United States Government Accountability Office Testimony Before the Subcommittee on Transportation and Maritime Security, Committee on Homeland Security, House of Representatives For Release on Delivery Expected at 10:00 a.m. ET October 29, 2019 TRANSPORTATION SECURITY TSA Has Taken Steps to Improve Security Areas Identified in the TSA Modernization Act, but Additional Actions are Needed Statement of William Russell, Director, Homeland Security and Justice GAO-20-225T October 29, 2019 TRANSPORTATION SECURITY Highlights of GAO-20-225T, a testimony before the Subcommittee on Transportation and Maritime Security, Committee on Homeland Security, House of Representatives TSA Has Taken Steps to Improve Security Areas Identified in the TSA Modernization Act, but Additional Actions Are Needed Why GAO Did This Study What GAO Found Threats to the nation’s transportation systems persist and continue to evolve. Within DHS, TSA is the federal agency with primary responsibility for the prevention of and defense against terrorist and other threats to the United States’ civil aviation, and rail, public transit, pipeline, and other surface transportation systems. The TSA Modernization Act includes provisions intended to enhance security across this broad range of systems and further calls on GAO to review TSA’s progress in these areas. The Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) has made initial progress in certain security areas mandated by the TSA Modernization Act, but additional actions are needed. This statement summarizes past and ongoing work related to TSA's actions to address selected aviation and surface transportation security areas covered by the TSA Modernization Act. This statement is based on products GAO issued from December 2017 through October 2019 and draft reports currently with TSA for comment. To perform this work GAO reviewed TSA program documents, visited domestic and foreign airports, and interviewed TSA officials, DHS officials, and transportation industry stakeholders, including associations and air carriers. • International aviation security. In December 2017, GAO reported that TSA has taken steps to enhance its foreign airport assessments. Since that time, TSA has developed a tool to better track and address foreign airport vulnerabilites. In addition, TSA reviews security directives and emergency amendments it issues to address security concerns. However, TSA’s review process does not fully define how to coordinate with industry representatives and it has not determined if it is appropriate to incorporate the security measures of many longstanding directives into air carrier security programs in accordance with TSA policy. In October 2019, GAO recommended, and TSA officals agreed, that TSA better define how to coordinate with air carriers when reviewing directives and when to incorporate directives into security programs. • Passenger screening rules. TSA develops screening rules by considering current intelligence and other factors to identify passengers who fall within the scope of the rules for enhanced screening. GAO found that TSA coordinates rules reviews through quarterly meetings and notifies an expanded set of DHS and TSA stakeholders of rule changes as called for by the Act. TSA tracks some data on rule implementation but does not comprehensively measure rule effectiveness. In its draft report, GAO recommended that TSA explore additional data sources for measuring the effectiveness of its rules. TSA is currently reviewing this recommendation. • Aviation screening technologies. GAO found that TSA does not ensure that screening technologies continue to meet detection requirements after they have been deployed to airports. According to officials, the agency uses certification—a step in the test and evaluation process—to confirm that technologies meet detection requirements before they are deployed to airports, and calibration of the technologies to confirm that technologies are at least minimally operational while in use at airports. While these processes serve important purposes, performance can degrade over time. In its draft report, GAO recommended that TSA implement a process to ensure technologies continue to meet detection requirements after deployment. TSA is currently reviewing this recommendation. • Surface transportation pipeline security. In December 2018, GAO identified some weaknesses and made recommendations to strengthen TSA’s management of key aspects of its pipeline security program. For example, TSA does not have a strategic workforce plan to help ensure it identifies the skills and competencies—such as the required level of cybersecurity expertise—necessary to carry out its pipeline security responsibilities. GAO recommended, and TSA concurred, that TSA develop a strategic workforce plan. As of October 2019, TSA has not yet fully addressed this recommendation. We will continue to monitor progress. What GAO Recommends GAO has made recommendations designed to address the challenges discussed in this statement. TSA concurred with recommendations from prior work and is currently reviewing recommendations from our draft reports, including those regarding passenger screening rules and aviation screening technologies. View GAO-20-225T. For more information, contact William Russell at (202) 512-8777 or russellw@gao.gov. ______________________________________ United States Government Accountability Office Letter Letter Chairman Correa, Ranking Member Lesko, and Members of the Subcommittee: Thank you for the opportunity to discuss our work on the Transportation Security Administration’s (TSA) actions to implement the TSA Modernization Act. 1 Within the Department of Homeland Security (DHS), TSA is the federal agency with primary responsibility for the prevention of and defense against terrorist and other threats to the United States’ transportation systems. Threats to the transportation system persist and continue to evolve. For example, in March 2017, TSA imposed new screening measures to enhance aviation security after intelligence agencies confirmed that terrorist organizations had the capability to plant explosives in personal electronic devices, such as laptops. The TSA Modernization Act (the Act) includes provisions intended to, among other things, improve screening technologies, streamline the passenger screening process, mandate more rigorous background checks of airport workers, strengthen airport access controls, increase passenger checkpoint efficiency and operational performance, enhance security in public areas of airports, and improve surface transportation stakeholder coordination. The Act also includes provisions for GAO to review TSA’s progress in a number of these areas. This statement summarizes past work and preliminary observations of our ongoing work on TSA’s actions to improve aviation and surface transportation security in select areas mandated by the TSA Modernization Act. This statement is based partly on five reports we issued from December 2017 through October 2019 on international aviation and pipeline security. In addition, this statement discusses key findings based on three draft reports regarding passenger screening rules, surface transportation, and passenger and checked baggage screening technology—which are currently with TSA for comment. Further, this statement includes preliminary observations from our ongoing review of the security of airport public areas. To perform work for our prior reports and draft reports with TSA for comment, we examined TSA program documents, visited domestic and foreign airports, and interviewed TSA officials, DHS officials, and 1 The TSA Modernization Act was enacted as part of the FAA Reauthorization Act of 2018. Pub. L. No. 115-254, div. K, tit. I, 132 Stat. 3186, 3542 (2018). Page 1 GAO-20-225T transportation industry stakeholders, including associations and air carriers. Further details on our scope and methodology are available within each of our published products. In addition, we regularly followed up with relevant officials to solicit updated information on agency actions taken in response to our recommendations. For our ongoing work on the security of public areas, we reviewed and analyzed the best practices and recommendations cited in the 2017 Public Area Security National Framework. We also interviewed TSA headquarters and field-based officials, as well as airport operators and law enforcement personnel in selected airport locations. The work upon which this statement is based was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. TSA Has Taken Steps to Improve Aviation Security, but Additional Actions Are Needed TSA Has Taken Actions to Strengthen International Aviation Security but Could Take Additional Steps to Ensure the Security of U.S.-bound Flights Civil aviation, including U.S.-bound flights, remains a target of coordinated terrorist activity. In the last 2 years, we issued reports on TSA’s foreign airport and air carrier inspection programs (December 2017), assessments of Cuban aviation security (July 2018), and TSA’s process for reviewing security directives and emergency amendments that apply at last point of departure airports (October 2019). 2 Foreign airport assessments and air carrier inspections. In December 2017, we reported that TSA had taken steps to enhance its 2 A last point of departure flight is a flight that does not make any intermediate stops between a foreign and U.S. airport. Page 2 GAO-20-225T foreign airport assessments and air carrier inspections since 2011, including aligning resources based on risk, resolving airport access issues, making evaluations more comprehensive, and creating operational efficiencies. 3 For example, we found that TSA had implemented targeted foreign airport assessments in locations where risk was high and developed a system to strengthen its data analysis capabilities. 4 However, we also found that TSA’s database for tracking the resolution status of security deficiencies did not have comprehensive data on security deficiencies’ root causes and corrective actions. In addition, the database lacked adequate categorization mechanisms such as capturing subcategories that would better explain the root causes of security deficiencies. We recommended, among other things, that TSA fully capture and more specifically categorize data on the root causes of security deficiencies that it identifies and corrective actions. To implement this recommendation, TSA developed a tool to capture airport vulnerability data and provided training to staff in the use of the tool and developed guidance that delineates updated categories for root causes in its data systems. Cuban aviation security. In July 2018, we reported on TSA’s efforts to ensure the security of air carrier operations between the United States and Cuba. 5 We found that TSA’s inspections and assessments in Cuba generally followed standard operating procedures, but TSA did not inspect all air carriers at its own established frequency. We recommended that TSA improve its ability to identify certain air carriers requiring inspection in Cuba and develop and implement a tool that more reliably tracks their operations between the United States and Cuba. In response to our recommendation and as required under the TSA Modernization Act, TSA developed several tools and processes that corroborate and 3 GAO, Aviation Security: TSA Strengthened Foreign Airport Assessments and Air Carrier Inspections, but Could Improve Analysis to Better Address Deficiencies, GAO-18-178 (Washington, D.C.: Dec. 4, 2017). Through its foreign airport assessment program, TSA assesses the effectiveness of security measures at foreign airports using selected aviation security standards and recommended practices adopted by the International Civil Aviation Organization, a United Nations organization representing 191 countries. 4 According to TSA officials, the Global Risk Analysis and Decision Support System has provided them with a number of benefits, including the ability to run standardized reports, extract and analyze key data, and manage airport operational information, such as data on security screening equipment. 5 See GAO, Aviation Security: Actions Needed to Better Identify and Track U.S.-Bound Public Charter Operations from Cuba, GAO-18-526 (Washington, D.C.: Jul. 12, 2018). Page 3 GAO-20-225T validate flight schedule data. 6 For example, TSA developed a tool to analyze aggregate flight data and validate or identify service to the United States from international locations and began issuing monthly reports on unscheduled operations to its inspectors responsible for Cuba. By taking these steps, TSA is better able to identify operations requiring inspection and corroborate and validate flight schedule data. Security directives and emergency amendments. When threat information or vulnerabilities at foreign airports indicate an immediate need for air carriers to implement additional security measures, TSA may issue new or revise existing security directives (for domestic air carriers) and emergency amendments (for foreign air carriers). 7 The TSA Modernization Act includes a provision for us to review the effectiveness of the TSA process to update, consolidate, or revoke security directives, emergency amendments, and other policies related to international aviation security at last point of departure airports. 8 As of March 2019, there were 46 security directives and emergency amendments (i.e., directives) in effect related to air carrier operations at foreign airports. 9 Earlier this month, we reported that TSA reviews directives, but its process does not fully define how to coordinate with industry representatives and TSA has not determined if it is appropriate to incorporate the security measures of many longstanding directives into air carrier security programs in accordance with TSA policy. 10 Representatives from four domestic air carriers stated that coordination with TSA on directives has improved. However, representatives from six air carriers and two associations indicated that TSA has issued revised directives that are vague or difficult to implement because TSA did not sufficiently involve them in the review process. This contributed to TSA officials offering different interpretations of aircraft cabin search requirements. Further, TSA policy states that directives are not intended 6 See Pub. L. No. 115-254, div. K, tit. I, § 1957(a), 132 Stat. at 3597. 7 See 49 C.F.R. §§ 1544.105(d), 1544.305, 1546.105(d). 8 See Pub. L. No. 115-254, div. K, tit. I, § 1953(b), 132 Stat. at 3594. 9 Twenty-eight directives addressed threats (e.g., explosives in laptops) and 18 pertained to vulnerabilities identified at foreign airports (e.g., inadequate perimeter fencing). 10 GAO, International Aviation Security: TSA Should Improve Industry Coordination and Its Security Directive and Emergency Amendment Review Process, GAO-20-7 (Washington, D.C.: Oct. 3, 2019). Page 4 GAO-20-225T to be permanent and are expected to eventually be canceled or incorporated into security programs. Our analysis found that TSA issued more than one half (25) of the directives prior to 2014, meaning they have been in effect for more than 5 years. Several have been in effect for more than 10 years. We recommended, among other things, that TSA better define how to coordinate with air carriers when reviewing directives and when to cancel or incorporate longstanding security directives and emergency amendments into security programs. TSA agreed with our recommendations and plans to develop a process for more formal and consistent coordination with air carrier and industry association stakeholders and consideration of directives for cancellation or incorporation into security programs. TSA Created a Domestic Aviation Security Working Group to Develop and Update Leading Practices with Transportation Security Stakeholders Public area security. In November 2013, an armed individual entered the Los Angeles International Airport, firing multiple shots killing a transportation security officer and injuring two others and a passenger. As a result of this and subsequent airport attacks, TSA co-hosted a series of security summits with stakeholders and published the Public Area Security National Framework in May 2017 outlining a series of best practices and recommendations to secure airport pubic areas. The TSA Modernization Act requires TSA and the DHS Cybersecurity and Infrastructure Security Agency to establish a public area security working group to promote collaboration between TSA and public and private stakeholders to develop non-binding recommendations for enhancing security in public areas of transportation facilities. 11 The Act also requires TSA to periodically share best practices developed by TSA and transportation stakeholders related to protecting public spaces of transportation infrastructure from emerging threats. 12 In March 2019, TSA officials established the public area security working group to engage with stakeholders to validate and update the best practices that were developed in the 2017 Public Area Security National Framework. The working group consisted of security stakeholders from both aviation and surface transportation modes. In October 2019, TSA officials told us that they plan to issue an updated list of best practices in the fall of 2019. 11 See Pub. L. No. 115-254, div. K, tit. I, § 1931(b), 132 Stat. at 3569-70. 12 See Pub. L. No. 115-254, div. K, tit. I, § 1932(a), 132 Stat. at 3571. See also Pub. L. No. 115-254, § 1931(c)(2), 132 Stat. at 3570. Page 5 GAO-20-225T Insider threats. Recent incidents involving aviation workers misusing their access privileges have heightened concerns regarding the risk of insider threats at airports. TSA estimated in 2018 that there were approximately 1.8 million people with unescorted access to secured areas of the nation’s airports. 13 We have ongoing work examining the actions TSA, airport operators, and air carriers have taken to mitigate concerns regarding insider threats at airports and the extent to which TSA’s Insider Threat Program is guided by a strategic plan. Additionally, the TSA Modernization Act requires TSA, in consultation with the Aviation Security Advisory Committee to conduct a study examining the cost and feasibility to airports, airlines, and TSA of implementing enhanced employee inspection measures at all access points between non-secured areas and secured areas of certain airports. 14 We will review this study once submitted by TSA. TSA Coordinates Reviews of Passenger Screening Rules, but Could Better Measure Rule Effectiveness Screening rule changes. In 2010, TSA began identifying passengers for enhanced screening who are not known or suspected terrorists, but who fall within the scope of screening rules. Specifically, TSA identifies passengers for enhanced screening through the application of screening rules, which TSA develops by considering current intelligence and other factors. TSA refers to these rules and lists as Silent Partner and Quiet Skies. Silent Partner rules identify passengers for enhanced screening on inbound flights to the United States. Quiet Skies rules—a subset of the Silent Partner rules—identify passengers for enhanced screening on subsequent domestic and outbound flights. The TSA Modernization Act includes a provision for GAO to review the oversight mechanisms and effectiveness of Silent Partner and Quiet Skies. 15 13 In general, secured areas of airports are areas for which security measures, such as access controls, must be carried out to prevent and detect the unauthorized entry, presence, and movement of individuals and ground vehicles, and include areas where domestic and foreign air carriers enplane and deplane passengers and sort and load baggage, and any adjacent areas not separated by adequate security measures. See 49 C.F.R. §§ 1540.5, 1542.201. 14 See Pub. L. No. 115-254, div. K, tit. I, § 1931(b), 132 Stat. at 3572. Established in 1989, the Aviation Security Advisory Committee provides advice to the TSA Administrator on aviation security matters, including the development, refinement, and implementation of policies, programs, rulemaking, and security directives. Committee members represent stakeholder groups affected by aviation security requirements. See 49 U.S.C. § 44946. 15 See Pub. L. No. 115-254, div. K, tit. I, § 1949(e), 132 Stat. at. 3589. Page 6 GAO-20-225T We found that TSA coordinates reviews of Silent Partner and Quiet Skies through quarterly meetings and notifies an expanded set of DHS and TSA stakeholders—including DHS Traveler Redress Inquiry Program and the Federal Air Marshal Service—of rule changes as required under the Act. We also found that TSA has not identified a means to comprehensively measure rule effectiveness. TSA officials explained that they had not yet fully assessed the rules’ effectiveness because it was difficult to measure. TSA has access to data—such as the outcomes of enhanced screening of Silent Partner and Quiet Skies passengers at airport checkpoints—that could be explored to better assess rule effectiveness. Exploring additional data sources could help TSA refine and supplement the agency’s existing efforts to measure program effectiveness. In our draft report, we recommended that TSA explore additional data sources for measuring the effectiveness of Silent Partner and Quiet Skies rules. TSA is currently reviewing the draft report and is scheduled to provide any comments by early November 2019. TSA Should Ensure Aviation Screening Technologies Continue to Meet Detection Requirements after Deployment To protect the U.S. aviation sector, including the roughly 440 airports it regulates, TSA deploys technologies to screen passengers and their carry-on and checked baggage for homemade explosives and other prohibited items that could, among other things, cause catastrophic damage to an aircraft. The ongoing threat of terrorism requires TSA to continually assess the effectiveness of its screening operations and, when necessary, develop and deploy new screening technologies. The TSA Modernization Act includes a provision for us to review whether TSA allocates resources appropriately based on risk at TSA-regulated airports, among other things. 16 Our review of TSA acquisition documents found that TSA considers risk at the beginning of the screening technologies acquisition process. However, TSA officials could not provide an example of when risk information for specific airports had directly influenced decisions about where and in what order to deploy screening technologies to airports in the recent past. Fully disclosing what risk factors are weighed and how decisions are made could better ensure that TSA’s deployment of screening technologies matches potential risks. We recommended that TSA officials document their assessments of risk and the rationale behind decisions to deploy screening technologies. 16 See Pub. L. No. 115-254, div. K, tit. I, § 1923, 132 Stat. at 3561. Page 7 GAO-20-225T We also found that TSA does not ensure that screening technologies continue to meet detection requirements after they have been deployed to airports, when performance can degrade over time. According to officials, the agency uses certification—a step in the test and evaluation process— to confirm that technologies meet detection requirements before they are deployed to airports, and calibration of the technologies to confirm that technologies are at least minimally operational while in use at airports. They stated that these processes are sufficient to assure TSA that screening technologies are operating as intended. While these processes serve important purposes, they do not ensure that screening technologies continue to meet detection requirements after they have been deployed because performance can degrade over time. Developing and implementing a process to ensure technologies continue to meet detection requirements after deployment would help ensure that TSA screening procedures are effective and enable TSA to take corrective action if needed. In our draft report, we recommended that TSA develop and implement a process to ensure technologies continue to meet detection requirements after deployment. TSA is currently reviewing the draft report and is scheduled to provide any comments by early November 2019. Page 8 GAO-20-225T Actions are Needed to Improve Surface Transportation Security TSA Should Improve Coordination for its Surface Transportation Security Training Program The TSA Modernization Act includes a provision that we review resources provided to TSA surface transportation programs and the coordination between relevant entities related to surface transportation security. 17 According to our analysis, TSA Surface Programs received $123 million in fiscal year 2017 and $129 million in fiscal year 2018. 18 The surface program appropriation represented about 1.6 percent of TSA’s total appropriation in both fiscal years, according to DHS data. We also found that in fiscal years 2017 through 2019, TSA reported using surface program resources for non-surface activities. For example, in fiscal year 2018, TSA reprogrammed $5 million from the Surface Programs account to Mission Support activities to address security requirements and increase hiring of transportation security officers. Further, we found that TSA could improve internal coordination roles and responsibilities for planning and implementing its voluntary Intermodal Security Training and Exercise Program (I-STEP)—a program intended to engage with system operators and governmental security partners to enhance surface transportation security. For example, officials from TSA’s office that provides intelligence briefings during program exercises stated that they do not typically participate in planning meetings because they are not consistently invited to attend. In our draft report, we recommended that TSA clarify roles and responsibilities for all offices involved in the coordination of surface transportation exercises, including when these offices are to coordinate. TSA is currently reviewing the draft of this report and is scheduled to provide any comments by early November 2019. 17 See Pub. L. No. 115-254, div. K, tit. I, § 1966, 132 Stat. at 3607. 18 Surface activities are primarily carried out by three TSA offices—Security Operations; Law Enforcement/Federal Air Marshal Service; and Policy, Plans, and Engagement. TSA reported that these offices were collectively allocated about 99 percent of TSA’s Surface Programs appropriation in fiscal year 2017 and 93 percent in fiscal year 2018. Page 9 GAO-20-225T Actions Needed to Reflect Pipeline Security Roles in Key Documents and to Address Weaknesses in TSA’s Pipeline Security Program Management More than 2.7 million miles of pipelines transport and distribute the natural gas, oil, and other hazardous liquids that the people and businesses within the United States depend on to operate vehicles and machinery, heat homes, generate electricity, and manufacture products. Responsibility for safeguarding these pipelines is shared by TSA; the Pipeline and Hazardous Materials Safety Administration (PHMSA), within the Department of Transportation (DOT); and pipeline operators. TSA oversees the security of all transportation modes, including pipelines. PHMSA oversees pipeline safety. DHS and DOT signed a memorandum of understanding (MOU) on their roles across all transportation modes in 2004, and an Annex to the MOU in 2006 to further delineate their pipeline security-related responsibilities. The TSA Modernization Act includes a provision for GAO to review DHS and DOT roles and responsibilities for pipeline security. 19 We reported in June 2019 that key pipeline security documents need to better reflect the current operating environment. 20 For example, the MOU Annex has not been reviewed to consider pipeline security developments since 2006. As a result, the MOU Annex may not fully reflect the agencies’ pipeline security and safety-related activities. We reported that by developing and implementing timeframes for reviewing the MOU and updating it, as appropriate, TSA and PHMSA could better ensure any future changes to their respective roles and responsibilities are clearly delineated and updated on a regular basis. In addition, TSA’s Pipeline Security and Incident Recovery Protocol Plan, issued in March 2010, defines the roles and responsibilities of federal agencies and the private sector, among others, related to pipeline security incidents. For example, in response to a pipeline incident, TSA coordinates information sharing between federal and pipeline stakeholders and PHMSA coordinates federal activities with an affected pipeline operator to restore service. However, TSA has not revised the plan to reflect changes in at least three key areas: pipeline security threats (e.g., cybersecurity threats), incident management policies, and DHS’s terrorism alert system. By periodically reviewing and, as appropriate, updating its plan, TSA could better ensure it addresses changes in pipeline security threats and federal law and policy related to 19 See Pub. L. No. 115-254, div. K, tit. I, § 1980, 132 Stat. at 3619. 20 GAO, Critical Infrastructure Protection: Key Pipeline Security Documents Need to Reflect Current Operating Environment, GAO-19-426 (Washington, D.C.: June 5, 2019). Page 10 GAO-20-225T cybersecurity, incident management and DHS’s terrorism alert system, among other things. We made five recommendations to address these issues, including for TSA and DOT to develop and implement a timeline for reviewing and updating the 2006 MOU Annex and for TSA to periodically review and update its 2010 pipeline incident recovery plan, as appropriate. TSA and PHMSA have actions under way to address our recommendations. For example, PHMSA officials stated that PHMSA and TSA continue to collaborate on updates to the 2006 MOU Annex. TSA has also developed and provided pipeline operators with voluntary security guidelines, and evaluates the vulnerability of pipeline systems through security assessments. However, in December 2018 we identified some weaknesses and made recommendations to strengthen TSA’s management of key aspects of its pipeline security program. 21 For example, we reported that the number of TSA security reviews of pipeline systems has varied considerably over time. TSA officials stated that staffing limitations— ranging from 1 full-time equivalent in 2014 to 6 from fiscal years 2015 through 2018—within its Pipeline Security Branch have prevented TSA from conducting more reviews. Further, TSA does not have a strategic workforce plan to help ensure it identifies the skills and competencies—such as the required level of cybersecurity expertise— necessary to carry out its pipeline security responsibilities. We recommended that TSA develop a strategic workforce plan. As of October 2019, TSA has not yet fully addressed this recommendation. We will continue to monitor progress. Chairman Correa, Ranking Member Lesko, and Members of the Subcommittee, this concludes my prepared statement. I would be happy to respond to any questions you may have at this time. 21 TSA agreed with our recommendations. See GAO, Critical Infrastructure Protection: Actions Needed to Address Significant Weaknesses in TSA’s Pipeline Security Program Management, GAO-19-48 (Washington, D.C.: Dec. 18, 2018). Page 11 GAO-20-225T GAO Contact and Staff Acknowledgments (103870) If you or your staff members have any questions about this testimony, please contact me at (202) 512-8777 or russellw@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this statement. Other individuals making key contributions to this work include Kevin Heinz, Assistant Director; Paul Hobart, Analyst-in-Charge; Josh Diosomito; Amber Edwards; Michele Fejfar; Melissa Greenaway; Barbara Guffy; Winchee Lin; Tom Lombardi; Michelle Serfass; and Adam Vogt. Key contributors to the previous work discussed in this statement are listed in each of the cited reports. Page 12 GAO-20-225T This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. GAO’s Mission The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO’s website (https://www.gao.gov). Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to https://www.gao.gov and select “E-mail Updates.” Order by Phone The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, https://www.gao.gov/ordering.htm. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO Connect with GAO on Facebook, Flickr, Twitter, and YouTube. Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts. Visit GAO on the web at https://www.gao.gov. To Report Fraud, Waste, and Abuse in Federal Programs Contact FraudNet: Website: https://www.gao.gov/fraudnet/fraudnet.htm Automated answering system: (800) 424-5454 or (202) 512-7700 Congressional Relations Orice Williams Brown, Managing Director, WilliamsO@gao.gov, (202) 512-4400, U.S. Government Accountability Office, 441 G Street NW, Room 7125, Washington, DC 20548 Public Affairs Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548 Strategic Planning and External Liaison James-Christian Blockwood, Managing Director, spel@gao.gov, (202) 512-4707 U.S. Government Accountability Office, 441 G Street NW, Room 7814, Washington, DC 20548 Please Print on Recycled Paper.