The Transportation Security Administration (TSA) announced this week its PreCheck application program reached a new milestone with more than 1 million travelers enrolled. The announcement came just as the agency drew fire for allowing a former member of a domestic terrorist group convicted of murder and other crimes involving explosives “was permitted to travel with expedited screening through the PreCheck process,” according to a Department of Homeland Security (DHS) Inspector General (IG) investigation.
The redacted public version of the IG’s report, Allegation of Granting Expedited Screening Through TSA PreCheck Improperly, “stemmed from a whistleblower disclosure which alleged that a notorious felon was improperly cleared for TSA PreCheck screening and was allowed to use the PreCheck lanes.”
“In general, we concluded that while TSA PreCheck is a positive step toward risk-based security screening, modifications are necessary,” the IG’s report stated.
Operating since October 2011, TSA PreCheck is an expedited screening program that enables low-risk travelers to enjoy a smart and efficient screening experience. The application program allows US citizens and lawful permanent residents to directly apply for TSA PreCheck. Once approved, travelers receive a “Known Traveler Number” and will have the opportunity to utilize TSA PreCheck lanes at 133 US airports when flying on 11 participating carriers.
There are more than 330 application centers nationwide, including locations at 31 airports.
The Aviation and Transportation Security Act of 2001 authorizes TSA to implement trusted passenger programs and use available technologies to expedite security screening of participating passengers. The intent is to allow airport security personnel the ability to focus more extensive screening on higher-risk and unknown populations. The TSA PreCheck trusted traveler initiative is a component of TSA’s intelligence-driven, risk-based security approach to identify low-risk passengers for expedited airport checkpoint screening.
House subcommittee investigates
During a hearing Wednesday by the House Committee on Homeland Security Subcommittee on Transportation Security, Roth and Jennifer Grover, director of homeland security and justice issues at the Government Accountability Office (GAO), discussed their respective audits and investigations into TSA’s PreCheck program and processes.
Roth’s testimony focused on the unclassified and non-Sensitive Security Information (SSI) results of his office’s two recent inspection reports. The SSI version of the publicly disclosed report Homeland Security Today reported on was discussed in greater detail during a closed session by the subcommittee.
“We determined that, as a concept, TSA PreCheck is a positive step towards risk-based security screening. However, TSA needs to modify TSA PreCheck vetting and screening processes,” Roth said. “We also determined that TSA PreCheck communication and coordination need improvement.”
“In addition,” Roth told the panel, “we responded to a whistleblower disclosure concerning the use of a risk-based rule by the TSA Secure Flight program that may create a gap in aviation security.”
The SSI inspection results were made available to the subcommittee.
"Over the last three years, TSA has adopted a more common sense, risk-based approach to passenger screening through the implementation of its PreCheck program. PreCheck has fundamentally changed the way Americans think about passenger screening in a post-9/11 world, and I believe it should continue expanding. However, in order to do so, the program should grow and mature in a manner that saves taxpayer dollars and improves the experience of the traveling public while not compromising security in any way,” said subcommittee chairman John Katko (R-NY).
According to the IG, “The US Office of Special Counsel (OSC) received a whistleblower disclosure alleging a sufficiently notorious convicted felon was improperly cleared for TSA PreCheck screening, creating a significant aviation security breach. The disclosure identified this event as a possible error in the TSA Secure Flight program since the traveler’s boarding pass contained a TSA Pre indicator and encrypted barcode. On October 16, 2014, OSC referred this allegation to the Secretary of Department of Homeland Security. The Department subsequently requested our assistance with this allegation.”
Homeland Security Today earlier reported that the IG’s report stated, “After an extensive investigation of the allegation and assessment of the TSA PreCheck initiative, we determined that TSA provided a TSA PreCheck indicator and barcode on the traveler’s boarding pass. After checking the traveler’s boarding pass and identification, an alert Transportation Security Officer (TSO) at the airport recognized the felon and alerted his supervisor. However, the supervisor directed the TSO to take no action and allow the traveler to continue through the TSA PreCheck lane.”
The IG stated that TSA had never granted or vetted the personfor TSA PreCheck screening through the TSA Pre Application Program or Managed Inclusion (MI). TSA granted the traveler TSA PreCheck screening through risk assessment rules in the Secure Flight program. TSA’s use of [redacted] to provide TSA PreCheck screening to unknown passengers creates an aviation security vulnerability. We recommend TSA [redacted] limit TSA PreCheck screening to known passengers that TSA determines to be members of trusted populations.”
The IG’s report on the TSA PreCheck breach said it had “determined the Transportation Security Officer followed standard operating procedures, but did not feel empowered to redirect the traveler from TSA PreCheck screening to standard lane screening.”
Roth told the subcommittee that, “To further illustrate the need for modification of TSA PreCheck vetting and screening processes, we issued a letter report this month that found a notorious felon convicted of domestic terrorism crimes was granted TSA PreCheck screening through Secure Flight risk assessment rules. We reviewed the allegation after the Office of Special Counsel received a whistleblower disclosure alleging the convicted felon was improperly cleared for TSA PreCheck screening.”
The IG said, “We determined TSA did not grant the convictedfelon TSA PreCheck screening through the TSA PreCheck Application Program or managed inclusion, but rather, through risk assessment rules. Specifically, the Transportation Security Officer in this case scanned the traveler’s boarding pass and received a TSA PreCheck eligibility notification. The TSO knew of the traveler’s disqualifying criminal conviction. The TSO followed the standard operating procedure and reported this to the supervisory TSO who then directed the TSO to take no further action and allow the traveler through the TSA PreCheck lane.”
“As a result, we recommended TSA limit TSA PreCheck screening to known passengers that TSA determines to be members of trusted populations,” Roth testified. “We also determined the TSO followed standard operating procedures but did not feel empowered to redirect the traveler from TSA PreCheck screening to standard lane screening. We recommended TSA modify standard operating procedures to clarify TSO and supervisory TSO authority to refer passenger with TSA PreCheck boarding passes to standard screening lanes when they believe the passenger may be a threat to transportation security.”
TSA uses the following methods to assess whether a passenger is low risk and therefore eligible for expedited screening:
- Approved TSA PreCheck lists of known travelers. These lists are comprised of individuals whom TSA has determined to be low risk by virtue of their membership in a specific group, such as active duty military members, or based on group vetting requirements.
- Automated TSA PreCheck risk assessments of all passengers. Using these assessments, TSA assigns passengers scores based upon information available to TSA to identify low risk passengers eligible for expedited screening for a specific flight prior to the passengers’ arrival at the airport.
- Real-time threat assessments through Managed Inclusion. These assessments use several layers of security, including procedures that randomly select passengers for expedited screening, behavior detection officers who observe passengers to identify high-risk behaviors, and either passenger screening canine teams or explosives trace detection devices to help ensure that passengers selected for expedited screening have not handled explosive material. TSA developed Managed Inclusion as a tool to improve the efficiency of dedicated TSA PreCheck screening lanes as well as to help TSA reach its internal goal of providing expedited screening to at least 25 percent of passengers by the end of calendar year 2013.
“TSA has tested the effectiveness of individual Managed Inclusion security layers and determined that each layer provides effective security. However, GAO has previously identified challenges in several of the layers used in the Managed Inclusion process, raising concerns regarding their effectiveness,” Grover told the subcommittee.
“For example,” she testified, “in November 2013, GAO found that TSA had not demonstrated that behavioral indicators can be used to reliably and effectively identify passengers who may pose a threat to aviation security. TSA is taking steps to revise and test the behavior detection program, but the issue remains open.”
In December 2014, she said, GAO also “reported that TSA planned to begin testing Managed Inclusion as an overall system in October 2014 and TSA estimated that testing could take 12 to 18 months to complete. GAO has previously reported on challenges TSA has faced in designing studies to test the security effectiveness of other programs in accordance with established methodological practices such as ensuring an adequate sample size or randomly selecting items in a study to ensure the results can be generalizable — key features of established evaluation design practices.”
Grover stated that, “In March 2015, TSA officials noted that a pilot for testing behavior detection officers was scheduled to run from October 2014 through May 2015, and testing of canines was scheduled to begin in June 2015 and be completed in March 2016. Ensuring its planned testing of the Managed Inclusion process adheres to established evaluation design practices will help TSA provide reasonable assurance that the testing will yield reliable results.”
DHS concurred with GAO’s recommendation and is taking action to address it.
Recommendations and responses
Conversely, Roth told the subcommittee, “We are concerned about TSA’s response to our findings. In the first inspection report, we made 17 recommendations and TSA did not accept the majority of these recommendations. In the second inspection, we made three recommendations but TSA nonconcurred with two. We made two recommendations in the third report and TSA concurred with only one. We are disappointed that TSA did not concur with the majority of our recommendations, and we believe this represents TSA’s failure to understand the gravity of the situation.”
In response, TSA Chief Risk Officer Kenneth Fletcher told the subcommittee that, “The DHS Office of Inspector General recently concluded an audit of TSA PreCheck and made 17 recommendations, of which 13 are resolved but open. TSA is working to address the IG’s recommendations, such as working with the DHS Office of Policy and Customs and Border Protection to establish a common definition for identifying ‘lower-risk’ travelers and low-risk trusted travelers across the department for consistency in application across all DHS vetting programs."
"The IG also recommended that TSA work to improve communications about TSA PreCheck to the public, as multiple avenues for access to TSA PreCheck can be confusing," Fletcher testified. "TSA is working with [the] IG to address the intent of the outstanding recommendations, and further improve the program’s security and access for the traveling public.”
In its December 2014 56-page audit report, GAO stated that, “Since the Transportation Security Administration implemented its expedited screening program — TSA PreCheck in 2011, the number of passengers receiving expedited screening grew slowly, and then increased about 300 percent in October 2013 when TSA expanded its use of methods to increase passenger participation, such as conducting automated risk assessments of all passengers. In conducting these assessments, TSA assigns passenger scores based upon information available to TSA to identify low risk passengers eligible for expedited screening for a specific flight prior to the passengers’ arrival at the airport.”
“To assess whether a passenger is eligible for expedited screening,” the GAO audit report explained, “TSA considers (1) inclusion on an approved TSA PreCheck list of known travelers; (2) results from the automated risk assessments of all passengers; and (3) threat assessments of passengers conducted at airport checkpoints known as Managed Inclusion. Managed Inclusion uses several layers of security, including procedures that randomly select passengers for expedited screening, behavior detection officers who observe passengers to identify high-risk behaviors and either passenger screening canine teams or explosives trace detection devices to help ensure that passengers selected for expedited screening have not handled explosive material. Prior to Managed Inclusion’s implementation, TSA relied primarily on approved lists of known travelers to determine passenger eligibility for expedited screening.”
Continuing, the GAO audit stated, “TSA has tested the effectiveness of individual Managed Inclusion security layers and determined that each layer provides effective security.”
However, GAO said its previous work on several of the layers used in the Managed Inclusion process raised “concerns regarding its effectiveness and recommending actions to TSA to strengthen them. For example, in January 2013, GAO recommended TSA take actions to comprehensively assess the effectiveness of canine teams. TSA subsequently addressed this recommendation by conducting the assessment. In October 2014, TSA planned to begin testing Managed Inclusion as an overall system, but could not provide specifics or a plan or documentation showing how the testing is to be conducted, the locations where it is to occur, how these locations are to be selected or the timeframes for conducting testing at each location.”
“Moreover,” GAO noted, it had “previously reported on challenges TSA has faced in designing studies to test the security effectiveness of its other programs in accordance with established methodological practices such as ensuring an adequate sample size or randomly selecting items in a study to ensure the results can be generalizable — key features of established evaluation design practices. Ensuring its planned testing of the Managed Inclusion process adheres to established evaluation design practices will help TSA provide reasonable assurance that the testing will yield reliable results.”
Fletcher told the subcommittee that, “The 9/11 Commission Report noted that the US government should set risk-based priorities to protect transportation assets, and implement the most practical and cost-effective programs to protect them. By applying a risk-based approach to security, TSA is able to employ resources with the greatest impact in reducing risk and enhancing the security of the traveling public and the nation’s transportation systems. Expedited screening for low-risk passengers is key to the success of RBS [risk-based security] in aviation security. Through RBS measures, TSA increased the percent of passengers receiving some form of expedited screening from 9.6 percent in September 2013 to 50 percent by November 2014. This increase resulted in an overall average of 43.5 percent of passengers receiving some form of expedited screening by TSA during 2014.”
“RBS enhancements do not stop with prescreening through TSA PreCheck. Beyond efforts like TSA PreCheck, RBS screening at checkpoints includes real time threat assessments through the deployment of behavior detection techniques, explosives detection canines and explosive trace detection equipment and risk-based physical screening utilizing differentiatedscreening
procedures and technology applications.”
“RBS is not a standalone program,” Fletcher testified, “but a strategic application of intelligence-driven risk mitigation principles that moves away from the one-size-fits-all approach to security. TSA will continue to focus on applying our risk-based security approaches to other aspects of transportation security, including checked baggage, air cargo, regulatory compliance, and Federal Air Marshal deployments.”