Access Denied

Critics say DHS' transportation ID program falls short. Critics say DHS' transportation ID program falls short. Patrick Semansky/AP

Eleven years and a half billion dollars after launching a program to secure access to vulnerable maritime facilities in the wake of the Sept. 11, 2001, terrorist attacks, federal officials have yet to significantly improve port security, auditors say.  

The Homeland Security Department is set to roll out the Transportation Worker Identification Credential nationwide at a projected cost of $3 billion, plus $234.2 million for the installation of card scanners. But a federal watchdog report released May 8 advised Congress to revoke a law requiring employees to swipe the cards to enter facilities until the Transportation Security Administration can prove the smartcards and card readers actually work. TSA oversees TWIC security threat assessments.

Acknowledging that the current card reader system is deficient, some lawmakers say they are optimistic that alternative technologies can build on TSA’s legwork and succeed. 

“Repealing the requirement to deploy card readers misses the point,” Rep. John Mica, R-Fla., chairman of the Oversight and Government Reform Subcommittee on Government Operations, told Government Executive in an email. “There is no reason that in the 21st century, with the federal government already utilizing this technology, TSA cannot implement a solution that allows secure access to America’s ports.” At a subcommittee hearing the day after the report came out, Government Accountability Office researchers agreed that other types of passes, like the military’s universal credential, prove the initiative has potential.

The TWIC program requires maritime workers to undergo background checks and carry biometric IDs to enter certain harbor areas without an escort. During a recent $23 million trial, Homeland Security confirmed card readers could verify identities and restrict access. 

But GAO officials say the department’s findings are unsubstantiated. 

At the hearing in May, Rep. Elijah Cummings, D-Md., ranking Democrat on the full oversight committee, expressed his disappointment in the program. “Those TWIC cards are nothing more than very expensive flash passes without sophisticated electronic readers to read them,” he said. “That’s sad.”

In the report, Stephen Lord, GAO director for homeland security and justice issues, said DHS officials lacked data to back the conclusion that the smartcards and scanners provide “a critical layer of port security.” During testing, the ID readers and access control systems were unable to record reasons for errors, DHS and independent evaluators failed to collect comprehensive data on malfunctioning passes, and participants did not document instances of denied access, according to the audit.

“Eleven years after initiation, DHS has not demonstrated how, if at all, TWIC will improve maritime security,” Lord wrote, adding that Congress should consider repealing a law that directs the department to base card reader rules on the trial run and instead require that DHS “complete an assessment that evaluates the effectiveness of using TWIC with readers.” 

The new report follows more than a half dozen negative audits since 2003. “If you look at a poster child for programs that sort of run amok and do not get the job done, the TWIC card—as it’s affectionately known—the Transportation Worker Identification Card, is unfortunately the poster child for not producing what, I think, Congress intended,” Mica said during the hearing. “We spent a half billion dollars on this, and we’ve got a card now that is flawed, and not by my definition, but by GAO’s evaluation.”

The day the report was distributed, Rep. Bennie Thompson, D-Miss., the top Democrat on the Homeland Security Committee, said lawmakers should put off wasting additional funds on an effort that already has cost $544 million.  

“The program continues to suffer from fundamental problems,” Thompson said in an email. “Port workers and industry stakeholders have invested their time, effort and money into this troubled program, holding up their end of
the bargain.”

Thompson added he supports the auditors’ recommendation that TSA re-examine the merits of the biometric passes and scanners “before the American people are expected to invest additional money in this program. We cannot continue to throw good money after bad.”

Agency officials stand by the virtues of the credential but seem open to trying other security approaches.  

“It’s not a silver bullet. It’s part of our layered security,” Steve Sadler, TSA’s assistant administrator for intelligence and analysis, told lawmakers. “And I think it provides value when it’s used properly and installed properly.”

In an April letter responding to a draft GAO report, DHS officials defended the rigor of their assessment and said the department did not have enough funding to perform the type of study GAO expected.  

“There were limited fiscal and workforce resources made available at participating sites,” wrote Jim Crumpacker, director of the department’s GAO-inspector general liaison office. Also, he said, the tests needed to cover a wide range of environmental conditions but avoid interfering with daily operations, which affected
data collection. 

At the House hearing, Lord and subcommittee members from both parties urged Sadler to consider a different arrangement, like the Pentagon’s common access card, which functions as a standard military ID, or a model in which local ports issue credentials.

Sadler replied, “We’ll look at anything to make this pilot better and to make the result better.” 

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Sponsored by G Suite

    Cross-Agency Teamwork, Anytime and Anywhere

    Dan McCrae, director of IT service delivery division, National Oceanic and Atmospheric Administration (NOAA)

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Sponsored by One Identity

    One Nation Under Guard: Securing User Identities Across State and Local Government

    In 2016, the government can expect even more sophisticated threats on the horizon, making it all the more imperative that agencies enforce proper identity and access management (IAM) practices. In order to better measure the current state of IAM at the state and local level, Government Business Council (GBC) conducted an in-depth research study of state and local employees.

  • Sponsored by Aquilent

    The Next Federal Evolution of Cloud

    This GBC report explains the evolution of cloud computing in federal government, and provides an outlook for the future of the cloud in government IT.

  • Sponsored by LTC Partners, administrators of the Federal Long Term Care Insurance Program

    Approaching the Brink of Federal Retirement

    Approximately 10,000 baby boomers are reaching retirement age per day, and a growing number of federal employees are preparing themselves for the next chapter of their lives. Learn how to tackle the challenges that today's workforce faces in laying the groundwork for a smooth and secure retirement.

  • Sponsored by Hewlett Packard Enterprise

    Cyber Defense 101: Arming the Next Generation of Government Employees

    Read this issue brief to learn about the sector's most potent challenges in the new cyber landscape and how government organizations are building a robust, threat-aware infrastructure

  • Sponsored by Aquilent

    GBC Issue Brief: Cultivating Digital Services in the Federal Landscape

    Read this GBC issue brief to learn more about the current state of digital services in the government, and how key players are pushing enhancements towards a user-centric approach.


When you download a report, your information may be shared with the underwriters of that document.