Match 10, 2013
The federal government has entrusted the security of the nation’s airports to the Transportation Security Administration (TSA). Yet according to a recent report from the Department of Homeland Security’s Office of Inspector General (OIG), the agency’s bungling of an airport security badge vetting program allowed at least 11 individuals with criminal backgrounds to obtain access to secured airport areas. What’s more, says the OIG, because of the TSA’s lack of oversight, some individuals with criminal records may retain such access to this day.
According to the OIG, the TSA initially selected a single vendor, the American Association of Airport Executives’ (AAAE) Transportation Security Clearinghouse, to relay background check information to the TSA, which then submits the data for a Criminal History Records Check and a Security Threat Assessment. Only individuals who pass both screenings are to be given badges granting them unescorted access to secured airport areas.
Responding to requests from airports, the TSA created the Aviation Channeling Services Provider (ASCP) program in 2010 to offer them a choice of vendors for the badge vetting process. The next year it selected three vendors to participate in the program: AAAE, Telos ID, and L1 Identity Solutions (now MorphoTrust Enrollment Solutions).
This being a government project, it comes as no surprise that the OIG found that the TSA “did not properly plan, manage, and implement” it. In fact, the “project is still not completely implemented and continues to face challenges to accomplish its mission.” As of July 1, 2012, only a single airport had switched vendors (from AAAE to Telos ID), and MorphoTrust Enrollment Solutions was just beginning the testing phase of the project.
From the beginning, the project was doomed. “TSA did not have a written comprehensive plan for the ASCP project design and implementation,” noted the report. The agency has very little documentation on the project at all, and none about who made or approved project decisions. The project team supposedly made decisions, but no one can prove what they were because “TSA did not maintain team meeting minutes but relied on agendas as evidence of actions assigned to each responsible member of the team.”
The TSA also has no idea how much the project has cost thus far. Writes the OIG, “TSA did not track and report all project costs related to implementing the ASCP project.” As a result, it cannot say whether more than three vendors could have been acquired, and it “cannot be sure that it has not incurred unplanned additional costs.”
“TSA did not establish standard testing requirements,” says the report, “nor did the agency require that all vendors test system functionality with at least one airport.” When the time came for testing, the TSA was ready, but none of its vendors was; one had not completed testing nearly a year later. “Since TSA did not establish testing timeframe requirements, the agency could not hold the vendors accountable for delaying the ASCP project schedule.”
All of this ensured that the deployment of the project would be fraught with difficulties. Sure enough, when ASCP was finally deployed in April 2012, “airports began to experience significant problems with the new … system,” according to the OIG. “Airport operations were hindered because of aviation workers’ inability to access secured areas without proper badge authority.”
At this point the TSA, in its wisdom, decided that if airports couldn’t operate without security badges and the badges were being held up because background checks were delayed, the solution was not to fix the problems with the project (or even to revert to the old system) but simply to allow airports to issue badges without background checks. Thus, from April 20 to June 1, 2012, airports could issue badges to those whose background checks were in limbo, with the proviso that these badges would be revoked if the checks were not completed within 14 days.
Predictably, “TSA did not track which airports used the alternate measures and the number of badges that were issued under those measures,” the report observes. Only after the OIG inquired about these important data did the TSA even bother to look into the matter, and then it merely initiated a survey in which airports were asked to self-report on the matter.
Of the 446 airports in the country, 290 responded to the survey; and of those, 168 said that they had adopted the alternate measures. “Five of the airports identified a total of 11 individuals with criminal backgrounds, who received badges during the alternate measures period and would not have received badges if they had been properly vetted. Five of those individuals held their badge for more than 14 days, and therefore those airports were not in compliance with the alternate measure.” The TSA has absolutely no knowledge of how many people with criminal backgrounds may have received security badges at the remaining 156 airports, nor does it know how many may still have them. Moreover, even the airports that responded to the survey had an incentive to make themselves look good, so it is possible that they underreported the number of shady characters who obtained or still possess badges. “Therefore,” declares the OIG, “individuals with criminal records may currently have access to secured areas in our Nation’s airports.”
The report goes on to offer recommendations for improving future projects. These are the sorts of commonsense things any private company or organization would naturally do, such as developing a “lessons learned report” from ASCP so that they don’t repeat their mistakes, documenting every step of a project, and holding vendors accountable for meeting their objectives. The TSA concurred with these recommendations, but who really believes the agency will implement them? It simply has no incentive to do so given that it is in no danger of going under no matter how horribly its projects are mismanaged. As Ronald Reagan memorably quipped, “A government bureau is the nearest thing to eternal life we’ll ever see on this earth.”
The OIG also recommended that the TSA “conduct a comprehensive review of badges issued” without background checks, which the TSA also agreed to do. But if that review is managed in a similar fashion as the project itself — and there is little reason to expect otherwise — it is likely to take years and still not end up with a full accounting of individuals with criminal records who possess security badges.
Anyone who thinks the TSA makes flying safer just isn’t paying attention.