U.S. Customs and Border Protection (CBP) does not comprehensively plan and conduct its covert testing, use test results to address vulnerabilities, or widely share lessons learned. CBP’s two covert testing groups do not use risk assessments or intelligence to plan and conduct covert tests at ports of entry and U.S. Border Patrol checkpoints, do not plan coordinated tests, and do not design system-wide tests. This occurred because CBP has not provided adequate guidance on risk- and intelligence-based test planning, directed the groups to coordinate, given them the required authority, or established performance goals and measures for covert testing. Following testing, CBP does not widely share covert test results, consistently make recommendations, or ensure corrective actions are taken. Results are not widely shared because CBP has not defined roles and responsibilities for such sharing. Covert testing groups do not make recommendations or ensure corrective actions are implemented due to insufficient authority and policies directing these actions. Finally, CBP does not effectively manage covert testing groups to ensure data reliability, completeness, and compliance with security requirements due to leadership changes and limited staff. Without comprehensive planning, incorporating lessons learned from test results, and program management accountability, CBP cannot ensure it addresses vulnerabilities, which may be exploited and threaten national security. We recommended CBP develop policies and procedures for conducting covert testing and assign roles and responsibilities for oversight of covert testing groups. We made seven recommendations that will strengthen CBP’s covert testing program. CBP concurred with all seven recommendations.
CBP Needs a Comprehensive Process for Conducting Covert Testing and Resolving Vulnerabilities - (REDACTED)