Security Policy Alert: TSA Monthly Conference Call Summary for December 2021

December 2, 2021

This afternoon, TSA held its monthly conference call for airport stakeholders. The conference call was led by Alan Paterno, TSA's Airport Industry Engagement Manager in the office of Policy, Plans and Engagement (PPE).

REAL ID

Simone Davis, Executive Liaison for TSA'™s Enrollment Services and Vetting Programs (and who will be speaking at 21st Annual AAAE Aviation Security Summit) provided an update on REAL ID. 

Beginning May 3, 2023, every air traveler 18 years of age and older will need a REAL ID-compliant driver'™s license or identification card, state-issued enhanced driver'™s license, or another TSA-acceptable form of identification at airport security checkpoints for domestic air travel.  All 50 U.S. states, the District of Columbia, and four of five U.S. territories covered by the REAL ID Act and related regulations are now compliant with REAL ID security standards and are issuing REAL ID-compliant driver'™s licenses and identification cards. However, only a handful of states issue only REAL ID-compliant driver'™s licenses. As a result, of the 277 million driver'™s licenses and identification cards, only 46 percent are currently REAL ID-compliant. Of the others, 34 percent are non-compliant. This means that while the ID has been recently issued, the individual chose the non-compliant option offered by the state at the time of issuance or renewal. Nineteen percent are legacy cards that have not been renewed. TSA is working with states to improve messaging about the benefits of REAL ID compliant cards to increase the adoption rate and maximize the conversion of legacy cards.
 
TSA is also working with DHS on a broader marketing campaign, aimed to reach the 85 percent of Americans that identify themselves as leisure travelers, to educate the traveling public about the REAL ID requirements that will go into effect in only 18 months. TSA asked for airport assistance in amplifying this message.
 
Policy, Plans and Engagement Update

Rap Back Program: As a reminder, the national ASP amendment to make participation in the Rap Back program mandatory goes into effect on March 29, 2022. At that time, all new applicants must be submitted into the Rap Back program. (Last month, TSA has referred a 60-day timeframe for new applicants but that is NOT the case.) There is a two-year timeframe to ensure existing badge holders are entered into Rap Back by March 29, 2024. In response to questions on the call, TSA stated that it does not plan to amend the requirement that badge applicants be submitted into Rap Back at the time of CHRC submission (known as 'œsearch and subscribe') rather than at badge issuance ('œsearch and retain'). TSA also stated that it removed the CHRC sharing functionality because of Rap Back requirements for both airport and aircraft operators. Airports can accept a certification letter from an air carrier to meet its regulatory obligations; or, if an airport wants access to the CHRC, the airport can submit the individual for vetting. 

Security Directive 1542-04-08: TSA will update the Security Directive 1542-04-08 to reflect the changes encompassed by the final Rap Back program ASP amendment. TSA PPE is finalizing review of comments received by other TSA offices and associations, including AAAE and the Quarterly Airport Security Review. The next step will be formal coordination within TSA. TSA intends to issue the updated before or by March 29, 2022. Based on the comments received on the draft update on sections not related to Rap Back, TSA expects additional updates to the SD 1542-04-08 series in 2022. 

Cybersecurity: As a follow-up to last month'™s call, TSA has posted a PowerPoint presentation on HSIN detailing the results of TSA'™s Special Emphasis Assessment of airport adoption of cyber best practices as outlined in Information Circular 17-03B. 

On November 22, TSA issued the final program changes for airport operators (ASP), aircraft operators (AOSSP) and full all-cargo aircraft operator (FACAOSSP). The major requirements are that airports must identify a cybersecurity point of contact that meets the criteria established and must report cybersecurity incidents, as defined, to the Cybersecurity and Infrastructure Security Agency (CISA). The requirements become effective for airports on January 10, 2022. Other security programs, such as 12-5, Private Charter, and Indirect Air Carriers, will receive the same requirements early next year.

Vera Adams, Executive Division Director for Aviation, explained that TSA plans to issue additional security program changes for airports, air carriers and all-cargo air carriers that will require cybersecurity self-assessments and cyber incident contingency plans. The requirements would only be for Category X, I and II airports; Category III and IV airports will receive an Information Circular recommending adoption of cyber assessments and contingency plans. TSA anticipates that the proposed ASP amendment will be issued around January 10, with a comment period of at least 30 days. AAAE encouraged TSA to provide additional guidance on TSA expectations for cyber vulnerability assessments and contingency plans in advance of the comment period.

Although not discussed on the call, DHS did announce that cybersecurity requirements for surface transportation owners and operators take effect today. Here is a TSA press release with more information on the requirements for surface transportation operators. 

Enrollment Services and Vetting Programs Update

Record Delete Notification Update: As a follow up to last month'™s call, TSA reminded airports that a 'œpending delete notification' feature will be put into place in early 2022. This notification will be used to update the Designated Aviation Channelers (DACs)'”and subsequently, airport operators'”that a specified case is being marked for deletion. 

Delete notifications will be sent for the following scenarios: 
1. Pending Delete Notification '“ Case has reached a condition to be deleted from the system and is pending delete for one of the following reasons: 
a. Case has no active badges 
b. Case has had no updates for a period of time longer than the security threat assessment (STA) validity period (2 years for populations not enrolled in Rap Back) 
2. Airport or aircraft -operator has submitted a delete request through their DAC '“ Delete notification is sent to convey that the delete transaction request has been completed (30 days after TSA receives the delete request).
3. TSA will send delete notifications for '˜legacy'™ cases. These notifications will go out for oldest cases first. TSA realizes that airports may not have some of cases, which may cause confusion. 

Pending Delete notifications will include a delete date element, which specifies the date the case will be deleted from the TSA system. The delete date will be no earlier than 30 days after the date the message was issued. Delete notifications may be received as a single transaction or in batches of multiple transactions. If your airport receives a delete notification that is not in response to a case for which you have requested deletion, there are two options for action: 
1. If the applicant is indeed no longer active, note the delete date and mark the case to be deleted no earlier than the delete date in your system. Note: This applies to DAC systems, airport or aircraft operator systems, and operators utilizing a third-party Identity Management System (IDMS). In each instance, the Airport Operator must ensure reconciliation with the IDMS. 
2. If the case being marked for deletion should remain active, please ensure there is at least one active badge tied to the case. If the applicant should still be in the active population, airport or aircraft operators must submit an Update Biographic transaction containing the active badge identifier to reactivate the case.

eBadge Phase II: TSA is nearing completion of testing phase II of eBadge with U.S. Customs and Border Protection (CBP). Phase II will be able to provide a vetting result back to the DACs regarding eBadge submissions. The current statuses returned are either accepted or rejected. New statuses under Phase II will return approved, denied, revoked, or expired. TSA stressed the importance of looking at any functional specification documents if airports use third party IDMS providers to see if there is additional development work to be done to accommodate this. Airports interested in participating in the eBadge program can reach out to their local CBP Seals Office, DAC, or email TSA'™s Aviation Worker inbox. 

Security Threat Assessment (STA) Processing: For the aviation workers program, TSA processed 12 percent more applications in November 2021 as compared to November 2019. For the Full All Cargo program, TSA processed 63% more applicants than 2019. 

TSA again reminded airports to attach identity documents, if able, with cases at time of submission. Airports should also ensure the address on the application is current, so if TSA needs more information from the applicant, the correspondence will be correctly delivered, reducing further time lapse.

If airports have questions about why a case that has '˜awaiting applicant response'™ as the status has not been updated for over 25 days, please elevate the case to the Aviation Workers inbox for TSA to look investigate. As a follow up, should TSA request more information from an applicant via certified mail, it is reasonable that with transit time to and from, gathering documents, and adjudication, an airport may not receive a result within 30 days.

TSA adjudicates cases in order of receipt. Adjudication response times may vary based on the applicant'™s case details reported during the vetting process. TSA understands there is some residual confusion regarding extended processing times based on citizenship status. Vetting results that require manual review by adjudicators impact processing times, not citizenship status. 

Centralized Revocation Database: Following up on the call TSA hosted last month on the implementation of the Centralized Revocation Database (CRD), the agency outlined several criteria for use of the system. 

TSA has determined that entries submitted prior to the ASP amendment effective date of June 20, 2021, should not be entered and must be removed from the system. It has not yet been determined if TSA or the submitting entity will remove entries submitted before June 20. 

Other criteria for submission include:
·       Badge status: If person in question does not possess a badge, do not enter into CRD. Must be existing badge holder, not first-time applicant for a badge. 
·       Theft: Unless theft is related to security equipment of TSA, airport, or aircraft operators, do not enter into CRD. If it is related, provide sufficient detail to enable full understanding of the violation. 
·       Disqualifying Criminal Offenses: If a DQ crime is discovered upon CHRC review, do not enter into CRD. 
·       Loss of FAA Certification: If individual lost FAA certification, do not enter into CRD. 
·       Piggybacking: For '˜Piggybacking'™ enter into CRD only for two or more occurrences; first-time offense must not be entered. 
·       'œOther Security Violations': Enter into CRD at airport/airline discretion, provide sufficient detail to enable full understanding of the violation. 
·       Rap Back Notifications (RBN): If you receive an RBN with a disqualifying crime, do not enter into CRD. 

TSA plans to update the CRD User Guide to include these criteria for submission to the CRD.

Alien Registration Numbers (ARN): Recently, there has been some confusion regarding the removal/placement of ARNs. ARNs do not expire; rather, they stay with the individual forever, even after naturalization (or, if there'™s a U.S. passport issued, for example). As a result, TSA adjudicators find a mismatch when working with the citizenship vetting system USCIS-SAVE. Mismatches occur when the ARN field is changed to include a certification number or U.S. passport number. USCIS-SAVE will error on those numbers; however, the ARN return a U.S. Citizen status. Keeping the ARN in the field will ensure a timelier result. 

TSA Mailbox: Finally, TSA reaffirmed that any inquiries to the Aviation Worker inbox must sent to the correct one (aviation.workers@tsa.dhs.gov). Any inquiries sent to Aviation.workers@dhs.gov are not being answered, as that mailbox was sunset some time ago. If you have not received an update from the DHS.GOV box, TSA recommends that you resend your correspondence to the TSA.DHS.GOV box. 

Safe Skies Update

Jessica Grizzle provided the following update on recent Safe Skies'™ PARAS and ASSIST activities:
PARAS 0037 Planning and Operational Security Guidance for Construction Projects at Airports is now available for free download here. This guidance is intended to help airports integrate security considerations as part of the general project life cycle, as well as identify specific considerations and mitigation strategies that could be applicable under certain circumstances. In addition to the guidance, templates are also included for a Contractor Training Guide, Project Security Plan, and Construction Security Checklists. Section 2 of the guidance provides an overview of some of the common pitfalls and lessons learned that were identified during the research process and are grouped in the following themes: 
·       Establishing a Strong Security Culture
·       Importance of Simplicity
·       Clearly Documenting Expectations
·       Sufficient Contractor Training
·       Comprehensive Stakeholder Engagement
·       Compliance Assurance Strategies
·       Access Control Considerations
·       Public Safety Assurance

Safe Skies is still seeking project panel members for the PARAS projects listed below that have been allocated funding by the Oversight Committee for FY 2022. Short project descriptions for each can be found here. The project panel application can be found here. Please contact jessica.grizzle@sskies.org to submit your application or indicate your interest in participating. Panel members play a critical role in scoping the problem statement and resulting research, helping to ensure that valuable content is created for airport operators.  
 
·       0045 Selecting, Designing, and Deploying Biometric Technology at Airports - The objective of this research is to provide a thorough overview of current biometrics options viable for use in aviation, including advantages, restrictions, scalability, and other related factors, to assist stakeholders in making informed regarding the potential use of biometrics for various functions at airports. 
·       0046 Enhancing Security at Independent Operator Facilities - The objective of this research is to assist airports in assessing both procedural and technological options available to enhance security at tenant-owned facilities along the airport'™s perimeter. 
·       0047 Practices and Considerations for Centralized Revocation Database Use - The objective of the research is to gather practices in-place or under consideration in the revocation of ID media, the entry of individuals into the CRD, and the use of the CRD information in subsequent ID Media issuance, as well as applicable considerations for each, to assist airports in making informed decisions regarding their own practices. 
·       0048 Electronic Storage, Submission, and Approval of ASPs and Regulatory Compliance Documents - The objective of the research is to examine potential methods and practices for converting ASPs and other regulatory compliance documents to an electronic format. The research should include considerations for secure submission, approval, and storage of these documents. 
·       0049 Strategies for Creating and Maintaining a Strong Security Culture at Airports - The objective of this research is to create a consolidated source of options and strategies that support ongoing insider threat mitigation efforts by creating and maintaining a strong culture of security at airports. 
·       0050 Security Considerations for Airport Consolidated Rental Car Facilities - The objective of the proposed research is to identify the various criminal and nefarious activities that may occur at CONRACs and provide practical and applicable strategies for mitigation. The resulting strategies must account for the roles, responsibilities, and limitations of the various stakeholders operating within such facilities. 
·       0051 Table-Top Exercises for Airport Security - The objective of this research is to produce guidance detailing best practices, considerations, and lessons learned for conducting an effective aviation security table-top exercise. The guidance should address gaps in existing resources and provide updated, relevant exercise scenarios based on current and evolving threat conditions. 
·       0052 Lessons Learned for ATDS Implementation at Evolving International Facilities - The objective of this research is to collect and share lessons learned for implementing ATDS requirements and enabling easy adaptation of new and evolving conditions. 

Finally, Safe Skies recently issued the following ASSIST reports that can be found in the Safe Skies conference on HSIN: 
SSDA'”21-023 Bosch FLEXIDOME Video Analytic Exit Lane Breach Detection Systems '“ San Diego International Airport 
SSDA'”21-024 Senstar Symphony 7â„¢ Video Analytic Exit Lane Breach Detection System '“ San Diego International Airport 

Next TSA Conference Call

The next TSA conference call for airport stakeholders is scheduled for Thursday, January 6, 2022, at 1:00 p.m. ET. Please note the conference call number is 1-800-857-5826 and passcode is 9596778.