Security Policy Alert: Summary of TSA's Monthly Conference Call for Airport Stakeholders
May 5, 2022
TSA held its monthly conference call for airport stakeholders on May 5. The conference call was led by Alan Paterno, TSA's Industry Engagement Manager for Airports in the office of Policy, Plans and Engagement (PPE).
Update from Policy, Plans and Engagement
A proposed change to the recently issued TSA-NA-21-02A Ramp Movement (which superseded the long-standing 1993 FAA Ramp Movement Amendment) is being routed for signature internally at TSA and will be issued for notice and comment in May or early June. The comment period will be at least 30 days. The proposed change would allow airport operators to recognize air carrier issued identification media for unescorted access on the ramp.
TSA is also in the early stages of drafting a proposed Airport Security Program amendment to consolidate and expand exiting public advisory requirements to include notices that firearms are not permitted through the checkpoint or in restricted areas. A draft of the proposed ASP amendment has been shared with AAAE and the Quarterly Airport Security Review for initial and informal feedback. TSA is also open to additional ideas of how to reduce firearms at the checkpoint.
Centralized Revocation Database
The Centralized Revocation Database, which was recommended by the Aviation Security Advisory Committee (ASAC) and required under law by the TSA Modernization Act of 2018, went into effect in June 2021. Airport and aircraft operators have entered over 180 individuals that have had their identification media permanently revoked due to aviation security violations into the database to date.
TSA is currently conducting outreach to several airports and air carriers to remove certain individuals from the database, especially those submitted before the effective date or who were never issued badges. In certain cases, TSA may request additional information to ensure the individual meets the criteria to be entered into the database.
TSA has also updated its Centralized Revocation Database User Guide and Briefing Slides. The updated user guide will contain additional scenarios and examples for when an individual should or should not be entered into the database. TSA provided several examples of reasons why individuals should not be included in the database, such as: single security violations like piggybacking; loss of FAA airmen certificate; employment termination without any further details; discovery of disqualifying crimes during the CHRC process; petty theft or stolen items; or, refusing to cooperate in an investigation. The updated User Guide will be posted on HSIN and FPRD in the near future.
CDC Recommendation for Masks on Public Transportation
Vera Adams, Executive Director, Aviation Division, PPE, highlighted the recent recommendation by CDC that everyone aged 2 and older '“ including passengers and workers - properly wear a well-fitting mask or respirator over the nose and mouth in indoor areas of public transportation (such as airplanes, trains, etc.) and transportation hubs (such as airports, stations, etc.). Adams stressed that TSA has no immediate plans to reinstate its Security Directive implementing the mask mandate due to the court injunction.
TSA InfoBoard AvOps Cybersecurity
TSA has created a new board on the Homeland Security Information Network (HSIN) entitled the TSA InfoBoard AvOps Cybersecurity. The Cyber Board was created for the cybersecurity coordinators and alternates required under TSA-NA-21-05 Cybersecurity Incident Reporting, which went into effect on January 10, 2022. Federal Security Directors were required to submit cybersecurity points-of-contact to TSA HQ to grant individuals (who must be U.S. citizens) access to the board. The Cyber Board will contain Alerts and Notices related to cybersecurity issued by DHS' Cybersecurity and Infrastructure Security Agency (CISA), FBI, TSA and others and is intended for cybersecurity coordinators as named under TSA-NA-21-05. Individuals who currently have access to the TSA InfoBoard AvOps Airport Security (ACO-200) will automatically be granted access to the new Cyber Board. However, it is a manual and time-consuming process to add users to the new board so it may take several months before ACO-200 users are granted access. In the meantime, information posted to the Cyber Board will continue to be posted to the ACO-200 board.
AAAE questioned the process of how cybersecurity coordinators and airport operators were notified of how to access the new board. Individuals who are cybersecurity coordinators who have not been contacted by their FSDs about access to the board can reach out to their local TSA Transportation Security Inspectors (TSIs) to begin the process.
REAL ID
In less than a year, beginning May 3, 2023, every air traveler 18 years of age and older will need a REAL ID-compliant driver's license or identification card, state-issued enhanced driver's license, or another TSA-acceptable form of identification at airport security checkpoints for domestic air travel.
The previous enforcement deadline of October 1, 2021 was extended due to impacts of the pandemic. However, despite the fact that state DMVs are back up and running (for the most part), REAL ID adoption rates remain lower than historical levels at just 0.5 percent. As of April, there were 277 million state issued driver's licenses and identification cards, of which 136 million (or 49 percent) are REAL ID compliant, 101 million are not REAL ID compliant and 40 million are legacy cards that will need to be renewed. Legacy driver's licenses and identification cards represent that greatest chance to convert to a REAL ID; yet, in the first quarter, 200,000 more non-compliant cards were issued than compliant REAL IDs. TSA noted that more needs to be done to maximize conversion to REAL IDs.
In December 2020, Congress passed the REAL ID Modernization Act which, among other things, allowed for individuals to digitally submit documentation necessary for a REAL ID. However, DHS does not plan to issue the Notice of Proposed Rulemaking to implement the digital submission flexibility until November 2022, meaning a final rule would not go into effect until at least 6 months after that if not longer. The REAL ID Modernization Act also required airlines to inform passengers of REAL ID requirements at booking and check-in. TSA recently issued an airport operator security program change that required airlines to begin this notification as of May 2.
TSA is also conducting a number of engagement activities with airports, air carriers and states to inform the traveling public of the upcoming enforcement deadline. Marketing collateral from its most recent 'Be Your REAL ID Self' campaign is available upon request. TSA is also seeking funding for an additional marketing campaign this year.
Finally, TSA is working with DHS S&T on a data collection and analysis capability to inform the agency's implementation of the enforcement deadline and minimize impact on checkpoint operations. TSA stated today that it is too early to gauge the impact on checkpoint operations.
Credential Authentication Technology (CAT) Deployment
Gina Bigelow from TSA's Acquisition and Program Management (APM) noted that the CAT program office typically updates the ID document library on a quarterly basis but has been providing almost monthly updates in recent months. The latest round of updates including the following IDs: DOD Next Generation Dependent / Retiree; North Carolina; Nevada; Rhode Island; South Carolina; West Virginia; New York; Illinois; Arkansas; Michigan; Missouri; Tennessee; Louisiana; and Massachusetts.
TSA has procured and is currently deploying 534 CAT-systems to 97 airports. Deployment began in late January 2022 and is expected to be completed in early November 2022. This includes 122 CAT-2 (also known as CAT with camera) upgrade systems, 107 of which have already been deployed. TSA plans to deploy 412 CAT units and relocate 102 to expand coverage at Category III and IV airports.
The CAT program office is the process of procuring 730 additional CAT-2 systems and anticipates starting deployment in Fiscal Year 2023.
Update from Enrollment Services and Vetting Programs
Rap Back: As of March 29, due to the Rap Back mandate, all CHRCs submitted to TSA must contain a Rap Back subscription. There are no exceptions to this rule despite any airport best practices or ASP requirements that may be in place, local CBP requirements, or business use cases. Any CHRC sent to TSA '“ including CHRCs for individuals already enrolled in Rap Back '“ without a Rap Back subscription will be rejected by TSA. TSA further explained that there is no TSA requirement to have multiple CHRCs for the same employees. Rap Back provides continuous monitoring and, in TSA's opinion, eliminates the need for multiple CHRCs. If an airport submits multiple CHRCs, they must be accompanied by multiple Rap Back subscriptions. According to TSA, airports conducting multiple CHRCs on an individual per language in their ASP should change their ASP to fit TSA's Rap Back programming needs.
Per the Rap Back ASP amendment, airports have two years to subscribe their entire eligible population, including those individuals who were vetted and badged with a 'search and retain' transaction prior to March 29, 2022, or at badge renewal, whichever comes first. As a result, if an airport renews badges on an annual basis, the renewal CHRC must have a Rap Back subscription or it will be rejected.
In March, TSA sent out a policy clarification letter regarding transactions that include updated Rap Sheets like the Rap Back Subscription Response (RBSR). Under the policy clarification letter, each operator was given 90 calendar days from March 30, 2022 to clear their work queue of RBSRs. After 90 days, operators must review in FPRD any Rap Back response that includes a Rap Sheet, to include RBSRs, Rap Back Activity Notifications (RBNs), Rap Back Maintenance Transaction- Uncancel, and Manual Name Check Responses (MNCRs), as they arrive, within three business days.
Operators must click on the 'view rap sheet' link for each RBSR in the work queue to determine if any updated rap sheet information is present or not. It is possible new criminal information could be present. For compliance purposes, operators must 'Complete the Review' in FPRD for these transactions. However, it does not mean that the operator has completed the adjudication process and made a final determination. TSA cautioned operators that while they can subscribe the remainder of their covered population into Rap Back at any time, it may be beneficial to consider 'subscription management' and submit 100-200 cases at a time rather than thousands at one time due to this requirement.
Rap Back Subscription Mismatch Update: TSA reported that, in rare cases, the status of a Rap Back subscription in TSA does not always match the status in FBI's NGI system. This discrepancy is often realized when an operator attempts to submit a Rap Back maintenance transaction (RBMNT) to extend the expiration date of a subscription or cancel a subscription on the expiration date of the subscription, and an unexpected error is returned from the FBI stating the subscription is in a different state than what is listed in FPRD. The most common example of this issue observed thus far is the following: An operator attempts to cancel a subscription listed as Active in FPRD, and NGI returns an error with the following message: 'RB007-Rap Back maintenance cannot be performed on subscription <RBSI #> because it has expired or been cancelled. A new Rap back subscription must be established.' TSA does not consider this to be an issue of non-compliance with the Rap Back mandate and will consider these instances on a case-by-case basis. Airports are encouraged to communicate instances where Rap Back transactions submitted through their Designated Aviation Channeler (DAC) to TSA are met with errors from NGI, and TSA will work with the DACs and FBI to resolve these cases. TSA reconciles records with the FBI semi-annually and will continue to communicate these as they come up.
eBadge Update: There are currently 31 airports participating in the voluntary eBadge program with just under 200,000 submissions. eBadge allows TSA to share the fingerprints provided by airports to TSA for aviation worker vetting with CBP for the FIS seal process, leveraging the biometric and biographic prints to conduct simultaneous vetting by TSA and CBP. However, local CBP will most likely still require manual submission of Form 3078 and some field offices may also require a separate set of fingerprints. Despite this CBP requirement for additional fingerprints, TSA will not accept the second CHRC without a second Rap Back subscription. TSA advises that airports work with their local CBP to either convince them to remove the requirement, submit directly to CBP's manual and time-consuming vetting platform, or continue to submit duplicate Rap Back subscriptions.
TSA is working with CBP to address one of several eBadge system inequities related to multiple employer scenarios, which were highlighted by BWI and IAD airports.
Safe Skies
Jessica Grizzle from Safe Skies provided an update on the organization's latest research.
Safe Skies recently issued the following ASSIST reports:
SSDA'”22-006 Bosch FLEXIDOME IP starlight 8000i Video Analytic Outdoor Exit Lane Breach Detection System '“ Santa Barbara Airport
SSDA'”22-007 Senstar Symphony 7â„¢ Video Analytic Outdoor Exit Lane Breach Detection System '“ Santa Barbara Airport
Airport Security Coordinators who wish to request the ASSIST reports may email anna.hamilton@sskies.org or navigate to the Safe Skies Conference area on HSIN to download them.
Two PARAS Requests for Proposals (RFPs) recently closed and contractors will be selected soon to conduct research on PARAS 0045 Guidance for Biometric Technology at Airports and PARAS 0047 Practices and Considerations for Centralized Revocation Database Use. According to Grizzle, PARAS 0045 on the Centralized Revocation Database will focus on the practical use of the database, from the process of revocation to entry of individuals to how an airport chooses to use the information provided by the database.
Next TSA Conference Call
The next TSA conference call for airport stakeholders is scheduled for Thursday, June 2, 2022, at 1:00 p.m. ET. Please note the conference call number is 1-800-857-5826 and passcode is 9596778.
Alan Paterno noted that if you currently receive a calendar invitation for the monthly call directly from him, you may receive a cancellation notice followed by an updated calendar invite. Paterno reminded recipients that the calendar invite should only be shared with airport employees or authorized representatives directly responsible for carrying out the airport's security program.
Paterno also noted that TSA will be scheduling a dedicated briefing for airports on the Capability Acceptance Program (CAP). TSA's Office of Inspections has also agreed to brief airport operators on current Red Team testing known as Project Chameleon. Additional details to follow.
TSA held its monthly conference call for airport stakeholders on May 5. The conference call was led by Alan Paterno, TSA's Industry Engagement Manager for Airports in the office of Policy, Plans and Engagement (PPE).
Update from Policy, Plans and Engagement
A proposed change to the recently issued TSA-NA-21-02A Ramp Movement (which superseded the long-standing 1993 FAA Ramp Movement Amendment) is being routed for signature internally at TSA and will be issued for notice and comment in May or early June. The comment period will be at least 30 days. The proposed change would allow airport operators to recognize air carrier issued identification media for unescorted access on the ramp.
TSA is also in the early stages of drafting a proposed Airport Security Program amendment to consolidate and expand exiting public advisory requirements to include notices that firearms are not permitted through the checkpoint or in restricted areas. A draft of the proposed ASP amendment has been shared with AAAE and the Quarterly Airport Security Review for initial and informal feedback. TSA is also open to additional ideas of how to reduce firearms at the checkpoint.
Centralized Revocation Database
The Centralized Revocation Database, which was recommended by the Aviation Security Advisory Committee (ASAC) and required under law by the TSA Modernization Act of 2018, went into effect in June 2021. Airport and aircraft operators have entered over 180 individuals that have had their identification media permanently revoked due to aviation security violations into the database to date.
TSA is currently conducting outreach to several airports and air carriers to remove certain individuals from the database, especially those submitted before the effective date or who were never issued badges. In certain cases, TSA may request additional information to ensure the individual meets the criteria to be entered into the database.
TSA has also updated its Centralized Revocation Database User Guide and Briefing Slides. The updated user guide will contain additional scenarios and examples for when an individual should or should not be entered into the database. TSA provided several examples of reasons why individuals should not be included in the database, such as: single security violations like piggybacking; loss of FAA airmen certificate; employment termination without any further details; discovery of disqualifying crimes during the CHRC process; petty theft or stolen items; or, refusing to cooperate in an investigation. The updated User Guide will be posted on HSIN and FPRD in the near future.
CDC Recommendation for Masks on Public Transportation
Vera Adams, Executive Director, Aviation Division, PPE, highlighted the recent recommendation by CDC that everyone aged 2 and older '“ including passengers and workers - properly wear a well-fitting mask or respirator over the nose and mouth in indoor areas of public transportation (such as airplanes, trains, etc.) and transportation hubs (such as airports, stations, etc.). Adams stressed that TSA has no immediate plans to reinstate its Security Directive implementing the mask mandate due to the court injunction.
TSA InfoBoard AvOps Cybersecurity
TSA has created a new board on the Homeland Security Information Network (HSIN) entitled the TSA InfoBoard AvOps Cybersecurity. The Cyber Board was created for the cybersecurity coordinators and alternates required under TSA-NA-21-05 Cybersecurity Incident Reporting, which went into effect on January 10, 2022. Federal Security Directors were required to submit cybersecurity points-of-contact to TSA HQ to grant individuals (who must be U.S. citizens) access to the board. The Cyber Board will contain Alerts and Notices related to cybersecurity issued by DHS' Cybersecurity and Infrastructure Security Agency (CISA), FBI, TSA and others and is intended for cybersecurity coordinators as named under TSA-NA-21-05. Individuals who currently have access to the TSA InfoBoard AvOps Airport Security (ACO-200) will automatically be granted access to the new Cyber Board. However, it is a manual and time-consuming process to add users to the new board so it may take several months before ACO-200 users are granted access. In the meantime, information posted to the Cyber Board will continue to be posted to the ACO-200 board.
AAAE questioned the process of how cybersecurity coordinators and airport operators were notified of how to access the new board. Individuals who are cybersecurity coordinators who have not been contacted by their FSDs about access to the board can reach out to their local TSA Transportation Security Inspectors (TSIs) to begin the process.
REAL ID
In less than a year, beginning May 3, 2023, every air traveler 18 years of age and older will need a REAL ID-compliant driver's license or identification card, state-issued enhanced driver's license, or another TSA-acceptable form of identification at airport security checkpoints for domestic air travel.
The previous enforcement deadline of October 1, 2021 was extended due to impacts of the pandemic. However, despite the fact that state DMVs are back up and running (for the most part), REAL ID adoption rates remain lower than historical levels at just 0.5 percent. As of April, there were 277 million state issued driver's licenses and identification cards, of which 136 million (or 49 percent) are REAL ID compliant, 101 million are not REAL ID compliant and 40 million are legacy cards that will need to be renewed. Legacy driver's licenses and identification cards represent that greatest chance to convert to a REAL ID; yet, in the first quarter, 200,000 more non-compliant cards were issued than compliant REAL IDs. TSA noted that more needs to be done to maximize conversion to REAL IDs.
In December 2020, Congress passed the REAL ID Modernization Act which, among other things, allowed for individuals to digitally submit documentation necessary for a REAL ID. However, DHS does not plan to issue the Notice of Proposed Rulemaking to implement the digital submission flexibility until November 2022, meaning a final rule would not go into effect until at least 6 months after that if not longer. The REAL ID Modernization Act also required airlines to inform passengers of REAL ID requirements at booking and check-in. TSA recently issued an airport operator security program change that required airlines to begin this notification as of May 2.
TSA is also conducting a number of engagement activities with airports, air carriers and states to inform the traveling public of the upcoming enforcement deadline. Marketing collateral from its most recent 'Be Your REAL ID Self' campaign is available upon request. TSA is also seeking funding for an additional marketing campaign this year.
Finally, TSA is working with DHS S&T on a data collection and analysis capability to inform the agency's implementation of the enforcement deadline and minimize impact on checkpoint operations. TSA stated today that it is too early to gauge the impact on checkpoint operations.
Credential Authentication Technology (CAT) Deployment
Gina Bigelow from TSA's Acquisition and Program Management (APM) noted that the CAT program office typically updates the ID document library on a quarterly basis but has been providing almost monthly updates in recent months. The latest round of updates including the following IDs: DOD Next Generation Dependent / Retiree; North Carolina; Nevada; Rhode Island; South Carolina; West Virginia; New York; Illinois; Arkansas; Michigan; Missouri; Tennessee; Louisiana; and Massachusetts.
TSA has procured and is currently deploying 534 CAT-systems to 97 airports. Deployment began in late January 2022 and is expected to be completed in early November 2022. This includes 122 CAT-2 (also known as CAT with camera) upgrade systems, 107 of which have already been deployed. TSA plans to deploy 412 CAT units and relocate 102 to expand coverage at Category III and IV airports.
The CAT program office is the process of procuring 730 additional CAT-2 systems and anticipates starting deployment in Fiscal Year 2023.
Update from Enrollment Services and Vetting Programs
Rap Back: As of March 29, due to the Rap Back mandate, all CHRCs submitted to TSA must contain a Rap Back subscription. There are no exceptions to this rule despite any airport best practices or ASP requirements that may be in place, local CBP requirements, or business use cases. Any CHRC sent to TSA '“ including CHRCs for individuals already enrolled in Rap Back '“ without a Rap Back subscription will be rejected by TSA. TSA further explained that there is no TSA requirement to have multiple CHRCs for the same employees. Rap Back provides continuous monitoring and, in TSA's opinion, eliminates the need for multiple CHRCs. If an airport submits multiple CHRCs, they must be accompanied by multiple Rap Back subscriptions. According to TSA, airports conducting multiple CHRCs on an individual per language in their ASP should change their ASP to fit TSA's Rap Back programming needs.
Per the Rap Back ASP amendment, airports have two years to subscribe their entire eligible population, including those individuals who were vetted and badged with a 'search and retain' transaction prior to March 29, 2022, or at badge renewal, whichever comes first. As a result, if an airport renews badges on an annual basis, the renewal CHRC must have a Rap Back subscription or it will be rejected.
In March, TSA sent out a policy clarification letter regarding transactions that include updated Rap Sheets like the Rap Back Subscription Response (RBSR). Under the policy clarification letter, each operator was given 90 calendar days from March 30, 2022 to clear their work queue of RBSRs. After 90 days, operators must review in FPRD any Rap Back response that includes a Rap Sheet, to include RBSRs, Rap Back Activity Notifications (RBNs), Rap Back Maintenance Transaction- Uncancel, and Manual Name Check Responses (MNCRs), as they arrive, within three business days.
Operators must click on the 'view rap sheet' link for each RBSR in the work queue to determine if any updated rap sheet information is present or not. It is possible new criminal information could be present. For compliance purposes, operators must 'Complete the Review' in FPRD for these transactions. However, it does not mean that the operator has completed the adjudication process and made a final determination. TSA cautioned operators that while they can subscribe the remainder of their covered population into Rap Back at any time, it may be beneficial to consider 'subscription management' and submit 100-200 cases at a time rather than thousands at one time due to this requirement.
Rap Back Subscription Mismatch Update: TSA reported that, in rare cases, the status of a Rap Back subscription in TSA does not always match the status in FBI's NGI system. This discrepancy is often realized when an operator attempts to submit a Rap Back maintenance transaction (RBMNT) to extend the expiration date of a subscription or cancel a subscription on the expiration date of the subscription, and an unexpected error is returned from the FBI stating the subscription is in a different state than what is listed in FPRD. The most common example of this issue observed thus far is the following: An operator attempts to cancel a subscription listed as Active in FPRD, and NGI returns an error with the following message: 'RB007-Rap Back maintenance cannot be performed on subscription <RBSI #> because it has expired or been cancelled. A new Rap back subscription must be established.' TSA does not consider this to be an issue of non-compliance with the Rap Back mandate and will consider these instances on a case-by-case basis. Airports are encouraged to communicate instances where Rap Back transactions submitted through their Designated Aviation Channeler (DAC) to TSA are met with errors from NGI, and TSA will work with the DACs and FBI to resolve these cases. TSA reconciles records with the FBI semi-annually and will continue to communicate these as they come up.
eBadge Update: There are currently 31 airports participating in the voluntary eBadge program with just under 200,000 submissions. eBadge allows TSA to share the fingerprints provided by airports to TSA for aviation worker vetting with CBP for the FIS seal process, leveraging the biometric and biographic prints to conduct simultaneous vetting by TSA and CBP. However, local CBP will most likely still require manual submission of Form 3078 and some field offices may also require a separate set of fingerprints. Despite this CBP requirement for additional fingerprints, TSA will not accept the second CHRC without a second Rap Back subscription. TSA advises that airports work with their local CBP to either convince them to remove the requirement, submit directly to CBP's manual and time-consuming vetting platform, or continue to submit duplicate Rap Back subscriptions.
TSA is working with CBP to address one of several eBadge system inequities related to multiple employer scenarios, which were highlighted by BWI and IAD airports.
Safe Skies
Jessica Grizzle from Safe Skies provided an update on the organization's latest research.
Safe Skies recently issued the following ASSIST reports:
SSDA'”22-006 Bosch FLEXIDOME IP starlight 8000i Video Analytic Outdoor Exit Lane Breach Detection System '“ Santa Barbara Airport
SSDA'”22-007 Senstar Symphony 7â„¢ Video Analytic Outdoor Exit Lane Breach Detection System '“ Santa Barbara Airport
Airport Security Coordinators who wish to request the ASSIST reports may email anna.hamilton@sskies.org or navigate to the Safe Skies Conference area on HSIN to download them.
Two PARAS Requests for Proposals (RFPs) recently closed and contractors will be selected soon to conduct research on PARAS 0045 Guidance for Biometric Technology at Airports and PARAS 0047 Practices and Considerations for Centralized Revocation Database Use. According to Grizzle, PARAS 0045 on the Centralized Revocation Database will focus on the practical use of the database, from the process of revocation to entry of individuals to how an airport chooses to use the information provided by the database.
Next TSA Conference Call
The next TSA conference call for airport stakeholders is scheduled for Thursday, June 2, 2022, at 1:00 p.m. ET. Please note the conference call number is 1-800-857-5826 and passcode is 9596778.
Alan Paterno noted that if you currently receive a calendar invitation for the monthly call directly from him, you may receive a cancellation notice followed by an updated calendar invite. Paterno reminded recipients that the calendar invite should only be shared with airport employees or authorized representatives directly responsible for carrying out the airport's security program.
Paterno also noted that TSA will be scheduling a dedicated briefing for airports on the Capability Acceptance Program (CAP). TSA's Office of Inspections has also agreed to brief airport operators on current Red Team testing known as Project Chameleon. Additional details to follow.