Security Policy Alert: Summary of TSA's Monthly Conference Call for Airport Stakeholders
September 3, 2020
This afternoon, TSA held its monthly conference call for airport stakeholders. The conference call was led by Alan Paterno, TSA's Airport Industry Engagement Manager in the office of Plans, Policy and Engagement (PPE). Following are highlights from today's call:
Innovation Task Force Broad Agency Announcement
Steve Coda from TSA's Innovation Task Force (ITF) provided an update on the ITF's most recent Broad Agency Announcements (BAAs). He also reported that Matt Gilkeson was recently named as the permanent Director for the ITF; Matt had been Acting Director since May following Mara Winn's departure to another DHS component agency.
TSA is preparing demonstrations of several solutions submitted last year under the agency's fourth ITF BAA. Two are related to virtual reality training for Federal Air Marshals (FAMs) and Transportation Security Officers. Another solution would provide geospatial capability to FAMs for Joint Vulnerability Assessments (JVAs). The only checkpoint screening solution to be demonstrated involves a material characterization alarm resolution x-ray made by an international company called Halo. Given the restrictions on international travel during COVID-19, the Halo X-ray demonstration has been delayed until at least October.
TSA released a fifth BAA on July 1 with a closing date of September 7 (Labor Day). The BAA included three problem statements and one request for information. The problems statements focused on soliciting solutions to provide: 1) social distancing capabilities, particularly related to screening from a distance; 2) cleaning solutions that do not involve a human agent (such as self-cleaning bins within Automated Screening Lanes (ASLs) using UV sanitizing lights); and 3) risk-based dynamic screening to allow passengers to be screened to their risk profile regardless of the queue lane (i.e. standard or PreCheck) they are in.
The BAA also included a Request for Information related to the TSA's Insider Threat Roadmap looking for commercially viable solutions for airports and air carriers to purchase and deploy to screen their own employees. TSA ITF will be sharing the information collected through the RFI with industry and Policy, Plans and Engagement.
Updates from Policy, Plans, and Engagement (PPE)
Kevin Knott introduced Jonathan Walton who has been named as Section Chief for Airports Special Programs. Walton previously served as a Transportation Security Inspector in the office of Compliance, serving at a number of airports including Clark County Department of Aviation, Sacramento, several smaller airports in Northern California, and LAWA and LAWA Police Department.
Security Directive 1542-04-08Q: TSA formed an internal working group to revise and update the Security Directive 1542-04-08 series. Draft revisions to SD 1542-04-08 series include:
Cyber and UAS Incident Reporting: TSA plans to issue for notice and comment proposed ASP, AOSSP and MSP amendments to require reporting of cyber and UAS incidents to TSA. Existing reporting requirements will not change under the proposed amendments. AAAE and the Quarterly Airport Security Review has provided feedback and comments on previous drafts of the proposed cyber and UAS incident reporting requirements. Current drafts are being routed internally within TSA and the agency expects to issue the proposed amendments for notice and comment in the fall.
TSA noted that they continue to adjudicate comments on the proposed amendments regarding the Rap Back program and the Centralized Revocation Database but did not provide any further details.
Airport Vetting and Access/Watchlist Vetting: TSA merrily reported that all airports are in compliance with ASP Amendment 18-01 regarding Airport Access and Vetting. As a result, Security Directive 1542-01-10K Threat to US Airports- No Fly and Selectee Lists Procedures is no longer applicable and will be officially rescinded in the near future. TSA is planning an ASP amendment for airports without ID media systems (and therefore not subject to STA requirements) to update the procedures currently outlined in Section III of ASP Amendment 18-01. TSA has created a Transportation Vetting Portal that will allow for perpetual vetting for employees at these airports (as well as air carrier employees). TSA will likely release the proposed ASP amendment for smaller airports with ID media systems after the Transportation Vetting Portal has been tested and is available for use.
Compliance Update
Action Plan Program Review: Joe Kris from TSA's office of Compliance provided an overview of last week's Action Plan Program review, the second of three scheduled reviews on the program. There are currently approximately 250 Action Plans in place across all regulated entities and 94 with airport operators. TSA has seen an $8 million investment in corrective actions by regulated entities as a result of the Action Plans. TSA posted the presentation used during the Action Plan Program review on the Homeland Security Information Network (HSIN).
During the review, TSA proposed to include Action Plans offers in Letters of Investigation to streamline the process and better promote the option of an Action Plan. AAAE, Airlines for America, ACI-NA, airports and air carriers participating in the review expressed significant concerns regarding this approach, which TSA originally planned to implement at the start of FY 2021 on October 1. A template of the proposed LOI with Action Plan offer is posted as part of the Action Plan Program Review presentation on HSIN. We encourage you to review it and provide any comments and feedback to TSA as soon as possible to the e-mail address: ask_compliance@tsa.dhs.gov.
There was also discussion of using additional metrics besides monetary investments to measure the effectiveness of the Action Plan Program, such as the number of training conducted or security procedure changes. Based on industry feedback, TSA is also looking at root cause and root cause analysis to evaluate training or briefings that can be provided to industry to promote consistency of analysis of root cause between TSA and regulated entities.
Cybersecurity Special Emphasis Assessment (SEA): TSA shared the results of the special emphasis assessment conducted across all commercial service airports in June focused on airport adoption of Information Circular (IC) 17-01B regarding cybersecurity. Twenty percent of all airports had adopted all of the recommended measures included in the IC. Eighty percent of all airports had adopted at least six of the recommended measures since not all measures included in the IC are applicable to all airports. Only three airports had not adopted any of the recommended measures. TSA will be sharing the results of the SEA with DHS' Critical Infrastructure and Cyber Security Agency (CISA), TSA's Intelligence and Analysis and Policy, Plans and Engagement. TSA plans to conduct the SEA again in FY 2021, likely in the spring or summer.
TSA also found that roughly 5 percent of airports were not accessing HSIN and encouraged all airports to regularly check HSIN for important information posted by TSA.
Enrollment Services and Vetting Programs Update
Rap Back: There are 233 participating operators in the Rap Back program - 221 airports and 12 air carriers - with 622,000 active subscriptions. TSA has seen an increase in the number of Rap Back subscription expirations and encouraged airports to renew or cancel Rap Back subscription before they expire. TSA posted the updated Rap Back User Guide Version 2.1 dated August 24, 2020 to the FPRD and HSIN. TSA also increased its available resources to assist in the on-boarding of 120 airports to the Rap Back program prior to the mandatory Rap Back requirements. Please contact TSA if you are interested in participating in the program prior to the Rap Back amendment becoming final.
Security Threat Assessments (STAs): TSA reported that STA processing is currently taking an average of nine days. TSA has allocated resources to address the STA cases in the queue. TSA thanked airports for their patience and requested that airports allow TSA sufficient time to work the cases.
eBadge: Twenty out an eligible 72 airports are currently participating the in the automated eBadge program with several additional airports planning to begin eBadge operations in the near future. There have been approximately 5,400 eBadge transactions since the program went live in April. Following is a list of participating airports:
TSA is deploying 501 Credential Authentication Technology machines to 90 airports, including Category X, I, and II airports. Deployments began in June at the first 14 airports; however, TSA had to pause the deployments due to a power board issue with these systems in July. The power board issue has now been addressed and the original 14 airports should receive their updated units in September. TSA plans to deploy to 75 more airports in October. TSA will provide a detailed deployment schedule to AAAE and we will share that as soon as it is available.
Next TSA Conference Call
The next TSA conference call for airport stakeholders is scheduled for Thursday, October 1 at 1:00 p.m. ET.
This afternoon, TSA held its monthly conference call for airport stakeholders. The conference call was led by Alan Paterno, TSA's Airport Industry Engagement Manager in the office of Plans, Policy and Engagement (PPE). Following are highlights from today's call:
Steve Coda from TSA's Innovation Task Force (ITF) provided an update on the ITF's most recent Broad Agency Announcements (BAAs). He also reported that Matt Gilkeson was recently named as the permanent Director for the ITF; Matt had been Acting Director since May following Mara Winn's departure to another DHS component agency.
TSA is preparing demonstrations of several solutions submitted last year under the agency's fourth ITF BAA. Two are related to virtual reality training for Federal Air Marshals (FAMs) and Transportation Security Officers. Another solution would provide geospatial capability to FAMs for Joint Vulnerability Assessments (JVAs). The only checkpoint screening solution to be demonstrated involves a material characterization alarm resolution x-ray made by an international company called Halo. Given the restrictions on international travel during COVID-19, the Halo X-ray demonstration has been delayed until at least October.
TSA released a fifth BAA on July 1 with a closing date of September 7 (Labor Day). The BAA included three problem statements and one request for information. The problems statements focused on soliciting solutions to provide: 1) social distancing capabilities, particularly related to screening from a distance; 2) cleaning solutions that do not involve a human agent (such as self-cleaning bins within Automated Screening Lanes (ASLs) using UV sanitizing lights); and 3) risk-based dynamic screening to allow passengers to be screened to their risk profile regardless of the queue lane (i.e. standard or PreCheck) they are in.
The BAA also included a Request for Information related to the TSA's Insider Threat Roadmap looking for commercially viable solutions for airports and air carriers to purchase and deploy to screen their own employees. TSA ITF will be sharing the information collected through the RFI with industry and Policy, Plans and Engagement.
Updates from Policy, Plans, and Engagement (PPE)
Kevin Knott introduced Jonathan Walton who has been named as Section Chief for Airports Special Programs. Walton previously served as a Transportation Security Inspector in the office of Compliance, serving at a number of airports including Clark County Department of Aviation, Sacramento, several smaller airports in Northern California, and LAWA and LAWA Police Department.
Security Directive 1542-04-08Q: TSA formed an internal working group to revise and update the Security Directive 1542-04-08 series. Draft revisions to SD 1542-04-08 series include:
- Clarifications to the ID Media Renewals sub-section to assist airports with issues arising from airline participation in Rap Back. These issues are related to certifications from aircraft operator and CHRC requirements.
- Revisions to clarify identity verification and authorization to work requirements for TSA personnel and non-LEO Federal employees.
- An address change in Section VII due to the TSA Headquarters' move to Springfield, VA this fall/winter
- Revision of signature line because revisions are now approved at a different level within TSA
- Correction of reference number in Attachment A, Privacy Act Notice. TSA is also reviewing options to remove the Privacy Act Notice from the SD to avoid multiple updates to ASP programs and related paperwork requirements. AAAE has advocated for this change for some time given multiple, recent changes in the Privacy Act Notice and conflicting requirements between CHRCs, STAs, and Rap Back.
Cyber and UAS Incident Reporting: TSA plans to issue for notice and comment proposed ASP, AOSSP and MSP amendments to require reporting of cyber and UAS incidents to TSA. Existing reporting requirements will not change under the proposed amendments. AAAE and the Quarterly Airport Security Review has provided feedback and comments on previous drafts of the proposed cyber and UAS incident reporting requirements. Current drafts are being routed internally within TSA and the agency expects to issue the proposed amendments for notice and comment in the fall.
TSA noted that they continue to adjudicate comments on the proposed amendments regarding the Rap Back program and the Centralized Revocation Database but did not provide any further details.
Airport Vetting and Access/Watchlist Vetting: TSA merrily reported that all airports are in compliance with ASP Amendment 18-01 regarding Airport Access and Vetting. As a result, Security Directive 1542-01-10K Threat to US Airports- No Fly and Selectee Lists Procedures is no longer applicable and will be officially rescinded in the near future. TSA is planning an ASP amendment for airports without ID media systems (and therefore not subject to STA requirements) to update the procedures currently outlined in Section III of ASP Amendment 18-01. TSA has created a Transportation Vetting Portal that will allow for perpetual vetting for employees at these airports (as well as air carrier employees). TSA will likely release the proposed ASP amendment for smaller airports with ID media systems after the Transportation Vetting Portal has been tested and is available for use.
Compliance Update
Action Plan Program Review: Joe Kris from TSA's office of Compliance provided an overview of last week's Action Plan Program review, the second of three scheduled reviews on the program. There are currently approximately 250 Action Plans in place across all regulated entities and 94 with airport operators. TSA has seen an $8 million investment in corrective actions by regulated entities as a result of the Action Plans. TSA posted the presentation used during the Action Plan Program review on the Homeland Security Information Network (HSIN).
During the review, TSA proposed to include Action Plans offers in Letters of Investigation to streamline the process and better promote the option of an Action Plan. AAAE, Airlines for America, ACI-NA, airports and air carriers participating in the review expressed significant concerns regarding this approach, which TSA originally planned to implement at the start of FY 2021 on October 1. A template of the proposed LOI with Action Plan offer is posted as part of the Action Plan Program Review presentation on HSIN. We encourage you to review it and provide any comments and feedback to TSA as soon as possible to the e-mail address: ask_compliance@tsa.dhs.gov.
There was also discussion of using additional metrics besides monetary investments to measure the effectiveness of the Action Plan Program, such as the number of training conducted or security procedure changes. Based on industry feedback, TSA is also looking at root cause and root cause analysis to evaluate training or briefings that can be provided to industry to promote consistency of analysis of root cause between TSA and regulated entities.
Cybersecurity Special Emphasis Assessment (SEA): TSA shared the results of the special emphasis assessment conducted across all commercial service airports in June focused on airport adoption of Information Circular (IC) 17-01B regarding cybersecurity. Twenty percent of all airports had adopted all of the recommended measures included in the IC. Eighty percent of all airports had adopted at least six of the recommended measures since not all measures included in the IC are applicable to all airports. Only three airports had not adopted any of the recommended measures. TSA will be sharing the results of the SEA with DHS' Critical Infrastructure and Cyber Security Agency (CISA), TSA's Intelligence and Analysis and Policy, Plans and Engagement. TSA plans to conduct the SEA again in FY 2021, likely in the spring or summer.
TSA also found that roughly 5 percent of airports were not accessing HSIN and encouraged all airports to regularly check HSIN for important information posted by TSA.
Enrollment Services and Vetting Programs Update
Rap Back: There are 233 participating operators in the Rap Back program - 221 airports and 12 air carriers - with 622,000 active subscriptions. TSA has seen an increase in the number of Rap Back subscription expirations and encouraged airports to renew or cancel Rap Back subscription before they expire. TSA posted the updated Rap Back User Guide Version 2.1 dated August 24, 2020 to the FPRD and HSIN. TSA also increased its available resources to assist in the on-boarding of 120 airports to the Rap Back program prior to the mandatory Rap Back requirements. Please contact TSA if you are interested in participating in the program prior to the Rap Back amendment becoming final.
Security Threat Assessments (STAs): TSA reported that STA processing is currently taking an average of nine days. TSA has allocated resources to address the STA cases in the queue. TSA thanked airports for their patience and requested that airports allow TSA sufficient time to work the cases.
eBadge: Twenty out an eligible 72 airports are currently participating the in the automated eBadge program with several additional airports planning to begin eBadge operations in the near future. There have been approximately 5,400 eBadge transactions since the program went live in April. Following is a list of participating airports:
AUS Austin-Bergstrom International Airport
BDL Bradley International Airport
BUF Buffalo Niagara International Airport
BWI Baltimore-Washington International Thurgood Marshall Airport
FLL Fort Lauderdale-Hollywood International Airport
HNL Daniel K. Inouye International Airport
MCI Kansas City International Airport
MSP Minneapolis-Saint Paul International Airport
OAK Metropolitan Oakland International Airport
PHX Phoenix Sky Harbor International Airport
PSM Portsmouth International Airport at Pease
RNO Reno-Tahoe International Airport
SAN San Diego International Airport
SAV Savannah Hilton Head International Airport
SFO San Francisco International Airport
SJU Luis Munoz Marin International Airport
SLC Salt Lake City International Airport
SYR Syracuse Hancock International Airport
TPA Tampa International Airport
Credential Authentication Technology (CAT)BDL Bradley International Airport
BUF Buffalo Niagara International Airport
BWI Baltimore-Washington International Thurgood Marshall Airport
FLL Fort Lauderdale-Hollywood International Airport
HNL Daniel K. Inouye International Airport
MCI Kansas City International Airport
MSP Minneapolis-Saint Paul International Airport
OAK Metropolitan Oakland International Airport
PHX Phoenix Sky Harbor International Airport
PSM Portsmouth International Airport at Pease
RNO Reno-Tahoe International Airport
SAN San Diego International Airport
SAV Savannah Hilton Head International Airport
SFO San Francisco International Airport
SJU Luis Munoz Marin International Airport
SLC Salt Lake City International Airport
SYR Syracuse Hancock International Airport
TPA Tampa International Airport
TSA is deploying 501 Credential Authentication Technology machines to 90 airports, including Category X, I, and II airports. Deployments began in June at the first 14 airports; however, TSA had to pause the deployments due to a power board issue with these systems in July. The power board issue has now been addressed and the original 14 airports should receive their updated units in September. TSA plans to deploy to 75 more airports in October. TSA will provide a detailed deployment schedule to AAAE and we will share that as soon as it is available.
The next TSA conference call for airport stakeholders is scheduled for Thursday, October 1 at 1:00 p.m. ET.
