Secure Flight is the government's second attempt at a preflight screening program for domestic airlines following the terrorist attacks of Sept. 11, 2001. An earlier system, called the Computer-Assisted Passenger Prescreening System, was created in 2003 then abandoned in 2004 because of privacy concerns.
For his part, Kip Hawley, the assistant secretary of the TSA, told the Senate Committee on Commerce, Science and Transportation that he has asked the TSA's Information Technology Office to conduct an IT system security audit of Secure Flight to address weaknesses identified by the GAO. The audit would also ensure that the program fully addresses security and privacy concerns.
While he supported the TSA's efforts to secure all modes of transportation, Committee Chairman Ted Stevens (R-Alaska) noted that the program has been in development for a number of years but for various reasons has not yet been implemented. Stevens said the committee wants answers about the viability of the program as well as a timetable for its launch.
"The committee also will examine the impediments that have caused the delay, including privacy concerns, Stevens said in a statement at the hearing.
"While the Secure Flight regulation is being developed, this is the time to ensure that Secure Flight's security, operational and privacy foundation is solid," Hawley told the committee. "We will move forward with the Secure Flight program as expeditiously as possible, but in view of our need to establish trust with all of our stakeholders on the security and privacy of our systems and data, my priority is to ensure that we do it right ? not just that we do it quickly."
Hawley didn't say when the program would be implemented.
Testifying before the committee, Catherine Berrick, the GAO's director, Homeland Security and Justice Issues, said that although Secure Flight has been in development for three years, the agency still faces significant challenges in developing and implementing the program.
For one thing, Berrick said, the TSA has not properly managed the development of the program, choosing to develop it quickly rather than accurately.
"As a result of this approach, the development process has been ad hoc, with project activities conducted out of sequence, requirements not being fully defined, and documentation containing contradictory information or omissions," Berrick said.
In addition, even though the TSA has taken steps to make sure that the Secure Flight system is secure, its efforts are incomplete, she said. The agency is also developing the program without defining system requirements and cost estimates, she added.
"Further Secure Flight's system development documentation does not fully explain how passenger privacy protections are to be met, and TSA has not issued the privacy notices that describe how it will protect passenger data once Secure Flight becomes operational," Berrick told the committee.
Hawley said the TSA has identified the same issues as the GAO and is working to address them.