[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
HOW TSA CAN IMPROVE AVIATION WORKER VETTING
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
TRANSPORTATION SECURITY
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
JUNE 16, 2015
__________
Serial No. 114-21
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
U.S. GOVERNMENT PUBLISHING OFFICE
96-167 PDF WASHINGTON : 2015
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Peter T. King, New York Loretta Sanchez, California
Mike Rogers, Alabama Sheila Jackson Lee, Texas
Candice S. Miller, Michigan, Vice James R. Langevin, Rhode Island
Chair Brian Higgins, New York
Jeff Duncan, South Carolina Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania William R. Keating, Massachusetts
Lou Barletta, Pennsylvania Donald M. Payne, Jr., New Jersey
Scott Perry, Pennsylvania Filemon Vela, Texas
Curt Clawson, Florida Bonnie Watson Coleman, New Jersey
John Katko, New York Kathleen M. Rice, New York
Will Hurd, Texas Norma J. Torres, California
Earl L. ``Buddy'' Carter, Georgia
Mark Walker, North Carolina
Barry Loudermilk, Georgia
Martha McSally, Arizona
John Ratcliffe, Texas
Daniel M. Donovan, Jr., New York
Brendan P. Shields, Staff Director
Joan V. O'Hara, General Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
------
SUBCOMMITTEE ON TRANSPORTATION SECURITY
John Katko, New York, Chairman
Mike Rogers, Alabama Kathleen M. Rice, New York
Earl L. ``Buddy'' Carter, Georgia William R. Keating, Massachusetts
Mark Walker, North Carolina Donald M. Payne, Jr., New Jersey
John Ratcliffe, Texas Bennie G. Thompson, Mississippi
Michael T. McCaul, Texas (ex (ex officio)
officio)
Krista P. Harvey, Subcommittee Staff Director
Dennis Terry, Subcommittee Clerk
Vacancy, Minority Subcommittee Staff Director
C O N T E N T S
----------
Page
Statements
The Honorable John Katko, a Representative in Congress From the
State of New York, and Chairman, Subcommittee on Transportation
Security:
Oral Statement................................................. 1
Prepared Statement............................................. 3
The Honorable Kathleen M. Rice, a Representative in Congress From
the State of New York, and Ranking Member, Subcommittee on
Transportation Security........................................ 3
Witnesses
Mr. John Roth, Inspector General, U.S. Department of Homeland
Security:
Oral Statement................................................. 5
Prepared Statement............................................. 7
Ms. Stacey Fitzmaurice, Deputy Assistant Administrator, Office of
Intelligence and Analysis, Transportation Security
Administration, U.S. Department of Homeland Security........... 10
Ms. Jennifer A. Grover, Director, Transportation Security and
Coast Guard Issues, Homeland Security and Justice Team, U.S.
Government Accountability Office:
Oral Statement................................................. 12
Prepared Statement............................................. 13
HOW TSA CAN IMPROVE AVIATION WORKER VETTING
----------
Tuesday, June 16, 2015
U.S. House of Representatives,
Subcommittee on Transportation Security,
Committee on Homeland Security,
Washington, DC.
The subcommittee met, pursuant to call, at 10:06 a.m., in
Room 311, Cannon House Office Building, Hon. John Katko
[Chairman of the subcommittee] presiding.
Present: Representatives Katko, Rogers, Carter, Ratcliffe,
McCaul, Rice, Keating, and Payne.
Mr. Katko. The Homeland Security Subcommittee on
Transportation Security will come to order.
The subcommittee is meeting today to hear testimony on
improving aviation worker vetting by TSA. I now recognize
myself for an opening statement.
I would like to welcome everyone to today's hearing on how
TSA can improve aviation worker vetting. Since the start of the
Congress, my subcommittee has actively engaged and examined a
number of alarming aspects relating to TSA's operations,
policies, and procedures. Through hearings, oversight
inquiries, and legislation, we have been working to get to the
bottom of these issues and raise awareness of the urgent need
to fix them. Recent revelations that the TSA cleared for
employment individuals with potential ties to terrorism
demonstrate the dire need for improved, streamlined procedures
at TSA. The findings released by the Department of Homeland
Security inspector general over the last few weeks are, indeed,
alarming.
In May, the inspector general released a report that found
that TSA did not have the appropriate controls in place to
ensure that screening equipment has necessary maintenance work
performed. A few weeks ago, news outlets reported test results
showing that screeners failed to detect prohibited threat items
96 percent of the time. Just last week, we learned that 73
airport employees with potential ties to terrorism were issued
credentials which allowed them to get access to secure areas of
airports. These more recent findings come out on the heels of
revelations earlier this year of security breaches by employees
at major U.S. airports involving a Nation-wide gun-smuggling
ring and an employee of the FAA bypassing security and flying
with a loaded firearm using his SIDA badge.
More recently, we learned of a drug trafficking ring
operating out of the airport in Oakland, California. All of
these findings individually are concerning. In the aggregate,
well, they just shake the public's confidence and only further
demonstrate the need for steady leadership at TSA to work
through the many issues that plague this agency.
This committee will continue to lead efforts to close
security loopholes and ensure the continuing safety and
security of our Nation's aviation system. The purpose of
today's hearing is to thoroughly examine the identified
security gaps highlighted in the most recent IG report about
aviation worker vetting and find ways to improve the vetting
process to ensure that these vulnerabilities are addressed and
the American people can feel safe and secure when traveling.
Aviation workers are supposed to be thoroughly vetted due
to their continuing access to sensitive areas of airports and
the fact that they hold a position of trust within the
transportation system. However, as the IG report has found so
clearly, there are significant shortfalls in the vetting
policies for aviation workers. For example, the IG found that
TSA does not have access to all the data it may need to
thoroughly check an aviation worker's potential ties to
terrorism. However, what is even more alarming is that a memo
was sent to the TSA administrator last year noting the need for
additional information. TSA has still yet to resolve this gap a
year later. The report also found that airports do not match
the expiration date of an employee's credentials to the
expiration of their legal work authorization in the United
States.
Again, while TSA stated they are working to resolve these
issues by the end of the calendar year, it raises serious
concerns that this gap exists in the first place. Therefore, I
have sponsored H.R. 2750, the Improved Security Vetting for
Aviation Workers Act of 2015, which I introduced last week
along with Chairman McCaul and Ranking Member Rice and
Congressman Payne, to close these security gaps and ensure the
safety and security of the transportation networks. The reality
is in this post-9/11 world that the terrorist threat is
metastasizing. We, as a Nation, must remain responsive to any
holes in the security of our transportation systems and ensure
that the protocols keep pace with the ever-evolving threat
landscape.
Improving the vetting of the aviation workers who have
access to these sensitive areas of airports can help close
another back-door vulnerability at our Nation's airports. At
today's hearing, we have representatives from the TSA, the DHS
inspector general himself, and GAO to address how the
recommendations highlighted in the report can be implemented,
and what tools are needed to improve the security at our
Nation's airports. I look forward to hearing their testimony
and having a meaningful dialogue on how we can better protect
this vital transportation mode and keep aviation safe and
secure for the American people.
The Chair now recognizes the Ranking Minority Member of the
subcommittee, the gentlelady from New York, Miss Rice, for any
statement she may have.
[The statement of Chairman Katko follows:]
Statement of Chairman John Katko
I would like to welcome everyone to today's hearing on how TSA can
improve aviation worker vetting. Since the start of this Congress, my
subcommittee has actively examined a number of alarming aspects related
to TSA's operations, policies, and procedures. Through hearings,
oversight inquiries, and legislation, I have been working to get to the
bottom of these issues and raise awareness of the urgent need to fix
them. Recent revelations that the TSA cleared for employment
individuals with potential ties to terrorism demonstrate the dire need
for improved, streamlined procedures at the TSA.
The findings released by the Department of Homeland Security
Inspector General over the last few weeks are alarming. In May, the
Inspector General released a report that found that TSA did not have
the appropriate controls in place to ensure that screening equipment
has necessary maintenance work performed. A few weeks ago news outlets
reported test results showing that screeners failed to detect
prohibited threat items 96% of the time, and just last week we learned
that 73 airport employees with potential ties to terrorism were issued
credentials granting them access to work in the secure areas of our
Nation's airports. These more recent findings come on the heels of
revelations earlier this year of security breaches by employees at
major U.S. airports involving a Nation-wide gun-smuggling ring and an
employee of the FAA bypassing security and flying with a loaded firearm
using his SIDA badge. All of these findings individually are
concerning, and, in the aggregate, shake public confidence and only
further demonstrate the need for steady leadership at TSA to work
through the many issues that plague the agency.
This committee will continue to lead efforts to close security
loopholes and ensure the continuing safety and security of our Nation's
aviation system. The purpose of today's hearing is to thoroughly
examine the identified security gaps highlighted in the most recent IG
report about aviation worker vetting and find ways to improve the
vetting process to ensure that these vulnerabilities are addressed and
the American people can feel safe and secure when traveling.
Aviation workers are supposed to be thoroughly vetted, due to their
continuing access to sensitive areas of airports and the fact they hold
a position of trust within the transportation system. However, the IG
report found significant shortfalls in the vetting policies for
aviation workers. For example, the IG found that TSA does not have
access to all of the data it may need to thoroughly check an aviation
worker's potential ties to terrorism. However, what is even more
alarming is that a memo was sent to the TSA administrator last year
noting the need for additional information, and TSA has still yet to
resolve this gap. The report also found that airports do not match the
expiration date of an employee's credential to the expiration of their
legal work authorization in the United States. Again, while TSA stated
they are working to resolve this issue by the end of the calendar year,
it raises serious concerns that this gap exists in the first place.
That is why I have sponsored H.R. 2750, the Improved Security
Vetting for Aviation Workers Act of 2015, which I introduced last week,
along with Chairman McCaul, Ranking Member Rice, and Congressman Payne
to close these security gaps, and ensure the safety and security of the
transportation networks.
The reality is that in this post-9/11 world, the terrorist threat
is metastasizing and we, as a Nation, must remain responsive to any
holes in the security of our transportation systems and ensure that the
protocols keep pace with the ever-evolving threat landscape. Improving
the vetting of the aviation workers who have access to these sensitive
areas of airports can help close another backdoor vulnerability at our
Nation's airports.
At today's hearing, we have representatives from TSA, the DHS
inspector general, and GAO to address how the recommendations
highlighted in the report can be implemented and what tools are needed
to improve the security at our Nation's airports. I look forward to
hearing their testimony and having a meaningful dialogue on how we can
better protect this vital transportation mode and keep aviation safe
and secure for the American people.
Miss Rice. Thank you, Mr. Chairman. Thank you for convening
this hearing. We have an important question to answer today:
How can we do a better job vetting aviation workers? How can we
do a better job ensuring that criminals and terrorists cannot
get a job in one of our airports and gain access to secure
areas? Clearly, if a terrorist were to penetrate an airport in
that way, the results could be catastrophic.
We have to assume that right now someone is trying to do
just that. We have to assume that we can prevent it. We have to
keep working together aggressively and proactively to
strengthen our security, find and close the gaps, and stay one
step ahead.
TSA is responsible for vetting diverse groups of people,
from the Transit Worker Identification Credential Program to
PreCheck, to aviation worker programs. Aviation workers,
themselves, are a diverse group of people who play many
different and important roles within the commercial airport
environment, from the person who works at the newsstand beyond
the security checkpoints to the mechanic who has access to the
plane itself to perform his or her duties. What these two
people have in common is that they both go to work every day
beyond the checkpoints in the secure area of the airport. We
have to do everything within our power to ensure that people
who go to work in these secure areas are exhaustively vetted,
both before employment and on a recurring basis, and prove
themselves to be trustworthy.
Last week, the Department of Homeland Security Office of
Inspector General issued a report that detailed how 73
individuals with links to terrorism were able to get jobs with
airlines and airport vendors and were cleared to access secure
areas. That is unacceptable. First, we should all be grateful
to the inspector general for bringing this to our attention. To
know that this threat was out there, to think about what could
have happened should be all the motivation we need to work
together, act swiftly, and do what needs to be done to make
sure this doesn't happen again.
That is why we are here today, not to create a spectacle or
cast blame. We are here to figure out how this happened, what
we need to learn from it, and what we need to do to close this
gap in our security. I also want to point out that Inspector
General Roth, himself, noted that TSA's vetting process was,
``generally effective.'' So that is not the problem here. As
far as I understand, there seem to be two main factors that
allowed this to happen.
No. 1, because of the current interagency watch list
policy, TSA doesn't have access to databases that would have
captured the individuals in question and alerted TSA to their
terrorism indicators. That, too, is simply unacceptable and has
to change. TSA should have had access to all information about
these individuals. TSA should have access to any and all
information that will make their vetting process as exhaustive
as possible.
No. 2, the report also made it clear that TSA's own
databases are a mess. Eighty-seven thousand employee files
without Social Security numbers, many with no passport number
or proof of citizenship, 300 files with no full name for the
employee. There is no excuse for that. It strikes me, as I am
sure everyone, as sloppy. There is no place for sloppiness when
we are dealing with the security of our Nation's aviation
system.
We strive for a security system that is airtight and
precise. In order to achieve that, our information must be
airtight. Everything we do must be precise. The inspector
general's office has issued six recommendations, all of which
will help to address these issues. I appreciate the fact that
TSA has concurred with these recommendations and is already
taking steps to implement them.
I look forward to hearing more about these issues and
corrective actions today. After this hearing, I look forward to
taking up legislation authored by myself and Chairman Katko
that will codify recommendations from this report and from
another OIG report that details the need for TSA to properly
manage its airport screening equipment maintenance program.
I want to thank each one of our witnesses for being here
today. I am eager to hear all of your testimony and have a
productive conversation about how we can do a better job
vetting aviation workers, how we can do a better job keeping
airports secure, and primarily keeping passengers safe.
Mr. Chairman, I thank you again for convening this hearing.
I yield back the balance of my time.
Mr. Katko. Thank you, Miss Rice.
I know at least the Chairman of the Homeland Security full
committee, Mr. McCaul, plans on coming here and making a
statement. When he comes, we will give him an opportunity to do
so. He is held up in another hearing. I will extend the same
courtesy to Mr. Thompson if he shows up.
With respect to the other Members of the committee, I want
to remind you that opening statements may be submitted for the
record. We are pleased to have several distinguished witnesses
before us today on this important topic. Let me remind the
witnesses that their entire written statements will appear in
our record.
Somebody that is well familiar to this committee and to
Homeland Security as a whole is Mr. Roth. Welcome back. Thank
you for your continuing good work, sir. Ms. Fitzmaurice, of
TSA, thank you for being here. Ms. Grover, thank you for being
here as well. I would like to hear from Mr. Roth with respect
to his opening statement.
STATEMENT OF HONORABLE JOHN ROTH, INSPECTOR GENERAL, U.S.
DEPARTMENT OF HOMELAND SECURITY
Mr. Roth. Chairman Katko, Ranking Member Rice, and Members
of the subcommittee, thank you for inviting me here today to
discuss the results of our most recent TSA audit.
Federal regulations require that individuals who work in
secure areas of commercial airports undergo background checks.
TSA and the airports are required to perform these checks
before granting individuals badges that allow them unescorted
access to secure areas. Each background check includes a
security threat assessment from TSA, including a terrorism
check, a fingerprint-based criminal history records check, and
evidence of the applicant's authorization to work in the United
States. The airports themselves collect this information used
for vetting and submit it to TSA through a contractor.
Once TSA receives biographic data, it electronically
matches it against an extract of the Terrorist Screening
Database to identify individuals with potential links to
terrorism. TSA also recurrently vets airport workers every time
it receives a watch list update. Based on this review, TSA may
direct the airport to grant, deny, or revoke a credential after
coordination with other Government entities.
We found that TSA was generally effective in identifying
individuals with links to terrorism. However, we did undercover
a significant weakness. At our request, the National
Counterterrorism Center performed a data match of over 900,000
airport workers who have access to secure areas against the
National Counterterrorism Center's TIDE database. As a result
of this match, we identified 73 individuals with terrorism-
related category codes within the TIDE database who also had
active airport credentials.
According to TSA officials, current interagency policy
prevents TSA from receiving all terrorism-related codes during
vetting. This lack of access to complete records resulted in
TSA not discovering the issue with these 73 individuals. TSA
officials candidly recognize that not receiving these codes
represents a weakness in its program and informed us that TSA
cannot guarantee that it can consistently identify all
questionable individuals without receiving those categories.
In 2014, the TSA administrator authorized his staff to
request some of the missing category codes for vetting.
However, according to an official at the DHS Office of Policy,
TSA and DHS has yet to formalize the request to the
watchlisting interagency policy committee in order to receive
additional categories of terrorism-related records.
Additionally, we found an issue with the manner in which
airport workers are checked for criminal histories. The
airports themselves maintain the ultimate authority to review
and determine whether an individual's criminal history contains
disqualifying crimes under Federal law. However, TSA did not
have an adequate monitoring process in place to ensure that
airport operators properly adjudicated these criminal
histories.
TSA officials informed us that airport officials rarely or
almost never documented the results of their criminal history
reviews electronically. Without sufficient documentation, TSA
cannot systematically determine whether individuals with access
to secure areas of the airport are free of disqualifying
criminal convictions. Moreover, under current law and FBI
policy, TSA and the airports are not legally authorized to
conduct recurrent vetting of criminal histories. We also found
a weakness in the verification process for an individual's
authorization to work in the United States.
As with criminal histories, it is the airport operators who
are required to ensure that aviation workers are authorized to
work before sending their information to TSA for review. TSA
then verifies that aviation workers have lawful status.
However, a review of TSA data showed that TSA has had to deny
credentials for over 4,800 applicants because TSA determined
that they did not prove their lawful status in the United
States even after appeal. Now, this occurred despite the fact
that these individuals had previously been cleared to work by
the airports as being legally authorized to work.
Finally, we looked at the quality of the data that is
involved in worker vetting. TSA relies on airports to submit
complete and accurate aviation worker data. However, we
identified thousands of aviation worker records that appeared
to have incomplete or inaccurate biographic information. We
made six recommendations in our report. TSA agreed to all the
recommendations and provided target completion dates for
corrective actions. We will follow up on the implementation of
these corrective actions.
Mr. Chairman, thank you again for inviting me to testify
here today. I look forward to any questions you or other
Members of the committee may have.
[The prepared statement of Mr. Roth follows:]
Prepared Statement of John Roth
June 16, 2015
Chairman Katko, Ranking Member Rice, and Members of the
subcommittee: Thank you for inviting me here today to discuss the
results of the Office of Inspector General's audit of the
Transportation Security Administration's vetting of employees with
access to secure areas of the airports.\1\ We also reported on TSA
worker vetting operations in 2011 and prior years.\2\ In addition to
reviewing vetting operations, in the past we have also used covert
testing to determine whether unauthorized and potentially dangerous
individuals could gain access to secured airport areas.\3\
---------------------------------------------------------------------------
\1\ TSA Can Improve Aviation Worker Vetting (Redacted), OIG-15-98.
\2\ TSA's Oversight of the Airport Badging Process Needs
Improvement, OIG-11-95; Transportation Security Administration's
Aviation Channeling Services Provider Project, OIG-13-42.
\3\ Covert Testing of Access Controls to Secured Airport Areas,
OIG-12-26.
---------------------------------------------------------------------------
TSA uses multiple layers of security to ensure the safety of the
traveling public and transportation systems. Aviation worker vetting is
just one area that we have reviewed; we have testified recently on
multiple transportation security vulnerabilities that we believe TSA
needs to address. Since 2004, we have published more than 115 audit and
inspection reports about TSA's programs and operations. Our work
includes evaluations of passenger and baggage screening, TSA PreCheck,
TSA acquisitions, and TSA equipment deployment and maintenance.
In our most recent audit on aviation worker vetting, we generally
found:
TSA's layered controls for vetting workers for terrorism are
generally effective. However, TSA did not identify 73
individuals with terrorism-related category codes because it is
not authorized to receive all terrorism-related categories
under current interagency watchlisting policy.
TSA had less effective controls in place to ensure that
airports have a robust verification process over a credential
applicant's criminal history and authorization to work in the
United States.
TSA needs to improve the quality of data used for vetting
purposes.
My testimony today will discuss each of these areas in further
detail.
background on tsa vetting
TSA was created in 2001 to ensure the safety and free movement of
people and commerce within the Nation's transportation systems. As part
of this mission, TSA has statutory responsibility for properly vetting
aviation workers such as baggage handlers and airline and vendor
employees.
Federal regulations require individuals who apply for credentials
to work in secure areas of commercial airports to undergo background
checks. TSA and airport operators are required to perform these checks
prior to granting individuals' badges that allow them unescorted access
to secure areas. Each background check includes:
a security threat assessment from TSA, including a terrorism
check;
a fingerprint-based criminal history records check (CHRC);
and
evidence of the applicants' authorization to work in the
United States.
Airports collect the information used for vetting, including each
applicant's name, address, date of birth, place of birth, country of
citizenship, passport number, and alien registration number (if
applicable). TSA also relies on airport or air carrier employees to
collect applicants' fingerprints for the CHRC.
Once it receives biographic data, TSA electronically matches
credential applicants against its extract of the Government's
Consolidated Terrorist Watchlist to identify individuals with potential
links to terrorism. TSA also recurrently vets airport workers every
time it receives a watch list update. TSA identifies potential matches
to terrorism-related information using varied pieces of data such as
names, address, Social Security number (SSN), passport number, and
alien registration number. TSA analysts manually review potential
matches to determine whether cases represent a true match of an
applicant to terrorism-related information and the risk posed by the
case. Based on this review, TSA may direct the airport to grant, deny,
or revoke, a credential after coordination with other governmental
organizations.
Airport operators are responsible for reviewing aviation worker
criminal histories and his/her authorization to work in the United
States. For the criminal history check, applicants submit fingerprint
records through airport operators and TSA for transmittal to the FBI.
TSA then receives the results of the fingerprint check and provides
them to airport operators for review. Certain criminal offenses--such
as espionage, terrorism, and some violent offenses and felonies--are
disqualifying offenses that should prevent an individual from
unescorted access to secured areas of an airport. TSA and the airports
also conduct checks to verify an individual's immigration status and
authorization to work, respectively.
results
Vetting for Terrorism Links
We found that TSA was generally effective in identifying
individuals with links to terrorism. Since its inception in 2003, TSA
has directed airports to deny or revoke 58 airport badges as a result
of its vetting process for credential applicants and existing
credential holders. In addition, TSA has implemented quality review
processes for its scoring model, and has taken proactive steps based on
non-obvious links to identify new terrorism suspects that it nominates
to the watch list.
Despite rigorous processes, TSA did not identify 73 individuals
with links to terrorism because TSA is not cleared to receive all
terrorism categories under current inter-agency watchlisting
guidance.\4\ At our request, the National Counterterrorism Center
(NCTC) performed a data match of over 900,000 airport workers with
access to secure areas against the NCTC's Terrorist Identities Datamart
Environment (TIDE). As a result of this match, we identified 73
individuals with terrorism-related category codes who also had active
credentials. According to TSA officials, current interagency policy
prevents the agency from receiving all terrorism-related codes during
vetting.
---------------------------------------------------------------------------
\4\ The Interagency Policy Committee responsible for watch list
policy determines what terrorism-related categories are provided to TSA
for vetting, while the DHS Watchlist Service provides allowable
information to TSA.
---------------------------------------------------------------------------
TSA officials recognize that not receiving these codes represents a
weakness in its program, and informed us that TSA cannot guarantee that
it can consistently identify all questionable individuals without
receiving these categories. In 2014, the TSA administrator authorized
his staff to request some missing category codes for vetting. However,
according to an official at the DHS Office of Policy, TSA must work
with DHS to formalize a request to the Watchlisting Interagency Policy
Committee in order to receive additional categories of terrorism-
related records.
Vetting for Criminal Histories
Airport operators review criminal histories for new applicants for
badges to secure airport areas after receiving the results of FBI
fingerprint checks through TSA. However, under current law and FBI
policy, TSA and the airports are not legally authorized to conduct
recurrent criminal history vetting, except for the U.S. Marshals
Service Wants and Warrants database. This is because aviation worker
vetting is considered to be for non-criminal justice purposes. Instead,
we found airports relied on individuals to self-report disqualifying
crimes. As individuals could lose their job if they report the crimes,
individuals had little incentive to do so.
TSA also did not have an adequate monitoring process in place to
ensure that airport operators properly adjudicated credential
applicants' criminal histories. While TSA facilitated the CHRC for
aviation worker applicants, over 400 commercial airports maintained the
ultimate authority to review and determine whether an individual's
criminal history contained disqualifying crimes under Federal law. TSA
officials informed us that airport officials rarely or almost never
documented the results of their CHRC reviews electronically. Without
sufficient documentation, TSA cannot systematically determine whether
individuals with access to secured areas of the airports are free of
disqualifying criminal events.
TSA has taken steps to address weaknesses in criminal history
vetting. TSA has planned a pilot of the FBI's ``Rap Back'' program to
receive automated updates from the FBI for new criminal history matches
associated with airport workers so that the airports can take actions.
TSA is planning this pilot program for multiple airports in late 2015.
Vetting for Authorizations to Work
We also found weaknesses in the verification process for an
individual's authorization to work in the United States. Airport
operators are required to ensure that aviation workers are authorized
to work in the United States prior to sending their information to TSA
for review. TSA then verifies that aviation workers have lawful status
in the United States. However, our review of TSA data showed that TSA
has had to send nearly 29,000 inquiries to credential applicants
regarding their lawful status since program inception in 2004. Of those
individuals, over 4,800 were eventually denied credentials because TSA
determined that they did not prove lawful status even after appeal.
This occurred despite the fact that these individuals had previously
received clearance from the airports as being authorized to work.
Additionally, we found that TSA did not require airports to
restrict the credentials of individuals who may only be able to work in
the United States temporarily. Consequently, airports did not put
expiration dates on the badges. Although airports are required to
verify work authorizations upon badge renewal every 2 years, or
whenever another credential is requested, individuals may continue to
work even when they no longer have lawful status during the period
between badge renewals. Without ensuring that an individual's
credential is voided when he or she is no longer authorized to work,
TSA runs the risk of providing individuals access to secure airport
areas even though they no longer have the authorization to work in the
United States.
TSA's Office of Security Operations performed annual inspections of
commercial airport security operations, including reviews of the
documentation that aviation workers submitted when applying for
credentials. However, due to workload at larger airports, this
inspection process looked at as few as 1 percent of all aviation
workers' applications. In addition, inspectors were generally given
airport badging office files, which contained photocopies of aviation
worker documents rather than the physical documents themselves. An
official from this office told us that a duplicate of a document could
hinder an inspector's ability to determine whether a document is real
or fake, because a photocopy may not be matched to a face, and may not
show the security elements contained in the identification document.
TSA Can Improve the Reliability of Its Vetting Data
TSA relied on airports to submit complete and accurate aviation
worker application data for vetting. However, we identified thousands
of aviation worker records that appeared to have incomplete or
inaccurate biographic information as follows:
87,000 active aviation workers did not have SSNs listed even
though TSA's data matching model identified SSNs as a strong
matching element. Pursuant to the Privacy Act, TSA is not
authorized to require the collection of SSNs.
1,500 records in TSA's screening gateway had individuals'
first names containing two or fewer characters.
Over 300 records contained a single character.
An additional 75,000 records listed individuals with active
aviation worker credentials as citizens of non-U.S. countries,
but did not include passport numbers. Out of those records,
over 14,000 also did not list alien registration numbers.
According to TSA, the passport number is a desired field to
collect, but is not required.
In addition to the data completeness issues that we identified, TSA
independently determined that airports may not be providing all aliases
used by applicants undergoing security threat assessments. This
typically occurred when TSA's vetting process discovered that
individuals had used aliases. Complete and accurate aliases are
important to the accuracy and effectiveness of TSA's vetting processes.
TSA has directed airports to report all aliases; however, to the extent
that airports do not ensure that aliases are captured and provided to
TSA, TSA terrorism vetting may be limited for certain individuals.
TSA has taken steps to address some of these weaknesses. TSA made
system enhancements between 2012 and 2014 designed to improve the
quality of data that it received from airports. For example, TSA will
refuse to vet individuals if their birth dates show that they were
younger than 14 or older than 105 and encourage airports to submit
electronic copies of immigration paperwork with applications to
expedite the vetting process. These enhancements will become effective
for new or reissued badges, which should happen within 2 years as
required by TSA's security policy.
recommendations
We made six recommendations in our report:
Follow up on the request for additional categories of
terrorism-related records.
Require inspectors to view original identity documents
supporting airport adjudication of an applicant's criminal
history and work authorization.
Pilot FBI's Rap Back Program and take steps to institute
recurrent vetting of criminal histories at all commercial
airports.
Require airports to link credential end dates to temporary
work authorization end dates.
Perform analysis to identify airports with weaknesses
related to applicants' lawful status.
Implement data quality checks to ensure complete and
accurate data as required by TSA policy.
TSA agreed to all recommendations and provided target completion
dates for corrective actions. DHS will follow up on implementation of
these corrective actions.
conclusion
TSA has the responsibility to ensure transportation security and
the free and safe movement of people and commerce throughout the
Nation. Effectively carrying out this responsibility is of paramount
importance, given emerging threats and the complex and dynamic nature
of this Nation's transportation system. We previously testified about
major TSA deficiencies in accomplishing its transportation security
mission, including extensive failures at TSA checkpoints identified
during recent penetration testing, as well as weaknesses in its
PreCheck vetting and screening process. With our recent report, we add
another security vulnerability that TSA must address: Ensuring it has
all relevant terrorism-related information when it vets airport
employees for access to secure airport areas. We will continue to
monitor TSA's progress as it takes corrective actions to address these
vulnerabilities.
computer matching act exception
I would be remiss if I did not mention the data matching issues
that we encountered while conducting this audit. As part of this
review, we collaborated with the NCTC to perform a data match of
aviation worker's biographic data against TIDE to determine if TSA
identified all individuals with potential links to terrorism. Because
we do not have an exemption from the Computer Matching Act, it took us
18 months to get a Memorandum of Understanding in place with the NCTC
in order to perform this data match--and that was with full cooperation
from the NCTC. We support legislation pending in the House, the
Inspector General Empowerment Act (H.R. 2395), that would give
Inspectors General a computer matching exception. This would enable us
to conduct these types of audits on a more frequent basis and with
greater ease.
Mr. Chairman, thank you for inviting me to testify here today. I
look forward to discussing our work with you and the Members of the
subcommittee.
Mr. Katko. Thank you, Mr. Roth, for your continued
professionalism in handling these matters. We appreciate you
being here today of course.
Our second witness, Ms. Fitzmaurice, the deputy assistant
administrator for TSA's Office of Intelligence and Analysis.
Prior to her current role, Ms. Fitzmaurice served as division
director for the Checkpoint Solutions and Integrity Division
within TSA's Office of Security Capabilities. In this position,
she led TSA's efforts to identify, acquire, and manage state-
of-the-art technologies and capabilities that screen passengers
at U.S. airports. Prior to beginning her Federal career, Ms.
Fitzmaurice held management positions with Airline Reporting
Corporation, U.S. Airways, and Trans State Airlines. The Chair
now recognizes Ms. Fitzmaurice to testify.
STATEMENT OF STACEY FITZMAURICE, DEPUTY ASSISTANT
ADMINISTRATOR, OFFICE OF INTELLIGENCE AND ANALYSIS,
TRANSPORTATION SECURITY ADMINISTRATION, U.S. DEPARTMENT OF
HOMELAND SECURITY
Ms. Fitzmaurice. Good morning, Chairman Katko, Ranking
Member Rice, and distinguished Members of the subcommittee. I
appreciate the opportunity to appear before you today to
testify about TSA's aviation worker vetting program. TSA
conducts security threat assessments for more than 2 million
workers requiring badged access to airports. These individuals
undergo terrorist watch list checks, as well as immigration
status, and criminal history records checks.
TSA checks against the Terrorist Screening Database are
constant and give us near-real-time notification of any changes
to the list of known or suspected terrorists so that we can
take appropriate action. Both the IG and an independent review
of DHS's vetting processes deemed TSA's vetting to be
effective. TSA has made key enhancements to aviation worker
vetting through projects that began in 2012. These include the
ability for airports to upload immigration and identity
documents, to conduct more robust identity verification and
immigration checks, and implementing system logic to reject
inaccurate information. We will continue to work on
improvements in this area.
Airport operators are responsible for reviewing FBI
criminal history records and ultimately making a determination
about granting badges to workers that provide secure access to
our Nation's airport according to TSA's requirements. An
airport operator may not issue a badge if TSA deems the
individual to be ineligible. Airports represent a critical
layer of security by making risk-based decisions using TSA
provided information and locally-derived information for the
final badging decision.
TSA recognizes the value of conducting more frequent or
recurrent criminal checks on workers to identify cases where
there has been subsequent criminal activity. TSA's use of
criminal history records checks is considered by the FBI to be
for non-criminal justice purposes according to pre-9/11 law and
regulations. As such, TSA has not had access to criminal checks
that are available to law enforcement agencies. However, in
September 2014, the FBI implemented a new automated capability
called Rap Back that will provide this service to other
agencies such as TSA for a fee.
TSA and the FBI have been working together to implement
recurrent criminal checks. TSA is planning for an initial Rap
Back pilot in the aviation sector to begin later this calendar
year. The IG recently made several key recommendations on
worker vetting, including one that TSA had also identified as
an area for enhancement in 2014. Namely, that there is
additional intelligence-related data that may provide value and
inform TSA's vetting decisions. Using this data, the IG
identified 73 cases for additional attention.
To be clear, these individuals are not considered to be
known or suspected terrorists. TSA has re-reviewed all 73 cases
and found the individuals do not pose a threat to
transportation security. The additional data did not change its
original determination for these cases. These additional
intelligence records do not meet the reasonable suspicion
standard of being considered a known or suspected terrorist by
the U.S. Government. That being said, TSA recognizes the value
of having as much relevant data as possible to make informed
decisions in its vetting. As such, former TSA Administrator
Pistole signed a memo in 2014 supporting TSA's request and
receipt for the additional data.
This information may not only be important for TSA to
conduct its security threat assessment, but also may allow TSA
to assist the intelligence and law enforcement community by
identifying previously unknown associations of known or
suspected terrorists. TSA and the Department are aggressively
pursuing automated access to the data and working to expedite
the process in interagency coordination to complete the
request. TSA concurs with all six of the IG recommendations and
is taking steps to address all of them.
In addition to the three items I have already mentioned, we
will also be including a requirement for inspectors to include
verifying an airport badging office's review of applicant
criminal history records and legal status, publishing guidance
to all regulated airports to ensure that the airport badging
offices deactivate the badges promptly when an individual's
temporary authorization to work in the United States ends, and
working with airports to analyze denials based on legal status,
validate the reasons for the denial, and issue guidance to
airports to address any weaknesses.
The IG findings support our efforts to improve the vetting
of regulated aviation workers and compliment the steps TSA has
taken to address the potential insider threat vulnerability at
U.S. airports. We recognize the value of complete and accurate
information when conducting vetting. We will continue to
identify areas for improvements.
TSA appreciates the work of the IG during the course of
this audit. We will use the information to enhance our
processes going forward. I want to thank the committee for your
interest in this important issue. I look forward to answering
your questions.
Mr. Katko. Thank you, Ms. Fitzmaurice, for your testimony.
Our third witness is Ms. Jenny Grover, director of the
Homeland Security and Justice Team at the Government
Accountability Office. Her portfolio includes GAO reviews of
TSA and Coast Guard programs and operations. Ms. Grover joined
the GAO in 1991. The Chair now recognizes her to testify.
STATEMENT OF JENNIFER A. GROVER, DIRECTOR, TRANSPORTATION
SECURITY AND COAST GUARD ISSUES, HOMELAND SECURITY AND JUSTICE
TEAM, U.S. GOVERNMENT ACCOUNTABILITY OFFICE
Ms. Grover. Good morning, Chairman Katko, Ranking Member
Rice, Chairman McCaul, and other Members and staff. I am
pleased to be here today to discuss TSA's implementation and
oversight of the aviation worker program which TSA and airports
use to determine whether airport workers pose security threats.
TSA, in collaboration with airport operators and the FBI,
completes applicant background checks, known as security threat
assessments, for airport facility workers, retail employees,
and airline employees. In general, security threat assessments
include checks of an applicant's criminal history, immigration
status, and known links to terrorism. TSA and airport operators
have different responsibilities within the process.
Airport operators collect applicant information and send it
to TSA for the security threat assessment. TSA reviews the
results of the terrorism and immigration checks to determine if
the applicant meets the eligibility criteria for holding an
airport credential. TSA transmits the results of the FBI
criminal history check, which contains information from a
National fingerprint and criminal history system, back to the
airport operator for review. Based on this information, the
airport operator evaluates the criminal history to identify
potentially disqualifying criminal offenses and then makes a
determination of eligibility. The airport also enrolls approved
applicants and issues a credential providing for access to
secured areas of the airport.
TSA has faced long-time challenges obtaining the necessary
criminal history information to accurately assess aviation
workers. In December 2011, we found that limitations in the
criminal history checks increased the risk that the agency was
not detecting all applicants with potentially disqualifying
criminal offenses. For the purposes of accessing FBI criminal
history records, TSA is considered a non-criminal justice
requester, similar to that of a private company conducting an
employment check on a new applicant. As a result, the
information that TSA received on aviation work applicants was
often incomplete.
For example, at the time of our report, TSA did not have
access to many State records with information on sentencing,
release date, and parole or probation violations. We
recommended that TSA and the FBI jointly assess the extent to
which this limitation posed a security risk and consider
alternatives. TSA and the FBI concluded that the risk of
incomplete information could be mitigated through improved
access to State-supplied records. The FBI has since reported
expanding the criminal history information that is available to
TSA for these security threat assessments.
Our remaining vulnerability, as others have noted this
morning, is that until recently, TSA did not conduct periodic
criminal history checks of airport workers after they had been
hired. In fact, workers who maintained continuous employment
with the same airport authority did not undergo any subsequent
criminal history checks.
In April 2015, TSA changed this policy by requiring
periodic criminal history checks of all credentialed airport
workers with unescorted access to secure areas of the airport.
According to this requirement, TSA will conduct these checks
until they are able to establish a system for real-time,
recurrent criminal history checks, similar to the way that TSA
conducts recurrent vetting against the terrorism database for
their aviation workers.
In conclusion, with more complete and updated information
about applicant and current worker criminal histories, TSA and
airports are better positioned to detect all individuals with
potentially disqualifying criminal offenses. TSA's new
requirement to periodically conduct criminal history checks of
their aviation workers is a positive interim step while TSA and
the FBI work toward full implementation of the FBI's Rap Back
service, which is intended to provide TSA and the airports with
real-time criminal activity monitoring.
Chairman Katko, Ranking Member Rice, Chairman McCaul, this
concludes my statement. I look forward to your questions.
[The prepared statement of Ms. Grover follows:]
Prepared Statement of Jennifer A. Grover
June 16, 2015
Chairman Katko, Ranking Member Rice, and Members of the
subcommittee: I am pleased to be here today to discuss our past work
examining the Transportation Security Administration's (TSA) Aviation
Workers Program. It has been nearly 14 years since the attacks of
September 11, 2001, exposed vulnerabilities in the Nation's civil
aviation system. Since then, TSA, within the Department of Homeland
Security (DHS), has taken steps to ensure that airport workers who
require unescorted access to secure areas of commercial (i.e., TSA-
regulated) airports are properly vetted to identify those who may pose
a security threat. These efforts are intended to reduce the probability
of a successful terrorist or other criminal attack at the Nation's
approximately 450 commercial airports. However, TSA has faced
challenges in obtaining the necessary information to accurately assess
aviation workers. According to TSA, the threat to civil aviation has
not diminished--underscoring the need for effective airport worker
screening programs.
As requested, my testimony today describes the role of TSA and
airport operators in assessing aviation workers for potential security
threats, as well as challenges and recent improvements. In carrying out
this process, TSA and airports work in collaboration with the Federal
Bureau of Investigation (FBI) to vet applicants against the FBI's
criminal history records, terrorist watch lists and other databases,
and issue credentials to qualifying airport facility workers, retail
employees, and airline employees, among others. This statement is based
on our report and testimonies issued from December 2011 through June
2015 related to TSA's efforts to vet aviation workers.\1\ For our past
work, we reviewed applicable laws, regulations, and policies as well as
TSA program documents, decision memorandums, and other documents. We
interviewed DHS, TSA, and FBI officials. We also conducted selected
updates in June 2015 on recent DHS and TSA efforts to vet aviation
workers. For these recent DHS and TSA efforts, we reviewed applicable
policies and the Aviation Security Advisory Committee's (ASAC) April
2015 report on improving airport employee access control.\2\ We
reviewed the report's methodology and determined that the findings were
reasonable for use in our report. Further details on the scope and
methodology for the previously issued report and testimonies are
available within each of the published products. We conducted the work
on which this statement is based in accordance with generally accepted
Government auditing standards. Those standards require that we plan and
perform the audit to obtain sufficient, appropriate evidence to provide
a reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable
basis for our findings and conclusions based on our audit objectives.
---------------------------------------------------------------------------
\1\ See GAO, Transportation Security: Actions Needed to Address
Limitations in TSA's Transportation Worker Security Threat Assessments
and Growing Workload, GAO-12-60 (Washington, DC: Dec. 8, 2011);
Aviation Security: TSA Has Taken Steps to Improve Oversight of Key
Programs, but Additional Actions Are Needed, GAO-15-559T (Washington,
DC: May 13, 2015); and Aviation Security: TSA Has Taken Steps to
Improve Oversight of Key Programs, but Additional Actions Are Needed,
GAO-15-678T (Washington, DC: June 9, 2015).
\2\ See ASAC, Final Report of the Aviation Security Advisory
Committee's Working Group on Airport Access Control (Arlington, VA:
April 8, 2015).
---------------------------------------------------------------------------
background
In accordance with the Aviation and Transportation Security Act
(ATSA), enacted following the September 11, 2001, terrorist attacks,
TSA requires that airport operators (e.g., an airport authority)
undertake specific actions before issuing credentials to airport
workers seeking unescorted access to secure areas of an airport to
reduce potential security risks posed by these workers.\3\ For example,
a worker seeking unescorted access to a Security Identification Display
Area (SIDA) must first undergo a fingerprint-based criminal history
record check.\4\ TSA oversees implementation of these requirements
through its Aviation Workers Program, which focuses on identifying
security threats posed by those individuals seeking to obtain a
credential for unescorted access to secure or restricted areas of
airports. Specifically, TSA, in collaboration with airport operators
and the FBI, completes applicant background checks, including Security
Threat Assessments, for airport facility workers, retail employees,
airline employees, and any other workers who apply for or are issued a
credential for unescorted access to secure areas in U.S. airports. In
general, Security Threat Assessments include checks for criminal
history records and immigration status, checks against terrorism
databases and watch lists, and checks for records indicating an
adjudication of lack of mental capacity, among other things.
---------------------------------------------------------------------------
\3\ See generally 49 C.F.R. pt. 1542, subpt. C. In general, secure
areas of the airport include areas specified in an airport's security
program: (1) Where air carriers enplane and deplane passengers, sort
and load baggage, and any adjacent areas (secured areas), (2) in which
appropriate identification must be worn (SIDAs), (3) that provide
passengers access to boarding aircraft and to which access is general
controlled through the screening of persons and property (sterile
areas), and (4) that include aircraft movement areas, aircraft parking
areas, loading ramps, and safety areas that are not separated by
adequate security systems, measures, or procedures (air operations
areas). See 49 C.F.R. � 1540.5.
\4\ See 49 C.F.R. � 1542.205.
---------------------------------------------------------------------------
tsa and airport operators share responsibilities for aviation worker
vetting
TSA and airport operators each have certain responsibilities within
the credentialing process. For example, we reported in December 2011
that airport operators are responsible for ensuring the collection of
application information, transmitting the results to TSA for the
Security Threat Assessment, enrolling approved applicants, and issuing
credentials.\5\ TSA's roles include adjudicating the immigration and
terrorism checks, running automated FBI criminal history records, and
transmitting the results of the criminal history record checks to the
airport operators. The FBI's criminal history records contain
information from a National fingerprint and criminal history system.\6\
If an individual has a criminal record in the database, the FBI
provides the criminal history record check results to TSA. TSA, in turn
transmits the results to the airport operator. The airport operators
are responsible under TSA regulations for adjudicating the criminal
history to identify potentially disqualifying criminal offenses
specified under TSA regulations, and making a final determination of
eligibility for a credential.\7\ In doing so, airport operators may
follow up with an applicant if the FBI Record of Arrests and
Prosecutions (RAP) sheet TSA provided lacks a disposition of a criminal
offense--which is necessary for the airport operators to determine if
the applicant has potentially disqualifying criminal offenses.\8\
Furthermore, airport operators, and not TSA, are the entities
responsible for revoking the issued credentials.\9\ For example,
airport operators are to revoke a worker's credentials if TSA
determines the worker poses a threat or violates airport security
policy. Figure 1 summarizes the credentialing processes and respective
responsibilities of TSA and airport operators under TSA's Aviation
Workers Program.
---------------------------------------------------------------------------
\5\ GAO-12-60.
\6\ The system provides automated fingerprint search capabilities,
latent search capability, electronic image storage, and electronic
exchange of fingerprints and responses. A segment of this system is the
FBI-maintained criminal history record repository, known as the
Interstate Identification Index (III, or Triple I) system that contains
records from all States and territories, as well as from Federal and
international criminal justice agencies. The State records in the III
are submitted to the FBI by central criminal record repositories that
aggregate criminal records submitted by most or all of the local
criminal justice agencies in their jurisdictions. The FBI's criminal
history records check is a negative identification check, whereby the
fingerprints are used to confirm that the associated individual is not
identified as having a criminal record in the database.
\7\ See, e.g., 49 C.F.R. � 1542.209.
\8\ See appendix I for a list of TSA Aviation Worker disqualifying
criminal offenses.
\9\ If TSA determines that an individual poses a threat based on
checks of information in the Terrorist Screening Database or
immigration checks, TSA will notify the airport operator to revoke the
credential.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
tsa has taken actions to address limitations in aviation worker vetting
Criminal history record checks are a key element of the Security
Threat Assessment process for TSA's Aviation Worker Program, helping to
ensure that the agency and airport operators detect those applicants
with potentially disqualifying criminal offenses. However, TSA has
faced challenges in ensuring it has the necessary criminal information
to effectively conduct Security Threat Assessments for applicants to
its Aviation Workers Program. In December 2011, we found that,
according to TSA, limitations in its criminal history checks increased
the risk that the agency was not detecting potentially disqualifying
criminal offenses as part of its Security Threat Assessments for
airport workers.\10\ Specifically, we found that TSA's level of access
to criminal history record information in the FBI's Interstate
Identification Index excluded access to many State records such as
information regarding sentencing, release dates, and probation or
parole violations, among others. For the purposes of accessing criminal
history records, FBI provided TSA the level of a noncriminal justice
requestor (e.g., equal to that of a private company conducting an
employment check on a new applicant, according to TSA). As a result,
TSA reported that its access to and airports' ability to review
applicant criminal history records was often incomplete. We found that
TSA and the FBI had not assessed whether a potential security risk in
TSA's Security Threat Assessment process existed with the level of
access to FBI criminal records that TSA had at the time.
---------------------------------------------------------------------------
\10\ GAO-12-60.
---------------------------------------------------------------------------
We recommended that the TSA and the FBI jointly assess the extent
to which this limitation may pose a security risk, identify
alternatives to address any risks, and assess the costs and benefits of
pursuing each alternative. In May 2015 and June 2015, we reported that
TSA and the FBI have since taken steps to address this recommendation.
For example, in 2014, the agencies concluded that the risk of
incomplete information did exist and could be mitigated through
expanded access to State-supplied records.\11\ TSA officials reported
that the FBI has since taken steps to expand the criminal history
record information available to TSA when conducting its Security Threat
Assessments for airport workers and others. For example, TSA reported
that the study between the FBI and TSA culminated in the FBI
implementing system changes to provide the TSA with access to expanded
criminal history record information. According to TSA officials, the
FBI's release of its Next Generation Identification System--which the
FBI reported achieving full operational capability in September 2014--
has been enhanced to expand the State-provided criminal history records
that are now incorporated into all FBI criminal history record
information for TSA's Security Threat Assessments for aviation
workers.\12\ We have not evaluated TSA's use of the new system.
---------------------------------------------------------------------------
\11\ GAO-15-559T and GAO-15-678T.
\12\ According to the FBI, the Next Generation Identification
System is an incremental replacement of a previous fingerprint
identification system that provides new functionality and improves
existing capabilities. The technological upgrade accommodates increased
information processing and sharing demands from local, State, Tribal,
Federal, and international agencies.
---------------------------------------------------------------------------
Further, in April 2015, TSA updated existing requirements to
address the need for recurrent criminal history records checks for
credentialed airport workers with unescorted access to secure airport
areas at periodic intervals. Until recently, TSA did not require
periodic criminal history checks of workers with unescorted access
authority as long as workers maintain continuous employment with the
same issuing authority. TSA updated its requirements in response to the
ASAC's recommendation and the Secretary of DHS's statement regarding
airport security enhancements.\13\ ASAC recommended that TSA should
incorporate real-time criminal activity monitoring into the aviation
worker vetting process in its final report on improving airport
employee access control. ASAC found that TSA's practice of reviewing
criminal history records once--at the time of vetting for initial
employment--created the potential for TSA and airport operators to be
unaware of aviation workers who had subsequently engaged in potentially
disqualifying criminal activity yet continued to hold active
credentials. ASAC reported that real-time criminal activity monitoring
should be a part of the vetting process, similar to the perpetual
vetting of aviation workers conducted by TSA against terrorist watch
lists. Specifically, ASAC recommended that TSA accelerate
implementation of a pilot of criminal activity monitoring using FBI's
Rap Back Service, with a goal of full implementation of the service by
the end of 2015.\14\ The Secretary of DHS stated that until TSA
establishes a system for real-time recurrent criminal history records
checks for all aviation workers, TSA should require fingerprint-based
criminal history records checks periodically for all airport employee
SIDA badge-holders.
---------------------------------------------------------------------------
\13\ ASAC, at the request of TSA in January 2015, created a working
group comprised of representatives from the aviation industry tasked
with analyzing the adequacy of existing security measures and
recommending any additional measures needed to improve employee access
controls. See 49 U.S.C. � 44946 (requiring establishment of an ASAC
within TSA to provide advice and recommendations on aviation security
matters, including the development, refinement, and implementation of
policies, programs, rulemaking, and security directives pertaining to
aviation security, while adhering to sensitive security guidelines).
\14\ FBI introduced its Rap Back Service in September 2014 as part
of its Next Generation Identification System. According to the FBI, the
Rap Back Service provides users, such as airport authorities, the
capability to receive immediate notification of criminal and, in
limited cases, civil activity of enrolled individuals that occur after
the initial processing and retention of criminal or civil fingerprint
transactions, such as the fingerprint-based criminal history records
checks currently conducted by TSA and airport operators.
---------------------------------------------------------------------------
Chairman Katko, Ranking Member Rice, and Members of the
subcommittee, this completes my prepared statement. I would be pleased
to respond to any questions that you may have at this time.
Appendix I: Criminal Offenses That Disqualify Applicants Under the
Aviation Workers Program from Acquiring an Airport-Issued Badge
In accordance with 49 C.F.R. �� 1542.209, 1544.229, and 1544.230,
an individual has a disqualifying criminal offense if the individual
has been convicted, or found not guilty of by reason of insanity, of
any of the crimes listed below in any jurisdiction during the 10 years
before the date of the individual's application for unescorted access
authority, or while the individual has unescorted access authority.
disqualifying criminal offenses
1. Forgery of certificates, false marking of aircraft, and other
aircraft registration violation; 49 U.S.C. � 46306.
2. Interference with air navigation; 49 U.S.C. � 46308.
3. Improper transportation of a hazardous material; 49 U.S.C. �
46312.
4. Aircraft piracy; 49 U.S.C. � 46502.
5. Interference with flight crew members or flight attendants; 49
U.S.C. � 46504.
6. Commission of certain crimes aboard aircraft in flight; 49
U.S.C. � 46506.
7. Carrying a weapon or explosive aboard aircraft; 49 U.S.C. �
46505.
8. Conveying false information and threats; 49 U.S.C. � 46507.
9. Aircraft piracy outside the special aircraft jurisdiction of the
United States; 49 U.S.C. � 46502(b).
10. Lighting violations involving transporting controlled
substances; 49 U.S.C. � 46315.
11. Unlawful entry into an aircraft or airport area that serves air
carriers or foreign air carriers contrary to established
security requirements; 49 U.S.C.
� 46314.
12. Destruction of an aircraft or aircraft facility; 18 U.S.C. �
32.
13. Murder.
14. Assault with intent to murder.
15. Espionage.
16. Sedition.
17. Kidnapping or hostage taking.
18. Treason.
19. Rape or aggravated sexual abuse.
20. Unlawful possession, use, sale, distribution, or manufacture of
an explosive or weapon.
21. Extortion.
22. Armed or felony unarmed robbery.
23. Distribution of, or intent to distribute, a controlled
substance.
24. Felony arson.
25. Felony involving a threat.
26. Felony involving--
(i) Willful destruction of property;
(ii) Importation or manufacture of a controlled substance;
(iii) Burglary;
(iv) Theft;
(v) Dishonesty, fraud, or misrepresentation;
(vi) Possession or distribution of stolen property;
(vii) Aggravated assault;
(viii) Bribery; or
(ix) Illegal possession of a controlled substance punishable by a
maximum term of imprisonment of more than 1 year.
27. Violence at international airports; 18 U.S.C. � 37.
28. Conspiracy or attempt to commit any of the criminal acts listed
above.
Mr. Katko. Thank you, Ms. Grover.
The Chair now recognizes the Chairman of the full Homeland
Security Committee, the gentleman from Texas, Mr. McCaul, for
any statement he may have.
Mr. McCaul. I would like thank Chairman Katko and Ranking
Member Rice for holding this important hearing.
Recent reports about the TSA screening, in my view, are
deeply disturbing and call into question some of the post-9/11
security measures we have worked hard to put in place. Yet 14
years after that horrible day, Islamist terrorists are still
plotting daily to kill Americans. Lately, the threat picture
has gotten worse.
Our aviation sector is of particular interest to the
terrorists. They think that by taking down airplanes, they can
bring down our economy. Last week we reportedly hit al-Qaeda's
No. 2 in a drone strike in Yemen, where the terror group has
been focused for years on developing bombs to plant on
airplanes. It was an important counterterrorism victory. But it
won't stop terrorists from aiming their sights at our skies.
As we stare down these threats, Congress and the American
people need confidence in our defenses. Terrorists have to be
right only once. To defend ourselves, we have to be right 100
percent of the time. Millions of travelers pass through our
Nation's airports every year. We need to know that the systems
in place will protect them. But in recent weeks, TSA has given
us more concern than confidence.
Reports about TSA's performance have alarmed the American
people and raised fears that bombs could pass through airport
passenger screening and terrorists might slip through TSA's
employee vetting. We need to get to the bottom of these claims
and do everything possible to deny terrorists an opportunity to
exploit our defenses.
Next month, I plan to hold a hearing on aviation security
with the new TSA administrator once he is confirmed. I want him
to outline his vision for TSA and give us answers on how he
will close any identified vulnerabilities. This will not be
easy. But in order to win the confidence of the American
people, TSA needs a good wire brushing and strong leadership.
We cannot become complacent about the threat. We can and
must improve our screening capabilities. We need aviation
workers who are thoroughly vetted. As the first step to tackle
these challenges, I am co-sponsoring H.R. 2750, the Improved
Security Vetting for Aviation Workers Act, introduced by
Chairman Katko, which codifies the inspector general's six
recommendations to ensure there are no loopholes in the
security background checks for aviation workers.
I also strongly support H.R. 2770, the Keeping Our
Travelers Safe and Secure Act, introduced by Ranking Member
Rice, which would close additional screening gaps and
strengthen our aviation security. I want to thank the DHS
Inspector General Roth for his leadership and strong oversight
at TSA and DHS in bringing these vulnerabilities to our
attention. I also want to thank the TSA and GAO witnesses here.
I hope they are committed to changing the agency's direction
and restoring the trust of the American people.
When I heard that 73 airport workers had ties to terrorism,
when I got that news, well, first of all, I couldn't believe
it, and I want additional briefings on these ties to terrorism,
but that is totally unacceptable 14 years after 9/11. I think
the American people deserve better. When we see, you know, the
grandma, the veteran, the Active-Duty service, the children
being patted down at these airports and water bottles being
taken out of luggage and all this going on. Yet, 96 percent of
the stuff gets through. We can't talk about what it is because
it is Classified. But 96, that is a 4 percent success rate.
The American people deserve better. They deserve to feel
safe when they travel on airplanes. With that, Mr. Chairman, I
yield back.
Mr. Katko. Thank you very much, Chairman McCaul.
I now recognize myself for 5 minutes to ask questions. I
will start with Mr. Roth. Briefly summarizing your findings in
your report and the recommendations, you recommend basically
four broad categories of recommendations. I just want to make
sure I got them right here. No. 1, TSA should request and
review additional watch list data, is that correct?
Mr. Roth. That is correct.
Mr. Katko. No. 2, that they require that airports improve
verification of applicants' rights to work, correct?
Mr. Roth. Correct.
Mr. Katko. No. 3, that they revoke credentials when the
right to work expires?
Mr. Roth. Correct.
Mr. Katko. No. 4, to improve the quality of vetting data,
is that correct?
Mr. Roth. Yes, sir.
Mr. Katko. All right. Ms. Fitzmaurice, does TSA agree with
all those recommendations?
Ms. Fitzmaurice. Yes. They do.
Mr. Katko. All right. I want to focus on requesting and
reviewing additional watch list data first. I will start with
Mr. Roth briefly. Could you tell me, you mentioned during your
testimony that about 900,000 individuals, employees Nation-wide
were run through that National Counterterrorism Center's TIDE
database, is that correct?
Mr. Roth. Yes, sir.
Mr. Katko. All right. How onerous a task was it to do that?
Mr. Roth. Well, for us it was actually, the actual task of
running it, and actually NCTC did it for us, the legal
authorization for it took some time. We had to get a memorandum
of understanding between TSA and NCTC to do it.
It took about 18 months to get all the legal authorizations
that we needed to do it because of the requirements of the Data
Matching Act. So legally and bureaucratically it was a huge
lift. But then actually to do the match was quite easy.
Mr. Katko. Okay. So the mechanical of checking against a
database, once those hurdles are cleared, is relatively easy?
Mr. Roth. Yes. The size of the data is not that large. So
it was not that big of a task to match one set of data against
the other set of data.
Mr. Katko. So if we can fix these hurdles, it should be a
relatively easy task to have this vetting going through the
database on a regular basis?
Mr. Roth. Yes, sir.
Mr. Katko. All right. Thank you. Ms. Fitzmaurice, a couple
questions for you. I would like to know when TSA first became
aware of this problem with respect to not getting appropriate
codes to run names through the database.
I know from at least May 2014, there was a memo to
Administrator Pistole advising that they needed additional
codes from TIDE for employee screening, is that correct?
Ms. Fitzmaurice. That is correct.
Mr. Katko. All right. To your knowledge, is that when the
administrator first became aware of this being a problem?
Ms. Fitzmaurice. That is my understanding.
Mr. Katko. Okay. So May 2014, at least, the administrator,
the head of TSA was aware of the fact that they may not be,
they were getting incomplete data regarding employees and that
that may affect whether individuals with terrorist ties are
working at airports across this country, is that right?
Ms. Fitzmaurice. Yes. If I may explain the distinction of
the information that we are requesting, TSA receives watch-
listed information that is maintained by the FBI's Terrorist
Screening Center. That information is the information that we
primarily use in our vetting process. That is who the Federal
Government has deemed to be known or suspected terrorists and
meets the reasonable suspicion standard, which is why that is
then shared with us for the watchlisting purposes.
What we are seeking access to is additional intelligence-
related information that is contained in the NCTC TIDE
database. I think it is important to understand that the
information that are on the watch list are in TIDE, but not
everyone in TIDE is a terrorist and meets that reasonable
suspicion standard to be then put on the watch lists.
Mr. Katko. Understood. But the fact remains that there was
at least 73 individuals that had potential ties to terrorism
that were not identified because you did not have the
appropriate information, is that correct?
Ms. Fitzmaurice. That is correct. We did not have access to
that information. We are seeking that access. We did review,
though, all of the cases of those 73 individuals, and have
determined they do not pose a threat to transportation
security.
Mr. Katko. Who made that determination?
Ms. Fitzmaurice. TSA did, sir.
Mr. Katko. Did anybody from outside TSA share in making
that determination?
Ms. Fitzmaurice. So sir, as part of our typical process,
when we look at information and we look at individuals who may
have some nexus to terrorism, we oftentimes will consult with
various law enforcement and intelligence community partners.
Mr. Katko. Did you do that?
Ms. Fitzmaurice. We do that regularly as part of our
process.
Mr. Katko. So the question is clear, with respect to these
73 individuals that have potential ties to terrorism according
to the TIDE database, TSA has made their own independent
determination that they don't pose a threat?
Ms. Fitzmaurice. TSA reviewed all of the 73 records on
these individuals, determined that they did not pose a threat
to transportation. That is part of TSA's kind of day-in and
day-out process. But every time we understand that someone may
have a potential nexus, they may not be designated as a known
or suspected terrorist, we do do that consultation with the IC
and other law enforcement----
Mr. Katko. I just want to make sure you are answering the
question. Just a brief yes or no. Did you consult with people
outside of TSA before you made the ultimate determination that
these 73 individuals who are on the TIDE database don't pose
any threat to TSA? Did you consult with outside people, yes or
no?
Ms. Fitzmaurice. Yes. That is part of our process. We did.
Mr. Katko. Okay. Okay. I take it that is something we can
see in a secured setting, the information regarding that?
Ms. Fitzmaurice. Yes. We would be happy to share that in a
closed setting.
Mr. Katko. More importantly, this has raised a concern, of
course, about a gap in, the biggest concern I have is the
amount of time it takes, once a concern is raised with TSA,
until the time when TSA actually acts upon it. So I guess from
a guideline standpoint, we have May 2014 is when the
information was brought to Administrator Pistole, correct?
Ms. Fitzmaurice. Yes, sir.
Mr. Katko. What did TSA do after that to try and fix this
problem? Okay, I know as of today, a year later, the problem
has not been fixed. So tell us what you have been doing in the
mean time?
Ms. Fitzmaurice. Certainly. So yes, the administrator did
sign a memorandum, May of last year, acknowledging our interest
to receive access to this information. We have been engaged in
on-going discussions in the interagency to receive access to
this information.
I just recently came back to the Office of Intelligence and
Analysis in March. Since my return to the office, have had
numerous interagency discussions on this topic. We are working
to expedite this process in our request to gain access to this
information.
Mr. Katko. With all due respect, when you say requesting to
expedite this process, it has been a year, right? It has been a
year. You realize that what could be a potentially serious
security gap, an obvious security gap. It has been a year. That
doesn't sound like it is being expedited.
Ms. Fitzmaurice. So, you know, I understand your point
there. Like I said, we are working very hard to gain access to
this information.
Mr. Katko. When you say very hard, what does that mean?
Ms. Fitzmaurice. So we have been having----
Mr. Katko. Because, you know, quite frankly, with respect
to employee screening at airports, we have had this problem
since 2011. We are still talking about problems with employee
screening at airports 4 years later. We hear the same thing
from TSA all the time, we are working on it. Well, with all due
respect, and I know you are just the person here filling in for
someone who is unavailable, but that is not acceptable.
You have the Nation's security in your hands, this agency
does. To sit there and give us a bureaucratic response we are
working on it in an expedited manner, you are talking about a
gap in terrorist watch lists. You are saying you are working on
it?
Ms. Fitzmaurice. So we are working on it. But I think what
is really important to understand is that we do receive the
Terrorist Screening Database and those are the individuals that
are deemed to be threats to transportation security.
We do vet all of the aviation workers against those. We
have taken action on those. What we are seeking to do now is
gain access to additional information that will assist us and
provide a fuller context of who these individuals are and
potentially identify unknown associations.
Mr. Katko. The point is, and I ask you to take it back to
your supervisors, and we are going to make the point crystal
clear to them, and actually Mr. Rogers and I have made it clear
to him again and again and so have many others here, the fact
remains, TSA is not responding in a timely manner to seemingly
very important issues.
As it stands right now, were it not for the IG report, I
highly doubt that we would be any closer to getting access to
the TIDE database because the TIDE database identified 73
people you didn't know about that may have had ties to
terrorism. Your determination whether or not they have ties to
terrorism is an internal thing that we will take a look at. But
the bottom line is it needs to be more quickly done. We cannot
have a bureaucratic morass in charge of guarding our airports.
We just can't.
With that, I will yield back questioning to the Ranking
Member, Miss Rice.
Miss Rice. Thank you, Mr. Chairman. Ms. Grover, you
mentioned something in your testimony about how the TSA is not
qualified as a law enforcement agency which limits the ability
for them to get relevant information regarding someone's
background. Is that a change that needs to be made to expand
the databases that TSA would have access to to ensure that the
vetting can be as thorough and complete as possible?
Ms. Grover. So this has been a topic of discussion for many
years. The Compact Act from 1998 is what set the requirements
for requesters that were considered to be having criminal
justice access versus non-criminal justice access.
When we did our work several years ago, TSA's position was
that they didn't really fit neatly into either one of those
categories. It was their position that the non-criminal justice
access records wasn't meeting their needs, which it clearly was
not because at the time they only had access to information
from about 15 States and really didn't have the information
that they needed to make a complete determination of
eligibility.
They have worked with the FBI. In the past, the FBI has
determined that they are not eligible for the different status
of criminal justice requester and has expanded the database. So
I believe now they have access to information from about 41
States. That certainly comes much closer to meeting their
needs.
Miss Rice. Okay. But that is not going to be complete until
they have access to all 50 and they are treated, for all
intents and purposes, like a law enforcement agency. So we have
to deal with that change. Okay. So you answered the second
question I was going to ask.
Ms. Fitzmaurice, one of the first things that you said in
your testimony was that the vetting process by the TSA has been
found to be effective, whether that is Mr. Roth's finding or
your finding. I have got to tell you, just sitting here, how is
it possible that anyone can come to that conclusion when we are
talking about all of these deficiencies?
Ms. Fitzmaurice. No, I understand that. Let me provide some
context for that comment. So, yes, the inspector general, as
part of his report, did say they found our vetting processes to
be generally effective. Additionally, several years back, the
Department sponsored a review of DHS's vetting programs. We
participated in that. The review of that found that TSA's
system was actually, I think, one of the best performing in
effective systems that DHS has in the vetting enterprise.
I think one of the key things that we have to keep in mind
and part of what we are talking about today, though, is the
information that we have access to. So we have a very
sophisticated vetting system that takes millions of records and
vets that against the databases of known and suspected
terrorists. But we are absolutely dependent on having access to
the right information about individuals who pose, you know, a
threat to transportation security and who also may have some
value from an intelligence standpoint.
Additionally, as has been highlighted, you know, the other
piece that is important on the information that we receive on
the applicants who are seeking to work in our transportation
system. So we are focused on those areas right now. But what my
comment was specifically referencing was the effectiveness of
the system that we have built, this very complex vetting
system.
Miss Rice. I think it is clear after today and probably
clearer much earlier that we can't use that word effective at
this point in my opinion.
Mr. Roth, I just want to ask you, you said that TSA denied
credentials to 4,300 applicants who had previously been found
to be okay? Can you just elaborate on that? Do you know what I
am making reference to?
Mr. Roth. With regard to immigration status?
Miss Rice. Yes. Yes. So how did that happen? If you can do
it quickly because I have a couple other questions.
Mr. Roth. Yes. That is precisely my question: How could
this happen? I mean, the airports are legally responsible for
ensuring immigration status, that these folks have lawful
authority to work. They do that. By the time they send it to
TSA, they are basically certifying that----
Miss Rice. They being who? Who sends that information?
Mr. Roth. Sorry. The airport operators.
Miss Rice. The airport operators send the background
information to TSA?
Mr. Roth. With the certification that these folks, in fact,
are legally entitled to work.
Miss Rice. So this is a deficiency on the part of the
airport operator not doing----
Mr. Roth. Correct. Then what TSA does is they take that
information, they bounce it off of CIS records. That is where
we found the discrepancy.
Miss Rice. Okay. So it is clear, I think, from what we are
hearing here today that post, you know, 9/11, 14 years post-9/
11, we still have Federal agencies and some private operators
who are siloing relevant information in a way that could lead
to a catastrophe. How do we fix that, Mr. Roth?
Mr. Roth. Well, certainly the airports themselves under law
have the obligation to certify whether or not someone meets the
criminal history check. In other words, they are void of any
disqualifying criminal offenses.
That is 450 airports across the country. TSA is obligated
to do a quality check on that. Unfortunately, because these
aren't electronic records, they have to do a manual review. So
if they do an airport inspection, they might do a manual review
of, in the larger airports, only about 1 percent of the
applications to determine whether or not the airport workers
who have these SIDA badges, in fact, have disqualifying
criminal offenses.
Miss Rice. Mr. Roth, I have got to tell you, I think that
is one of the most disturbing things that I have heard here,
that airport operators are not doing their due diligence to
ensure that people that they are sending to you to get the
stamp of approval, they are not giving you the relevant
information that you need.
Mr. Roth. I share your concern. It is especially concerning
given the fact that, you know, there are no layers of security.
Once you have a SIDA badge, that means you have unescorted
access to anywhere in the airport. You can load baggage. You
can have access to the aircraft. You can do basically anything
unescorted. That, obviously, is concerning if we don't have a
better understanding of who these airport workers are.
Miss Rice. Well, certainly the airport operators have to
assume an enormous amount of accountability and responsibility.
We have to figure out a better way to check to make sure that
the information that they are giving to the TSA is correct.
Thank you, Mr. Roth and Ms. Fitzmaurice, and Ms. Grover. I
yield back my time. Thank you, Mr. Chairman.
Mr. Katko. Thank you, Miss Rice. The Chair now recognizes
Mr. Rogers from Alabama for questions he may have.
Mr. Rogers. Thank you, Mr. Chairman. Now, Mr. Roth, and
this could be for Ms. Fitzmaurice, either one, because both of
you have just made statements that inferred that you don't have
access to databases that would give you the relevant
information to make sure that these staffers don't get the SIDA
badge, is that what I am hearing?
Ms. Fitzmaurice, let me go to you, you made reference a
little while ago that you can't do your job without access to
important information. So you are saying that you don't have
that access?
Ms. Fitzmaurice. So we do have access to the U.S.
Government's terrorist watch list data. What we are seeking
access to is additional intelligence information on
individuals. We are working through the interagency currently
to request that.
Mr. Rogers. Is that an existing database that you want
access to?
Ms. Fitzmaurice. That is a database that we are seeking
some automated access to be able to incorporate additional data
into our automated vetting processes.
Mr. Rogers. Heretofore, you have been told you cannot have
access? Or is it just something you all hadn't thought of?
Ms. Fitzmaurice. I think that when we recognized the value
of this, we have been working to pursue gaining access to this.
Mr. Rogers. But you knew about it before now? I am trying
to figure out why at this late time you are just now saying
well, we probably should have had access to that database. If
it was a database that had information about potential
terrorists in it, why wouldn't you already be plugged into it?
Ms. Fitzmaurice. So again, I think what we have to
understand is the watch lists, which are maintained by the
FBI's Terrorist Screening Centers, are what are determined to
be individuals who pose, you know, threats to transportation.
We receive those watch lists for purposes of our vetting.
I think what we have recognized over time through our
experience in vetting individuals and understanding the
additional intelligence information that is contained in TIDE,
we believe that we can supplement the value of what we do by
identifying potentially individuals who may be unknown and----
--
Mr. Rogers. Who has control of that database now?
Ms. Fitzmaurice. So that database that we are talking about
is maintained by the NCTC.
Mr. Rogers. Okay. Are they giving you any problems about
accessing it? Is it just a technical issue now? Are they happy
to let you in on it?
Ms. Fitzmaurice. Yeah. This is a coordination discussion
right now with the interagency. The vetting systems are very
complex. You know, we have the airports, we have the airlines,
they are submitting information to us. We have our system that
is actually doing the analysis. We are getting information from
the watchlisting community. So it is really just more of the
complexities of that interagency coordination process that we
are working through.
Mr. Rogers. How long do you think it will take you to work
through that?
Ms. Fitzmaurice. I am very optimistic now. We have had
frequent and on-going discussions on this matter. I would
expect that we will be able to work through it in the very near
future.
Mr. Rogers. That is very lawyerly.
Ms. Fitzmaurice. I am not a lawyer, sir.
Mr. Rogers. You sound like one.
Mr. Katko. All right, just for the record, that hurts me
because I am a lawyer.
Mr. Rogers. I am a recovering attorney too. That is why I
know one when I see one. So 60 days? Ninety days?
Ms. Fitzmaurice. I can tell you that we are having daily
conversations on this topic. Even as frequent as this
afternoon, we will be continuing those discussions on how we
can seek and gain the access.
Mr. Rogers. Mr. Roth, is what she just described what you
were making reference to about the SIDA badges?
Mr. Roth. Somewhat. It is a little more complicated than
that from our point of view. There are a number of codes that
we are talking about----
Mr. Rogers. A number of what?
Mr. Roth. Of codes or sort-of categories of individuals or
names in the large TIDE database. Now, some of those are, in
fact, known or suspected terrorists that TSA does not have
access to. Then there are others that are out there that are
simply in the large TIDE database that really aren't used for
watchlisting purpose, although TSA would like them to be noted
for watchlisting purposes.
So there is really two categories of information. Some that
is already sort-of vetted information, for example, there are
several of these categories that other components within DHS
gets but TSA doesn't get.
Mr. Rogers. Why?
Mr. Roth. It is difficult to describe in on open setting.
But we can certainly explain it later on if you would wish.
Mr. Rogers. Yes, I do. Let me ask, is this the first time
that you have done an IG report on this problem?
Mr. Roth. We have done reports on access badges in general,
control over access badges. This is the first time, though,
that we have done sort-of a data run comparing the SIDA badges
to the terrorist databases.
Mr. Rogers. Okay. All right. Do you agree with Ms.
Fitzmaurice's characterization that the 73 people that were
identified as having terrorist ties really weren't a problem?
Mr. Roth. We don't have any information as to the process
that TSA used once we gave them those names in November of last
year. I would say that the more information that you have, the
better decisions that you make. So whether or not these 73
individuals, in fact, did not pose a threat to terrorism
doesn't mean that the system is working perfectly.
Mr. Rogers. Well, my time is up. I hope one of the other
Members will pick up on this. Because I would like to know if
they weren't a problem, why were they on the list to begin
with? With that, I yield back. Thank you.
Mr. Katko. Thank you, Mr. Rogers. The Chair now recognizes
Mr. Payne from New Jersey for questioning.
Mr. Payne. Thank you, Mr. Chairman. Thank you to the
Ranking Member of this committee. Mr. Roth, a bit of a kind-of
confusing element in your most recent report is how TSA's
vetting process can be considered generally effective, yet 73
individuals with links to terrorism were not found during this
process. It seems a little contradictory. Can you elaborate?
Mr. Roth. Certainly. Thank you for that opportunity. When
we talk about generally effective, what we are talking about is
the operation that the vetting unit does within TSA. You know,
they are only as good as the information that they get. So they
do a very significant job, for example, they have over 2.2
million recurring vetting hits that they have to process every
year. That is about 6,000 per day.
Additionally, they have to actually manually review 24,000
records a year, so that is 2,000 records a month, 500 records a
week, to, you know, look at potential hits off the Terrorist
Screening Database, to see whether or not these, in fact, are
the individuals who are listed on the database itself.
So, I mean, they do a good job with the information that
they have. But, again, what we had said is that we uncovered a
vulnerability which is they didn't have all the information
they needed to do their job.
Mr. Payne. So basically with the volume, if it was other
than an issue of terrorism, it would be considered not that
bad. But, you know, the potential of 73 individuals, you only
need one to have ill will against this country.
Mr. Roth. That is the nature of the threat that TSA faces.
It is an asymmetric threat, that all it takes is one. They have
to be right every single time.
Mr. Payne. Your report acknowledges passport numbers and
Social Security numbers being strong matching elements, yet
neither is required during the application process. In your
view, can TSA effectively identify potential risk if such
elements are discounted?
Mr. Roth. I think it makes their job more difficult. One of
the things with regard, for example, the Social Security
numbers, that is probably the best identifier you can use as
far as an individual to being able to match an applicant off of
the database. Unfortunately, the Privacy Act, which has some
exemptions, does not exempt TSA from requiring SIDA badge
applicants to have a Social Security number. That is something
that I think would be a useful thing to have.
Mr. Payne. Okay. Ms. Fitzmaurice, during the Q and A with
the Members up here, what leverage do we have with the airport
operators if they are not complying and giving the information?
You know, I believe you said that there is a lapse sometimes
with the airport operators in doing that job. What leverage do
we have to make sure that they are complying?
Ms. Fitzmaurice. So, you know, before we get to the
compliance piece, I think what is important is us working
closely with the airport operators to identify the areas for
improvement, put out guidance on how we can do that, work with
them to implement that, and then ensure that we have a robust
compliance mechanism to go back and review and ensure that they
are doing that, and, you know, take corrective action if we
continue to find that they are not complying with that.
Mr. Payne. What would those corrective actions consist of?
If we are having, you know, obviously continued issues around
them getting to where we need them to be, what, what leverage
do we have if they are falling short?
Ms. Fitzmaurice. Sure. Well, we do have formal security
programs with all of the airports that they are required to
comply with. We have inspectors who go out and review their
performance against those requirements. I am not intimately
familiar with all of the consequences, I will say, with respect
to the, if there are issues of noncompliance, but happy to
follow up with you on that.
Mr. Payne. Okay. Well, what can we do to strengthen the
relationship TSA has with the airports to ensure accuracy of
the data from potential and current aviation workers?
Ms. Fitzmaurice. Thank you. So, you know, we continuously
look at this. We, again, we concur with the recommendations
that the OIG has made in this area. Going back to 2012, we have
been making improvements, putting in system logic so that it
will reject information that may be erroneous or inaccurate.
We have also added automation to allow them to upload
identity documents so we have that information to be able to
review. But looking forward, I think there are continued
opportunities. One of the things that we are looking at is
further automation in this process.
So the way the information comes from the airport operators
through channelers to us is through both automated and some
manual processes. We are looking to move to a fully automated
process that will reduce the opportunity for erroneous data to
be submitted.
Mr. Payne. Thank you. I yield back, Mr. Chairman.
Mr. Katko. Thank you, Mr. Payne. The Chair now recognizes
Mr. Ratcliffe from Texas for questioning.
Mr. Ratcliffe. I thank Chairman Katko and Ranking Member
Rice for holding yet another hearing on this matter. I have to
say, though, that it feels a little bit like the movie
Groundhog Day, where the same things keep happening over and
over again.
Inspector General Roth, you are back here again, as you
were previously. We have had several hearings on this matter
before this subcommittee on security breaches caused by
improper screening. Most recently in April, I think, we had
then TSA Administrator Carraway talking about the steps that
had been taken to make airport and airline employee screening
more secure.
But earlier this month, we had the report about officials
being able to get banned items through security checkpoints 95
percent of the time. Now, Inspector General, we have got your
report revealing that the TSA failed to identify these 73
active workers with links to terrorism, citing a lack of
effective controls in your report. I note in your report, you
conclude with this statement, ``With our recent report, we add
another security vulnerability that TSA must now address.'' I
agree with you. TSA does need to address these issues.
As Chairman McCaul noted, it has now been almost 14 years
since 9/11. Unfortunately, some of what I see in your report
calls to mind the troubling pre-9/11 trend that we had. I know
that you are a former Department of Justice official, former
assistant United States attorney, I should say. As you know, we
had a problem before 9/11 where intelligence and law
enforcement were not sharing information and connecting the
dots. But we had an excuse back then, the law didn't allow it.
So we changed the law to allow the sharing of that information.
So I want to ask you about your report because you say that
TSA didn't identify these 73 individuals with links to
terrorism because TSA isn't cleared to receive all terrorism
categories under the current interagency guidance. Did I
restate that accurately?
Mr. Roth. Yes, sir.
Mr. Ratcliffe. Okay. You talked a little bit about this
with Congressman Rogers, but I am not real clear. Is this a
situation where we need to change the law?
Mr. Roth. It may very well be. My suggestion would be to
allow TSA to deal with ODNI, the Office of National
Intelligence, and determine whether or not they will be able to
have access to this information. If not, it may require a
change in the law.
I will say that I share your concerns that information
sharing is critical, particularly in this area. Even if there
is information that is contained within the TIDE database that
is unsubstantiated, it is still useful for individuals doing a
manual review of somebody who is going to have unfettered
access to secure areas in the airport.
What is very troubling, both about this sort of TIDE
database as well as criminal history checks, is that TSA is
being treated, for all intents and purposes, as if they were a
Wal-Mart, that an individual holding a SIDA badge for recurring
criminal history checks, stands in line with Wal-Mart to
determine whether or not there will be a criminal history
check.
Mr. Ratcliffe. Okay. Let me ask you about that. Because we
talked a little bit about that. In your testimony, you talked
about the fact that airport operators review the criminal
histories for new applicants for these badges to secure areas,
secure airport areas, but that TSA and the airports aren't
legally authorized to conduct recurrent criminal history
vetting. Is that right?
Mr. Roth. That is correct.
Mr. Ratcliffe. So, currently, then, how do TSA and the
airports know if an employee has committed a crime during their
tenure at the airport?
Mr. Roth. That is the difficulty of it, and that is why TSA
is providing this Rap Back Program, a pilot program that they
are going to start at the end of this year, to try to attempt
to get recurrent vetting. It is a new program that the FBI has
started. But as far as the current conditions, that is a
vulnerability.
Mr. Ratcliffe. Okay. But is TSA right now--are they
checking--do they have the ability to check against the
Marshals Service Wants and Warrants list?
Ms. Fitzmaurice. Yes, we do check against the open Wants
and Warrants for the Marshals Service.
Mr. Ratcliffe. Okay. But that list doesn't include all
disqualifying crimes, correct?
Ms. Fitzmaurice. That is correct. What is really critical
here is getting access to the Rap Back capability.
Mr. Ratcliffe. Okay. I see that my time has expired, so I
yield back.
Mr. Katko. Thank you, Mr. Ratcliffe.
I now recognize the gentleman from Massachusetts, Mr.
Keating, for 5 minutes of questioning.
Mr. Keating. Thank you, Mr. Chairman.
Mr. Ratcliffe mentioned this reminded him of the movie
Groundhog Day. This also reminds me of the Leonardo DiCaprio
movie, Catch Me If You Can, where he dresses up like an airline
pilot, just waltzes right in through security. Because these
are very real issues.
We had a hearing of the Oversight Committee, which I was
Ranking at the time, at Logan Airport several years ago, and
one of the major things that came out of that was the fact that
there is real jurisdictional problems with airports that we
have. We are hearing it again here today, in very severe terms.
I just want to follow up and say, if you have noncompliance
by the municipal airport, what can you do about it? I mean, we
found holes in fences, perimeters not being looked at, and they
were cited in vulnerability assessments and other things, and
nothing was done because there was no enforcement over those
municipal airports or whoever runs the airport authority,
whoever runs these things.
We are seeing now in testimony this morning that when you
are reviewing some of the employment vetting that is there,
that you are doing only 1 percent of it. But you are finding
mistakes that they don't do and they didn't come forward with
it. Yet, how is that followed up? How are they penalized for
that? What are they threatened with for that?
It seems like we have a basic jurisdictional issue aside
from information sharing here, where you have Federal agencies
that aren't helping each other or giving each other information
that they should be giving each other. We are going to change
the law to make sure that is the case. Yet, what are you doing
with the municipalities?
Now, Ms. Fitzmaurice, there was an effort on the part of
TSA to take the exit lanes in that inner security area and move
the authority away from TSA employees and give it to the
local--give the responsibility to the local municipal
employees. Given what we have discussed this morning, is it
fair to say that is sufficiently dead? Are you going to stop
pushing that effort to get rid of TSA employees and replace
them with municipal airport employees, or authority of the
airport, you know, their employees?
Are you aware of what that effort has been in the last
couple of years trying to shift that responsibility?
Ms. Fitzmaurice. I want to make sure that I am responsive
and I understand your question.
You are asking whether we would take back the
responsibility of the airport worker?
Mr. Keating. No. No. You have been asking the airports over
the last couple of years to shift the responsibility, take the
responsibility with--they are putting their employees now in
that exit lane out of the airports in which many airports is
right next to where people are coming in. That has been
delayed, I think in part, because Members of the committee
expressing concerns.
Is it fair to say, given what we are hearing this morning,
that that is not going to be pursued anymore?
Ms. Fitzmaurice. You know, I apologize. I don't have an
answer for you on that. I will have to get back to you.
Mr. Keating. Also, when we are looking at the number
studies, I want to thank GAO. I mean, on the vulnerability
studies on the physical aspects of this, we found that it is
less than 3 percent of the airports that are being reviewed.
This morning, we found out it is only 1 percent. We also know
that the airports aren't doing their job either. It is too many
of them. So we have these lapses all the way through. What I
would hope, and maybe I can ask Mr. Roth this, do you think
there is a need to have more accountability and a better need
to enforce the operations of airport authorities and municipal
airports as well when they can just look at the
recommendations, look at what has been found, and we are not
even clear anything's done other than them--they can shrug
their shoulders, as they did with perimeter security when we
addressed it, just say, well, we don't have the resources for
this.
I just don't want to see a situation where we have a
strategy and the Federal Government is pointing their finger at
municipal airports and the authorities, the authorities are
pointing at the Federal Government, our other law enforcements
all pointing their fingers. Finger-pointing is dangerous, and
it is going to get us nowhere. That is what we have been
dealing with in the last few years.
So do you think there is a need to put teeth in what the
TSA can do with airports?
Mr. Roth. You raise a good point. We haven't actually done
any work on that, but it is certainly something that we would
be willing to consider, which is irrespective of whether TSA
follows up and actually finds out, for example, whether the
airport officials are doing the criminal history checks that
they need to do, when they find noncompliance, what do they do
about it? Unfortunately, I don't have the answer to that
question, but you raise a very good question and----
Mr. Keating. The answer when it comes to vulnerability
studies, it is a toothless grin, nothing. So let's find out
here and put some teeth in what we are trying to do.
I yield back, Mr. Chairman.
Mr. Katko. Thank you, Mr. Keating.
The Chair now recognizes Mr. Carter from Georgia for 5
minutes of questioning.
Mr. Carter. Thank you, Mr. Chairman. I appreciate your
leadership in this most disturbing situation we find ourselves
in.
Mr. Roth, I read your report, and I appreciate it very
much, but there were several things in your report that were
very disturbing to me, very disturbing.
First of all, it is my understanding that security
credentials are being given to individuals regardless of their
work or authorization dates. Is that correct?
Mr. Roth. That is correct. What we had found was, in fact,
say you were authorized to work for 18 months, you would get a
security badge that would not turn off at the termination of
your authority to work.
Mr. Carter. So what you are telling me is that we might
have people, and we may have people, we probably do have
people, who are walking around unescorted in our airports and
security areas who are here illegally?
Mr. Roth. Who do not have authorization to work, yes. We
identified that as a vulnerability.
Mr. Carter. You know, certainly--certainly, we have these
people's Social Security number, correct?
Mr. Roth. I am sorry. I missed the question.
Mr. Carter. Certainly, we have these people's Social
Security number? We have that?
Mr. Roth. We do not, no. That----
Mr. Carter. Whoa. Whoa. Whoa. We do not. So you are telling
me we have got people walking around unescorted in secure areas
in our airports, and we don't even have their Social Security
number?
Mr. Roth. That is correct. We did a scrub of the data and
found a number of areas in which they don't have either their
alien registration number, if that is appropriate, their
passport number, if that is appropriate, or their Social
Security number.
Mr. Carter. Holy cow.
Ms. Fitzmaurice, the report in the inspector general's
investigation found that we had thousands of incomplete, or
inaccurate applications and biographical information.
Can I ask you, Ms. Fitzmaurice--and if you will bear with
me, please--can you give me the first initial of your first
name?
Ms. Fitzmaurice. S.
Mr. Carter. S? Now I have got 3 minutes left to ask
questions here. Do you think I can guess your first name in
that 3 minutes? My point is simply this: We have applications
that only have the first initial of the first name?
Ms. Fitzmaurice. That is correct.
Mr. Carter. Does that scare you?
Ms. Fitzmaurice. So I think we are absolutely looking at
and concerned with where we have erroneous and missing
information, and we are taking actions. We have already
implemented logic in our system to reject these types of----
Mr. Carter. I appreciate that, Ms. Fitzmaurice. I really
do. Look, I am from Georgia. I travel at least once, usually
twice, through the busiest airport in the world, through
Atlanta Hartsfield-Jackson Airport. To think that we may have
people walking around in that airport who we don't even know
what their name is. We don't have their Social Security number.
I mean, isn't that something--look, I am okay. You know, I am
pretty confident I can take care of myself to a certain extent.
But my son's coming up later today. I want to make daggone sure
he is okay. My younger son's coming up today, my middle son's
coming up tomorrow. Isn't this something that should be taken
care of immediately? Immediately?
Ms. Fitzmaurice. Yes. We are taking actions immediately to
work on continued improvements to improve the data quality for
the vetting systems.
Mr. Carter. I just can't believe that in the world's
busiest airport, in Atlanta Hartsfield-Jackson Airport, that we
could have people walking around unescorted in secure areas in
that airport, who we don't know their Social Security number;
we don't know their name, and that is something that we are
sitting here talking about? You ought to be on the phone right
now. Stop, we have got to figure this out.
I am appalled at this. Mr. Roth, I appreciate the efforts
here, and I appreciate all the efforts of all of you, but we
need to take care of this immediately.
Mr. Chairman, I yield.
Mr. Katko. Well, thank you, Mr. Carter. I think the
committee shares your frustration, and that is why we had
something else scheduled for today here on passenger rail
safety and surface transportation safety, but instead we chose
to have this hearing.
I want to juxtapose TSA's turtle-like response to seemingly
serious problems with what the committee has done. We found out
about this less than a week ago. We are having a committee
hearing today, and we are marking up a bill to fix this problem
right after this hearing.
So the point is, if you have issues, and you need things
done, I highly encourage TSA to come to us, because we can give
you legislative fixes to things instead of waiting a year to
negotiate or hope to get something while the security lapse--
securities gaps continue.
Now, I note TSA is working on issues and trying to fix
things. Let me tell what you TSA is doing in the mean time.
We had a problem with PreCheck. Our PreCheck bill is going
to be introduced next week, or in the next couple of weeks, to
deal with expanding, revamping the PreCheck Program and having
it being run properly, because they have concluded that it was
not. Part of the PreCheck was called Managed Inclusion, we take
people out of nonsecure lines and put them into PreCheck
because--for keeping to our passengers' flow. That is not
right, and that is going to be fixed. Mr. Thompson is
introducing a bill regarding that. We have access control and
screening issues at airports to employees that are absolutely,
positively abysmal. When people are having guns on airplanes,
when people are dealing dope out of the Oakland Airport, it is
a problem. It can't wait for discussions. We are going to fix
that. We are introducing a screening bill next month that is
going to fix that.
We also have many other things we are going to be working
on. I can tell you going forward, I highly encourage TSA to
work with us and not just close ranks and say, we are working,
looking into the issue. It is now a year after you found out
that your employees were not getting checked against a
database, and a year after people started requesting that
information happen, and they are still spinning their wheels.
That can't happen.
You are entrusted with our Nation's security, our
children's security, like Mr. Carter said, and we need to do a
better job, we just flat out need to do a better job, and it
starts with leadership.
It took us months of begging the President just to appoint
a successor for TSA. That is unacceptable in such an important
agency. So I can tell you one thing going forward, we are not
going to wait for things to happen. We are going to legislate,
and we are going to fix these things, because we can't wait for
these things to be fixed.
Mr. Roth, I encourage you to keep doing what you are doing.
You are doing a superb job at keeping us informed and exposing
issues that need to be taken care of. I know it is a lot of
work. I can tell you, Ms. Grover, too, what you are doing is
critically important to the safety of our country. I applaud
both of you and your agencies and your staffs for what you are
doing, so keep it up.
Now, with that I want to thank the witnesses for their
testimony and the Members for their questions. The Members of
the committee may have some additional questions for the
witnesses, and we will ask your response to these in writing.
The hearing will be held open for 10 days without objection.
The committee stands adjourned, but I will note that we are
going right to mark up in about 15 minutes after a break, and
we are going to have these bills out of committee today,
hopefully, and then through the full committee next week and on
the floor for a vote. That is how it should be done.
[Whereupon, at 11:21 a.m., the subcommittee was adjourned.]
[all]