On a normal travel day (at least pre-COVID), millions of passengers pass through Transportation Security Administration (TSA) screening checkpoints at U.S. airports. Passengers are screened using “body scanners” while carry-on bags are screened by an X-ray or computed tomography (CT) machine. Prior to installation, such screening equipment undergoes a rigorous testing process to ensure it meets TSA requirements. Time is of the essence when it comes to getting new equipment certified and deployed. While TSA’s testing approach is appropriately thorough, it is also very slow. To help speed up the equipment testing process, in 2013, TSA introduced a “third-party testing” program, whereby an independent organization may test new technology to verify that it meets TSA requirements. A recent Government Accountability Office (GAO) report assessed TSA’s third-party testing program and concluded it may be in need of a tune-up.
Third-Party Testing at a Glance
TSA’s testing process typically involves three phases. First, TSA conducts certification testing to ensure the system meets TSA explosive detection standards and demonstrates acceptable false alarm rates. Second, the technology undergoes qualification testing at a TSA facility, which verifies that the system performs against TSA’s requirements and is safe, reliable, and able to be maintained. Finally, the system is tested on-site at airports to ensure proper performance in the airport environment.
Because of TSA’s review process and limited testing capacity, it can take years for new equipment to be approved for deployment. The GAO found that one system took more than seven years to complete operational testing. Such a protracted process inhibits the timely deployment of the latest threat detection technology at airport checkpoints. In fact, by the time technology is deployed, it may already be outdated. Third-party testing was designed to alleviate this problem by giving security technology vendors a way to submit their systems for third-party testing prior to beginning TSA’s testing process. The vendor would then include third-party testing data in its application to TSA. Additionally, third-party testing is used when a system experiences failures during TSA testing.
There are two main problems with this approach to third-party testing. First, while TSA testing is free, third-party testing is expensive, and all costs must be paid by technology vendors, thereby discouraging use. Second, third-party testing does not replace TSA testing — instead, it is “an additional step either prior to submitting technologies to TSA, or if … equipment fail[s] the TSA testing and evaluation process and they need to conduct further testing.” As a result, third-party testing does not meaningfully expedite TSA’s testing process. Further, while TSA has indicated it is willing to accept third-party testing data “on a case-by-case basis,” GAO reported that this has not yet happened. As a result, industry vendors lack an incentive to invest in third-party testing, while remaining beholden to TSA’s lengthy testing timelines.
Though TSA’s third-party testing program has been in place since 2013, GAO confirmed that the program has not been widely used. Additionally, GAO determined that TSA’s “policies and guidance do not identify any metrics with regard to” meeting efficiency goals, and that TSA “had not yet identified any metrics pertaining to third-party testing and its contribution to the goal of testing efficiency.” To remedy this, GAO recommended that TSA: (1) develop metrics to measure the effects of third-party testing on efficiency, (2) assess its effects on efficiency, and (3) assess whether third-party testing contributes to supplier diversity and innovation. TSA concurred with all three of GAO’s recommendations.
TSA should be commended for its steadfast commitment to ensuring that all new security technologies meet TSA-required detection and operational standards. However, TSA, the aviation security vendor community, and the millions of passengers who pass through airport checkpoints each day would benefit from a strengthened third-party testing program that would expedite deployment of new technologies to meet the security threats of tomorrow.