o U.S. Customs and Border Protection (CBP) does not comprehensively plan and conduct its covert testing, use test results to address vulnerability, or widely share lessons learned. CBP’s two covert testing groups do not use risk assessments or intelligence to plan and conduct covert tests at ports of entry and U.S. Border Patrol checkpoints, do not plan coordinated tests, and do not design system-wide tests. This occurred because CBP has not provided adequate guidance on risk- and intelligence-based test planning, directed the groups to coordinate, given them the required authority, or established performance goals and measures for covert testing. Following testing, CBP does not widely share covert test results, consistently make recommendations, or ensure corrective actions are taken. Results are not widely shared because CBP has not defined roles and responsibilities for such sharing. Covert testing groups do not make recommendations or ensure corrective actions are implemented due to insufficient authority and policies directing these actions. Finally, CBP does not effectively manage covert testing groups to ensure data reliability, completeness, and compliance with security requirements due to leadership changes and limited staff. Without comprehensive planning, incorporating lessons learned from test results, and program management accountability, CBP cannot ensure it addresses vulnerabilities, which may be exploited and threaten national security. We recommended CBP develop policies and procedures for conducting covert testing and assign roles and responsibilities for oversight of covert testing groups. We made seven recommendations that will strengthen its covert testing program. CBP concurred with all seven recommendations.
Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
|---|---|---|---|---|---|
| 1 | No | $0 | $0 | ||
| We recommend that the Deputy Commissioner of CBP develop and implement policies to ensure CBP's covert testing groups: a. develop risk-based annual covert test plans and identify systemic tests; b. distribute test results throughout the organization; c. make recommendations; and d. implement and track corrective actions. | |||||
| 5 | No | $0 | $0 | ||
| We recommend that the Assistant Commissioner of Office of Intelligence and Border Patrol's Chief of Law Enforcement Operations Directorate direct covert testing entities to develop and implement both performance measures and standard operating procedures including: a. processes for determining data to be included in test reports, b. data quality monitoring, and c. supervisory review. | |||||
| 7 | No | $0 | $0 | ||
| We recommend that the Assistant Commissioner of the Office of Intelligence direct all Operational Field Testing Division staff to review all prior and future classified reports to ensure they are properly marked to protect national security information. | |||||
