Security Policy Alert: TSA Monthly Conference Call Summary for November 2021

November 4, 2021

This afternoon, TSA held its monthly conference call for airport stakeholders. The conference call was led by Alan Paterno, TSA's Airport Industry Engagement Manager in the office of Policy, Plans and Engagement (PPE).

Enrollment Services and Vetting Programs Update

Rap Back Program: There are currently 261 regulated entities participating in the Rap Back program – 241 airports and 20 air carriers. In September, TSA issued the final ASP amendment to make participation in the Rap Back program mandatory. Airports not yet participating have until March 2022 to begin participation. Under the final ASP amendment, airports have 60 days to enroll new employees into Rap Back and then must enroll their entire population within two years, or by March 29, 2014.
 
Notable changes under the final ASP amendment include:
·      Sharing of CHRC results between airports and air carriers will no longer exist; 
·      Airports must review Rap Back Notifications (RBNs) within three business days by completing the review in the FPRD; 
·      "Search and Retain" will no longer be an acceptable method of CHRC submission.
 
TSA will issue an Aviation Workers bulletin further highlighting the key differences between "Search and Subscribe" (which is mandated by the final ASP amendment) and "Search and Retain" (which will no longer be available after March 2022). In the meantime, on the call, TSA explained the difference as such:
 
With Search and Subscribe, the airport or aircraft operator need only cancel Rap Back subscriptions for those applicants found to be ineligible after adjudication is completed. Since the majority of applicants are approved, Search and Subscribe will significantly reduce the administrative burden for processing initial CHRCs since a separate Rap Back transaction can be avoided for the majority of applicants. 
 
The response to a CHRC Search and Subscribe transaction includes clear indication if the response from the FBI includes a criminal record or no criminal record. As a result, adjudicators only need to review results in FPRD for those responses that include a criminal record. However, under Search and Retain, the response to a Subsequent Rap Back Subscription transaction (RBSR) does not include an indication whether a criminal record is present or not. That means that adjudicators must open every Subsequent Rap Back Subscription response to see if a criminal record is present or not. There is also a security risk that an updated criminal record included with the Subsequent Rap Back Subscription response will be overlooked. These added administrative burdens are avoided by using the Search and Subscribe transaction for all initial CHRCs. 
 
Record Delete Notification Update: TSA has developed a new notification known as the delete notification, which will be used to notify the Designated Aviation Channelers (DACs), and subsequently airport operators, that a specified case is being marked for deletion. Delete notifications will be sent for the following two scenarios:
 
1. Pending Delete Notification – Case has reached a condition to be deleted from the system and is pending delete for one of the following reasons:
a. Case has no active badges 
b. Case has had no updates for a period of time longer than the security threat assessment (STA) validity period (2 years for populations not enrolled in Rap Back) 
 
2. Airport or aircraft operator has submitted a delete request through their DAC – delete notification is sent to convey that the delete transaction request has been completed (30 days after TSA receives the delete request).
 
If your airport receives a delete notification for a case that is not in response to a request for deletion, there are two options for action: 
1. If the applicant is indeed no longer active, note the delete date and mark the case to be deleted no earlier than the delete date in your system. This applies to DAC systems and airport or aircraft operator systems. Note: For airport operators utilizing a third-party Identity Management System (IDMS), the airport operator must ensure reconciliation with the IDMS. 
2. If the case being marked for deletion should remain active, please ensure there is at least one active badge tied to the case. If the applicant should still be in the active population, airport or aircraft operators must submit an Update Biographic transaction containing the active badge identifier to reactivate the case. 
 
Pending Delete notifications will include a delete date element, which specifies the date the case will be deleted from the TSA system. The delete date will be no earlier than 30 days after the date the message was issued. Delete notifications may be received as single transactions or in batches of multiple transactions. This information will be distributed in a TSA Aviation Worker bulletin shortly.
 
Security Threat Assessment Processing: TSA is returning more than 89 percent of STA applications within 10 days. The remaining less than 11 percent require manual review and are returned to airports within 11 to 30 days. Once again, TSA encouraged airports to attach identity documents with the STA application at the time of submission. In addition, airports should try to ensure that the address on the application is current so that, if TSA needs additional information, correspondence will be correctly delivered, reducing further delay. Airports should note that applications "awaiting applicant response" may take longer than 30 days given transit time for certified mail, collecting and processing documents, and adjudication. TSA encourages airports to reach out through their DACs for any cases pending longer than 25 cases and TSA will research and provide a response as appropriate.
 
Policy, Plans and Engagement

TSA provided an update on recently issued and pending policy updates:

Centralized Revocation Database: On Wednesday, November 10 at 3:00 p.m. ET, TSA will host a call with representatives from Policy, Plans and Engagement, Chief Counsel and Enrollment Services and Vetting programs to review and discuss the Centralized Revocation Database. TSA will also address questions related to the Rap Back program mandate on the call. AAAE will provide the call-in information for the TSA call next week, which immediately follows AAAE's regularly scheduled monthly Transportation Security Services Committee call.

TSA-NA-97-01: On October 25, TSA issued TSA-NA-97-01 to replace FAA-AP-97-01. TSA-NA-97-01 does not contain any new requirements and instead aligns the old FAA document with current TSA formatting and removes outdated sections that have been replaced by other updated regulatory requirements. For example, identification media audit procedures have been removed from the document since they are now contained in TSA-NA-19-02. TSA-NA-97-01 becomes effective on December 15, 2021. 

TSA-NA-21-02A: On Monday, November 8, TSA will post on HSIN the updated TSA-NA-21-02A, which will become effective on December 8, 2021. Earlier this year, TSA issued a previous version of the National Amendment, which will update, cancel, and supersede the 1993 Ramp Movement Amendment. The previous language caused some difficulties for airport operators because the requirements (in some cases) required both domestic and international flight crews to be screened at the TSA checkpoint. That amendment was recalled before it became effective. Based on airport feedback, TSA was able to make the needed edits and will issue TSA-NA-21-02A on Monday.

TSA is also working on a technical change to TSA-NA-03-02 regarding Airport Security Coordinator training curriculum. The technical change will only address formatting issues in the document to align with current TSA practices.

Information Circular on Mask Incident Reporting

On Monday, TSA issued an information circular (IC-21-03) to provide guidance and best practices for reporting violations of the federal face mask requirement security directives. As of this week, there have been 4,351 face mask non-compliance incidents reported to TSA by airports and air carriers. TSA has actively reviewed 3,650 of the cases and has opened 2,915 investigations. To date, TSA has issued 2,305 warning notices and 232 recommended civil penalties.

Based on their case experience to date, TSA stressed the importance of having a first-person eyewitness account from the person who observed the mask non-compliance. TSA also stressed the need for the name and contact information of the violator. As outlined in the IC, TSA underlined the importance of reporting mask non-compliance incidents as thoroughly and as quickly as possible.

TSA acknowledged that the best practices in the IC were based mainly on the agency's experience (and challenges) with cases reported by the air carriers. TSA thanked airports and industry for their collaboration in reporting incidents and providing TSA follow-up information as requested within tight timeframes.

Special Emphasis Assessment on Cybersecurity

Joe Kris, Director of Compliance Operations, reported on the results of the Special Emphasis Assessment (SEA) conducted in June 2021 to assess airport adoption of the cybersecurity best practices outlined in Information Circular 17-03B. TSA conducted the same SEA in August 2020 at 419 airports. This year, the SEA was conducted at 432 airports and asked the same 10 questions, which mirrored the 10 best practices outlined in the IC. 

Again, because this was a SEA and especially because it was focused on adoption of an information circular (which are not mandatory), there were no findings or investigative reports issued. Rather, SEAs are for data collection purposes to provide a snapshot in time of, in this case, adoption of recommended best practices.

TSA reported that 102 airports noted cybersecurity as a priority. The top three implemented best practices included: immediate installation of security patches when issued (92%); strong password protocols (89%); and, evaluation of control system networks to ensure that they are not directly accessible from the Internet (86%). 

TSA recognized that the least implemented best practices were not applicable at many airports. For example, only 37% of airports monitor the creation of administrator-level Wi-Fi access accounts by third-party vendors for services and networks not directly managed by the airport. However, this does not apply at 48% of the airports.

PreCheck

TSA reported that PreCheck enrollment volume has returned to pre-pandemic levels. During the summer, TSA saw an increase in both enrollments and renewals. Renewals are at 73% and TSA expects enrollments to remain steady; as a reference, in July, TSA had over 215,000 new enrollments. There are now over 10 million PreCheck Known Traveler Numbers.
 
TSA recently reduced the online renewal fee for PreCheck from $85 down to $70. If a participant renews completely online and before their membership expires, they will be charged $70; however, if a participant renews at an enrollment center, or experiences issues while renewing online and must go to an enrollment center, then the fee is $85 because they are utilizing the enrollment center to process their renewal application. There are FAQs on TSA.gov and the Universal Enrollment Center Help Site which address the reduction in price.
 
The two additional PreCheck Enrollment Providers approved by TSA are not expected to begin operations until early 2022. However, airports may be contacted by the new enrollment providers regarding space and operational logistics at their facilities.
 
TSA's current enrollment provider, IDEMIA, is conducting TSA PreCheck In-Journey pilots at several airports nationwide. In-Journey enrollment provides passengers traveling through an airport the opportunity to enroll real time near the security screening checkpoints. Once a passenger has completed their enrollment, ideally, they are provided the benefit to have front of the line access to the standard lane; however, passengers do not receive automatic PreCheck privileges.
 
TSA HQ has presented the In-Journey pilot as an option to Federal Security Directors; FSDs are not mandated to pursue this effort. FSDs do not need to provide staffing to support this effort since IDEMIA provides the staff and equipment needed and will coordinate with local TSA before the pilot commences at individual locations. For situational awareness, the two additional enrollment providers may decide to offer similar real-time enrollment options once operational.
 
Safe Skies
 
Jessica Grizzle, PARAS Program Manager for Safe Skies, provided the following update:

The following PARAS projects are in the outreach and data collection stage, which means airports may be hearing from the research teams as they collect data. Primary contacts are listed for each. 
·      0039 Security, Operations, and Design Considerations for Airside Vehicle Access Gates (TransSolutions, Jessica Gafford jgafford@transsolutions.com)
·      0042 Force Multiplier Strategies for Airport Law Enforcement (QuinnWilliams, Julie Quinn jquinn@quinnwilliams.com)
·      0043 Guidance for Security Operations Center Planning and Design (EVANS, Kerri Knox kknox@evansonline.com)
·      0044 Strategies for Aviation Security Stakeholder Information Sharing (CrowZnest Consulting, Don Zoufal don@crowznestconsulting.com)
 
The following projects are both under internal review and will be published before the end of the year: PARAS 0037 Planning and Operational Security Guidance for Construction Projects at Airports (expected in November) and PARAS 0032 Enhancing Security of Cargo Operations at Airports (expected in December). 

The Safe Skies Oversight Committee, on which AAAE proudly serves, selected the following eight PARAS projects for funding in FY 2022. Additional details, including how to participate on the project review panels, will be available on the Safe Skies web site next week.
·      0045 Selecting, Designing, and Deploying Biometric Technology at Airports 
·      0046 Enhancing Security at Independent Operator Facilities 
·      0047 Practices and Considerations for Centralized Revocation Database Use 
·      0048 Electronic Storage, Submission, and Approval of ASPs and Regulatory Compliance Documents 
·      0049 Strategies for Creating and Maintaining a Strong Security Culture at Airports 
·      0050 Security Considerations for Airport Consolidated Rental Car Facilities (CONRACs) 
·      0051 Table-top Exercises for Airport Security 
·      0052 Lessons Learned for Airport Technical Design Standard (ATDS) Implementation at Evolving International Facilities   

A new ASSIST report, ASSIST PTF: Evaluation Report – Bosch DINION IP thermal 8000 Video Analytic System, is now available in the Safe Skies conference on HSIN or you can request a copy by contacting anna.hamilton@sskies.org.

Next TSA Conference Call

The next TSA conference call for airport stakeholders is scheduled for Thursday, December 2 at 1:00 p.m. ET. Please note the conference call number is 1-800-857-5826 and passcode is 9596778.