Security Policy Alert: Summary of TSA's Monthly Conference Call for Airport Stakeholders
February 3, 2022
TSA held its monthly conference call for airport stakeholders. The conference call was led by Kevin Knott, TSA's Branch Manager for Airport Policy in the office of Policy, Plans and Engagement (PPE). Although not addressed on the call, TSA's PPE Deputy Assistant Administrator Victoria Newhouse recently announced that she was taking early retirement from the agency to join the private sector. AAAE wishes Ms. Newhouse the best in her new endeavors and she will be missed within the agency as a strong advocate for airports and trusted and knowledgeable resource.
Policy, Plans and Engagement
Savannah Harbaugh, Section Chief for Airport Security Programs, reminded airports that there are two proposed Airport Security Program (ASP) amendments open for notice and comment. TSA-PNA-22-01 would require Category X, I and II to complete cybersecurity vulnerability self-assessments and implement cybersecurity contingency plans. Comments on these proposed cybersecurity measures are due no later than February 14, 2022.
TSA has also issued TSA-PNA-14-01B, Incident and Suspicious Activities Reporting, which would require all airports to report to TSA any Unmanned Aircraft System (UAS) incidents that disrupt flight operations. Comments on the proposed UAS incident reporting ASP amendment are due March 14, 2022.
As always, AAAE will be submitting comments on behalf of our airport members for both TSA-PNA-22-01 and TSA-PNA-14-01B. Please share any feedback or concerns you may have with AAAE's Colleen Chamberlain.
Looking ahead, Eric Byczynski with TSA's Airport Security Programs highlighted a number of potential policy changes being considered by TSA, noting that TSA plans to discuss the proposals further with the Quarterly Airport Security Review (QASR) later this year. TSA intends to codify in writing current guidance regarding eSignatures and digital signatures. TSA is currently researching a number of options, including physical and in-person signatures (which would always remain an option), a hybrid approach including an unauthenticated eSignature with a follow-up in person verification, and a fully digital signature such as used by the federal government (PIV) and financial institutions (for real estate transactions and car loans, etc.).
TSA is also considering a stand-alone ASP amendment to capture the requirements for Trusted Agents, which are currently contained in Section IV of the Security Directive 1542-04-08 series. TSA plans to expand the trusted agent requirements to Exclusive Area Agreement holders that issue badges as part of the potential policy change. On a related note, TSA is also reviewing requirements for crew and ramp badges issued by aircraft operators.
TSA also reported that the agency in the process of trying to improve the design and effectiveness of the ACO-200 web board on HSIN and recently made an update related to how new postings are demarcated. Previously, for ease of finding new items that were posted, TSA was posting documents in two conferences. For example, a proposed ASP amendment would be posted to both the NEW Postings Conference and the Airport Security Program Conference. Now, under the ACO-200 Posts, the right side of the screen shows the 'New Postings' within the last 30 calendar days. The user is able to see the post and the conference in which to find the new post. TSA welcomed any feedback on this change as well as on the ACO-200 web board overall.
E-Verify and SAVE Programs
Christine Beyer from TSA's Office of Chief Counsel reminded airports that Section 3405 of the FAA Extension, Safety and Security Act of 2016 required the Department of Homeland Security Secretary to 'authorize each airport operator to have direct access to the E'“Verify program and the Systematic Alien Verification for Entitlements (SAVE) automated system to determine the eligibility of individuals seeking unescorted access to any SIDA of an airport.' (Previously, E-Verify was limited to use by direct employers only.)
Beyer explained that both E-Verify and SAVE are valuable assets to verify identity and work authorization for individuals seeking airport access. Both programs, operated by the U.S. Citizenship and Immigration Service (USCIS), are free or have minimal costs to participate. USCIS may require a MOU for access to SAVE. USCIS has a webinar that provides an overview on how to use the E-Verify program.
Cyber-CHAMP Workforce Analysis for Airport Operators
Ollie Gagnon, Chief Strategist for Infrastructure Assurance and Analysis at the Idaho National Laboratory, provided an overview of an initiative being conducted in coordination with DHS' Cybersecurity and Infrastructure Security Agency (CISA) to better understand the cyber workforce needs within the aviation sector. Airports interested in participating or learning more can contact him at ollie.gagnon@inl.gov. Following is the background information provided by INL to AAAE, which has also been posted on HSIN.
The Aviation Cyber Initiative (ACI) mission is to reduce cybersecurity risks and improve cyber resilience to support safer, secure, and efficient operations of the Nation's Aviation Ecosystem. The ACI is a tri-chaired force led by chairs designated from DHS, the Department of Defense (DoD), and the Department of Transportation (DOT), who will collaborate and coordinate on a consensus basis. Idaho National Laboratory (INL), a Federally Funded Research and Development Center (FFRDC), supports the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) as the lead component for DHS. INL supports this effort through operational support and Research and Development activities.
Under the DHS/CISA Program Year (PY) 2022 Annual Work Plan (AWP), INL will conduct an ACI Workforce Development Training Needs Analysis: Cyber-CHAMP (Cyber-Competency Health and Maturity Progression Model) effort within the aviation ecosystem by September 15, 2022. The Cyber-CHAMP model is built to be performed and applied at the practitioner level, accounts for any technical (e.g., information technology, cybersecurity) role in an organization, and can be deployed by any size, or type of organization. The available modules of Cyber-CHAMP are the TRUST module, ORG module, RISK module, and TECH module. Cyber-TRUST provides suggested cybersecurity actions for strategic planning, policies and plans, and practices. Cyber-ORG helps an organization outline their workforce structure by providing a template of job role groupings and job roles. Cyber-TECH determines an individual's role alignment based on a job-task analysis survey using the categories, specialty areas, work roles, and associated tasks of the National Initiative for Cybersecurity Education (NICE) Framework. Cyber-RISK determines a manager's role alignment and educational needs based on legal responsibilities of the organization. The Cyber-CHAMP model provides:
· Customizable solutions for industry, government, and academia
· Understanding of cybersecurity operational readiness to establish target(s) for improvement
· Discovery of security/cybersecurity competency gaps, across entire work force
· Direct Return on Investment (ROI) through accomplishing industry/sector learning development profiles
· Identified training gaps as sources for education/training providers to develop new curriculum
· Validated measure of trust across supply chain based on metrics for security maturity and competency.
Due to importance to the Aviation Subsector under Transportation, Airports were identified as a potential focus area.
Enrollment Services and Vetting Programs Update
Brian Stortes from TSA's Enrollment Services and Vetting Programs provided the following updates:
Security Threat Assessment (STA) Processing Delays: TSA reported that there was an 11% increase in aviation worker applications in December 2021 over December 2019 (Full All-Cargo applications increased by 97% over 2019 and General Aviation increased by 123% over 2019.) TSA reported that 90% of applications are returned within 10 days with remaining 10% returned between 15 and 30 days. Several airports '“ both large and small -- expressed frustration with lengthy processing times for STAs, especially for non-U.S. citizens. TSA was not able to provide a timeline for if or when the situation would improve but did promise to continue to elevate the issue to TSA senior leadership. AAAE has also elevated the issue with senior TSA leadership several times over the past year and a half and will continue to do so.
TSA did note an issue with applicants from Congo (COG) and the Democratic Republic of Congo (COD). TSA stated that most documents provided by an applicant will say either Congo (COG) or Dem Congo (COD) on them. COD is also identified by Place of Birth city Kinshasa.
TSA reminded airports that any error increases the amount of time it takes to get an STA adjudicated. Any documents provided at the time of enrollment helps the adjudicators as well.
TSA continues to see a rise in Preliminary Determination of Ineligibility (PDI) due to incorrect addresses. TSA asked airports to please ensure the address on the application is current, so that if TSA needs more information, the correspondence will be correctly delivered, reducing further time lapse. Should the address have changed since enrollment, please update to the current address.
If TSA requests an Alias, Date Of Birth or Place Of Birth change, it is because that difference was discovered during the vetting process. The airport operator may have a newer document that says otherwise (e.g. AKA). If an airport does not make the changes TSA requested, the case times out and will close as a Do Not Issue (DNI). This necessitates a brand-new case if the employee still needs to be badged.
Rap Back: There are 276 airports and air carriers currently participating in the Rap Back program with approximately 693,000 active subscriptions. 93% of the subscriptions have been submitted by the 254 participating airports, with the remaining 7% submitted by the 22 participating aircraft operators. Airport operators, domestic air carriers and full all-cargo carriers are required to begin participating in the Rap Back program by March 29, 2022.
Flight Training Security Program: The Alien Flight School Program (AFSP) has changed its name to the Flight Training Security Program (FTSP). The website URL and Help Desk e-mail have been changed to www.fts.tsa.dhs.gov and FTSP.help@tsa.dhs.gov.
CJIS Information Letters: In January, TSA posted two FBI Criminal Justice Information Services (CJIS) Division Information Letters to HSIN.
CJIS Information Letter 21-3 provides a description of Cite and Release. Law enforcement agencies are opting to issue citations and release individuals who commit criminal offenses, as opposed to the typical method of booking which involves collecting the offender's fingerprints at the law enforcement agency's station. However, criminal records of individuals booked via the Cite and Release method do not get updated in the FBI's NGI because the NGI system relies on receiving fingerprints for individuals that have committed criminal offenses in order to update the individual's criminal record with arrest information. Thus, authorized NGI users may not receive a complete record of an applicant's criminal history if Cite and Release has been used. By utilizing a citation database, it is possible for states to share Cite and Release offenses. However, of the 25 states that use Cite and Release, only 5 have statewide citation database.
Due to Cite and Release practices, Rap Sheets provided in CHRC responses and any applicable Rap Back responses (RBN, RBMNTR, RBSR, etc.) may not include complete CHRI for the applicant. Airport and aircraft operators should be aware of this potential gap in CHRI for Cite and Release events and should continue to adjudicate rap sheets based on the criminal history information available at the time the rap sheet is received.
CJIS Information Letter 21-4 provides background on a recent development related to the distribution of criminal history record information (CHRI) for deceased individuals. In 2018, the CJIS Advisory Policy Board (APB) approved expanding the sharing of CHRI for deceased individuals to criminal ten-print fingerprint submissions up to the date that would be the individual's 110th birthday. It is unclear at this time whether CHRI for deceased individuals will be returned in rap sheets for noncriminal justice entities. Please be advised there is a possibility rap sheets will include criminal history records that indicate the subscribed individual is deceased. TSA expects the majority of these occurrences will follow Rap Back Activity Notifications (RBNs) triggered by the death of a subscribed individual.
Safe Skies Update
Jessica Grizzle provided the following update on recent Safe Skies' activity:
PARAS 0040 Pandemic Response, Recovery, and Preparedness Planning for Airport Security Operations (Phase 1) is now available for download at https://www.sskies.org/paras/reports/. The document identifies lessons learned and best practices relating to exposure control, security integrity, and operational impact. It summarizes actions that were beneficial to security operations during the COVID-19 pandemic, as well as opportunities for improvement. Phase 2 of the research is now underway and will focus on communicable disease response and recovery planning in airports, as well as provide specific tactical procedures to facilitate preparedness.
PARAS 0032 Enhancing Security of Cargo Operations at Airports and PARAS 0036 Airport Credentialing Efficiency Toolki t are under final review with publication anticipated by the end of February.
A few spots remain open on the project panel for PARAS 0047 Practices and Considerations for Centralized Revocation Database Use . PARAS is specifically seeking a representative from an airport legal department to ensure this important perspective is not overlooked. Please contact jessica.grizzle@sskies.org for more information on panel participation.
Next TSA Conference Call
The next TSA conference call for airport stakeholders is scheduled for Thursday, March 3, 2022, at 1:00 p.m. ET. Please note the conference call number is 1-800-857-5826 and passcode is 9596778.
TSA held its monthly conference call for airport stakeholders. The conference call was led by Kevin Knott, TSA's Branch Manager for Airport Policy in the office of Policy, Plans and Engagement (PPE). Although not addressed on the call, TSA's PPE Deputy Assistant Administrator Victoria Newhouse recently announced that she was taking early retirement from the agency to join the private sector. AAAE wishes Ms. Newhouse the best in her new endeavors and she will be missed within the agency as a strong advocate for airports and trusted and knowledgeable resource.
Policy, Plans and Engagement
Savannah Harbaugh, Section Chief for Airport Security Programs, reminded airports that there are two proposed Airport Security Program (ASP) amendments open for notice and comment. TSA-PNA-22-01 would require Category X, I and II to complete cybersecurity vulnerability self-assessments and implement cybersecurity contingency plans. Comments on these proposed cybersecurity measures are due no later than February 14, 2022.
TSA has also issued TSA-PNA-14-01B, Incident and Suspicious Activities Reporting, which would require all airports to report to TSA any Unmanned Aircraft System (UAS) incidents that disrupt flight operations. Comments on the proposed UAS incident reporting ASP amendment are due March 14, 2022.
As always, AAAE will be submitting comments on behalf of our airport members for both TSA-PNA-22-01 and TSA-PNA-14-01B. Please share any feedback or concerns you may have with AAAE's Colleen Chamberlain.
Looking ahead, Eric Byczynski with TSA's Airport Security Programs highlighted a number of potential policy changes being considered by TSA, noting that TSA plans to discuss the proposals further with the Quarterly Airport Security Review (QASR) later this year. TSA intends to codify in writing current guidance regarding eSignatures and digital signatures. TSA is currently researching a number of options, including physical and in-person signatures (which would always remain an option), a hybrid approach including an unauthenticated eSignature with a follow-up in person verification, and a fully digital signature such as used by the federal government (PIV) and financial institutions (for real estate transactions and car loans, etc.).
TSA is also considering a stand-alone ASP amendment to capture the requirements for Trusted Agents, which are currently contained in Section IV of the Security Directive 1542-04-08 series. TSA plans to expand the trusted agent requirements to Exclusive Area Agreement holders that issue badges as part of the potential policy change. On a related note, TSA is also reviewing requirements for crew and ramp badges issued by aircraft operators.
TSA also reported that the agency in the process of trying to improve the design and effectiveness of the ACO-200 web board on HSIN and recently made an update related to how new postings are demarcated. Previously, for ease of finding new items that were posted, TSA was posting documents in two conferences. For example, a proposed ASP amendment would be posted to both the NEW Postings Conference and the Airport Security Program Conference. Now, under the ACO-200 Posts, the right side of the screen shows the 'New Postings' within the last 30 calendar days. The user is able to see the post and the conference in which to find the new post. TSA welcomed any feedback on this change as well as on the ACO-200 web board overall.
E-Verify and SAVE Programs
Christine Beyer from TSA's Office of Chief Counsel reminded airports that Section 3405 of the FAA Extension, Safety and Security Act of 2016 required the Department of Homeland Security Secretary to 'authorize each airport operator to have direct access to the E'“Verify program and the Systematic Alien Verification for Entitlements (SAVE) automated system to determine the eligibility of individuals seeking unescorted access to any SIDA of an airport.' (Previously, E-Verify was limited to use by direct employers only.)
Beyer explained that both E-Verify and SAVE are valuable assets to verify identity and work authorization for individuals seeking airport access. Both programs, operated by the U.S. Citizenship and Immigration Service (USCIS), are free or have minimal costs to participate. USCIS may require a MOU for access to SAVE. USCIS has a webinar that provides an overview on how to use the E-Verify program.
Cyber-CHAMP Workforce Analysis for Airport Operators
Ollie Gagnon, Chief Strategist for Infrastructure Assurance and Analysis at the Idaho National Laboratory, provided an overview of an initiative being conducted in coordination with DHS' Cybersecurity and Infrastructure Security Agency (CISA) to better understand the cyber workforce needs within the aviation sector. Airports interested in participating or learning more can contact him at ollie.gagnon@inl.gov. Following is the background information provided by INL to AAAE, which has also been posted on HSIN.
The Aviation Cyber Initiative (ACI) mission is to reduce cybersecurity risks and improve cyber resilience to support safer, secure, and efficient operations of the Nation's Aviation Ecosystem. The ACI is a tri-chaired force led by chairs designated from DHS, the Department of Defense (DoD), and the Department of Transportation (DOT), who will collaborate and coordinate on a consensus basis. Idaho National Laboratory (INL), a Federally Funded Research and Development Center (FFRDC), supports the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) as the lead component for DHS. INL supports this effort through operational support and Research and Development activities.
Under the DHS/CISA Program Year (PY) 2022 Annual Work Plan (AWP), INL will conduct an ACI Workforce Development Training Needs Analysis: Cyber-CHAMP (Cyber-Competency Health and Maturity Progression Model) effort within the aviation ecosystem by September 15, 2022. The Cyber-CHAMP model is built to be performed and applied at the practitioner level, accounts for any technical (e.g., information technology, cybersecurity) role in an organization, and can be deployed by any size, or type of organization. The available modules of Cyber-CHAMP are the TRUST module, ORG module, RISK module, and TECH module. Cyber-TRUST provides suggested cybersecurity actions for strategic planning, policies and plans, and practices. Cyber-ORG helps an organization outline their workforce structure by providing a template of job role groupings and job roles. Cyber-TECH determines an individual's role alignment based on a job-task analysis survey using the categories, specialty areas, work roles, and associated tasks of the National Initiative for Cybersecurity Education (NICE) Framework. Cyber-RISK determines a manager's role alignment and educational needs based on legal responsibilities of the organization. The Cyber-CHAMP model provides:
· Customizable solutions for industry, government, and academia
· Understanding of cybersecurity operational readiness to establish target(s) for improvement
· Discovery of security/cybersecurity competency gaps, across entire work force
· Direct Return on Investment (ROI) through accomplishing industry/sector learning development profiles
· Identified training gaps as sources for education/training providers to develop new curriculum
· Validated measure of trust across supply chain based on metrics for security maturity and competency.
Due to importance to the Aviation Subsector under Transportation, Airports were identified as a potential focus area.
Enrollment Services and Vetting Programs Update
Brian Stortes from TSA's Enrollment Services and Vetting Programs provided the following updates:
Security Threat Assessment (STA) Processing Delays: TSA reported that there was an 11% increase in aviation worker applications in December 2021 over December 2019 (Full All-Cargo applications increased by 97% over 2019 and General Aviation increased by 123% over 2019.) TSA reported that 90% of applications are returned within 10 days with remaining 10% returned between 15 and 30 days. Several airports '“ both large and small -- expressed frustration with lengthy processing times for STAs, especially for non-U.S. citizens. TSA was not able to provide a timeline for if or when the situation would improve but did promise to continue to elevate the issue to TSA senior leadership. AAAE has also elevated the issue with senior TSA leadership several times over the past year and a half and will continue to do so.
TSA did note an issue with applicants from Congo (COG) and the Democratic Republic of Congo (COD). TSA stated that most documents provided by an applicant will say either Congo (COG) or Dem Congo (COD) on them. COD is also identified by Place of Birth city Kinshasa.
TSA reminded airports that any error increases the amount of time it takes to get an STA adjudicated. Any documents provided at the time of enrollment helps the adjudicators as well.
TSA continues to see a rise in Preliminary Determination of Ineligibility (PDI) due to incorrect addresses. TSA asked airports to please ensure the address on the application is current, so that if TSA needs more information, the correspondence will be correctly delivered, reducing further time lapse. Should the address have changed since enrollment, please update to the current address.
If TSA requests an Alias, Date Of Birth or Place Of Birth change, it is because that difference was discovered during the vetting process. The airport operator may have a newer document that says otherwise (e.g. AKA). If an airport does not make the changes TSA requested, the case times out and will close as a Do Not Issue (DNI). This necessitates a brand-new case if the employee still needs to be badged.
Rap Back: There are 276 airports and air carriers currently participating in the Rap Back program with approximately 693,000 active subscriptions. 93% of the subscriptions have been submitted by the 254 participating airports, with the remaining 7% submitted by the 22 participating aircraft operators. Airport operators, domestic air carriers and full all-cargo carriers are required to begin participating in the Rap Back program by March 29, 2022.
Flight Training Security Program: The Alien Flight School Program (AFSP) has changed its name to the Flight Training Security Program (FTSP). The website URL and Help Desk e-mail have been changed to www.fts.tsa.dhs.gov and FTSP.help@tsa.dhs.gov.
CJIS Information Letters: In January, TSA posted two FBI Criminal Justice Information Services (CJIS) Division Information Letters to HSIN.
CJIS Information Letter 21-3 provides a description of Cite and Release. Law enforcement agencies are opting to issue citations and release individuals who commit criminal offenses, as opposed to the typical method of booking which involves collecting the offender's fingerprints at the law enforcement agency's station. However, criminal records of individuals booked via the Cite and Release method do not get updated in the FBI's NGI because the NGI system relies on receiving fingerprints for individuals that have committed criminal offenses in order to update the individual's criminal record with arrest information. Thus, authorized NGI users may not receive a complete record of an applicant's criminal history if Cite and Release has been used. By utilizing a citation database, it is possible for states to share Cite and Release offenses. However, of the 25 states that use Cite and Release, only 5 have statewide citation database.
Due to Cite and Release practices, Rap Sheets provided in CHRC responses and any applicable Rap Back responses (RBN, RBMNTR, RBSR, etc.) may not include complete CHRI for the applicant. Airport and aircraft operators should be aware of this potential gap in CHRI for Cite and Release events and should continue to adjudicate rap sheets based on the criminal history information available at the time the rap sheet is received.
CJIS Information Letter 21-4 provides background on a recent development related to the distribution of criminal history record information (CHRI) for deceased individuals. In 2018, the CJIS Advisory Policy Board (APB) approved expanding the sharing of CHRI for deceased individuals to criminal ten-print fingerprint submissions up to the date that would be the individual's 110th birthday. It is unclear at this time whether CHRI for deceased individuals will be returned in rap sheets for noncriminal justice entities. Please be advised there is a possibility rap sheets will include criminal history records that indicate the subscribed individual is deceased. TSA expects the majority of these occurrences will follow Rap Back Activity Notifications (RBNs) triggered by the death of a subscribed individual.
Safe Skies Update
Jessica Grizzle provided the following update on recent Safe Skies' activity:
PARAS 0040 Pandemic Response, Recovery, and Preparedness Planning for Airport Security Operations (Phase 1) is now available for download at https://www.sskies.org/paras/reports/. The document identifies lessons learned and best practices relating to exposure control, security integrity, and operational impact. It summarizes actions that were beneficial to security operations during the COVID-19 pandemic, as well as opportunities for improvement. Phase 2 of the research is now underway and will focus on communicable disease response and recovery planning in airports, as well as provide specific tactical procedures to facilitate preparedness.
PARAS 0032 Enhancing Security of Cargo Operations at Airports and PARAS 0036 Airport Credentialing Efficiency Toolki t are under final review with publication anticipated by the end of February.
A few spots remain open on the project panel for PARAS 0047 Practices and Considerations for Centralized Revocation Database Use . PARAS is specifically seeking a representative from an airport legal department to ensure this important perspective is not overlooked. Please contact jessica.grizzle@sskies.org for more information on panel participation.
Next TSA Conference Call
The next TSA conference call for airport stakeholders is scheduled for Thursday, March 3, 2022, at 1:00 p.m. ET. Please note the conference call number is 1-800-857-5826 and passcode is 9596778.
