Security Policy Alert: Summary of TSA's Monthly Conference Call for Airport Stakeholders
March 3, 2022
This afternoon, TSA held its monthly conference call for airport stakeholders. The conference call was led by Karin Glasgow, TSA's Industry Engagement Manager for Airlines in the office of Policy, Plans and Engagement (PPE).
Federal Mask Mandate for Transportation
TSA reminded airports that the federal mask mandate for airports, air carriers and other modes of transportation remains in effect until March 18, 2022. TSA is working in consultation with the Centers for Disease Control and Prevention (CDC) to assess the duration of the federal mask mandate for transportation; however, it remains unchanged at this time. AAAE will keep you updated as soon as we learn more.
Update from Policy, Plans and Engagement
Rap Back Mandate : TSA reminded airports that the Rap Back mandate goes into effect on March 29, 2022, with all new CHRC submissions required to include a Rap Back subscription. All airport badge holders subject to a CHRC must be subscribed by March 29, 2024. Airports that have not yet enrolled into the Rap Back program are urged to do so as soon as possible as a TSA Privacy briefing and Designated Aviation Channeler (DAC) training are required prior to participating in the program.
On Monday, TSA plans to post the updated Security Directive 1542-04-08S which will be effective as of March 29. TSA updated the SD 1542-04-08 series to deconflict with Rap Back mandate and to remove the two-year CHRC requirement.
Proposed TSA National Amendments : The comment period for TSA-PNA-22-01, which would require Category X, I and II to complete cybersecurity vulnerability self-assessments and implement cybersecurity contingency plans, closed on February 14. TSA received 238 comments from 24 airports. Comments covered a variety of subject areas, including compliance, definitions, duplicate reporting / utilizing other established assessments, the policy vehicle used, the prescribed self-assessment / contingency plan process, safeguarding information, third party IT and OT systems, implementation timeline, and unfunded mandates.
TSA has also issued TSA-PNA-14-01B, Incident and Suspicious Activities Reporting, which would require all airports to report to TSA any Unmanned Aircraft System (UAS) incidents that disrupt flight operations. Comments on the proposed UAS incident reporting ASP amendment are due March 14, 2022. Once TSA has received and adjudicated comments, the agency will likely update and re-issue the TSA-NA-14-01 series on incident and suspicious activity reporting to include UAS incidents (versus as a stand-alone ASP amendment). As always, AAAE will be submitting comments on behalf of our airport members for TSA-PNA-14-01B. Please share any feedback or concerns you may have with AAAE's Colleen Chamberlain.
Information Circular to Enhance Surface, Aviation and Cargo Transportation Security : In light of world events, last week TSA issued an Information Circular (IC) regarding enhancing cybersecurity for the surface, aviation, and cargo transportation sectors.
The IC recommends that airport operators 1) review, and as appropriate, implement recommended actions in the Joint Cybersecurity Alert and the CISA Shields Up site; 2) prioritize locking down privileged and administrator level accounts for network access, conducting tests of manual functions to the fullest extent practicable, and conducting an incident response tabletop exercise to ensure understanding and preparedness are in place to mitigate the effects of a cybersecurity incident; and, 3) when determining which cybersecurity incidents to report, reduce thresholds to the lowest possible level, emphasizing the government's preference for covered parties to err on the side of reporting to afford the broadest opportunity to detect potential Russian-driven malicious cyber activity.
Cybersecurity Incident Reporting FAQs : Last week, TSA also released a Frequently Asked Questions document related to cyber incident reporting requirements under TSA-NA-21-05 that went into effect on January 10. The FAQs address questions in a number of different areas, including:
· IT or OT system ownership -- Per their applicable security program, a regulated party must report an incident involving a system they have the responsibility to operate and maintain. In this case, responsibility refers to the responsibility to carry out security program requirements, which aligns with TSA's definition of authorized representative. If a system is used by an authorized representative to carry out an operator's security program responsibilities, then the operator must report any cybersecurity incident involving that system. Alternatively, an operator is not required to report a cybersecurity incident involving a contracted third party's system if the system does not carry out a security program function. TSA provided the following example: An airport contracts their access control systems with a third party. The access control system is impacted by a cybersecurity incident, impacting the airport's ability to stop individuals from accessing unauthorized areas of an airport. This event, as it ties directly to the airport's security program, would need to be reported. Conversely, if the same third-party contractor's human resource system is impacted by a cybersecurity incident, it would not need to be reported because these company functions do not fall within the airport's security program.
· Marking Information Reported as SSI -- All information reported to CISA in accordance with the security program requirements is considered SSI, which means it is protected from public disclosure under the Freedom of Information Act. Confidential Business Information is also included in SSI, which includes trade secrets and commercial or financial information. It is important for the individual reporting the incident to clearly mark the submitted information as SSI and indicate that the report is being made in accordance with applicable security program. This triggers the information sharing procedures, beginning with TSOC.
· Compliance -- TSA will inspect and enforce compliance with these requirements through its existing inspections program. This includes a progressive enforcement philosophy to address issues of non-compliance, which range from administrative actions to civil penalties.
Enrollment Services and Vetting Programs Update
Sam Smith from TSA's Enrollment Services and Vetting Programs provided the following updates:
Rap Back Program : TSA again reminded airports that participation in the Rap Back program is mandatory as of March 29, 2022. There are currently over 260 airports and 27 air carriers participating in the program with over 716,000 subscriptions. There are a number of airports and air carriers that have completed the required TSA Privacy briefing and DAC training but have not yet begun Rap Back subscriptions. There are 57 airports and 32 air carriers that have not yet begun the process to participate in Rap Back; TSA again urged these airports NOT to wait until the last minute as it is a mandatory program as of March 29.
With Rap Back implementation, TSA has made several procedural changes, most notably requiring all Rap Back submissions to be 'search and subscribe' at the time of fingerprint submission. TSA maintains that they require 'search and subscribe' at the time of CHRC submission for security and efficiency reasons.
An individual may have multiple Rap Back submissions, with both an airport and air carrier submitting the same individual as an example. CHRC sharing is not allowed between airports and air carriers (outside of the certification process). In addition, TSA pointed out that the Rap Back User Guide does not allow airport operators to enroll air carrier employees into the Rap Back program.
FPRD Enhancements : TSA is soliciting feedback on potential enhancements for FPRD. TSA is currently considering additional functionality related to: listing of badge type and status; notification of Rap Back Notifications (RBNs) through the DACs; automated reconciliation processes; and, an automated process to separate consolidated records.
Record Delete Notification : TSA recently issued an Aviation Worker Bulletin detailing the Record Delete Notification process, which began on February 22.
Security Threat Assessment (STA) Processing Delays : TSA reported that the agency is committed to addressing the STA processing delays that have plagued the system for over the past year, including increasing resources for the TSA adjudication center to handle the increased volume in STA applications. TSA is also working with its adjudication center to update and compile best practices to facilitate swift processing of STAs. As an example, TSA advised today that airport operators should include the A-number for legal permanent residents (LPRs) even if they have already become naturalized citizens; this will avoid a manual review based on data in the USCIS vetting systems. In addition, TSA recently discovered a bug in its systems, which has not been ingesting some identity documents included by airports at the time of STA submission. TSA has been stressing the importance of attaching identity documents at the time of submission for many months as a means to facilitate more efficient STA processing. AAAE asked for more information about what was causing this issue and how quickly TSA expected the issue within its system to be resolved.
Safe Skies Update
Jessica Grizzle provided the following update on recent Safe Skies' activity:
PARAS 0032 Enhancing Security of Cargo Operations at Airports has been finalized and is available on the Safe Skies website under PARAS reports . The document is intended to be a comprehensive resource to help airports and their stakeholders make well-informed decisions to ensure secure and efficient cargo operations. It discusses the regulatory context for air cargo operations requirements and provides guidance and best practices for security programs and measures. The document pays particular attention to the implementation of the third-party canine program in a cargo operation.
Credential Authentication Technology Deployment Update
TSA reported that the agency reached Full Operational Capacity (FOC) of 1520 Credential Authentication Technology (CAT) units in December 2021. TSA is now deploying 534 additional units above FOC, which began the week of January 30. The current round of deployments also includes 122 CAT-2 upgrade kits (also known as CAT with camera or biometrically enabled CAT), 412 new CAT-1 units and 102 reallocated CAT-1 units to 124 locations. To date, 55 CAT-2 upgrade kits have been deployed to 9 locations and 26 CAT-1 units have been relocated to 7 locations, including Category III and IV airports. Deployments will continue through the last week of March; however, delays are expected because of global supply chain issues. TSA tentatively expects to resume deployments in late May or early June. In total, there are 1557 CAT systems currently deployed at 176 airports.
Airport representatives on the call raised concerns about the deployment of CAT displacing aviation worker badge readers at the Travel Document Checker (TDC) station. Airports urged TSA to work with airports to ensure employee card readers can be made available at the checkpoint.
TSA Intelligence and Analysis Update
Representatives from TSA's office of Intelligence and Analysis (I&A) briefed two recently released aviation-related intelligence products. TSA highlighted its Transportation Intelligence Study (TIS) that provides a comprehensive and in-depth overview of foreign terrorist plots since September 11, 2001, targeting aviation involving IEDs concealed in carry-on items. TSA also reviewed its annual assessment of aviation insider incidents which is based on a review of insider reporting over the past year and ongoing investigations of insider activity. Most incidents were attributed to negligence. There were no reported incidents of terrorist insiders plotting attacks against the U.S. aviation sector during the past year and TSA continues to assess that criminal activity is the primary insider activity weakening the domestic aviation security environment. Both products can be found on the TSA web board on HSIN in the Intel Conference folder.
Next TSA Conference Call
The next TSA conference call for airport stakeholders is scheduled for Thursday, April 7, 2022, at 1:00 p.m. ET. Please note the conference call number is 1-800-857-5826 and passcode is 9596778.
This afternoon, TSA held its monthly conference call for airport stakeholders. The conference call was led by Karin Glasgow, TSA's Industry Engagement Manager for Airlines in the office of Policy, Plans and Engagement (PPE).
Federal Mask Mandate for Transportation
TSA reminded airports that the federal mask mandate for airports, air carriers and other modes of transportation remains in effect until March 18, 2022. TSA is working in consultation with the Centers for Disease Control and Prevention (CDC) to assess the duration of the federal mask mandate for transportation; however, it remains unchanged at this time. AAAE will keep you updated as soon as we learn more.
Update from Policy, Plans and Engagement
Rap Back Mandate : TSA reminded airports that the Rap Back mandate goes into effect on March 29, 2022, with all new CHRC submissions required to include a Rap Back subscription. All airport badge holders subject to a CHRC must be subscribed by March 29, 2024. Airports that have not yet enrolled into the Rap Back program are urged to do so as soon as possible as a TSA Privacy briefing and Designated Aviation Channeler (DAC) training are required prior to participating in the program.
On Monday, TSA plans to post the updated Security Directive 1542-04-08S which will be effective as of March 29. TSA updated the SD 1542-04-08 series to deconflict with Rap Back mandate and to remove the two-year CHRC requirement.
Proposed TSA National Amendments : The comment period for TSA-PNA-22-01, which would require Category X, I and II to complete cybersecurity vulnerability self-assessments and implement cybersecurity contingency plans, closed on February 14. TSA received 238 comments from 24 airports. Comments covered a variety of subject areas, including compliance, definitions, duplicate reporting / utilizing other established assessments, the policy vehicle used, the prescribed self-assessment / contingency plan process, safeguarding information, third party IT and OT systems, implementation timeline, and unfunded mandates.
TSA has also issued TSA-PNA-14-01B, Incident and Suspicious Activities Reporting, which would require all airports to report to TSA any Unmanned Aircraft System (UAS) incidents that disrupt flight operations. Comments on the proposed UAS incident reporting ASP amendment are due March 14, 2022. Once TSA has received and adjudicated comments, the agency will likely update and re-issue the TSA-NA-14-01 series on incident and suspicious activity reporting to include UAS incidents (versus as a stand-alone ASP amendment). As always, AAAE will be submitting comments on behalf of our airport members for TSA-PNA-14-01B. Please share any feedback or concerns you may have with AAAE's Colleen Chamberlain.
Information Circular to Enhance Surface, Aviation and Cargo Transportation Security : In light of world events, last week TSA issued an Information Circular (IC) regarding enhancing cybersecurity for the surface, aviation, and cargo transportation sectors.
The IC recommends that airport operators 1) review, and as appropriate, implement recommended actions in the Joint Cybersecurity Alert and the CISA Shields Up site; 2) prioritize locking down privileged and administrator level accounts for network access, conducting tests of manual functions to the fullest extent practicable, and conducting an incident response tabletop exercise to ensure understanding and preparedness are in place to mitigate the effects of a cybersecurity incident; and, 3) when determining which cybersecurity incidents to report, reduce thresholds to the lowest possible level, emphasizing the government's preference for covered parties to err on the side of reporting to afford the broadest opportunity to detect potential Russian-driven malicious cyber activity.
Cybersecurity Incident Reporting FAQs : Last week, TSA also released a Frequently Asked Questions document related to cyber incident reporting requirements under TSA-NA-21-05 that went into effect on January 10. The FAQs address questions in a number of different areas, including:
· IT or OT system ownership -- Per their applicable security program, a regulated party must report an incident involving a system they have the responsibility to operate and maintain. In this case, responsibility refers to the responsibility to carry out security program requirements, which aligns with TSA's definition of authorized representative. If a system is used by an authorized representative to carry out an operator's security program responsibilities, then the operator must report any cybersecurity incident involving that system. Alternatively, an operator is not required to report a cybersecurity incident involving a contracted third party's system if the system does not carry out a security program function. TSA provided the following example: An airport contracts their access control systems with a third party. The access control system is impacted by a cybersecurity incident, impacting the airport's ability to stop individuals from accessing unauthorized areas of an airport. This event, as it ties directly to the airport's security program, would need to be reported. Conversely, if the same third-party contractor's human resource system is impacted by a cybersecurity incident, it would not need to be reported because these company functions do not fall within the airport's security program.
· Marking Information Reported as SSI -- All information reported to CISA in accordance with the security program requirements is considered SSI, which means it is protected from public disclosure under the Freedom of Information Act. Confidential Business Information is also included in SSI, which includes trade secrets and commercial or financial information. It is important for the individual reporting the incident to clearly mark the submitted information as SSI and indicate that the report is being made in accordance with applicable security program. This triggers the information sharing procedures, beginning with TSOC.
· Compliance -- TSA will inspect and enforce compliance with these requirements through its existing inspections program. This includes a progressive enforcement philosophy to address issues of non-compliance, which range from administrative actions to civil penalties.
Enrollment Services and Vetting Programs Update
Sam Smith from TSA's Enrollment Services and Vetting Programs provided the following updates:
Rap Back Program : TSA again reminded airports that participation in the Rap Back program is mandatory as of March 29, 2022. There are currently over 260 airports and 27 air carriers participating in the program with over 716,000 subscriptions. There are a number of airports and air carriers that have completed the required TSA Privacy briefing and DAC training but have not yet begun Rap Back subscriptions. There are 57 airports and 32 air carriers that have not yet begun the process to participate in Rap Back; TSA again urged these airports NOT to wait until the last minute as it is a mandatory program as of March 29.
With Rap Back implementation, TSA has made several procedural changes, most notably requiring all Rap Back submissions to be 'search and subscribe' at the time of fingerprint submission. TSA maintains that they require 'search and subscribe' at the time of CHRC submission for security and efficiency reasons.
An individual may have multiple Rap Back submissions, with both an airport and air carrier submitting the same individual as an example. CHRC sharing is not allowed between airports and air carriers (outside of the certification process). In addition, TSA pointed out that the Rap Back User Guide does not allow airport operators to enroll air carrier employees into the Rap Back program.
FPRD Enhancements : TSA is soliciting feedback on potential enhancements for FPRD. TSA is currently considering additional functionality related to: listing of badge type and status; notification of Rap Back Notifications (RBNs) through the DACs; automated reconciliation processes; and, an automated process to separate consolidated records.
Record Delete Notification : TSA recently issued an Aviation Worker Bulletin detailing the Record Delete Notification process, which began on February 22.
Security Threat Assessment (STA) Processing Delays : TSA reported that the agency is committed to addressing the STA processing delays that have plagued the system for over the past year, including increasing resources for the TSA adjudication center to handle the increased volume in STA applications. TSA is also working with its adjudication center to update and compile best practices to facilitate swift processing of STAs. As an example, TSA advised today that airport operators should include the A-number for legal permanent residents (LPRs) even if they have already become naturalized citizens; this will avoid a manual review based on data in the USCIS vetting systems. In addition, TSA recently discovered a bug in its systems, which has not been ingesting some identity documents included by airports at the time of STA submission. TSA has been stressing the importance of attaching identity documents at the time of submission for many months as a means to facilitate more efficient STA processing. AAAE asked for more information about what was causing this issue and how quickly TSA expected the issue within its system to be resolved.
Safe Skies Update
Jessica Grizzle provided the following update on recent Safe Skies' activity:
PARAS 0032 Enhancing Security of Cargo Operations at Airports has been finalized and is available on the Safe Skies website under PARAS reports . The document is intended to be a comprehensive resource to help airports and their stakeholders make well-informed decisions to ensure secure and efficient cargo operations. It discusses the regulatory context for air cargo operations requirements and provides guidance and best practices for security programs and measures. The document pays particular attention to the implementation of the third-party canine program in a cargo operation.
Credential Authentication Technology Deployment Update
TSA reported that the agency reached Full Operational Capacity (FOC) of 1520 Credential Authentication Technology (CAT) units in December 2021. TSA is now deploying 534 additional units above FOC, which began the week of January 30. The current round of deployments also includes 122 CAT-2 upgrade kits (also known as CAT with camera or biometrically enabled CAT), 412 new CAT-1 units and 102 reallocated CAT-1 units to 124 locations. To date, 55 CAT-2 upgrade kits have been deployed to 9 locations and 26 CAT-1 units have been relocated to 7 locations, including Category III and IV airports. Deployments will continue through the last week of March; however, delays are expected because of global supply chain issues. TSA tentatively expects to resume deployments in late May or early June. In total, there are 1557 CAT systems currently deployed at 176 airports.
Airport representatives on the call raised concerns about the deployment of CAT displacing aviation worker badge readers at the Travel Document Checker (TDC) station. Airports urged TSA to work with airports to ensure employee card readers can be made available at the checkpoint.
TSA Intelligence and Analysis Update
Representatives from TSA's office of Intelligence and Analysis (I&A) briefed two recently released aviation-related intelligence products. TSA highlighted its Transportation Intelligence Study (TIS) that provides a comprehensive and in-depth overview of foreign terrorist plots since September 11, 2001, targeting aviation involving IEDs concealed in carry-on items. TSA also reviewed its annual assessment of aviation insider incidents which is based on a review of insider reporting over the past year and ongoing investigations of insider activity. Most incidents were attributed to negligence. There were no reported incidents of terrorist insiders plotting attacks against the U.S. aviation sector during the past year and TSA continues to assess that criminal activity is the primary insider activity weakening the domestic aviation security environment. Both products can be found on the TSA web board on HSIN in the Intel Conference folder.
Next TSA Conference Call
The next TSA conference call for airport stakeholders is scheduled for Thursday, April 7, 2022, at 1:00 p.m. ET. Please note the conference call number is 1-800-857-5826 and passcode is 9596778.
