Nearly 14 years into the war on terror, the U.S. has begun to question whether its domestic response to 9/11 has been effective and legal. And while the scandal exposed by Edward Snowden has put the Patriot Act and the NSA in the crosshairs, that's not enough. It's time to take another look at the Transportation Safety Administration, too.

The videos of Mohammed Atta and other 9/11 terrorists passing through Logan Airport on the morning of the attack prompted Congress to bolster airport security. They chose the top-down approach of federalizing security in airports, in part to apply consistent standards to all flights in the U.S., and in part to keep financially strapped airlines from carrying the burden alone. Airports reconfigured their terminals to keep all but travelers out of the concourses and gates, routing them through checkpoint stations that were intended to screen out potential threats before they could board planes.

Even with that in place, occasional breaches occurred, such as "shoe bomber" Richard Reid in December 2001, and the "underwear bomber" Umar Farouk Abdulmutallab in December 2009. Those incidents began overseas, however, outside the TSA's jurisdiction. The long track record of quiet since the 9/11 attacks has left the impression that the TSA has succeeded in its mission, especially since most Americans assumed that al Qaeda would attempt another attack on American aviation soon after their one success.

Two recent reports suggest that the confidence may be misplaced. The White House "reassigned" acting TSA chief Melvin Carraway after the agency managed a spectacular failure in an audit of its front-line capabilities. The Department of Homeland Security — TSA's parent agency — conducted 70 tests at various locations to smuggle threatening materials past the airport checkpoints that serve as the only security for American aviation. The checkpoints detected only three of the tests, allowing bomb materials and weapons to pass through undetected a whopping 95 percent of the time.

That would be bad enough if it happened once. However, this audit was intended to follow up on promised improvements to the system after a similar exercise in 2009 produced essentially the same results in regard to baggage screening, another key TSA responsibility. After that failure, DHS got an extra $500 million to improve its technology and staffing and another $11 million to ramp up training. Even with all of that extra cash, a spot test in 2013 allowed a fake bomb to pass through Newark Liberty Airport undetected. Then-TSA head John Pistole promised Congress that weekly tests would produce better results. Instead, his successor got cashiered.

One week later, a new report from the DHS Inspector General points out another problem at TSA — but one with roots that go back to the days before 9/11. TSA vets airport and airline employees to approve credentials that allow them into secure areas of airports, a monumental task considering the scope of the mission. The airlines usually do much of the background investigation, but the TSA checks the data and the identification against government watch lists to keep security risks from gaining access to secured areas. The IG notes that TSA is "generally effective" at this task, vetting thousands of applicants a year, but found 73 people with links to terrorism had been approved by TSA for employment at airports.

Given the large number of applications, this failure rate is much lower than that produced by the audit of checkpoints. However, these are not test cases, but actual hires of people who can access all sorts of sensitive areas at airports in the U.S. Even one failure to catch a risk like this could have catastrophic consequences for travelers and the transportation industry.

Even more disturbing is what led to the failure. When applicants showed up on the watchlists produced by U.S. intelligence, the TSA found and flagged them. The problem is that the government didn't provide TSA with access to all of the codes needed to find watchlisted individuals. TSA "is not authorized to receive all terrorism-related categories under current interagency watchlisting policy," the Inspector General's office wrote in its summary. Furthermore, on criminal rather than terrorism issues, TSA could not do follow-up vetting on those with existing credentials "due to current law and FBI policies" that restrict them from getting that data. Instead, TSA "relied on the credential holders themselves to report disqualifying crimes to the airports where they worked."

In other words, our security now rests on criminals self-reporting and the data from the most sensitive classes of terrorist risk being withheld from the agency that arguably needs it the most. That sounds even worse than our security posture before 9/11, and a great waste of money and resources.

The great lesson from 9/11, Congress and independent panels found, was a failure to "connect the dots" that could have alerted law enforcement and intelligence agencies to the terror plot that killed almost 3,000 Americans. That lesson drove Congress to create DHS and the National Counterterrorism Center, and to fold TSA within that structure. Now, almost 14 years later, Americans discover that TSA routinely fails tests on its core mission while the government keeps critical information from the agency.

Thankfully, we have been lucky, at least thus far. We cannot count on luck forever, though, and we cannot afford to learn these lessons the hard way again. Congress needs to overhaul the nation's security apparatus in a way that coordinates intelligence and law-enforcement information much more nimbly, and provide front-line defenses with more competence and accountability.