TSA Has Made Progress Implementing Requirements in the Aviation Security Act of 2016. GAO-17-662 Sep 7, 2017.
Recent incidents involving aviation workers conducting criminal activity in the nation's commercial airports have led to interest in the measures TSA and airport operators use to control access to secure areas of airports. The 2016 ASA required TSA to take several actions related to oversight of access control security at airports. The Act also contains a provision for GAO to report on progress made by TSA.
This report examines, among other issues, progress TSA has made in addressing the applicable requirements of the 2016 ASA. GAO compared information obtained from TSA policies, reports, and interviews with TSA officials to the requirements in the 2016 ASA. GAO also visited three airports to observe their use of access controls and interviewed TSA personnel. The non-generalizable group of airports was selected to reflect different types of access control measures and airport categories.
The Transportation Security Administration (TSA) has generally made progress addressing the 69 applicable requirements within the Aviation Security Act of 2016 (2016 ASA). As of June 2017, TSA had implemented 48 of the requirements; it plans no further action on these. For 18 requirements, TSA officials took initial actions and plans further action. TSA officials stated they have yet to take action on 2 requirements and plan to address them in the near future. TSA officials took no action on 1 requirement regarding access control rules because it plans to address this through mechanisms other than formal rulemaking, such as drafting a national amendment to airport operator security programs. Key examples of TSA's progress in implementing the requirements in the eight relevant sections of the Act are shown below:
Conduct a Threat Assessment: TSA conducted a threat assessment that analyzed vulnerabilities related to the insider threat—that is, the threat posed by aviation workers who exploit their access privileges to secure areas of an airport for personal gain or to inflict damage.
Enhance Oversight Activities: Among other things, TSA developed a list of measures for airport operators to perform, such as an airport rebadging if the percent of badges unaccounted for exceeds a certain threshold.
Update Airport Employee Credential Guidance: TSA issued guidance to airport operators to match the expiration date of a non-U.S. citizen aviation worker's identification badge to the individual's U.S. work authorization status.
Vet Airport Employees: In addition to making progress on updating employee vetting rules, TSA coordinated with the Federal Bureau of Investigation (FBI) to implement the FBI's Rap Back service for providing recurrent fingerprint-based criminal history record checks for aviation workers.
Develop and Implement Access Control Metrics: TSA developed and implemented a metric that determines the percentage of TSA secure area inspections found to be in compliance with the airport security program.
Develop a Tool for Unescorted Access Security: According to TSA officials , they developed a tool designed to ensure that aviation workers with unescorted access are randomly screened for prohibited items, such as firearms and explosives, and to check for proper identification.
Increase Covert Testing: TSA plans to increase the number of covert tests of access controls it will perform in 2017.
Review Security Directives: Security directives are issued by TSA when, for example, additional measures are required to respond to a threat. TSA officials stated they review all security directives annually to consider the need for revocation or revision, and brief Congress when new directives are to be issued.