GAO Questions Prescreening Plan

The Transportation Security Administration may be establishing a viable CAPPS II successor with its controversial Secure Flight passenger screening program, but a report issued last month by the Government Accountability Office said it has adequately addressed only one of 10 key areas of congressional inquiry.

Among GAO's concerns are Secure Flight's unproven ability to establish real-time connectivity with air carrier reservation systems, its lack of a stress-tested system of redress for falsely identified passengers, and its failure, thus far, to clearly define its impacts on passenger privacy in an operational environment.

Despite GAO's findings, TSA is set to begin the first phase of final Secure Flight testing—including unit, integration, system and end-to-end this month.

"TSA officials stated that they have identified a time frame during end-to-end testing when they plan to conduct performance and complete system stress-testing. However, officials stated that the specific test plans cannot be finalized until TSA makes key decisions regarding the final operational and functional requirements for Secure Flight," GAO found. "Until TSA develops detailed and complete test plans and fully executes these plans, it is unknown how well Secure Flight will perform and whether it will be ready to be operational with two air carriers in August."

Mandated in October 2004 to assess and report on 10 aspects of Secure Flight's development and implementation, GAO conducted research and analysis from April 2004 to March 2005, and concluded that "TSA has not yet completed these efforts or fully addressed these areas, due largely to the current stage of the program's development."

While GAO recognized progress TSA has made in its attempts to build into Secure Flight more rigorous processes than those used for CAPPS II, the office found that "initial tests have only recently been completed, and key policy decisions—including what data will be collected and how it will be transmitted—have not yet been made. Until requirements are fully defined, operating policies are finalized, and testing is completed—scheduled for later in the system's development—we cannot determine whether TSA will fully address these areas of interest."

In February 2005, TSA completed initial comparison testing of historical, static passenger name record data against existing terrorist watch lists, and is now in the process of "concept testing" the use of more comprehensive commercial data to determine its value to the Secure Flight program.

According to a March 22 memo from the acting director of the Department of Homeland Security's departmental GAO/OIG liaison office, responding to a draft of the March 28 GAO report, the administration "generally concurs" with GAO's recommendations, but notes that the report "is being issued on Secure Flight in the eighth month of a 14-month planning, development, testing and implementation cycle."

GAO recommended that that the Secretary of Homeland Security direct TSA to "finalize policies and procedures detailing the Secure Flight passenger redress process" and specify "how the Secure Flight program will protect personal privacy," prior to operational implementation, now planned for August 2005.