Security Policy Alert: Summary of TSA's Monthly Conference Call for Airport Stakeholders
December 3, 2020
This afternoon, TSA held its monthly conference call for airport stakeholders. The conference call was led by Alan Paterno, TSA's Airport Industry Engagement Manager in the office of Policy, Plans and Engagement (PPE). Following are highlights from today's call:
20th Annual AAAE Aviation Security Summit
TSA highlighted its participation in the upcoming 20th Annual AAAE Aviation Security Summit being held virtually on December 8-9. Specifically, TSA Administrator David Pekoske will be kicking off the conference along with AAAE President & CEO Todd Hauptli. In addition, Executive Assistant Administrator for Operations Support Stacey Fitzmaurice and Executive Assistant Administrator for Security Operations Darby LaJoye will participate on a senior TSA leadership roundtable. Other TSA representatives participating on the agenda include Assistant Administrator for Requirements and Capabilities Analysis Austin Gould, Division Director for the Innovation Task Force Matt Gilkeson, and Director of the Enrollment Services Division Carrie Mitchell. Finally, there will be an Airports-Only session on Wednesday, December 9 with TSA representatives, including Deputy Assistant Administrator for Policy, Plans and Engagement Victoria Newhouse, Airport Industry Engagement Manager Alan Paterno, and Division Director for Compliance Operations Joe Kris.
Proposed TSA-NA-20-02 Regarding Aviation Workers
TSA reminded airports that comments are due on the proposed ASP amendment regarding aviation workers (TSA-NA-20-02) on Monday, December 7. Comments must be submitted electronically to the following e-mail: StaffScreeningComments@tsa.dhs.gov.
TSA is seeking comments on the proposal as a whole as well as specific comments on the following areas: applicability to smaller airports; dates and timeframes; definitions; access points; the questions included in the Aviation Worker Vulnerability Assessment; screening exemptions; use of explosive detection technology; and, data collection.
To date, TSA has already received close to 550 comments from 37 entities. TSA pledged to consider every single comment. Again, AAAE urges each airport to submit comment by the December 7 deadline. Please contact AAAE's Colleen Chamberlain if you have any questions about the comment process or need any additional information.
Centralized Database for Revoked SIDA Badges
TSA is in the last stages of finalizing an ASP amendment to implement a centralized database of SIDA badges that have been revoked due to security violations. Based on feedback from airports during the notice and comment period, TSA's Enrollment Services and Vetting Programs has worked to automate the data submission process, using information already available in the FPRD. Once finalized, TSA will host a series of webinars to demonstrate the automation process and how to enter revoked badges into the database. TSA also expects to include a longer than normal implementation timeframe (60 days versus 30 days), especially if the final amendment is issued in January or February 2021.
ASAC Subcommittee on Insider Threat
Dan McCann, TSA's Designated Federal Official for the Aviation Security Advisory Committee (ASAC) Subcommittee on Insider Threat, provided an overview of the Subcommittee's recent work. In 2019, at the request of the TSA Administrator, the Subcommittee conducted a review of the agency's Insider Threat Advisory Group. Based on that review, ASAC approved and TSA concurred with 21 recommendations related to insider threat mitigation. In May, ASAC approved and TSA concurred with an additional Subcommittee recommendation related to enrolling TSA employees and contractors into the Rap Back program for a total of 22 recommendations.
TSA is working on implementation plans for each of the recommendations. TSA has fully implemented the recommendation related to creating an Insider Threat Executive Steering Committee. TSA is near final completion of two other recommendations, including the creation of an Insider Threat information sharing platform and an Information Circular on an Insider Threat program framework that mirrors the Subcommittee's six focus areas.
McCann highlighted other Subcommittee activities, including the recently released white paper on COVID-19-Related Aviation Insider Risk Considerations which was put together by a Subcommittee working group led by AAAE's Colleen Chamberlain. ASAC members, including AAAE, also collaborated with TSA as it completed its Cost and Feasibility Study on Employee Screening which was required by Congress under the TSA Modernization Act of 2018. The study concluded that it would cost approximately $3 billion to implement near 100 percent employee screening. TSA stated in the report that, while feasible, TSA agrees with ASAC that enhanced random and unpredictable screening, rather than 100 physical screening, provides the best possible security and TSA endorses an intelligence driven, risk-based and multi-layered approach to insider threat mitigation.
Enrollment Services and Vetting Programs Update
Rap Back Program: In advance of the Rap Back program becoming mandatory, TSA took the opportunity to remind airports about the steps needed to enroll in the program. Interested airports must complete a Privacy Informational Briefing, sign a Statement of Responsibilities, and complete training. Please reach out to rapback@tsa.dhs.gov with any questions about enrolling in the Rap Back program. Over 230 airports already voluntarily participate in the program.
TSA has seen a sharp drop, and then steady rebound, of fingerprint submissions and Rap Back subscriptions. Accordingly, TSA has seen Rap Back expirations slightly rise as well. TSA Rap Back subscriptions should not expire. Airports enrolled in Rap Back will receive a Rap Back Renewal Notification (RBRN) 10 days prior to the Rap Back Subscription Expiration Date (RBXD). If the employee is going to continue to possess a credential, the subscription needs to be extended (up to two years) as soon as possible. If the employee is not going to continue to possess a credential, the subscription needs to be cancelled as soon as possible. At 12:01am EST on the RBXD, the case enters a pending expired status and limits the maintenance actions that can be performed on it.
Finally, TSA updated the Rap Back User Guide. Version 2.2 on November 24, 2020. It has been posted on HSIN, FPRD, and provided to the DACs. This guide is intended to provide a general understanding of TSA's implementation of the FBI Rap Back service for those airport and air carrier operator personnel that are responsible for aviation worker suitability determination, badging, and /or adjudication. This guide includes descriptions of Rap Back transactions, the subscription management process, and the roles and responsibilities of participating airports and air carriers. As a reminder, Safe Skies also recently released PARAS 0029 Criminal History Records Checks (CHRC) and Vetting Aviation Workers Guidebook, which includes information about the Rap Back program and tips and tricks that airports might find useful.
In response to an airport question on the call, TSA indicated that final amendment to make the Rap Back program mandatory, once issued, will require airports and air carriers to separately subscribe individuals to be able to view CHRCs and Rap Back notifications. TSA had previously developed a capability to allow sharing of Rap Back notifications between airports and air carriers but is not pursuing that option at this time.
Security Threat Assessment Processing Delays: TSA is encountering an increase in enrollments across all vetting populations (TSA Precheck, TWIC, HME) and TSA adjudicators support all of TSA's vetting programs (GA, HME, TWIC, Precheck, TWIC). TSA's security threat assessments division (STAD) has been working to cross train adjudicators to easily flex to accommodate the requirements by population. Specifically, TSA continues to receive increased enrollments for Aviation Workers, and their adjudicators are striving to keep the turnaround time to less than two weeks. The training required by these adjudicators takes upwards of a year and as TSA brings on new team members cross training does mean faster responses in the long run. As a result, TSA asked for airports' understanding and flexibility as enrollments and applications continue to increase. Airports can also work with their DAC to elevate STA cases that have been significantly delayed. AAAE is happy to continue to help in this capacity.
In the meantime, in response to a suggestion from AAAE, TSA's case management team has revised its standard response from "in process" to provide additional information to the airport and a timeframe to follow-up. It has been changed to:
"The Security Threat Assessment for (inset applicant's name) is still being processed. Currently, TSA does not need any additional information. If more information is requested, TSA will either mail a letter to the applicant via the US Postal Service or notify you though the DAC. If the application has not been updated in 2 weeks, please contact us for further assistance."
Innovation Task Force Broad Agency Announcement (BAA) Update
Steve Coda from TSA's Innovation Task Force under the office of Requirements and Capabilities Analysis provided an update on the agency's most recent Broad Agency Announcement (BAA). Five solutions submitted under the BAA have been selected for demonstrations. Two solutions are related to bin sanitization using UVCs with one configured as a UVC tunnel and the other as part of a stackable bin function found within Automated Screening Lanes. Due to the safety component related to these solutions, the BAA process was expedited, with a TSA Integrated Product Team formed in early October and a demonstration of both solutions at Ronald Reagan Washington National Airport (DCA). Based on lessons learned at DCA, TSA plans to demonstrate the UVC solutions at an additional five to eight airports.
Two other solutions selected under the BAA relate to dynamic screening and networking, with one solution enabling real-time reporting of mission critical data and another that will network transportation security equipment to enable dynamic screening (such as adjusting threat detection algorithms for PreCheck passengers in standard screening lanes).
The final solution selected under the BAA is a shoe scanner that would allow screening of footwear without passengers removing their shoes. This and the two solutions related to dynamic screening and networking were selected only last week so demonstrations likely will not place until February or March of next year.
Message from Strategy, Policy Coordination, and Innovation
Tim Weston from TSA's office of Strategy, Policy Coordination, and Innovation asked for airports to provide an IT point of contact for their facility to participate in a webinar that will be hosted by DHS's Cyber and Infrastructure Security Agency (CISA) and the FBI. The webinar is tentatively scheduled for either January 13 or January 15. The webinar would focus on the Private Industry Notifications (PINs) issued by the FBI earlier this year regarding airport related cyber threats and vulnerabilities. Again, the webinar with be targeted to IT professional, such as CISOs or other dedicated IT staff. Please provide any interested IT POCs to TSA by sending a note to Tim Weston at timothy.weston@tsa.dhs.gov.
Credential Authentication Technology (CAT) Deployment
TSA is on track to complete Round 2 of CAT deployment on time in mid-January which includes 501 units being deployed to 80 airports. This will result in a total of 770 units beings deployed at 109 locations. In the third quarter of Fiscal Year 2021, TSA will begin Round 3 of deployments of 460 units.
Next TSA Conference Call
The next TSA conference call for airport stakeholders is scheduled for Thursday, January 7, 2021 at 1:00 p.m. ET. On that call, Jamie Clarkson from TSA's Requirements and Capabilities Analysis will provide a briefing on the revised and updated Cities and Airports Threat Assessment (CATA), including the factors that are used for the CATA scoring.
This afternoon, TSA held its monthly conference call for airport stakeholders. The conference call was led by Alan Paterno, TSA's Airport Industry Engagement Manager in the office of Policy, Plans and Engagement (PPE). Following are highlights from today's call:
20th Annual AAAE Aviation Security Summit
TSA highlighted its participation in the upcoming 20th Annual AAAE Aviation Security Summit being held virtually on December 8-9. Specifically, TSA Administrator David Pekoske will be kicking off the conference along with AAAE President & CEO Todd Hauptli. In addition, Executive Assistant Administrator for Operations Support Stacey Fitzmaurice and Executive Assistant Administrator for Security Operations Darby LaJoye will participate on a senior TSA leadership roundtable. Other TSA representatives participating on the agenda include Assistant Administrator for Requirements and Capabilities Analysis Austin Gould, Division Director for the Innovation Task Force Matt Gilkeson, and Director of the Enrollment Services Division Carrie Mitchell. Finally, there will be an Airports-Only session on Wednesday, December 9 with TSA representatives, including Deputy Assistant Administrator for Policy, Plans and Engagement Victoria Newhouse, Airport Industry Engagement Manager Alan Paterno, and Division Director for Compliance Operations Joe Kris.
Proposed TSA-NA-20-02 Regarding Aviation Workers
TSA reminded airports that comments are due on the proposed ASP amendment regarding aviation workers (TSA-NA-20-02) on Monday, December 7. Comments must be submitted electronically to the following e-mail: StaffScreeningComments@tsa.dhs.gov.
TSA is seeking comments on the proposal as a whole as well as specific comments on the following areas: applicability to smaller airports; dates and timeframes; definitions; access points; the questions included in the Aviation Worker Vulnerability Assessment; screening exemptions; use of explosive detection technology; and, data collection.
To date, TSA has already received close to 550 comments from 37 entities. TSA pledged to consider every single comment. Again, AAAE urges each airport to submit comment by the December 7 deadline. Please contact AAAE's Colleen Chamberlain if you have any questions about the comment process or need any additional information.
Centralized Database for Revoked SIDA Badges
TSA is in the last stages of finalizing an ASP amendment to implement a centralized database of SIDA badges that have been revoked due to security violations. Based on feedback from airports during the notice and comment period, TSA's Enrollment Services and Vetting Programs has worked to automate the data submission process, using information already available in the FPRD. Once finalized, TSA will host a series of webinars to demonstrate the automation process and how to enter revoked badges into the database. TSA also expects to include a longer than normal implementation timeframe (60 days versus 30 days), especially if the final amendment is issued in January or February 2021.
ASAC Subcommittee on Insider Threat
Dan McCann, TSA's Designated Federal Official for the Aviation Security Advisory Committee (ASAC) Subcommittee on Insider Threat, provided an overview of the Subcommittee's recent work. In 2019, at the request of the TSA Administrator, the Subcommittee conducted a review of the agency's Insider Threat Advisory Group. Based on that review, ASAC approved and TSA concurred with 21 recommendations related to insider threat mitigation. In May, ASAC approved and TSA concurred with an additional Subcommittee recommendation related to enrolling TSA employees and contractors into the Rap Back program for a total of 22 recommendations.
TSA is working on implementation plans for each of the recommendations. TSA has fully implemented the recommendation related to creating an Insider Threat Executive Steering Committee. TSA is near final completion of two other recommendations, including the creation of an Insider Threat information sharing platform and an Information Circular on an Insider Threat program framework that mirrors the Subcommittee's six focus areas.
McCann highlighted other Subcommittee activities, including the recently released white paper on COVID-19-Related Aviation Insider Risk Considerations which was put together by a Subcommittee working group led by AAAE's Colleen Chamberlain. ASAC members, including AAAE, also collaborated with TSA as it completed its Cost and Feasibility Study on Employee Screening which was required by Congress under the TSA Modernization Act of 2018. The study concluded that it would cost approximately $3 billion to implement near 100 percent employee screening. TSA stated in the report that, while feasible, TSA agrees with ASAC that enhanced random and unpredictable screening, rather than 100 physical screening, provides the best possible security and TSA endorses an intelligence driven, risk-based and multi-layered approach to insider threat mitigation.
Enrollment Services and Vetting Programs Update
Rap Back Program: In advance of the Rap Back program becoming mandatory, TSA took the opportunity to remind airports about the steps needed to enroll in the program. Interested airports must complete a Privacy Informational Briefing, sign a Statement of Responsibilities, and complete training. Please reach out to rapback@tsa.dhs.gov with any questions about enrolling in the Rap Back program. Over 230 airports already voluntarily participate in the program.
TSA has seen a sharp drop, and then steady rebound, of fingerprint submissions and Rap Back subscriptions. Accordingly, TSA has seen Rap Back expirations slightly rise as well. TSA Rap Back subscriptions should not expire. Airports enrolled in Rap Back will receive a Rap Back Renewal Notification (RBRN) 10 days prior to the Rap Back Subscription Expiration Date (RBXD). If the employee is going to continue to possess a credential, the subscription needs to be extended (up to two years) as soon as possible. If the employee is not going to continue to possess a credential, the subscription needs to be cancelled as soon as possible. At 12:01am EST on the RBXD, the case enters a pending expired status and limits the maintenance actions that can be performed on it.
Finally, TSA updated the Rap Back User Guide. Version 2.2 on November 24, 2020. It has been posted on HSIN, FPRD, and provided to the DACs. This guide is intended to provide a general understanding of TSA's implementation of the FBI Rap Back service for those airport and air carrier operator personnel that are responsible for aviation worker suitability determination, badging, and /or adjudication. This guide includes descriptions of Rap Back transactions, the subscription management process, and the roles and responsibilities of participating airports and air carriers. As a reminder, Safe Skies also recently released PARAS 0029 Criminal History Records Checks (CHRC) and Vetting Aviation Workers Guidebook, which includes information about the Rap Back program and tips and tricks that airports might find useful.
In response to an airport question on the call, TSA indicated that final amendment to make the Rap Back program mandatory, once issued, will require airports and air carriers to separately subscribe individuals to be able to view CHRCs and Rap Back notifications. TSA had previously developed a capability to allow sharing of Rap Back notifications between airports and air carriers but is not pursuing that option at this time.
Security Threat Assessment Processing Delays: TSA is encountering an increase in enrollments across all vetting populations (TSA Precheck, TWIC, HME) and TSA adjudicators support all of TSA's vetting programs (GA, HME, TWIC, Precheck, TWIC). TSA's security threat assessments division (STAD) has been working to cross train adjudicators to easily flex to accommodate the requirements by population. Specifically, TSA continues to receive increased enrollments for Aviation Workers, and their adjudicators are striving to keep the turnaround time to less than two weeks. The training required by these adjudicators takes upwards of a year and as TSA brings on new team members cross training does mean faster responses in the long run. As a result, TSA asked for airports' understanding and flexibility as enrollments and applications continue to increase. Airports can also work with their DAC to elevate STA cases that have been significantly delayed. AAAE is happy to continue to help in this capacity.
In the meantime, in response to a suggestion from AAAE, TSA's case management team has revised its standard response from "in process" to provide additional information to the airport and a timeframe to follow-up. It has been changed to:
"The Security Threat Assessment for (inset applicant's name) is still being processed. Currently, TSA does not need any additional information. If more information is requested, TSA will either mail a letter to the applicant via the US Postal Service or notify you though the DAC. If the application has not been updated in 2 weeks, please contact us for further assistance."
Innovation Task Force Broad Agency Announcement (BAA) Update
Steve Coda from TSA's Innovation Task Force under the office of Requirements and Capabilities Analysis provided an update on the agency's most recent Broad Agency Announcement (BAA). Five solutions submitted under the BAA have been selected for demonstrations. Two solutions are related to bin sanitization using UVCs with one configured as a UVC tunnel and the other as part of a stackable bin function found within Automated Screening Lanes. Due to the safety component related to these solutions, the BAA process was expedited, with a TSA Integrated Product Team formed in early October and a demonstration of both solutions at Ronald Reagan Washington National Airport (DCA). Based on lessons learned at DCA, TSA plans to demonstrate the UVC solutions at an additional five to eight airports.
Two other solutions selected under the BAA relate to dynamic screening and networking, with one solution enabling real-time reporting of mission critical data and another that will network transportation security equipment to enable dynamic screening (such as adjusting threat detection algorithms for PreCheck passengers in standard screening lanes).
The final solution selected under the BAA is a shoe scanner that would allow screening of footwear without passengers removing their shoes. This and the two solutions related to dynamic screening and networking were selected only last week so demonstrations likely will not place until February or March of next year.
Message from Strategy, Policy Coordination, and Innovation
Tim Weston from TSA's office of Strategy, Policy Coordination, and Innovation asked for airports to provide an IT point of contact for their facility to participate in a webinar that will be hosted by DHS's Cyber and Infrastructure Security Agency (CISA) and the FBI. The webinar is tentatively scheduled for either January 13 or January 15. The webinar would focus on the Private Industry Notifications (PINs) issued by the FBI earlier this year regarding airport related cyber threats and vulnerabilities. Again, the webinar with be targeted to IT professional, such as CISOs or other dedicated IT staff. Please provide any interested IT POCs to TSA by sending a note to Tim Weston at timothy.weston@tsa.dhs.gov.
Credential Authentication Technology (CAT) Deployment
TSA is on track to complete Round 2 of CAT deployment on time in mid-January which includes 501 units being deployed to 80 airports. This will result in a total of 770 units beings deployed at 109 locations. In the third quarter of Fiscal Year 2021, TSA will begin Round 3 of deployments of 460 units.
Next TSA Conference Call
The next TSA conference call for airport stakeholders is scheduled for Thursday, January 7, 2021 at 1:00 p.m. ET. On that call, Jamie Clarkson from TSA's Requirements and Capabilities Analysis will provide a briefing on the revised and updated Cities and Airports Threat Assessment (CATA), including the factors that are used for the CATA scoring.
