OIG Audit Report 05-34

Review of the Terrorist Screening Center's
Efforts to Support the Secure Flight Program
(Redacted for Public Release)

Audit Report 05-34
August 2005
Office of the Inspector General

Chapter 2: TSC's Preparations to Support Secure Flight

Since the announcement of the Secure Flight initiative in August 2004, the TSC has begun preparations for supporting this additional terrorist screening effort. The TSC's role in Secure Flight involves performing tasks similar to those it currently conducts in screening suspected terrorists at ports of entry and within the United States. However, in preparing for the launch of Secure Flight, the TSC has implemented a number of changes in anticipation of a significant increase in the volume of screening requests.
Coordinating Secure Flight Efforts

During the course of the development of the TSA's Secure Flight program, the TSA reorganized or restructured the office responsible for the initiative at least two times. According to the GAO, in November 2004 the DHS attempted to consolidate and strengthen TSA's screening capability by combining the Office of National Risk Assessment - which developed CAPPS II - with the Credentialing Program Office to become the Office of Transportation Vetting and Credentialing. In April 2005, this office was restructured to create the Office of Secure Flight/Registered Traveler.
According to TSC officials, this repeated restructuring has hampered communication and coordination between the TSA and the TSC and has impeded the TSC's ability to fully plan for the implementation of Secure Flight, as detailed below.
In September 2004, officials from TSA and the TSC met to discuss initial plans for implementing Secure Flight, and in October 2004 jointly developed a high-level process flow chart for Secure Flight. In December 2004, the TSC IT Branch provided the TSA with data from the TSDB for the purpose of conducting preliminary testing related to Secure Flight. In January 2005, the TSC asked for and received the assistance of a full-time TSA executive to work as the TSC Secure Flight Program Coordinator. However, it was not until February or March 2005 that the TSA and the TSC began to actively work together on the Secure Flight program. At that time, regularly scheduled, joint meetings with all key participants were initiated to define the roles of the supporting agencies and discuss the status of Secure Flight's development.²² TSA officials explained that this delay resulted from their devotion of significant resources to data testing and that they simply did not have time to coordinate with the TSC. Early discussions included the level of information contained within the joint concept of operations between the TSA and the TSC and the level of participation the TSC and FBI Counterterrorism Division staff would be expected to have in the Secure Flight process.
In March 2005, the TSA finalized its initial Secure Flight concept of operations. According to the March 2005 GAO report, the concept of operations document provides "a high-level perspective of how the system will operate and includes the roles and responsibilities of key staff and organizations. It also provides information necessary to begin finalizing other documents, such as system requirements."²³ However, the GAO reported that key operational decisions for Secure Flight had not yet been made, such as how passenger information would be transferred from the airlines to the TSA Secure Flight office. Since issuance of the GAO report, the TSC has collaborated with the TSA on a revised concept of operations document that provided for the participation of the TSC, which was finalized on July 13, 2005.²⁴
In addition to the concept of operations document, the TSC and TSA have collaborated on a Memorandum of Understanding (MOU) intended to outline the agencies' respective roles and responsibilities for the Secure Flight program. The TSC initially prepared a draft of the document and submitted it to the TSA in May 2005. As of July 31, 2005, the document had not been finalized.
We spoke with officials at both the TSA and the TSC about the working relationship that had developed between the two agencies. TSA officials expressed their satisfaction with the TSC's support of the Secure Flight program and believe that the TSA and the TSC have a positive partnership. Further, the TSA stated that the TSC had assisted the TSA significantly in its development of processes and IT-related projects. According to TSA officials, the relationship between the TSA and the TSC will allow for a more consistent and unified law enforcement response to airline security incidents and help the TSA in ensuring transportation security.
The TSC has expressed its willingness to assist the TSA in its Secure Flight initiative. Further, despite TSC personnel initially being excluded from the TSA's preliminary planning for the program, we found that the TSA/TSC relationship has evolved into a more positive working partnership. However, TSC officials explained that their ability to prepare for the implementation of Secure Flight has been hampered by the TSA's failure to make, communicate, and comply with key program and policy decisions, such as the planned launch date and initial participation volume (discussed in Chapter 1) and the IT connections and redress responsibilities discussed later in this chapter.
Planning for Operational Changes at the TSC

The Director of the TSC stated that the portion of the agency's activities dedicated to Secure Flight has evolved over time. She estimated that only a small portion of the TSC's resources were dedicated to Secure Flight in the winter of 2004. However, the TSC's efforts have increased incrementally since then. The Director estimated that by mid-July 2005 about 60 to 70 percent of the TSC's work could be attributed to preparations for the Secure Flight program because of the impending launch of the initiative and the large of amount of preparations underway.
The TSC stated that once preparations for the Secure Flight program are finalized, the program is launched, and screening begins, Secure Flight will be an additional important TSC customer that will significantly increase its call center activity. The TSC will perform much of the same screening processes it currently conducts for calls from state and local law enforcement, border patrol agents, and government agents abroad. As of July 2005, TSC screeners were receiving about 100 inquiries per day resulting from hits against the watch list database forwarded from these sources. Based on information currently available, the TSC expects that full implementation of Secure Flight will result in [SENSITIVE INFORMATION REDACTED] additional screening inquiries per day, representing an increase of [SENSITIVE INFORMATION REDACTED] percent of its current screening operations.
Formation of TSC Secure Flight Working Group

To ensure that the TSC addressed all areas of support for the Secure Flight program, the TSC developed three sub-teams - an operations team, an information technology (IT) team, and a policy/legal team. These teams meet on a weekly basis with the TSC Secure Flight Program Coordinator to discuss the status of their projects and to jointly prioritize their work. According to the TSC, the combination of these sub-teams and the leadership of the Program Coordinator resulted in a multi-disciplined internal working group that organized and prioritized the agency's Secure Flight objectives and streamlined its approach to the program.
Funding for Secure Flight

The TSC stated that the Secure Flight program will significantly impact its space, staffing, and funding needs. TSC officials also stated that other TSC projects have taken a back seat while they focused on the planning and development of Secure Flight requirements.
TSC Budget Information

The TSC's base budget for FY 2005 is $29 million. In addition, it recently obtained through the FY 2005 Emergency Supplemental Appropriations Act additional funding of $35.23 million, which the TSC will have 2 years to spend. These additional funds were provided by Congress for Secure Flight and other unspecified infrastructure improvements. As a result, the TSC received a total of $64.23 million in FY 2005.
The FBI's initial FY 2006 budget request of $29 million for the TSC was later supplemented in November 2005 by an out-of-cycle request of $75 million for TSC enhancements, including a new facility, state-of-the-art telecommunications equipment for call center operations, and preparations for Secure Flight and other government initiatives that will result in additional terrorist screening opportunities. Therefore, the FBI's total funding request for the TSC for FY 2006 amounts to $104 million.
Tracking of TSC Secure Flight Costs

At the outset of our review, we requested an accounting of the TSC's expected and actual Secure Flight costs. In response, the TSC stated that Secure Flight cannot operate without substantial modifications to the TSC's existing IT environment, such as the ability to handle a significant increase in the number of screening inquiries, the development of data interfaces with new participating agencies, improvements allowing for real-time connectivity with users, and other necessary enhancements to the TSDB and the TSC's Encounter Management Application (EMA).²⁵ According to TSC officials, they are using the Secure Flight requirements as the basis for all modifications to the TSC's databases and processes that have any connection to Secure Flight. As a result, TSC officials said they could not distinguish Secure Flight funding needs from those necessary for other TSC system enhancements not related to Secure Flight.
In response to our request, however, the TSC Administration Branch prepared and provided a summary spending plan. We reviewed this document and noted several problems. For example, the document stated that the TSC could attribute only $1.5 million directly to the Secure Flight program. The $1.5 million only captured estimates for contractor funding for initial IT development, including the identification of requirements and concept development for Secure Flight. Moreover, the document did not specify how Secure Flight affected other expected costs or what portion of the TSC's activities were impacted by Secure Flight. As a result, we expressed to the TSC the importance of more specifically allocating its costs so that the resource requirements of discrete programs or initiatives can, at a minimum, be estimated.
The Director of the TSC agreed with the need to identify Secure Flight funding needs separately from other TSC endeavors. Additionally, she acknowledged that because certain TSC expenses, such as systems, staffing, and procurements, are paid by other federal agencies or divisions within the FBI, the TSC is unaware of how much the organization truly costs to operate. The Director stated that she recognizes the importance of having designated budget staff to perform budget formulation, analysis, and execution, but stated that the TSC does not currently possess the expertise to perform these functions. Given the importance of its mission and the large amount of money it annually receives, we believe it is critical that the TSC have a budget staff able to track its costs and requirements.
Review of Funding Information

As a result of our discussions with the TSC Director and her staff in July 2005, the TSC subsequently informed us that it would make another attempt to more precisely reconstruct its estimation of Secure Flight costs. In mid-July, we received a breakdown of FY 2005 and FY 2006 Secure Flight direct costs as well as the indirect costs in proportion to the total costs for the TSC as a whole.
To separate Secure Flight indirect costs from the total costs for all TSC programs and activities, the TSC identified the percentage of the total call volume, customers, and staff at the TSC that were expected to be related to Secure Flight activities. These percentages were applied to budget categories to allocate the costs of each category and to estimate the overall cost of supporting Secure Flight.
As shown in Table 1, the breakdown provided by the TSC reveals that 12.5 percent ($8,034,732) of the TSC's $64.23 million in appropriated and supplemental resources in FY 2005 is estimated to be in direct support of the Secure Flight program. An additional 20.6 percent ($13,256,696) of the total is estimated as indirect costs for the Secure Flight program. This amounts to a total of $21,291,428 for Secure Flight-related expenses in FY 2005, or 33.15 percent of the TSC's total FY 2005 funding.

TABLE 1: FY 2005 TERRORIST SCREENING CENTER RESOURCES²⁶

Category TSC Total Secure
Flight
Direct Other TSC Secure
Flight
Indirect Secure
Flight Total Secure
Flight %
of TSC
Total

Building Requirements $0 $0 $0 $0 $0 0.00%

Leases 903,467 0 903,467 169,400 169,400 18.75%

Office Supplies and Equipment 4,626,825 51,557 4,575,268 2,450,010 2,501,567 54.07%

Hardware/Software 21,664,019 829,235 20,834,784 3,941,848 4,771,083 22.02%

IT Contracts & Reimbursable Staff 21,975,146 6,870,935 15,104,211 4,685,746 11,556,681 52.59%

Operational Contracts & Reimbursable Staff 9,624,437 283,005 9,341,432 1,167,679 1,450,684 15.07%

Training, Travel, and Security 1,841,709 0 1,841,709 392,714 392,714 21.32%

Disaster Recovery 1,531,250 0 1,531,250 191,406 191,406 12.50%

Other Requirements 2,063,147 0 2,063,147 257,893 257,893 12.50%

Total $64,230,000 $8,034,732 $56,195,268 $13,256,696 $21,291,428 33.15%

Source: Terrorist Screening Center, July 2005

As shown in Table 2, the TSC estimated its FY 2006 budget expenditures directly related to Secure Flight will amount to 11.6 percent ($11,417,869) of the resources included in the FY 2006 President's Budget request for the TSC. Indirect costs for Secure Flight in FY 2006 are projected to amount to 26.4 percent ($26,099,699) of the TSC's total anticipated budget for FY 2006. Therefore, the total cost for Secure Flight (direct and indirect) in FY 2006 is projected to account for 38 percent ($37,517,568) of the TSC's total requested budget.

TABLE 2: FY 2006 TERRORIST SCREENING CENTER RESOURCES²⁷

Category TSC Total Secure
Flight Direct Other TSC Secure
Flight
Indirect Secure
Flight Total Secure
Flight %
of TSC
Total

Building Requirements $800,000 $0 $800,000 $320,000 $320,000 40.00%

Leases 5,947,737 0 5,947,737 2,379,095 2,379,095 40.00%

Office Supplies and Equipment 18,011,740 0 18,011,740 9,601,258 9,601,258 53.31%

Hardware/Software 24,122,768 5,100,000 19,022,768 2,907,496 8,007,496 33.19%

IT Contracts & Reimbursable Staff 24,417,249 3,527,885 20,889,364 7,528,284 11,056,169 45.28%

Operational Contracts & Reimbursable Staff 15,985,220 2,789,984 13,195,236 1,649,405 4,439,389 27.77%

Training, Travel, and Security 7,144,973 0 7,144,973 1,205,997 1,205,997 16.88%

Disaster Recovery 505,313 0 505,313 63,164 63,164 12.50%

Other Requirements 1,800,000 0 1,800,000 445,000 445,000 24.72%

Total $98,735,000 $11,417,869 $87,317,131 $26,099,699 $37,517,568 38.00%

Source: Terrorist Screening Center, July 2005

The majority of the TSC's actual and projected Secure Flight direct costs in both FY 2005 and FY 2006 are related to IT enhancements and operational expenditures to support an anticipated increase in call center activity. A significant portion of the overall program costs are percentages of TSC enhancements and infrastructure improvements that are not related directly to Secure Flight, but which the TSC has stated will support all of its activities. As previously noted, the TSC budget increases for both FY 2005 and FY 2006 were to support Secure Flight and other initiatives.
We were unable to perform transaction testing or an in-depth analysis of the cost breakdowns provided by the TSC because the information was not provided until July 18, 2005. The TSC also has not been able to adequately estimate its projected workload increase due to the TSA's failure to provide a reliable and definitive implementation schedule for the Secure Flight program as a whole. Moreover, the TSC's total and indirect costs are based upon assumptions of growth in areas outside of Secure Flight, and in this review we did not examine these non-Secure Flight enhancements.
Given these factors, we are unable to reach a conclusion as to the accuracy of the financial information the TSC provided our auditors to explain its direct and indirect costs of implementing Secure Flight. We recommend that the TSC develop the capacity to produce more accurate financial and budgetary projections that identify its Secure Flight funding needs separately from other TSC endeavors. However, as it stands currently from the information provided, the OIG cannot determine how much of the $75 million out-of-cycle budget enhancement requested by the TSC for FY 2006 appropriately reflects the TSC's actual anticipated expenses for Secure Flight versus other enhancements.
At the exit conference for this audit, TSC officials stated that they do not currently have the ability to project baseline budget information related to the cost of adding Secure Flight to the TSC's regular operations. TSC officials attributed this lack of fundamental data to their stage of development, noting that the organization has been in existence for less than 2 years. TSC management stated that the TSC's base budget of $29 million was derived from conservative estimates developed during the organization's earliest days and this amount cannot meet its normal operating requirements. They further stated that the composition of the TSC as an intergovernmental organization within the FBI makes the situation more complex. In addition, TSC officials stated that the structure of the FBI's financial systems limits its flexibility in categorizing and summarizing costs associated with its varied projects and programs. TSC officials said that they understand the importance of being able to discretely project and track costs by program, budget category, or organizational unit. However, the TSC stated that it currently is unable to accurately estimate the incremental cost of adding programs that increase the TSC's range of operations, such as Secure Flight.
Delayed Projects

According to the TSC, it has been forced to delay the implementation of security measures, database enhancements, and quality control improvements to provide support for the launch of Secure Flight. TSC officials informed us that such delays will impact the accuracy, completeness, thoroughness, and security of the consolidated watch list information. TSC officials said that the following projects were delayed because of Secure Flight:

Implementation of a new version of the TSDB, which was to provide real-time updates to the National Crime Information Center database;
Enhancement of the TSDB through the development and inclusion of stringent information system rules over data integrity;
Repair of the interface with a participating agency database to allow for the necessary electronic transfer and receipt of updated data;
Development of direct connections between the TSDB and its customers, allowing for real-time watch list queries;
Enhancements to the encounter management system to streamline and automate certain procedures involved in the quality assurance process;
Preparations for and installation of a firewall that will improve the security of the TSDB; and
Over 40 individual modifications to the TSDB software to improve the system for use within the TSC Nominations Unit.

Each of the projects listed above relate directly or indirectly to the findings and recommendations in our June 2005 report. We are tracking the TSC's accomplishment of these items through that report and have observed that these projects have incurred delays. At the exit conference, TSC officials reported that several of the delayed projects have been initiated or completed.
Planning for Secure Flight-Related Information Technology

As reported in our June 2005 audit of the TSC, the TSC was operating in an immature IT environment when it hired a Chief Information Officer (CIO) in August 2004. Our previous report included 16 recommendations related to the TSC's IT systems, planning, and operations. In an effort to develop and stabilize the IT environment in preparation for implementation of the Secure Flight program, the CIO has spearheaded a number of initiatives.
First, TSC officials have begun to develop an IT-specific strategic plan that identifies nine major objectives related to issues such as security, life cycle planning, and data accuracy and completeness. The TSC intends to incorporate this IT-specific information in its overall strategic plan, which is also in development.²⁸
Second, in order to streamline IT functions, the TSC has reorganized its IT Branch into four areas - engineering, project management, applications, and operations. The engineering area designs the top-level physical IT system, drafts diagrams of the general construction of the system, and conceptualizes security architecture. The project management area plans, schedules, and tracks various IT-specific projects and assists with all types of TSC projects, such as scheduling and tracking the TSC's proposed move to a new facility. The applications area manages software development, including determining user requirements and designing, testing, and deploying the programs. The operations area provides maintenance and support for the TSC's data systems, applications, and users.
In addition, the TSC established an office responsible for developing business/data rules to ensure the integrity of the watch list data. This office will assist in the TSC's quality assurance efforts and have responsibility for ensuring that the TSA Secure Flight office has an up-to-date watch list at all times.
We believe that these initiatives will assist the TSC in enhancing its IT environment. A better-functioning IT environment is critical to the smooth introduction of the TSA Secure Flight program into the TSC's operations.
TSC and TSA IT Coordination

TSC officials said that it initially appeared to them that the TSA did not plan for the TSC to be directly involved in the Secure Flight screening process. The TSC officials said that the TSA assumed that it would be responsible for conducting all of the electronic searches and vetting for terrorist screening related to domestic air travel. Under this scenario, the TSC's role would be limited to providing a copy of the consolidated watch list database to the TSA. However, according to TSC officials, the TSA's initial plan did not account for communicating vetting results to the law enforcement agencies responsible for responding to hits against the watch list. The TSC, which derives its authority from Homeland Security Presidential Directive-6, is the entity responsible for consolidating government terrorist watch list screening and to facilitate any associated law enforcement actions. Therefore, the TSC sought a broader role in the TSA's Secure Flight program.
The TSC also said that the TSA initially neglected to plan for the complex process of record additions, deletions, and modifications made to the TSDB on a continual basis. According to the TSC's IT officials, this deficiency resulted from the TSA's initial assumption that it would receive a relatively static copy of the TSDB against which it would compare the passenger data obtained from the airlines.
Once the TSA and the TSC agreed to the TSC's expanded role in the Secure Flight program, many of the processes that the TSA had already developed had to be re-designed and re-tooled to accommodate the TSC's involvement. This necessitated the previously discussed revisions to the Secure Flight concept of operations document. In addition, the TSC's planning for Secure Flight has been affected by several other actions and decisions by the TSA, including:

TSC officials stated that the TSA established the initial target implementation date of August 19, 2005, based on the TSA's initial concept of operations in which the TSC's participation was limited to providing a copy of the TSDB to the TSA. Once the TSA and the TSC agreed on the TSC's expanded role in the screening process, the TSC attempted to meet the TSA's August 19 implementation date. TSC officials stated that the resulting compressed work schedule created significant risk for a project as complex as Secure Flight because under such a timetable project life cycles must be collapsed. As a result, the TSC has had to complete all aspects of project development in parallel, meaning that while the TSC's IT staff are still attempting to determine all of the system or software application requirements, the same systems and software applications are simultaneously being designed and developed.
In preparation for Secure Flight, a TSA contractor performed initial passenger data testing against the TSDB by comparing June 2004 domestic passenger flight data to a December 2004 version of the consolidated watch list. The TSC was not heavily involved in the preparations for this experiment and, according to the TSC CIO, poor test design and data parameters resulted in higher-than-acceptable projections of expected matches against the database. Specifically, the test was initially designed to compare passenger names with the universe of TSDB records and resulted in an unmanageable number of instances in which a match could not be conclusively determined. In an effort to narrow the match results, the TSA contractor reviewed the effect of including other identifying information, such as passenger date of birth. The contractor then prepared new estimates based upon the concept of including passenger birthdates and limiting results to those individuals that matched against a TSDB name and birth date [SENSITIVE INFORMATION REDACTED].²⁹ Based on this new model, the TSA estimated that at full implementation Secure Flight would result in [SENSITIVE INFORMATION REDACTED] watch list matches forwarded to the TSC each day.
TSC IT officials suggested that the test could have been improved by [SENSITIVE INFORMATION REDACTED]. In addition, the TSC advised that the TSA should not use the entirety of the TSDB for its searches because many records in the database do not contain sufficient identifying information.
The TSA and TSC subsequently agreed that the copy of the TSDB provided to the TSA will be limited to records containing both a full name and date of birth, [SENSITIVE INFORMATION REDACTED]. As of June 14, 2005, the TSDB contained a total of 274,873 records and the agreed upon subset that the TSC will provide to the TSA Secure Flight Office amounted to 120,382 records. Based upon the reduced size of the database, the TSC currently is projecting it will receive an additional [SENSITIVE INFORMATION REDACTED] screening inquiries per day from the Secure Flight program.
However, because the TSA has not yet issued the necessary regulation to require airlines to collect date of birth information within domestic travel reservations, the TSC does not know whether the database queries during the first phase of the program will be aided by the inclusion of passenger birth dates.
In an effort to formalize and standardize its systems development processes, the TSC initiated development of an Interface Control Document. The Interface Control Document is a written agreement that establishes organizations' expectations and arrangements regarding how their information systems will connect, interact, and operate. The TSC drafted an Interface Control Document in conjunction with the TSA; however, according to TSC IT officials, the TSA was hesitant to commit to the overall planning process necessitated by the Interface Control Document concept. Because the document was not finalized until July 7, 2005 - well into the Secure Flight development phase - the TSA and TSC IT systems were developed without mutually agreed-upon standards.
According to TSC IT personnel, the TSC has implemented the Terrorist Watchlist Person Data Exchange Standard (TWPDES) that was adopted by the intelligence community in the fall of 2004.³⁰ The TSC is attempting to adhere to this established standard in all of its IT systems. However, as a result of the TSA's reluctance to use the TWPDES, together with the compressed work schedule, the TSC has had to deviate from the TWPDES and modify its processes and file structure for exporting data to the TSA. Although the TSC has asserted that this deviation from the accepted standard was necessary, we believe that it will have to be addressed in the future through modifications to the database interfaces between the TSC and the TSA.

TSC officials reported that beginning in May 2005 coordination between the two organizations improved greatly. However, in the middle of June, just weeks prior to the original laboratory testing date, the TSA identified problems with the data file formats that are critical for transmission of passenger information from the airlines to the TSA Secure Flight Office and the subsequent transmission of TSA Secure Flight-determined watch list matches to the TSC. According to TSC officials, two separate teams at the TSA designed the two processes and apparently did not coordinate the basic file structures and did not consult the TSC. Until the basic format was finalized in July 2005, the TSC was not certain what data fields it would receive. TSC IT officials stated that the TSA's file format problem might not have occurred had standards been established and the Interface Control Document finalized prior to developing the Secure Flight systems and applications.
Secure Flight IT Processes

As outlined in the Secure Flight Overview section in Chapter 1, the domestic flight screening process involves four main data interface connections for the transmission of: (1) passenger data from the airlines to the TSA Secure Flight Office; (2) TSDB watch list updates from the TSC to the TSA Secure Flight Office; (3) initial watch list match results from the TSA Secure Flight Office to the TSC; and (4) final screening results from the TSC to the TSA Secure Flight Office as well as to appropriate responding entities such as the FBI Counterterrorism Division, FAMS, or NORAD. Of these four data connections, the TSC is directly involved in three.
Airline Passenger Data to the TSA Secure Flight Office - The TSA assumed responsibility for developing these data interfaces. To fully accomplish the mission of the Secure Flight program, the TSA ultimately will need to develop a connection between its Secure Flight Office and each commercial airline reservation database. However, as previously discussed, the TSA experienced internal problems regarding the development of the file format for this data transfer. According to TSA officials, the necessary interfaces with select air carriers will be operational to begin test operations in September 2005.
TSDB Watch List Updates to the TSA Secure Flight Office - After the initial transfer of appropriate watch list records, the TSC will transmit, in near real-time, three types of watch list record updates to the TSA Secure Flight Office - additions, modifications, and deletions.
The TSA has assumed responsibility for this data interface. However, TSC IT officials stated that for their normal screening operations, they have been working to develop an interface so that a computer system (such as the one being developed for the TSA Secure Flight program) could connect directly with the TSDB for terrorist screening.³¹ According to the TSC officials, this direct interface will provide for greater data accuracy, integrity, and security for the TSDB because it eliminates the need to copy, update, maintain, and secure the TSDB in another location. The TSC had planned to have this capability by May 2005. The TSC officials stated that the TSA ultimately refused the integration of this option in the Secure Flight program because of the compressed work schedule. In order to meet the TSA's Secure Flight implementation deadline, the TSC was forced to delay development of its direct interface process for its other screening customers.
To support its current operations, the TSC established a stand-alone network for the TSDB. In addition, on May 23, 2005, the TSC began operating the newly created TSCNet that was established on an existing sensitive but unclassified platform called the Open Source Information System (OSIS). In preparation for Secure Flight, the TSC has tested a connection between the TSDB network and the newly created TSCNet. Further, the TSC has established a direct connection to the DHS's network, DHSNet, which is also on the OSIS platform. The TSC intends to use these multiple connections to exchange TSDB records with the TSA. [SENSITIVE INFORMATION REDACTED] provides a back-up that will automatically re-route data transmissions in the event of a failure in the primary interface to ensure continuation of Secure Flight operations.
TSC IT officials said they finished testing the connection to DHSNet on July 13, 2005, and plan to submit to the FBI CIO the necessary documents to obtain specific accreditation for the new connection. The TSC anticipates that this process will be fully tested and the new connections accredited prior to the implementation of the TSA Secure Flight program.
Watch List Matches from the TSA Secure Flight Office to the TSC - For passengers determined to be possible matches against the watch list, the results of the TSA's vetting of passenger records need to be transmitted electronically to the TSC for final adjudication. Each record (called a Request for Action, or RFA) will contain passenger information obtained from the airline as well as results of the analysis performed by the TSA Secure Flight staff.
TSC assumed responsibility for this data interface, and it modified and enhanced its existing encounter application to create a new application, entitled Encounter Management Application - Secure Flight (EMA SF). The EMA SF data will be transmitted electronically to the TSA Secure Flight Office via the TSC's and DHS's mutual connection with OSIS. According to TSC IT officials, the TSC was able to enhance operational capability, minimize the impact to its current screening customers, and conserve resources by modifying its existing encounter management application to serve this function.
The EMA SF application is designed to streamline TSC functions by electronically transmitting data and pre-populating data fields, thereby eliminating the need to manually re-type data. Because of the compressed implementation schedule, the EMA SF will only contain the functions necessary to meet initial operating capability. However, according to the TSC it will be fully operational. Over time, the TSC intends to make further enhancements to the system to enable the sharing of more complete data.
The TSC completed testing the prototype EMA SF application at the beginning of June 2005. The end users, including representatives from the TSC call center, TSA, the Federal Air Marshal Service (FAMS), and FBI Counterterrorism Division met in mid-July 2005 and tested the design of the application. TSC IT officials stated that user testing of the application design is critical because the process assists in the identification of any real-life situations that were not addressed during system design. Two additional testing phases remain for the EMA SF application. The final testing phase is scheduled to begin on August 2, 2005, and run for approximately 25 business days. TSC IT officials anticipate that the final test phase will be successfully concluded and the application will be ready for the September 2005 implementation date.
TSC Disposition of Final Watch List Hits to the TSA and Responders - Upon receipt of the TSA's initial vetting results, the TSC will conduct additional screening on the passenger record, make a final determination as to whether the individual attempting to travel is a valid match against the watch list, and electronically return the final disposition result to the TSA Secure Flight Office. In addition, when the TSC's review reveals a positive or inconclusive identity match, the TSC will communicate the available details of the match (such as passenger name, flight information, and handling instructions) to the law enforcement agencies responsible for responding to the anticipated encounter with an individual on the watch list.
The TSC assumed responsibility for this data interface and will use its enhanced EMA SF. The new application will assist in coordinating an appropriate law enforcement response by ensuring that all participating agencies view the same data in near real-time.
The TSC will use the OSIS network to enable its partners to access the EMA SF application. According to TSC IT officials, the North American Aerospace Defense Command (NORAD), FAMS, and the TSA have established and tested network connections with DHSNet and OSIS. In addition, because the TSC had an existing working relationship with the FBI Counterterrorism Division for its normal business operations, it did not need to establish a new network connection for TSA Secure Flight.
Planning for Legal and Policy Issues in Support of Secure Flight

In preparation for supporting the TSA's Secure Flight program, the TSA and the TSC have worked together to address several legal requirements. In addition, in an attempt to maximize terrorism screening while minimizing passenger inconvenience, the TSC and the TSA have also begun quality assurance and redress projects.
Legal Considerations

According to the TSC Privacy Officer, the TSDB is considered a "system of records" as defined by the Privacy Act of 1974, as amended, because it contains data regarding individuals that can be retrieved by the name of the individual or by an identifying number, symbol, or other piece of information.³² As a result, both the TSA and the TSC are required to publish in the Federal Register a description of their records or a new use of the information and to provide the public an opportunity to comment. This System of Records Notice, or SORN, informs the public of the purpose for the system and includes information such as a description of the types of individuals reflected in the records, the data collected, the reason for data collection, the data safeguard and security processes, and rules and purposes for sharing the data.
The TSA has issued at least two SORNs for the Secure Flight program and will need to issue an additional SORN specifically addressing TSA's implementation of the operational screening. According to TSA officials, this notice will be published prior to implementation of the TSA Secure Flight program in September 2005.
According to TSC officials, the TSC is currently operating under an existing FBI SORN covering the FBI's central records system. However, according to the TSC Privacy Officer, the TSC has elected to draft its own SORN because of the TSC's unique mission. On July 28, 2005, the TSC published its SORN, which applies to Secure Flight and all of TSC's current and anticipated screening operations.
In addition to the Privacy Act, both the TSC and the TSA are subject to the E-Government Act of 2002, which discusses the need to conduct and publish, as appropriate, Privacy Impact Assessments (PIA).³³ A PIA relates specifically to an IT system that collects, maintains, or disseminates personal information about members of the public who are not government employees, agencies, or instrumentalities. The PIA informs the public about issues such as affected individuals, types of information collected, and information safeguard procedures.
The TSA has published multiple PIAs for the Secure Flight program and will need to conduct an additional PIA specifically addressing the implementation of the operational screening. According to TSA officials, this notice will be published prior to implementation of the TSA Secure Flight program in September 2005. The TSC Privacy Officer stated that she has begun to conduct and draft a PIA for all TSC IT-programs.³⁴
Redress

To assist individuals who believe they were inappropriately delayed or prohibited from boarding their flights because of the Secure Flight program, the Intelligence Reform and Terrorism Prevention Act of 2004 (the Intelligence Reform Act) directed the DHS to establish a timely and fair method to appeal these determinations and to correct any erroneous data found in the terrorist screening database. To provide domestic airline passengers a redress process, TSA officials indicated that they would expand and enhance existing procedures for individuals raising issues with flight problems related to the no-fly, selectee, and CAPPS I screening processes that have been in existence for several years. To augment its redress operations, the TSA stated that it established a new office, increased its staffing, and drafted new processes and procedures.
According to the TSA, the TSC will play a supporting role in the redress process and will not have direct contact with the public about these issues. When an individual submits a request for redress to the TSA, the individual will be required to provide specific, verifiable identifying information such as passport or visa number, birth certificate number, or driver's license number. The TSA will review available information, request TSC assistance in obtaining more detailed investigation-specific data if necessary, and respond to the redress requestor. If the individual is determined to be a false positive (a close enough match to a TSDB record that will result in a hit against the watch list despite the person not being a true match of the watch-listed individual), the TSA may place the person on a "cleared list" that includes the individual's additional identifying information. This cleared list will be included in the airline screening process and may therefore speed the process for these individuals during subsequent attempts to travel.
Because the responsibility for fully establishing and implementing redress policies and procedures rests with the TSA, we could not review the plans for enhancing this area as it relates to the Secure Flight program.³⁵ However, we found that the TSC had devoted significant effort to enhancing its own activities related to the redress process. In July 2005, the TSC Privacy Officer issued a revised protocol outlining the TSC's procedures for handling redress inquiries. In addition, the TSC provided us with evidence that appropriate TSC staff had received training on the new protocol.
Quality Assurance

In the June 2005 OIG report on the TSC, we identified errors, omissions, and inconsistencies in the TSDB. As a result, the TSC is currently performing a review of all TSDB records in the database for accuracy and completeness. The TSC has initiated a major quality assurance effort to ensure that all records are analyzed through a record-by-record search, in order of highest priority first. TSC officials have stated that this effort will verify the integrity of historical TSDB data and allow the quality of new data to be controlled through the automated processes included in the most recent version of the TSDB. However, TSC officials stated that they believe many errors and omissions in the records are directly attributable to the records received from the source and nominating agencies and that these inaccuracies contribute significantly to the overall reliability of the TSDB.
The TSC's record-by-record review will likely not be completed before Secure Flight is implemented. In addition, as of April 2005, the head of the TSC Data Management Office has been assigned full time to Secure Flight-specific issues. The TSC CIO expressed concern that, as a result, the watch list data was not being checked sufficiently for accuracy and that available and necessary security measures had not been implemented.
The compressed time frame of our review did not allow us to perform additional testing on the TSDB records. However, while conducting our fieldwork at the TSC, we were informed of a recent incident in which a participating agency combined two separate records and forwarded the data to the TSC as a single record for inclusion in the TSDB. As a result, the TSDB record included erroneous identifying information and an individual was falsely identified as a positive match against the watch list. The TSC redress staff informed us that the TSC had identified the error, provided the originating agency with its findings, and confirmed that the source record was corrected.
In addition, officials at the TSC informed us that the volume of issues handled through the quality assurance process is increasing. To manage this increased workload, the TSC has increased manpower by hiring new permanent employees and temporary duty staff. Even with these enhancements, TSC officials expressed concern regarding their ability to manage the quality assurance process because the volume of inquiries will greatly increase once the TSA Secure Flight program is implemented. According to TSC officials, their Quality Assurance staff requested an enhancement to the EMA system that would automate the tracking and management of the quality assurance process. However, the development of the requested enhancement has been delayed because the IT staff has been dedicated to Secure Flight issues.

Footnotes

Aside from the TSA and the TSC, other key stakeholders include the Terrorist Screening Operations Unit (TSOU) in the FBI Counterterrorism Division, the DHS's Federal Air Marshal Service (FAMS), and the Department of Defense's North American Aerospace Defense Command (NORAD). The TSOU will coordinate any necessary law enforcement response to anticipated or realized encounters with individuals who are a match against a watch list record. The FAMS will monitor and resolve any on-board activity of flights in progress, while NORAD will monitor affected flights and take any necessary airspace actions.

Aviation Security: Secure Flight Development and Testing Under Way, but Risks Should Be Managed as System Is Further Developed, Government Accountability Office (GAO-05-356, March 2005)

This concept of operations is a TSA-originated document and the TSA declined to provide it to us until it was finalized. We received evidence of the finalization at our exit conference with the TSC on July 26, 2005. Therefore, we were unable to examine this document prior to the completion of our review.

EMA is the TSC's tool for recording the details of all incoming calls to its call center resulting from government encounters with individuals that appear to be a hit against a watch list record. Call center staff record the information they received from the caller, the TSC determination of whether the individual is a match with a TSDB record, whether the caller was forwarded to law enforcement for further action, and the final disposition of the encounter.

The direct costs shown in Table 1 reflect Secure Flight actual expenditures through May 2005, projected expenditures for the remainder of FY 2005, and FY 2005 obligations to be paid in FY 2006.

This budget includes all non-personnel funding included in the FY 2006 budget submission for the TSC. An additional $5,265,000 was requested to enhance the number of full-time equivalent FBI positions assigned to the TSC. The TSC did not include any personnel figures in the information that it provided to us because all of its positions are provided through the participating agencies, such as the FBI or the DHS.

In our June 2005 report, we recommended that the TSC develop a formal, comprehensive strategic plan. We are tracking the TSC's progress in achieving this objective.

This concept was reviewed in a hypothetical setting because the June 2004 airline passenger records did not include dates of birth.

The TWPDES codifies the intelligence community's protocol for the exchange of information regarding known and suspected terrorists.

Currently, screeners such as border inspectors or state and local police officers access the consolidated watch list indirectly through copies of the database loaded on their agencies' network or computer system that are updated on a daily basis.

Pub. L. No. 93-579 (1974)

Pub. L. No. 107-347 (2002)

According to the TSC Privacy Officer, the TSC initially conducted and drafted a PIA during the initial stages of its standup, but this draft became obsolete because the TSC's IT-related systems were changing quickly. TSC officials noted that the E-Government Act exempts systems containing national security and sensitive information, such as the TSDB, from the requirement to conduct a privacy impact assessment.

During our review TSC officials expressed concern regarding one aspect of the redress process. TSA officials have asserted that the Intelligence Reform Act requires the agency to inform redress requestors of the specific results of the inquiry - whether the requestor's name is on a government watch list or is similar to a name on the watch list. TSC officials believe that the TSA's interpretation of the legislation is overly broad and the integrity and effectiveness of the watch lists will be irreparably damaged if the TSA releases such details to the public. The TSC stated that officials from the FBI Counterterrorism Division, NCTC, Central Intelligence Agency Office of the General Counsel, and the counsel to the Director of National Intelligence have expressed similar concerns. At the exit conference, TSC officials reported that they believed the TSC and the TSA had reached an agreement in principle on this issue. However, the TSC stated that the agreement was not yet final and that details still need to be addressed.