[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]



.               A REVIEW OF ACCESS CONTROL MEASURES AT 
                         OUR NATION'S AIRPORTS

=======================================================================

                                HEARINGS

                               	BEFORE THE

                            SUBCOMMITTEE ON
                        TRANSPORTATION SECURITY

                                 OF THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                  FEBRUARY 3, 2015 and APRIL 30, 2015

                               __________

                            Serial No. 114-1

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

[GRAPHIC NOT AVAILABLE IN TIFF FORMAT] 


                                     

      Available via the World Wide Web: http://www.gpo.gov/fdsys/

                               __________
                               
                               
                               
                  U.S. GOVERNMENT PUBLISHING OFFICE
94-105 PDF             WASHINGTON : 2015                  
                               
________________________________________________________________________________________ 
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].  

                              
                               
                               
                               
                               
                               

                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Loretta Sanchez, California
Mike Rogers, Alabama                 Sheila Jackson Lee, Texas
Candice S. Miller, Michigan, Vice    James R. Langevin, Rhode Island
    Chair                            Brian Higgins, New York
Patrick Meehan, Pennsylvania*        Cedric L. Richmond, Louisiana
Jeff Duncan, South Carolina          William R. Keating, Massachusetts
Tom Marino, Pennsylvania             Donald M. Payne, Jr., New Jersey
Steven M. Palazzo, Mississippi**     Filemon Vela, Texas
Lou Barletta, Pennsylvania           Bonnie Watson Coleman, New Jersey
Scott Perry, Pennsylvania            Kathleen M. Rice, New York
Curt Clawson, Florida                Norma J. Torres, California
John Katko, New York
Will Hurd, Texas
Earl L. ``Buddy'' Carter, Georgia
Mark Walker, North Carolina
Barry Loudermilk, Georgia
Martha McSally, Arizona
John Ratcliffe, Texas
                   Brendan P. Shields, Staff Director
                    Joan V. O'Hara,  General Counsel
                    Michael S. Twinchek, Chief Clerk
                I. Lanier Avant, Minority Staff Director
                                 ------                                

                SUBCOMMITTEE ON TRANSPORTATION SECURITY

                     John Katko, New York, Chairman
Mike Rogers, Alabama                 Kathleen M. Rice, New York
Earl L. ``Buddy'' Carter, Georgia    William R. Keating, Massachusetts
Mark Walker, North Carolina          Donald M. Payne, Jr., New Jersey
John Ratcliffe, Texas                Bennie G. Thompson, Mississippi 
Michael T. McCaul, Texas (ex             (ex officio)
    officio)
               Amanda Parikh, Subcommittee Staff Director
                    Dennis Terry, Subcommittee Clerk
             Vacancy, Minority Subcommittee Staff Director

* Honorable Patrick Meehan of Pennsylvania was elected to the 
    committee effective April 14, 2015.

** Honorable Steven M. Palazzo of Mississippi resigned from the 
    committee effective March 24, 2015.
                            C O N T E N T S

                              ----------                              
                                                                   Page

                       TUESDAY, FEBRUARY 3, 2015

                               STATEMENTS

The Honorable John Katko, a Representative in Congress From the 
  State of New York, and Chairman, Subcommittee on Transportation 
  Security:
  Oral Statement.................................................     1
  Prepared Statement.............................................     2
The Honorable Kathleen M. Rice, a Representative in Congress From 
  the State of New York, and Ranking Member, Subcommittee on 
  Transportation Security:
  Oral Statement.................................................     3
  Prepared Statement.............................................     4
The Honorable Michael T. McCaul, a Representative in Congress 
  From the State of Texas, and Chairman, Committee on Homeland 
  Security:
  Oral Statement.................................................     5
  Prepared Statement.............................................     6
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Oral Statement.................................................     7
  Prepared Statement.............................................     8

                               WITNESSES
                                Panel I

Mr. Mark Hatfield, Acting Deputy Administrator, Transportation 
  Security Administration, U.S. Department of Homeland Security:
  Oral Statement.................................................     9
  Prepared Statement.............................................    11
Mr. G. Doug Perdue, Deputy Assistant Director, Counterterrorism 
  Division, Federal Bureau of Investigation, U.S. Department of 
  Justice:
  Oral Statement.................................................    14
  Prepared Statement.............................................    17

                                Panel II

Mr. Miguel Southwell, General Manager, Hartsfield-Jackson Atlanta 
  International Airport:
  Oral Statement.................................................    43
  Prepared Statement.............................................    45
Ms. Sharon L. Pinkerton, Senior Vice President, Legislative and 
  Regulatory Policy, Airlines for America:
  Oral Statement.................................................    46
  Prepared Statement.............................................    48

                             FOR THE RECORD

The Honorable John Katko, a Representative in Congress From the 
  State of New York, and Chairman, Subcommittee on Transportation 
  Security:
  Statement of Kevin M. Burke, President and CEO, Airports 
    Council International--North America.........................    39
  Letter From the American Association of Airport Executives.....    42
The Honorable Kathleen M. Rice, a Representative in Congress From 
  the State of New York, and Ranking Member, Subcommittee on 
  Transportation Security:
  Letter From L.P. Robert Williams, AFGE Local 554 TSA Georgia...    38

                        THURSDAY, APRIL 30, 2015

                               STATEMENTS

The Honorable John Katko, a Representative in Congress From the 
  State of New York, and Chairman, Subcommittee on Transportation 
  Security:
  Oral Statement.................................................    59
  Prepared Statement.............................................    60
The Honorable Kathleen M. Rice, a Representative in Congress From 
  the State of New York, and Ranking Member, Subcommittee on 
  Transportation Security:
  Oral Statement.................................................    67
  Prepared Statement.............................................    68
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Prepared Statement.............................................    61

                               WITNESSES
                                Panel I

Mr. Melvin J. Carraway, Acting Administrator, Transportation 
  Security Administration, U.S. Department of Homeland Security:
  Oral Statement.................................................    63
  Prepared Statement.............................................    64

                                Panel II

Ms. Jeanne M. Olivier, A.A.E., Assistant Director, Aviation 
  Security and Technology, Security Operations and Programs 
  Department, The Port Authority of New York & New Jersey, 
  Testifying on Behalf of the American Association of Airport 
  Executives:
  Oral Statement.................................................    79
  Prepared Statement.............................................    81
Mr. Steven J. Grossman, Chief Executive Officer/Executive 
  Director, Jacksonville International Airport, Jacksonville 
  Aviation Authority, Testifying on Behalf of the Airports 
  Council International, North America:
  Oral Statement.................................................    85
  Prepared Statement.............................................    87

                                APPENDIX

Questions From Chairman John Katko for Melvin J. Carraway........   101
Questions From Chairman John Katko for Jeanne M. Olivier.........   103


      A REVIEW OF ACCESS CONTROL MEASURES AT OUR NATION'S AIRPORTS

                              ----------                              


                       Tuesday, February 3, 2015

             U.S. House of Representatives,
           Subcommittee on Transportation Security,
                            Committee on Homeland Security,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 2:33 p.m., in 
Room 311 Cannon House Office Building, Hon. John Katko 
[Chairman of the subcommittee] presiding.
    Present: Representatives Katko, Rogers, Carter, Walker, 
Ratcliffe, McCaul, Rice, Payne, and Thompson.
    Also present: Representative Johnson.
    Mr. Katko. The Committee on Homeland Security Subcommittee 
on Transportation Security will come to order.
    The subcommittee is meeting today to hear testimony on the 
access control measures and employee vetting at airports around 
the country.
    I now recognize myself for an opening statement. I would 
like to welcome everyone to the subcommittee's first hearing of 
the 114th Congress. I am honored to be the new Chairman of this 
important panel, which is charged with oversight of the 
Transportation Security Administration, commonly referred to as 
TSA. We are here about ensuring the security of our vast and 
vital transportation network as well.
    Today's hearing on airport access control measures stems 
from a series of security breaches in which loaded weapons were 
brought onto commercial airplanes unbeknownst to TSA and 
airport officials. These alarming incidents could have had 
devastating consequences if those involved had intended to 
carry out the attacks.
    The purpose of today's hearing is to examine current access 
control measures and employee vetting procedures and begin to 
identify short-term and long-term solutions to close any 
security loopholes. TSA spends billions of dollars every year 
to ensure every passenger is screened before boarding a 
commercial flight. That is an important responsibility. 
However, we must ask ourselves: What good is all the screening 
at the front door if we are not paying attention enough at the 
back door? The answer is common sense.
    On December 23, 2014, for example, Federal agents arrested 
Eugene Harvey, a Delta baggage handler at Hartsfield-Jackson 
International Airport in Atlanta and charged him with 
trafficking in firearms and violating security agreements--
requirements. Excuse me. Harvey allegedly work with a former 
Delta employee and used his security identification display 
area badge, commonly referred to as SIDA, to smuggle firearms, 
some of them loaded, onto passenger planes bound for JFK 
Airport in New York City.
    The FBI called this a serious security breach and vowed to 
work to prevent future breaches. On January 13, Port Authority 
police in New York City arrested a Federal Aviation 
Administration official at LaGuardia Airport after he flew with 
a loaded firearm on a Delta flight from Atlanta to LaGuardia. 
The inspector, who flew inside the cockpit as part of his 
duties, had bypassed TSA screening in Atlanta by using his SIDA 
badge. The inspector was reassigned to other tasks, and the FAA 
has suspended its program that allows safety inspectors to 
bypass screening.
    Finally, on January 24 of this year, the FBI arrested 
another Delta employee at Atlanta airport for boarding a flight 
to Paris without first being screened. He used his SIDA badge 
to gain entry to the sterile area of the airport. That 
investigation is on-going.
    It raises concerns that all of the most recent breaches 
occurred at Atlanta, one of the world's busiest and largest 
airports. Having said that, though, these incidents are just 
some of the latest examples of breaches at our Nation's 
airports. These problems are not unique to just one airport. 
Every case presents unique challenges and opportunities for 
TSA, the airports, the airlines, and other partners to 
strengthen their security protocols. I am confident that we can 
improve background checks, training, security, and other 
measures, and I look forward to discussing these ideas today 
with our witnesses.
    I also look forward to reviewing the recommendations of the 
Aviation Security Advisory Committee, otherwise known as ASAC, 
in roughly 90 days, following the ASAC's in-depth review of 
access control measures. Furthermore, I am planning to hold a 
follow-up hearing with my colleagues here focusing on that 
review, including how the ASAC's recommendations could be 
implemented at airports Nation-wide.
    The reality is that the threats we face today are not the 
same threats we faced 2, 3, or even 4 years after 9/11. Nearly 
14 years later, terrorists have adapted to our security 
protocols in ways that require us to be agile and resourceful. 
We cannot afford to be set in our ways and risk missing a 
glaring vulnerability. I hope this hearing is the beginning of 
a meaningful dialogue on the changes that need to be made at 
our Nation's airports.
    [The statement of Chairman Katko follows:]
                    Statement of Chairman John Katko
                            February 3, 2015
    I would like to welcome everyone to the subcommittee's first 
hearing of the 114th Congress. I am honored to be the new Chairman of 
this important panel, which is charged with oversight of the 
Transportation Security Administration (TSA) and ensuring the security 
of our vast and vital transportation network.
    Today's hearing on airport access control measures stems from a 
series of security breaches in which loaded weapons were brought onto 
commercial airplanes unbeknownst to TSA and airport officials. These 
alarming incidents could have had devastating consequences if those 
involved had intended to carry out an attack.
    The purpose of today's hearing is to examine current access control 
measures and employee vetting procedures, and begin to identify short-
term and long-term solutions to close any security loopholes.
    TSA spends billions of dollars every year to ensure every passenger 
is screened before boarding a commercial flight. That's an important 
responsibility. However, we must ask ourselves: What good is all of 
this screening at the front door if we are not paying enough attention 
to the back door? The answer is common sense.
    On December 23, for example, Federal agents arrested Eugene Harvey, 
a Delta baggage handler at Hartsfield-Jackson Atlanta International 
Airport and charged him with trafficking in firearms and violating 
security requirements. Harvey allegedly worked with a former Delta 
employee and used his Security Identification Display Area (SIDA) badge 
to smuggle firearms, some of them loaded, onto passenger planes bound 
for JFK. The FBI called this a ``serious security breach'' and vowed to 
work to prevent future breaches.
    On January 13, Port Authority police arrested a Federal Aviation 
Administration (FAA) Aviation Safety Inspector at LaGuardia airport 
after he flew with a loaded firearm on a Delta flight from Atlanta to 
LaGuardia. The inspector, who flew inside the cockpit as part of his 
duties, had bypassed TSA screening at Atlanta airport by using his SIDA 
badge. The inspector was reassigned to other tasks and the FAA has 
suspended its program that allows safety inspectors to bypass 
screening.
    Finally, on January 24, the FBI arrested another Delta employee at 
Atlanta airport for boarding a flight to Paris without being screened. 
He used his SIDA badge to gain entry to the sterile area of the 
airport. The investigation is on-going.
    It raises concern that all of the most recent breaches occurred at 
Atlanta, one of the world's largest and busiest airports. Having said 
that, these incidents are just some of the latest examples of breaches 
at our Nation's airports; these problems are not unique to just one 
airport. Every case presents unique challenges and opportunities for 
TSA, airports, airlines, and other partners to strengthen security 
protocols.
    I am confident that we can improve background checks, training, 
screening, and other measures, and I look forward to discussing these 
ideas today with our witnesses. I also look forward to reviewing the 
recommendations of the Aviation Security Advisory Committee (ASAC) in 
roughly 90 days, following the ASAC's in-depth review of access control 
measures. Furthermore, I am planning to hold a follow-up hearing 
focusing on that review, including how the ASAC's recommendations could 
be implemented at airports Nation-wide.
    The reality is that the threats we face today are not the same 
threats we faced 2, 3, or even 4 years after 9/11. Nearly 14 years 
later, terrorists have adapted to our security protocols in ways that 
require us to be agile and resourceful. We cannot afford to be set in 
our ways and risk missing a glaring vulnerability. I hope this hearing 
is the beginning of a meaningful dialogue on the changes that need to 
be made at our Nation's airports.
    I now recognize the Ranking Member of the subcommittee, the 
gentlewoman from New York, Ms. Rice, for an opening statement.

    Mr. Katko. The Chairman now recognizes the Ranking Minority 
Member of the subcommittee, the gentlelady and former fellow 
prosecutor like me from New York, Miss Rice, for any statement 
she may have.
    Miss Rice. Thank you, Mr. Chairman. Mr. Chairman, I ask 
unanimous consent that the gentleman from Georgia, 
Representative Hank Johnson, be allowed to sit and question the 
witnesses at today's hearing.
    Mr. Katko. Without objection, so ordered.
    Miss Rice. Thank you, Mr. Chairman.
    First, I want to thank you for convening this hearing. I 
want to express my eagerness to work with you and with all the 
Members of this subcommittee to do absolutely everything we can 
to maximize the security of our aviation sector.
    The Transportation Security Administration's mission is to 
protect the Nation's transportation systems to ensure freedom 
of movement for people and commerce. The TSA stands on the 
front lines in the effort to protect the traveling public, but 
we know that they do not stand there alone. Aviation security 
is a truly collaborative effort.
    Airports, vendors, airlines, and the TSA work as a team to 
prevent terrorists and criminals from harming the traveling 
public on the ground and in the air. All members of that team 
should be commended, as the aviation sector is stronger and 
more secure today than it has ever been. However, all members 
of that team must also be equally engaged in the effort to 
identify and correct any deficiencies in our aviation security. 
Recent incidents have revealed such deficiencies, 
vulnerabilities that exist within our airports, and must be 
swiftly addressed for the sake of our National security and for 
the safety of the American people.
    Last December, authorities in my home State of New York 
uncovered a gun smuggling operation in which a former airline 
employee brought weapons and ammunition, 153 firearms, 
including an AK-47 assault rifle, aboard commercial flights in 
carry-on luggage over a period of several months before he was 
arrested selling weapons to undercover FBI agents on multiple 
occasions.
    Also, in my home State just a few weeks ago, a safety 
inspector from the FAA was arrested at LaGuardia Airport after 
authorities discovered a firearm in his carry-on luggage. This 
individual flew from Atlanta to New York with a gun in his 
carry-on and was even allowed access to the cockpit, as the 
Chairman stated, while the plane was in the air.
    It would be easy to point fingers at particular airports or 
airlines involved in these incidents, but that would overlook 
the most important lesson to be learned. Major deficiencies 
exist right now within our airport security systems. If these 
incidents can happen at one airport, they can happen at any 
airport. That is the reality we face, and we are here today to 
ensure that these deficiencies will be corrected as quickly and 
completely as possible.
    What links these two incidents is that in both cases, the 
individuals exploited their SIDA credentials, their SIDA 
badges, to bypass security and bring prohibited items into 
secure areas. It is going to take a collaborative, 
comprehensive effort to ensure that on the front end SIDA 
badges are distributed only to individuals who have been 
thoroughly vetted and deemed worthy of being trusted with them 
and, secondly, to ensure that no one entrusted with a SIDA 
badge is exploiting it.
    Again, I want to reiterate that this is and must always be 
a collaborative effort. It is my intent that, through open 
dialogue between all of the entities here today, we can 
successfully neutralize access control incidents and eliminate 
a major deficiency in our Nation's aviation security system.
    I thank all of the witnesses for coming here before us 
today, and I yield back the balance of my time, Mr. Chairman.
    [The statement of Ranking Member Rice follows:]
              Statement of Ranking Member Kathleen M. Rice
                            February 3, 2015
    First, I want to thank you for convening this hearing, and I want 
to express my eagerness to work with you and with all the Members of 
this subcommittee to do absolutely everything we can to maximize the 
security of our aviation sector.
    The Transportation Security Administration's mission is to 
``protect the Nation's transportation systems to ensure freedom of 
movement for people and commerce.'' The TSA stands on the front lines 
in the effort to protect the traveling public, but we know they don't 
stand there alone.
    Aviation security is a truly collaborative effort. Airports, 
vendors, airlines, and the TSA work as a team to prevent terrorists and 
criminals from harming the traveling public on the ground and in the 
air. All members of that team should be commended, as the aviation 
sector is stronger and more secure today than it has ever been.
    However, all members of that team must also be equally engaged in 
the effort to identify and correct any deficiencies in our aviation 
security. Recent incidents have revealed such deficiencies--
vulnerabilities that exist within our airports and must be swiftly 
addressed for the sake of our National security and the safety of the 
American people.
    Last December, authorities in my home State of New York uncovered a 
gun-smuggling operation in which a former airline employee brought 
weapons and ammunition--153 firearms, including an AK-47 assault 
rifle--aboard commercial flights in carry-on luggage over a period of 
several months, before he was arrested selling weapons to undercover 
Federal Bureau of Investigation agents on multiple occasions.
    Also in my home State, just a few weeks ago, a safety inspector 
from the Federal Aviation Administration was arrested at LaGuardia 
Airport after authorities discovered a firearm in his carry-on luggage. 
This individual flew from Atlanta to New York with a gun in his carry-
on, and was even allowed access to the cockpit while the plane was in 
the air.
    It would be easy to point fingers at particular airports or 
airlines involved in these incidents. But that would overlook the most 
important lesson to be learned. Major deficiencies exist right now 
within our airport security systems, and if these incidents can happen 
at one airport, they can happen at any airport.
    That is the reality we face, and we're here today to ensure that 
these deficiencies will be corrected as quickly and completely as 
possible.
    What links these two incidents is that in both cases, the 
individuals exploited their Secure Identification Display Area 
credentials--also known as SIDA badges--to bypass security and bring 
prohibited items into secure areas.
    It will take a collaborative, comprehensive effort to ensure that, 
on the front end, SIDA badges are distributed only to individuals who 
have been thoroughly vetted and deemed worthy of being trusted with 
them . . . And secondly, to ensure that no one entrusted with an SIDA 
badge is exploiting it.
    I know that employee screening is a major component of the TSA's 
multi-layered strategy for addressing security vulnerabilities within 
the aviation sector. I look forward to hearing from Acting Deputy 
Administrator Hatfield today about how the TSA can further enhance this 
layer of security, and ensure that no unauthorized items make it into 
secure areas of airports.
    I look forward to hearing from Mr. Southwell, the aviation general 
manager of Hartsfield-Jackson Atlanta International Airport, about the 
short, intermediate, and long-term solutions he plans to implement in 
order to reform his airport's security system and neutralize the 
insider threat.
    Also with us today is Ms. Pinkerton, a member of the Aviation 
Security Advisory Committee, an entity that was codified into law 
through legislation offered by Ranking Member Thompson last Congress to 
advise on a wide variety of aviation security issues. As Ms. Pinkerton 
represents the perspective of multiple airports, I'm eager to hear her 
advice about what we can do across all our Nation's airports to 
eliminate this dangerous vulnerability.
    Lastly, I look forward to Deputy Assistant Director Perdue shedding 
light on the FBI's involvement in incidents such as those I've 
mentioned, and to discuss the penalties associated with these breaches 
and whether those penalties are adequate and effective.
    Again, I want to reiterate that this is and must always be a 
collaborative effort. It's my intent that through open dialogue between 
all of the entities here today, we can successfully neutralize access-
control incidents and eliminate a major deficiency in our Nation's 
aviation security system.

    Mr. Katko. Thank you, Miss Rice.
    The Chairman now recognizes the Chairman of the full 
committee, the gentleman from Texas, Mr. McCaul, for any 
statement he may have.
    Mr. McCaul. I thank the Chairman.
    I want to first congratulate you and Ranking Member Rice on 
your new position on this committee and by starting out this 
Congress with an important hearing that focuses on the 
importance of, and timely topic of, access control and employee 
screening at our Nation's airports.
    It is vital that agencies responsible for protecting our 
airports are doing all that they can to keep safe our aviation 
sector. This responsibility does not end at the passenger 
screening checkpoints. A robust system, the vetting employees 
at airports is equally as important.
    This hearing is an important opportunity to examine 
security programs designed to mitigate potential insider 
threats from airport employees, airline employees, TSA 
personnel, and others who have access to sterile areas of 
domestic airports.
    In addition to the most recent access control breaches at 
Atlanta airport that have been mentioned, there have been a 
number of insider threats and employee issues at various other 
airports in recent years. For example, in December 2013, the 
FBI arrested an avionic technician at Wichita airport for 
plotting a suicide attack using a vehicle-borne improvised 
explosive device. The technician allegedly intended to use his 
airport clearance to gain access to the tarmac and detonate the 
vehicle near planes and the terminal during peak holiday travel 
in order to maximize casualties. He was charged with attempted 
use of a weapon of mass destruction and attempted to provide 
material assistance to al-Qaeda in the Arabian Peninsula.
    Additionally, in September 2013, a TSA screener at Los 
Angeles International Airport was arrested a few hours after 
resigning his position for making threats against the airport 
that cited the anniversary of 9/11 and for leaving a suspicious 
package at the airport. His actions resulted in the evacuation 
of several airport terminals.
    Finally, in September 2014, a former airline employee at 
Minneapolis airport died in Syria fighting alongside the 
Islamic State in Iraq and Syria. Though the individual had left 
employment with the airline several years prior to becoming a 
foreign fighter of ISIS, he did have access to areas of the 
airport during his employment, including the tarmac.
    There are significant lessons to be drawn from these and 
other incidents involving employees. The bottom line is that 
our aviation network remains a prime target for terrorism. We 
must be vigilant and constantly reevaluate our security posture 
according to the threats that we face, and that includes 
potential insider threats.
    I am pleased that this subcommittee will hear testimony 
from TSA and the FBI and airport and airlines representatives 
on this important topic, and I look forward to examining what 
additional measures should be taken to protect our airports and 
the American people.
    With that, I yield back.
    [The statement of Chairman McCaul follows:]
                Statement of Chairman Michael T. McCaul
                            February 3, 2015
    I would like to commend Chairman Katko and Ranking Member Rice for 
starting off the Congress with focusing on the important and timely 
topic of access control and employee screening at our Nation's 
airports.
    It is vital that the agencies responsible for protecting our 
airports are doing all that they can to keep our aviation sector safe. 
This responsibility does not end at the passenger screening 
checkpoints; a robust system of vetting employees at airports is 
equally as important.
    This hearing is an important opportunity to examine security 
programs designed to mitigate potential insider threats from airport 
employees, airline employees, TSA personnel, and others who have access 
to sterile areas of domestic airports.
    In addition to the most recent access control breaches at Atlanta 
airport that have been mentioned, there have been a number of insider 
threats and employee issues at various other airports in recent years.
    For example, in December 2013, the FBI arrested an avionic 
technician at Wichita Airport for plotting a suicide attack using a 
vehicle-borne improvised explosive device. The technician allegedly 
intended to use his airport clearance to gain access to the tarmac and 
detonate the vehicle near planes and the terminal during peak holiday 
travel, in order to maximize casualties. He was charged with attempted 
use of a weapon of mass destruction and attempting to provide material 
assistance to al-Qaeda in the Arabian Peninsula.
    Additionally, in September 2013, a TSA screener at Los Angeles 
International Airport was arrested a few hours after resigning his 
position for making threats against the airport that cited the 
anniversary of 9/11, and for leaving a suspicious package at the 
airport. His actions resulted in the evacuation of several airport 
terminals.
    Finally, in September 2014, a former airline employee at 
Minneapolis Airport died in Syria fighting alongside the Islamic State 
in Iraq and Syria (ISIS). Though the individual had left employment 
with the airline several years prior to becoming a foreign fighter of 
ISIS, he did have access to sterile areas of the airport during his 
employment, including the tarmac.
    There are significant lessons to be drawn from these and other 
incidents involving employees. The bottom line is that our aviation 
network remains a prime target for terrorism. We must be vigilant and 
constantly reevaluate our security posture according to the threats we 
face, and that includes potential insider threats.
    I am pleased that the subcommittee will hear testimony from TSA, 
the FBI, and airport and airline representatives on this important 
topic and I look forward to examining what additional measures should 
be taken to protect our airports and the American people.
    I thank Chairman Katko for his leadership of the subcommittee and I 
yield back the balance of my time.

    Mr. Katko. Thank you, Mr. Chairman.
    The Chairman now recognizes the Ranking Minority Member of 
the full committee, the gentleman from Mississippi, Mr. 
Thompson, for any statement he may have.
    Mr. Thompson. I thank the Chairman for holding today's 
hearing. I also welcome both you and the Ranking Member of this 
committee.
    After the horrific attacks of September 11, 2001, multiple 
layers of security were put in place to protect our aviation 
system. Not only did screening procedures and the list of 
prohibited items change, but the protocols for security of the 
airports changed as well.
    While Congress and Executive branch were making 
considerations to keep the traveling public safe, they also 
recognized that there are 450 airports in the United States, 
each of which presents a unique set of security issues. For 
instance, vendors and airline employees need access to various 
areas of the airport. In an effort to maintain security and 
provide a sense of practicality to airport and airline 
employees, legislation was implemented to allow vetted 
individuals to have unescorted access within the areas that lie 
beyond airport secure screening checkpoints.
    Airline and airport employees are vetted through a criminal 
background check and biographical check. They are issued Secure 
Identification Display Area badges, commonly referred to as 
SIDA badges, to use to gain access to a sterile area of the 
airport without having to go through physical screening.
    While SIDA badge holders are vetted daily against a 
terrorist watch list, the criminal background checks are not 
conducted recurrently. Mr. Chairman, this is concerning. In 
2011, the Office of Inspector General found that some of the 
records provided by employees contain inaccuracies or omissions 
and that TSA had limited oversight of the application process.
    Moreover, recent events have me questioning whether TSA has 
taken seriously the recommendations of the OIG. I still 
question whether airports and TSA have the adequate internal 
controls to address potential insider threats from SIDA badge 
holders. Do employees retain badges upon termination? Are logs 
kept on the number of lost or stolen badges? Are badges being 
used to gain access only when an employee is on duty?
    Unfortunately, in December 2014, we saw a deplorable 
instance of SIDA badge misuse. Five men were charged in 
connection with a plot to smuggle over 150 guns from Atlanta to 
New York City. One of these men is alleged to have used his 
credentials to get by physical screening and board flights to 
New York City. Although the weapons were not intended to harm 
passengers, and these men have not been charged with terrorism, 
it is disheartening to think of a catastrophic consequence that 
could have occurred had one of those firearms been used on the 
airplane during the flight.
    Mr. Chairman, as you know, the threat is evolving. As it 
evolves, we cannot remain stagnant. It is my hope that through 
our continued oversight and bipartisan legislative work, we can 
make sure there are proper policies and procedures in place to 
ensure that those that have access to a sterile area of the 
airport cannot create such gross breaches of security. The 
security of an airport is a shared concern, and all entities 
should work together to ensure that the layers of security are 
as strong as they can be.
    With that, Mr. Chairman, I look forward to today's 
testimony. I yield back.
    [The statement of Ranking Member Thompson follows:]
             Statement of Ranking Member Bennie G. Thompson
                            February 3, 2015
    After the horrific attacks of September 11, 2001, multiple layers 
of security were put in place to protect our aviation system. Not only 
did screening procedures and the list of prohibited items change, but 
the protocols for security of the airports changed as well. While 
Congress and the Executive branch were making considerations to keep 
the traveling public safe, they also recognized there are 450 airports 
in the United States, each of which presents a unique set of security 
issues.
    For instance, vendors and airline employees need access to various 
areas of the airport. In an effort to maintain security and provide a 
sense of practicality to airport and airline employees, legislation was 
implemented to allow vetted individuals to have unescorted access 
within the areas that lie beyond airports' secure screening 
checkpoints. Airline and airport employees are vetted through a 
criminal background check and biographical check. Then they are issued 
Secure Identification Display Area (SIDA) Badges to use to gain access 
to the sterile area of the airport without having to go through 
physical screening. While SIDA badge holders are vetted daily against 
the terrorist watch lists, the criminal background checks are not 
conducted recurrently.
    Mr. Chairman, this is concerning. In 2011, the Office of Inspector 
General found that some of the records provided by employees contained 
inaccuracies or omissions and that TSA had limited oversight of the 
application process. Moreover, recent events have me questioning 
whether TSA has taken the recommendations of the OIG seriously. I still 
question whether the airports and TSA have the adequate internal 
controls to address potential insider threats from SIDA badge holders. 
Do employees return badges upon termination? Are logs kept on the 
number of lost or stolen badges? Are badges being used to gain access 
only when an employee is on duty?
    Unfortunately, in December 2014, we saw a deplorable instance of 
SIDA badge misuse. Five men were charged in connection with a plot to 
smuggle over 150 guns from Atlanta to New York City. One of these men 
is alleged to have used his credentials to get bypass physical 
screening and board flights to New York City.
    Although the weapons were not intended to harm passengers, and 
these men have not been charged with terrorism, it is disheartening to 
think of the catastrophic consequences that could have occurred had one 
of those firearms been used on the airplane during the flight.
    Mr. Chairman, as you know, the threat is evolving. As it evolves, 
we cannot remain stagnant. It is my hope that through our continued 
oversight and bipartisan legislative work, we can make sure there are 
proper policies and procedures in place to ensure that those that have 
access to the sterile area of the airport cannot create such gross 
breaches of security. The security of an airport is a shared concern, 
and all entities should work together to ensure that the layers of 
security are as strong as can be.

    Mr. Katko. Thank you, Mr. Thompson.
    Other Members of the committee are reminded that opening 
statements may be submitted for the record.
    Now, we are pleased to have several distinguished witnesses 
before us today on this important topic. Let me remind the 
witnesses that their entire written statements will appear in 
the record.
    Our first witness, Mr. Hatfield, is the acting deputy 
administrator at the TSA. Prior to his current role, Mr. 
Hatfield served as a Federal security director for Newark 
Liberty International Airport, where he managed a security 
force over 1,200 employees. He has been with TSA since 2002, 
has held a number of roles including assistant administrator of 
strategic communications and public affairs.
    The Chairman now recognizes Mr. Hatfield to testify.

   STATEMENT OF MARK HATFIELD, ACTING DEPUTY ADMINISTRATOR, 
  TRANSPORTATION SECURITY ADMINISTRATION, U.S. DEPARTMENT OF 
                       HOMELAND SECURITY

    Mr. Hatfield. Thank you very much, sir.
    Good afternoon, Chairman Katko, Ranking Member Rice, 
distinguished Members of the committee.
    Chairman McCaul and Mr. Thompson, it is great to see you 
all here as well. I am personally honored and thrilled for the 
opportunity to have this conversation with you.
    After I finish with the requisite reading of my prepared 
statement, I am really looking forward to an energetic 
conversation, and I hope that I can provide enlightening 
answers to your questions.
    As you know, last December an investigation revealed that a 
Delta Airlines employee allegedly conspired to smuggle firearms 
from Hartsfield-Jackson International Airport to John F. 
Kennedy International Airport in New York, and a Federal 
prosecution is now under way in this case. While I am currently 
unable to comment in any detail on the specifics of these 
allegations, I can assure you that TSA views with great concern 
and focus any potential instance of security vulnerabilities. 
We are fully engaged with our aviation industry partners, and 
we look at all options to ensure the continued security of our 
Nation's commercial aviation and other transportation networks.
    In addition to coordinating efforts with industry 
stakeholders, we are also working closely with our colleagues 
at the Department of Homeland Security. In fact, Secretary 
Johnson personally visited Atlanta to speak with our partners 
at that airport. I can report to you that TSA has taken 
immediate steps to increase mitigation efforts of the insider 
threat. These steps include increasing operations that focus on 
screening airport employees at employee entrances and direct 
access points, such as secure doors and elevators and vehicle 
gates. In partnership with airport authorities, TSA is further 
examining circulation controls and reassessing employee access 
points, both the number and design of those access points.
    Many of our Nation's airports are open for business around 
the clock, and numerous entities support air travel by 
providing amenities such as food and shopping throughout the 
airport. While the sterile area of an airport hosts passengers 
and aircrews waiting for flights, it is also the workplace and 
break space for vendors, mechanics, ground crew, and others.
    Enforcing access control is a shared responsibility among 
multiple partners. I appreciate your pointing that out in your 
opening statement, Madam Rice. Every airport and airline has a 
security plan that reflects this. Airport authorities and the 
airlines are responsible for developing and executing these 
security plans. TSA is responsible for approving them and using 
our authority to perform inspections for compliance and 
comportment with those rules. Each airport operator must allow 
TSA at any time or place to make any inspection or test to 
determine compliance with TSA's regulations and other policies.
    TSA is currently conducting an insider threat analysis to 
help better identify indicators of criminal acts or threats to 
aviation. This is the type of critical thinking we use to 
improve training, operations, and methods of screening. 
Additionally, TSA Acting Administrator Carraway has asked the 
Aviation Security Advisory Committee, the ASAC, to specifically 
review access control and perimeter security issues and offer 
their recommendations to address potential threats. I, in fact, 
met with them yesterday. I met with the larger body and their 
Chairman, and they are meeting again today. We are eager to see 
their recommendations. They are reporting at 30-, 60-, and 90-
day threshold marks. That first report is due at the end of 
this week. Mr. Chairman, thank you for recognizing the work 
that they are doing.
    TSA also conducts security background checks for airport 
and airline employees. Airport workers are vetted before they 
are granted unescorted access to the secure areas of the 
airport, and TSA performs a security threat assessment on all 
airport workers who require a credential. Once TSA has 
completed the check, information is provided to the 
individual's prospective employer with access either granted or 
denied based on the results of the security threat assessment.
    We also continuously check all SIDA holders against the 
terrorist screening center's database to see if there are any 
changes in their status. That is an on-going, daily, continual 
check against that dynamic list.
    In Atlanta and in airports across the country, TSA performs 
physical screening of employees with SIDA badges and sterile 
area access to entrances of these areas of the airport, places 
like bus stops for employees, employee turnstiles, and airport 
entry gates.
    Following the revelation of the alleged smuggling operation 
in Atlanta, it has been suggested by some that airports 
institute 100 percent screening of all employees any time they 
enter or re-enter a secure area. In 2008, TSA actually 
conducted pilot programs comparing the screening effectiveness 
of 100 percent airport employee screening versus a program that 
includes continuous random and unpredictable employee screening 
measures.
    In that same year, the Homeland Security Institute, HSI, 
independently assessed those pilot programs and concluded that 
100 percent physical screening of all airport employees is both 
cost-prohibitive and poses a wide range of operational 
challenges without delivering demonstrably greater security. In 
other words, HSI also determined that random screening, 
properly done, is nearly as effective as 100 percent screening.
    As a result of the TSA pilot and the HSI report, TSA made 
recommendations to enhance access control security. They 
include: The order to accelerate the installation of closed-
circuit television and perimeter intrusion detection systems, 
phasing in the use of biometric access controls and identity 
verification systems, increasing security awareness training 
for airport workers, and increasing the Visible Intermodal 
Prevention and Response teams known as our VIPR teams 
operations.
    Having recently served as TSA's Federal security director 
in Miami, an airport that does conduct 100 percent employee 
screening, I can tell you without question that such a practice 
involves both a significant investment of resources and is 
operationally challenging. That said, I have great respect for 
my former partners in Miami and the extraordinary commitment 
that they make as an airport, sometimes unilaterally, and 
without the force of a Federal regulation or rule to 
continually look at ways to make that airport safer.
    TSA has an important role, in partnership with airport 
operators and airlines, in securing access to our Nation's 
airports, and we are committed to risk-based security solutions 
that enhance our current posture.
    I want to thank the committee for the opportunity to 
testify today, and I do look forward to your questions. Thank 
you.
    [The prepared statement of Mr. Hatfield follows:]
                  Prepared Statement of Mark Hatfield
                            February 3, 2015
    Good afternoon Chairman Katko, Ranking Member Rice, and 
distinguished Members of the committee. I appreciate the opportunity to 
appear before you today to discuss the Transportation Security 
Administration's (TSA) role in airport access control at our Nation's 
airports.
    The primary mission of TSA is to reduce security vulnerabilities 
and to strengthen resilience against terrorist attacks in the Nation's 
transportation systems, including aviation, mass transit, rail, 
highway, and pipeline, to ensure freedom of movement for people and 
commerce. To fulfill this vital mission, TSA employs a risk-based, 
layered approach to security through a well-trained front-line 
workforce, state-of-the-art technologies, intelligence analysis and 
information sharing, explosives detection canine teams, Visible 
Intermodal Prevention and Response teams, and our industry partners who 
voluntarily adopt security improvements and comply with regulations. 
This multi-layered approach helps to ensure that resources are applied 
efficiently to have the greatest impact in reducing risk and enhancing 
the security of the traveling public and the Nation's transportation 
systems.
                             access control
    Each day, TSA facilitates and secures the travel of nearly 2 
million air passengers at nearly 450 airports Nation-wide. Numerous 
entities are involved in supporting safe and secure travel as well as 
providing amenities such as food, shopping, and other entertainment. 
Controlling access to sterile, (post-security screening checkpoint) 
airport areas is a critical part of airport operations. While the 
sterile area hosts passengers and air crews waiting for flights, it is 
also the workplace for vendors, mechanics, ground crew, and others 
employed by the airlines and the airports. Access control is a shared 
responsibility among many partners, and every airport and airline has a 
security plan of which access control is an important and necessary 
element. Airport authorities and the airlines are responsible for 
developing and executing security plans; TSA is responsible for 
approving security plans and inspecting for compliance.
    TSA's inspections include credentialing, perimeter security, and 
testing of access control systems and processes at airports. Every 
commercial airport receives an annual security inspection to include an 
assessment of perimeter and access controls. TSA analyzes the results 
of these inspections and assessments to develop mitigation strategies 
to enhance airport security.
    Transportation Security Officers and Inspectors are also deployed 
on a random and unpredictable basis to screen airport and airline 
workers as they enter for work within the secure and sterile areas. The 
screening protocols vary by time, location, and method to enhance 
unpredictability. This includes ID verifications, and searches of 
individuals and/or their property, using various technologies and 
methods in order to detect and deter the introduction of prohibited 
items. Additionally, airport operators are required to conduct random 
inspections of employees entering sterile areas, to include ID 
verification and checks for prohibited items. If employees fail to 
follow proper procedures in accessing secure areas, they may be 
restricted from future access, disciplined by their employer, or 
subject to criminal charges and civil penalties.
    TSA has wide-ranging authority to pursue inspections of airport 
security plans. Each airport operator is required to allow TSA, at any 
time or place, to make any inspections or tests, to determine 
compliance of an airport operator, aircraft operator, foreign air 
carrier, indirect air carrier, or other airport tenants with TSA's 
regulations, security programs, security directives, and other 
policies. Inspections and audits are conducted by our Compliance 
Division and, in situations of possible non-compliance, investigations 
are undertaken by Transportation Security Inspectors. Enforcement 
Investigation Reports that yield evidence of non-compliance are jointly 
overseen by the airport's Federal Security Director and by the Office 
of Security Operation's Compliance Division.
                      vetting and badging process
    In addition to our regulatory role, TSA also conducts security 
background checks for airport and airline employees through the Secure 
Identification Display Area (SIDA) badging process. Airport workers are 
vetted before they are granted unescorted access to the secure area of 
the airport. TSA performs a Security Threat Assessment (STA) on those 
who require access to the secure/sterile area of the airport or 
unescorted access to cargo. When individuals apply for employment with 
the airport or airline, they submit STA information which is passed 
through one of several vendors to TSA for adjudication. This includes a 
check against the Terrorist Screening Database (TSDB). In partnership 
with the FBI and Customs and Border Protection (CBP), the individual 
also undergoes a Criminal History Background Check and immigration 
status check. Once TSA has completed the check, the information is 
provided to the individual's prospective employer with access either 
granted or denied based on the results of the STA. TSA also 
continuously checks all SIDA holders against the TSDB in case there are 
any changes to their status.
    With TSA's Risk-Based Security model, similar to what we do with 
trusted travelers in TSA PreTM or Known Crew Member, 
airport workers are vetted before they are granted unescorted access to 
the secure area of the airport. With the STA, we weed out potential bad 
actors, which is particularly important given the sensitive areas where 
many of these individuals work. However, we must balance the importance 
of conducting checks on employees with the need to facilitate air 
travel, and so have designed a system of background checks, 
inspections, and random checks as a risk-based approach to access 
control.
                      studies and recommendations
    In 2011, the Office of Inspector General (OIG) assessed TSA's 
efforts to identify and track access control at airports, specifically 
whether TSA had an effective mechanism to identify measures that could 
be used to improve security Nation-wide. The OIG found that without an 
effective mechanism to gather information about all security breaches, 
TSA was unable to monitor trends or make general improvements to 
security. The OIG made recommendations to use one comprehensive 
definition of a security breach as well as to develop a comprehensive 
program to ensure accurate reporting and corrective actions in breach 
incidents. As a result, TSA developed a single definition of ``Security 
Breach,'' and enhanced its oversight system with respect to airport 
security breaches. TSA now leverages the Performance and Results 
Information System (PARIS) to accurately report, track, and analyze 
access control trends. Further, TSA updated airport performance metrics 
to track security breaches and airport checkpoint closures at the 
National, regional, and local levels.
    In 2008, TSA conducted a study to compare two approaches to 
physically screening airport employees: Screening 100 percent of 
airport employees or conducting random screening measures. Three 
airports tested the 100 percent screening model and another four 
screened employees on a random basis. The Homeland Security Institute 
(HSI) independently assessed the pilot programs using three factors: 
Screening effectiveness, effect on airport operations, and cost 
considerations. HSI concluded that 100 percent physical screening of 
all airport employees is cost-prohibitive and poses a wide range of 
operational challenges. For instance, many employees wear steel-toed 
shoes for safety at work; however this poses a unique challenge and 
delay in screening through a magnetometer. Additionally, airports 
conducting 100 percent screening reported delays, ranging from minor at 
smaller airports to major at larger ones.
    HSI also determined that random is nearly as effective as 100% 
screening, stating that they ``did not see a clear distinction between 
the number of items confiscated at 100% versus random screening 
airports.'' Given the HSI and TSA pilot results, TSA made the following 
recommendations for airports to enhance access control security:
   Accelerate the installation of closed-circuit television and 
        perimeter intrusion detection systems;
   Raise physical screening levels for airport employees (TSA 
        and airport operators);
   Phase in the use of biometric access controls and identity 
        verification systems;
   Focus on locally-driven security solutions (Community 
        Policing and Airport Watch);
   Increase security awareness training for airport workers;
   Increase Visible Intermodal Prevention and Response teams 
        and surge operations (random and threat-based); and
   Promote behavior-based threat detection programs.
    In 2009, the Government Accountability Office (GAO) addressed the 
issue of insider threats in a review of TSA's efforts to secure 
commercial airport perimeters and access controls. Using data from the 
2008 tests referenced above, GAO reported that physically screening 100 
percent of employees would range from $5.7 billion to $14.9 billion for 
the first year, while the costs of enhancing random worker screening 
would range from $1.8 billion to $6.6 billion. This audit, entitled A 
National Strategy and Other Actions Would Strengthen TSA's Efforts to 
Secure Commercial Airport Perimeters and Access Controls, provided five 
recommendations to further TSA's efforts to enhance the security of the 
Nation's airports through a unifying National strategy that identifies 
key elements, such as goals, priorities, performance measures, and 
required resources. TSA concurred with and implemented the 
recommendations of this audit.
                       insider threat mitigation
    In December 2014, an investigation revealed that a Delta airlines 
employee allegedly conspired to smuggle firearms from Hartsfield-
Jackson Atlanta International Airport (ATL) to John F. Kennedy 
International Airport (JFK) in New York, and a Federal prosecution is 
under way in this case.
    To reduce risks exposed by this criminal conspiracy, TSA has 
implemented a variety of measures and is examining how this case can 
inform airport security more broadly. As described above, TSA 
administers Security Threat Assessments for all airport and airline 
employees prior to the issuance of SIDA badges granting unescorted 
access privileges. TSA also vets these individuals on a recurring basis 
against the Terrorist Screening Database. At ATL and Nation-wide, TSA 
requires the airport authority to randomly perform physical screening 
of employees with SIDA badges at a variety of unpredictable locations 
such as Secure Area access points, employee bus stops, employee 
turnstiles, and airport entry gates. In calendar year 2014, TSA 
performed 7,234 hours of such screening at ATL and 257,979 hours 
Nationally.
    TSA has taken immediate steps at ATL to mitigate the insider 
threat. Under the leadership of TSA officials, a working group was 
created with representation from various airport authorities, law 
enforcement, and stakeholders to further develop plans for improving 
security. TSA has increased operations to focus on screening airport 
employees at employee entrances and direct access points, such as 
turnstiles, Secure Area doors and elevators, and vehicle gates. Air 
carriers at ATL have also implemented additional security measures to 
address the issue. In partnership with airport authorities, TSA is 
further examining circulation controls and reassessing employee access 
points. We look forward to a continued partnership with key 
stakeholders to determine best practices and risk-based security 
solutions that could be replicated in other airports.
    On a broader level, TSA is examining the potential vulnerabilities 
exposed by this incident and other trends to determine if additional 
risk-based security measures, resource reallocations, new investments, 
or policy changes may be necessary. TSA is conducting an insider threat 
analysis to identify potential indicators of criminality or threats to 
aviation that could provide insight into new training, operations, or 
methods of screening and vetting employees. TSA is examining its legal 
authorities to assess if additional measures may be required or imposed 
to enhance security. Finally, TSA Acting Administrator Carraway has 
asked the Aviation Security Advisory Committee (ASAC) to specifically 
review access control and perimeter security issues to offer solutions 
to potential threats.
                               conclusion
    TSA plays an important role in partnership with airports and 
airlines in securing access to our Nation's airports, and is committed 
to fielding responsive, risk-based solutions that can enhance our 
current security posture. I want to thank the committee for your 
interest in this important issue and your support as we consider 
recommendations and future changes to improve aviation and airport 
security Nation-wide. Thank you for the opportunity to testify today, I 
look forward to your questions.

    Mr. Katko. Thank you, Mr. Hatfield, for your testimony. We 
appreciate you being here today. I appreciate and I look 
forward to the dialogue that is forthcoming.
    Our second witness is Mr. Gary Perdue, who currently serves 
as deputy administrative director of the counterterrorism 
division at the FBI. Mr. Perdue has over 30 years of U.S. 
Federal Government service--he beats me--specializing in 
military intelligence, foreign counterintelligence, drug 
trafficking, international terrorism, weapons of mass 
destruction, and counterproliferation. Prior to his current 
position, Mr. Perdue was the special agent in charge of the 
FBI's Pittsburgh division.
    The Chairman now recognizes Mr. Perdue to testify. Thank 
you, sir.

    STATEMENT OF G. DOUG PERDUE, DEPUTY ASSISTANT DIRECTOR, 
  COUNTERTERRORISM DIVISION, FEDERAL BUREAU OF INVESTIGATION, 
                   U.S. DEPARTMENT OF JUSTICE

    Mr. Perdue. Thank you. Good afternoon, Chairman Katko, 
Ranking Member Rice, and Members of the subcommittee.
    Thank you for the opportunity to appear before you today 
and for your continued support of the men and women of the 
Federal Bureau of Investigation.
    I am particularly pleased to be here today with Mark 
Hatfield, the acting deputy administrator of the Transportation 
Security Administration, to discuss our role in access control 
measures at our Nation's airports.
    Today's FBI is a threat-focused, intelligence-driven 
organization. Every professional understands--excuse me--every 
FBI professional understands that preventing the key threats 
facing our Nation means constantly striving to be more 
efficient and more effective.
    Just as our adversaries continue to evolve, so too must the 
FBI. We live in a time of acute and persistent terrorist and 
criminal threats to our National security, our economy, and to 
our communities. These diverse threats illustrate the 
complexity and breadth of the FBI's mission, and make clear the 
importance of its partnerships, especially with the TSA, in 
reducing security vulnerabilities in our Nation's 
transportation system.
    In fact, our National headquarters and local field offices 
have built partnerships with just about every Federal, State, 
local, Tribal, and territorial law enforcement agency in the 
Nation. Our agents, analysts, and professional staff work 
closely with law enforcement, intelligence, and security 
services to include representatives at our Nation's airports 
and airlines to mitigate the threat posed to our Nation's 
transportation infrastructure and internal aviation security 
processes and systems. By combining our resources and 
leveraging our collective expertise, we are able to investigate 
National security threats that cross both geographical and 
jurisdictional boundaries.
    Our civil aviation security program: In conjunction with 
our partners, the FBI's counterterrorism division's Civil 
Aviation Security Program, also known as CASP, is extensively 
involved in efforts to undercover and prevent terrorist 
operations to attack or exploit civil aviation in the United 
States. The FBI has special agents and task force officers 
assigned as airport liaison agents at each of the Nation's TSA-
regulated airports in order to respond to aviation-related 
incidents and threats, participate in joint FBI-TSA airport 
vulnerability assessments, and interact with interagency and 
private-sector stakeholders at airports around the country on 
exercises, threat mitigation, and other issues to protect the 
traveling public.
    The FBI's CASP and ALA program were created in 1990 to 
formalize the Bureau's investigative intelligence and liaison 
activities at the Nation's airports. CASP is located in the 
FBI's National Joint Terrorism Task Force, with a focus on 
supporting and enhancing efforts to prevent, disrupt, and 
defeat acts of terrorism directed toward civil aviation and to 
provide counterterrorism preparedness leadership and assistance 
to Federal, State, and local agencies responsible for civil 
aviation security.
    One of CASP's primary responsibilities is to provide 
program management and support to the FBI's airport liaison 
agencies. In addition, CASP represents the FBI on aviation 
security policy matters, provides guidance and training to the 
field, and supports National aviation security initiatives and 
mandates.
    I would like to go over briefly CASP efforts to mitigate 
the insider threat at America's airports. Our intelligence 
production. Since 2009, CASP has produced numerous intelligence 
products that are shared with the U.S. intelligence community. 
A couple of the Unclassified products titles include: 
``Aviation-related Suspicious Activities: An FBI Assessment'' 
on 3 June 2005. ``Terrorist Training Document Reveals Travel 
Guidance and Tactics'' on 13 October 2009.
    To further mitigate threats to aviation, CASP produces and 
distributes a comprehensive daily aviation-centric intelligence 
summary for all airport liaison agents and various FBI 
programs. This summary includes the latest threats to: 
Aviation, suspicious activity reporting within the air domain, 
current intelligence reporting, and updates on active aviation 
cases of importance.
    In addition, CASP intelligence analysts produce threat 
intelligence reports yearly in support of Congressionally-
mandated FBI-TSA joint airport vulnerability assessments, also 
known as JAVAs, and coordinate on-sight preparation, 
representation at JAVA events.
    Our liaison: CASP has conducted three FBI air carrier 
security director forums since 2011, with a 3-day forum planned 
for August of this year. CASP has published nine aviation-
centric Operation Tripwires since 2003, with a 2010 Operation 
Tripwire that addressed the insider threats specifically. For 
those of you not familiar with the FBI's Operation Tripwire, it 
began in 2003 as a counterterrorism division initiative 
designed to improve the FBI's intelligence and information 
base.
    The program's vision is to develop FBI partnerships that 
help to identify U.S.-based terrorist sleeper cells through 
collecting and assessing specific information related to 
potential counterterrorism threats. The program's goal is to 
leverage outreach programs focused on aiding industry and local 
officials in recognizing suspicious activity and providing them 
a point of contact for reporting that activity, as well as to 
provide actionable items for the Joint Terrorism Task Force. 
CASP proactively develops curriculum on aviation security 
issues and providing training to ALAs, other Government 
agencies, the private sector, and foreign governments.
    Our operational support: CASP provides operational support 
to the FBI's ALAs and substantive units on active 
investigations and provides strategic intelligence products on 
terrorist tactics, techniques, and procedures. CASP responds to 
official requests for information request for assistance, 
requests related to investigations of laser pointer 
illuminations of aircraft, unmanned aerial vehicle incidents, 
Government Accountability Office inquiries, National 
Transportation Safety Board aircraft accident investigation 
assistance, aviation-related exercises, and hijacking response 
plans involving ALA and FBI equities.
    CASP developed a series of ALA best practices that 
leverages division-specific initiatives for broad participation 
by all FBI divisions and ALAs. These initiatives include: 
Documents and guidance on conducting vulnerability assessments 
at general aviation airports under the general aviation 
assessments initiative, issuing Federal misdemeanors for non-
felonious criminal acts at airports under the Federal 
misdemeanor violations best practice, conducting recurring 
criminal record checks through the FBI's National Crime 
Information Center on airport employee under the air domain 
computer information comparison initiative, and providing 
checklist and guidance for handling a major aviation crisis 
such as a commercial airline crash under the aviation crisis 
response checklist best practice initiative.
    CASP also has access to the Federal Aviation 
Administration-managed domestic events network, allowing for 
enhanced response and situational awareness during real-time 
aviation incidents.
    Our training: One of CASP's major focus areas is conducting 
training for the FBI's ALAs, other Government agencies, and 
private-sector stakeholders. CASP has led the way with 
innovative cost-saving training initiatives that include: A 
2011 CASP-conducted joint FBI-NTSB-ALA regional training, 
instructing attendees on how to handle issues surrounding a 
major aviation crisis within their area of responsibility, 
conducted three FBI ACSD forums since 2011. CASP launched a 
mandatory ALA-specific virtual academy training course for FBI 
employees entitled Airport Liaison Agent Fundamentals in 2012.
    CASP recently worked with ALA coordinators for in-depth 
training at Los Angeles International Airport, Los Angeles, 
California on 10 through 11 September 2014. CASP represents the 
FBI's equities on various interagency and industry committees 
working groups such as: The Air Domain Awareness Working Group, 
Man Portable Air Defense Systems Analysis Working Group, 
Secondary Barrier Working Group, Civil Aviation Threat Working 
Group, Aviation Information-Sharing Working Group, the Air 
Domain Intelligence Integration and Analysis Center Working 
Group, Unmanned Aircraft Systems Event Reporting Working Group, 
and International General Aviations Working Group.
    In conclusion, Chairman Katko, Ranking Member Rice, thank 
you again for this opportunity to testify concerning access 
control measures at our Nation's airports. The FBI's efforts 
and successes would not be possible without the continued 
positive working relationship with our partners and with your 
support. I would be happy to answer any questions that you 
might have. Thank you.
    [The prepared statement of Mr. Perdue follows:]
                  Prepared Statement of G. Doug Perdue
                            February 3, 2015
                              introduction
    Good afternoon Chairman Katko, Ranking Member Rice, and Members of 
the subcommittee. Thank you for the opportunity to appear before you 
today and for your continued support of the men and women of the 
Federal Bureau of Investigation (FBI). I am particularly pleased to be 
here today with Mark Hatfield, the acting deputy administrator of the 
Transportation Security Administration (TSA) to discuss our role in 
access control measures at our Nation's airports.
    Today's FBI is a threat-focused, intelligence-driven organization. 
Every FBI professional understands that preventing the key threats 
facing our Nation means constantly striving to be more efficient and 
more effective.
    Just as our adversaries continue to evolve, so, too, must the FBI. 
We live in a time of acute and persistent terrorist and criminal 
threats to our National security, our economy, and to our communities. 
These diverse threats illustrate the complexity and breadth of the 
FBI's mission and make clear the importance of its partnerships, 
especially with the Transportation Security Administration, in reducing 
security vulnerabilities in our Nation's transportation system.
    In fact, our National headquarters and local field offices have 
built partnerships with just about every Federal, State, local, Tribal, 
and territorial law enforcement agency in the Nation. Our agents, 
analysts, and professional staff work closely with law enforcement, 
intelligence, and security services--to include representatives at our 
Nation's airports and airlines to mitigate the threat posed to our 
Nation's transportation infrastructure and internal aviation security 
processes and systems. By combining our resources and leveraging our 
collective expertise, we are able to investigate National security 
threats that cross both geographical and jurisdictional boundaries.
                    civil aviation security program
    In conjunction with our partners, the FBI's Counterterrorism 
Division's (CTD) Civil Aviation Security Program (CASP) is extensively 
involved in efforts to uncover and prevent terrorist operations to 
attack or exploit civil aviation in the United States. The FBI has 
Special Agents and Task Force Officers assigned as Airport Liaison 
Agents (ALAs) at each of the Nation's TSA-regulated airports in order 
to respond to aviation-related incidents and threats, participate in 
joint FBI-TSA airport vulnerability assessments, and interact with 
interagency and private-sector stakeholders at airports around the 
country on exercises, threat mitigation, and other issues to protect 
the travelling public.
    The FBI's CASP and ALA Program were created in 1990 to formalize 
the Bureau's investigative, intelligence, and liaison activities at the 
Nation's airports. CASP is located in the FBI's National Joint 
Terrorism Task Force with a focus on supporting and enhancing efforts 
to prevent, disrupt, and defeat acts of terrorism directed toward civil 
aviation, and to provide counterterrorism preparedness leadership and 
assistance to Federal, State, and local agencies responsible for civil 
aviation security. One of CASP's primary responsibilities is to provide 
program management and support to the FBI's ALAs. In addition, CASP 
represents the FBI on aviation security policy matters, provides 
guidance and training to the field, and supports National aviation 
security initiatives and mandates. I would like to go over briefly 
CASP's efforts to mitigate the insider threat at America's airports.
                        intelligence production
    Since 2009, CASP has produced numerous intelligence products that 
are shared with the U.S. intelligence community. A couple of the 
Unclassified product titles include:
   Aviation-Related Suspicious Activities: An FBI Assessment (3 
        June 2005)
   Terrorist Training Document Reveals Travel Guidance and 
        Tactics (13 October 2009)
    To further mitigate threats to aviation, CASP produces and 
distributes a comprehensive daily aviation-centric intelligence summary 
for all ALAs and various FBI programs. This summary includes the latest 
threats to aviation, suspicious activity reporting within the Air 
Domain, current intelligence reporting, and updates on active aviation 
cases of importance. In addition, CASP intelligence analysts produce 
threat intelligence reports yearly in support of Congressionally-
mandated FBI-TSA Joint Airport Vulnerability Assessments (JAVAs) and 
coordinate on-site FBI representation at JAVA events.
                                liaison
    CASP has conducted three FBI Air Carrier Security Directors (ACSD) 
Forums since 2011, with a 3-day forum planned for August of this year. 
CASP has published nine aviation-centric Operation Tripwires since 
2003, with a 2010 Operation Tripwire that addressed the insider threat 
specifically. For those of you not familiar with the FBI's Operation 
Tripwire, it began in 2003 as a CTD initiative designed to improve the 
FBI's intelligence and information base. The program's vision is to 
develop FBI partnerships that help to identify U.S.-based terrorist 
sleeper cells through collecting and assessing specific information 
related to potential counterterrorism threats. The program's goal is to 
leverage outreach programs focused on aiding industry and local 
officials in recognizing suspicious activity and providing them a point 
of contact for reporting that activity, as well as to provide 
actionable items for the Joint Terrorism Task Forces (JTTF).
    CASP proactively develops curriculum on aviation security issues 
and provides training to ALAs, other Government agencies, the private 
sector, and foreign governments.
                          operational support
    CASP provides operational support to the FBI's ALAs and substantive 
units on active investigations, and provides strategic intelligence 
products on terrorists' tactics, techniques, and procedures. CASP 
responds to:
   Official Requests for Information and Requests for 
        Assistance
   Requests related to investigations of laser pointer 
        illuminations of aircraft
   Unmanned Aerial Vehicle incidents
   Government Accountability Office inquiries
   National Transportation Safety Board (NTSB) aircraft 
        accident investigation assistance
   Aviation-related exercises and Hijacking Response Plans 
        involving ALA and FBI equities.
    CASP developed a series of ALA best practices that leverages 
division-specific initiatives for broad participation by all FBI 
divisions and ALAs. These initiatives include documents and guidance on 
conducting vulnerability assessments at General Aviation airports under 
the ``General Aviation Assessments Initiative''; issuing Federal 
misdemeanors for non-felonious criminal acts at airports under the 
``Federal Misdemeanor Violations'' best practice; conducting recurring 
criminal record checks through the FBI's National Crime Information 
Center on airport employees under the ``Air Domain Computer Information 
Comparison'' initiative; and providing checklists and guidance for 
handling a major aviation crisis, such as a commercial airliner crash, 
under the ``Aviation Crisis Response Checklist'' best practice 
initiative.
    CASP also has access to the Federal Aviation Administration-managed 
Domestic Events Network allowing for enhanced response and situational 
awareness during ``real-time'' aviation incidents.
                                training
    One of CASP's major focus areas is conducting training for the 
FBI's ALAs, other Government agencies, and private-sector stakeholders. 
CASP has led the way with innovative, cost savings training initiatives 
that include:
   In 2011, CASP conducted joint FBI-NTSB ALA Regional 
        Training, instructing attendees on how to handle issues 
        surrounding a major aviation crisis within their area of 
        responsibility. Conducted three FBI ACSD Forums since 2011, and 
        CASP launched a mandatory ALA-specific Virtual Academy Training 
        Course for FBI employees entitled, ``Airport Liaison Agent 
        Fundamentals,'' in 2012.
   CASP recently worked with ALA Coordinators for in-depth 
        training at Los Angeles International Airport, Los Angeles, CA, 
        on 10-11 September 2014.
                   working groups and policy meetings
    CASP represents the FBI's equities on various interagency and 
industry committees/working groups, such as:
   Air Domain Awareness Working Group
   Man Portable Air Defense System Analyst Working Group
   Secondary Barrier Working Group
   Civil Aviation Threat Working Group
   Aviation Information Sharing Working Group
   Air Domain Intelligence-Integration and Analysis Center 
        Working Group
   Unmanned Aircraft Systems Event Reporting Working Group
   International General Aviation Working Group
                          insider threat cases
    Several recent high-profile cases underscore the threat from 
``insiders,'' which are rogue employees that exploit their credentials, 
access, and knowledge of security protocols. The FBI and our 
interagency partners cooperated on the following arrests:
   The arrest of Wichita-based Terry Lee Loewen on December 13, 
        2013 by the FBI Wichita JTTF. Loewen was charged with attempted 
        use of a weapon of mass destruction, maliciously attempting to 
        damage and destroy by explosive, and attempting to provide 
        material assistance to al-Qaeda in the Arabian Peninsula. 
        Loewen, an avionics technician with Secure Identification 
        Display Area badge access to Wichita Mid-Continent Airport, was 
        taken into custody after he allegedly armed what he believed to 
        be an explosive device and attempted to open a security access 
        gate. During the investigation, Loewen allegedly engaged in, 
        among other things, pre-operational surveillance, photographing 
        gate access points, researching flight schedules, and assisting 
        in the acquisition of vehicle-borne improvised explosive device 
        components and construction of an explosive device.
   In December 2014, Eugene Harvey, a baggage handler at 
        Hartsfield-Jackson International Airport, was arrested on a 
        Federal complaint charging him with trafficking in firearms and 
        entering the secure areas of the airport in violation of 
        security requirements. The complaint alleges that Harvey 
        repeatedly evaded airport security with bags of firearms, some 
        of which were loaded. He then allegedly passed the guns off to 
        an accomplice who transported them as carry-on luggage to New 
        York, where they were illegally sold. On at least five 
        occasions in 2014, Harvey, a baggage handler for Delta Air 
        Lines, worked with another former Delta employee to allegedly 
        smuggle firearms through airport-controlled security 
        checkpoints for Delta employees, and thus he was not required 
        to go through the screening performed for passengers by TSA. 
        Once through the airport-controlled security checkpoints, the 
        firearms were allegedly carried in carry-on baggage into the 
        passenger cabins of aircraft. Each time, Harvey's accomplice 
        flew to New York with the guns, where they were allegedly 
        illegally sold.
                               conclusion
    Chairman Katko, Ranking Member Rice, thank you again for this 
opportunity to testify concerning access control measures at our 
Nation's airports. The FBI's efforts and successes would not be 
possible without the continued positive working relationship with our 
partners and your support. I would be happy to answer any questions you 
might have.

    Mr. Katko. Thank you, Mr. Perdue, for your testimony.
    We appreciate you both being here.
    We--I know your time is valuable. I now recognize myself 
for 5 minutes to ask questions, and I will start with Mr. 
Perdue.
    Mr. Perdue, in your written statements to the committee you 
included two examples of the insider threats that the FBI was 
intimately involved with during the past few years. The first 
one was the arrest of Wichita-based Terry Lee Loewen on 
December 13 by the FBI, an act of potential terrorism. The 
second was the Eugene Harvey case, the baggage handler in the 
Hartsfield-Jackson International Airport in Atlanta, who was 
involved in the gun-smuggling case. You are familiar with both 
those cases; is that correct?
    Mr. Perdue. Yes, sir. They are on-going investigations.
    Mr. Katko. Is it fair to say that both these cases point 
out that there are serious concerns with respect to employee 
access at airports?
    Mr. Perdue. I think we would concur with that, sir. Yes.
    Mr. Katko. Could you turn your microphone on?
    Mr. Perdue. Yes, sir. We would concur with that.
    Mr. Katko. Thank you very much.
    Mr. Perdue. Apologies.
    Mr. Katko. Now, based on these cases and the other cases 
that the FBI has been involved in with respect to employee 
access at airports, has the FBI developed any sort-of level of 
concern about this issue or do they consider it to be a major 
issue with serious threat or is it not a big deal to them?
    Mr. Perdue. No. It is a big deal for us. I think one of the 
things that we continue to do is to work with TSA and to 
collaborate and to come up with other programs that we think 
that we can help each other with the security matters.
    Mr. Katko. Okay. So you have been making suggestions to the 
TSA as to certain ways you can enhance the security?
    Mr. Perdue. Yes, we have. Over the last actually several 
months, we have had a couple of pilot projects that were 
literally at the ground level that we think that we can 
significantly enhance both of our capabilities for security at 
the airports.
    Mr. Katko. Could you briefly summarize some of those pilot 
projects for us?
    Mr. Perdue. Well, one of them without an acronym, I think 
it is being done at 20 different----
    Mr. Katko. Everything is done with acronyms in the 
Government by now.
    Mr. Perdue. Exactly. So there is a project that we have 
been working on, it is at 20 different airports now, that we 
believe that we will be able to, as opposed to doing the checks 
just once where we could do on-going recurring, you know, 
checks back with our criminal justice investigative service. So 
it is an on-going project. It is still nascent. That we are 
going to be working with TSA this year to see if we can't get 
that implemented at more than just 20 of the airports.
    Mr. Katko. Is there any other raw projects that you are 
suggesting?
    Mr. Perdue. That is the main one right now, sir.
    Mr. Katko. Now, when you are talking about doing the 
background check, is it fair to say that once an employee 
survives an initial background check and is given a SIDA badge, 
which gives him access to the airport, that they go back and do 
screening, but they don't go back and check criminal history; 
is that correct?
    Mr. Perdue. That is correct from my knowledge, sir.
    Mr. Katko. So just to pose a scenario to you. If someone 
gets arrested after being employed at the airport, you may not 
know about that; is that correct?
    Mr. Perdue. That is correct right now based on the 
situation. Yes, sir.
    Mr. Katko. That is something that needs to be addressed?
    Mr. Perdue. Indeed. That is--the prod sys that I was making 
reference to, I think, will greatly enhance that this coming 
year.
    Mr. Katko. I am used to asking questions for hours, so this 
is difficult to ask it all in 5 minutes. So forgive me.
    But quickly switching gears, with respect to the gun case--
the Harvey gun case in Atlanta, I know that the FBI wasn't in 
on that case from the beginning. Could you tell me when the FBI 
first found out that local authorities in New York City were 
investigating this matter?
    Mr. Perdue. I don't know the exact time, and it is an on-
going investigation. We can get back to you on that, sir. We 
would be happy to do that.
    Mr. Katko. One of the things I would like to know is when 
you first found out about it and when you think you should have 
found out about it. Because one of the things I think we should 
consider here is when Federal authorities should be notified of 
aviation cases when local offices are doing them.
    Mr. Perdue. We would be happy to get back to you on that.
    Mr. Katko. Thank you, sir.
    Switching gears here briefly, if I may. Mr. Hatfield, thank 
you for your testimony today, and I appreciate it. The ASAC--
you mentioned that the ASAC committee has--you have met with 
them recently and they have given you some preliminary 
recommendations. Are you at liberty to share any of those with 
us at this time?
    Mr. Hatfield. Sir, I did in fact meet with them yesterday, 
first one-on-one with their Chairman, and then with the entire 
group. The working group is a subset of that group. We are 
expecting, I believe it is the end of this week, that first set 
of--I don't believe that they will be recommendations. But the 
way they described it, they will give us the, you know, who, 
what, when, and how, you know, where they are and where they 
are headed with this work.
    Then at 60 days, a month from the end of this week, they 
will report again. Then their recommendations we expect at the 
90-day mark, which would be 2 months from this Friday.
    Mr. Katko. All right. You will share those results with the 
committee?
    Mr. Hatfield. Absolutely, sir.
    Mr. Katko. All right. Thank you.
    Mr. Hatfield. In fact, I am as eager to get them as you 
are.
    Mr. Katko. Now, when we are talking about what goes on in 
Miami, you worked in Miami's airport. Is that correct?
    Mr. Hatfield. Negative, sir. I was the Federal security 
director for TSA at Miami for nearly 7 years.
    Mr. Katko. At Miami's airport. Okay. Right.
    Now, when you were there, did you get any understanding of 
how they were able to afford it and handle doing that at such a 
large airport, doing full security checks for all employees?
    Mr. Hatfield. Well, they are on record as describing the 
price tag as just over $3 million a year. The tough thing in 
this answer, sir, is defining the word ``it.'' How they did it.
    So they were doing screening. They do it today. But 
``screening'' is a word that has a broad range of meaning. So I 
can just tell you in short terms that what they do in terms of 
their screening protocols at the four employee checkpoints and 
at the seven elevators that have access to the secure area is a 
very different type of screening than what we do at the very 
visible checkpoints in the lobby. It is different from the type 
of screening we do in our random unpredictable mobile screening 
at employee access points.
    Mr. Katko. I would ask you how so, but I am already over 
the limit. So I presume if someone else could follow up with 
that. But last----
    Mr. Hatfield. I will talk fast.
    Mr. Katko. I am good at that, too.
    The last thing I will ask you is with respect to the GAO 
numbers you referred to about the cost in having full screening 
of all employees, that was in 2008, I believe it was; is that 
correct? In 2009?
    Mr. Hatfield. The HSI, the Homeland Security Institute 
study, which puts in price tags--a range of price tag on that 
subject.
    Mr. Katko. That was before GSA had their PreCheck program. 
Is that correct?
    Mr. Hatfield. It was--that definitely preceded TSA's 
PreCheck.
    Mr. Katko. Do you think it would be prudent, when we are 
considering everything in the total mix of measures--remedial 
measures to take that we take into consideration perhaps a new 
study from GAO or somebody to see what the updated numbers 
might look like?
    Mr. Hatfield. I think by virtue of the fact that that is 
now a 7-year-old study, if we are going to really drill into 
this, I would not object, nor would I dissuade a new study to 
really look at it and try to squeeze some hard cost estimates 
out of it.
    Again, the toughest challenge in doing that study is going 
to be establishing a set of definitions. Because screening--
there is screening, and there is screening, and there is 
screening. We can't just lump it altogether as though it is 
sort of a universal practice.
    Mr. Katko. Yes. That is perfectly understood, and I 
couldn't agree with you more. Thank you very much both you 
gentlemen.
    I am now going to recognize the Ranking Minority Member of 
the subcommittee, the gentlelady from New York, Miss Rice, for 
any questions she may have.
    Miss Rice. Thank you, Mr. Chairman.
    So I am going to start with you, Mr. Perdue. I want to 
thank you both for coming here because this is not--this 
hearing is not about us asking gotcha questions at all. If we 
are going to get to the bottom of how we can keep American 
travelers safe at the 450 airports we have in this country, we 
have to be able to have an open and frank discussion.
    I have to say that, you know, obviously Mr. Chairman and I 
have significant prosecutorial experience in our backgrounds. I 
was working--you might have been, too, Mr. Chairman--but on 9/
11 for the Federal Government. One of the things that came out 
in the aftermath of 9/11 was the lack of communication between 
the various agencies in the Federal Government. They were not 
sharing information that, had they been, some things might have 
been able to be addressed earlier.
    So my question to you, Mr. Perdue, is: What protocols are 
put into place, if any, that the FBI has with not just the 
Atlanta airport, but any airport in this country in order to 
information share, whether that is investigations that are on-
going that you are doing to an airport employee that you need 
to inform local authorities about or the reverse?
    Mr. Perdue. Yes, ma'am. That is hopefully an easy question. 
Since 9/11, of course, we focus on our Joint Terrorism Task 
Forces. So every one of our 56 field offices has, at least, one 
Joint Terrorism Task Force. Each of these Joint Terrorism Task 
Forces have at least one airport liaison agent assigned to each 
of the airports.
    So we have roughly about 100--excuse me--about 450, give or 
take, you know, agents or task force officers that work for 
FBI's Joint Terrorism Task Forces that are at the airports 
every day. So collaboration, information sharing is key to 
everything that we do.
    So I don't mean to be so short or succinct, but that is a 
part of what we do. We preach it, we talk about it, and we do 
not tolerate the lack of sharing. So----
    Miss Rice. Well, it just begs the question as to why there 
maybe wasn't that kind of information sharing in the case that 
we are talking about in Atlanta?
    Mr. Perdue. Yeah. I do not have the details on that. I will 
say that that was a criminal investigation, and it is not that 
our criminal program is not as tight as our counterterrorism 
program. I would not suggest that. But I would say it is two 
different, you know, sets of work, even though that we do work 
collectively together at the airports.
    So we can get back to you on that, ma'am, on the details of 
that investigation. I don't know what actually fell apart at 
the time.
    Miss Rice. So there is no legal prohibition from the 
sharing of information. Correct?
    Mr. Perdue. There is not.
    Miss Rice. Confidentiality or----
    Mr. Perdue. No, ma'am.
    Miss Rice. Okay. So I don't think there is any question 
that we need to do more robust criminal background checks.
    Is there anything preventing, from a logistics standpoint, 
going back ad infinitum? Forget about the 10-year barrier. 
Doing a lifetime criminal background check, going back to 
whenever the person may have first had contact with the 
criminal justice system. Is there anything preventing that from 
being the way we conduct criminal background checks?
    Mr. Perdue. I don't know the details. I don't know how 
cost-prohibitive it is. I know the TSA has some details on 
that.
    I would say, though, that the pilot project that we are 
working toward hopefully we will get access 24/7 to the 
Criminal Justice Information Center, CJIS, at Clarksville for 
TSA and that information.
    So I think we have this pilot, and we will be looking at 
other pilots this year, where we can make our information 
readily available to them and in a system that would not be 
cost-prohibitive.
    Miss Rice. All right. Do you know what the rationale is for 
only going back 10 years?
    Mr. Perdue. I do not, ma'am.
    Miss Rice. So you do do recurrent criminal background 
checks now? Is that true?
    Mr. Perdue. No. There is a--I think at 20 of the airports 
right now, we have a pilot project that we are working on. So 
the goal this year is to enhance that.
    Miss Rice. Now, it is--correct me if I am wrong, but it 
doesn't require anything other than just looking, I guess, 
refreshing the review of a set of fingerprints to any number of 
databases. Correct?
    Mr. Perdue. The fingerprints would be one and, of course, 
just setting up a system where the information could be, you 
know, passed readily. So, again, that is something we will be 
working with TSA on this year.
    Miss Rice. So is there any way that you can set up a system 
of information sharing whereby an airport employee gets 
arrested, does not share that information with their employer, 
but a law enforcement agency can share that with the airline or 
the TSA?
    Mr. Perdue. Yeah. That would be at the heart of this pilot 
project. So----
    Miss Rice. That is the heart of it.
    Mr. Perdue. So that would literally be at the heart of it.
    Miss Rice. What is--what obstacles are in the way? I mean, 
do you see that as do-able?
    Mr. Perdue. I think--I think so. It is do-able. We have had 
discussions about this over the last couple of days, and we 
will be pursuing it, and we will look forward to testifying 
about it later.
    Miss Rice. Okay. So, Mr. Hatfield, I have a couple of 
questions for you. So when you are driving to work in the 
morning and you are looking at the day ahead of you, answer 
this question for me: The top three things that are going to 
frustrate me today in terms of enabling me to get my job done 
are?
    Mr. Hatfield. Well, that has to start with the word 
bureaucracy. Let me answer that, if I can, quickly in three 
ways. Inside: Our business is a people business. We have 60,000 
employees, and 43,000, in round numbers, are in uniform. We do 
what we do with technology, but the heart of our efforts are 
the people. So hiring those people, retaining those people, 
teaching, training, and cultivating those people can sometimes 
be a challenge with the personnel rules that we have to deal 
with. Getting rid of the bad people, the ones who don't belong 
there, is probably the most frustrating process that we go 
through. It can be very lengthy in the Federal system.
    That said, I have been here for about a week and a half at 
headquarters in from Miami. In my new role, I am very 
encouraged by the briefing that I just had by our human capital 
director, who is taking real aggressive steps towards 
streamlining, hiring, toward making the process, the Federal 
personnel processes easier for our field leaders, our Federal 
security directors to follow.
    Outside, you know, in the big picture, I see the faces 
almost every day in intelligence briefings of the suspects, the 
known individuals who are plotting, planning, or suspected of 
planning terrorist acts.
    I can tell you, I have been for almost 13 years in this 
agency, my sense of urgency, my commitment, my belief in the 
reality of that threat is more real today than it was when I 
started in 2002. Making sure that everyone else has that 
urgency, it can be frustrating. You know, the longer we go from 
any major domestic event, the shorter people's memory retention 
and the thinner it gets. We have a lot of stakeholders, we have 
a lot of customers, we have a lot of employees. Making sure 
that everybody shares that sense of urgency or, at least, that 
recognition of how real the threat is. They don't have to all 
be as urgent as we are at the center of the storm, but let's 
make sure we don't dismiss this threat as something that went 
away, because it did not.
    Miss Rice. Mr. Chairman, if I could just be indulged for 
one more brief second.
    You talked about the difficulty in terms of defining 
screening. You are well aware of the program that Miami has in 
place. You have actually lauded it and said it is, you know, 
basically like a blue ribbon system.
    Regardless of how you define screening, in your opinion is 
there any amount of money that is too much to ensure the safety 
of Americans traveling on our airlines?
    Mr. Hatfield. You know----
    Miss Rice. Is there a logistical impossibility? You have to 
keep it very brief. But is there a logistical impossibility to 
implementing them at various degrees depending on threat 
assessments that are made at each individual airport so that 
the cost can be contained and the actual threat can be 
addressed?
    Mr. Hatfield. I am going to take that in three parts and 
try and be as quick and responsive as possible.
    No. 1, the Miami system, absolutely laudable. Blue ribbon 
in the initiative that it represents and the willingness to 
take on unilateral cost, expense, and activity that the airport 
has demonstrated now for many years. It is a good system for 
airport crime fighting, theft, smuggling, the kind of things 
that it was designed to do. It has collateral benefit for 
counterterrorism work. But that is not its primary design, nor 
is that a primary, you know, part of the whole mix there.
    On the cost piece of it, that is a tough discussion to ever 
get into. I will answer it this way: I want to be better every 
day. Better does not always mean more, more money, more time, 
more resources. Better means better. Better means looking at 
your vulnerabilities that are highlighted through public 
disclosures, through your own self-analysis towards your own 
assessment--by your own assessments, and demanding better of 
yourself and your people every day.
    Miss Rice. Thank you.
    Mr. Hatfield. There was a third point, and I apologize----
    Miss Rice. Thank you, Mr. Hatfield. Thank you, Mr. 
Chairman.
    Mr. Katko. Thank you very much.
    Now, in accordance with our committee rules and practice, I 
plan to recognize Members who were present at the start of the 
hearing by seniority on this subcommittee, alternating back and 
forth between my right and my left.
    So the next person up is the gentleman from Alabama, Mr. 
Rogers. I give you 5 minutes. I will note, Mr. Rogers and the 
others on the committee, we have been a little lax on the time, 
but we are going to have to enforce it a little more strictly 
going forward.
    Mr. Rogers. Thank you, Mr. Chairman.
    Mr. Perdue, the Ranking Member was asking you about the 
data collection and the background reviews. You mentioned 
fingerprints.
    Are there some other points of data that could be collected 
that aren't currently that you think would be helpful in that 
10-year or whatever number of years review?
    Mr. Perdue. Well, the Criminal Justice Information System 
out at Clarksville, of course, it has the biometrics, so there 
is fingerprints, there is other biometrics, and there is just 
literally all of the thousands and thousands of points of 
information that we collect in our intelligence programs.
    So, with the speed of computers, all we would need to do is 
obviously, you know, access that and to run checks against it. 
So other than----
    Mr. Rogers. The data being collected is adequate. You 
just----
    Mr. Perdue. I believe so. The whole idea, I think, is to 
create a functional system where we can exchange it, you know, 
freely and openly in a timely manner.
    Mr. Rogers. Thank you.
    Mr. Hatfield, to follow up on the Chairman's questions. In 
Miami, you kind of left it. You said you will talk faster. But 
tell me more about how the Miami system works. I think you said 
there is four points of entry for the employees?
    Mr. Hatfield. Gladly. The basic story to be told here is 
that back in 1999, to face a rash of theft issues and 
smuggling, they looked at how they could tighten up controls, 
access controls with employees.
    The first thing they did is something that every airport in 
the country can do today, that many have done over the years 
because it is a dynamic, evolving industry, and that is how 
many access points are there? Pedestrian, vehicle, or 
combination.
    If you reduce that number of access points, you reduce the 
opportunity. You are also able to better focus and better train 
your resources on securing those points of access and egress. 
So the screening itself, the most robust part of it, is at four 
choke points. I think that at one point they had nearly 40 
access points. They have a fraction of that now, both for 
vehicles and for people.
    They have a traditional set-up with a magnetometer, walk 
through a metal detector, and an X-ray machine to screen both 
people and their bags for metallic objects, metallic threat 
items. So this is a guns and knives, the kind of classic items. 
But the--you know, there is a whole range of dynamic 
differences between that and the screening upstairs.
    Again, I can't say enough good things about what they have 
done in Miami. In the years that I spent down there, they were 
absolutely engaged partners, as were every other member of that 
airport community. I didn't get a chance in the beginning, but 
Mr. Perdue's folks at each airport I have worked at, Newark, 
Kennedy, and Miami, have been very strong partners for us. He 
certainly is a representative of the kind of quality individual 
that the FBI joins and partners with TSA day in and day out 
across the country.
    Mr. Rogers. So this does not sound like an overly 
burdensome process at those four checkpoints for the employees 
in Miami. But yet you seem to indicate that you didn't think 
that would be a system that would work at other airports. Did I 
misinterpret?
    Mr. Hatfield. No, sir. I didn't venture a speculation on 
that. I think that what was replicable--what is replicable at 
other airports is that first step that they took when they 
started this initiative many years ago, and that is look at how 
many access points there are for both people and vehicles, and 
what can you do to continue running the airport, maintain 
operations and efficiency, but reduce the number of 
opportunities.
    Mr. Rogers. Assuming that each airport did that, would you 
not agree that it would not be overly burdensome to require 
employees every time they reenter a workplace to go through a 
magnetometer?
    Mr. Hatfield. It goes to a more fundamental question, sir. 
That is we look at the screening of the employee base in this 
context. It is a known and trusted population. So through the 
vetting, through the credentialing----
    Mr. Rogers. There was that fellow in Atlanta that brought 
the guns back and forth----
    Mr. Hatfield. Right. It doesn't end with vetting and 
credentialing. It has to include a physical screening 
component.
    Mr. Rogers. So the answer is, yes, that is not an overly 
burdensome requirement to require every employee that comes 
back into the workplace to go through a magnetometer?
    Mr. Hatfield. It is not an overly burdensome requirement 
because it happens today. TSA does most of it. But airlines and 
airports also do physical screening in addition to Miami. Now, 
they are the example of 100 percent, and I believe Orlando has 
been mentioned as well.
    Mr. Rogers. Well, my point is requiring 100 percent of the 
employees would not be an overly burdensome requirement, just 
to go through a magnetometer.
    Mr. Hatfield. I think that for the best answer to that, I 
would wait for the report back from the ASAC, the security 
advisory group, because they are really doing a deep dive into 
this, and they have got the representation of all of the key 
stakeholders and players, as well as TSA participation in that 
group effort.
    Mr. Rogers. Well, I don't need to wait for the report. I 
know what the answer should be.
    With that, my time has expired. I will yield back, Mr. 
Chairman.
    Mr. Katko. Thank you very much, Mr. Rogers.
    The Chairman now recognizes Mr. Thompson.
    Mr. Thompson. Thank you, Mr. Chairman.
    Following along Mr. Rogers' line of questioning, Mr. 
Hatfield, who is tasked with the responsibility for this 
committee's information once a person is credentialed? Who is 
responsible for making sure that that person is who they are as 
it relates to going to work every day?
    Mr. Hatfield. I apologize, sir. I didn't quite hear the 
middle part of that question.
    Who is responsible----
    Mr. Thompson. Well, once a person receives a SIDA badge----
    Mr. Hatfield. Yes.
    Mr. Thompson [continuing]. And goes to work, is that the 
airport's responsibility for guaranteeing that that person is 
who they are, or is it TSA overseeing the process that the 
airport does?
    Mr. Hatfield. It ultimately falls on both. It starts with 
the airport because the airport is the entity that collects the 
information necessary to submit to TSA for the criminal history 
record check and for the security threat assessment. That 
information includes fingerprints and personal identifiers. For 
the airport's purpose, they may or may not collect Social 
Security. But they do then send that to TSA. We do the check 
and send back the results.
    As far as maintaining--you know, that was one that was a 
recent study not long ago.
    Mr. Thompson. So--so--I understand. I am trying to get----
    Mr. Hatfield. Sure. Go ahead.
    Mr. Thompson [continuing]. Everything down. So once that 
person has the badge----
    Mr. Hatfield. Yes.
    Mr. Thompson [continuing]. For 10 years, there is no 
review, or what is the review?
    Mr. Hatfield. The review is on a continuous basis on the 
TSA security threat assessment side because what happens is 
that name--those identifiers go into a database that is 
continually checked against the Terrorist Screening Center's 
database. The question at hand----
    Mr. Thompson. But not the criminal.
    Mr. Hatfield. No, sir. That is the question that is before 
the ASAC.
    Mr. Thompson. Not criminal, but terrorist. The burden is on 
the airport to guarantee that that person is who they are?
    Mr. Hatfield. Yes. It is. When they collect their 
information, they have a process to----
    Mr. Thompson. How about going to work every day? When that 
person goes to work every day?
    Mr. Hatfield. In terms of matching the ID with the face, 
many people are involved in that, sir. Most airports have 
challenge programs; if you see somebody on the ramp who is not 
showing an ID, if you see somebody on the ramp and use testers 
who wear a woman's ID or----
    Mr. Thompson. But who is ultimately in charge of the 
program? Is it the airport?
    Mr. Hatfield. Of the program of verifying identity on a 
daily basis? Everybody in that airport community is responsible 
for it.
    Mr. Thompson. I understand, but I am--I am a ramp worker--
--
    Mr. Hatfield. Okay.
    Mr. Thompson [continuing]. Going with my SIDA badge. If 
something happens, is it the airport, or are you saying it is 
everybody working together has to figure out who is there?
    Mr. Hatfield. You are getting to your job on the ramp, and 
it is in a secure area. You use that badge and you swipe 
through a reader or you present it to a guard, or, in some 
cases, you go through a screening area, but in fact that----
    Mr. Thompson. I am trying to narrow the area of 
responsibility so that we kind of understand, because I am 
trying to get to the other part of the question.
    Who pays for that? Is it the airport that pays for the 
screening of those individuals, or is it who?
    Mr. Hatfield. Sir, that is a complex question with a 
complex answer. So the easy part of that is who pays for the 
screening? Well, if they go through my checkpoint at Miami, I 
am going to screen them and TSA pays for it. If they go through 
Miami's checkpoint, the airport pays for it. If you go to 
Atlanta, they also pass through the TSA checkpoint which I 
guess the cost is then borne by TSA, but they go through--they 
go through a Delta screening contractor when they get on an 
employee bus.
    Mr. Thompson. So there is no one entity.
    Mr. Hatfield. There is a combination, sir.
    Mr. Thompson. So there is no one entity in charge?
    Mr. Hatfield. There are--well, leadership is shared and 
command is shared.
    Mr. Thompson. I understand. The individual with a SIDA 
badge, who is responsible for keeping up with the badges?
    Mr. Hatfield. The airport security office is responsible 
for the issuance and the retrieval of those badges----
    Mr. Thompson. All the badges.
    Mr. Hatfield. Yes.
    Mr. Thompson. So do you require a monitoring of that 
process?
    Mr. Hatfield. Absolutely, and, in fact, we have responded 
to a recent Government study that said there needed to be 
tighter constraints on that, and I was not here at headquarters 
when that took place and was delivered, but I was in the field, 
and I can tell you it manifested itself at the Miami security 
office in terms of how they audited, managed, retained 
records----
    Mr. Thompson. So are any of those SIDA badges, to your 
knowledge, biometric?
    Mr. Hatfield. I am sorry, sir.
    Mr. Thompson. Are any of them biometric?
    Mr. Hatfield. In Miami, they are not. Biometrics are the--
up to the discretion of the airport in terms of selecting, 
purchasing, deploying biometric reading equipment.
    Mr. Thompson. To your knowledge, do you know any airports 
that use biometrics?
    Mr. Hatfield. I know that some do, and I can't--I can get 
you names of them. We will poll them.
    Mr. Thompson. Please get us.
    Mr. Hatfield. Okay. You want it for biometrics for----
    Mr. Thompson. Your indulgence, please.
    Mr. Perdue, are you aware, in line with the Ranking Member 
of the committee's questioning, aware of any written protocols 
for the sharing of information with either airport police--and 
I am trying to get to the Atlanta situation. Would the Atlanta 
airport police department have been involved in a situation 
like that, or would that investigation have been conducted 
outside that airport?
    Mr. Perdue. I am not for sure I understand the question, 
sir, but----
    Mr. Thompson. Well, you have New York and Atlanta involved. 
I am trying to see at what point are there written protocols 
that would bring the Atlanta airport authorities, police or 
whomever, into this investigation since it went on so long. 
Would it have been at the beginning, in the interim, or at the 
end?
    Mr. Perdue. If the FBI had been in charge of it, sir, 
hopefully what we would have done would, and what we do with 
all our other investigations, we share, we collaborate and we 
do our best to make sure all of our partners know what is going 
on, and so on the particular issue, the question was is that am 
I aware of a written protocol that oversees local police 
officers sharing information? I am not, sir.
    Mr. Thompson. Not local. Federal sharing information with 
locals. The other way.
    Mr. Perdue. Inside the FBI, I am aware of the FBI's, you 
know, guidelines, our policies, and that they are all about 
sharing and collaborating, sir.
    Mr. Katko. The Chairman recognizes Mr. Carter.
    Mr. Carter. Thank you, Mr. Chairman.
    Mr. Hatfield, not to be redundant, and forgive me if I am, 
but I just want to make sure I understand this and I have got a 
clear understanding of it is that the SIDA cards that are 
issued at one airport are not--are not valid in other airports.
    Mr. Hatfield. Right.
    Mr. Carter. Okay. At a certain airport, such as Atlanta, at 
Hartsfield, that the list is maintained by the airport 
authority of those people who have the SIDA badges.
    Mr. Hatfield. The list of SIDAs, yes.
    Mr. Carter. SIDAs, okay. Is it ever--do they ever review it 
and just randomly check them? I know that you mentioned that 
they check them against the terrorism threats and such, but do 
they just have random checks from time to time?
    Mr. Hatfield. Some airports do, sir. I know, in fact, 
coming back to Miami, Miami does that. The Miami Police 
Department--Miami Dade County Police Department will go into 
the security office on a periodic basis, and it is pretty 
frequent, and they will take a chunk, a representative sample, 
and they will go back and they will run a recurrent criminal 
history record check against it, but, again, that is their 
initiative. It is not a requirement.
    Mr. Carter. Okay. Why isn't it a requirement? Why don't we 
have more consistency among the airports?
    Mr. Hatfield. It is a good question in terms of why isn't 
it a requirement. The part of the work that we are doing 
collaboratively with the FBI right now is to come up with a 
means to do it. So we have got a mechanism, and it is a fairly 
new mechanism that allows us to do recurrent vetting against 
the terrorist database to do terrorist database screening. It 
is not just something that is existing that can plug and play, 
which is why we are developing it, and I think we are fairly on 
the record, if we are not, I guess I am on the record now, we 
are looking for that. We want to be able to do constant 
recurrent criminal history records checks.
    Mr. Carter. Okay.
    Mr. Hatfield. We can go to the Ranking Member's question of 
the duration how far back we look, that is a separate issue, 
but in terms of do we want a mechanism that can allow us to do 
the same thing with criminal history records that we do with 
the terrorist database? Yes, sir.
    Mr. Carter. Okay. Let me ask you this: What did we learn in 
Atlanta?
    Mr. Hatfield. We were reminded in Atlanta of the fact that 
our airports are open and to a degree knowingly porous 
facilities. They--that is part of being an airport, that there 
are vulnerabilities. That it is our responsibility to identify 
and address those vulnerabilities, but just as important as 
identifying and addressing the vulnerabilities is understanding 
the threat and what the two of those things together go to 
create a risk.
    So the demonstration that that gun-running operation did 
was it was--it was a glaring vulnerability in that case. I 
wouldn't say that it was in and of itself a brand new 
revelation. We know that crime takes place in airports like it 
takes place in cities. They are just--they are smaller cities, 
and so we need to--you know, that is part of our partnership 
with the FBI and with local and Federal law enforcement is 
there is crime fighting that is going on in airports across the 
country, and there is counterterrorism work. We do overlap. We 
each benefit from each other's work, but they are separate 
disciplines, and so in that combined effort, we need to 
maintain focus on both of those challenges, and, again, what 
did we learn? I think we learned what I said earlier. We can do 
better. I think we can challenge ourselves to do better. Is 
that answer 100 percent employee screening? I don't know that 
it is. Again, I am eager to hear the council--ASAC's 
recommendations, but I do think that today now, even before 
those recommendations come in, we have taken steps that are 
helping us do better increasing employee screening.
    Mr. Carter. Okay. I know that there are a number of 
agencies, as you have alluded to, that have a part in this, but 
I want to concentrate primarily on airlines. What is their 
responsibility, and if they fail at that responsibility, is 
there any kind of disciplinary action or anything?
    Mr. Hatfield. I will be honest with you. The requirement 
for them to do employee screening is open to interpretation. It 
is fairly broad. So in some cases, you will find airlines--
Delta is included in Atlanta, by the way--where they are paying 
a third-party contractor, a security force provider, to screen 
their employees at points prior to entry into the secure area. 
They are footing the bill and executing that security measure 
on their own dime. That takes place in airports around the 
country by various airlines. So there is a commitment out 
there. There are demonstrable examples of it, but it is not a--
there is not a cut-and-dry standard or a threshold, a 
percentage, a number that they have to adhere to.
    Mr. Carter. Do you feel like there should be?
    Mr. Hatfield. The difficulty in doing that is, as Mr. 
Thompson said, there are 450 airports out there. We have got 80 
Federal security directors who, through a system of hub and 
spokes and stand-alone airports, work to create a tailor-made 
custom security plan for each of those airports. They demand 
that. So we might be able to get more specific. I think that is 
one of the things that we are looking at with the ASAC in terms 
of setting those screening goals for what the airport or the 
airlines are responsible for, but I am not going to pre-empt 
their recommendations in that.
    It is a cookie-cutter standard, a target number, a 10 
percent or 1,000 or any of those I think would be impractical, 
but we are good at working on these custom solutions. We have 
got Federal standards, and we know how to apply them in 450 
different areas. So this could be one of those things that we 
learn how to change our behavior with.
    Mr. Carter. Thank you very much.
    Mr. Katko. Thank you, Mr. Carter.
    The Chairman now recognizes the gentleman from New Jersey, 
Mr. Payne.
    Mr. Payne. Thank you, Mr. Chairman, for having this 
committee hearing.
    Also to the Ranking Member of the full committee and the 
Ranking Member of the sub. It is an honor for me to have joined 
this committee.
    Mr. Hatfield, being from the 10th Congressional District in 
the State of New Jersey, Newark Airport is 5 minutes from my 
home. You know, you stated in your testimony that through the 
security threat assessment, you know, bad actors are weeded 
out.
    What is your response to media reports that an individual 
that had been issued a SIDA credential in the past was found to 
be fighting overseas with ISIS?
    Mr. Hatfield. I actually think that is a good example of 
the system that we do have the constant recurring vetting on. I 
believe the case you are referring to involves an individual 
who was identified, but he--it was after his employment in the 
airport that his association with ISIL had begun, and so the 
idea of having--look, we don't have an enemy that fosters and 
cultivates cradle-to-battlefront operatives. They are out there 
recruiting adults and, you know, people who have lived lives 
and, you know, can become influenced by the rhetoric and the 
recruiting. So you may have somebody who has had a fairly 
uneventful life with no criminal record, with no terrorist 
contact or suspicion, who suddenly becomes activated or 
inspired, as the magazine's title intends it to do. So that is 
why we believe very strongly in maintaining that constant 
terrorist database vetting and why that proves a good model.
    Frankly, I think that there is, in this case, even higher 
value in that work that we are already doing, but it certainty 
supports our search and our work with the FBI in coming up with 
a constant criminal revetting system.
    Mr. Payne. Well, let me ask you, then, once, you know, a 
security breach occurs, following the Ranking Member's 
questioning, who is responsible for reporting the breach to the 
TSA, and are the breaches collected into a database?
    Mr. Hatfield. Yes. They are collected into a database, and 
we have--it kind of depends on the nature of the breach, where 
it occurred, who was on site, but there is very demanding 
reporting requirements. You know, in a typical situation, it is 
TSA and the local PD of jurisdiction who are the first to get 
it. On our side, it will typically be our regulatory folks. It 
can be the screening folks or our law enforcement arm, but the 
local police, then, and if it rises to the level of a Federal 
investigation, the FBI is brought in and so forth and so on, 
but your typical sort-of first reporting points for an airport 
security incident, TSA and the local police department.
    Mr. Payne. Mr. Perdue, you know, if a SIDA badge holder is 
convicted or found to be guilty of one of the 28 disqualifying 
crimes, are they expected to self-report the criminal activity, 
or is there a system in place to collect this data as well? Can 
you describe this process?
    Mr. Perdue. The process in place right now, again, is just 
when the entry-level employee's name trace and then the name 
checks come by through the Criminal Justice Information Center. 
So, other than what I have already provided testimony on today 
with this pilot project, those are the two things that we are 
working on.
    Mr. Payne. So it is identified, or are they obligated to 
self-report?
    Mr. Perdue. It is not--I have no information that they are 
obligated to self-report, and so that would be a TSA question, 
sir.
    Mr. Payne. Okay. You know, what penalties exist for those 
who misuse their SIDA credentials to enter a secure area of an 
airport?
    Mr. Perdue. I am not familiar with the exact exposure or 
what the crime actually would be. I defer to TSA or that too, 
sir.
    Mr. Payne. Mr. Hatfield.
    Mr. Hatfield. If it is a case of misuse where there is a 
regulatory or a rule violation, they can face suspension or 
revocation of that badge, which in many or most cases means 
their inability to work. So there is as high price there. If it 
moves into a criminal act or there is criminal elements to the 
case, then, of course, local PD and/or the FBI or the law 
enforcement agencies would--and that would be a case for the 
court systems, depending on if prosecution resulted from it.
    There also is the potential for civil penalties. Again, if 
it is a regulatory infraction, TSA can issue a civil penalty to 
an individual.
    Mr. Payne. Thank you.
    Mr. Hatfield. You are welcome, sir.
    Mr. Payne. Mr. Chairman, I am going to show restraint and 
yield back the balance of my time.
    Mr. Katko. Thank you very much.
    The Chairman now recognizes Mr. Ratcliffe of Texas.
    Mr. Ratcliffe. Thank you, Mr. Chairman.
    Thank you, Mr. Hatfield and Mr. Perdue, for being here 
today and for providing your insights and clarity on airport 
security measures.
    I do want to follow up on the line of questioning from the 
gentleman from New Jersey about security breaches a moment ago, 
and I will direct this to you, Mr. Hatfield.
    According to a DHS OIG report that was released back in May 
2012, TSA is supposed to document all security breaches locally 
at each specific airport, and that is supposed to be done 
through TSA's tracking system, the PARIS system, the 
Performance and Results Information System. That IG report, 
though, found that more than half of the breaches weren't 
actually being reported into the PARIS system, and of those 
that were reported, only half of those was any corrective 
measures taken. So can you comment on that and, in so doing, 
hopefully talk to us about what reforms TSA has made to those 
policies and procedures to ensure that everything is being 
accurately reported.
    Mr. Hatfield. I can, sir. The fundamental problem at that 
point in time--and I will talk to the remedy since then--the 
fundamental problem was in the definition of ``breach.'' You 
could go talk to 80 different Federal security directors or 
their staffs. Sometimes the most insignificant incidences were 
being called a breach, and other times more appropriate 
incidents were being called breaches. So we set out after that 
report and in concert with the IG, who I believe validated the 
response that we made, and that is to set a more defined set of 
parameters for what constitutes a breach.
    I was in the field during that time, and I know that, you 
know, we worked very hard to discern between a security event--
and that is sort-of--that is what we are left on the other side 
of the ledger, security events. They happen every day. But a 
breach is a pretty distinct event in itself and requires a 
threshold to be met. So once we got the definition down, I 
think our reporting through PARIS has gotten much better.
    When you talk about the absence or the lack of consequences 
in a large number, again, you had things being called breaches 
that either didn't draw or demand a punitive action or were 
such fleeting events that there really weren't even 
perpetratorial players to identify in it going back. So I think 
that we are pretty aggressive in terms of using the regulatory 
weight, if you will, of the civil penalty. Of course, in most 
cases--and I think any good regulator follows this philosophy--
corrective action and remedy to the bad behavior or the 
omission is the first goal rather than just, you know, 
collecting money for the Treasury, but if there is a repeat 
offense or an unwillingness to remedy and correct the problem, 
we absolutely will not hesitate to level civil penalties. We 
absolutely will not hesitate to bring in law enforcement if 
there is any indication of criminal activity.
    Mr. Ratcliffe. Okay. Thank you, Mr. Hatfield.
    So I know there is not a subsequent IG report, but you 
referenced their sort-of follow-up with you in terms of 
recognizing with a new definition, if you will, of what 
constitutes a breach.
    Can you put a percentage on the number of breaches that are 
now recorded in this system or give me an estimate of that?
    Mr. Hatfield. I don't have that visibility on the overall 
system, sir, but I will get back to you. I want to validate 
what I represent in terms of our remedy and the IG's reaction 
to it. I want to make sure that I have got that right. This 
is--at this level, sort-of an enterprise level of these 
activities, I am fairly new on the scene, but I have certainly 
seen it from the field perspective and have been part and 
parcel to the old practice and the new practice, and be more 
than happy to get you some feedback on that.
    Mr. Ratcliffe. Okay. Very good.
    Mr. Perdue, I don't want you to feel left out, so I have 
got a math question for you too. This relates to joint 
vulnerability assessments. So data that I have seen from the 
GAO indicated that from 2004 to 2011, JVAs had only been 
conducted at about 17 percent of TSA-regulated airports. Now, I 
am not math major, but does that mean that 83 percent during 
that period of time weren't being assessed?
    Mr. Perdue. I do not track that or monitor that. That would 
be a TSA question. We participate, you know, in this and we--
jointly we do these assessments, but as far as the numbers, I 
wouldn't have the answer to that, sir.
    Mr. Ratcliffe. Okay. But so maybe you can answer this 
question: Can you relate, since you do work with TSA with 
respect to that, and how do TSA and FBI decide which airports 
are going to be assessed or undergo a JVA?
    Mr. Perdue. Again, what we do is that we participate in 100 
percent of them. TSA decides which ones they are going to go to 
and then we make sure that we have representatives there to 
provide appropriate threat assessments.
    Mr. Ratcliffe. Okay. Can you expound on that, Mr.----
    Mr. Hatfield. Certainly. I would be happy to. The 
identification of those airports, I can give you the actual 
numbers in closed session, but let's say, by number, it is a 
small amount; by volume a percentage of daily passenger 
traffic, it is a huge amount. So 450 airports, if you look at 
our smallest airports, it is nearly 300 of them, represent just 
a fraction of the daily passenger traffic. So we are really 
focused on a critical number of highly important high-traffic 
airports. That said--and the cycle for that is one-third of 
them every year. So, in a 3-year cycle, we will get back to the 
first set of them.
    However, every single year every single airport goes 
through a TSA regulatory assessment. So our folks are out there 
looking at vulnerabilities, looking at compliance, looking at 
all of the aspects of the airport security plan for every 
single airport. That is an annual requirement, and it is a very 
large part of what our regulatory group does.
    Mr. Ratcliffe. Terrific. Thanks, gentlemen.
    I yield back.
    Mr. Katko. Thank you, Mr. Ratcliffe.
    The Chairman recognizes Mr. Johnson, the gentleman from 
Georgia.
    Mr. Johnson. Thank you, Chairman Katko and Ranking Member 
Rice. I want to thank you for allowing me to be here today.
    I sent a letter to the full committee and the 
Transportation Security subcommittee at the beginning of this 
Congress requesting that this committee hold a hearing on this 
very topic, and I thank you for listening to my call.
    This is an important issue for National security and for my 
hometown of Atlanta. I made a pledge to the people of Georgia 
that I would focus on this issue, and it is in that spirit that 
I appear here today.
    I look forward to working with all Members of this 
committee, which has important jurisdiction to protect the 
health, safety, and welfare of the public who transport 
themselves on the airlines, and this is critical work.
    I want to congratulate you both for ascending to these 
important positions on this important subcommittee, and I look 
forward to working with you in the future.
    As we all know, in December, at Hartsfield-Jackson Airport 
in my home State of Georgia, the busiest airport in the world, 
an employee and his co-conspirator, a former airport employee, 
were arrested for smuggling guns onto airplanes. If this is 
happening at one of--at the world's largest most prominent 
airport where passenger security is at the forefront, then I am 
afraid to think of what may be happening at other airports.
    The incidents at Hartsfield-Jackson should be a wake-up 
call to this committee and to airports and airlines. We must 
ensure that airport and airline employees who enjoy unique 
access to airplanes undergo rigorous security screenings in 
order to prevent such a more serious incident from occurring, 
and that is not the first incident of that nature to occur at 
Hartsfield-Jackson over the years.
    Mr. Hatfield, I heard you say before I left that random 
screening of employees is just as effective as 100 percent 
screening of employees. Is that correct?
    Mr. Hatfield. Sir, I--those were not my words. I was 
quoting a study, actually. It is not my conclusion. I mean, I 
did say that quoting the Homeland Security Institute's study, 
and I also qualify that by saying that even in their own 
footnotes, they acknowledge that they had a small sampling, and 
to the Member's question earlier, would it be a good idea to 
revisit that study, after 7 years, probably so.
    Mr. Johnson. If the premise or the conclusion of that 
study, as you have stated, is that random screening is just as 
effective as 100 percent screening of employees, then would you 
not think that that same general rule would apply to airline 
passengers? In other words, if we don't screen 100 percent 
airline passengers and we just do a random screening process 
for them, you would not agree that we should do that. Is that 
true?
    Mr. Hatfield. Sir, I would not subscribe to that notion, 
but I will also tell you that in the 12\1/2\ years TSA has been 
doing this, we have evolved on the passenger side as well, and 
now we actually segment the population of passengers and people 
on the plane, including flight crew and aircraft crew. In some 
cases, the known crew member, we are doing primarily identity 
screening. So it is a different type of screening. It is not 
the physical screening at the checkpoint although they are 
subject to that on a random basis.
    So, no, I would not, again, subscribe to the idea that we 
change our paradigm because I think we are pretty satisfied 
with it.
    Mr. Johnson. But you would be reluctant to be change in 
terms of going to a 100 percent screening of airline employees?
    Mr. Hatfield. Again, ``screening'' is a big word and it has 
a lot of meanings. Right now we do 100 percent screening of 
airline employees in that we screen them against a terrorist 
database every day. We screen physically----
    Mr. Johnson. Physical screening.
    Mr. Hatfield. Physical screening? Right now we physically 
screen about 100,000 employees a day through various means.
    Mr. Johnson. You have got how many employees in Atlanta? 
About--what--40,000 if I recall?
    Mr. Hatfield. In the total airport population?
    Mr. Johnson. Yes.
    Mr. Hatfield. I have heard it is around 40-plus thousand.
    Mr. Johnson. That is a lot of individuals coming through, 
some of whom are not screened at all. But statistically you 
would support the notion that it would be unnecessary to ramp 
up screening. Is that what you are arguing?
    Mr. Hatfield. No, sir. My position is this. We have a very 
qualified and dedicated group who is looking at this from a 
very analytical point of view with broad representation of all 
the players in the airport community.
    As an aside, I spoke with the Federal security director in 
Atlanta yesterday, Mary Leftridge Byrd, who is not only a 
colleague of mine but a friend, and talked to her about this 
subject. They have taken moves to ramp up the number, the 
percentage of physical screenings that they do as a sort-of a 
surge posture during this analysis while we look at what the 
long-range posture will be. But, again, as we bring in all the 
members of this community, airlines, airport operators, the 
TSA, law enforcement at both the Federal and local level, it is 
a question that demands discussion and that we are looking at.
    I am not prepared, sir, today to preempt the ASAC's 
recommendations nor to make conclusions at this point. But I 
will grant you this, yeah, we need to look at this. You know, 
is it going all the way to 100? Is it going to an incremental 
increase and the percentage that we physically screen today? I 
think the answer is somewhere in there.
    Mr. Katko. Thank you, Mr. Johnson for your questions.
    I want to thank the gentlemen, Mr. Hatfield and Mr. Perdue. 
It is obvious that you are fine public servants and that you 
are highly competent and qualified to answer these questions. 
We definitely had the right people here today with respect to 
you two. So thank you very much for your time, and I wish you 
well and look forward speaking to you in the future.
    Members of the committee may have some additional questions 
for the both of you. I will ask that you respond to these 
questions in writing in a timely manner. The hearing record 
will be held open for 10 days with respect these two witnesses.
    We will take a very brief recess so that the next--the 
second panel can get prepared to testify.
    Thank you, gentlemen.
    Mr. Hatfield. Thank you, sir.
    [Recess.]
    Mr. Katko. Good afternoon. Before we get into introductions 
here, I want to make a couple of technical notes for the 
record. First from Miss Rice.
    Miss Rice. Mr. Chairman, I ask unanimous consent that this 
letter from President Williams of AFGE Local 554 in Georgia 
regarding his concern over the firearm smuggling incident at 
Atlanta Jackson-Hartsfield Airport be entered into the record.
    Mr. Katko. Without objection, so ordered.
    [The information follows:]
      Letter From L.P. Robert Williams, AFGE Local 554 TSA Georgia
Honorable Bennie G. Thompson,
Ranking Member, Committee on Homeland Security.

Dear Congressman Thompson: I am writing to express my deep concern over 
the recent public revelations of current and former Delta employees 
smuggling 131 firearms and ammunition aboard Delta flights between May 
1 and December 10th 2014. This information was not surprising to the 
TSA Officers who work at Atlanta Jackson Hartsfield Airport.
    I represent all the TSA officers in the State of Georgia and this 
huge glitch has been repeatedly pointed out to local supervision and 
management over the last three years. TSA'S Local management's would 
refer me back to our collective bargaining agreement that prohibits any 
discussion dealing with security policies, procedures and deployment of 
security personal. The officers who commit to protecting our homeland 
are discouraged and prohibited from pointing out areas where the 
airport is vulnerable. Developing innovative countermeasures are 
frowned upon when officers suggest possible fixes to the insider threat 
problem.
    Many officers work in an environment where they believe their 
safety and the flying public's safety is put at risk by sequestration 
and staffing shortages. Atlanta's has a number of employee entrances 
that would benefit from increased TSA staffing who have the ability to 
search all airline personal more frequently. If and when that mandate 
is authorized TSA does not currently have the staffing to accomplish 
that mission.
    Since the discovery of this problem in late December the PLAYBOOK 
team has increased it's screening of employees that enter the airport 
which is commendable, however it does repair the root cause of the 
problem. Without securing the North and South CIDA badge access doors 
where any current or former airline employee with nefarious intentions 
can enter, the insider threat has not been stopped. The only 
significant change is the airport vendor employees have had their 
ability to enter those doors taken away by the airport authority. 
Airline employees still have the same CIDA access.
    AFGE believes the officers who are tasked with securing a port of 
entry to our nation should be at the table during these conversations 
on how best to secure the homeland. We would like Congress to encourage 
our inclusion in these meetings. AFGE would also like Congress to know 
that the taxpayers have invested millions of dollars in equipment that 
sits unused because TSA has not hired anyone to fill the many vacancies 
we have at the Atlanta airport. In closing we believe there are many 
opportunities to improve the security to our homeland, eliminate 
staffing shortages, and improve internal communication at the world's 
busiest airport. AFGE LOCAL 554 stands ready to serve when called upon.
            Respectfully Submitted,
                                      L.P. Robert Williams,
                                        AFGE Local 554 TSA Georgia.

    Mr. Katko. I also ask unanimous consent to insert in the 
record a statement from Airports Council International--North 
America, as well as a letter from the American Association of 
Airport Executives.
    Without objection, that is so ordered as well.
    [The information follows:]
   Statement of Kevin M. Burke, President and CEO, Airports Council 
                      International--North America
                            February 3, 2015
    Chairman Katko, Ranking Member Rice, and Members of the 
subcommittee, thank you for the opportunity to provide the views of 
airport operators on access control measures. As the president and CEO 
of Airports Council International--North America (ACI-NA), I am 
submitting this testimony today on behalf of the local, regional, and 
State governing bodies that own and operate commercial service airports 
in the United States and Canada. ACI-NA member airports enplane more 
than 95 percent of the domestic and virtually all the international 
airline passenger and cargo traffic in North America. More than 380 
aviation-related businesses are also members of ACI-NA.
    Mr. Chairman, each day, airports, operating in today's dynamic 
threat environment, implement a variety of measures to provide for the 
security of their passengers, employees, and facilities. To this end, 
airports partner with the Transportation Security Administration (TSA), 
U.S. Customs and Border Protection (CBP), the Federal Bureau of 
Investigation (FBI), other Federal, State, and local law enforcement 
agencies, and airlines to develop and maintain a comprehensive, multi-
layered, risk-based aviation security system. In our testimony, we have 
included several recommendations to enhance airport access control.
                           layers of security
    Airport access control systems rely on multiple risk-based layers 
of security implemented in partnership with airports, airlines, and the 
TSA. Although there is no perfect security system, the multiple 
layers--which are routinely enhanced--provide for the security of 
passengers, employees, and facilities. A clear strength of this type of 
system is the unpredictable nature of the individual layers of security 
and the fact that many airports go above and beyond the baseline 
security requirements, implementing additional processes, procedures, 
and technologies that take account of and are adapted to their unique 
geographic locations and facility designs.
    This system--in combination with TSA's employee-focused security 
initiatives--is more effective than a rigid, fixed-point 100 percent 
employee screening regime that would be extraordinarily costly, 
minimally reduce risk and significantly disrupt airport operations. In 
accordance with the current system, employees are subject to search, 
inspection, or screening at any point, not just when they enter through 
an access control point. Therefore, the current system more effectively 
mitigates risk through employees' expectation of being screened at any 
point and by accounting for employees found to be in possession of 
items--necessary in the performance of their assigned duties--that 
would otherwise be considered prohibited.
                     employee background screening
    An essential layer of security is the multi-faceted employee 
background screening process which is initiated prior to an employee 
being granted access to the secured area of an airport. In advance of 
issuing a Security Identification Display Area (SIDA) badge, which 
provides unescorted access to secure areas, airport operators conduct 
extensive vetting of employee backgrounds. There are two critical 
facets of the employee background screening regime that all employees 
who work in secured areas must successfully pass: A fingerprint-based 
Criminal History Records Check (CHRC), and a Security Threat Assessment 
(STA). Upon receiving an application from an employee seeking 
unescorted access to a secured area, airport operators validate the 
identity of the individual, collect and transmit their fingerprints and 
the associated biographic information to the TSA. The biometric 
fingerprint data is routed by TSA to the FBI for a CHRC. Through the 
STA process, TSA conducts a threat assessment against terrorism and 
other Government databases.
    If the STA reveals derogatory information about the individual, TSA 
informs the airport operator that they must not issue a SIDA badge 
granting unescorted access. If at any point thereafter recurrent STA 
vetting reveals derogatory information about an employee with 
unescorted access, TSA will notify the airport operator to immediately 
revoke their SIDA badge. Similarly, in accordance with existing 
regulations, when an airport operator discovers, during a review of 
CHRC results, that an applicant has been convicted of a disqualifying 
criminal offense within the previous 10 years from the date of 
application (``look-back period''), they refuse to issue the individual 
a SIDA badge. A distinct security feature is the ability for airport 
operators to review each and every applicant's criminal record to make 
a determination about their suitability for being granted unescorted 
access privileges.
    Furthermore, CBP regulations stipulate that only those employees 
with a CBP seal on their airport-issued SIDA badge may have unescorted 
access to the ``Customs security area,'' commonly known as the Federal 
Inspection Services (FIS) area, as well as to locations where 
international flights deplane. In order to obtain a CBP seal, 
applicants must submit to a background check, which typically involves 
either a review of the CHRC results obtained by the airport operator in 
accordance with TSA regulations or through a completely separate 
submittal of the applicant's fingerprints and associated information 
for a Criminal History Investigation, as required by the CBP port 
director. Notably, CBP regulations contain a more extensive list of 
disqualifying offenses, and a requirement for denial of a CBP seal if 
there is ``evidence of a pending or past investigation establishing 
probable cause to believe that the applicant has engaged in any conduct 
which relates to, or which could lead to a conviction for, a 
disqualifying offense.'' Given the disparity between the two lists of 
disqualifying offenses (TSA and CBP), there are cases in which 
employees have been--in accordance with regulations--granted unescorted 
access to the SIDA but denied a CBP seal.
    Although some airports go above and beyond the baseline measures in 
current TSA regulations and have implemented longer ``look-back 
periods'' and an expanded list of disqualifying criminal offenses, 
others are unable to do so due to restrictive State laws. While some 
airport operators re-submit a portion of the population of SIDA-badged 
employees for a CHRC, it only provides a snapshot of their criminal 
record as of the date of submission.
                           employee training
    Provided an applicant for unescorted access privileges has a clean 
background, but prior to being issued a SIDA badge, they must 
successfully complete an initial training program. This mandatory 
training, specifically tailored to the airport, includes information 
about the layers of security at the airport, the specific 
responsibilities of individuals who have been granted unescorted access 
privileges, and their obligation to support and uphold airport security 
requirements. In order to maintain their unescorted access privileges, 
employees must also participate in recurrent training.
                         access control systems
    Access control systems involve multiple layers of integrated 
processes, procedures, and technologies to detect and mitigate 
breaches. Although perimeter fencing and controlled access gates are 
the most outwardly visible features, numerous other systems, both 
conspicuous and inconspicuous, are in place at airports to bolster 
access control security. Vehicles and equipment seeking access to these 
areas are inspected by local law enforcement or specially-trained 
public safety personnel. In addition to routine patrols in secured and 
other airport areas, airport operators conduct random checks of 
employees at various access points.
    Access control systems have been in place for many years at 
airports and vary in their level of sophistication from passive to 
fully automated systems utilizing active technology. Many access 
control systems are enhanced through the use of closed-circuit 
television which allows critical areas or access points to be remotely 
monitored. In the event of a potential breach, active systems 
immediately identify the location, allowing operations center 
representatives to assess the situation and dispatch law enforcement or 
other resources to protect employees, aircraft, and facilities.
    The National Safe Skies Alliance, in partnership with airports, and 
funded through the Airport Improvement Program (AIP), conducts testing 
and operational evaluations of security technologies designed to 
further enhance access control. Many airports have deployed the systems 
tested and evaluated by the National Safe Skies Alliance. The reports, 
which are available to all airports, provide specific details about the 
application and functionality of technologies tested under the program 
and contain incredibly valuable information for airports as they make 
decisions on which technologies may work best at their facility.
    ACI-NA member airports are committed to ensuring effective security 
and continue to implement measures that further augment access control. 
Airport operators, in coordination with the FBI, Federal, State, and 
local law enforcement representatives, and TSA routinely conduct risk 
and vulnerability assessments to identify potential weaknesses and 
guide the application of resources to further enhance access control 
procedures and technology.
                   random and unpredictable screening
    Another important layer of security, The Aviation Direct Access 
Screening Program (ADASP), a TSA initiative that utilizes roving teams 
of TSA Transportation Security Officers (TSOs), Behavior Detection 
Officers (BDOs) and Transportation Security Inspectors (TSIs) to 
conduct random and unpredictable physical screening of employees 
working in or accessing secured areas, has proven to be very effective 
in mitigating risk. Some airports work in close partnership with TSA in 
support of ADASP operations to close certain access points and funnel 
employees through the screening locations. Others have taken the 
initiative to revoke the SIDA badge of any employee who refuses to be 
screened during ADASP operations. The ADASP program also effectively 
mitigates the risk of prohibited items introduced at the perimeter, 
which would go undetected under a fixed-point employee screening 
system. In addition to introducing a high level of deterrence, this 
type of random and unpredictable screening program represents another 
formidable layer of security.
                   recommended security enhancements
Security Awareness Training and Incentive Programs
    So that airports operators are able to more effectively educate 
employees and tenants, and in order to leverage the benefits of 
enhanced airport employee awareness, TSA and the FBI should provide 
airport operators with the key indicators of suspicious activity, 
elements of which could be drawn from BDO training. With this 
information, airport operators could incorporate more precisely-focused 
security awareness training into existing SIDA initial, recurrent, and 
other training programs. This would ensure that all employees and 
tenants are more effectively trained in security awareness. In addition 
to providing information on identifying suspicious activity, a key 
element of the training would focus on reporting. Building on the 
success of ``community policing'' initiatives such as The Rewards for 
Justice Program and Crime Stoppers USA, a Nationally-managed incentive 
program should be established to further encourage the reporting of any 
potential suspicious or criminal activity at airports.
Enhanced Background Checks
    In order to further strengthen the layer of security involving 
background checks, consideration should be given to expanding the list 
of disqualifying criminal offenses beyond those contained in current 
TSA regulations. The Aviation Security Advisory Committee (ASAC) should 
be tasked to reevaluate the current list and develop an expanded list 
of pertinent disqualifying criminal offenses. Furthermore, the ASAC 
should evaluate whether permanently disqualifying criminal offenses 
would enhance the integrity of the aviation security system.
    We recommend that steps be taken to immediately implement the FBI's 
Rap Back program so that real-time recurrent CHRCs are conducted on 
SIDA badge holders. In accordance with existing regulations, ``Each 
individual with unescorted access authority who has a disqualifying 
criminal offense must report the offense to the airport operator and 
surrender the SIDA access medium to the issuer within 24 hours of the 
conviction or the finding of not guilty by reason of insanity.'' 
Essentially, employees who, as a result of having been subjected to a 
stringent background check process, have been granted unescorted access 
privileges are on the ``honor system'' to report subsequent convictions 
for disqualifying criminal offenses. Unlike the STA process, through 
which TSA conducts perpetual vetting of employees who have been granted 
unescorted access privileges, the CHRC is currently a one-time snapshot 
of the applicants' criminal history. According to the FBI, Rap Back 
provides ``the ability to receive on-going status notifications of any 
criminal history reported on individuals holding positions of trust.'' 
When implemented, this program will provide airports (and airlines) 
much better and needed visibility into employees' criminal records, 
allow them to make informed determinations as to the suitability of 
existing employees and greatly assist in making determinations about 
whether employees should be allowed to retain their unescorted SIDA 
access privileges.
    Given the transitory nature of aviation workers, a National 
database--maintained by TSA but available to all airport operators--of 
employees who have had their SIDA badges revoked would provide yet 
another security enhancement. Such a database would eliminate the 
potential for an employee whose unescorted access privileges were 
revoked at one airport from transferring to another airport and being 
granted unescorted access privileges.
Expanded Employee Screening Operations
    As a means to enhance an important layer of security, TSA should 
expand the Aviation Direct Access Screening Program (ADASP) so that 
every employee entering or working in a secured area of an airport has 
the expectation that they will be subject to screening. Airport 
operators can support expanded ADASP operations by selectively closing 
access portals in order to route employees through the screening 
locations.
                               conclusion
    ACI-NA and its member airports are committed to working with 
Congress, TSA, FBI, CBP, and other law enforcement agencies and 
aviation stakeholders to enhance airport security through the 
application of risk-based measures. The current multi-layered, risk-
based aviation security system continues to be effective, particularly 
as airport operators--in partnership with TSA--routinely review 
security procedures to ensure they are applicable and mitigate new and 
emerging threats.
    We encourage the subcommittee to make it a priority to move forward 
with the implementation of the recommended initiatives to enhance 
airport security. Through continued collaboration to enhance security 
programs and related security initiatives, we can better achieve our 
mutual goals of enhancing security and efficiency while minimizing 
unnecessary operational impacts.
    Thank you for the opportunity to submit this written testimony.
                                 ______
                                 
       Letter From the American Association of Airport Executives
                                  February 2, 2015.
The Honorable John Katko,
Chairman, Subcommittee on Transportation Security, Committee on 
        Homeland Security, U.S. House of Representatives, Washington, 
        DC 20515.
The Honorable Kathleen Rice,
Ranking Member, Subcommittee on Transportation Security, Committee on 
        Homeland Security, U.S. House of Representatives, Washington, 
        DC 20515.

    Dear Chairman Katko and Ranking Member Rice: On behalf of the 
American Association of Airport Executives (AAAE) and the thousands of 
men and women across the country who manage and operate our Nation's 
airports, we appreciate your interest in undertaking ``A Review of 
Access Control Measures at Our Nation's Airports'' as part of this 
week's hearing. A key component of an intelligence driven risk-based 
approach to aviation security is the constant evaluation of existing 
security measures to ensure any potential vulnerabilities are addressed 
and mitigated with appropriate and up-to-date policies, procedures and 
best practices at the federal and local levels.
    As employees of local, public entities, airport executives work in 
constant collaboration with the Transportation Security Administration 
to enhance the layers of security that exist to identify and address 
potential threats in the airport environment, including extensive 
background checks for aviation workers, random physical screening of 
workers at airports, surveillance, law enforcement patrols, robust 
security training, and the institution of challenge procedures among 
airport workers.
    In particular, airport access control is an important security 
function that local airport operators have held for decades in 
compliance with robust federal requirements. The existing local/federal 
partnership approach ensures a critical level of local involvement with 
the management of credentialing and access control in accordance with 
strict federal standards, requirements, and oversight as part of a 
multi-layered security apparatus. It includes extensive efforts to 
identify ``bad'' people before they are ever given access to security 
sensitive areas of airports, which is absolutely essential to providing 
the highest levels of security.
    In our view, the best approach to enhancing access control at the 
nation's airports lies with continuing to focus on robust background 
checks, maintaining our multi-layered security approach, and preserving 
and protecting the critical local layer of security that airports 
provide with credentialing, access control, and other local functions. 
Inherently local security functions should remain local with federal 
oversight and backed by federal resources when appropriate.
    While some have argued for comprehensive physical screening of all 
persons entering an airport, including employees, it is critical from a 
security and resource perspective that risk mitigation efforts remain 
intelligence driven, balanced and effective. Detailed studies by both 
government and industry have shown that physical screening of all 
employees at airports around the country would cost upwards of $15 
billion annually with very little security benefit. In a world of 
limited resources, we are concerned that placing so much emphasis on 
one approach--in this case physical screening--could divert significant 
funding from other critical security functions that are currently 
producing significant benefits. We would welcome the opportunity to 
have a more thorough conversation with you on this topic to outline our 
significant reservations in more detail.
    AAAE staff and several of our airport members, including the Chair 
of our Transportation Security Services Committee Jeanne Olivier, 
A.A.E., Director of Aviation Security at the Port Authority of New York 
and New Jersey; are serving on the ad hoc working group formed by the 
Aviation Security Advisory Committee (ASAC) at the request of TSA to 
evaluate the aviation industry's current approach to airport employee 
screening. The Working Group has been tasked with developing a report 
to TSA on current and innovative methods for the vetting and physical 
screening of individuals entering the secure area of an airport. It is 
expected that the report will outline potential security gaps or 
vulnerabilities and include recommendations for proposed appropriate 
mitigation measures and notional methods for implementation, address 
the advantages and disadvantages of such measures, and the potential 
cost of each measure.
    Access control at airports is unique among other transportation 
facilities and has operated successfully for decades. That is not to 
say that improvements to the current system cannot be made. Airport 
operators take their direct responsibility for credentialing and access 
control very seriously and are committed to continuing to provide the 
robust layer of security and operational expertise that exists at the 
local level. We look forward to working through the ASAC ad hoc working 
group and with the TSA and the Subcommittee on identifying and 
implementing any risk-based options related to improving airport access 
control, including policy and procedures, industry best practices, 
technology, and employee training.
    Thank you for your time and attention to this important element of 
security at our nation's airports. We look forward to working with the 
Subcommittee as you continue to undertake efforts to enhance 
transportation security across the country.
            Sincerely,
                                             Joel D. Bacon,
           Executive Vice President, Government and Public Affairs,
                        American Association of Airport Executives.

    Mr. Katko. The Chairman now recognizes a second panel.
    I thank both Ms. Pinkerton and Mr. Southwell for being here 
today. We are pleased to have this panel of distinguished 
witnesses, of course.
    Let me remind the witness that their entire written 
statements will appear in the record.
    Our first witness, Mr. Miguel Southwell, is general manager 
at Hartswell-Jackson--excuse me--Hartsfield-Jackson 
International Airport in Atlanta. Mr. Southwell has been the 
aviation general manager at Atlanta since May 2014 and has 
served as senior airport leadership at both Atlanta and Miami 
International Airports throughout his career.
    The Chairman now recognizes Mr. Southwell to testify.

  STATEMENT OF MIGUEL SOUTHWELL, GENERAL MANAGER, HARTSFIELD-
             JACKSON ATLANTA INTERNATIONAL AIRPORT

    Mr. Southwell. Chairman Katko, Ranking Member Thompson, 
Ranking Member Rice, Members of the subcommittee, and visiting 
Congressman Johnson, I thank you for holding this hearing, and 
I thank you for including Hartsfield-Jackson Atlanta 
International Airport, the world's busiest passenger airport.
    I want to begin my remarks with the following statement: 
The safety and security of airport users is our top priority. I 
am reassured by the remarks offered by the witnesses on the 
first panel. I agree that ensuring the safety and security of 
our passengers and employees is a crucial and collective goal 
for all of us.
    Further, I am pleased to know that a number of the 
committee Members have backgrounds as prosecutors, evidencing a 
lifetime commitment to the safety of our Nation.
    At Hartsfield-Jackson, we have had some recent incidents in 
the area of security which should give us all concern. There is 
no mistaking that fact. As the general manager for the 
Department of Aviation, it is my job to provide leadership to 
ensure that working with the Transportation Security 
Administration, airlines, and stakeholders, security gaps are 
closed, and the passengers and employees at the airport are 
safe. Each year we have more than 94 million passengers who 
pass through Atlanta. In addition, we have more than 63,000 
employees on campus. Ensuring their safety and security is a 
big job, but I know that our partners, particularly the TSA and 
the airlines, are equally committed to this task.
    As you know, every airport is different. Each is unique in 
its configuration, and each is unique in terms of its risk 
profile. As such, there is no one-size-fits-all approach to 
airport security. As with every airport in the country, we work 
tirelessly with our security partners and operate on the TSA-
approved security plan. This multi-layered system of security 
measures is based upon the determined risk at a particular 
airport. However, we recognize that air transportation is a 
system, and any system is only as strong as its weakest link.
    Approximately 64 million of the 94 million passengers who 
pass through Atlanta annually are connecting from another 
airport. Therefore, we believe that some minimum standard of 
employee screening or inspection should be adopted across the 
entire system and should incorporate the input of all of our 
U.S. airports as well as our airline partners.
    As noted earlier, at our airport, we need to do more. 
Hence, in the last 6 weeks, the Aviation Department has held 
many meetings almost daily with TSA, Customs and Border 
Protection, the FAA, airlines, and other key stakeholders to 
develop an improved 
short-, medium-, and long-term safety and security plan for 
Hartsfield-Jackson Atlanta International Airport.
    In our early assessments, we have identified security 
enhancements that can be made now while we continue to develop 
other security options that will take some time. I have 
instructed our team that we will not wait to take action. We 
have and will implement immediately what can be done now while 
we continue to improve our plan.
    At Hartsfield-Jackson, one action that we can implement 
immediately is the reprogramming of Security Identification 
Display Area badges, known as SIDA badges. These are the badges 
which currently allow employees access to the sterile areas of 
the airport. This reprogramming will be based on employee job 
function and work location, and will effectively reduce the 
number of access portals through which an employee can enter 
the airport's secure areas.
    We recognize that 100 percent screening of airport 
employees has operational and cost challenges, and is neither 
practical nor sustainable, but the unmistakable fact, as recent 
events suggest, is that we need to be consistently vigilant in 
our efforts, and the kind of enhancements that we are 
considering will require a significant investment.
    Therefore, in the medium to long term, Atlanta will work 
closely with TSA, the airlines, and other key stakeholders to 
screen airport employees who access the SIDA. The few 
exceptions will include law enforcement, emergency personnel, 
other first responders, and those employees approved under the 
Federal regulation such as the TSA's Known Crew Member Program. 
Even with those exceptions, we have begun processes whereby all 
employees at Hartsfield-Jackson will have an expectation that 
they will be screened or inspected.
    Additionally, we are focusing on improvements to employee 
background checks and screening. We will focus on smarter 
access control as noted. We are likewise focusing on the 
security and safety of goods brought onto the airport property. 
While we attempt with our partners in the security and 
intelligence fields to prevent individuals with ill will from 
working at the airport, we are also focusing on eliminating 
illicit materials from ever entering the airport campus.
    In closing, the conversation is bigger than Hartsfield-
Jackson. Passengers will not fly if they cannot take their 
safety for granted. Therefore, a safe and secure air 
transportation system also means an economically healthy system 
and directly impacts the entire U.S. economy. In order to 
achieve these security enhancements, we will need the 
cooperation of our partners at the airport and, in particular, 
the financial support and resources of the TSA. Our commitment 
to ensuring the safety and security of everyone at Hartsfield-
Jackson is unwavering. We are up to the task, and I am 
confident that our partners are as well.
    Thank you very much, and I look forward to your questions.
    [The prepared statement of Mr. Southwell follows:]
                 Prepared Statement of Miguel Southwell
                            February 3, 2015
    Chairman McCaul, Ranking Member Thompson, Chairman Katko, Ranking 
Member Rice, and Members of the subcommittee, I thank you for holding 
this hearing, and I thank you for including Hartsfield-Jackson Atlanta 
International Airport, the world's busiest passenger airport.
    I want to begin my remarks with the following statement: The safety 
and security of airport users is our top priority. I am reassured by 
the remarks offered by the witnesses on the first panel, and I agree 
that ensuring the safety and security of our passengers and employees 
is a crucial and collective goal for all of us. Further, I am pleased 
to know that a number of committee Members have backgrounds as 
prosecutors, evidencing a lifetime commitment to the safety of our 
Nation.
    At Hartsfield-Jackson, we have had some recent incidents in the 
area of security, which should give us all concern. There is no 
mistaking that fact. As the general manager for the Department of 
Aviation, it is my job to provide leadership to ensure that--working 
with the Transportation Security Administration (TSA), airlines, and 
other stakeholders--security gaps are closed, and the passengers and 
employees at the airport are safe. Each year, we have more than 94 
million passengers who pass through Atlanta; in addition, we have more 
than 63,000 employees on campus. Ensuring their safety and security is 
a big job, but I know that our partners, particularly TSA and the 
airlines, are equally committed to this task.
    As you know, every airport is different. Each is unique in its 
configuration, and each is unique in terms of its risk profile. As 
such, there is no one-size-fits-all approach to airport security. As 
with every airport in the country, we work tirelessly with our security 
partners and operate under a TSA-approved security plan. This multi-
layered system of security measures is based upon the determined risk 
at a particular airport. However, we recognize that air transportation 
is a system, and any system is only as strong as its weakest link. 
Approximately 64 million of the more than 94 million passengers who 
pass through Atlanta annually are connecting from another airport. 
Therefore, we believe that some minimum standard of employee screening 
or inspection should be adopted across the entire system and should 
incorporate the input of all U.S. airports.
    As noted earlier, at our airport, we need to do more. Hence, in the 
last 6 weeks, the Aviation Department has held meetings almost daily, 
with TSA, Customs and Border Protection, the FAA, airlines and other 
key stakeholders, to develop an improved short-, medium-, and long-term 
safety and security plan for Hartsfield-Jackson Atlanta International 
Airport.
    In our early assessment, we have identified security enhancements 
that can be made now, while we continue to develop other security 
options that will take some time. I have instructed our team that we 
will not wait to take action. We will implement immediately what can be 
done now while we continue to improve our plan. At Hartsfield-Jackson, 
one action that we can implement immediately is the reprogramming of 
Security Identification Display Area badges, known as SIDA badges. 
These are the badges which currently allow employees access to the 
sterile areas of the airport. This reprogramming will be based on 
employee job function and work location, and will effectively reduce 
the number of access portals through which an employee can enter the 
airport's secured areas.
    We recognize that 100% screening of airport employees has 
operational and cost challenges, and is neither practical nor 
sustainable. But the unmistakable fact, as recent events suggest, is 
that we need to be consistently vigilant in our efforts, and the kind 
of enhancements that we are considering will require a significant 
investment.
    Therefore, in the medium- to long-term, Atlanta will work closely 
with TSA, the airlines and other key stakeholders, to screen airport 
employees who access the SIDA. The few exceptions will include law 
enforcement, emergency personnel, other first responders and those 
employees approved under Federal regulations such as the TSA's Known 
Crew Member program. Even with those exceptions, we have begun 
processes whereby all employees at Hartsfield-Jackson have an 
expectation that they will be screened or inspected.
    Additionally, we are focusing on improvements to employee 
background checks and screening. We will focus on smarter access 
control as noted. We are likewise focusing on the security and safety 
of goods brought onto airport property. While we attempt, with our 
partners in the security and intelligence fields, to prevent 
individuals with ill will from working at the airport, we are also 
focusing on eliminating illicit materials from ever entering the 
airport campus.
    In closing, this conversation is bigger than Hartsfield-Jackson. A 
safe and secure air transportation system also means an economically 
healthy system and directly impacts the entire U.S. economy. In order 
to achieve these security enhancements, we will need the cooperation of 
our partners at the airport, and in particular, the financial support 
and resources of the TSA. Our commitment to ensuring the safety and 
security of everyone at Hartsfield-Jackson is unwavering. We are up to 
the task, and I am confident our partners are as well.
    Thank you.

    Mr. Katko. Thank you, Mr. Southwell. I appreciate it, and I 
appreciate you meeting with our office yesterday as well in 
advance of this hearing today.
    Our second witness, Ms. Sharon Pinkerton, currently serves 
as a senior vice president for legislative and regulatory 
policy at Airlines for America.
    Airlines for America is a trade organization of the 
principal U.S. airlines representing the collective interest of 
airlines and their affiliates who transport more than 90 
percent of U.S. airline passenger and cargo traffic.
    The Chairman now recognizes Ms. Pinkerton to testify. Thank 
you.

   STATEMENT OF SHARON L. PINKERTON, SENIOR VICE PRESIDENT, 
    LEGISLATIVE AND REGULATORY POLICY, AIRLINES FOR AMERICA

    Ms. Pinkerton. Chairman Katko, Ranking Member Rice, and 
Members of the subcommittee, thank you for holding this 
hearing. The subcommittee's focus on this issue is both timely 
and beneficial. There is nothing more important to the airline 
industry than the safety and security of our passengers, 
employees, planes, and cargo. Our job, when it comes to safety 
and security, is never done. We work every day to ensure that 
we are as secure as we can be.
    The airline industry regards recent breaches of the civil 
aviation security system as unacceptable. Such breaches need to 
be carefully examined, root causes identified, and appropriate 
corrective actions formulated and then implemented. Our members 
have started to do that, and I am going to highlight several 
possible initiatives concerning employee background checks and 
airport access practices that we believe should be considered.
    The safety and security of commercial aviation is a shared 
responsibility, and as such, consideration should be 
collaborative, involving not only Government in its regulatory 
role but also considering the perspective of airline, airport, 
vendors, and employee representatives.
    Despite the recent well-publicized issues, the U.S. 
aviation system--security system is strong and getting 
stronger. It is a sophisticated system that anticipates 
emerging threats. Its success can be attributed in large 
measure to the methodical application of a risk-based approach 
to security. It is based on the realization that one size does 
not fit all.
    Risk-based security ranks risk factors along a quantitative 
scale. Once risk levels are determined, security resources are 
then apply in proportion to the assessed risk. It is simple and 
intuitive. Issues or people that exhibit higher risk and have 
higher risk factors receive greater scrutiny. This approach is 
working.
    The TSA screens almost 2 million passengers daily using 
risk-based procedures that have greatly facilitated its multi-
layered security system.
    One such layer is the employee background checks of 
employees who have unescorted access to secured areas of U.S. 
airports. Access is only approved if the employee does not have 
a disqualifying criminal history. There is a basic record check 
requirement and separate background check requirements that the 
U.S. Customs and the Postal Service also impose. My written 
testimony provides more detail on those checks.
    In addition to the criminal history record check programs 
TSA regulations require that airlines conduct daily watch list 
vetting for all their employees. This is an internal and 
automated process that matches names against the Federal watch 
list.
    Additionally, TSA conducts random searches of employees who 
have access to secured areas of the airport. Moreover, it 
conducts a security threat assessment of those whose have 
airport-approved or airport-issued IDs. The assessment includes 
checks against criminal history records, watch lists, and 
immigration databases. As a partner in safety and security, we 
believe that the Aviation Security Advisory Committee, the 
ASAC, is the right venue to conduct an evaluation of where we 
are today and potential next steps. ASAC's mission has been to 
examine areas of civil aviation security with the aim of 
developing recommendations for improvement.
    I provided more suggestions in my written testimony, but 
will call to your attention a few issues we believe the ASAC 
should look at carefully. On employee screening, we suggest 
expanding random screening of employees to include, for 
example, different airport access control entrances and company 
employee parking lots. In the area of background checks, ASAC 
should consider expanding the category of disqualifying crimes 
and modifying eligibility requirements for employment.
    Second, we think they should consider Federal 
standardization of disqualifying crimes.
    Third, having Federal Government-specified permanent 
disqualifying crimes.
    Fourth, lengthening the look-back period for criminal 
history record checks. To that last point, the FBI's initial 
criminal arrest history record check, as you heard on the first 
panel, is based on a fingerprint, but it is only conducted at 
the time of employment. It has a 10-year look-back. 
Furthermore, there is no on-going vetting after the initial 
review and no current system to inform employers should an 
employee be charged with a crime after the criminal history 
record check. We believe this warrants improvement.
    In closing, we have the safest and most secure commercial 
aviation system in the world, and we are making--we are working 
to make it better every day. We have gotten to this point by 
focusing our time and resources on our greatest risks. We also 
do not believe that increased security and smoothly moving 
passengers and employees through screening are mutually 
exclusive. Two of the greater wins for passengers and customers 
are the Known Crewmember and PreCheck programs. These programs 
recognize those who present a lower risk, free up space in 
lines, improve passenger and employee throughput, all while 
enhancing security. That is a win for everyone and an idea we 
should build on.
    Thank you, and I look forward to your questions.
    [The prepared statement of Ms. Pinkerton follows:]
               Prepared Statement of Sharon L. Pinkerton
                            February 3, 2015
    Airlines for America appreciates the opportunity to express its 
views about the security measures for employees who are authorized 
access to secured areas of U.S. airports.
    As we discuss more fully below, our members have examined this 
matter in detail and have identified airport security and employee 
background check improvements that they believe should be considered. 
Those include tighter controls over employee access to airport Secured 
Identification Areas; better communication among law enforcement 
agencies about investigations of employees who have access to the 
airport; expansion and harmonization among Federal agencies of the 
crimes that disqualify a person from unescorted access at airports; 
enhanced risk-based screening of employees; and strengthened employee 
criminal history record checks.
    We believe that the Transportation Security Administration's 
Aviation Security Advisory Committee is the appropriate venue in which 
to examine these matters--and any others that may be raised. The ASAC 
has representatives from a broad spectrum of aviation stakeholders and 
is the traditional site in which to develop collaboratively proposals 
to submit for improvements in civil aviation security.
                                overview
    The subcommittee's focus on this issue is both timely and 
beneficial.
    The airline industry regards any breach of civil aviation security 
as unacceptable. Such breaches need to be carefully examined, root 
causes identified, and appropriate corrective actions formulated and 
implemented.
    Our members have taken a fresh look at airport security. Below we 
highlight several possible initiatives concerning employee background 
checks and airport access practices that we believe should be 
considered. As noted above, that consideration should be undertaken 
collaboratively--involving not only the Government in its regulatory 
role but also taking into account the perspectives of airline, airport, 
vendor, and employee representatives.
    It is important to provide context to this hearing. The recent 
security breaches are absolutely unacceptable. That does not change the 
underlying fact that the aviation security system in our Nation is more 
robust than ever. It is a sophisticated, threat-based system that 
continues to advance in anticipation of existing and emerging threats. 
Its success can be attributed in large measure to the methodical 
application of a risk-based approach to security.
    The risk-based security system under which airlines and airports 
operate has markedly improved security. It is based on the fundamental 
recognition that sound security policy need not apply the same measures 
to every individual or item. In other words, one size does not fit all. 
That recognition is founded on the understanding that not every 
individual or item poses the same threat to aviation security.
    Risk-based security ranks an array of risk factors along a 
quantitative scale. Once risk levels are determined, security resources 
are applied in proportion to the assessed risk. In operation, this 
means that the aviation security system deploys its resources based on 
individualized assessments of risk of persons (and items) that are 
subject to the system. Those persons determined to exhibit higher-risk 
factors receive greater scrutiny. This approach enables us to put 
resources where they are most needed.
    Risk-based security in aviation has been a reality for some time. 
We thus have considerable, everyday experience with it. For example, 
the Transportation Security Administration screens about 1.8 million 
passengers daily using risk-based procedures. We understand risk-based 
security and we know its effectiveness. We consequently strongly 
support it. Whatever new measures may emerge concerning airport 
security, we firmly believe that the commitment of the Government and 
industry to risk-based security must remain undiminished.
    Moreover, risk-based security has greatly facilitated TSA's multi-
layered security system. As TSA has stated, each layer serves as a 
protection measure. In combination, these layers create a much 
stronger, better-protected transportation system. That, as experience 
demonstrates, is the optimum way to confront ever-evolving threats to 
aviation.
      federal background check requirements for airline employees
    Background checks of employees who have unescorted access to 
secured areas of U.S. airports have been required since 1985. Approval 
for access to those areas is authorized only if the results of the 
check indicate that the employee does not have a disqualifying criminal 
history. There is a basic record-check requirement and separate 
background check requirements that U.S. Customs and Border Protection 
and the U.S. Postal Service impose. These distinct requirements are 
summarized below.
Criminal History Records Check
    To ensure that certain designated areas of the airport have 
controlled access, Secured Identification Areas (SIDA) were 
established. These are areas on an airport in which only employees who 
are approved and who have received an airport-issued badge are 
permitted unescorted access.
    A Criminal History Records Check (CHRC) is conducted to determine 
if an employee should be issued a SIDA badge. The employee seeking such 
SIDA access must be fingerprinted. Fingerprints are sent to the Federal 
Bureau of Investigation, which processes them.
    The CHRC regulation includes a list of disqualifying crimes that 
originated in Federal legislation. If an employee has a conviction for 
any of the disqualifying crimes within the last 10 years, he or she 
will not be approved. If no disqualifying crimes are found in the FBI 
check, the airport operator notifies the authorizing employer or 
airline (or other sponsor) that the employee is eligible for a SIDA 
badge. The employee then goes to a SIDA class to learn the requirements 
and limitations of access to the SIDA and, upon successfully completing 
the class, receives an airport-issued ID badge.
U.S. Customs and Border Protection Checks
    Employees working at airports where there is international service 
who need unescorted access to a U.S. Customs and Border Protection-
designated security area must receive a CBP-issued seal for her or his 
identification media. To receive the seal, the employee must meet the 
qualifications for approval under the CHRC program and not have been 
convicted of any of 10 additional disqualifying crimes. In addition, 
CBP may deny an individual a seal if it deems her or him a risk to the 
public health, interest, or safety; National security; or aviation 
safety. Issuance of a seal also requires a certification by the 
employer that a ``meaningful'' background investigation has been 
conducted and that it has a need for this employee to access the CBP 
security area.
U.S. Postal Service Checks
    Employees who have access to U.S. mail must be approved by a third 
and separate process. This process is not set forth by law or Federal 
regulation but, rather, through the contractual obligation that the 
USPS includes in the agreements it has with air carriers to transport 
mail. The employee must be fingerprinted and the fingerprints are sent 
to the USPS for review and approval or denial. Virtually any felony 
conviction within the past 10 years will result in a denial of access 
to U.S. mail. In addition, the Postal Service's requirements also 
include a negative drug test, a separate criminal history check, and 
legal documentation that the individual has the right to work in the 
United States.
Airline Vetting
    In addition to these criminal history record check programs, TSA 
regulations require airlines to conduct daily watch list (terrorist 
database) vetting for all their employees. This is an internal 
automated process that matches names against the Federal watch list 
that is provided daily.
Additional TSA Actions
    Beyond the above-mentioned records checks and vetting, TSA conducts 
random searches of employees who have access to secured areas of the 
airport. Moreover, it conducts a Security Threat Assessment of persons 
who have airport-approved or airport-issued personnel identification 
media. The assessment includes checks against criminal history records, 
terrorist watch lists, and immigration status.
                additional security measures to consider
    We believe that the Aviation Security Advisory Committee should 
evaluate any new airport security measures. ASAC's mission is to 
examine areas of civil aviation security with the aim of developing 
recommendations for the improvement of civil aviation security methods, 
equipment, and procedures. The consideration of the additional measures 
that we suggest would fit without difficulty within the ASAC charter. 
Moreover, the members of are well-equipped to perform this examination 
and represent a cross-section of the airport community. After the ASAC 
completes its examination, it would forward any recommendations that it 
developed to the TSA for its action.
    These are the areas that we have concluded that the ASAC should 
examine:
Airports
    1. Consider tighter controls over SIDA access control areas based 
        on duty/higher-risk times.
    2. Consider requiring that local law enforcement agencies notify 
        Federal law enforcement agencies, i.e. the FBI and DHS, of any 
        on-going criminal investigation of an airport employee.
Security Threat Assessments
    1. Consider expanding the category of disqualifying crimes and 
        modifying eligibility requirements for employment.
    2. Consider expanding current databases that TSA searches.
    3. Consider Federal standardization of disqualifying crimes.
    4. Consider having the Federal Government specify ``permanent 
        disqualifying crimes.'' Such crimes, regardless of when they 
        were committed, would prohibit a person from obtaining an 
        airport SIDA badge or aviation employment in a position where 
        he or she would have access to a sensitive security work area.
Employee Screening
    1. Consider expanding random screening of employees to include, for 
        example, airport access control entrances and company employee 
        parking lots.
    2. Consider developing a program to identify high- and low-risk 
        airport community employees.
      a. Those employees identified as low-risk would be subjected to a 
            risk-based screening approach.
      b. Higher-risk employees would undergo random screening more 
            frequently, based on risk and location.
Criminal History Records Checks
    The FBI's initial criminal history records check/fingerprint check 
is only conducted at the time of employment. It has a 10-year ``look-
back''. There is no on-going vetting after the initial review. The 
industry is unable under the existing system to perform updated or 
random checks without again collecting fingerprints from the employee 
and performing a new CHRC. In view of this situation, we suggest that:
    1. Consideration be given to enabling airports and airlines to 
        perform random/specific CHRC without recollecting fingerprints 
        in the event that suspicious activities are observed.
    2. Consideration be given to lengthening the ``look-back'' period 
        for criminal history checks--e.g., 18-20 years.
    Furthermore, there is no current system to inform employers should 
an employee be charged with a crime after the criminal history records 
check.
    1. For example, if an employee hired in Virginia is arrested in 
        Nevada, the employer would only know of the arrest if the 
        employee self-disclosed the arrest.
    2. Consideration should be given to having the FBI conduct 
        recurrent criminal history record checks and notification be 
        provided to the airport/airline and/or other law-enforcement 
        agency for follow up.
Airlines
    As mentioned above, TSA requires airlines to conduct daily watch 
list (terrorist database) vetting of all employees. That process can be 
made more efficient.
    1. Consideration should be given to the TSA creating a web portal 
        whereby employers can examine new-hire employees.
      a. Employers could populate the web site with complete employee 
            lists for perpetual vetting against the watch list.
      b. Watch list vetting of employees would then shifted from the 
            industry to TSA responsibility, which would be a more 
            sensible allocation of this responsibility.
    This is not an exhaustive list. Other possible initiatives can be 
added to it.
                                 ______
                                 
    We believe that the foregoing response would be the most 
advantageous way to examine potential changes to criminal history 
record check, vetting, and airport access measures. It would assure 
broad-based stakeholder input by using the long-standing ASAC. Any 
recommendations that were forthcoming should be mindful of the risk-
based framework of current aviation security. TSA, of course, would 
have the ultimate authority to dispose of the recommendations.

    Mr. Katko. Well, thank you, Mr. Southwell, and, Ms. 
Pinkerton, both for your opening statements. They are very 
helpful.
    Ms. Pinkerton, I want to tell you that the written 
submission you made was very helpful because it listed a bunch 
of practical solutions, some of which we will touch on during 
the course of my questioning here for the next 5 minutes.
    In fact, a technical matter, I will recognize myself for 5 
minutes of questioning.
    I want to start with Mr. Southwell for a moment, please, 
first of all to respond to one of your comments. When you said 
that the conversation is bigger than Atlanta, I think you are 
absolutely right. I don't want you to think that we are 
singling out Atlanta as the sole reason we are here. Atlanta 
simply is--happens to be in an unfortunate position of having 
the most recent case, but by all means, it is not an exclusive 
list. I think everyone here acknowledges that.
    With respect to the Harvey case, which has been discussed, 
quick question for you, when did you first learn of it, when 
the investigation was under way?
    Mr. Southwell. I believe it was December 15, Mr. Chairman.
    Mr. Katko. Okay. So they worked with you. When did--did you 
have any knowledge about when the local authorities were first 
aware of it?
    Mr. Southwell. Well, actually, correction. We heard--I 
became aware of it and the airport became aware of it in terms 
of its specific nature on December 19. On December 15, we did 
receive a call, our security office, which it often does, 
asking for particular movements of the employee. The exact 
nature or context of the inquiry on December 15 was not shared. 
The context was shared December 19, I believe, when the 
employee was arrested, 19 or 20.
    Mr. Katko. Do you have any idea when the investigation by 
the local authorities in New York commenced?
    Mr. Southwell. No. I do not, Mr. Chairman.
    Mr. Katko. Okay. Is it fair to say that you would like to 
have known if it was going on for a while that--what was going 
on in your airport?
    Mr. Southwell. We certainly would have. We understand that 
the investigators have a certain amount of discretion in terms 
of widening the number of people with knowledge, but it 
certainly would have been helpful.
    Mr. Katko. One of the proposals that has been propounded by 
others is that we have some sort of a Federal requirement under 
the law that local authorities that are involved in aviation-
related investigations, criminal investigations, must notify 
the FBI office immediately. Would you support such a measure?
    Mr. Southwell. Absolutely, Mr. Chairman.
    Mr. Katko. Okay. Thank you.
    Now, I want to switch gears for a second here to Ms. 
Pinkerton. As I said, your list was wonderful, and it was very 
helpful and very thought-provoking going forward, and I 
appreciate that. Just a couple of quick questions. I won't go 
through things that we already have, but one question--one 
thing I didn't notice on here, it was maybe implicit in here 
was reducing the number of entry points at airports for 
employees.
    Would you support that as part of the overall enhancement 
of security measures for employee access?
    Ms. Pinkerton. I am sure that that is something the ASAC is 
going to be looking at, and it does make a lot of sense.
    Mr. Katko. Okay. That was easy. All right. Thanks.
    Now, with respect to the employee screening, and, again 
this, this is just one of many things to consider and to put on 
the table, but the Miami model, for lack of better term, and 
the Orlando model, is that all employees are screened. Now, my 
idea of screening is not simply walking through a metal 
detector. Whatever screening measures that people take into 
account I think are--for the local airports is fine, but 
basically screening all employees when they come through the 
door, would you support that or would you think that is fraught 
with problems?
    Ms. Pinkerton. Well, yeah, I think that since 9/11, Mr. 
Chairman, we have learned a lot as we have created this multi-
layered system, and really what we have learned is that one 
size doesn't fit all. What we have learned is the importance of 
conducting risk assessments and threat assessments, and I think 
that is, you know, how Miami developed their system and how 
Orlando has developed their system, but I don't necessarily 
think that that one size fits all 450 airports. So I think we 
need to look carefully to continue to work with our partners, 
airports, airlines, TSA, and the FBI working together to craft 
solutions that make sense on an airport-by-airport basis with 
some general standard guidelines, of course.
    Mr. Katko. Okay. Thank you.
    Last question for you and then I have got a couple more for 
Mr. Southwell.
    Would you consider expanding the disqualifying crimes for 
individuals that are going to get access to SIDA badges?
    Ms. Pinkerton. Absolutely. That is on our list. It is 
something that we think that the ASAC should look carefully at, 
and as you know, CBP has a broader list of disqualifying 
crimes, and that is probably a good place to start, and then we 
should think about having CBP, the Post Office, and TSA perhaps 
all having the same list of disqualifying crimes.
    Mr. Katko. Thank you, Ms. Pinkerton.
    Mr. Southwell, just for a moment, have you participated in 
the ASAC review that is going on Nation-wide? Have they come to 
you and interviewed you yet or talked to you about what is 
going on in Atlanta?
    Mr. Southwell. They have not.
    Mr. Katko. Okay. Do you intend to make contact with that 
committee?
    Mr. Southwell. Yes, Mr. Chairman.
    Mr. Katko. Okay. I would ask that you do so and make sure 
you share your thoughts with them. I think you have a wealth of 
experience. Speaking of which, prior to coming to Atlanta, you 
were in Miami. Is that correct?
    Mr. Southwell. Yes, Mr. Chairman, for 12 years.
    Mr. Katko. Miami, as we now well know has taken it upon 
themselves to have a more rigorous review based on a serious 
security breach that happened even prior to 9/11. Is that 
correct?
    Mr. Southwell. Yes, Mr. Chairman.
    Mr. Katko. Now, what if any of those aspects of the Miami 
model would you contemplate using in the Atlanta airport going 
forward?
    Mr. Southwell. In advance of the, of course, advisory 
committee's work, Hartsfield, Atlanta, is moving towards that 
model in terms of what we are currently thinking and 
recommending.
    The model that we are creating with the random inspections 
and not having full screening or inspection by employees 
speaks, really, to an employee who just wants to have gainful 
employment but who may be involved in various types of 
smuggling activities, et cetera.
    With what we have seen in the last 6 months and the 
evolution of course of the insider threat where you have 
Americans being recruited, certainly greater thought has to be 
given to not just giving employees the expectation that they 
will be screened, which is what the current system does, but 
giving the employee a perception of certainty that they will 
screened, which is what the Miami and Orlando models do, and we 
are certainly contemplating doing that.
    Mr. Katko. Okay. Of course, no decision has been made, but 
that is something that is in the mix for you.
    Mr. Southwell. Absolutely.
    Mr. Katko. Okay. Again, you are the world's largest 
airport, and you understand the task that would be at hand if 
you undertook such a model.
    Mr. Southwell. It is as great task, but it also is a 
great--something that we have to contemplate because of the 
high profile of Atlanta as the world's busiest passenger 
airport and as a threat.
    Mr. Katko. Okay. Now so I can enforce my own rule of not 
going over too far, I am going to pass the microphone over to 
Miss Rice. Thank you.
    Miss Rice. Thank you, Mr. Chairman.
    Ms. Pinkerton, I am struck by--I mean, I think that there 
are some flaws that we have all spoken about and you have 
certainly pointed out in terms of what can be done in the 
initial process, in terms of doing all the checks, background 
checks, and I don't know if there is anyone who can answer the 
question as to why someone doesn't have to provide a Social 
Security number. That still boggles my mind why we don't ask 
for that information.
    But the other area of concern is, what happens in the 
interim between hiring and separation? If you could just 
expound on ways that you think the TSA, airports, the FBI can 
be more effective at monitoring behavior of once-hired 
employees while they are in the employ of--while they are 
working because we know we can't count on self-reporting if say 
someone were to be arrested or and be convicted of a crime.
    Ms. Pinkerton. Right. I was very pleased to hear the 
discussion on the first panel. That was the first time that I 
had heard the FBI and the TSA actually talking about what 
sounded like a perpetual recurring vetting with the criminal 
history record check. That is absolutely something that--
especially if it is available, as the first panel seemed to 
indicate, we should definitely be relying on an automated 
system as opposed to self-reporting. I think that would be a 
huge step forward.
    Miss Rice. In your capacity, what is your biggest 
frustration, what are the airlines' biggest frustration in 
terms of the day-to-day--their ability to operate in an 
efficient, safe way?
    Ms. Pinkerton. Well, I would describe our relationship with 
TSA and our airport partners as being a positive and productive 
one. You know, I do think sometimes the media focus and 
attention on the latest incident sometimes clouds our ability 
to analyze different options thoughtfully, and that is why I am 
really pleased, frankly, that Congress and the administration 
are giving the ASAC committee, you know, 30, 60, and 90 days to 
come up with some really well-thought-out recommendations.
    Miss Rice. So, Mr. Southwell, I don't know if you can--I 
hope you can answer this question. I would imagine that there 
was a level of upset and frustration that you personally felt 
and professionally at being informed at such a late date of 
what was going on in your own airport.
    Going forward, how do we avoid that? How do we--because, to 
me, information is power. Right? The more information every 
partner has along the way, the more powerful we can be at 
preventing things like this from happening. So you are in a 
very unique position, and I am not asking you to throw anyone 
under the bus, because that is not what this is about. But, you 
know, if I were you, I would have been really angry. So what 
was your first reaction, and how do we avoid that from 
happening, because you should have been, in my opinion, a part 
of everything that was going on pre-arrest?
    Mr. Southwell. Well, we are working, Madam Congresswoman 
with the TSA as well as with the FBI, the local FBI 
authorities. The Atlanta police department, of course, is the 
one who is usually notified in those instances. We are looking 
to increase, for example, just historically the Atlanta Police 
Department is notified towards the time of apprehension. If 
they are not, in the instances where they are not, the Atlanta 
police has to sign a nondisclosure agreement. Most of the 
times, they don't have the particular clearance to receive the 
information, which is something we are working with the TSA as 
well as the FBI at this time.
    Miss Rice. What level of--if there--obviously, we need to 
figure out a better screening process, whether that is--whether 
it goes to 100 percent screening for employees in a separate 
area, how--and you would really be the airport that would 
probably bear the brunt of this the most out of any airport in 
this country. Is it even feasible? I mean, the things that were 
are talking, about Ms. Pinkerton's suggestions, things that we 
are asking questions about, is it feasible?
    Mr. Southwell. We believe it is feasible, to the extent you 
talk about full screening. That is, there will be some 
exceptions. There is no such thing as 100 percent screening, as 
I stated. There is just, from a practical point of view, if 
someone is having a heart attack, you can't stop the EMS folks 
from attending to those passengers.
    It is feasible. I worked in Miami for 12 years, and I have 
seen it work. So I know it is feasible. There is a disparity, 
even as we speak, regarding the passenger screening and the 
employee screening that we talked about earlier. The industry 
as a whole is looking for ways to contain costs. In the risk-
based analysis, for example, that we are using with passengers 
where as a passenger you submit your yourself to this extra 
background check to qualify as a trusted traveler. Once you 
pass that screening, you are rewarded with not no screening, 
but you are rewarded by having limited screening. You don't 
have to take off your jacket. You don't have to take off your 
shoes our take out your computer out of your carry-on, but you 
are screened.
    The employees at Atlanta's airport go through the similar 
background checks, and of course, they are treated a bit 
differently. They are currently just swiping and not being 
screened, and so one of--I am not subscribing that every 
airport would screen all of its employees. We believe, given 
the high profile in Atlanta, that it will be applicable.
    Miss Rice. Do you have--very quickly, do you have a system 
in place at the airport, and forgive me if you already answered 
this, to track lost or stolen SIDA badges? Is there a way to 
ensure that people are only going where they are--in secure 
areas where their job and their scope of employment requires? I 
mean, is there any way that you can kind-of------
    Mr. Southwell. We do. We do that all day through a system 
of dual access restrictions.
    Miss Rice. And they are effective?
    Mr. Southwell. Quite--quite so. You can't just simply 
move--simply because you can access a concourse doesn't mean 
that you can go down onto a ramp. We have a large number of 
employees who board a bus off-site at an off-site parking lot. 
They enter the airfield entrances and go onto the airfield. 
That doesn't mean that once they get onto the airfield, that 
they can just simply roam around. We are looking at that, 
however, because we talked about one key method of managing all 
of this cost. We have some 70 different portals at the airport. 
We are looking to reduce those to 10, similar to what Miami has 
done. So there are ways to make it feasible.
    Miss Rice. Thank you both.
    Thank you, Mr. Chairman.
    Mr. Katko. Thank you, Miss Rice.
    Thank you, Mr. Southwell, and, Ms. Pinkerton.
    Next up is Mr. Payne, the gentleman from New Jersey.
    Mr. Payne. Thank you, Mr. Chairman.
    Ms. Pinkerton, in your view, how can TSA airports, 
airlines, vendors, and others all work together to mitigate the 
insider threat?
    Ms. Pinkerton. Well, I think that we are starting to do 
that today by having this conversation, the sharing of ideas. 
Again, I was very pleased to hear that the FBI and TSA have 
started a pilot program to do constant perpetual vetting on 
criminal history records, but I would say the place where we 
are really formalizing that collaboration is through the ASAC 
committee, that this subcommittee and Congress have certainly--
can solidified the role of ASAC by passing that legislation. 
Then I think we are working together on a local basis with our 
airport and TSA to follow through on some of the ideas that Mr. 
Southwell has put on the table.
    Mr. Payne. Thank you.
    Mr. Southwell, you just mentioned, you know, how you have 
employees come from off airport parking lots and then bused in. 
Does your airport perform physical screening functions 
independent of those that TSA performs randomly on employees?
    Mr. Southwell. We certainly do, Mr. Congressman. We have 
teams of people who not only perform these. It is random at the 
entrance points. But also throughout the day, we perform these 
random checks within the concourses and the various portals of 
the airport.
    Mr. Payne. Well, thank you.
    Mr. Chairman, in the interest of time, I will yield back.
    Mr. Katko. Thank you, Mr. Payne.
    Now the Chairman now recognizes Mr. Johnson from Georgia.
    Mr. Johnson. Thank you.
    Ms. Pinkerton, you are aware of the fact that airlines have 
downsized the number of employees that they have to pay 
directly, and they have done that by farming out certain 
functions to contractors. Are you aware of that phenomenon?
    Ms. Pinkerton. Yes. In some instances.
    Mr. Johnson. Now your organization, Airlines for America, 
does not represent contractors at the airport whose employees 
are performing certain tasks. Is that correct?
    Ms. Pinkerton. That is correct.
    Mr. Johnson. Mr. Southwell, what percentage of that 40,000 
employee number that you stated earlier are subcon--or contract 
employees of airlines? Because you have airline employees, you 
have airport employees, and you also have contractor employees 
at the airport. What percentage of the number are contractor 
employees?
    Mr. Southwell. Congressman, I don't know what that number 
is, but I would imagine the vast majority of those employees 
are actually employees of the airline.
    I would also like to clarify because of your question that 
the airlines, which represent about half of the employees on 
the airport that have SIDA access, actually submit all of the 
information to the FBI to do the background check.
    Mr. Johnson. Well, you are kind of getting ahead of me 
then.
    I was wanting to know whether or not these contractor 
employees are considered employees who are subject to these 
employee background checks and, also, terrorist watch list 
checks?
    Ms. Pinkerton. Yes, Congressmen. They are.
    Mr. Johnson. They are?
    Ms. Pinkerton. They are.
    Mr. Johnson. Well, let me ask you this, Mr. Southwell. 
Thank you for that response. That is comforting.
    What impact has Georgia's Guns Everywhere Law, the law that 
allows guns to be carried in churches, in bars, in restaurants 
serving alcohol, in Government buildings, what impact has that 
law, which went into effect, I believe, in July of last year, 
had on airport security if any?
    Mr. Southwell. Mr. Congressman, we have not seen any 
increase or marked increase in the number of weapons being 
brought to the airport. The Federal Government still has a 
restriction regardless of the Federal law of passengers taking 
guns beyond the security checkpoint.
    Mr. Johnson. Thank you.
    I would close out by saying that this morning I had the 
pleasure of meeting with you, Mr. Southwell, and I think we had 
a very thorough and productive conversation. I want to pledge 
to work with you to achieve the kind of security that you deem 
is appropriate and necessary for Atlanta Hartsfield Airport.
    I want to take the liberty of, on your behalf, extending to 
the leadership of this committee an invitation to visit Atlanta 
and take a tour. When you do that, I would like to come with 
you and see the arrangements that are in place and that are 
being put in place to enhance security at the airport.
    Last I would just like to say again thank you for allowing 
me to participate in this very important hearing today. Thank 
you.
    Mr. Katko. Well, I would like to thank you, Mr. Johnson.
    I think we are going to take you up on that offer. I think 
it is important to come to Atlanta to see how things are going, 
and it would be very instructive for both of us.
    I want to thank the witnesses for their testimony, both Mr. 
Southwell and Ms. Pinkerton, as well as the others. The Members 
of the committee may have some additional questions. As always, 
the hearing record will be held open for 10 days.
    But I want to note that I appreciate the professionalism of 
both of you today as well. I mean, the one thing that is very 
heartening is that, instead of sweeping the problem under the 
rug, the industry has recognized it is a problem and we are 
going to work together to solve it. You know, you can rest 
assured you have a partner in Miss Rice and myself to do that.
    Last, I want to thank Miss Rice as well. She has been a 
very good partner here. I look forward to working with you 
going forward.
    So thank you.
    Ms. Pinkerton. Thank you, Mr. Chairman.
    Mr. Katko. All right. Without objection, the committee 
stands adjourned.
    Thank you.
    [Whereupon, at 4:39 p.m., the subcommittee was adjourned.]


 A REVIEW OF ACCESS CONTROL MEASURES AT OUR NATION'S AIRPORTS, PART II

                              ----------                              


                        Thursday, April 30, 2015

             U.S. House of Representatives,
           Subcommittee on Transportation Security,
                            Committee on Homeland Security,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 2:11 p.m., in 
Room 311, Cannon House Office Building, Hon. John Katko 
[Chairman of the subcommittee] presiding.
    Present: Representatives Katko, Rogers, Ratcliffe, Rice, 
and Keating.
    Mr. Katko. First of all, welcome back, Mr. Carraway. Thank 
you for being here again.
    I would like to welcome everyone to today's hearing on 
airport access controls, which serves as a follow-up to the 
subcommittee's first hearing of the 114th Congress on this very 
important topic.
    At the outset, I would like to express my support for 
President Obama's announcement of his intent to nominate Vice 
Admiral Peter Neffenger, current vice commandant of the U.S. 
Coast Guard, to be the next administrator of the TSA.
    TSA provides vital security to protect our Nation's 
transportation systems, and it is an imperative that the agency 
is equipped with the necessary leadership to ensure that it is 
operating in the most effective and efficient manner.
    I urge the Senate to act quickly on the nomination of Vice 
Admiral Neffenger to be TSA administrator.
    A number of serious security breaches by employees at major 
airports in the United States in recent months has highlighted 
the need for the TSA, the airport stakeholder community, and 
this subcommittee to take a hard look at how we can work 
together--and I stress the word ``together''--to improve access 
controls and employee vetting at our Nation's airports.
    I hope today's hearing can provide a positive and 
productive dialogue on how this can be accomplished. Unlike 
some of the hearings, I would note parenthetically, we are 
going to ask your opinion on a lot of things, and we welcome 
your input.
    In January of this year, Acting Administrator Carraway 
requested that the Aviation Security Advisory Committee conduct 
a review of airport access control measures. Today, with the 
final report in hand, the subcommittee intends to better 
understand the ASAC's findings and discuss the feasibility of 
the recommendations.
    The ASAC report included 28 recommendations to improve 
airport employee access control in five general areas, 
including, No. 1, security screening and inspection; No. 2, 
vetting of employees and security threat assessments; No. 3, 
internal controls in auditing of airport-issued credentials; 
No. 4, risk-based security for higher risk populations and 
intelligence; and No. 5, security awareness and vigilance.
    I am eager to hear how TSA and the airport community plan 
on improving the employee vetting process for individuals who 
have access to secure and sterile parts of the airport, as well 
as how the screening of these employees when they come to work 
can be improved.
    In response to Acting Administrator Carraway's request, the 
ASAC created a working group tasked with analyzing the adequacy 
of existing security measures, as well as issuing 
recommendations on what additional measures could be 
implemented to improve employee access controls.
    One of the initial areas the working group examined was the 
practicality of conducting 100 percent employee screening. 
Rather than 100 percent screening, the working group believes 
that TSA should expand random employee screening and inspection 
under its Playbook operations.
    I am pleased that TSA has already begun increasing the 
random screening for aviation employees at our Nation's 
airports. I look forward to hearing about the methodology TSA 
uses to determine the frequency of conducting such screening, 
as well as whether that methodology is effective in providing 
airport employees with the expectation that they will be 
subject to screening while working at an airport.
    Today, we have the assistant administrator of TSA, as well 
as two representatives from the airport community to address 
how those recommendations can be implemented at airports 
Nation-wide. I applaud the efforts of the ASAC in finding ways 
in which access control at our Nation's airports can be further 
improved through the cooperation of TSA industry stakeholders.
    Further, I look forward to having a meaningful discussion 
with TSA and airport stakeholders on what can be done going 
forward to improve employee vetting and screening for those 
with access to sensitive and sterile parts of airports.
    [The statement of Chairman Katko follows:]
                    Statement of Chairman John Katko
                             April 30, 2015
    I would like to welcome everyone to today's hearing on airport 
access controls which serves as a follow-up to the subcommittee's first 
hearing of the 114th Congress on this very important topic.
    At the outset, I would like to express my support for President 
Obama's announcement of his intent to nominate Vice Admiral Peter 
Neffenger, current vice commandant of the U.S. Coast Guard, to be the 
next administrator of the Transportation Security Administration. TSA 
provides vital security to protect our Nation's transportation systems 
and it is imperative that the agency is equipped with the necessary 
leadership to ensure that it is operating in the most effective and 
efficient manner. I urge the Senate to act quickly on the nomination of 
Vice Admiral Neffenger to be TSA administrator.
    A number of serious security breaches by employees at major U.S. 
airports in recent months have highlighted the need for the 
Transportation Security Administration, the airport stakeholder 
community, and this subcommittee to take a hard look at how we can work 
together to improve access controls and employee vetting at our 
Nation's airports. I hope today's hearing can provide a positive and 
productive dialogue on how this can be accomplished.
    In January of this year, Acting Administrator Carraway requested 
that the Aviation Security Advisory Committee conduct a review of 
airport access control measures. Today, with the final report in hand, 
the subcommittee intends to better understand the ASAC's findings and 
discuss the feasibility of the recommendations.
    The ASAC report included 28 recommendations to improve airport 
employee access control in five general areas including: (1) Security 
screening and inspection; (2) vetting of employees and security threat 
assessment; (3) internal controls and auditing of airport-issued 
credentials; (4) risk-based security for higher-risk populations and 
intelligence; and (5) security awareness and vigilance.
    I am eager to hear how TSA and the airport community plan on 
improving the employee vetting process for individuals who have access 
to secure and sterile parts of the airport, as well as how the 
screening of these employees when they come to work can be improved.
    In response to Acting Administrator Carraway's request, the 
Aviation Security Advisory Committee created a working group tasked 
with analyzing the adequacy of existing security measures, as well as 
issuing recommendations on what additional measures could be 
implemented to improve employee access controls.
    One of the initial areas the working group examined was the 
practicality of conducting 100% employee screening. Rather than 100% 
screening, the working group believes TSA should expand random employee 
screening and inspection under its playbook operations. I am pleased 
that TSA has already begun increasing the random screening for aviation 
employees at our Nation's airports. I look forward to hearing about the 
methodology TSA uses to determine the frequency of conducting such 
screening, as well as whether that methodology is effective in 
providing airport employees with the expectation that they will be 
subject to screening while working at an airport.
    Today, we have the assistant administrator of TSA as well as two 
representatives from the airport community to address how those 
recommendations can be implemented at airports Nation-wide.
    I applaud the efforts of the Aviation Security Advisory Committee 
in finding ways in which access controls at our Nation's airports can 
be further improved through the cooperation of TSA and industry 
stakeholders. Further, I look forward to having a meaningful discussion 
with TSA and airport stakeholders on what can be done going forward to 
improve employee vetting and screening for those with access to 
sensitive and sterile parts of airports.

    Mr. Katko. The Chairman now recognizes--well, actually, we 
are going to recognize Miss Rice for an opening statement, but 
she is not here yet. So when she gets here, we will recognize 
her. Other Members of the committee are reminded that opening 
statements may be submitted for the record.
    [The statement of Ranking Member Thompson follows:]
             Statement of Ranking Member Bennie G. Thompson
                             April 30, 2015
    This is the second subcommittee hearing on airport access control 
measures. At our first hearing on this issue in February, I stated that 
each airport presents a unique set of security issues. While I 
understand the need for vendors and airline employees to access various 
areas of the airport to do their jobs, I also understand the need to 
maintain security. That is why all airline and airport workers with 
unescorted access to areas beyond the checkpoint must successfully 
complete terrorism and criminal background checks.
    At many airports, these vetted workers use their Secure 
Identification Display Area (SIDA) badges to bypass TSA security 
screening to get to their workplace--which happens to be on the other 
side of the TSA checkpoint. In most cases, granting vetted airport 
personnel such access to the sterile side of the airport is beneficial 
to airport operations and the flying public.
    However, in December 2014, we learned of an alarming instance of 
SIDA badge misuse. Individuals were charged with smuggling over 150 
guns from Atlanta to New York City aboard commercial flights. It seems 
that one of the gun smugglers used his SIDA badge to bypass physical 
screening to pass the weapons to a co-conspirator on the sterile side 
of the airport. After this incident, TSA asked the Aviation Security 
Advisory Committee to reevaluate airport employee screening protocols. 
Involving the ASAC was a good decision by Acting Administrator.
    The ASAC is comprised of stakeholders within the aviation community 
who have a deep knowledge of the inner workings of our Nation's 
airports and have valuable insights to offer on how to implement 
security efforts in a way that does not unduly disrupt or interfere 
with airport operations. Last year, I was pleased that the President 
signed into law a measure that I authored--the ``Aviation Security 
Stakeholder Participation Act of 2014''--to authorize this important 
advisory committee.
    I am pleased that the ASAC acted, and in its 90-day review, set 
forth a number of considerations and approaches to address potential 
airport security vulnerabilities. The ASAC made a total of 28 
recommendations. Among them was a recommendation that TSA strengthen 
the vetting procedures when screening employees. It also recommended 
that TSA maintain a database of all employees who have had credentials 
revoked.
    For quite some time, I have often questioned TSA about its 
recordkeeping of lost and revoked credentials. Together with Ranking 
Member Rice, I have asked the Government Accountability Office to look 
into this. I am looking forward to learning how TSA plans on addressing 
this matter. The ASAC also recommended that airports limit the number 
of access points into sterile areas and restrict access privileges when 
not needed and that airports enhance auditing practices for issued 
badges. I look forward to hearing Mr. Grossman's perspective, as an 
airport official, on this recommendation as he testifies on the second 
panel today.
    Furthermore, the ASAC recommended that TSA improve its insider 
threat program. While there is a case to be made for such enhancements, 
often with such programs, the devil is in the details. It is critical 
that TSA's insider threat program have strong protections to ensure 
that the program cannot be exploited to abuse, improperly target, or 
retaliate against airport workers.
    I was pleased that DHS took timely action, in response to the ASAC 
recommendations. Within days, DHS Secretary Johnson took immediate 
actions to enhance aviation security. These actions include screening 
of airport employees when they travel as passengers and increasing 
randomization screenings of aviation employees.
    Secretary Johnson also directed TSA to work towards requiring 
recurrent criminal history records checks for SIDA badge holders. While 
these are steps in the right direction, tough questions remain about 
the internal controls at our Nation's airports and whether meaningful 
progress can be made to address known access control vulnerabilities.
    Airport security is a shared concern, and we must work across the 
aisle to make sure that we strike the right balance at our Nation's 
airports to protect the American flying public and our critical 
aviation infrastructure, while ensuring the free flow of commerce and 
people. I look forward to continued work with this subcommittee, the 
ASAC, and TSA to ensure the layers of security are as strong as they 
should be.

    Mr. Katko. We are pleased to have two very distinguished 
panels of witnesses before us today on this important topic. 
For our first panel, I would like to welcome back Acting 
Administrator Carraway. Let me remind the witness that his 
entire written statement will appear in the record.
    Mr. Carraway, as we know from previous testimony, became 
acting administrator of TSA in January 2015. Prior to his 
current role, Mr. Carraway served as a deputy administrator 
beginning in July 2014. He has been with TSA since 2004, and 
has held various positions within the Offices of Security 
Operations and the Law Enforcement/Federal Air Marshal Service, 
including Supervisory Federal Air Marshal in charge for the 
Dallas Field Office.
    The Chairman now recognizes Mr. Carraway to testify.
    Mr. Carraway, welcome back, my friend.

    STATEMENT OF MELVIN J. CARRAWAY, ACTING ADMINISTRATOR, 
  TRANSPORTATION SECURITY ADMINISTRATION, U.S. DEPARTMENT OF 
                       HOMELAND SECURITY

    Mr. Carraway. Good afternoon, Chairman Katko, Ranking 
Member Rice, and distinguished Members of the committee. I 
appreciate the opportunity to appear before you and provide an 
update on TSA's efforts to mitigate the insider threat at our 
Nation's airports.
    Controlling access to the sterile side of the airport or 
the area beyond the TSA's screening checkpoint requires 
balancing security with the business operations of each unique 
airport. The sterile area holds passengers and air crews 
waiting for flights, but it is also the workplace for vendors, 
mechanics, ground crews, and others employed by the airlines 
and the airports, many of whom enter and exit the areas 
multiple times a day as a part of their regular duties.
    In January 2015, I asked the Aviation Security Advisory 
Committee, or ASAC, which we call it, to review airport access 
controls following the December 2014 incident in Atlanta by a 
Delta Airlines employee allegedly conspiring to smuggle 
firearms from Atlanta to New York. Following a 90-day 
comprehensive review, this group of industry experts delivered 
its report with recommendations to address vulnerabilities 
posed by an insider threat at our Nation's airports.
    It is important to note that TSA's engagement with the ASAC 
on this important issue did not stop with the delivery of this 
report. TSA officials, including myself, have been actively 
engaged with our private-industry partners to ensure effective 
and prompt response to the recommendations provided by the 
ASAC.
    Recognizing the potential for terrorists to exploit the 
vulnerability highlighted in the December 2014 events, I took 
several steps to address the insider threats at airports 
Nation-wide. These included increasing TSA random and 
unpredictable employee screening, reminding airlines that 
employees on personal travel must be screened at TSA 
checkpoints, and increasing communication between TSA and our 
aviation industry partners on threats and potential 
vulnerabilities.
    While these actions could be initiated in the immediate 
short term, I also recognize the need to adopt long-term 
solutions. The recommendations contained in the ASAC 90-day 
review are comprehensive, thoughtful, and will help TSA achieve 
meaningful reforms and partnerships with our aviation 
stakeholders. Additionally, these recommendations use a risk-
based approach, allowing resources to be used where they are 
needed the most.
    The ASAC identified five areas of analysis where TSA and 
industry could take action to address potential 
vulnerabilities. These areas include security screening and 
inspection, employee vetting and security assessments, internal 
controls and auditing of airport-issued credentials, risk-based 
security for high-risk populations and intelligence, and 
security awareness and vigilance.
    The ASAC generated 28 recommendations focusing on 
activities under TSA's jurisdictions from these five areas. 
Following my initial review, I found that all of these 
recommendations have merit. Some are achievable in the short 
term; however, there are many that require more thorough review 
to determine how to implement and if doing so will require 
statutory changes and/or additional resources.
    Yesterday, TSA issued updates to current security 
directives and issued an information circular to implement the 
measures Secretary Johnson announced last week. They are: 
Requiring the fingerprint-based criminal history records check 
every 2 years for all airport employee SIDA badge holders until 
TSA establishes a system for real-time recurring criminal 
history background checks for all aviation workers; require 
airport and airline employees traveling as passengers to be 
screened by TSA prior to travel; requiring airports to reduce 
the number of access points to secured areas to an operational 
minimum; and increase aviation employee screening to include 
random screenings throughout the workday. Finally, to 
reemphasize and leverage the Department of Homeland Security 
``If You See Something, Say Something'' initiative to improve 
situational awareness and encourage reporting suspicious 
activity.
    Over the coming months, TSA will examine the means and 
ability to implement additional recommendations designed to 
strengthen security at our Nation's airports even more. I 
appreciate the ASAC's review. I look forward to continued 
engagement with them and our industry partners.
    The ASAC also noted that requiring 100 percent physical 
employee screening would divert limited resources from other 
critical security functions and may also require infrastructure 
improvements, workforce expansion, and airport reconfiguration. 
It concluded that a random screening strategy would be the most 
cost-effective solution.
    As noted by the 9/11 Commission, perfection is unattainable 
and its pursuit unsustainable. Trying to eliminate all risks 
results in ineffective security and unnecessarily burdens the 
aviation industry and Government.
    Transportation security remains a shared responsibility 
among Government agencies, stakeholders, and aviation employees 
and the traveling public. I want to thank the committee for 
your partnership on this and other important issues, and I 
truly look forward to working with you and to answering your 
questions on this important topic.
    [The prepared statement of Mr. Carraway follows:]
                Prepared Statement of Melvin J. Carraway
                             April 30, 2015
    Good afternoon Chairman Katko, Ranking Member Rice, and 
distinguished Members of the committee. I appreciate the opportunity to 
appear before you today to provide updates on the Transportation 
Security Administration's (TSA) efforts in enhancing airport access 
control at our Nation's airports.
    In January 2015, I requested that the Aviation Security Advisory 
Committee (ASAC) convene a working group of industry experts to conduct 
a comprehensive review of airport access control following the December 
2014 incident of a Delta airlines employee allegedly conspiring to 
smuggle firearms from Hartsfield-Jackson Atlanta International Airport 
(ATL) to John F. Kennedy International Airport in New York. The ASAC 
was tasked with examining the potential vulnerabilities for terrorist 
activities exposed by this criminal incident to determine if additional 
risk-based security measures, resources, or policy changes were 
necessary. After a 90-day comprehensive review, the ASAC delivered its 
report with 28 recommendations to address vulnerabilities at our 
Nation's airports. I would like to report on these recommendations and 
share with you TSA's next steps in addressing them.
                       access control background
    Each day, TSA facilitates and secures the travel of nearly 2 
million air passengers at approximately 440 airports Nation-wide. 
Controlling access to the sterile side of the airport, or the area 
beyond the TSA screening checkpoint, requires finding the right balance 
between security and the business operations of each unique airport. 
The sterile area hosts passengers and air crews waiting for flights, 
but it is also the workplace for vendors, mechanics, ground crew, and 
others employed by the airlines and the airports, many of whom enter 
and exit the area multiple times a day as part of their regular duties.
    TSA requires each airport to have a security program that includes 
controlling access to the sterile area, and TSA inspects against these 
plans to ensure compliance. These inspections include checks of 
credentialing, perimeter security, exit lanes, employee access, and 
other critical areas.
                     employee vetting and screening
    TSA has established requirements for security background checks for 
airport and airline employees who have unescorted access to the sterile 
area and air operations area. This check is conducted through the 
Secure Identification Display Area (SIDA) badging process before 
employees are granted unescorted access to the sterile area of the 
airport. TSA conducts the name-based portion of the security threat 
assessment, which includes an immigration status check and recurrent 
checks against the Terrorist Screening Database. Additionally, under 
TSA regulations, airports are required to collect and submit 
fingerprints for a Criminal History Records Check (CHRC) and adjudicate 
any criminal history data for potential employees. Individuals who have 
committed a statutorily-defined disqualifying offense within the 
preceding 10 years are not eligible for a SIDA badge. While the CHRC is 
currently a single point-in-time check prior to employment, TSA has 
been working diligently towards solutions to provide recurrent vetting 
of the criminal history data of employees.
    Once workers are employed at airports, TSA requires airports to 
conduct random physical inspections of employees entering restricted 
areas, including identification verification and checks for prohibited 
items. TSA also screens workers on a random and unpredictable basis as 
they enter restricted areas. TSA's screening protocols vary by time, 
location, and method to enhance unpredictability. Employees who fail to 
follow proper procedures in accessing secure areas may be restricted 
from future access, disciplined by their employer up to and including 
removal, or subject to criminal charges and civil penalties.
                     immediate actions taken by tsa
    In the immediate aftermath of the December 2014 events, I took 
several steps to strengthen access control security and mitigate the 
potential vulnerability associated with aviation workers' access to 
secure areas. These actions include: Increasing TSA random and 
unpredictable screening of airport employees as they enter for work 
within the sterile area; issuing letters to airlines reiterating that 
employees on personal travel must be screened at TSA checkpoints; and 
increasing communication between TSA and our aviation industry partners 
on threats and potential vulnerabilities.
    While these actions can be conducted in the short term, I also 
recognized the need to adopt long-term solutions and the opportunity to 
engage stakeholders in the development of these solutions through 
consultation with the ASAC, TSA's primary advisory body comprised of 
industry and security representatives.
              aviation security advisory committee report
    While the measures TSA has in place for background checks, security 
programs, and compliance inspections provide a good baseline for access 
control security, the December incident of alleged gun smuggling by an 
employee with SIDA access illustrated a need to consider additional 
options to address the potential vulnerability of a terrorist utilizing 
insider threat methods. Thanks to this committee's work in passing into 
law the Aviation Security Stakeholder Participation Act, codifying the 
ASAC's existence and strengthening its supporting role for TSA's 
mission, the ASAC was the ideal consultation approach to review access 
control vulnerabilities. The ASAC's membership of industry, law 
enforcement, and other key stakeholders brought a broad range of 
perspectives to the problem of insider threat and access control. The 
recommendations in their 90-day review are comprehensive, thoughtful, 
and will help TSA achieve meaningful reforms in partnership with our 
aviation stakeholders. Additionally, these recommendations use a risk-
based approach, allowing resources to be used in the most efficient way 
for the most effective security.
    The ASAC identified five areas of analysis and generated 28 
recommendations in each of these areas where TSA and industry can take 
action to address potential vulnerabilities. These areas are:
   Security Screening and Inspection;
   Vetting of Employees and Security Threat Assessments;
   Internal Controls and Auditing of Airport-Issued 
        Credentials;
   Risk-Based Security for Higher-Risk Populations and 
        Intelligence; and
   Security Awareness and Vigilance.
    These recommendations focus on activities under the jurisdiction of 
the TSA granted to it under the Aviation and Transportation Security 
Act (ATSA, Public Law 107-71 November 19, 2001). The ASAC expects that 
these recommendations will concurrently mitigate criminal activity in 
the secured and sterile areas of airports as well.
    In terms of security screening and inspection, ASAC recommended 
that TSA and industry work together to increase the frequency of random 
and unpredictable screening for airport and airline employees. On 
employee vetting and security threat assessments, ASAC recommended 
updating the list of disqualifying criminal offenses and implementing 
recurrent criminal history records checks for airport and airline 
employees. Regarding internal controls and auditing credentials, ASAC 
recommended TSA and industry strengthen policies for proper airport 
identification media and penalties associated with credential misuse. 
On risk-based security, ASAC recommended TSA continue to work with our 
Federal intelligence partners and share intelligence information as 
broadly as possible and appropriate with industry partners. With 
respect to security awareness, ASAC recommended TSA, industry and law 
enforcement partners work collaboratively to share best practices and 
encourage employee engagement on reporting suspicious activity.
    The individuals employed by airlines and airports hold positions of 
trust and as mentioned above are repeatedly vetted against the 
Terrorist Watchlist. The ASAC recognized the unique role that airline 
and airport workers may have, including responsibility in securing the 
airport environment, and recommended leveraging this workforce to its 
fullest potential. By creating a culture of awareness for all airport 
employees, through increased training and promotion of the Department 
of Homeland Security ``If You See Something, Say 
SomethingTM'' program and other initiatives, these employees 
can serve as a force multiplier and further enhance access control 
measures.
    As a result of ASAC's review, on April 20, 2015 Secretary of 
Homeland Security Jeh Johnson announced a number of additional steps 
TSA will take to address the potential insider threat vulnerability at 
U.S. airports. First, until TSA establishes a system for real-time 
recurrent criminal history background checks for all aviation workers, 
we will require airports and airlines to conduct fingerprint-based 
Criminal History Records Checks every 2 years for all employee SIDA 
badge holders. We will reinforce existing requirements that all airport 
and airline employees traveling as passengers are screened by TSA prior 
to travel. We will direct and work with airports to reduce the number 
of access points to secured areas to an operational minimum. 
Additionally, TSA will require airports to increase aviation employee 
screening, to include additional randomization screening throughout the 
workday. Finally, we will work with our stakeholder partners to 
emphasize and leverage the Department of Homeland Security's ``If You 
See Something, Say SomethingTM'' initiative to improve 
situational awareness and encourage detection and reporting of threat 
activity.
    These enhancements to access control Nation-wide will greatly 
improve our effectiveness by reducing vulnerabilities and maintaining 
our risk-based approach to aviation security. Over the coming months, 
TSA will examine additional recommendations to implement in the future 
to continue strengthening our Nation's airports. I appreciate the 
ASAC's timely and thoughtful review, and look forward to working with 
them and our industry partners.
    Of note, the ASAC held the consensus opinion that while physical 
screening of employees is one means of deterring terrorist activity, 
100 percent physical employee screening is not the only, or necessarily 
the best, solution. Requiring 100 percent physical employee screening 
would divert limited resources from other critical security functions. 
Such physical screening, moreover, would require infrastructure 
improvements, workforce expansion, and airport reconfiguration. This 
would constitute an ineffective use of resources with limited security 
value. An ASAC working group concluded that ``the provision of so-
called `100 percent measures' as a layer of airport security does not 
appreciably increase the overall level of system-wide protection, nor 
does it lower over-all risk.'' It concluded that a random and 
unpredictable screening strategy would be the most cost-effective 
solution.
    For TSA, risk-based security considers how to provide the most 
effective security in the most efficient way to fulfill our 
counterterrorism mission and protect the traveling public. As noted by 
the 9/11 Commission, perfection is unattainable and its pursuit 
unsustainable. Trying to eliminate all risk results in ineffective 
security and unnecessarily burdens the aviation industry and 
Government.
                               conclusion
    Transportation security remains a shared responsibility among 
Government agencies, stakeholders, aviation employees, and the 
traveling public. TSA will continue to apply risk-based, intelligence-
driven security measures to address vulnerabilities associated with 
employees who have access to aircraft and secure areas of the airport, 
while working with industry representatives and the public to 
strengthen aviation security.
    I want to thank the committee for your continued partnership on 
this and other important issues, and I look forward to answering your 
questions.

    Mr. Katko. Thank you, Mr. Carraway. I will note that you 
are remarkably on the button time-wise, which is a rarity as I 
am finding out on this committee.
    I will note also that it is heartening to have a problem be 
identified by everybody and to call a hearing and for everyone 
to come to the table, not to fight about whether it is a 
problem, to acknowledge a problem, and working together to find 
a solution. That is how it is supposed to work, and I am glad 
that we are here today to work on working out--not to decide 
whether or not there is a problem, we are way past that--how to 
fix it. That is why I am glad we are here.
    Mr. Carraway. Yes, sir.
    Mr. Katko. The Chairman now recognizes Ranking Minority 
Member of the subcommittee, the gentlelady from New York, Miss 
Rice, who is as busy and I am, and she was a few minutes late 
getting here. So I want to give her an opportunity to give her 
opening statement.
    Miss Rice. Thank you for calling me out on that, Mr. 
Chairman, I appreciate that. I want to thank you for convening 
this very important hearing.
    Recent incidents, most notably the gun-smuggling operation 
involving a Delta employee, have highlighted the urgent need 
for us to look closely at access controls in our Nation's 
airports and the potential threat of employees exploiting 
security credentials to commit criminal activity, like we saw 
in Atlanta, or even to commit acts of terrorism.
    Our first oversight hearing in February revealed what I 
think we would all agree to be alarming vulnerabilities that 
exist in regard to employee screening, employee vetting, and 
access controls. These vulnerabilities constitute a major 
threat to our homeland security and they must be eliminated.
    As part of our effort to correct those deficiencies, Acting 
Administrator Carraway asked the Aviation Security Advisory 
Committee, or ASAC, to review security measures for industry 
employees. The ASAC, which was codified into law by legislation 
that Ranking Member Thompson offered last year, recently 
released its 90-day report on access control.
    First, I want to thank the members of the advisory 
committee for their swift and diligent response. Obviously, we 
are very grateful for your work. I also want to say that I am 
pleased to see that the ASAC is working exactly as it was 
intended. The job of maintaining our aviation security doesn't 
fall solely on the TSA or any one agency or entity. It is and 
must be a collaborative effort, and that is why this advisory 
committee serves such an important purpose.
    The ASAC brings all the stakeholders to the table, from 
Federal agencies and law enforcement to leaders in the aviation 
industry, so that we can consider all perspectives and work 
together to identify ways to make our aviation system safer and 
more secure.
    That kind of collaboration is exactly what this report 
represents. The 28 recommendations in the report are 
thoughtful, constructive, and well-researched, and I look 
forward to the dialogue today to understand how they can help 
us strengthen security procedures, tighten access controls, and 
neutralize the insider threat.
    So, Mr. Carraway, thank you very much for your appearance, 
and for all of the witnesses here today. Thank you.
    [The statement of Ranking Member Rice follows:]
              Statement of Ranking Member Kathleen M. Rice
                             April 30, 2015
    Recent incidents--most notably the gun-smuggling operation 
involving a Delta employee--have highlighted the urgent need for us to 
look closely at access controls in our Nation's airports and the 
potential threat of employees exploiting security credentials to commit 
criminal activity like we saw in Atlanta, or even to commit acts of 
terrorism.
    Our first oversight hearing in February revealed alarming 
vulnerabilities that exist in regard to employee screening, employee 
vetting, and access controls. These vulnerabilities constitute a major 
threat to our homeland security, and they must be eliminated.
    As part of our effort to correct those deficiencies, Acting 
Administrator Carraway asked the Aviation Security Advisory Committee, 
or ASAC, to review security measures for industry employees. The ASAC, 
which was codified into law by legislation that Ranking Member Thompson 
offered last year, recently released its 90-day report on access 
control.
    First, I want to thank the members of the Advisory Committee for 
their swift and diligent response--we're very grateful for the work you 
put into this report. I also want to say I'm pleased to see the ASAC 
working exactly as it was intended. The job of maintaining our aviation 
security doesn't fall solely on the TSA, or any one agency or entity. 
It is and must be a collaborative effort, and that's why this advisory 
committee serves such an important purpose.
    The ASAC brings all the stakeholders to the table--from Federal 
agencies and law enforcement, to leaders in the aviation industry--so 
that we can consider all perspectives and work together to identify 
ways to make our aviation system safer and more secure. That kind of 
collaboration is exactly what this report represents. The 28 
recommendations in the report are thoughtful, constructive, and well-
researched. And I look forward to the dialogue today to understand how 
they can help us strengthen security procedures, tighten access 
controls, and neutralize the insider threat.
    I want to thank each of our witnesses for being here today. I thank 
Acting Administrator Carraway for his service, and look forward to 
hearing his perspective on how the TSA will work with industry partners 
to act on these recommendations, as well as how TSA is working to 
implement the mandates issued by Secretary Johnson at the time of the 
report's release. Ms. Olivier, I want to also thank you for being with 
us today, and look forward to hearing the perspective of the American 
Association for Airport Executives on this report and these important 
issues. Your ideas and knowledge of the collective sentiments of 
airport executives across the Nation will add tremendous value to this 
discussion.
    Lastly, I would like to thank Mr. Grossman, the CEO and executive 
director of Jacksonville International Airport and member of Airports 
Council International-North America, who will explain how one 
individual airport handles access control and insider threats issues. I 
understand that your airport participated in the 2008 100% employee 
screening pilot program, and I'm eager to hear about that experience.
    I also understand that your airport employs unique strategies to 
mitigate the insider threat, such as yearly background checks from 
surrounding States, and I'm eager to hear about that as well. 
Certainly, every airport in this country is different and there is no 
one cure-all solution--but I think we may be able to draw best 
practices from your experience that could enhance the security across 
our aviation system.

    Mr. Katko. Thank you, Miss Rice.
    I will now recognize myself for 5 minutes to ask questions.
    Mr. Carraway, there are many areas that I think that we all 
agree on, so I want to kind of delve down into how we make what 
we agree on reality. The area I see the most difficulty trying 
to set parameters on is the security screening and inspection 
aspect. When I say set parameters, I think it is important to 
have some sort of general parameters within which all must 
operate to ensure that there is some sort of uniformity Nation-
wide.
    Now, on the same token, I am mindful of the fact that every 
airport is different. They are physically different. Kennedy 
Airport cannot be handled the same way as Syracuse, New York, 
where I am from, or an airport in a smaller city, or like 
Atlanta even. They are all different. I know Atlanta is 
endeavoring to many of the things talked about in this report, 
including 100 percent screening. But it is still the question: 
What is screening?
    You talked about random screening as an option, but the 
committee has a strong desire, I would say, overall, to set 
some sort of general parameters for each of the employee 
entrance points to begin with. You can overlay that with random 
screening on the job in different areas inside the secure area 
and outside the secure area. But that critical point when they 
go from the non-secure to the secure area is what we are 
probably most concerned with.
    So I want you to kind-of address that for us and tell us 
what you think employee access points should look like. Be 
mindful of the fact that we want to have some sort of general 
parameters for each of the employee access points, give 
airports the option of how many they want to have, but at least 
have some general standards within which they have to abide. So 
with that proviso, could you help us out here a second?
    Mr. Carraway. Yes, sir. Thank you very much again for this 
opportunity.
    Chairman, the issue that you are addressing was taken very, 
very seriously by the ASAC. In fact, I would say that that was 
probably the most critical issue. In referring to the ASAC 
report, they indicated specifically that this report was based 
upon looking at the employee coming to work, doing their work, 
and also then leaving from work. So it was very important for 
them to consider exactly what would happen to that employee in 
the aspect of their operation.
    In addition to that, they realized that every airport was 
different, that one size didn't fit all, utilizing the risk-
based security perspective in doing so. Also, that they wanted 
to make certain that the employees felt that any time, at any 
place that they would have this feeling that they would receive 
screening and/or some inspection in some form or fashion.
    That is the basis of the randomness that they brought to 
the table in the ASAC report and one that we have continued to 
do even today and which, immediately following the incident, we 
felt there had to be some sort of, again, this randomness that 
occurred so that every airport employee would have this feeling 
that they would be inspected in some form or fashion.
    That is truly the basis of what the risk-based security 
initiative is truly about, because, as you well know, the 
screening that is done on the front side of the airport is 
nowhere near that that can be done on the back side. The 
infrastructure, as you say, is not the same, cannot be fitted 
in that form or fashion. But creating an environment where they 
can be feeling that they could be screened at any time is what 
we are going for. So that is what we are doing and exactly what 
the ASAC members have stressed for us to do.
    What that looks like by the way of resources, it means our 
individuals, our TSOs, or BDOs, our behavior detection 
officers, it can also means canines, canines as well. Some 
airports have even gone on their own to do this themselves, in 
addition to the support that we bring to the table. My 
discussions with many airport directors and airports is that 
they felt this was significant for them to do and have begun to 
do it on their own.
    Mr. Katko. Yeah, I understand that, but maybe I am hung up 
on the physical composition of what the entrances should look 
like. Because I agree with everything you have just said, and I 
agree with what the ASAC is saying, but if you are screening 
someone after they are already in the secure area it may be too 
late. If you are screening before they get into the secure area 
that is great, but there is still that point where they enter 
in that there should be some sort of threat, if you will, or 
randomness to the access that they are going to get searched 
possibly coming into the secure area, and that is what I want 
you to address.
    Mr. Carraway. Well, unfortunately, there isn't this 100 
percent place for every employee to go through. I think that is 
really evident by the ASAC's report.
    What happens for most employees when they get there is 
there is either a biometric that is used, a swiping that is 
done, or a biometric using their hands, like in Dallas, that is 
done that allows them into that access area. There are some 
places in the airport, specifically Orlando and Miami, that 
they are doing some employee screening. But you have to 
realize, again, it is not 100 percent employee screening, there 
are some exceptions even to that rule, because there is 
equipment that has to be brought in, there are tools that are 
accessed there.
    Chairman Katko, what I think I really would like to do is 
change the narrative, because I think we get so hung up on this 
100 percent screening initiative that we miss the dynamic that 
truly is here. That is, as you said, the insider threat issue. 
So to change that dynamic requires this cultural change across 
the whole system, exactly what Miami and Orlando have done, 
created a culture where every employee believes that any time 
they could be screened. By having this randomness inserted into 
that process, that can happen.
    Mr. Katko. Thank you. I have so many more questions, but I 
am not going to hog the time. My time is up, and I now yield to 
Miss Rice.
    Miss Rice. So, Mr. Carraway, let me ask you this: Do you 
think that there are any additional recommendations that you 
would make to increase security in this regard other than the 
ones that were suggested in the report?
    Mr. Carraway. At this time, I believe that the ASAC 
committee has done a very thorough job in identifying the 
issues for us, to include the criminal history checks. 
Recurrent history checks I think are very central to this as 
well.
    Miss Rice. So that to me is one of the most glaring 
vulnerabilities that existed prior to this. Why was that?
    Mr. Carraway. Well, this was a trusted population, a 
trusted group of individuals. As you well know, airport airline 
workers are a unique bunch. They really are quite extraordinary 
about their work and prideful in what they do. Unfortunately, 
there are a few that took advantage of that, and that is what 
has brought us here today. I still believe they are a very 
professional group of very, very high integrity, and that is 
why it is important to institute the ``See something, say 
something'' and try to change that culture within the aviation 
worker industry.
    Miss Rice. So who do you think does it best?
    Mr. Carraway. Who does it best? I mean, is there one that 
you would say gets as close to best practices? I don't know if 
there is an answer to this. There may not be. I am just curious 
as to whether there is one that you think represents really 
what best practices should be.
    Mr. Carraway. I think there are security levels at each 
area. I have been to practically all 450 airports. I can tell 
you that each one of them has a level of security that I would 
tout as very best practices. You have to understand that the 
ASAC committee is made up of just those individuals, and what 
they brought to the table were all of those best practices that 
they are familiar with and aware of in the industry.
    I know we have touted Miami and Orlando to have initiatives 
out there. They are just a compendium of best practices. I 
think what we are going to do is take a look at all of those 
things over time and bring the very best to the industry, 
because at the end of the day we want the industry to be safe 
and secure.
    Miss Rice. Well, there is no question about that. I think 
everyone would agree that everyone in this room, we are on the 
same team. We are not opponents in this.
    Mr. Carraway. Yeah, yeah.
    Miss Rice. Will you tell me, would you agree, that there 
really isn't a one-size-fits-all, that the airports are 
different, uniquely different in their own ways? Would you 
agree with that?
    Mr. Carraway. I couldn't agree with you more. One size does 
not fit all. That is the crux of what they have brought to the 
table as well, to make certain that we find the best of all of 
those best practices. Something that may work at a large Cat X 
like Chicago may not work at a small Cat 1 or even smaller in 
North Dakota or in Iowa, not that those are----
    Miss Rice. Thank you, Mr. Carraway.
    Mr. Carraway. Yes, ma'am.
    Miss Rice. Thank you, Mr. Chairman.
    Mr. Katko. Unfortunately, they have called votes, but I 
think we can probably squeeze in one more 5-minute line of 
questioning. If Mr. Ratcliffe is ready, we will do that, and 
then we will break.
    Mr. Ratcliffe. How about if I talk fast?
    Mr. Katko. You will be just like me.
    Mr. Ratcliffe. Thank you, Chairman Katko, Ranking Member 
Rice, for holding another important hearing on this issue.
    Thank you, Acting Administrator Carraway, for your 
testimony and for coming back to the committee. Clearly, since 
9/11, Congress has entrusted TSA with the safety of Americans 
as they travel this country. As the gentlelady from New York 
commented, there have been a number of incidents fairly 
recently that have called into question the ability of airport 
employees to circumvent screening mechanisms. She talked about 
the incident, I think, at Atlanta Airport involving a Delta 
Airlines' employee smuggling firearms, but just in January 
there were two additional incidents, one with an FAA 
administrator, safety inspector, with a gun in his carry-on 
bag, and then also a Delta gate agent boarding a flight to 
Paris after circumventing passenger screening.
    So all of this begs the question: How can we truly have a 
secure airport when employees are not fully vetted to the same 
standards that passengers are? So, Mr. Carraway, I want to talk 
a little bit about the process here and give you an opportunity 
to explain how static security measures in your opinion are 
better-suited to screen airport employees than 100 percent 
screening.
    Mr. Carraway. Sure.
    Mr. Ratcliffe. If you believe that.
    Mr. Carraway. Yes, I really do. I know this comes down to a 
random versus static or 100 percent employee screening, but we 
will never have the resources, sir, to ever fill up every 
doorway and access in the airport. That is why one of the 
recommendations of the ASAC committee was to look at those 
access points in the airport and with a recommendation to close 
those or to find ways to limit the number of access points in 
the airport.
    Again, that strengthens the position of airport employees, 
having the realization that wherever they may be, they could be 
required to go through inspection or screening of some sort. 
That is the real strength of it: At any time, at any place that 
could occur.
    So that is the real strength of it. Having the resources 
and the dollars put towards 100 percent employee screening 
seems to be out of balance, both from my perspective, as well 
as from the ASAC review.
    Mr. Ratcliffe. Okay. So let me ask you a little bit about 
the security process as it exists right now. Right now, an 
airport employee undergoes a background check where their 
fingerprint is cross-referenced with a criminal history 
background check. Is that right?
    Mr. Carraway. Yes, sir.
    Mr. Ratcliffe. Okay. Are there any other checks in place 
right now?
    Mr. Carraway. Yes, they also go through a terrorist 
screening base as well, and other security processes that we 
have through TSA. Also in the criminal history background there 
are certain qualifiers or offenses that will eliminate them 
from the process of being hired as well. So that information 
then goes back to the airport.
    Mr. Ratcliffe. Okay. But is it fair to say that this only 
happens one time?
    Mr. Carraway. Yes, that is the inefficiency of the system, 
yes.
    Mr. Ratcliffe. Okay. At some point in time didn't TSA 
inform the House Homeland Security Committee, this committee, 
that it was interested in implementing the FBI's Rap Back 
service?
    Mr. Carraway. Yes, sir.
    Mr. Ratcliffe. That being the case, as I understand that, 
that is where the employer would receive immediate notification 
if there was evidence of some criminal activity. That being the 
case, can you tell us the status of where TSA is with respect 
to that?
    Mr. Carraway. We are looking at that program and any others 
that would come to our attention that would allow us to do this 
recurrent, on-going vetting of employee criminal history 
status. The idea, obviously, is if they are involved in any 
arrests or warrants or prosecution that would happen, the 
airport would be immediately notified of that offense and could 
take action towards that individual or individuals for the 
crime.
    Currently, Rap Back is being reviewed. It is not fully 
vetted and possibly on par to be implemented at this particular 
time. It takes a technology whole review, and implementation of 
that system would require both TSA and others to change their 
system to do that. That is why we have implemented the 2-year 
implementation or review of the criminal history at the 
airport, and we issued a security directive yesterday for all 
airports to do that immediately.
    Mr. Ratcliffe. Okay. Thank you, Mr. Chairman. I see my time 
has expired. I yield back.
    Mr. Katko. Thank you very much, Mr. Ratcliffe.
    Unfortunately, as I noted, votes were called. We stretched 
out as far as we can. There are three votes. The first vote is 
going, a few minutes left, then there are two 5-minute votes. 
So we are going to take a recess subject to the call of the 
chair, but I can tell that as soon as we are done voting, we 
are coming right back and going to get right back at it, so a 
minimal delay for you all.
    Mr. Carraway. No problem, sir. Thank you.
    [Recess.]
    Mr. Katko. The committee will come to order. I want to 
thank you for indulging us in getting our votes. We endeavored 
to get back as quickly as possible, and I am not getting used 
to this humidity here. It is brutal, and it is just starting.
    Mr. Keating is up next.
    Mr. Keating, please. You have 5 minutes.
    Mr. Keating. Thank you Mr. Chairman.
    Thank you for waiting, Administrator Carraway.
    Administrator, November 2010, before I was in Congress, I 
was a district attorney, a 16-year-old, Delvonte Tisdale, snuck 
into the tarmac at Charlotte Douglas Airport, and he hid 
himself in the wheel well. I know this because, unfortunately, 
he met a tragic end. The altitude froze him. They put the 
landing gear, he perished falling 30,000 feet in my district.
    When I came here, I started asking questions about airport 
security as a result, because if a 16-year-old with no evil 
intent can do that. He didn't even show up in the video 
afterwards, when our police went to investigate the issue.
    Now, since then, there has been somewhere in the vicinity 
of over 1,000 breaches. In that period that I look back with 
the latest statistics, 2004 to 2008, incredibly, I found out in 
terms of the security reviews that were done, the vulnerability 
assessments, that 87 percent of the airports weren't subject to 
that kind of security review.
    So I brought it up with then-Secretary Napolitano. We have 
had other instances. We had a 15-year-old boy in California who 
stowed himself away in a wheel well. Fortunately, he lived and 
survived going to Hawaii. We had a Chicago man throw his bike 
over the perimeter fence and ride across the runway terminal to 
the door.
    In Philadelphia, a man drove through a SUV, in the security 
fence there, and he drove across the runway as a plane was 
trying to land. In Los Angeles, a man climbed the perimeter 
fence 8 times within a year and twice reached the stairway in 
the tarmac. In Florida, a man running from law enforcement 
climbed the perimeter fence and hid in an empty plane. I mean, 
I could go on and on and on.
    So I followed what has been done by TSA to try and deal 
with this issue, and I found out that for fiscal year 2011 to 
2013, 30 airports were assessed annually. It is going down 
instead of improving. In 2014--I just got these figures a short 
time ago--that the assessments for that whole year were only 12 
airports in the entire country, of approximately 450, as you 
mentioned. That is less than 3 percent.
    So over 97 percent of our airports aren't even getting this 
kind of security review. It is getting worse instead of better. 
Yet we are putting so much attention at the gate that, in fact, 
it is getting worse in the perimeter. Now, how tough is it for 
someone, if a 15- and 16-year-old can do these things, for 
someone to put a bomb there, a terrorist with a different kind 
of intent?
    How can this continue to happen and, in fact, go in the 
opposite direction? We had a field hearing on this with the 
committee, with Chairman McCaul and myself when we were head of 
Oversight. We knew the jurisdictional issues. We talked about 
the perimeter issues. We have had expert after expert after 
expert, including 
9/11 Commission members, and they said it remains one of the 
top security threats that we have.
    Yet, it is getting worse. We are not even doing 3 percent. 
My patience is gone on this issue. Something is going to 
happen, and we are not doing anything about it. If you hear 
frustration, it is real.
    Mr. Carraway. I understand.
    Mr. Keating. So I know you are the acting administrator, I 
am not putting it on your doorstep, because this is happening 
for years. But something has to be done before we are reacting 
to a terrorist attack and a tragedy.
    Mr. Carraway. I thank you for the opportunity to address 
that, and it is a concern for TSA as well as the airports as 
well.
    The enormous responsibility of protecting perimeters is a 
combined effort both between TSA and the airports. No one owns 
it totally. Yes, we do the JVAs and we have increased the 
number of JVAs over the years. Yes, we are still ramping up 
that, particularly on a risk-based security perspective.
    Mr. Keating. I hate to bother you, but this is GAO 
information. It is going down.
    Mr. Carraway. Well, we are looking at it on a risk-based 
security perspective, hitting those airports that we deem to be 
the most at-risk airport. It is a matter of resources, as you 
can well imagine. Doing a joint vulnerability assessment with 
the FBI is an enormous task in doing. You don't look at just 
the perimeter, you look at every operation that is within the 
airport's purview to do that.
    Perimeter security is an enormous issue. There have been 
millions and multimillions of dollars spent on security 
systems, and still they are penetrable by individuals. The fact 
that someone could use a boat and come across and into Kennedy 
Airport is just an indication of that, and they have spent 
multi-million dollars on intrusions systems.
    I think the takeaway truly is that there are still layers 
in support of the airport and perimeter environment. Although 
someone made it through the fence and reached an airport or an 
airplane, there is still law enforcement, there is still some 
other capacity issues that are in place to assure that nothing 
further gets done. By just simply getting inside the belly of 
an airplane, there is still going to have to be something done 
to create this catastrophic event that we are talking about.
    Mr. Keating. Well, if they couldn't pick up a 15-year-old 
boy or a 16-year-old boy, how are they going to pick up an 
explosive? I mean, you are saying that we are doing better. It 
is risk assessment. It is a network. You are doing less than 3 
percent of the airports. Once a plane is in that network it can 
go to Charlotte and it is in the system. So it is vulnerable 
everywhere in that respect.
    So I just have to tell you, something has got to be done. 
And fact that you said more is being done on perimeter security 
just doesn't match up to the facts. If you have facts that can 
prove me wrong, I want to hear them, but the numbers don't lie.
    Mr. Carraway. Well, I would simply tell you, we work very 
hard with the airports to deal with perimeter security. We 
discuss it constantly. We know that there is not one-size-fits-
all, and exacting one solution is not going to keep someone 
with intent of doing something in that airport environment. 
That is why we have layers of security, both from TSA and the 
airport's perspective.
    Mr. Keating. Well, the layers are not working in this 
instance. I have got to tell you, discussing it is great, but 
it is time to do something about it.
    I yield back.
    Mr. Carraway. Thank you very much, sir.
    Mr. Katko. Thank you very much, Mr. Keating.
    Seeing no other Congressmen and -women, I want to follow up 
on some of the questions before we let you go, Mr. Carraway.
    One thing I want to do at the beginning is make a point of 
clarification. I think you mentioned in your comments in 
answering some of the questions that we were looking for 100 
percent screening. That is not the case.
    What I was envisioning and what we as the committee are 
envisioning with respect to these employee entrance points is 
that if employees go through a certain point, a select number 
of them may be randomly selected at any time, whatever the 
ratio may be, and that we can work out--in fact, we should 
probably talk for a moment at some point before you are done 
here today--but the idea is that when they come into the 
airport screening, they are going from the nonsecure to the 
secure area, that critically transitional point, that there is 
some sort of threat at that point that they are going to get 
searched, not just swiping a card.
    I understand that there are costs involved, and in the next 
session we will be talking with the airport people and they are 
going to tell me, ``Are you nuts?'' because it is going to cost 
too much money. I understand that. We will get to that, and we 
want to work with them on that. But I am curious to see what 
you think of that concept.
    Mr. Carraway. I see what you are saying.
    Mr. Katko. Okay.
    Mr. Carraway. Yeah, let me clarify, and maybe I didn't 
express it very clearly. The randomization is a full gamut of 
activities that the airport and TSA will employ as an 
individual comes to work. In some locations, it could very well 
be a magnetometer. It could be very well at an airport location 
electronic trace detection equipment of testing someone's 
hands. It could be an array of someone just simply looking into 
their bags or asking, verifying with their identification card 
to certify who they are.
    The ASAC, as well as TSA, did not want to limit that range 
of suites of activities for an employee coming to work that 
day. That too increases the randomness and the opportunity and 
expectation that an individual will be inspected when they come 
to work and even possibly as they exit the airport environment 
as well.
    I a bit misunderstood where you are coming from, from that, 
but that is how it is going to look across the network.
    Mr. Katko. Okay. So what do you think the employee access 
points should look like? What are the minimum requirements you 
think we should have at those access points?
    Mr. Carraway. That is a discussion I think would be best to 
have with the ASAC. At this particular point, it has not come 
to a point of requiring a minimum standard.
    I can tell you from a law enforcement perspective, I didn't 
want to tie anyone's hands, to say this is what you are going 
to have to get, because I think it is an unfunded mandate, and 
we didn't want to do that.
    We have had such great success in having communication and 
discussing with our stakeholders and our partners about this 
issue. If they find the need, most of them have literally gone 
out and taken care of those responsibilities without TSA having 
the authority to say: This is an SD, here is the directive, go 
forth and do those things.
    Mr. Katko. Okay. All right. Well, we will follow up on that 
with the next panel.
    We have talked a lot about screening inspection and risk-
based security aspects. We could probably go on for a while 
with that, but I want to touch on a few other things before we 
are done here. Talk for a moment about the vetting of employee 
and security threat assessments.
    There has been some talk in the ASAC report, and I just 
want to know if the recommendations with respect to the vetting 
of employees are something that you agree with and increasing 
the vetting and the randomization and recurrent vetting, et 
cetera.
    Mr. Carraway. This is a very important step. I think, as 
you can tell from the ASAC report, that they very much agree 
with it, and we have too. Having that recurrent vetting gives 
us a level of security about who and what the individual has 
been involved in. Couple that with looking at their past 
history, criminal activity, if any concerns, is another 
critical component of that.
    Mr. Chairman, working with you and others to help solidify 
that with those disqualifying criteria would be very helpful. 
In addition, strengthening the time frame of those 
disqualifying offenses would be very helpful as well.
    But the first component is doing that recurrent vetting 
process, whether or not it is the FBI's Rap Back initiative or 
some other recurrent vetting process that we take advantage of. 
That is just the very first step to assure the safety and 
knowledge of who that airport worker really is.
    Mr. Katko. Yeah, understood. Because with respect to the 
Delta Airline employee, if they went back a little further, 
they would have found that he had some convictions that were 
relevant to his criminal conduct. I think that is part of it, 
going back farther, doing the social media aspect of it as 
well. I think that is something we all agree on and so that is 
not really a controversial point. So I think that we will move 
on.
    Briefly, with respect to the internal controls and auditing 
of the airport-issued credentials, you agree with the 
recommendations as well in the ASAC report?
    Mr. Carraway. Yes, I do. Again, that is another critical 
component. Many times we find individuals who have had the 
opportunity, they may have been discharged for some activity at 
one end of the airport and by the end of the day they are hired 
at another end of the airport. Having that critical information 
about that individual is very essential to the airport as well 
as TSA, and we will have a database established to have that 
information and share with the airport environment.
    Mr. Katko. Now, the next category I just want to touch on 
is risk-based security for higher-risk populations and 
intelligence.
    Mr. Carraway. Yes, sir.
    Mr. Katko. Now, of course, this was touched on in the 
report as well. What do you think about that?
    Mr. Carraway. Again, it is another critical aspect for 
securing the airport. We believe sharing of information with 
our partners is essential to securing the airport. We already 
have intel briefings and FIOs, our field information offices 
that share information with the airports and the like. But I 
think we can do an even better job in sharing that information, 
and we are looking at ways in which to do that.
    Mr. Katko. Okay. Then last, the security awareness and 
vigilance, the proverbial ``if you see something, say 
something'' campaign, I think that, to me, is no-brainer that 
everyone agrees with, to encourage them to speak up. The 
question is: Do you think we should establish a hotline to DHS, 
or how do you want to do that?
    Mr. Carraway. Yes, we are looking at establishing a hotline 
specifically to TSA at this particular point and to create even 
an anonymous reward effort through the airports if necessary. 
All of these things in conjunction, ``see something and say 
something,'' will help to secure and create that culture that I 
spoke about earlier.
    Mr. Katko. Okay. Now, I know you are all happy that we are 
not coming out here saying you have to have 100 percent 
employee screening, and I am sure that is a good thing, but at 
the same time we are still, I don't know if hung up is the 
right term, but we are concerned about the fact that there has 
got to be some sort of uniformity that is applied Nation-wide 
that is flexible enough to deal with the different airports, 
because I know that airports are different all over the 
country.
    So that is a discussion we are going to have to have going 
forward. I don't know if we need to have another hearing. 
Perhaps we may just call you back in a panel discussion type of 
thing after I raise these issues. So between now and that time 
I reach out to you again, I want you to kind of think more 
about it with your people in Homeland Security about what it is 
we can try and memorialize that would at least set some sort of 
parameters for the employee access point.
    That seems to me to be the biggest sticking point. I mean, 
there are people that say it should be 100 percent employee 
screenings, everyone goes through magnetometers. I understand 
the costs involved with that.
    But I also realize and acknowledge that I probably don't 
sound much like a Republican when I am saying this, but we 
can't worry just about the cost of things. When it comes to 
security, if there are things that should be done, we have got 
to find a way to find the money through offsets to keep our 
country and our airlines as safe as possible.
    So we probably will revisit this issue with you either 
formally or informally, so I guess I am going to ask you to 
chew on it going forward and we can talk more about it.
    Mr. Carraway. Mr. Chairman, can I just simply say, thank 
you for your comment and obviously your diligence in seeking 
this issue, because I can tell you, those behind me and the 
other airport and airline executives and workers feel the very 
same way about this issue. This is the environment that they 
work in. They are very proud of what they do. They want to make 
certain that their environment is safe and secure as well.
    So thank you, and I look forward to working with you and 
others in this regard.
    Mr. Katko. Well, I appreciate that. I will close by noting, 
again, what I said at the outset, and that is, it was 
heartening to know that at the beginning we identified an issue 
and everyone said, yes, it is something that needs to be worked 
on, and we are all working towards the same goal here. That is 
a good thing. No one had to yell at each other, so that is a 
good thing.
    Mr. Carraway. Thank you, sir.
    Mr. Katko. So thank you very much, sir, and have a good 
evening.
    Mr. Carraway. Thank you.
    Mr. Katko. The committee will stand in recess for just a 
few moments.
    [Recess.]
    Mr. Katko. The Chairman now recognizes the second panel.
    Good afternoon. We are pleased to have another panel of 
distinguished witnesses before us today. Let me remind the 
witnesses that their entire written statements will appear in 
the record.
    Our first witness, Ms. Jeanne Olivier, is an assistant 
director of the Security Operations and Programs Department of 
the Port Authority of New York and New Jersey and is testifying 
on behalf of the American Association of Airport Executives. I 
will note also that she is an avid statistician, which 
horrifies me, because I really struggled with that in school.
    So welcome to our arena.
    The American Association of Airport Executives is the 
world's largest professional organization for airport 
executives, representing thousands of airport management 
personnel at public use, commercial, and general aviation 
airports. Ms. Olivier has worked with the port authority for 
over 30 years in airport operational management positions at 
JFK International, LaGuardia, Newark Liberty International, and 
Teterboro Airports.
    The Chairman now recognizes Ms. Olivier to testify.

  STATEMENT OF JEANNE M. OLIVIER, A.A.E., ASSISTANT DIRECTOR, 
   AVIATION SECURITY AND TECHNOLOGY, SECURITY OPERATIONS AND 
   PROGRAMS DEPARTMENT, THE PORT AUTHORITY OF NEW YORK & NEW 
  JERSEY, TESTIFYING ON BEHALF OF THE AMERICAN ASSOCIATION OF 
                       AIRPORT EXECUTIVES

    Ms. Olivier. Thank you, sir.
    Chairman Katko, Ranking Member Rice, Members of the 
subcommittee, thank you for the opportunity to be with you 
today. I am testifying, as you said, on behalf of the American 
Association of Airport Executives, which represents thousands 
of men and women across the country who manage and operate the 
Nation's airports. I am actively involved with AAAE as the 
chair of the association's Transportation Security Services 
Committee.
    Mr. Chairman, airport executives want to assure you and all 
of the Members that we take recent incidents and the prospect 
of the insider threat very seriously. Airports are public 
entities with their own security responsibilities, and they 
meet those obligations with a focus on the need to protect 
public safety, which is a fundamental mission of all airports.
    Collectively, airports have invested billions of dollars 
since 9/11 to enhance security with meaningful results. Perhaps 
as important as the financial investment is the resolve that 
airport executives have to enhance security every day. My 
fellow colleagues and I are public servants, sir, and we take 
our charge to protect public safety and security, be assured, 
very seriously.
    The security imperatives of airports and the TSA are 
closely aligned, and collaboration between the two to enhance 
the layers of security that exist and to identify and address 
potential threats in the airport environment is quite 
essential. Our work together continues to evolve and improve, 
as Acting Administrator Carraway has described just a few 
minutes ago, and we are confident that even more progress will 
be made in the days ahead.
    In our view, we have an important roadmap on how to proceed 
thanks to the work of the Aviation Security Advisory 
Committee's ad hoc working group that was established in 
January to review employee screening and airport access 
control. I was fortunate to serve as a subject-matter expert on 
the working group, joining several of my airport colleagues in 
that effort, along with a number of professionals from law 
enforcement and the aviation and security industries.
    The group in early April provided TSA with a report 
outlining 28 recommendations that collectively take a risk-
based and multi-layered approach to employee screening and 
airport access control with shared responsibilities across the 
aviation community. Specifically, the ASAC recommendations 
cover employee vetting, random security screening and 
inspection, internal controls and audit of badges, risk-based 
security for higher-risk employee populations, intelligence and 
intelligence sharing, and security awareness and vigilance.
    As you know, Secretary Johnson recently outlined several 
immediate actions based on the recommendations of the working 
group that the aviation industry is now working to comply with. 
We were all gratified to hear Acting Administrator Carraway 
refer to the representations of the group as comprehensive, 
thoughtful, and promising in helping TSA achieve meaningful 
reforms in partnership with the aviation industry.
    We couldn't agree more. The working group approached this 
task with a seriousness of purpose and determination that 
reflects what we believe Congress had in mind when it codified 
the ASAC last year. We believe firmly that the final ASAC 
recommendations offer a roadmap of how TSA and industry can 
partner together to enhance security and mitigate the insider 
threat and other potential vulnerabilities highlighted by the 
events that led to the establishment of the working group in 
the first place.
    Before closing and moving to answer any questions you may 
have, I would like to make just a few final points.
    No. 1: The ASAC process. We believe it worked incredibly 
well, bringing a wide array of industry professionals together 
to partner with TSA in producing recommendations for how to 
effectively deal with security threats with meaningful, 
actionable, and implementable solutions.
    No. 2: What is next? We urge Congress and DHS to recognize 
and support the important work of the ASAC and avoid the 
temptation to pursue other approaches in legislation or 
otherwise that could divert resources from other critical 
security functions.
    No. 3: Cost in operations. As efforts continue to address 
the insider threat and other potential vulnerabilities, 
Congress and DHS must work to minimize the financial and 
operational implications that new requirements, individually 
and collectively, will have on airports and the aviation 
industry. In a world of limited resources, we must proceed 
smartly with Federal backing when possible.
    In closing, please allow me to offer my sincere thanks to 
the TSA for its work in providing the resources necessary to 
ensure that the ASAC process was successful and to the 
subcommittee for your continued engagement on these important 
issues. I appreciate being here, sir, with you today, the 
committee, and look forward to answering any questions you 
might have.
    [The prepared statement of Ms. Olivier follows:]
                Prepared Statement of Jeanne M. Olivier
                             April 30, 2015
    Chairman Katko, Ranking Member Rice, and Members of the 
subcommittee, thank you for the opportunity to be with you to discuss 
airport access control--an important security function that local 
airport operators have held for decades in accordance with strict 
Federal standards, requirements, and oversight. I am testifying today 
on behalf of the American Association of Airport Executives, which 
represents thousands of men and women across the country who manage and 
operate the Nation's airports. I am actively involved with AAAE as 
chair of the Association's Transportation Security Services Committee. 
In addition to my work with AAAE, I currently serve as assistant 
director, aviation security and technology for the security operations 
and programs department of the Port Authority of New York and New 
Jersey. In this capacity, I oversee security operations for New York's 
Kennedy and LaGuardia airports and for Newark Liberty International 
Airport and Stewart International Airport.
    Mr. Chairman, I want to assure you and Members of the subcommittee 
that airports take recent incidents and the prospect of the ``insider 
threat'' in the aviation environment very seriously. Airport executives 
are working constantly in collaboration with the Transportation 
Security Administration to enhance the layers of security that exist to 
identify and address potential threats in the airport environment.
    In addition to partnering with TSA to help the agency meet its 
primary mission of passenger and baggage screening, airports as public 
entities also perform a number of inherently local security-related 
functions at their facilities, including incident response and 
management, perimeter security, employee badging and credentialing, 
access control, infrastructure and operations planning, and a myriad of 
local law enforcement functions. These important duties have long been 
local responsibilities that have been performed by local authorities in 
accordance with Federal standards under Federal oversight.
    Airport operators meet their security-related obligations with a 
sharp focus on the need to protect public safety, which remains one of 
their fundamental missions. The professionals who perform these duties 
at airports are highly trained and have the first responder duties that 
I know each and every Member of this subcommittee, the Congress, and 
the country value immensely. From a security and resource perspective, 
it is critical that these inherently local functions remain local with 
Federal oversight and backed by Federal resources when appropriate.
 aviation security advisory committee working group report on airport 
                             access control
    I also recently served as a subject-matter expert on the Aviation 
Security Advisory Committee's ad-hoc working group to review employee 
screening and airport access control. I was honored to join my other 
airport colleagues who also served on the group, including Jan Lennon 
from Atlanta Hartsfield-Jackson International Airport, Michele Freadman 
from Boston Logan International Airport, Cedric Johnson from BWI 
Thurgood Marshal International Airport, Alan Black from Dallas Fort 
Worth International Airport, and Chief Stephen Holl from the 
Metropolitan Washington Airports Authority Police Department, as well 
as staff from AAAE and ACI-NA. In addition to airport operators and 
airport associations, the working group was comprised of a broad cross-
section of industry representatives, including air carriers, airline 
associations, labor, law enforcement, general aviation, security 
technology, and airport services providers.
    In a letter dated January 8, TSA Acting Administrator Mel Carraway 
asked the ASAC to evaluate the aviation industry's current approach to 
airport employee screening and to review other risk-based approaches to 
address potential vulnerabilities related to security in the sterile 
area, including policy and procedures, industry best practices, 
technology, and employee training. TSA tasked the working group with 
providing 30-day, 60-day, and 90-day reports. The working group's final 
90-day report was submitted to TSA on April 8 after approval by the 
full ASAC.
    The working group's report outlines 28 recommendations that 
collectively take a risk-based and multi-layered approach to employee 
screening and airport access control with shared responsibilities 
across the aviation community, including TSA, air carriers, and airport 
operators. Specifically, the ASAC recommendations cover employee 
vetting; random security screening and inspection; internal controls 
and audit of badges; risk-based security for higher-risk employee 
populations; intelligence and intelligence sharing; and security 
awareness and vigilance. I have attached the list of recommendations to 
the end of my statement.
    Due to the interdependent nature of each of the recommendations and 
the complex variables associated with each one, the working group did 
not have the time to prioritize the recommendations. Time constraints 
also limited our ability to provide detailed cost analysis. The working 
group urged TSA to base any future actions related to employee 
screening and access control on these community-driven recommendations. 
The group also made clear its belief that any action taken by TSA 
should be made through the established regulatory process.
    The report contains a discussion and analysis of 100 percent 
employee screening, concluding that 100 percent physical screening 
would not completely eliminate potential risks and could divert limited 
resources from other critical security functions. Recent studies have 
indicated that implementing a 100 percent physical screening approach 
would cost an estimated $15 billion annually and could cause 
significant operational disruptions at many airports. As a result, the 
working group developed their recommendations within the context of 
Risk-Based Security (RBS), a comprehensive approach to aviation 
security endorsed by the Department of Homeland Security and TSA.
    In this regard, the working group agreed that greater 
implementation of RBS is essential in continuing to shift the aviation 
security paradigm in a very positive and meaningful way. RBS replaces 
the old one-size-fits-all security system that was in place prior to 
the attacks of 9/11, and it has proven to be a significantly better 
system because it enables allocation of available resources where they 
have the greatest ability to reduce risk. It also is driven by 
identifying those with intentions to do harm.
    The working group applied risk management principles in considering 
aviation's exposure to the insider threat and developed appropriate 
mitigation strategies within the current and proposed budgetary 
framework. The working group exercised a RBS approach that employed a 
systematic process of understanding, evaluating, and addressing these 
risks to mitigate the exposed vulnerabilities and to close any security 
gaps in airport access control. The risk-based system for employee 
screening or access control encompasses intelligence, employee vetting, 
RBS based on higher-risk populations, security awareness, training and 
behavior analysis, as reflected in the final recommendations.
    On April 20, as a result of the recommendations contained in the 
ASAC report, DHS Secretary Jeh Johnson directed TSA to take several 
immediate actions:
   Until TSA establishes a system for ``real-time recurrent'' 
        criminal history background checks for all aviation workers, 
        require fingerprint-based CHRCs every 2 years for all airport 
        employee SIDA badge holders.
   Require airport and airline employees traveling as 
        passengers to be screened by TSA prior to travel.
   Require airports to reduce the number of access points to 
        secured areas to an operational minimum.
   Increase aviation employee screening, to include additional 
        randomization screening throughout the workday.
   Re-emphasize and leverage the Department of Homeland 
        Security ``If You See Something, Say SomethingTM'' 
        initiative to improve situational awareness and encourage 
        detection and reporting of threat activity.
    Airports and the aviation industry are working collaboratively with 
TSA to implement these requirements. And, while there may be a 
difference of opinion on the specifics of the short-term actions from 
DHS and the recommendations of the ASAC working group to TSA, I think 
it is important to highlight the success of the overall ASAC effort 
over the past few months and the opportunity it provides as a model for 
pursuing security enhancements in the future. Airports are very pleased 
with the collaboration and feel confident that we will achieve better 
results quicker by having Government and industry work together toward 
the shared imperative of enhanced security.
    As the subcommittee contemplates further engagement and potential 
action to address the insider threat, we urge you to pay careful 
attention to the detailed work and recommendations of the ASAC working 
group. Congress and TSA have rightfully recognized the value of the 
ASAC and the promise of its approach in achieving real, implementable 
security enhancements.
     other industry efforts--access control and perimeter security
    In addition to my work on the ASAC, I serve on the RTCA Special 
Committee on airport access control, which in 2014 released the updated 
standard for airport access control (RTCA DO230-D). The document was 
prepared under the auspices of RTCA, which serves as a Federal Advisory 
Committee, and provides a vehicle for Federal regulators and regulated 
parties to develop consensus-based guidance and standards documents.
    Notably, the RTCA document provides guidance on acquiring and 
designing airport security access control systems, testing and 
evaluating system performance, and operational requirements. It also 
incorporates the latest technological advances in security access 
control system and identity management. The major areas covered 
include: Credentialing; Biometrics; Physical Access Control Systems 
(PACS), Perimeter Intrusion Detection Systems (PIDS); Video 
Surveillance Systems; Security Operations Centers (SOC); Integrations; 
Communications Infrastructure; and General Acquisition-Related 
Considerations.
    The 2014 document was the fourth version since the first standard 
for airport access control was published by RTCA in 1996. The Special 
Committee has spent the last year working on yet another update--no 
other airport security standard is updated so regularly. Like ASAC, the 
RTCA process involves the airport and aviation community working with 
TSA to provide consensus recommendations and a comprehensive set of 
guidelines on all technical aspects of access control. The document 
provides both TSA and airport operators a convenient source of 
information on current practices and procedures and unbiased 
information on new technology.
    The comprehensive guidance document also contains an entire section 
on perimeter intrusion detection, which reviews options from patrols to 
state-of-the-art technology solutions and what factors airport 
operators need to consider when implementing a perimeter security 
solution at their facility. I would be pleased to discuss this 
important work with the committee in more detail.
    Mr. Chairman, airport executives are working constantly in 
collaboration with TSA to evaluate and enhance the layers of security 
that exist to identify and address potential threats in the airport 
environment, including extensive background checks for aviation 
workers, random physical screening of workers at airports, 
surveillance, law enforcement patrols, robust security training, and 
the institution of challenge procedures among airport workers, to 
mention a few.
    In our view, the best approach to enhancing access control at the 
Nation's airports moving forward lies with continuing to focus on 
robust background checks, maintaining our multi-layered security 
approach, and preserving and protecting the critical local layer of 
security that airports provide with credentialing, access control, and 
other local functions. Inherently local security functions should 
remain local with Federal oversight and backed by Federal resources 
when appropriate.
    Members of the committee, recent events have highlighted the fact 
that we can never rest when it comes to airport security. Airport 
operators take their responsibilities in this area very seriously and 
are constantly seeking better approaches in close collaboration with 
our partners at TSA. I am confident that we can find productive ways to 
move forward, and I can assure you that the airport community is eager 
to partner with the subcommittee and all of you to achieve our shared 
goal of ensuring the highest level of security for the traveling 
public.
  final report of the aviation security advisory committee's working 
            group on airport access control recommendations
Security Screening and Inspection
    1. DHS should immediately shift existing resources, as needed, to 
        expand the TSA's random employee screening/inspection program 
        (i.e. the Playbook to secured area access points).

    2. TSA, in coordination and collaboration with Government and 
        industry subject-matter experts and airport and aircraft 
        operators, should develop an employee access security model 
        using intelligence, scientific algorithms, and risk-based 
        factors. This model should give all employees the expectation 
        that they are subject to security screening/inspection at any 
        time while working at an airport.

    3. TSA should establish risk-informed, enhanced random screening/
        inspection for all employees, which would be increased on the 
        basis of identified risk.

    4. DHS should request from Congress needed funding for 
        implementation of security measures for a to-be-developed 
        employee access security model and the Playbook.

    5. Airport and aircraft operators should prominently post signage 
        at access portals or via other means to alert employees that 
        they will be subject to screening/inspection in order to 
        support compliance with random screening/inspection programs.
Vetting of Employees and Security Threat Assessment
    6. TSA should accelerate the implementation of the FBI/Next 
        Generation Identification (NGI) Rap Back Service with an 
        immediate pilot with airport and aircraft operators with a goal 
        of full implementation by the end of calendar year 2015. Real-
        time recurrency should be part of the CHRC vetting process, 
        similar to the perpetual vetting conducted by TSA for the STA.

    7. TSA should review the existing list of disqualifying criminal 
        offenses to ensure that it is comprehensive enough to address 
        the current threat environment and pursue any legislative or 
        regulatory changes needed to update the list of disqualifying 
        criminal offenses, other eligibility criteria, the addition of 
        permanent disqualifying criminal offenses, extending the look-
        back period, and starting the period of adjudication on the 
        individual's sentence release date or program completion date.

    8. Airport and aircraft operators should introduce new 
        certification language for badge applications that broadens the 
        focus from existing regulatory requirements to a greater focus 
        on overall suitability.

    9. Airport and aircraft operators, in coordination with TSA, should 
        review current training for Trusted Agents and Signatory 
        Authorities and, as needed, provide enhanced training on 
        identification documents, identity fraud, and behavioral 
        analysis.

    10. TSA should create and maintain a National database of employees 
        who have had their airport- and/or aircraft operator-issued 
        badges revoked for cause.

    11. A comprehensive review should be conducted by the TSA to enable 
        a web-based portal for industry utilization for employee 
        vetting by TSA.

    12. TSA's Security Threat Assessment should be enhanced to include 
        SSN, running all U.S. citizens against SAVE, fingerprints 
        against DHS' IDENT system, TSA PreCheck Disqualifying 
        Protocols, and run foreign nationals and foreign-born against 
        international databases.
Internal Controls and Auditing of Airport Issued Credentials
    13. TSA, and airport and aircraft operators should assess the 
        efficacy of the auditing program requirements for airport-
        issued identification media (e.g., security badges) designed to 
        ensure the integrity, accountability, and control of security 
        media.

    14. In cooperation with airport and aircraft operators, TSA should 
        consider the establishment of biometric standards which may be 
        used in identity verification and badge validation. Included in 
        this effort should be recommended standards and a cost/benefit 
        analysis focused on implementing any such standards.

    15. TSA should implement direct enforcement requirements upon 
        authorized signatories associated with non-compliance, to 
        include failure to immediately report lost, stolen, and 
        unaccountable employee badges and employee separations.

    16. Airport operators, in conjunction with tenant business 
        partners, should identify opportunities to further restrict 
        access privileges and/or further reduce access points as 
        operationally necessary.

    17. TSA, in coordination with airport and aircraft operators, 
        should support the enhancement/expansion of CCTV or other 
        measures to monitor employees at certain entry points and other 
        areas, as necessary.
RBS for Higher-Risk Populations and Intelligence
    18. To foster the effectiveness of employee screening/inspection, 
        TSA should consider the development of risk matrices for 
        various employee groups using RBS principles.

    19. TSA should maximize the dissemination of Sensitive and 
        Classified intelligence collection as widely as practicable.

    20. TSA should further explore the use of social media to track and 
        assess emerging threats that may pose a risk to aviation. 
        Analysis and best practices gained from this effort should be 
        disseminated to regulated parties.

    21. TSA should expand/improve the existing City and Airport Threat 
        Assessment (CATA) or similar program to capture, quantify, and 
        apply applicable intelligence information, and engage the 
        aviation community in developing mitigation measures.

    22. TSA should partner with airport and aircraft operators in 
        conducting the Airport Risk Evaluation (A.R.E.) and provide the 
        results of any and all risk and vulnerability assessments to 
        appropriate regulated parties within the aviation community.

    23. TSA should further analyze applicable insider-threat cases to 
        create a model of predictive risk factors based on research and 
        applied knowledge of the involved individuals and techniques 
        used to circumvent security measures.

    24. TSA, FBI, and CBP should provide and make available enhanced 
        training and information on insider threat activity and 
        suspicious indicators that could be incorporated into airport 
        and aircraft operator training programs.
Security Awareness and Vigilance
    25. TSA should consistently provide briefings to airport and 
        aircraft operators on the results of their security assessments 
        to provide awareness of potential risks at the airport.

    26. Airport and aircraft operators should be encouraged to develop 
        and implement employee engagement/recognition programs aimed at 
        promoting employee engagement in aviation security.

    27. TSA, and airport and aircraft operators should promote existing 
        National anti-terrorism reward/employee engagement programs to 
        increase security awareness and reporting of suspicious 
        activity.

    28. TSA should promote or establish an existing or new Anonymous 
        Tip Line to receive information from aviation employees who 
        report a security concern or incident, and direct it to the 
        appropriate regulated party(ies).

    Mr. Katko. Thank you, Ms. Olivier, for your testimony. We 
appreciate you being here today as well.
    Our second witness, Mr. Steven Grossman, currently serves 
as the chief executive officer and executive director of the 
Jacksonville Aviation Authority and is testifying on behalf of 
Airports Council International, North America. I don't know if 
he is going to shed some light on who Jacksonville is going to 
select tonight in the NFL draft, since they have a high draft 
pick, but maybe we can talk off-line about that.
    But the Airports Council International, North America, 
represents local, regional, and State-governing body that own 
and operate commercial airports in the United States and 
Canada. Mr. Grossman assumed his role as CEO and executive 
director in 2009 and oversees the operation, maintenance, 
development, and marketing of all authority assets, which 
include Jacksonville International Airport, Cecil Airport, 
Jacksonville Executive at Craig Airport, and Herlong 
Recreational Airport.
    The Chairman now recognizes Mr. Grossman to testify.
    Mr. Grossman.

   STATEMENT OF STEVEN J. GROSSMAN, CHIEF EXECUTIVE OFFICER/
    EXECUTIVE DIRECTOR, JACKSONVILLE INTERNATIONAL AIRPORT, 
 JACKSONVILLE AVIATION AUTHORITY, TESTIFYING ON BEHALF OF THE 
         AIRPORTS COUNCIL INTERNATIONAL, NORTH AMERICA

    Mr. Grossman. Thank you, Chairman Katko, Ranking Member 
Rice, and Members of the subcommittee. Thank you for the 
opportunity to provide a perspective of both an airport 
operator and that of Airports Council International, North 
America, on airport access control measures.
    For airports, the safety and security of passengers, 
employees, and facilities are top priorities. Airports are in 
full compliance with Federal requirements and work closely with 
the Transportation Security Administration and airline partners 
to examine, test, and refine the aviation security system to 
provide the optimum level of security.
    TSA Acting Administrator Carraway is a strong leader and 
his team is always willing to partner with airports on security 
initiatives. In addition, we appreciate the opportunity for 
ACI-NA and airports to participate on the Aviation Security 
Advisory Committee review of access control.
    Criminal acts involving the unauthorized transportation of 
guns on aircraft prompted calls for the TSA to mandate 100 
percent screening of employees. As we have talked about, 100 
percent employee screening does not translate to 100 percent 
security and is simply the wrong approach. A low-employee 
screening is one of the multiple players of the aviation 
security system. It is not a stand-alone solution and should 
not be viewed as a silver bullet.
    In 2008, the Jacksonville International Airport and six 
other airports participated in an employee screening pilot 
program. During the pilot, only one prohibited item was 
discovered. Checkpoint screening operations were impacted. 
Construction was also disrupted, as it was necessary to devote 
resources to promptly screen the drivers and cement vehicles in 
order to prevent the cement from hardening before it could be 
delivered.
    As the ASAC appropriately noted, to implement 100 percent 
employee screening in the United States would be a significant 
investment of resources that would be unavailable to address 
other pressing threats. TSA has a random screening program 
called Playbook, which uses roving teams of TSA transportation 
security officers to conduct random and unpredictable physical 
screening of employees.
    At the Jacksonville International Airport and other 
airports, access points have been reduced, airports routinely 
support Playbook operations to reinforce employees' 
expectations of being screened, and conduct random inspections 
of employees and their Security Identification Display Area 
badges. In addition, some airports, including Jacksonville, 
conduct additional background checks on employees when their 
badges are renewed or at other intervals.
    TSA identified the need to implement risk-based, 
intelligence-driven initiatives that enhance security. Airports 
support the TSA PreCheck for enrolled travelers and other risk-
based approaches that provide the flexibility to apply security 
measures in areas where they have greatest ability to 
effectively reduce risk. Airport perimeter security involves 
multiple layers of integrated processes, procedures, and 
technologies. The layers of security provide an effective 
system to deter and detect potential intruders.
    In addition to perimeter fencing and controlled-access 
gates, frequent patrols of perimeters are conducted by airports 
and airline personnel, law enforcement officers, and other 
representatives. Employees are trained to identify and 
immediately report suspicious activities.
    It is important to note that most of the perpetrators of 
recent breaches were promptly apprehended, and I think this 
demonstrates the effectiveness of the measures already in 
place, although more can be done. Reporting about lost and 
unaccounted-for SIDA badges provided no information about the 
security systems designed to mitigate potential 
vulnerabilities.
    In addition to the badge swipe, many access control 
suspects require personal identification numbers to be entered 
to gain access through controlled portals. Furthermore, 
airports frequently reissue badges to all authorized employees 
upon receiving reports of lost or stolen identification media, 
badges--and badges are immediately deactivated.
    Now I would like to offer five recommendations to further 
enhance the airport access control, and this is probably most 
important: Invest in intelligence. History has demonstrated 
that effective intelligence information and sharing plays a 
critical role and provides one of the best opportunities to 
identify potential threats and prevent terrorist attacks.
    No. 2, continually review security requirements and 
eliminate those that are outdated. Based on such a review, 
adjustments can be made so that resources are applied in those 
areas where they can effectively reduce risk.
    Immediately implement the FBI's Rap Back program so that we 
can have real-time information on security issues.
    Further, expand the TSA Playbook program to provide for 
random screening.
    No. 5, institute an airport security-focused grant program 
or modernize the PFC to provide readily available funding 
support for these types of security measures.
    Mr. Chairman, thank you for the opportunity to testify, and 
I look forward to your questions.
    [The prepared statement of Mr. Grossman follows:]
                Prepared Statement of Steven J. Grossman
                             April 30, 2015
    Chairman Katko, Ranking Member Rice, and Members of the 
subcommittee, thank you for the opportunity to provide the perspective 
an of airport operator as well as that of Airports Council 
International--North America (ACI-NA) on airport access control 
measures.
    I am the CEO and executive director of the Jacksonville Aviation 
Authority and a member of the ACI-NA U.S. Policy Board, which is 
responsible for the formulation and direction of policy decisions 
arising under U.S. legislative and regulatory matters. As a member of 
the ACI-NA U.S. Policy Board, I have a profound interest in and 
advocate for risk-based aviation security initiatives that not only 
enhance security but also provide airport operators needed flexibility.
    The Jacksonville Aviation Authority, an independent government 
agency created by the Florida legislature, operates the Jacksonville 
International Airport, Cecil Airport, Jacksonville Executive at Craig 
Airport, and Herlong Recreational Airport.
    Located in Florida, Jacksonville International Airport has more 
than a dozen major airlines and a network of regional carriers that 
provide some 200 daily arrivals and departures. In 2013, the number of 
passengers using Jacksonville International Airport (JAX) reached 
5,129,212.
    Mr. Chairman, the safety and security of passengers, employees, and 
facilities are top priorities for U.S. airports. As such, the 
Jacksonville International Airport, and airports across the United 
States, are in full compliance with Federal requirements and, 
continually works with the Federal Government and airline partners to 
examine, test, and improve upon the aviation security system to provide 
the optimal level of safety and security. In partnership with the 
Transportation Security Administration (TSA), U.S. Customs and Border 
Protection (CBP), the Federal Bureau of Investigation (FBI), other 
Federal, State, and local law enforcement agencies, and airlines, 
airports maintain a comprehensive, multi-layered, risk-based aviation 
security system. In my testimony, I have included several suggestions 
to further enhance airport access control measures.
                           employee screening
    As a result of recent criminal acts involving the unauthorized 
transportation of guns on-board commercial aircraft, U.S. Department of 
Homeland Security (DHS) Secretary Jeh Johnson and TSA Acting 
Administrator Melvin Carraway requested that the Aviation Security 
Advisory Committee (ASAC) conduct an ``expedient and comprehensive 
review'' of access control measures to address potential security 
vulnerabilities at airports.
    Tasking the ASAC to identify security enhancements was the right 
approach and ensured collaboration across the industry. ACI-NA, along 
with representatives of several member airports, participated on the 
ASAC Working Group on Airport Access Control in the development of 
substantive, meaningful, and risk-based recommendations. Further, the 
final report accurately recognizes that each airport is uniquely 
different and one size certainly does not fit all.
    In addition, some have called on TSA to mandate that airports 
immediately implement 100 percent employee screening. As I will outline 
in my testimony, 100 percent employee screening does not translate to 
100 percent security and moving forward with such a mandate is simply 
the wrong approach.
    Although employee screening is one of the multiple layers in the 
aviation security system, it is not a stand-alone ``solution'' and 
should not be viewed as a ``silver bullet,'' and I am in agreement with 
the risk-based approach identified by the ASAC.
    In 2008, Jacksonville International Airport participated, along 
with other airports, in a Congressionally-mandated employee screening 
pilot program conducted by TSA. Despite augmented TSA Transportation 
Security Officer (TSO) staffing drawn from other airports to support 
100 percent screening during the pilot program, there was a negative 
impact on checkpoint screening operations, and significant additional 
TSO staffing would have been necessary to permanently sustain 100 
percent employee screening. Construction was also disrupted during the 
pilot and it became necessary to devote resources to screen the drivers 
and cement vehicles in a timely manner in order to prevent the cement 
from hardening before it could be delivered.
    As occurs routinely at other small and medium-sized airports, 
employees regularly transit between public and sterile or public and 
secured areas. At large airports, hundreds of employees transit such 
areas during shift changes and at other times. Not surprisingly, it was 
observed during the pilot that the same employees were repeatedly 
subject to screening throughout the day.
    During the 90-day employee screening pilot at Jacksonville 
International Airport, approximately 121,000 employees (51,000 of which 
were passengers in about 35,000 vehicles) were screened, but only one 
prohibited item was discovered.
    The costs associated with the implementation of true 100 percent 
screening of employees at airports in the United States are staggering 
and are estimated to be in the tens of billions of dollars for the 
first year alone. Given the questionable security benefit of such a 
costly initiative, and in consideration for the significant impact on 
aviation operations, 100 percent employee screening is simply not 
realistic.
    As the ASAC appropriately noted in its Final Report on Airport 
Access Control, there is no system domestically or internationally that 
``would qualify as 100 percent screening of 100 percent of all airport 
employees to passenger screening standards.'' Implementing such a 
system in the United States would necessitate a significant investment 
of resources that would then be unavailable to address other pressing 
threats.
    A 2008 Homeland Security Studies and Analysis Institute (HSSAI) 
report--on the pilot program conducted at Jacksonville and other 
airports--titled, Airport Employee Screening Pilot Program Analysis, 
concluded that ``a random screening strategy is the more cost-effective 
solution'' for airports.
    As identified by the ASAC, there is no perfect security system. The 
multiple layers of security--which can be routinely enhanced or 
modified--provide an effective means to secure passengers, employees, 
and facilities. A clear strength of this type of system is the 
unpredictable nature of the individual layers of security and the fact 
that many airport and aircraft operators exceed the baseline security 
requirements through the implementation of additional processes, 
procedures, and technologies that consider and are adapted to their 
unique geographic locations and facility designs.
    Therefore, multiple layers of security, including enhanced 
background checks, security awareness training, and random screening of 
employees, as recommended by the ASAC, are much more effective than a 
rigid and predictable 100 percent employee screening regime.
                   random and unpredictable screening
    Unlike airport operators, TSA is in the business of effectively and 
efficiently screening passengers, baggage, and employees at airports. A 
key element of the TSA Playbook program, formerly known as the Aviation 
Direct Access Screening Program, is the roving teams of TSA 
Transportation Security Officers, Behavior Detection Officers, and 
Transportation Security Inspectors that conduct random and 
unpredictable physical screening of employees working in or accessing 
secured areas. The Playbook program has proven to be very effective in 
mitigating risk.
    Some airports work in close partnership with TSA in support of 
Playbook operations to close certain access points and funnel employees 
through the screening locations. The Playbook program mitigates the 
risk of prohibited items being introduced at the perimeter, which would 
go undetected under a fixed-point employee screening system. In 
addition to introducing a high level of deterrence, Playbook provides 
employees the expectation of being screened at any time, not just when 
they enter through an access control point. This type of random and 
unpredictable screening program represents a formidable layer of 
security.
                   risk-based, multi-layered security
    Several years ago, TSA appropriately identified the need to 
transition from a one-size-fits-all approach to risk-based, 
intelligence-driven initiatives that not only enhance security but also 
increase efficiency. With limited industry and Government resources, 
risk-based security programs--and regulations--are essential, as we 
simply cannot continue the process of adding new security requirements 
and deploying new technology to respond to each new threat.
    Probably the most significant risk-based security initiative is TSA 
PreCheck, the agency's trusted traveler program, which provides 
expedited screening to travelers who are enrolled and pre-vetted while 
focusing the most invasive screening resources on those about whom the 
least is known. This type of risk-based system is absolutely what is 
needed and TSA should be commended for directing the implementation of 
this and other risk-based security initiatives.
    We also need to commit to an on-going transition from the one-size-
fits-all approach in the regulatory environment to risk-based security 
measures and regulation. With only limited resources available, it is 
essential that airports have the flexibility to apply security measures 
to those areas where they have the greatest ability to effectively 
reduce risk.
    Airport security systems rely on multiple risk-based layers of 
security implemented in partnership with airports, airlines, and the 
TSA. While each layer is not designed to be impenetrable, the 
individual layers have the ability to deter and mitigate potential 
risks, and when integrated, the multiple layers provide a robust 
aviation security system that is not only effective but also capable of 
being readily adapted to address new and emerging threats.
    Through the implementation of the risk-based enhancements 
identified by the ASAC, the current system will be even more effective 
in mitigating risk.
                     employee background screening
    An essential layer of security is the multi-faceted employee 
background screening process which is initiated prior to an employee 
being granted access to the secured area of an airport. In advance of 
issuing a Security Identification Display Area (SIDA) badge, which 
provides unescorted access privileges to secure areas, airport 
operators conduct extensive vetting of employee backgrounds. There are 
two critical facets of the employee background screening regime that 
all employees who work in secured areas must successfully pass: A 
fingerprint-based Criminal History Records Check (CHRC), and a Security 
Threat Assessment (STA). Upon receiving an application from an employee 
seeking unescorted access to a secured area, airport operators validate 
the identity of the individual, collect and transmit their fingerprints 
and the associated biographic information to the TSA. The biometric 
fingerprint data is routed by TSA to the FBI for a CHRC. Through the 
STA process, TSA conducts a threat assessment against terrorism and 
other Government databases.
    If the STA reveals derogatory information about the individual, TSA 
informs the airport operator that they must not issue a SIDA badge 
granting unescorted access privileges. If at any point thereafter, 
recurrent STA vetting reveals derogatory information about an employee 
with unescorted access, TSA will notify the airport operator to 
immediately revoke their SIDA badge. Similarly, in accordance with 
existing regulations, when an airport operator discovers, during a 
review of CHRC results, that an applicant has been convicted of a 
disqualifying criminal offense within the previous 10 years from the 
date of application (``look-back period''), they refuse to issue the 
individual a SIDA badge. A distinct security feature is the ability for 
airport operators to review each and every applicant's criminal record 
to make a determination about their suitability for being granted 
unescorted access privileges.
    Although some airports go above and beyond the baseline measures in 
current TSA regulations and have implemented longer ``look-back 
periods'' and/or an expanded list of disqualifying criminal offenses, 
others are unable to do so due to restrictive State laws. While some 
airport operators re-submit a portion of the population of SIDA-badged 
employees for a CHRC, it only provides a snapshot of their criminal 
record as of the date of submission.
    As recommended by the ASAC, the ``look-back period'' should be 
extended, and, through collaboration between Government and industry, a 
harmonized list of disqualifying criminal offenses should be developed.
                           perimeter security
    Airport perimeter security involves multiple layers of integrated 
processes, procedures, and technologies. Although there is no perfect 
perimeter security system, the multiple layers of security--which 
airports routinely enhance--provide an effective system to deter and 
detect potential intruders. While perimeter fencing and controlled 
access gates are the most outwardly visible layer of security, there 
are numerous other layers (systems), both conspicuous and 
inconspicuous, in place at airports to bolster perimeter security.
    Frequent patrols of perimeters in the public and secured areas are 
conducted by airport and airline personnel, law enforcement officers 
and other representatives. In addition to patrols, employees at 
airports are trained to identify and immediately report suspicious 
activities.
    Many airports go above and beyond the baseline security 
requirements for perimeter security, implementing additional processes, 
procedures, and technologies that integrate more effectively with their 
unique geographic locations and facility designs.
    The individuals involved in most of the ``breaches'' in recent 
reports were promptly apprehended. Rather than presenting a gaping 
vulnerability as some would have us believe, this is clear evidence of 
the effectiveness of the layered security system in place at airports. 
In addition, none of the individuals have been linked to terrorism, and 
the suggestion that terrorists may attempt to breach perimeters is 
purely speculative and not based on any empirical data.
    Airports, in conjunction with representatives of the TSA, the FBI, 
and other Federal, State, and local law enforcement officials, conduct 
joint vulnerability assessments (JVA) of their facilities, systems, and 
perimeters. The JVA results, along with the latest intelligence 
information, are used by airports to direct the application of 
resources to enhance individual security layers.
    An investment in research and development (R&D) of promising 
perimeter security technology is essential. In order to evaluate the 
effectiveness in the operational environment, TSA should commission a 
pilot test at airports of promising technologies identified through the 
R&D process. These pilot programs would provide valuable information 
about cutting-edge technologies that could be used to by airports to 
further enhance perimeter security.
    The National Safe Skies Alliance, in partnership with airports, and 
funded through the Airport Improvement Program, conducts testing and 
operational evaluations of security technologies designed to further 
enhance perimeter security and access control. Many airports have 
deployed the systems tested and evaluated by the National Safe Skies 
Alliance. The reports, which are available to all airports, provide 
specific details about the application and functionality of 
technologies tested under the program and contain valuable information 
for airports as they make decisions on which technologies may work best 
at their facility.
                               biometrics
    Although biometric access control technology can be a potentially 
useful tool in limiting access or supporting post-incident forensic 
analysis, such systems are not a panacea and would not have prevented 
the situation involving the unauthorized transportation of guns on-
board aircraft. In addition to being incredibly costly and challenging 
to integrate with some legacy airport systems, biometric access control 
systems are susceptible to environmental conditions and contamination 
from substances routinely found in the aviation industry. Reports from 
TSA officials subsequent to a study of biometrics in aviation and other 
sectors revealed that such systems are not ready for full-scale 
deployment at airports, and individual airports should conduct a cost-
benefit analysis to determine whether to procure and deploy such 
systems.
                              lost badges
    Recent reports about lost and unaccounted SIDA badges failed to 
accurately characterize the situation and provided no information about 
the various security processes, procedures, and technology specifically 
designed to mitigate potential vulnerabilities. Many airports go above 
and beyond TSA regulations and have designed additional features into 
their SIDA badges and access control systems to address concerns with 
lost or unaccounted badges. These include requirements for not only a 
swipe of the badge but also a personal identification number or a 
biometric to gain access through controlled portals, security features 
incorporated into the badges, and employee training. Some airports have 
deployed closed circuit television at access portals. In addition, 
airports frequently re-issue badges to all authorized employees. Upon 
receiving reports from badge holders of lost or stolen identification 
media, airports immediately deactivate the badges in their systems. Due 
to their sensitive nature, other security features incorporated into 
access control systems cannot be discussed publically.
   security directives vs. proposed airport security program changes
    The most effective approach to rulemaking exists when regulatory 
agencies afford airports the opportunity to comment on proposed changes 
to their airport security program. Over the years, ACI-NA and airports 
have participated on various National and international Government/
industry working groups intended to enhance aviation security as well 
as improve efficiency. This coordinated process has been very effective 
in allowing TSA to identify potential threats to civil aviation, and 
industry to collaboratively develop aviation security enhancements that 
minimize unnecessary costs and operational impacts at airports.
    Although TSA has the ability to avoid the notice and comment 
process and issue security directives (SDs), this regulatory option 
should be strictly reserved for situations involving an immediate 
threat, as was stipulated in the Aviation and Transportation Security 
Act and current TSA security regulations. Airports do not believe that 
Congress intended to provide TSA such latitude that it could issue SDs 
absent or months after an identified threat.
                         security enhancements
    Following are five suggestions to further enhance the security of 
airport access control:
1. Invest in Intelligence
    The importance of timely and actionable intelligence information 
being used to disrupt terrorist plotting and adjust security baselines 
cannot be emphasized enough. In the aviation industry, history has 
demonstrated that effective intelligence information and sharing plays 
a critical role and provides one of the best opportunities to identify 
potential threats and prevent terrorist attacks. By way of example, the 
2006 liquid explosives plot, the 2010 toner cartridge bomb plot and, 
more recently, the 2012 ``improved'' underwear bomb plot were all 
foiled by intelligence information developed and provided to industry 
by intelligence agencies.
    Armed with this type of information, airports make adjustments to 
security measures to mitigate threats. Therefore, it is crucial to 
invest in and provide additional resources to the intelligence agencies 
with the understanding that actionable intelligence information be 
shared with airports and airlines in a timely manner.
2. Review and Revise Security Requirements
    Even today, there continues to be general hesitancy or fear of 
rescinding long-standing security requirements, even when it is readily 
acknowledged that they are outdated--because no one wants to be accused 
of being weak on security. However, it is the very essence of risk-
based security to continually assess the latest intelligence 
information and conduct informed reviews of security procedures. Based 
on such a review, adjustments can be made so security measures maximize 
risk reduction, something that may necessitate shifting or reallocating 
security resources to bolster other areas. This reallocation of limited 
resources ensures that they are being applied to those areas where they 
can most effectively reduce risk.
3. Institute Real-Time Recurrent Background Checks
    Unlike the STA process, through which TSA conducts perpetual 
vetting of employees who have been granted unescorted access 
privileges, the CHRC is currently a one-time snapshot of the 
applicants' criminal history. According to the FBI, Rap Back provides 
``the ability to receive on-going status notifications of any criminal 
history reported on individuals holding positions of trust.'' When 
implemented, this program will provide airports (and airlines) much 
better and needed visibility into employees' criminal records, allow 
them to make informed determinations as to the suitability of existing 
employees and greatly assist in making determinations about whether 
employees should be allowed to retain their unescorted SIDA access 
privileges.
    As recommended by the ASAC, TSA should ensure the immediate 
implementation of the FBI's Rap Back program, so that real-time 
recurrent CHRCs are conducted on SIDA badge holders.
4. Expand Random Employee Screening Operations
    As a means to enhance an important layer of security, TSA should 
further expand its Playbook employee screening program, so that every 
employee entering or working in a secured area of an airport has the 
expectation that they will be subject to screening. Airport operators 
can support expanded Playbook operations by selectively closing access 
portals in order to route employees through the screening locations.
5. Institute an Airport Security-Focused Grant Program
    Although DHS, through its Homeland Security Grant Program, 
dispenses billions of dollars annually for systems and technology to 
bolster State, Tribal, and local preparedness, resiliency, and improve 
security, very little, if any, is allocated to airport operators. As 
airport operators have only limited funding that must be prioritized 
across a multitude of safety, security, and operational projects, an 
airport security-focused grant program would provide readily available 
funding to support perimeter, access control, and other security 
enhancements.
                               conclusion
    Jacksonville International Airport and airports across the United 
States are committed to working with Congress, TSA, FBI, CBP, State, 
and local law enforcement agencies and aviation stakeholders to enhance 
airport security through the application of risk-based measures. The 
recommendations identified by the ASAC for multi-layered, risk-based 
security enhancements provide the best approach to further enhance the 
security of the aviation system.
    Working in coordination with ACI-NA and airports, TSA should make 
it a priority to move forward with the implementation of the ASAC 
recommendations to enhance airport security. Through continued 
Government-industry collaboration to enhance security, we can better 
achieve our mutual goals of enhancing security and efficiency while 
minimizing unnecessary operational impacts.
    Thank you for the opportunity to submit this written testimony.

    Mr. Katko. Thank you very much, Mr. Grossman.
    I will start with both of you. One of the five programs 
that Homeland Security has recently implemented through Mr. 
Johnson was the requirement that airports reduce the number of 
access points to secured areas to an operational minimum. 
Sounds good. What does that mean to you?
    Mr. Grossman. Ladies first.
    Ms. Olivier. Each airport needs to work with their local 
TSA on that and with all of their tenants. The layouts of the 
airports, of course, as you know, are very different. You can 
have cargo areas, you can have direct terminal areas, you may 
have general aviation areas. Depending on the layout of the 
airport, there may be a need for various more remote access 
points, as well as ones that are close to the terminal.
    So in reducing those, an airport has to understand what the 
necessary movements are through these areas, as well as take 
into consideration what the vulnerabilities and risks 
associated with that location are. In heavily-trafficked 
airports, you have to understand what it does to the daily 
operations of the airport. Often in cargo situations it is very 
time-sensitive and so deliveries have to be made very quickly. 
They have to get in and get out and on their way. So we have to 
understand for every portal that we might reduce what the 
implications of that are.
    Mr. Katko. Mr. Grossman.
    Mr. Grossman. Over the last several years at Jacksonville, 
we have reduced our entry points from 24 to 14. During the 
pilot program that we participated in, that number was reduced 
to four. That became an operational nightmare, both for airport 
personnel and, more importantly, for airline personnel.
    So there is a right answer. For every airport it is going 
to be different. I think with all of the new security measures, 
airports do need to take a second look at that: How are we 
going to control those access points and work with the TSA so 
that the random screening is effective at each and every one of 
those entry points?
    Mr. Katko. Who decides what is an adequate reduction in 
entry points? Who says, ``That is good, you are where we want 
you to be''? Or who decides?
    Ms. Olivier. We think it should be consensus. At an 
airport, we engage the entire airport in the security program 
of the airport. Together, we try to get a comprehensive problem 
solving from all of our partners. That includes the TSA. It 
includes our tenants. We invoke our employees through 
committees to evoke their best ideas. So together with some 
very deliberate time and motion studies and the like, we come 
to an informed decision about what, in fact, can practically be 
decreased.
    Mr. Grossman is quite correct, airports across the country 
have already worked in previous rounds to reduce the number of 
access points. As we all continue to work on our airports and 
oftentimes as construction changes on the airports, that will 
present other opportunities for us to do further work in that 
area.
    Mr. Grossman. Yeah, Mr. Chairman, as you know, all airports 
are required to have airport security programs that are put 
together by the airport and approved by the TSA. We do that in 
conjunction with all of our partners.
    One of the things that is most impressive is at many of our 
airports, if not most of our airports, the cooperative working 
relationship between the TSA, the airport, and the airlines. I 
will tell you, it has not always been that way. But I think in 
the last few years we have worked very well together to solve 
problems that not only enhance security, but work operationally 
for the airport.
    Mr. Katko. So is it fair to say that the ultimate arbiter 
really is TSA through your airport security plans that you 
present them?
    Mr. Grossman. I would say yes.
    Mr. Katko. Okay. Now, have either one of you begun that 
evaluation given the recent guidelines from Homeland Security?
    Ms. Olivier. Personally in our airports, sir?
    Mr. Katko. Yes.
    Ms. Olivier. Yes, sir. We continue to look into that.
    Mr. Katko. Okay. When you say ``we,'' to whom are you 
referring?
    Ms. Olivier. Well, I have several airports that I work 
with.
    Mr. Katko. Yes, you do.
    Ms. Olivier. So we address this at things like our security 
consortiums with our partners, but I also have the airport 
security managers at each of those airports looking at 
opportunities to how we can reduce these gates. In fact, we are 
looking at that right now at JFK.
    Mr. Katko. Okay.
    Mr. Grossman. I think in almost all aspects of these 
recommendations we are a bit ahead of the game. We have reduced 
portals at our airport with regard to airport employees. An 
employee who gets on an airplane to take a flight without going 
through security is terminated as soon as that is discovered. 
There is no tolerance.
    In many of these other areas, we conduct with airport 
personnel over 250 temporary checkpoints every month at access 
doors with our staff. We have beefed up all of the challenge 
programs in the secure area. So just even talking this morning 
with the staff about the new security directives that are out, 
we were talking about: Okay, when does Rap Back come about?
    Because we already do additional background work every year 
when we review badges through a law enforcement database called 
LexisNexis. So we check that. We basically go back when we do 
the initial background check, and this is different in every 
State depending on State law, but we go back to when the person 
was 18 years old, regardless of how old they are now.
    Mr. Katko. That is great. That is great.
    Mr. Grossman. We will evaluate acts that happened back many 
years ago to see if there is a pattern and use our judgment as 
to whether or not that person should have a security badge. So 
it is basically a daily thing.
    Mr. Katko. One of the things that we are probably most 
concerned with, and you have heard this already several times 
today, is that point when the employee goes from the nonsecure 
to the secure area. How do you best try and prevent that from 
happening? I have heard a lot about the risk-based theories and 
the randomization and everything, which I understand on both 
sides, both before and after they get into the airport secure 
area.
    But at that critical point we might be able to stop it. It 
is probably where the committee itself is really kind-of hung 
up the most. I would like to hear from both of you. What do you 
think with the minimum requirements for a security check, or 
however you want to say it, for the access points when you are 
going from the nonsecure to the secure area for employees?
    I guess, for each of you, in your own words, tell me what 
you think should be the minimum requirements for each of the 
entry points.
    Mr. Grossman. I think in general I would say, if we were 
doing it, it would be a security person or two, minimum be able 
to wand somebody, make sure they are not carrying a gun, and 
then a fairly detailed inspection of anything they were 
carrying. I think if TSA is doing it, they have a bit more 
access and training to check for explosive residue than we do. 
We are just unequipped to do that. So I think it is going to be 
a combination of both TSA personnel, and at airports that can 
do it, airport personnel.
    Mr. Katko. So is this for each and every entry point for 
employees?
    Mr. Grossman. In doing it on a random basis, absolutely.
    Mr. Katko. Okay. So when you say on a random basis, okay, 
what does that mean? So sometimes they are there and sometimes 
they are not?
    Mr. Grossman. Correct.
    Mr. Katko. Okay. All right. So you would have that 
randomization component, which I understand you all do anyways, 
you all support, but I am talking about the physical 
composition, if you will, of what that entry point looks like. 
Tell me what you think it should look like.
    Ms. Olivier. Well, I would express some level of caution. I 
may be misinterpreting your question, but I would be reluctant 
to impose a particular specific model or requirement on a 
particular portal, because portals have different functions, 
they are trafficked by different people, they are located in 
different places.
    I would be reluctant to impose a solution that is uniform. 
I guess specific to that is, I would be reluctant to impose a 
uniform solution for all portals because that can then militate 
against the flexibility and agility that is needed at airports 
to address the various security postures that they need to 
employ depending on their information about risk and threat, et 
cetera.
    The minimum requirement certainly is that the people 
conducting the inspections, or physical searches, are trained 
to do so.
    Mr. Katko. Let me back up, though. You see, we are getting 
again into the randomization aspect of it, and I am talking 
about just the physical description. I know I probably am 
sounding like I am too focused on it, but we still don't have 
it yet. I mean, doors should be locked. They have a SIDA access 
badge. For the ones that aren't manned, what should be there? 
Ones that are manned, what should be there? That type of stuff. 
The nuts and bolts.
    Mr. Grossman. I mean, I would suggest, as is done now at 
many airports, just swiping a badge isn't enough. There has to 
be some form of other means that you have to enter in. It could 
be biometric, it could be your own personal code, et cetera. 
That is as a minimum. The door absolutely has to be locked.
    Mr. Katko. We are getting somewhere.
    Ms. Olivier. Well, certainly. Or guarded.
    Mr. Grossman. Right.
    Ms. Olivier. There may be times when you have to have the 
door open.
    Mr. Grossman. When a door malfunctions we automatically put 
a guard on the door.
    Mr. Katko. Right.
    Mr. Grossman. So I guess there are probably things we take 
for granted, of course, because we live it every day.
    Mr. Katko. Right. Right.
    Mr. Grossman. But I do think that those things are 
important. Then it is really going to be what is decided about 
what is the random check process going to look like.
    Mr. Katko. Right.
    Mr. Grossman. No door should ever be left unlocked.
    Mr. Katko. Okay. So as far as the random check process 
goes, we are trying to figure out how to get some sort of 
prescription to this without causing too much problems for the 
airports given their operational flexibility. But we are 
concerned about having some sort of basic standards that 
everyone understands they have to adhere to, and obviously to 
randomness.
    Much of what the ASAC says is great, but it still doesn't 
say how often it should be done or when it should be done or 
how often. People like me facing this random screening, is it 
once a month? Is it once a year? Is it 1 out of 4 employees on 
a daily basis should get screened?
    I mean, I guess, we want to set achievable goals that they 
can abide by so when you come later on and do inspections of 
airports, and they say, you have only been screening 1 out of 
1,000 employees, that is unacceptable. Without some sort of 
standards, your response could be: Well, that is what we 
thought was good for this airport, you know what I mean? So we 
have got to kind-of find a happy medium here.
    Ms. Olivier. Basically, I think another way of saying that 
is what employees say to me all the time too is, how do you 
actually operationalize this, right?
    Mr. Katko. Correct.
    Ms. Olivier. So I think further work, as you suggested, is 
going to be needed for us to work with our partners on that. 
But the ASAC did lay out some very fundamental principles for 
us to build upon on that. In the recommendations, it did 
suggest that there needed to be a reasonable expectation on the 
part of employees that they would be checked and inspected that 
moment when they walked through that portal.
    So whatever methodology we construct, whatever methods, 
whatever channeling we construct, is that employees have to 
expect whenever they come to work that day or whenever they 
return from lunch that they have a reasonable expectation that 
somebody is going to be taking a look at what they are 
carrying.
    Then to pick on an area in the ASAC recommendations that 
may have come across a bit obscurely is that we believe that 
the particular frequency, where we do it, when we do it, would 
be a matter of rather smart modeling, and this is where you and 
I are going to have some statistic lessons after class.
    Mr. Katko. Oh, man. I am getting flashbacks of my days at 
Catholic schools with the nuns. So go ahead.
    Ms. Olivier. Yeah, but I am not carrying a ruler.
    Mr. Katko. That is right. Thank God.
    Ms. Olivier. So, in fact, we will be able to work with 
industry experts in this area to determine the most efficacious 
model for each area where we can achieve that ultimate result 
that everyone has the reasonable expectation, it is very real, 
and it achieves a level of frequency and stratification that 
the public too feels that we have a very good chance of 
identifying any problems as they emerge.
    Mr. Katko. Mr. Grossman.
    Mr. Grossman. Yeah, I think the answer is much more 
frequently than once a month. It may not be every day, but it 
would be multiple times each month.
    Further, it needs to apply to everybody. In the pilot 
program, a number of employee groups were exempted from it, 
most particularly TSA employees, who probably access back and 
forth more times each day than any other group of employees at 
the airport. So that is going to be a big challenge as to how 
we get those people through these temporary checkpoints, but it 
has got to be done.
    Ms. Olivier. Remember too, when he described temporary 
checkpoints, exactly that. Sometimes we can choose to close 
down a checkpoint, right, or choose to close down a portal and 
say every employee or the next 10 employees have to go over to 
this other area where we do have screening set up, right? So 
there are many different options to achieve this.
    Mr. Katko. Right. Okay.
    I think I have got it, and it is just going to take some 
more fleshing out. But the overarching observation is that we 
all agree we have to step it up, and just a question of how to 
do that and how to make sure that the people that are committed 
to it are doing it the same way that people who may not have 
the same desires to.
    My concern is not so much an airport, you two, because you 
sound like you are on your game, but what about an airport 
authority that is really struggling for money? There are 
pressures from whomever and maybe they cut corners. That is why 
there have got to be some sort of generalized standards, 
minimal standards, which must be uniform so at least when they 
fall below those minimum standards we can do something about 
it. Right?
    Ms. Olivier. May I interject a comment that I don't think 
anybody expected to be saying?
    Mr. Katko. Sure. Of course.
    Ms. Olivier. But I would like to assert that many security 
professionals through the commercial airports in this country 
talk to one another. We do it through usually two associations, 
ACI and AAAE, and many of us are members of both. We have 
committee work. We have ways of corresponding in many other 
ways. I can attest that every day these folks are talking to 
one another by email, phone call or what about particular 
issues they are trying to solve at their airport and how they 
can address it.
    That involves people in the smaller airports that you have 
just cited, as well as the larger airports. There is a lot of 
cross-fertilization, everyone committed to trying to find 
solutions, things that others have thought of that we can 
capitalize on. My colleagues and I steal any good idea we can 
find.
    Mr. Katko. That is a good thing. Collaboration is 
wonderful.
    Now, I want to switch gears if I can and talk about some of 
the other subject areas, which I think we are all pretty much 
on agreement on these, that is the vetting of the employee and 
security threat assessment. The information set forth in the 
ASAC report about this subject, do either one of you have any 
questions or objections about those?
    Mr. Grossman. No, I think we are doing more than that right 
now. So we will continue to do that, but I think that process 
can be further assisted using the FBI's Rap Back program.
    Ms. Olivier. Yes, and taking a look, people need to take a 
look at this, but perhaps expanding the disqualifying crimes, 
expanding the length of look-back, integrating with certain 
foreign databases for a better understanding in that way. All 
of those recommendations we fully support.
    Mr. Katko. Okay. All right. As far as the internal controls 
and auditing of airport-issued credentials, I presume neither 
one of you have any questions about that. I mean, when people 
are losing their credentials, that is a problem?
    Mr. Grossman. Right.
    Ms. Olivier. Sure.
    Mr. Katko. Yeah. Okay. As far as the risk-based security 
for higher-risk populations and intelligence, I want to talk a 
bit about that. What do you understand that to mean, and what 
do you think about what the ASAC's recommendations are about 
that?
    Mr. Grossman. Well, I think I have always said that, 
unfortunately, over many decades as an industry we have been 
very reactive. We seem to plan for yesterday's incident.
    Mr. Katko. That is what we are doing right now, I guess, in 
a way. We want to get better than that.
    Mr. Grossman. Right.
    Mr. Katko. Right.
    Mr. Grossman. We are starting to get more proactive, 
developing scenarios of what might happen and what do we do, 
how do we prevent it? But the real key is intelligence. As I 
mentioned in my testimony, if there are more resources 
available, give them to the FBI, give them to other agencies 
developing real intelligence, and then let's do a better job 
of, No. 1, stopping these acts, and sharing the information 
locally.
    I think the Federal agencies are doing much better at 
talking to each other. They still have a ways to go in talking 
to us. That will come over time. But really, we have to stop 
bad actors before they get to the airport, when you are talking 
about terrorists.
    Mr. Katko. I agree with that.
    Ms. Olivier. I would like to highlight something too. We do 
often struggle to try to understand what intelligence is out 
there that can affect our day-to-day decisions at the airport, 
but also our long-term decisions. What intelligence out there 
can help me decide on major investments at the airport for 
protective elements, perimeter intrusion detection, 
surveillance systems, bollards on the frontage of airports.
    Those kinds of major capital investments may be worthwhile, 
but I need to know from an intelligence standpoint, is that 
appropriate or is there intelligence out there that tells me I 
should change some of my operational procedures or policies?
    There is an activity initiated by the Department of 
Homeland Security right now on intelligence that is attempting 
to reach out to industry partners, airlines as well as airport 
operators, to participate in an effort, referred to as ADIIC, 
to understand what intelligence is actually useful to airports.
    So I think that is a very excellent new initiative to bring 
airports closer to this intelligence-gathering effort and to 
ask airports: Is this useful to you? What else would you like 
to know? So I think that is very promising.
    Mr. Katko. Okay. Last, and then I am just going to bounce 
something off both of you, security awareness and vigilance. I 
take it you all agree that the efforts to beef that up and 
establish a hotline, if you will, and to encourage people to 
speak up when they have concerns is fine with both of you.
    Mr. Grossman. I think it is fine. I have always been very 
impressed with how serious airport workers take their role in 
security. We drill it into them when they first come on as an 
employee, whether it is my employee or an airline employee, and 
every year they get recurrent training that they are part of 
the security program. I think it works very effectively.
    The tools that were advocated in the report are all good 
enhancements to that. But I think they do a pretty good job 
right now.
    Mr. Katko. Now, the last thing I will leave you both with 
before we wrap up, and that is, as we were sitting here I was 
thinking how do we kind of ensure that this organic exchange of 
information and information sharing and just kind-of 
institutionalizing the information sharing on the security side 
for employees as well, how do we do that moving forward?
    I just want to bounce this off of you. What would your 
thoughts be about using ASAC as a vehicle through which maybe 
on an annual basis you kind-of do a review of what you have 
learned for the year, basically, and recommendations going 
forward, so all airports can have it, and we can have it, and 
if there are things we need, if we need to get more money to 
you, if we need to do things differently, if we need to tweak 
the laws, we need to back off on this, we have kind of a 
uniform way to do that? I think it just would lead to a better 
dialogue on both sides of the fence. What do you think about 
that?
    Mr. Grossman. As an outsider to the ASAC process, I will 
tell you how impressed I was that it really represents almost 
the first real collaboration of industry and TSA. I think the 
results of that were shown in how the report was received. They 
did a great job. I think if you can institutionalize it and 
make it part of the culture, I think that has been one of the 
issues we see with TSA, is what is the culture, and it needs to 
be a culture of collaboration. Because most at TSA headquarters 
have never run an airport. They have never worked at an 
airport. They need our input. This was a prime example of what 
can come from getting that input.
    Ms. Olivier. It was a very respectful process. It provided 
for a great deal of crosstalk across the industry. Remember 
that it is not just airports that are responsible for many of 
the things that were discussed today, but our airline partners, 
a great deal of responsibility there.
    Mr. Katko. Correct.
    Ms. Olivier. To bring all the parties to the table with the 
TSA for joint problem solving certainly seems to reap the 
highest level of product and benefit in a very short length of 
time.
    So we feel that this kind of collaborative process is a lot 
better too than issuing perhaps certain directives that haven't 
been vetted in the same way.
    Mr. Katko. Understood. Understood. Give me one moment, 
please.
    Unless there is anything else you want to offer here, I 
appreciate the efforts. Again, I will reiterate what I said to 
Mr. Carraway. This type of collaborative effort on attacking a 
real problem is what we are supposed to all be doing. I am 
proud to be part of the process. I very much appreciate your 
efforts in that regard as well.
    Moving forward we have got to remember, we are all trying 
do the same thing here. There are not two sides to this fence. 
We are all in the same boat. We look at it from different 
perspectives, and that is a good thing.
    So moving forward, I hope we continue this collaborative 
relationship on this issue and others relating to the airline 
industry. The risks are far too great to do anything other than 
that. I just wish more Americans would see that sometimes we 
can work together and get things done. I think this is a good 
example of that.
    So thank you both very much, and have a good evening.
    Ms. Olivier. Thank you, sir.
    Mr. Grossman. Thank you very much.
    [Whereupon, at 4:20 p.m., the subcommittee was adjourned.]


                            A P P E N D I X

                              ----------                              

       Questions From Chairman John Katko for Melvin J. Carraway
    Question 1a. At the hearing, you announced that TSA is requiring 
airports to increase aviation employee screening to include additional 
randomization screening throughout the workday.
    What is the estimated percentage of airport and airline employees 
being screened at Federalized airports daily?
    Question 1b. Will airports be required to screen a minimum 
percentage of employees on a daily basis? If so, what methodology did 
TSA use to determine that percentage? Do you think such measures are 
sufficient in providing employees with the expectation that they will 
be subject to screening every day?
    Question 1c. Has TSA issued minimum screening standards for 
airports when conducting employee screening? If so, please describe 
those standards.
    Question 1d. In your opinion, what are the best and most effective 
options for access points to ensure the integrity of the security 
apparatus?
    Answer. The Transportation Security Administration (TSA) captures 
general metrics associated with employee screening operations conducted 
by TSA; however, it does not maintain metrics identifying the 
percentage of airport employees screened as they enter the sterile 
area. TSA is using a risk-based security approach to affect the 
increase in employee screening, which includes TSA-directed inspections 
conducted by the airport operator, as well as TSA-conducted screening. 
TSA-conducted screening includes screening of airport and air carrier 
employees at TSA screening checkpoints (as required for sterile area 
airport tenants), as well as at other access points in the Aircraft 
Operations Area (AOA), sterile, secured, and cargo areas.
    Airport operators are required to conduct random inspections of 
individuals entering the sterile area at entry points other than the 
screening checkpoints to verify that they have appropriate and valid 
identification and access control media, and to determine if they are 
carrying prohibited items other than those required for operational 
needs. The inspections must be clearly visible to other individuals 
exercising their access privileges. While TSA does not require that a 
specific minimum percentage of employees be inspected, the rate and 
locations of random inspections must be approved by the Federal 
Security Director and must be frequent enough such that there is a 
reasonable expectation that individuals exercising their unescorted 
access privileges will be subject to an inspection. Additionally, TSA 
does not issue Standard Operating Procedures (SOP)-type parameters to 
airport operators, rather their requirement is to verify access 
authority and determine if an individual is in possession of prohibited 
items. In response to direction from Secretary Johnson to address 
insider threat vulnerabilities at domestic airports, TSA recently 
issued an Information Circular (IC) to airport operators encouraging 
them to work with their Federal Security Directors (FSDs) to utilize a 
continuous random methodology of inspections; increase the breadth of 
inspections to include public to secured area access points in addition 
to public to sterile area access points; and capture the updated 
measures in their regulated Airport Security Program (ASP) so that the 
measure become enforceable, rather than a recommendation through IC. 
TSA currently is compiling a survey establishing the level of the 
cooperative compliance with the IC recommendations. Industry has been 
advised by TSA that if there is insufficient voluntary process with the 
measure contained within the IC, TSA will consider other mandatory 
means of compliance. Airport operators are also expected to collaborate 
with their FSDs to determine the best location, frequency, and duration 
of these random inspections and amend their security programs 
accordingly. In addition, TSA also conducts screening, via Playbook, of 
individuals entering the sterile and secured areas of airports at 
access points other than the screening checkpoint on a random basis.
    The combination of enhanced vetting, security awareness training, 
intelligence and information sharing, and random screening/inspection 
help to ensure that airport employees do not introduce prohibited items 
into the sterile area or secured area. Prohibited items may go 
undetected if airport employees undergo only a fixed point-of-entry 
inspection process. Introducing a high level of random and 
unpredictable screening/inspection presents a formidable deterrence. As 
noted above, each airport operator works with its FSD to establish the 
manner and frequency with which these measures will be implemented and 
that activity is supplemented by TSA screening operations.
    Question 2. On average, how many Playbook operations are run daily 
and how many employees are screened in a typical day? Does TSA intend 
to expand Playbook operations so that more randomized screening occurs?
    Answer. Playbook is regularly performed at 117 of our Nation's 
busiest airports, which have been identified as higher-risk locations. 
Currently, Playbook is required at 100 percent of CAT X and I airports, 
in addition to 40 percent of CAT II airports. Other airports have the 
ability to implement Playbook, as needed. On average, across the 117 
Playbook-required airports, the Transportation Security Administration 
(TSA) conducts approximately 5,000 operational hours of Playbook per 
day, focusing approximately 95 percent of these hours on employee 
screening. As a result, Playbook screens about 45,000 airport employees 
daily. These figures have steadily increased over the past few months 
as TSA has expanded operations to concentrate more on employee 
screening.
    Question 3a. How does TSA define ``operational minimum'' as the 
term pertains to the number of access points to secured areas of an 
airport?
    Does TSA believe it is best to let local Federal Security Directors 
and airport officials determine the operational minimum for the number 
of access points?
    Question 3b. Do you think there should there be a National 
definition?
    Answer. The Transportation Security Administration (TSA) has not 
provided a numerical value to the term ``operational minimum.'' Each 
airport has unique operational and geographical considerations that 
must factor into the decision as to how many access points are 
appropriate to achieve an operational minimum. Accordingly, based on 
operational and geographical diversity of airports, varying in size 
from the Los Angeles International Airport to Tupelo Regional Airport, 
a Nationally-driven numeric value is not feasible. For that reason, 
there is no definition for operational minimum, and TSA currently does 
not plan to create one.
    TSA believes that the Federal Security Director (FSD) at each 
airport, working in coordination with airport officials, is in the best 
position to determine the operational minimum number of access points 
for that airport.
    TSA has directed FSDs to work with airport operators to further 
review the minimum number of access points to ensure they are at the 
operational minimum, and to include that information in the airport's 
Airport Security Programs.
    Question 4. The Aviation Security Advisory Committee recommended 
updating the list of disqualifying criminal offenses for SIDA badge 
holders. What criminal offenses do you think should be added or removed 
from the list?
    Answer. See response, Question 5.
    Question 5. In your testimony, you stated that individuals who have 
committed a statutorily-defined disqualifying offense within the 
preceding 10 years are not eligible for a SIDA badge. Do you think the 
10-year look back period is adequate? How feasible is to look back to 
age 18 for disqualifying offenses?
    Answer. TSA will require additional time to review the current list 
of disqualifying crimes and any new criminal offenses that should be 
considered to disqualify individuals from receiving a SIDA badge. 
Additionally, TSA will need more time to evaluate the 10-year look-back 
period to consider whether changes are warranted. Any updates to the 
list of disqualifying offenses or the length of the look-back period 
will likely require legislative and rule-making changes.
    Question 6a. Is TSA considering creating a National database for 
airport employees?
    Could it be modeled after the Federal Aviation Administration's 
database of individuals who hold some type of certificate (pilots, 
mechanics, etc.)?
    Question 6b. How quickly could such a database be created?
    Answer. TSA has a database of all airport employees for whom TSA 
has completed a security threat assessment (STA). TSA's system contains 
the biographic information these workers submitted to TSA as part of 
their STA and application for an airport credential which if approved, 
would afford access to airport secured areas. TSA is reviewing 
technical, regulatory, civil rights and civil liberties, and privacy 
issues related to implementing a National database that would be used 
for other purposes or accessed by other entities. When TSA has 
determined what, if any, legal or operational impediments exist, we can 
determine how long implementation would take.
    Question 7. Is TSA creating a National anonymous tip line for 
employees to report suspicious behaviors? If so, what is the time frame 
for doing so? Which office would be responsible for investigating the 
complaints?
    Answer. Yes, the Transportation Security Administration (TSA) has 
created a National anonymous tip line for employees to report 
suspicious behavior.
    The anonymous tip line, 844-MY-ARPRT (844-692-7778), began 
operation on May 26, 2015, when materials about the tip line were 
delivered to the airports.
    The Tip Line is routed to the TSA's Call Center. The caller will be 
informed that he/she has reached the TSA Call Center. Once the caller 
presses ``2'' to report a security threat, the call is then forwarded 
to the Watch Desk at the TSA's Transportation Security Operations 
Center (TSOC). The Watch Desk is staffed 247.
    TSOC will refer the information to the appropriate office for 
further investigation.
        Questions From Chairman John Katko for Jeanne M. Olivier
    Question 1. What is the feasibility of mandating a percentage of 
airport employees that must be randomly screened daily at airport 
access points? If feasible, what do you think that percentage should 
be?
    Answer. Mandating a fixed percentage of airport employees to be 
screened would limit the Transportation Security Administration's (TSA) 
and airport operators' ability to implement a risk-based and random 
screening methodology. A cornerstone of risk-based security is the 
continuous reevaluation of processes and protection measures in light 
of changing vulnerabilities, better understanding of risks, 
availability of new technologies, and the evolution of industry 
business practices. TSA and airport operators need the flexibility and 
agility to respond to not only changing operational needs but also 
changing threats and vulnerabilities--which would be hampered by a 
mandated percentage for employee screening. Rather, the ASAC working 
group recommends establishing a science-based methodology to determine 
``randomness'' in the context of employee screening at airport access 
points.
    It is critical from a security and resource perspective that risk 
mitigation efforts remain intelligence-driven, balanced, and effective. 
In a world of limited resources, we are concerned that placing so much 
emphasis on one approach--such as screening a certain percentage of 
employees--could divert significant funding from other critical 
security functions that are currently producing significant benefits.
    Question 2. Is there an industry definition of ``operational 
minimum'' as the term pertains to access points for employees at 
airports? If so, what is that definition?
    Answer. There is not an industry definition of ``operational 
minimum.'' It is defined on a facility-by-facility, and often even 
terminal-by-terminal, basis in conjunction with air carriers, tenants, 
and TSA. Under current regulation, airport operators have already 
worked to reduce access points to an operational minimum and also 
segment which employee populations can use certain access points and 
when. Airport operators must also factor safety concerns into the 
determination of ``operational minimum,'' often needing to keep access 
points active to meet fire code regulations and provide access or 
egress for emergency response. Condition changes, such as terminal 
modifications and flight schedule changes, may also provide 
opportunities for further reduction of access points. As a result, 
airport operators continuously monitor the need and utilization of each 
access point.
    Question 3. In your opinion, what are the best and most effective 
options for each access point to ensure the integrity of the security 
apparatus?
    Should there be a minimum threshold of technology (i.e. biometrics, 
CCTV) and physical screening?
    Answer. Each access point should have the security apparatus needed 
to provide an agile screening response based on intelligence and a 
risk-based methodology that would result in all airport employees 
having the expectation of being screened. We would be reluctant to 
impose a specific requirement or standard for access portals because of 
the different uses, layouts, and populations using each of the access 
points.
    Again, risk-based security provides for the continuous reevaluation 
of processes and protection measures in light of changing 
vulnerabilities, better understanding of risks, availability of new 
technologies, and the evolution of industry business practices. TSA and 
airport operators need the flexibility and agility to respond to not 
only changing operational needs but also changing threats and 
vulnerabilities--which would be severely hampered by a mandated minimum 
threshold of technology at each and every access point. Security 
resources, whether measured in terms of infrastructure or personnel, 
provide a higher degree of risk mitigation when used in random and 
unpredictable ways, consistent with risk-based security. Static 
security measures, such as physical screening done at the same place at 
the same time with the same technology, can be studied, tested, and 
more easily circumvented than those that are dynamic and less 
predictable. No single measure can provide broad-spectrum protection 
against risks or adversaries. Therefore, risk-based, multi-layered 
security offers the greatest ability to mitigate risks through the 
application of flexible and unpredictable measures to protect 
commercial aviation. This also creates the expectation for airport 
employees that they can be screened at any time and any place.
    Once again, it is critical from a security and resource perspective 
that risk mitigation efforts remain intelligence-driven, balanced, and 
effective. In a world of limited resources, we are concerned that 
placing so much emphasis on one approach--such as screening a certain 
percentage of employees--could divert significant funding from other 
critical security functions that are currently producing significant 
benefits.
    Question 4. The Aviation Security Advisory Committee recommended 
updating the list of disqualifying criminal offenses for SIDA badge 
holders. What criminal offenses do you think should be added or removed 
from the list?
    Answer. A comprehensive review of the list of disqualifying crimes 
is needed in order to adequately answer this question. The review of 
disqualifying criminal offenses should be done in the context of 
determining that an individual can be trusted to perform his or her job 
and responsibilities in a manner that poses no threat of intentional 
harm to themselves or others while in the secure areas of airports with 
access to aircraft. The review should ensure that the existing list of 
disqualifying criminal offenses is comprehensive enough to address the 
current threat environment and to address changes within today's legal 
system. Specific areas of review should include making a distinction 
between a charge and a conviction (since many serious crimes are plead 
down to non-disqualifying convictions), identifying patterns of 
misdemeanors or other non-disqualifying criminal offenses, and 
expanding the limited look-back period and variances in look-backs from 
the date of application instead of the sentence-release date, and 
increasing the potential for permanent disqualifying criminal offenses. 
The disqualifying criminal offenses should also be referenced against 
other similar programs operated by DHS, U.S. Customs and Border 
Protection, United States Postal Service, and Department of 
Transportation.
    By regulation, airport operators are responsible for adjudication 
of the criminal history records check, which allows airport operators 
to know more about individuals that have access to their facilities. It 
is critical that airport operators maintain the responsibility for 
reviewing each and every applicant's criminal record prior to making a 
determination about their suitability for being granted unescorted 
access privileges. For example, in some cases, an individual is 
eligible under the list of disqualifying criminal offenses; however, 
the individual may require further scrutiny or at least situational 
awareness for the Airport Security Coordinator. In addition, some 
airport operators have adopted local regulations/ordinances and used 
other practices to add disqualifying crimes beyond those listed in the 
Federal regulation. TSA published Legal Guidance on Criminal History 
Records Checks (dated May 28, 2004) that states, ``In addition to the 
disqualifying offenses set forth in the CHRC statute and regulations, a 
credentialing authority may apply its own criteria in making a decision 
to grant or deny unescorted access authority.'' Consequently, airports 
have added various processes to enhance their vetting practices. It 
would be helpful for airport operators to have the regulatory support 
for suspending or revoking access privileges if a current badgeholder 
is arrested for a disqualifying or serious crime.
    Question 5a. In your opinion, are there any impediments to creating 
a National database for airport employees?
    Do you think it could it be modeled after FAA's database of 
individuals that hold some type of certificate (pilots, mechanics, 
etc.)?
    Question 5b. How quickly do you think it could it be created?
    Answer. Given the transitory nature of aviation workers, a National 
database--maintained by TSA but available to all airport operators--of 
employees who have had their SIDA badges revoked would provide yet 
another security enhancement. Such a database would eliminate the 
potential for an employee whose unescorted access privileges were 
revoked because of security violations at one airport from transferring 
to another airport and being granted unescorted access privileges. This 
models best practices in other industries that maintain databases of 
sensitive information for reference purposes and suitability concerns.
    The relevant information is already reported by airport operators 
to TSA which should facilitate a relatively quick creation of such a 
database. The biggest obstacles to implementation are likely addressing 
privacy and legal concerns on behalf of airport employees, providing 
airport operators access to such a database (which is key to its 
value), determining exactly what information will be included in the 
database (revoked badges, badges not issued, etc.), establishing a 
redress process for airport employees and allocating TSA resources for 
the database creation.
    Question 6. Do you think the Aviation Security Advisory Committee 
(ASAC) should produce an annual report on airport access control 
security and employee screening?
    Answer. As we stated in the cover letter for the final ASAC report 
on airport access control, we stand ready to provide additional 
assistance to TSA on the issue of airport access control security and 
employee screening. In particular, it is important that TSA work with 
the ASAC and industry on the implementation of the recommendations. 
Some recommendations, like the review of the list of disqualifying 
criminal offenses, need additional study and review which the ASAC 
working group could not do in the limited 90-day time frame. Other 
recommendations, like the use of the FBI RapBack program for recurrent 
criminal history record checks, require industry input to accelerate 
current TSA time lines for implementation. At a minimum, it would be 
prudent for ASAC to produce a follow-up report in a year's time to 
assess implementation of the recommendations as well as a review of the 
adequacy of airport access control security measures after such 
implementation of the recommendations.

                                 [all]