119 HR 4126 IH: Aviation Risk Mitigation and Security Act U.S. House of Representatives 2025-06-25 text/xml EN Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.

I119th CONGRESS1st SessionH. R. 4126IN THE HOUSE OF REPRESENTATIVESJune 25, 2025Mr. Crane introduced the following bill; which was referred to the Committee on Homeland SecurityA BILLTo direct the Transportation Security Administration to carry out covert testing and risk mitigation improvement of aviation security operations, and for other purposes.

1.

Short title

This Act may be cited as the Aviation Risk Mitigation and Security Act or the ARMS Act.

2.

TSA covert testing and risk mitigation improvement

(a)

In general

Not later than 180 days after the date of the enactment of this Act, the Administrator of the Transportation Security Administration (TSA) shall establish the following to strengthen aviation security operations: (1)In accordance with subsection (b), a system for conducting risk-informed, headquarters-based covert testing project scenarios for aviation security operations, including relating to airport passenger and baggage security screening operations, that can yield statistically valid data that can be utilized to identify and assess the nature and extent of any vulnerabilities to such operations that are not mitigated by current security operations. (2)A long-term headquarters-based covert testing program, employing static but risk-informed threat vectors, based on annual risk assessments of emerging threats, designed to assess the effectiveness of aviation security operations on an annual basis. (b)

Methodology

The Administrator of the TSA shall conduct the risk-informed, headquarters-based covert testing project scenarios for aviation security operations under paragraph (1) of subsection (a) based on annual risk assessments of emerging threats. The Administrator shall— (1)conduct not fewer than three such covert testing project scenarios to identify any systemic vulnerabilities in aviation security operations, and ensure that each Category X airport in the United States is included in such covert testing project scenarios at least once per fiscal year; and (2)document the methodology, assumptions, and rationale guiding the selection and execution of such covert testing project scenarios to ensure statistical validity and actionable results. (c)

Mitigation

(1)

In general

The Administrator of the TSA shall establish a process to address and mitigate any vulnerabilities to aviation security operations identified and assessed pursuant to the covert testing project scenarios conducted under paragraph (1) of subsection (a). (2)

Analysis

Not later than 90 days after identifying a vulnerability referred to in paragraph (1), the Administrator of the TSA shall conduct a root cause analysis to determine the origin and contributing factors relating to such vulnerability. (3)

Determination

Not later than 150 days after conducting the analysis under paragraph (2), the Administrator of the TSA shall make a determination regarding whether or not to mitigate the vulnerability referred to in such paragraph, and shall prioritize mitigating such vulnerability based on the ability to reduce risk. If the Administrator determines— (A)to not mitigate such vulnerability, the Administrator shall document the justification relating thereto; or (B)to mitigate such vulnerability, the Administrator shall establish and document— (i)key milestones appropriate for the level of effort required to so mitigate such vulnerability; and (ii)a date by which measures to so mitigate such vulnerability shall be implemented by the TSA. (4)

Retesting

Not later than 180 days after the date on which measures to mitigate a vulnerability are completed by the TSA pursuant to paragraph (3)(B)(ii), and to the extent applicable, the Administrator of the TSA shall conduct a covert testing project scenario in accordance with subsection (a)(1) for the aviation security operation with respect to which such vulnerability was identified to assess the effectiveness of such measures to mitigate such vulnerability. (d)

Annual reporting

(1)

Compilation of test results

Not later than November 30 of the first full fiscal year that begins after the date of the enactment of this Act and annually thereafter, the Administrator of the TSA, in consultation with the Secretary of Homeland Security, shall produce a report detailing the results of all covert testing project scenarios for aviation security operations under subsection (a)(1) conducted in the immediately preceding fiscal year by the TSA. Each such report shall— (A)be submitted in unclassified form, but may contain a classified annex in accordance with paragraph (2); and (B)include— (i)a summary of all vulnerabilities to aviation security operations that were identified and the respective dates of such identifications; (ii)the status of mitigation efforts under subsection (c), including key milestones and expected completion dates; (iii)the results of retesting under such subsection on previously mitigated vulnerabilities; (iv)justifications for vulnerabilities that remain unmitigated under such subsection, and a determination of whether full mitigation is feasible; and (v)an assessment of security improvements based on covert testing data trends. (2)

Submission to Congress

The Administrator of the TSA shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate each report required under paragraph (1) together with the Transportation Security Administration’s annual budget request. Each such report may include classified and sensitive security information, and any such information shall be submitted as a classified annex. (3)

Public disclosure of covert testing performance at Category X airports

(A)

In general

Not later than November 30 of the first full fiscal year that begins after the date of the enactment of this Act and annually thereafter, the Administrator of the TSA shall publish, and maintain on a publicly accessible website of the TSA, a summary of performance data acquired as a result of covert testing project scenarios conducted at Category X airports under subsection (b)(1) during the immediately preceding fiscal year. Each such summary shall— (i)include, at a minimum— (I)the total number of tests carried out as part of such covert testing project scenarios conducted at Category X airports; (II)the aggregate pass rate and failure rate, expressed as percentages, for all such covert tests, calculated across all tested locations and covert testing project scenarios; and (III)general observations or trend data regarding changes in performance compared to the prior fiscal year; and (ii)not include test scenario details, methodologies, or airport-specific data that could compromise aviation security operations. (B)

Exception

Clause (ii) of subparagraph (A) shall not apply with respect to summary-level statistics regarding the overall performance of TSA screening operations at Category X airports for purposes of public availability of the annual summaries under such subparagraph. (e)

GAO review

Not later than three years after the date of the enactment of this Act, the Comptroller General of the United States shall submit to the Administrator of the TSA, the Committee on Homeland Security of the House of Representatives, and the Committee on Commerce, Science, and Transportation of the Senate a report on the effectiveness of the TSA’s processes for conducting covert testing that yields statistically valid data that can be utilized to assess the nature and extent of any vulnerabilities to aviation security operations that are not effectively mitigated by current security operations.