In March 2018, TSA Administrator Pekoske officially tasked the Aviation Security Advisory Committee (ASAC) to once again look at the security threat posed by airport insiders. ASAC referred the request to its newly formed Subcommittee on Insider Threat – a permanent subcommittee formed to assume the work and objective of the previous Employee Screening and Airport Access Control Working Group. That working group provided a report in 2015 with 28 recommendations related to employee screening, airport access control and insider threat mitigation that has driven efforts in this area for the past several years.
ASAC and its Subcommittee on Insider Threat delivered a series of reports to TSA throughout 2018 and 2019 addressing various aspects of the insider threat to aviation. In an interim report submitted late in 2018 that provided an unconstrained review of full employee screening, ASAC continued to recommend that TSA pursue a multi-layered, outcome focused, random, and robust approach to mitigating the insider threat, resulting in a reasonable expectation by aviation employees that they will be screened throughout their work day.
The interim report to TSA included an analysis of 100 percent or full employee screening and a discussion of minimum performance standards.
The interim report refuted the existence of 100 percent employee screening at any airport in the world given screening exemptions, limited operating hours and terminal focused scope. The report also reinforced the ASAC finding from its 2015 report that 100 percent physical screening is not an effective solution to address the insider threat. The review of minimum performance standards echoed the TSA Administrator’s own comments at a ministerial meeting of International Civil Aviation Organization (ICAO) in December 2018 at which the U.S. pushed back on a proposal for an international standard on 100 percent employee screening. In statements to the press following the ICAO meeting, Pekoske said he believed the approach should be more outcome-based and that he was increasingly focused on outcomes and trying to step away from prescribed levels of activity.
In 2019, ASAC approved a third and final report that builds on previous work done by TSA’s Insider Threat Advisory Group (ITAG) and makes 21 recommendations in the areas of: threat detection, assessment and response; aviation worker vetting and evaluation; aviation worker screening and access control; training and engagement; information sharing; and, governance and internal controls. Screening related recommendations focus on TSA’s efforts under the Advanced Threat and Local Allocation Strategy (ATLAS) programs and do not include any new requirements for airport operators to conduct physical screening. Other recommendations focus on insider threat awareness training, enhanced vetting of aviation workers and best practices for establishing robust insider threat mitigation programs.
ASAC delivered its report to TSA in advance of an ICAO meeting where the United States is expected to continue to push back against efforts from countries like the United Kingdom advocating for more stringent international standards for full physical staff screening.
On Capitol Hill, Congress in 2018 approved the first-ever TSA authorization bill as part of a broader package that also included FAA reauthorization legislation. The measure, which was signed into law in October, included several items pertaining to the insider threat:
• A cost and feasibility study at a statistically significant number of airports of all sizes to determine the cost to both the federal government and airport operators of “enhanced employee inspections,” including equipping all employee access points to secure areas with physical screening equipment, specific access control measures and CCTV;
• A review by TSA, in consultation with airports and air carriers, of aviation credentialing standards, policies and practices;
• A national database of aviation credentials that have been revoked for failure to comply with security requirements;
• A requirement for aviation employees with airport-issued Security Identification Display Area (SIDA) media to submit their social security number for vetting purposes;
• An effort led by TSA to work with airport operators and air carriers to enhance the security awareness of employees, especially in regard to the insider threat;
• Mandatory participation in the FBI’s Rap Back program for all credentialed aviation worker populations;
• Direction to the TSA Administrator to ensure that TSA’s Advanced Threat and Local Allocation Strategy (ATLAS) physical employee screening efforts are “targeted, strategic, and focused on providing the greatest level of security effectiveness,” including covert testing of TSA’s employee screening operations; and
• TSA consultation with airport operators and airline operators to identify advanced technologies, including biometric identification technologies, which could be used for securing employee access to the secured areas and sterile areas of airports.
AAAE staff was highly engaged with the House and Senate as these provisions were being drafted and debated, and the final product removed all references to 100 percent employee screening and reflected significant input from airport operators and the leadership and members of the Transportation Security Services Committee. With certain Members of Congress intent on pushing toward 100 percent physical screening requirements, this engagement was important in producing a final product that focused on enhanced inspection measures and other requirements rather than employee screening mandates.