The US Government Accountability Office (GAO) has issued its annual assessment of the Department of Homeland Security’s (DHS) major acquisition programs. The assessment aims to determine whether the programs are meeting their cost, performance and scheduling goals.
GAO reviewed key acquisition documents, collected cost, schedule and performance information and interviewed DHS officials. It is worth noting that the process allowing programs to adjust their cost and schedule baselines for effects attributable to Covid-19 is no longer in effect.
Two of the 26 major acquisition programs relate to the Transportation Security Administration (TSA), namely the Checkpoint Property Screening System (CPSS) and the Credential Authentication Technology (CAT) program.
Major acquisition programs can be multifaceted and lengthy, and program testing can require amendments and upgrades mid-program to ensure the best result. Steve Karoly, executive vice president at K2 Security Screening Group and former acting assistant administrator for the TSA Office of Requirements and Capabilities Analysis, told Passenger Terminal Today that the technologies are subject to rigorous testing.
“Before updated or new technology is ready for deployment, it must first be thoroughly tested to ensure that they are operationally effective and suitable for use in airports. This involves testing the capabilities and limitations of the technologies that TSA uses to advance and refine its product improvement strategy. As these technologies are deployed at TSA-regulated airports, the agency will continue to execute their pre-planned product improvement strategy throughout the lifecycle of these technologies to identify and address current and new vulnerabilities.”
Checkpoint screening
The purpose of the CPSS program is to replace aging, two-dimensional advanced technology (AT) x-ray machines that are used as the primary screening system for passenger carry-on items at airport checkpoints. CPSS officials plan to incrementally procure 2,263 systems with enhanced capabilities, including computed tomography (CT), which provides three-dimensional imaging and improved detection of explosives, weapons and other prohibited items. CPSS officials are procuring the systems in four configurations – AT/CT, base, mid-size and full-size – to provide flexibility at airport checkpoint facilities with varying sizes and passenger volumes. The program uses various contracts for modified commercial solutions with vendor custom-developed software, including firm-fixed-price orders. Under the CPSS program, qualified vendors are eligible for contract awards for systems of the four different configurations that are deemed operationally effective, suitable and cyber-resilient for each increment. Once vendors are deemed qualified, they can compete on solicitations. As at the time of GAO’s assessment, 11 systems from four vendors had been qualified.
GAO found that CPSS achieved increment 1 initial operational capability in March 2022. As of September 2023, according to program officials, CPSS deployed 781 of 910 systems needed to reach increment 1 full operational capability, which is scheduled for September 2025. The watchdog noted in its DHS-wide report that CPSS officials are planning for increment 1 upgrades that are expected to provide the systems with enhanced detection, system optimization and networking/cybersecurity capabilities. The program plans to develop cost and schedule goals for deploying a total of 2,263 systems incrementally.
According to program officials who spoke with GAO, the program demonstrated through testing that 11 systems (one AT/CT, two base, four mid-size and four full-size) have the capability to replace currently fielded systems. At the time of GAO’s assessment, operational test and evaluation of the final two systems in the qualification process was incomplete.
As of September 2023, CPSS had deployed 300 AT/CT systems, 316 mid-size systems, 115 base systems and 50 full-size systems. GAO noted that the overall program schedule for deploying all 2,263 CPSS systems is still not determined. It found that planning for increment 1 upgrades is ongoing. Program officials told the watchdog that they are developing enhancements and new capabilities that will be prioritized into three upgrade paths: enhance detection, system optimization and networking/cybersecurity. CPSS will develop these capabilities incrementally.
CPSS officials plan to conduct additional acquisition decision events (ADE) for each increment to update cost and schedule based on planned quantities and system configurations. ADEs are where DHS’ Acquisition Decision Authority decides whether the proposed acquisition program meets certain requirements necessary to move on to the next phase.
TSA officials told GAO that the current lifecycle cost estimate for increment 1 reflects a significant decrease in per-unit cost over the original estimate for each of the base, midsize and full-size systems, enabling them to increase the number of increment 1 full operational capability units from 771 to 910.
Credential authentication
The CAT system has three functions that together authorize a passenger to enter the protected area of an airport: authenticate a passenger’s identity document (ID), confirm a passenger’s flight reservation and verify a passenger’s pre-screened security status. The program plans to add new capabilities through upgrade kits to deployed CAT units or new CAT-2 units. These capabilities include facial biometric verification to confirm that the presenter of the ID is the person represented by the ID, authentication of digital IDs, and a self-service capability for individuals to present their own IDs. The program is currently focused on increment 1 of four total increments.
In April 2023, TSA awarded an indefinite delivery, indefinite quantity contract to Idemia for CAT-2 production units and issued a firm-fixed-price delivery order for a single CAT-2 prototype unit, which was delivered in August 2023. TSA achieved the ADE for the upgrade kits in June 2023 and the ADE for the CAT-2 production units is anticipated by March 2024. Installations for increment 1 initial operational capability took place in September 2023 and estimated lifecycle costs for that increment remain largely unchanged at US$412m.
In June 2022, the CAT program rebaselined to add the new capabilities, including facial recognition verification, to address operational gaps and improve performance. The rebaseline also increased the quantity of deployed systems from 1,520 to 3,585. Compared to the full original baseline, increment 1 comprises slightly fewer units at a slightly higher cost, but with the additional planned capabilities.
The rebaselined CAT program is planned for four increments comprising two separate configurations – to upgrade the 2,054 base CAT units that are already deployed with the new configuration and to produce and deploy 1,531 new CAT-2 units. Increment 1 includes both upgraded base CATs and new CAT-2s for a total of 1,377 units. GAO found that program officials are prioritizing upgrades for the current CAT units instead of producing new CAT-2s. Therefore, the target in increment 1 is for mostly upgraded CAT units (1,302) and relatively few new-production CAT-2s (75).
The program’s June 2023 initial operational test and evaluation report concluded that CAT upgrade kits met or exceeded requirements for each of the four key performance parameters – ID detection rate, biometric match rate, passenger vetting status success rate and user access success rate. However, GAO notes that the report also identified areas where limitations on the suitability and resilience of the program might pose risks. In particular, GAO said that DHS test and evaluation officials expressed concerns about the cyber resilience of the program. Officials noted that these vulnerabilities were not introduced by the CAT upgrade kits but are already present in the existing CAT units. They recommended that the program implement fixes to these cybersecurity vulnerabilities and then plan to review those fixes as part of a follow-on operational test and evaluation.
Concerns have been raised previously that the delays to the implementation of the Real ID Act might have an impact on the CAT program schedule, or vice-versa, but TSA says this is not the case. Passed in 2005, the Real ID Act set minimum security requirements for ID (e.g. driver’s licenses or identification cards) issuance and production, including procedures for states to follow when verifying the identity of individual applicants. The act also prohibits federal agencies from accepting, for certain purposes, IDs not meeting these minimum standards. DHS recently delayed enforcement of the Real ID Act by two years to May 2025, to give states more time to ensure residents had the correct ID. TSA intends to use CAT to validate state-issued identification for this purpose, but TSA officials told GAO that the delay is unrelated to the CAT schedule and that they continue to work to ensure that CAT systems will be prepared to validate IDs and that CAT is compliant with the act once enforcement begins.
The CAT program’s work to improve cyber resilience illustrates how TSA and DHS must consider new and emerging threats that may arise after the initial program goals were established. Karoly said that understanding what the threat is and what it could be realistically is the first step in a long series of steps to developing and deploying technology that meets the users’ needs, and in this case, TSA’s needs. “Updating and improving existing technology or developing new technology to mitigate the multitude of threats are the two methods that TSA focuses on to ensure that airport security screening systems can detect threats that bad actors deploy.” And this approach does not stop with the major acquisition programs. “Beyond CPSS and CAT, there are numerous others that follow similar engineering and acquisition processes that are needed to address the layers of security at every TSA-regulated airport,” Karoly said.
Replacing IDENT
GAO’s annual report also includes an assessment of DHS’ Homeland Advanced Recognition Technology (HART) program. HART is intended to replace the legacy Automated Biometric Identification System (IDENT) that stores, processes and shares biometric information on citizens and foreign nationals with the US government and foreign partners to support legitimate travel, trade and immigration. HART is expected to facilitate visa issuance, law enforcement actions and intelligence analyses, among other functions. It is also expected to provide capabilities to match, store and share information on multiple biometrics (fingerprints, face and iris). It will be used by DHS and its components including TSA and US Customs and Border Protection.
In September, GAO issued a scathing report about HART, noting that the system was “way behind schedule and costs more than estimated”. The watchdog also said the cost estimates were unreliable because DHS did not follow best practices for calculating them.
The Acquisition Decision Authority formally recognized In July 2023 that HART was in schedule breach status. DHS officials attributed the breach to continued technical challenges and contributing financial constraints associated with increment 1 development. The program was deemed insufficiently mature to begin the operational assessment as planned at the November 2022 operational test readiness review. However, GAO’s latest report says HART completed large-scale developmental testing during 2023. At the time of the watchdog’s latest annual assessment, the results from this testing had not yet been validated through operational testing. The initial operational capability date is now planned for September 2026.
HART program officials have taken steps to get the program back on schedule. In February 2023, for example, in response to the continuing challenges to increment 1, DHS established a working group to develop a path forward for the program. In April 2023, the working group reported back with various proposals for improving HART’s program management approach and structure, some of which are undergoing implementation.
GAO is concerned that delays in delivering planned capabilities and continued reliance on IDENT represent a significant challenge to meeting user needs for DHS and its components. The government watchdog notes that “continued reliance on an overextended IDENT system represents an ongoing risk as the legacy system risks failure and additional investments are necessary to keep the system operational”.
Altogether, across all components, DHS plans to spend more than US$4bn on its portfolio of major acquisition programs.
For more security updates, click here.