Security Policy Alert: Summary of TSA's Monthly Conference Call for Airport Stakeholders
October 6, 2022
This afternoon, TSA held its monthly conference call for airport stakeholders. The conference call was led by Alan Paterno, TSA's Industry Engagement Manager for Airports in the office of Policy, Plans and Engagement (PPE).
Update from Policy, Plans and Engagement
Cybersecurity – Performance Based Measures: TSA thanked the airports, air carriers and associations that submitted 877 comments on the proposed security program changes for performance-based cybersecurity measures (TSA-PNA-22-03 for Category X and I airports). These are the most comments TSA has received since the proposed amendment on aviation worker screening.
TSA is just beginning its review of the comments received but has organized them into certain topics and groups, including:
· Scope, such as what fuel systems, checked baggage systems and physical access control systems are covered;
· System ownership and relationships with authorized representatives and contractors;
· Concerns about burden, cost and compliance timeline;
· Protection of information submitted to TSA;
· Questions on specific cybersecurity measures, some of which were technical and some that sought alternatives.
TSA plans to host technical roundtables with airports and air carriers to further discuss some of the more technical questions and comments. TSA will provide additional information in the near future on these technical roundtables.
Information Circular 22-05: TSA is planning to issue a technical correction to Information Circular 22-05: Cybersecurity Self-Assessments and Incident Response Plans, which is applicable to Category III and IV airport operators, as well as other aviation and air cargo stakeholders. The change would remove the language pertaining to submitting the operator's completed self-assessment and remediation measures to TSA using the HSIN portal. Rather, the operator would maintain the completed documentation and provide it to TSA upon request. Once the updated IC is approved, TSA will post it to the HSIN airport operator and cybersecurity coordinator web-boards.
HSIN Portal for Cybersecurity Self-Assessments: Category X, I and II airports must submit their cybersecurity self-assessment as required by TSA-NA-22-01 by October 29. As a reminder, all self-assessment information must be uploaded in the automated form on the HSIN portal referenced in the ASP amendment. TSA provided the following guidance and tips regarding accessing and using the HSIN portal:
· At least one contact (typically the primary ASC or Cyber POC) from each Category X, I, and II airport has been granted access to the Cybersecurity Reporting Portal.
· Each person that was granted access should have already received an email stating that their access has been approved.
· To obtain access to the Cybersecurity Reporting Portal, an individual must already have a HSIN account.
· If you are having issues with accessing the cybersecurity reporting portal, please contact your AFSD-I, who will contact TSA HQ Compliance for resolution and/or assistance.
· The portal performs best with Firefox and Chrome. It does not work as intended using Internet Explorer or Edge.
· Please try to access the portal through the link in the original HSIN cybersecurity portal approval email.
· Try adding 'TWG' to the end of the website address provided in the amendment: https://hsin.dhs.gov/collab/tib/twg/
A link for uploading the plan for remediation measures as required by TSA-NA-22-01 will be added to the Cybersecurity Reporting Portal the first week in November. All remediation measure plans are required to be submitted by January 27, 2023.
Firearms Messaging and Public Advisories: On September 29, TSA posted a proposed national amendment related to public advisories. TSA is requesting comments on a proposed measure for the airport to remind passengers using public overhead announcements or signage that firearms are prohibited through the TSA screening checkpoint. The comment period will close November 14, 2022. At this time, TSA is working with aircraft operators and their associations to discuss ideas on how airlines can also assist with the issue pertaining to firearms at checkpoints. TSA has not yet issued any new proposed measures to aircraft operator standard security programs.
Policy Clarification Notices: TSA recently issued two separate Policy Clarification Notices (PCN) regarding Rap Back. The first one focused on CHRC certifications and stressed the voluntary nature of these certifications for all parties involved. TSA also clarified that airports should avoid adding additional content requirements to the certifications. TSA is working on updating the PCN to provide guidance on what date should be used in the certification for someone who may have a break in service.
The second PCN focused on search and subscribe requirements and TSA's prohibition on 'CHRC by proxy.' TSA uses the term 'CHRC by proxy' to refer to the process where one regulated entity submits a CHRC on behalf of another regulated entity using the other entity's fingerprint code, otherwise known as the SON. TSA has had two incidents recently in which a regulated entity received CHRC results and Rap Back subscriptions it did not request, because another entity submitted prints and Rap Back subscriptions on its behalf. The PCN clarifies that submission of any CHRC and Rap Back subscription using another entity's SON is a violation of the security program. Airports may still collect fingerprints and transmit those fingerprints to another regulated entity in a secure manner, but only the entity requesting the CHRC and Rap Back subscription can submit fingerprints to TSA.
The PCNs can be found on HSIN under the new PCN conference on the airport operator web-board.
CISA Cybersecurity Grants
Carrissa VanderMey, TSA's Senior Liaison to CISA and Security Operations Cybersecurity Coordinator, provided an overview of the State and Local Cybersecurity Grant Program created and funded under the Infrastructure Investment and Jobs Act, commonly referred to as the Bipartisan Infrastructure Law. Airports can work with their state cybersecurity planning committees to compete for eligible funding for projects to manage and reduce systemic cyber risk.
AAAE requested additional information about the grant program and the state cybersecurity planning committees. TSA provided a number of documents and links in response. For ease of reference and in the interest of space within this call summary, AAAE will send a separate Alert summarizing the grant program and the resources provided by TSA prior to our Transportation Services Committee call next week.
Update from Enrollment Services and Vetting Programs
Rap Back: There are now over 1 million Rap Back subscriptions for the aviation worker program, with 314 airports and 68 air carriers submitting under the mandatory Rap Back program.
Security Threat Assessments: TSA recently sent out an STA Best Practices Guide that the TSA Intelligence and Analysis adjudicators worked to create to address common errors and deconfliction techniques. TSA intends to publish this guide semi-annually, or when trends are identified that require communication.
TSA again asked airports to wait at least 14 days before inquiring about STA status. TSA has a team of customer service representatives that respond to inquiries and TSA wants them to focus on inquiries that may require escalation or intervention.
eBadge Update: Today, TSA posted a 'lessons learned' document regarding the eBadge program based on feedback from air carriers, airports and the Designated Aviation Channelers (DACs). The eBadge program supports CBP Seal requests which specifically apply to individual airport-issued SIDA badges only; therefore, eBadge requests can only be made by airport operators as a part of the SIDA badge issuance or update process.
If an applicant visited the local CBP office and submitted a manual CBP Seal application, a duplication error will be received for the eBadge submission should the airport attempt to subsequently submit a CBP Seal application.
While the eBadge application takes only about 5 minutes to submit and is accepted by CBP Seals Offices within hours of submission, results are transmitted manually only once a week to the DACs. Phase II of eBadge, which will automate result status, is still being tested.
If an airport is currently participating in eBadge, the CBP Seal application can be submitted by the airport operator through TSA via TWP eBadge, provided the applicant is processed for an airport SIDA badge. The aircraft operator/applicant would need to indicate their need for a CBP Seal when processing the applicant's SIDA application, and the airport will need to request eBadge in their DAC interface while processing the individual's SIDA badge application.
If the airport is currently not participating in eBadge (but eligible to do so), the applicant must visit their local CBP office and submit a CBP Seal application (to include fingerprinting) manually, until such time the airport operator begins participating in the voluntary eBadge program.
Visa Status: Visa types J1 (student), F1, B1, and B2 (tourist) do not bestow Lawful Presence for aviation workers. The status of any cases that are submitted with these visa types will receive 'Awaiting Applicant Response' as the status, and the applicants will receive a Preliminary Determination of Ineligibility (PDI). The applicant must respond via fax or U.S. Mail specifically as outlined in the PDI letter sent directly to the applicant.
Fiscal Year 2023 Resource Allocation Plan
TSA distributed its Fiscal Year (FY) 2023 staffing allocation, known as the Resource Allocation Plan (RAP), to Federal Security Directors (FSDs) on September 27. FSDs have been directed to share details of the RAP with airport stakeholders during the month of October.
TSA is currently operating under a Continuing Resolution (CR) that keeps funding at FY2022 levels through December 16. While the CR has forced TSA to reduce its overall allocations from what it was requesting for FY 2023, the agency was able to add 1,000 additional FTE to the RAP model and plans to maintain hiring where needed for FY2023.
The FY23 RAP is on par with the passenger volumes for FY2019. Because airports have experienced varying degrees of passenger volume recovery, TSA differentiated between airports that have met or exceeded 2019 passenger volumes and those that have not yet. For airports with volumes above FY2019 during peak periods, TSA used FY2022 peak period numbers plus 2 percent for the staffing allocation. For airports that have not yet met FY2019 volumes, TSA took the difference between FY2022 and FY2019 volumes and gave at least a 50 percent staffing allocation increase back to those airports.
This year's RAP saw two significant changes with an increase in allocation for the Travel Document Check (TDC) stations and a decrease in checked baggage alarm resolution staffing given advancements in automated alarm resolution technology. Other notable changes include:
· An increase in the overtime allocation from 3.2% to 3.5% to cover call-outs, flight changes, volume mitigation efforts and staffing challenges.
· More allocation for sick and parental leave.
· ATLAS staffing remains at the elevated FY2022 level due to the 334 FTE provided by Congress for insider threat mitigation.
· The National Deployment Force remains staffed at approximately 1,000 FTE.
· Training has been adjusted to include an additional week of training for new hires.
· An adjustment in the agency's canine allocation model for extended canine coverage at capacity constrained airports, which unfortunately means less coverage at select airports.
As always, TSA will adjust its RAP throughout the year based on budget, passenger volume and airport configurations.
Safe Skies Update
Jessica Grizzle from the National Safe Skies Alliance provided the following update:
PARAS 0038 Airport Guidance for Identity Management Systems (IDMS) is under final review and will be published in October. The document will assist airports in making informed decisions during IDMS planning, procurement, implementation, and operation to ensure system effectiveness.
PARAS 0048 Electronic Management of Security and Regulatory Compliance Documents has been awarded to Faith Group with Heidi Benaman as the Principal Investigator.
Safe Skies received 16 Problem Statement submissions for FY 2023 consideration. Feedback is being gathered from industry reviewers to assist in evaluating and prioritizing the research topics. If you are interested in reviewing a submission (time commitment of approximately 15 minutes), please email jessica.grizzle@sskies.org. Feedback is due on October 12. The Safe Skies Oversight Committee will meet in early November to determine which topics will become funded PARAS projects for 2023.
Next TSA Conference Call
The next TSA conference call for airport stakeholders is scheduled for Thursday, November 3, 2022, at 1:00 p.m. ET.