[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3469 Engrossed in House (EH)]

<DOC>
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
116th CONGRESS
  1st Session
                                H. R. 3469

_______________________________________________________________________

                                 AN ACT


 
   To direct the Transportation Security Administration to carry out 
  covert testing and risk mitigation improvement of aviation security 
                  operations, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Covert Testing and Risk Mitigation 
Improvement Act of 2019''.

SEC. 2. TSA COVERT TESTING AND RISK MITIGATION IMPROVEMENT.

    (a) In General.--Not later than 180 days after the date of the 
enactment of this Act and annually thereafter, the Administrator of the 
Transportation Security Administration shall implement the following:
            (1) A system for conducting risk-informed headquarters-
        based covert tests of aviation security operations, including 
        relating to airport passenger and baggage security screening 
        operations, that can yield statistically valid data that can be 
        used to identify and assess the nature and extent of 
        vulnerabilities to such operations that are not mitigated by 
        current security practices. The Administrator shall execute 
        annually not fewer than three risk-informed covert testing 
        projects designed to identify systemic vulnerabilities in the 
        transportation security system, and shall document the 
        assumptions and rationale guiding the selection of such 
        projects.
            (2) A long-term headquarters-based covert testing program, 
        employing static but risk-informed threat vectors, designed to 
        assess changes in overall screening effectiveness.
    (b) Mitigation.--
            (1) In general.--The Administrator of the Transportation 
        Security Administration shall establish a system to address and 
        mitigate the vulnerabilities identified and assessed pursuant 
        to the testing conducted under subsection (a).
            (2) Analysis.--Not later than 60 days after the 
        identification of any such vulnerability, the Administrator 
        shall ensure a vulnerability described in paragraph (1) is 
        analyzed to determine root causes.
            (3) Determination.--Not later than 120 days after the 
        identification of any such vulnerability, the Administrator 
        shall make a determination regarding whether or not to mitigate 
        such vulnerability. The Administrator shall prioritize 
        mitigating vulnerabilities based on their ability to reduce 
        risk. If the Administrator determines--
                    (A) to not mitigate such vulnerability, the 
                Administrator shall document the reasons for the 
                decision; or
                    (B) to mitigate such vulnerability, the 
                Administrator shall establish and document--
                            (i) key milestones appropriate for the 
                        level of effort required to so mitigate such 
                        vulnerability; and
                            (ii) a date by which measures to so 
                        mitigate such vulnerability shall be 
                        implemented by the Transportation Security 
                        Administration.
            (4) Retesting.--Not later than 180 days after the date on 
        which measures to mitigate a vulnerability are completed by the 
        Transportation Security Administration pursuant to paragraph 
        (3)(B)(ii), the Administrator shall conduct a covert test in 
        accordance with subsection (a) of the aviation security 
        operation with respect to which such vulnerability was 
        identified to assess the effectiveness of such measures to 
        mitigate such vulnerability.
    (c) Compilation of Lists.--
            (1) In general.--Not later than 60 days after completing a 
        covert testing protocol under subsection (a), the Administrator 
        of the Transportation Security Administration shall compile a 
        list (including a classified annex if necessary) of the 
        vulnerabilities identified and assessed pursuant to such 
        testing. Each such list shall contain, at a minimum, the 
        following:
                    (A) A brief description of the nature of each 
                vulnerability so identified and assessed.
                    (B) The date on which each vulnerability was so 
                identified and assessed.
                    (C) Key milestones appropriate for the level of 
                effort required to mitigate each vulnerability, as well 
                as an indication of whether each such milestone has 
                been met.
                    (D) An indication of whether each vulnerability has 
                been mitigated or reduced and, if so, the date on which 
                each such vulnerability was so mitigated or reduced.
                    (E) If a vulnerability has not been fully 
                mitigated, the date by which the Administrator shall so 
                mitigate such vulnerability or a determination that it 
                is not possible to fully mitigate such vulnerability.
                    (F) The results of any subsequent covert testing 
                undertaken to assess whether mitigation efforts have 
                eliminated or reduced each vulnerability.
            (2) Submission to congress.--The Administrator shall submit 
        to the Committee on Homeland Security of the House of 
        Representatives and the Committee on Commerce, Science, and 
        Transportation of the Senate a comprehensive document tracking 
        the status of the information required under paragraph (1) 
        together with the Transportation Security Administration's 
        annual budget request.
    (d) GAO Review.--Not later than 3 years after the date of the 
enactment of this Act, the Comptroller General of the United States 
shall review and submit to the Administrator of the Transportation 
Security Administration and the Committee on Homeland Security of the 
House of Representatives and the Committee on Commerce, Science, and 
Transportation of the Senate a report on the effectiveness of the 
Transportation Security Administration's processes for conducting 
covert testing projects that yield statistically valid data that can be 
used to assess the nature and extent of vulnerabilities to aviation 
security operations that are not effectively mitigated by current 
security operations.

            Passed the House of Representatives December 9, 2019.

            Attest:

                                                                 Clerk.
116th CONGRESS

  1st Session

                               H. R. 3469

_______________________________________________________________________

                                 AN ACT

   To direct the Transportation Security Administration to carry out 
  covert testing and risk mitigation improvement of aviation security 
                  operations, and for other purposes.