be ready for use.
OFTD also did not ensure its reported test results complied with security requirements. OIG reviewed 31 test reports marked classified by OFTD staff. All reports were missing some paragraph markings to indicate which sections of the document were classified, and 26 of the reports were missing classification blocks describing the author, classification authority, and declassification date. OIG could not determine whether supervisors reviewed reports prior to their dissemination because the reports were unsigned and undated. Further, OFTD officials could not specify why they classified the documents nor could they provide the classification guide they had used. OIG reported this to CBP’s point of contact for security classification issues, who later determined OFTD had over-classified the documents.
OIG attributes the ineffective data management and the security compliance issues to multiple leadership changes at the Office of Intelligence (OI) and CPMO and to limited staff with competing priorities. Specifically, OFTD has had multiple directors and acting directors since its move to OI, which inhibited its ability to develop standard operating procedures (SOPs) such as those used by TSA.
OIG’s report inevitably makes several recommendations:
- The Deputy Commissioner of CBP should develop and implement policies to ensure CBP’s covert testing groups develop risk-based annual covert test plans and identify systemic tests; distribute test results throughout the organization; make recommendations; and implement and track corrective actions.
- The Deputy Commissioner of CBP should study the effectiveness of maintaining multiple covert testing groups, and if CBP maintains multiple groups, OIG recommends specifying roles, responsibilities, and requirements for coordination to eliminate redundancies.
- The CBP Executive Director of Policy should assign roles and responsibilities for planning and conducting covert tests, making recommendations, and overseeing corrective actions.
- The Deputy Commissioner of CBP should assess organizational placement and resources of OFTD to determine the best placement in CBP’s organizational chart, and provide OFTD with the authority to plan and conduct independent, systemwide tests, make recommendations, and track corrective actions.
- The Assistant Commissioner of OI and Border Patrol’s Chief of Law Enforcement Operations Directorate should direct covert testing entities to develop and implement both performance measures and standard operating procedures including processes for determining data to be included in test reports, data quality monitoring, and supervisory review.
- The Assistant Commissioner of Office of Intelligence and Border Patrol’s Chief of Law Enforcement Operations Directorate should direct covert testing entities to develop and implement databases to record test results, recommendations, and the status of corrective actions.
- The Assistant Commissioner of the Office of Intelligence should direct all OFTD staff to review all prior and future classified reports to ensure they are properly marked to protect national security information.
CBP concurred with the recommendations and aims to complete work to action these by April 30, 2021. It did, however, express concern that the OIG report contains “several inaccurate representations”, including the definition of risk applied to CBP’s testing methodologies. CBP asserted its senior managers drive the component’s covert testing activities to identify unknown risk versus known risk. The results of these tests inform its risk assessments instead of using risk assessments to inform covert testing. OIG argues that this methodology does not meet the risk-based testing requirement of the Trade Facilitation and Trade Enforcement Act of 2015. Further, the watchdog points out that the DHS Risk Lexicon defines risk-based decision making as determining a course of action predicated primarily on the assessment of risk and using the assessment of risk as the primary decision driver.
CBP also asserted that its covert test groups do not measure operational success by detection and interdictions. OIG argues that this statement conflicts with what CBP reports as key responsibilities for its staff, as well as factors CBP uses to support its annual budget requests.
Regardless of these interpretations, it is clear that improvement is needed to overcome the weaknesses addressed in OIG’s report, which were impacted by multiple leadership changes within the CBP testing groups.
Almost exactly one year ago, in August 2019, a Government Accountability Office report recommended that CBP implement a policy to conduct periodic comprehensive analyses of covert test findings. Then, CBP said it was already in the process of writing a policy that would document procedures for comprehensive reporting, including periodic reviews of corrective actions taken to mitigate vulnerabilities.
Effective covert testing is an essential part of a multi-layered strategy for guarding against dangerous people and materials. Clear authority and direction, along with performance measurement and data sharing, will get CBP covert testing back on track.