The Transportation Security Administration has improved its processes for covert testing of passenger and checked baggage screening at U.S. airports to uncover vulnerabilities but its overall efforts remain mixed, the Government Accountability Office (GAO) says in a new report.

“In 2015, TSA established the Security Vulnerability Management Process to leverage agency-wide resources to address systems vulnerabilities,” GAO says in an unclassified version of its report. “However, this process has not yet resolved any identified security vulnerabilities. Since 2015, Inspection officials submitted nine security vulnerabilities identified through covert tests for mitigation, and as of September 2018, none had been formally resolved through this process.”

The report, TSA Improved Covert Testing but Needs to Conduct More Risk-Informed Tests and Address Vulnerabilities (GAO-19-374), says that TSA has two offices that conduct covert tests, Inspections and Security Operations. The Inspections office does its tests based on the agency’s risk assessments whereas the Security Operations basically use their “professional judgment,” GAO says.

The report says that the Inspections office’s testing process “has resulted in quality test results” while “Security Operations has not been able to ensure the quality of its covert test results.” It notes that TSA is in the process of transferring covert testing programs that are managed by Security Operations to Inspections.

The testing done by Inspections is focused on identifying vulnerabilities in the technology TSA uses to screen at the checkpoint and for checked baggage. Security Operations’ testing is related to performance of the TSA agents that operate the screening equipment.

The Department of Homeland Security says it concurs with all of GAO’s recommendations and has set deadlines to meet them.