1. Home
  2. TRID
  3. View Record
https://www.nationalacademies.org/trb/events

CBP’s Trusted Traveler Systems Using RFID Technology Require Enhanced Security (Redacted)

The Department of Homeland Security (DHS) Office of Inspector General (OIG) audited DHS and select organizational components’ security programs to evaluate the effectiveness of controls implemented on Radio Frequency Identification (RFID) systems. Systems employing RFID technology include tags and readers on the front end and applications and databases on the back end. RFID is a wireless technology that stores and retrieves data remotely from devices. The technology allows sensitive information to be read and written to tags and for numerous tags to be scanned simultaneously from a distance. The flexibility and portability of RFID technology and devices, as well as the information that resides on the tags, increase the need for security and privacy controls. OIG's objective was to determine whether U.S. Customs and Border Protection (CBP) has implemented effective controls to protect critical data processed by its trusted traveler systems. To address this objective OIG: (1) interviewed personnel at CBP’s National Data Center; (2) reviewed applicable DHS and CBP policies and procedures; (3) conducted vulnerability assessments of the databases that collect and process information; and (4) evaluated the effectiveness of physical security and assessed the security controls over the RFID readers and RFID-enabled cards and transponders at selected ports of entry (POEs) in Detroit, MI; Blaine, WA; El Paso, TX; and Nogales, AZ. CBP has implemented effective physical security controls over the RFID tags, readers, computer equipment, and databases supporting the RFID systems at the POEs visited. No personal information is stored on the tags used for CBP. Traveler’s personal information is maintained in and can be obtained only with access to the system’s database. Additional security controls would be required if CBP decides to store travelers’ personal information on RFID tags or migrates to universally readable Generation 2 (Gen2) products. However, CBP has not developed adequate policies and procedures to ensure that security controls are implemented consistently by all POEs to protect its trusted traveler systems. In addition, CBP has not implemented the necessary controls on the system’s back end to ensure that the data captured and stored for the trusted traveler programs are properly protected. In addition, OIG determined that CBP did not ensure that its trusted traveler systems fully comply with all Federal Information Security Management Act (FISMA) requirements. For example, the systems reviewed did not have a valid authority to operate, interconnection security and user agreements were not reviewed annually, and security reviews of contractor facilities were not performed. For the systems utilizing RFID technology, OIG is recommending that the CBP Commissioner direct its Chief Information Officer (CIO) to: (1) Develop and implement procedures to strengthen user account and password management processes relating to the trusted traveler systems. Procedures should include periodic vulnerability assessments and reviews of all user access. (2) Ensure that all vulnerabilities identified for which risks have not been assumed be remedied. (3) Develop and implement policy and procedures that address security controls over all components of an RFID system. (4) Ensure that audit trails are reviewed, documented, and maintained on a regular basis. (5) Ensure that all FISMA requirements are implemented, including certification and accreditation.

Language

  • English

Media Info

  • Media Type: Web
  • Features: Appendices; Figures; Photos; Tables;
  • Pagination: 33p

Subject/Index Terms

Filing Info

  • Accession Number: 01029508
  • Record Type: Publication
  • Report/Paper Numbers: OIG-06-36
  • Files: TRIS
  • Created Date: Jul 24 2006 7:14AM