Security Policy Alert: TSA Monthly Conference Call Summary for March 2021

March 4, 2021

This afternoon, TSA held its monthly conference call for airport stakeholders. The conference call was led by Alan Paterno, TSA's Airport Industry Engagement Manager in the office of Policy, Plans and Engagement (PPE). Paterno introduced Jackie Bester who is currently serving as the Acting Branch Manager for Industry Engagement and has been with TSA in various positions since 2002. Following are highlights from today'™s call:

Policy Updates

Information Circular 15-01F: TSA has issued an updated Information Circular (IC) 15-01F on Insider Threat which became effective on March 1, 2021. The updated IC contains minor changes that provide clarification to existing provisions. TSA reminded airports that Information Circulars contain recommendations and best practices and not requirements. 

Proposed TSA-NA-14-01A: TSA reminded airports that proposed ASP amendment (TSA NA 14-01A) to add cyber incidents to the incident and suspicious activities reporting requirements has been issued. The comment period closes on April 4, 2021, which is a Sunday so TSA will accept comments through April 5, 2021. AAAE will be submitting comments on behalf of our airport members so please share any feedback that you may have on the proposed ASP amendment by Friday, April 2, 2021.  

Centralized Revocation Database: The final ASP amendment for the Centralized Revocation Database (TSA NA 21-01) included an updated Privacy Act Notice, which has been posted on HSIN in the new Privacy Act Notice conference. The Security Directive 1542-04-08 series also includes a Privacy Act Notice as an attachment. TSA is in the process of updating and renewing the SD 1542-04-08 series which will remove the Privacy Act Notice attachment. Once that is completed, the Centralized Revocation Database (CRD) Privacy Act Notice will be used to meet the requirements of both the CRD and SD 1542-04-08. In the meantime, it is acceptable for airports to use either or both of the Privacy Act Notices '“ either the one issued as part of the final ASP amendment on the Centralized Revocation Database (CRD) or the SD 1542-04-08 attachment. 

In addition, TSA is in the process of issuing a technical correction to TSA-NA-21-01 to clarify the intent of Section II, currently entitled Training, that airports must notify (rather than train) individuals that they will be listed in the CRD for 5 years if they violate an aviation security requirement. TSA will also clarify the terms for a permanent revocation to encompass airport standards or processes for revocations. For example, if an operator'™s local badge policy imposes a maximum duration on the length of a revocation (e.g., two years), such revocations would be considered 'œpermanent' and the operator would be required to enter such revocations into the CRD.

TSA plans to issue the technical correction prior to the current April 22 implementation date for TSA-NA-21-01. TSA PPE is recommending that the implementation date be extended another 90 days after the technical correction is issued but that has not yet been approved. TSA recognizes the need for swift action on the technical change given the current April 22 deadline and is working as expeditiously as possible on getting the technical correction approved and issued.

TSA will also be posting a Frequently Asked Questions document based on the questions received during the TSA informational briefings held in January and February. TSA has already posted the presentation used for those briefings to HSIN. The CRD is currently operational on the FPRD.

Rap Back: During the comment adjudication process to make the Rap Back program mandatory for airports and air carriers, TSA discovered an issue related to CHRC responsibility. The current regulatory language is unclear concerning whether an airline must conduct a CHRC, or whether it can assume completion of a CHRC if an individual has an airport-issued SIDA badge.  

According to TSA, this generally accepted practice of airlines using an airport SIDA badge to meet its CHRC obligations cannot be continued in the era of continuous criminal history monitoring and Rap Back. TSA has determined that the Rap Back mandate and its nuances would also require some CHRC duplication. 

TSA explored several options to reduce this duplication and determined that a regulatory exemption is needed. This regulatory exemption will permit an airline, for certain individuals, to accept an airport'™s CHRC to meet its regulatory obligations without the need for a certification. This exemption will apply to 1544 direct employees or authorized representatives who accept checked baggage or screen cargo, work at a SIDA airport, possess an airport SIDA badge and cannot otherwise be covered by 1544.229 (meaning that they cannot be covered by a certification letter or have a 1544 CREW, RAMP, or EXCLUSIVE SIDA badge).

This exemption is still under development and TSA is working to ensure it aligns with the final Rap Back program changes. TSA may require airports to notify airlines (authorized signatories) if the SIDA badge is pulled due to a disqualifying crime. The exemption will require some approval outside of TSA and it will be published in the Federal Register. TSA'™s plan is to have the final program changes and the exemption be published around the same time. Both are still a work in progress.

As a reminder, airports have been and are still responsible for the CHRCs of 1544 employees and authorized representatives who need unescorted access to the SIDA or Sterile Area, but do not perform the specified covered functions in 1544.229.

REAL ID Update

DHS'™ Steve Yonkers provided an update on REAL ID and the upcoming October 1, 2021 enforcement deadline. There are currently 276 million state driver'™s licenses and identification cards in circulation in the 56 U.S. states and territories (54 of which are REAL ID compliant). Of the 276 million, 117 million are REAL IDs '“ or about a 43 percent adoption rate. REAL ID adoption rates grow approximately half a percentage each month wherein pre-COVID the adoption rate was closer to 1 or 1.5 percent per month.

In December, Congress passed the REAL ID Modernization Act which allows states to use a digital application process for obtaining a REAL ID. DHS plans to issue regulations in the coming months to implement the provisions of the REAL ID Modernization Act. In the meantime, DHS Secretary Ali Mayorkas is reviewing the REAL ID October 1, 2021 enforcement deadline.

In January, DHS launched a public awareness campaign for REAL ID and the existing enforcement deadline. A digital tool kit can be found on slide 11 of the DHS REAL ID advertising campaign presentation. In addition to urging an extension of the REAL ID deadline, AAAE encouraged DHS and TSA to reinforce mask requirements as part of its advertising campaign for REAL ID. 

Safe Skies

Jessica Grizzle from Safe Skies provided an update on the organization'™s recent reports:

• PARAS 0023 Exit Lane Strategies and Technology Applications is available for download at https://www.sskies.org/paras/reports/. The primary purpose of this document is to assist airports in researching, designing, procuring, and installing exit lane technology. It is designed to assist airports in all stages of deploying exit lane solutions and includes discussions on planning considerations, operational factors, testing, maintenance, training, potential configurations, compliance, and capabilities of available technology types. The report does not address a specific technology product or technology vendors. Airports can reference previous ASSIST reports on various exit lane technologies for details on specific products or vendors. 
• PARAS 0024 Consolidated Receiving and Distribution Facilities at Airports and PARAS 0026 Insider Threat Mitigation at Airports are under final review and will be published in March. 
• The ASSIST Evaluation Report for Senstar FiberPatrol® FP1150 fence-mounted intrusion detection system, evaluated at Hartsfield-Jackson Atlanta International Airport, is now available in the Safe Skies folder on HSIN. Alternatively, airports can receive a copy via email by submitting a request to anna.hamilton@sskies.org. 

Enrollment Services and Vetting Programs Update

Sam Smith from TSA'™s Enrollment Services and Vetting Programs (ESVP) provided an update on several programs.

eBadge: There are currently 22 airports participating in the eBadge program, with over 30,000 eBadge submissions. TSA recently began sitting in on monthly CBP field meeting where several eBadge success stories were shared, including instances where the program did help to speed the CBP seal process. 
 
Data Management: As TSA modernizes its vetting systems, the agency may require additional data points from airports that are currently voluntary. TSA will work to ensure changes to appropriate regulations are implemented in a manner that does not place undue burden on airports. AAAE urged TSA to ensure adequate coordination within the agency to ensure technology changes do not proceed or contradict policy requirements. 
 
Rap Back: There are 231 airports currently participating in the Rap Back program '“ that is over 66% of federal airports eligible currently participating. TSA reminded the approximately 100 airports not currently participating that the process to get started is fairly straight-forward '“ complete the Privacy Informational Briefing, submit a signed Statement of Responsibilities, and complete your Designated Aviation Channeler (DAC) training. Please reach out to your DAC or TSA at rapback@tsa.dhs.gov with any questions about getting started in the RAP Back program. 
 
After pandemic related decreases in Rap Back active subscriptions, TSA has seen six straight weeks of active subscription increases. Last month, TSA reported a minimal delay from the FBI in returning complete Rap Sheets. Since the call, TSA has worked diligently with the FBI to complete these records. If you continue to experience delays, please reach out the CHRCRequests inbox (CHRCRequests@tsa.dhs.gov), or Aviation Workers inbox (aviation.workers@tsa.dhs.gov). 

On February 24, TSA posted a new version of the Rap Back User Guide on HSIN and the FPRD. The new version deletes language regarding airports being allowed to enter 2 plus 30 as an option to avoid inadvertent Rap Back expirations. However, that option is still under discussion between TSA and FBI and is not yet final. Once final, TSA will issue a bulletin and again update the Rap Back User Guide.
 
Finally, TSA has a new FPRD User Access form 4.0 which will be effective as of March 15, 2021. After April 1, 2021, only the new FPRD User Access form will be accepted.
 
Credential Authentication Technology (CAT)
 
TSA has completed Phase II of its deployment of Credential Authentication Technology (CAT), with 1,053 units deployed at 121 locations. This summer, TSA will begin Phase III with deployment of 467 additional units. The locations and schedule are still being determined, although a majority of the 467 units will go to Category III and IV airports.
 
TSA also discussed the recent changes to the CAT machines that allow the monitor to swivel to enable passenger self-scanning of their identification to reduce contact between passengers and TSOs. TSA prohibits disassembly of the units so swiveling the monitor may not work in all locations, especially certain instances where plexiglass barriers prevent self-scanning.
 
TSA/CISA/FBI Aviation-Specific Cybersecurity Webinar
 
On March 23 at 3:00 p.m. ET, TSA, in conjunction with DHS'™ Cyber and Infrastructure Security Agency (CISA) and the FBI, with host a webinar to discuss aviation-specific cyber threats currently being tracked by the U.S. government. The webinar will be geared to IT professionals but open to any U.S. airport representatives. Please contact TSA'™s Tim Weston at timothy.weston@tsa.dhs.gov if you are interested in participating. 
 
UV-C Demonstrations
 
As part of the fifth Broad Agency Announcement (BAA), TSA'™s Innovation Task Force (TSA) selected three Ultraviolet (UV-C) Light standalone bin disinfection systems from two unique vendors and have been pushing forward with an accelerated demonstration process to ensure an expedited live operational demonstration. TSA received two horizontal conveyer belt style systems where bins are fed through individually and are exposed to UV-C light for a period of time ranging from 25 to 35 seconds. TSA also received a smaller vertical system that allows for a stack of bins to be inserted at one time before being exposed to UVC light one at a time. All 3 systems fit different sizes of bins and TSA tested all bins that fit in each system (such as standard bins, secure point, and CT bins). TSA'™s required dosage to inactivate SARS CoV-2, as determined by DHS S&T, has been set at 75-150mj/cm2.  
 
The solutions were sent to the Transportation System Integration Facility (TSIF) to undergo operational efficacy testing to measure dosage on different bin types, as well as safety evaluations (structural safety as well as light reading assessments to ensure the systems were not leaking harmful UV-C outside of the protective curtains).  The systems have been deemed safe for operational use without the use of personal protective equipment. 
 
Two of the three systems are moving to Washington Reagan airport for a live operational demonstration in the screening checkpoint and the demonstration is planning for a go-live on March 15. Systems will be in operation at different checkpoints for 45 days. 
 
While there, operators will follow a CONOPS where bins will be stacked on carts at the re-composure area and moved over to the UV-C system, where they will be fed into the UV-C system for disinfection by UV-C light exposure. The airport will continue with their manual sanitization processes but TSA will evaluate efficiencies of manual sanitization versus UV-C to determine if it's a viable option to replace manual processes. 
 
During the 45-day demo, TSA'™s operational test team will go out at the beginning, 15 day, 30 day and 45 day mark to assess operational efficacy, including dosage measurements at various touch points on the bin. In addition, TSA'™s human factors team will conduct focus groups with TSOs to gather feedback on operational efficiencies and feasibility of working these technologies into the normal rotation at the checkpoint. At the conclusion of the demonstration, ITF will make a recommendation for next steps based on operational needs and system efficiencies, which may include a procurement of individual units.
 
In addition to UV-C standalone solutions, TSA is also exploring in-line systems that will be integrated to pre-existing Automated Screening Lanes (ASLs). Utilizing the same UV-C light sanitization techniques as a standalone system, this in-line solution is added to the ASL tray return system, under the re-composure area, where the trays travel back to the next passenger after security screening is completed. Currently, TSA is evaluating the efficacy of these integrated solutions between three separate UV-C providers and four ASL vendors across Advanced Technology X-Rays, as well as Computed Tomography scanners in the field. To expedite the end-to-end acquisition and deployment process, TSA aims to utilize these demonstrations to inform subsequent risk assessments and system evaluation activities, thus progressing to acquisition review sooner than the traditional approach. As of now, TSA is planning for a demonstration in Atlanta on CT ASL lanes no later than Memorial Day 2021. 
 
Next TSA Conference Call

The next TSA conference call for airport stakeholders is scheduled for Thursday, April 1 at 1:00 p.m. ET. Please note the new conference call number and passcode: 1-800-857-5826 and passcode 9596778.