Security Policy Alert: Summary of TSA's Monthly Conference Call for Airport Stakeholders
October 1, 2020
This afternoon, TSA held its monthly conference call for airport stakeholders. The conference call was led by Alan Paterno, TSA's Airport Industry Engagement Manager in the office of Policy, Plans and Engagement (PPE). Following are highlights from today's call:
New Aviation Deputy Director
Gary Seffel has been named as the Deputy Director for Aviation under Director Vera Adams within TSA Policy, Plans and Engagement. Gary previously served as an advisor for TSA international operations, worked for the National Security Council at the White House, and was the TSA Transportation Security Area Representative (TSAR) in East Africa.
Registered Traveler Amendment Clarification
TSA will be posting a letter to airports and air carriers hosting Registered Traveler (RT) operations to clarify several provisions of the national amendment regarding the RT program. The letter, which will also be given to RT provider Clear, will pe posted later today or early tomorrow. The letter will clarify Travel Document Checker referral requirements, how to calculate them and the timeframe to complete the daily referral requirements.
Real Time Wait Time and Crowd Movement Technology Standards
The TSA Modernization Act of 2018 required TSA to collect and post real time wait times at every checkpoint across the country. However, Congress did not provide an appropriation to fund this activity. In working to meet the Congressional mandate, TSA Requirements and Capabilities Analysis developed crowd movement technology standards, which have now been posted on HSIN for reference and use by airports or air carriers that have already invested in or are looking to invest in crowd movement/wait time technology. The Crowd Movement Technology Standards will be added to the next version of the Checkpoint Design Guidelines and are intended as guidance to allow airports to seamlessly integrate any crowd movement technology that TSA may invest in or deploy in the future, depending on the availability of appropriated funding. The availability of the Crowd Movement Technology Standards does not in any way require airports to invest in this technology at this time.
For airports that have already invested in crowd management or wait time technology and have asked to share the data with TSA, TSA does not have the ability to ingest the data at this time. If TSA does move forward on its own investment to meet the Congressional mandate, accepting data from airport or air carrier sources will likely be the first step.
In the meantime, TSA Security Operations plans to issue an Operational Directive to Federal Security Directors (FSD) to align how TSA measures wait times with the language in the TSA Modernization Act. In response to a question from AAAE on the status of the Operational Directive, TSA reported that it has not yet been provided to the field.
Checkpoint Cleaning and Sanitization Reimbursement
By the close of the fiscal year, TSA was able to finalize 70 Other Transactional Agreements (OTAs) to reimburse airport operators for COVD-19 related cleaning and sanitization at TSA controlled areas like the checkpoint. TSA also entered into third party agreements (based on the GSA schedule) at five Category X airports for COVID-19 related cleaning and sanitization. TSA continues to work on approximately 20 reimbursement applications currently in process and expects to complete these applications within the next 30 days. TSA is also working to potentially extend current OTAs for three to six months after the December 31 expiration based on CARES Act funding availability.
Plans, Policy and Engagement Update
International Travel Documentation Verification: TSA reminded airports of the useful Edison Travel Document reference tool that is available to help airports verify international identification documents. Edison TD is a publicly available website (edisontd.net) that hosts a database of images of what valid identity and travel documents look like from most countries in the world. The database is developed by the Dutch authorities in cooperation with authorities in Canada, Australia, the U.S., the United Arab Emirates, and Interpol.
The database is easy to use and is separated out by country, then by document, and then by series or version if applicable. Users are able to view images of what each document looks like and images of specific security features.
Information Circular 17-01B: TSA also provided a reminder about the recommended best practices contained in Information Circular 17-01B on airport identification media. TSA strongly recommends that airports implement multi-factor authentication for access control. TSA also recommends the use of RTCA's DO-230 series of documents and the National Institute of Science and Technology's F I P S Publication 201 series as a way to enhance access control and ID media security at airports.
In regard to the physical security of the ID media itself, TSA recommends card shields and enhanced card stock. As part of the most recent update to the IC, TSA also added recommendations on embedded security features, to include holograms; holographic images; laser etching and engraving; optical varying inks or images; raised or embossed text; and microprinting. The use of privacy shields to cover PIN entry is also something TSA recommends.
Finally, regarding publicly available information, TSA recommends that airports, when possible, minimize the publication or online posting of ID media configurations and anything specific, like a trademark or logo that also happens to be on the ID media. Lastly, TSA recommends that airports advise ID media holders themselves to avoid posting pictures of their ID media online to avoid giving potential adversaries a look at the image of the airport ID media.
Special Emphasis Assessment on Cybersecurity
TSA Policy, Plans and Engagement provided a detailed analysis of the recent Special Emphasis Assessment on Information Circular 17-03B related to recommended best practices for cybersecurity. (Security Operations, which conducted the assessment, provided a brief overview of the results on last month's call.)
TSA conducted assessments at 419 airports to determine adoption of the 10 best practices outlined in the Information Circular. 87 airports implemented every cybersecurity best practice listed in IC 17-03B;3 airports (2 Cat IVs, 1 CAT III) did not implement any of the listed best practices; and, 370 airports implemented at least 6 best practice measures.
TSA also analyzed the adoption rate based on Category and the number of enplanements (per 2019 FAA enplanement data):
- 3 airports (1%) did not adopt any best practices and account for less than 1% of total annual enplanements,
- 370 airports (88%) adopted 6 or more best practices and account for 99% of total annual enplanements, and
- 87 airports (21%) adopted all best practices and account for 55% of total annual enplanements.
TSA provided AAAE the following information regarding additional cybersecurity related resources for airports:
- Idaho National Labs Critical Infrastructure Training
https://inl.gov/critical-infrastructure-protection-training/ - Aviation Cybersecurity Initiative Airports Cybersecurity Working Group
For information about joining the working group, please contact:
TSA: Michael Jacobs (michael.jacobs@tsa.dhs.gov) FAA: Phil Windust (philip.b.windust@faa.gov)
Upcoming Proposed Airport Security Program Amendments for Notice and Comment
TSA has been working with AAAE and industry to meter out several proposed Airport Security Program (ASP) amendments for notice and comment so as to not overwhelm or overburden airports during these difficult times. Currently, TSA plans to post the proposed ASP amendment on aviation workers and staff screening next week for notice and comment through December 7. The comment due date may shift depending on when the proposed amendment is actually posted; it was expected to be issued this week and may be delayed again which would impact the comment due date.
Once the comment period closes for the staff screening ASP amendment, TSA will issue the proposed ASP amendment on adding cybersecurity and UAS incidents to the suspicious incident reporting requirements. If issued on December 8 as planned, comments would be due on January 27, 2021.
Once the comment period on cyber and UAS reporting closes, TSA will issue an ASP amendment to revise requirements related to inspection of merchandise in airport clubs and lounges to properly place the responsibility of inspection of merchandise in 1544 and 1546 airport controlled clubs and lounges on 1544 and 1546 regulated entities. If issued on January 28 as planned, comments would be due in mid-March 2021.
National Safe Skies Alliance
Jessica Grizzle from Safe Skies provided an update on their latest activities, including:
- Project panels met in September to select research teams to conduct PARAS 0032 Enhancing Security of Cargo Operations at Airports and PARAS 0037 Planning and Operational Security Guidance for Construction Projects at Airports. Panels will meet later this month to select research teams for PARAS 0034 Optimization of Airport Security Camera Systems and 0036 Airport Credentialing Efficiency Toolkit. Selected organizations will be announced when contracts are executed.
- PARAS 0022 Active Shooter Mitigation and Recovery Strategies is under final review and will be available in October.
- Safe Skies' Oversight Committee will meet in late October to determine which of the 12 submitted Problem Statements will become funded PARAS projects for FY 2021. Safe Skies anticipates that at least one or two of the selected projects will relate to COVID-19 impact on airport related security measures and investments. Safe Skies will begin assembling Project Panels immediately and will continue to hold panel meetings virtually to avoid unnecessary delays in developing and issuing RFPs.
- Two new ASSIST evaluation reports have been issued for Southwest Microwave INTREPIDâ„¢ MicroTrackâ„¢ II Buried Cable Intrusion Detection System and Thermal Imaging Radar Hydra Ultra System. They can be found in the Safe Skies folder on HISN or you can email Anna.Hamilton@sskies.org to request them.
FBI Audit of TSA CHRC Programs
Last year, the FBI conducted an audit of TSA's CHRC programs, which includes the aviation worker program, TWIC, Hazmat and the Alien Flight School Program. For the aviation worker program, the FBI noted two areas of concern: the correction of records process and compliance with Privacy Act notification requirements.
Although the FBI audited TSA, the audit was conducted at airports across the country and FBI observed that not all airports properly explained how applicants can correct their criminal records if applicable. It is an FBI and regulatory requirement that applicants subject to CHRC have access to information on how to correct records if needed. TSA is working on a pamphlet to provide additional information on how to best advise individuals about how they can correct their records and will make it available shortly.
TSA also encouraged airports to ensure that they are using the latest version of the Privacy Act Notice available, which can be found on the FPRD and as part of the SD 1542-04-08 series on HSIN. In response to a question by AAAE, TSA reported that they are still working with FBI to identity and correct, if needed, any discrepancies between the TSA required Privacy Act Notice and the FBI's privacy requirements for CHRCs.
Intelligence Update
TSA referenced three recent intelligence products which are now available on HSIN: a Transportation Intelligence Note entitled "Crime Almost Certainly Will Continue to Dominate as Primary Aviation Insider Activity"; a Terrorist Snapshot on AQAP; and, a Terrorist Snapshot on ISIS in East Asia.
Next TSA Conference Call
The next TSA conference call for airport stakeholders is scheduled for Thursday, November 5 at 1:00 p.m. ET. TSA Acquisitions and Program Management will provide an update on the latest technology deployment schedules.
