[House Hearing, 112 Congress] [From the U.S. Government Publishing Office] ACCESS CONTROL POINT BREACHES AT OUR NATION'S AIRPORTS: ANOMALIES OR SYSTEMIC FAILURES? ======================================================================= HEARING before the SUBCOMMITTEE ON TRANSPORTATION SECURITY of the COMMITTEE ON HOMELAND SECURITY HOUSE OF REPRESENTATIVES ONE HUNDRED TWELFTH CONGRESS SECOND SESSION __________ MAY 16, 2012 __________ Serial No. 112-91 __________ Printed for the use of the Committee on Homeland Security [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Available via the World Wide Web: http://www.gpo.gov/fdsys/ __________ U.S. GOVERNMENT PRINTING OFFICE 78-151 PDF WASHINGTON : 2013 ----------------------------------------------------------------------- For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop SSOP, Washington, DC 20402-0001 COMMITTEE ON HOMELAND SECURITY Peter T. King, New York, Chairman Lamar Smith, Texas Bennie G. Thompson, Mississippi Daniel E. Lungren, California Loretta Sanchez, California Mike Rogers, Alabama Sheila Jackson Lee, Texas Michael T. McCaul, Texas Henry Cuellar, Texas Gus M. Bilirakis, Florida Yvette D. Clarke, New York Paul C. Broun, Georgia Laura Richardson, California Candice S. Miller, Michigan Danny K. Davis, Illinois Tim Walberg, Michigan Brian Higgins, New York Chip Cravaack, Minnesota Cedric L. Richmond, Louisiana Joe Walsh, Illinois Hansen Clarke, Michigan Patrick Meehan, Pennsylvania William R. Keating, Massachusetts Ben Quayle, Arizona Kathleen C. Hochul, New York Scott Rigell, Virginia Janice Hahn, California Billy Long, Missouri Vacancy Jeff Duncan, South Carolina Tom Marino, Pennsylvania Blake Farenthold, Texas Robert L. Turner, New York Michael J. Russell, Staff Director/Chief Counsel Kerry Ann Watkins, Senior Policy Director Michael S. Twinchek, Chief Clerk I. Lanier Avant, Minority Staff Director ------ SUBCOMMITTEE ON TRANSPORTATION SECURITY Mike Rogers, Alabama, Chairman Daniel E. Lungren, California Sheila Jackson Lee, Texas Tim Walberg, Michigan Danny K. Davis, Illinois Chip Cravaack, Minnesota Cedric L. Richmond, Louisiana Joe Walsh, Illinois, Vice Chair Vacancy Robert L. Turner, New York Bennie G. Thompson, Mississippi Peter T. King, New York (Ex (Ex Officio) Officio) Amanda Parikh, Staff Director Natalie Nixon, Deputy Chief Clerk Vacant, Minority Subcommittee Lead C O N T E N T S ---------- Page STATEMENTS The Honorable Mike Rogers, a Representative in Congress From the State of Alabama, and Chairman, Subcommittee on Transportation Security....................................................... 1 The Honorable Sheila Jackson Lee, a Representative in Congress From the State of Texas, and Ranking Member, Subcommittee on Transportation Security........................................ 12 The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Ranking Member, Committee on Homeland Security.............................................. 2 WITNESSES Panel I Mr. John P. Sammon, Assistant Administrator, Office of Security Policy and Industry Engagement, Transportation Security Administration: Oral Statement................................................. 3 Prepared Statement............................................. 5 Mr. Charles K. Edwards, Acting Inspector General, Department of Homeland Security: Oral Statement................................................. 7 Prepared Statement............................................. 8 Panel II Mr. Mark Crosby, Chief of Public Safety and Security, Portland International Airport, Testifying on Behalf of The American Association of Airport Executives: Oral Statement................................................. 33 Prepared Statement............................................. 35 Mr. Sean P. Cassidy, First Vice President, Air Line Pilots Association, International: Oral Statement................................................. 39 Prepared Statement............................................. 41 Mr. William H. Swift, Chairman, Airport Minority Advisory Council: Oral Statement................................................. 45 Prepared Statement............................................. 47 ACCESS CONTROL POINT BREACHES AT OUR NATION'S AIRPORTS: ANOMALIES OR SYSTEMIC FAILURES? ---------- Wednesday, May 16, 2012 U.S. House of Representatives, Subcommittee on Transportation Security, Committee on Homeland Security, Washington, DC. The subcommittee met, pursuant to call, at 10:03 a.m., in Room 311, Cannon House Office Building, Hon. Mike Rogers [Chairman of the subcommittee] presiding. Present: Representatives Rogers, Lungren, Walberg, Cravaack, Turner, Jackson Lee, Thompson, Davis, and Richmond. Mr. Rogers. The Committee on Homeland Security, Subcommittee on Transportation Security will come to order. The committee is meeting today to receive testimony on secure area access control points at our Nation's airports. I would like to welcome everybody to this hearing and thank our witnesses. We look forward to your testimony and greatly appreciate the time and effort that you had to put into preparing for these hearings. Securing our Nation's aviation system requires 100 percent accuracy. Our enemies could exploit any weaknesses in the system. The many reports of security breaches and unauthorized access to the tarmac are extremely troubling and continue to underscore the need to strengthen our access controls. We must make certain that the billions of taxpayer dollars we spend screening passengers is not wasted if systematic vulnerabilities exist through the back doors of our airports that could lead to attack. I look forward to questioning TSA and its partners about the measures in place to not only physically protect our airports, but also to ensure that employees with sterile-area access have been thoroughly vetted and do not pose a threat. A secure airport requires the coordination and cooperation of a range of stakeholders. When a breach occurs, it is incumbent on both TSA and its partners to evaluate what went wrong and take immediate steps to mitigate or eliminate the vulnerability. What concerns me is that we had such a large number of breaches occurring, it is hard to believe that these do not reflect some larger systematic problem. In October 2011, a local news station in Atlanta investigated the access control procedures at Atlanta International Airport after a whistleblower contacted the station. The whistleblower, an employee of an airline catering company, was able to capture on video a company employee swiping his badge to let another person in a secure area, allegedly without that person having the necessary credentials to pass through. The video also revealed that an employee was able to put unauthorized juice containers onto several carts as inspectors from the company responsible for inspecting all food containers loaded onto an aircraft, stood nearby without doing anything. The Aviation and Security Transportation Security Act requires all supplies put on an airplane to be sealed to ensure easy visual detection of tampering. However, the video showed rows of unsealed catering carts on the dock and in trucks waiting to be loaded onto flights. While we can all hope that this is an isolated incident at Atlanta Airport, this is more than likely indicative of a broader, more pervasive problem affecting airports Nation-wide. In another recent case, a civilian vehicle crashed through an airport gate and drove onto a taxiway near a busy runway at Philadelphia International Airport. According to sources, the vehicle drove past a Philadelphia police officer in a patrol car and two airport employees. Thankfully in these two examples there was no harm done. However, we may not always be so lucky. With a huge financial cost to taxpayers, we frankly expect better from TSA and others who are responsible for securing our aviation system. Finally, I cannot stress enough how disturbing it is that DHS and the Office of the Inspector General reported just this week that over half of all security breaches that occur at airports are never properly reported to TSA headquarters. In addition, only half of all incidents result in some corrective action. Mr. Sammon, these are sobering findings. I am eager to receive testimony today from the acting DHS IG about the report and the recommendations that TSA will need to address going forward. With that I now recognize the Ranking Member of the full committee, the gentleman from Mississippi, for any opening statement he may have. Mr. Thompson. Thank you very much, Mr. Chairman. No agency in the Federal Government has a more central role in securing our aviation system than TSA. Accordingly, it is essential that TSA have the necessary processes and protocols in place to secure our aviation systems. These processes and protocols must include ensuring the integrity of airport perimeters by securing access controls and providing comprehensive and sufficient guidance to airport operators. In March, the media reported on an individual who drove a truck onto the runway at the Philadelphia Airport. Last year, we learned of the tragic case of a young man who breached the airport perimeter and became a stowaway in a wheel well of a plane. While none of these people involved in these cases had any terrorist intentions, each case should have been put on notice that the grounds surrounding the airport must be considered in airport vulnerability assessments. To accomplish that, TSA must establish a single comprehensive definition of what constitutes a security breach. Failing to establish such a definition leads to inconsistent and subjective reporting. Without a clear understanding of the types of breaches occurring at our airports, TSA cannot make any reasonable conclusions about the kinds of security enhancements that should be broadly implemented. But in a system of layered security, perimeter security must be complemented with other measures. An equally important component of layered security environment is ensuring that only properly vetted people can gain access to the secured areas of the airport and access to aircraft and field operations. The vetting process should not be a burden to individuals or businesses, but it must enhance the security of the airport. I look forward to hearing from our second panel of witnesses on how TSA's vetting process is working today. Mr. Chairman, thank you for holding this hearing, and I yield back. Mr. Rogers. I thank the gentleman. Other Members of the committee are reminded that opening statements may be submitted for the record. We are pleased today to have several distinguished witnesses before us on this important topic. Let me remind the witnesses that their entire written statements will appear in the record. Our first witness, Mr. John Sammon, currently serves as assistant administrator for the Office of Security Policy and Industry Engagement at TSA. We appreciate Mr. Sammon for appearing once again before this committee. The Chairman now recognizes Mr. Sammon for his opening statement. STATEMENT OF JOHN P. SAMMON, ASSISTANT ADMINISTRATOR, OFFICE OF SECURITY POLICY AND INDUSTRY ENGAGEMENT, TRANSPORTATION SECURITY ADMINISTRATION Mr. Sammon. Good morning Chairman Rogers, and Mr. Thompson, and the distinguished Members of the subcommittee. I appreciate the opportunity to appear before you today to discuss the Transportation Security Administration's responsibility regarding access control at U.S. commercial airports. Every airport and airline has a security plan of which access control is an important piece. While TSA is responsible for approving the plan and inspecting airport compliance with the plan, airport authorities and airlines are responsible for carrying out the plan. TSA sets standards, conducts inspections associated with access control including badging, perimeter security, and testing of access control processes at airports. TSA analyzes the results of these inspections and assessments to develop mitigation strategies that enhance an airport security posture and to determine if any changes are needed. Every commercial airport receives an annual security inspection to include an assessment of perimeter and access controls. While the current badging process was put in quickly after 9/11 thanks to the work of AAAE, TSA, and the Nation's airports, TSA issued security directive 1542-08G in 2009 to address a number of badging process deficiencies to include identity verification and work authorization, document authentication, standardized 2-year badge renewal requirements, requirements to return and reactivate expired badges, recordkeeping requirements, documentation requirements for naturalized and non-U.S. citizens, enrollment process audits, and expanded the covered populations. While that directive improved the badging process, TSA has written a regulation called the Universal Rule that addresses many of the gaps left by that security directive, and also concerns that have been raised by the DHS inspector general. Specifically that rule will provide for trusted enrollment agents to identify verification and document inspection and collection; more uniform, more stringent, and recurrent training for enrollment agents; one uniform enrollment process; data that will be entered directly into the TSA system for adjudication; TSA up-front edits for completeness and accuracy of data; identity documents scanning the TSA; identity documents verification by TSA; criminal history records check every 5 years which is consistent with other Federal background checks; strengthen ID verification and immigration standards, including documentary evidence of U.S. citizenship. It will be a person-centric versus an airport-centric system--enroll once and use many times in different fields. Instant access to the data by TSA inspectors, and it will be much more enforceable than what we have today. That rule is currently being reviewed within the administration, and we hope to issue it for comments later this year. In the mean time, TSA will be stepping up inspection efforts to close gaps in existing process. In terms of breaches, the DHS inspector general recently released a report on airport breaches. That report had two recommendations. The first was to define and use one comprehensive definition of what constitutes a security breach, and ensure the guidance is clearly understood and used throughout the agency. The second recommendation was to develop a comprehensive oversight program for reporting and corrective actions. TSA concurred with the recommendations, and the inspector general found that TSA's planned actions sufficiently addressed the two recommendations in this report. TSA's goal is to work with airport authorities and airlines in our shared responsibilities to stay ahead of evolving terrorist threats while protecting passengers' privacy and facilitating the efficient flow of travelers and legitimate commerce. TSA's airport control initiatives are one part of that comprehensive effort. I want to thank the committee for the opportunity to discuss this important issue. I am pleased to answer any questions you may have. [The statement of Mr. Sammon follows:] Prepared Statement of John P. Sammon May 16, 2012 Good afternoon Chairman Rogers and Ranking Member Jackson Lee and distinguished Members of the subcommittee. Thank you for the opportunity to testify today about the Transportation Security Administration's (TSA) successes and challenges in developing and implementing a comprehensive risk-based approach to secure our Nation's transportation systems, including the management of airport access controls. In 2011, the Transportation Security Administration's 50,000 Transportation Security Officers screened more than 603 million passengers at 450 airports across the country and stopped more than 125,000 prohibited items at airport checkpoints. Of those items, more than 1,300 were firearms. TSA employs risk-based, intelligence-driven operations to prevent terrorist attacks and to reduce the vulnerability of the Nation's transportation system to terrorism. TSA protects the Nation's transportation systems to ensure freedom of movement for people and commerce. TSA's security measures create a multi-layered system of transportation security that mitigates risk. In partnership with airport operators, airlines and local law enforcement agencies, TSA secures our Nation's commercial airports through a variety of programs that create layers of security. These measures include a focus on preventing and detecting the unauthorized entry, presence, and movement of individuals and ground vehicles into and within the Airport Operations Areas (AOA) and the secured area of an airport. risk-based security TSA is committed to focusing resources on higher-risk aviation passengers, while speeding the travel of lower-risk populations, and we have made significant progress transforming TSA's approach to aviation security away from a one-size-fits-all paradigm. We continue to evolve our security approach by examining the procedures and technologies we use, how specific security procedures are carried out, and how screening is conducted. TSA's risk-based and intelligence-driven Security Playbook program strengthens the transportation security environment by increasing unpredictability and providing additional layers of security. This program employs security measures at direct access points and airport perimeters and uses a variety of resources and equipment to conduct screening of individuals and vehicles entering the AOA. Examples of the security measures that may be employed at direct access points and airport perimeters include: Vehicles inspections, explosive trace detection (EDT) of individuals and property, enhanced screening, accessible property searches, and ID/media verifications, as well as behavior detection. Following are some of the concrete steps we have taken to implement key components of the agency's intelligence-driven, risk-based approach to security, advancing the agency toward the ultimate goal of becoming a high performing counterterrorism agency that provides the most effective security in the most efficient way possible. known crewmember We hold airline pilots responsible for the safety of the traveling public every time they fly a plane. It makes sense to treat them as our trusted partners. To build on our risk-based approach to security, we are currently conducting a pilot where TSA security officers positively verify the identity and employment status of airplane pilots, which enables the pilots to receive expedited access through the checkpoint. The Known Crewmember program is the result of a collaborative effort between the airline industry, pilots, and TSA, which currently allows uniformed pilots from 28 airlines in ten airports to show two forms of identification. After evaluating operational data from ten airports, and through much discussion with industry representatives, we are planning to expand the Known Crewmember solution to more airports this calendar year. tsa precheck expedited passenger screening Perhaps the most widely known risk-based security enhancement we are putting in place is TSA PreCheckTM. Since first implementing this initiative in the fall of 2011, the program has been expanded to 14 airports and over 1,000,000 passengers around the country have experienced expedited security screening through TSA PreCheckTM. Under TSA PreCheckTM, travelers volunteer information about themselves prior to flying. TSA pre-screens TSA PreCheckTM passengers each time they fly through participating airports. If the indicator embedded in their boarding pass reflects eligibility for expedited screening, the passenger is able to use the TSA PreCheckTM lane. TSA PreCheckTM travelers are able to divest fewer items, which may include leaving on their shoes, jacket, and light outerwear, and may enjoy other modifications to the standard screening process. As always, TSA continues to incorporate random and unpredictable security measures throughout the security process, and at no point are TSA PreCheckTM travelers guaranteed expedited screening. Currently, eligible participants include certain frequent flyers from Alaska Airlines, American Airlines, and Delta Air Lines, as well as existing U.S. citizen members of U.S. Customs and Border Protection's (CBP) trusted traveler programs, such as Global Entry, flying domestically on participating airlines. TSA is actively working with other major air carriers to expand both the number of participating airlines and the number of airports where expedited screening through TSA PreCheckTM is provided. In February 2012, Secretary Napolitano and TSA Administrator Pistole announced the goal to have TSA PreCheckTM rolled out and operating at 35 of the busiest domestic airports by the end of 2012. TSA has expanded the TSA PreCheckTM population to include active duty U.S. Armed Forces members with a Common Access Card (CAC) traveling out of Ronald Reagan Washington National Airport. Similar to other PreCheckTM travelers, service members always undergo the standard TSA Secure Flight pre-screening. If we are also able to verify the service member is in good standing with the Department of Defense, by scanning their CAC card at the airport, they will receive TSA PreCheckTM expedited screening benefits. credential authentication technology/boarding pass scanning system TSA is also employing technology to automatically verify boarding passes, and provide TSA with a greater ability to identify altered or fraudulent passenger identification documents. This technology, known as Credential Authentication Technology--Boarding Pass Scanning Systems (CAT-BPSS), will eventually replace the current procedure used by security officers to detect fraudulent or altered documents. CAT-BPSS enhances security and increases efficiency by automatically comparing a passenger's ID and boarding pass to a set of security features to concurrently seek to identify indicators of fraud and ensure that the information on both documents match. The system can screen a wide range of travel documents. TSA began testing the technology in July 2011 and has begun evaluations at select airports. strengthening access control Effective access control at our Nation's airports is vital to ensure the safety of the traveling public. The regulatory compliance inspector workforce routinely conducts access control tests as directed by the National compliance work plan. Access control procedures are reviewed and tested at all areas where access may be gained to non- public areas of the airport to include the air operations area and the Secure Identification Display Area (SIDA)/Secure areas. Access control measures can range from simple lock and key control to biometric devices that may require a scan of your fingerprint or iris to make positive identification of individuals trying to gain entry into the secure airport environment. Inspectors use different methods to try and defeat or compromise various access control devices as part of their regular duties. If any weaknesses are discovered, they are communicated to the airport operator immediately so that corrective measures can be implemented. TSA also conducts on-going and comprehensive airport inspections to enhance security and mitigate risk associated with access control and perimeter integrity, including Joint Vulnerability Assessments, Special Emphasis Inspections, and the testing of access control processes at airports. TSA analyzes the results of these inspections and assessments to develop mitigation strategies that enhance an airport's security posture, and to determine if any changes are required. TSA also works in collaboration with airport operators to identify effective best practices across the industry regarding access control and perimeter security. conclusion Thank you for the opportunity to appear before you today to discuss TSA's efforts in securing our Nation's transportation system in the most effective and efficient manner possible. Mr. Rogers. Thank you, Mr. Sammon, for your testimony. We appreciate you being here today. Our second witness is Mr. Charles Edwards. He is the acting inspector general of the Department of Homeland Security. Mr. Edwards has appeared before this subcommittee on a range of important topics, and the Chairman now recognizes him for his opening statement. STATEMENT OF CHARLES K. EDWARDS, ACTING INSPECTOR GENERAL, DEPARTMENT OF HOMELAND SECURITY Mr. Edwards. Good morning, Chairman Rogers, Ranking Member Jackson Lee, Ranking Member Thompson, and Members of the subcommittee. Thank you for inviting me to testify today regarding access controls at our Nation's airports. I will present the results of three audits we have conducted in the past year on this topic. We looked at TSA's oversight of the process for determining whether an individual may be issued a badge granting unescorted access to secure areas of an airport, TSA's oversight of physical access controls at airports, and third, we looked at TSA's oversight of the reporting and collection of information about security breaches at individual airports. We found that TSA's oversight of the process for screening employees, prior to giving them an access or security badge, did not ensure that the employees are fully screened. We analyzed data from 359 airport badging officers and identified badge holder records with omissions or inaccuracies pertaining to security threat assessment status, birth dates, and birth places. For example, our analysis identified an individual with badges issued at three airports. Each badge showed a different birthplace. We believe these problems exist because TSA's oversight of the process does not ensure the airports use sufficient quality assurance measures, such as checking the applications and data entry for accuracy and completeness, or provides sufficient training and tools to badge office employees. TSA also does not require its own transportation security inspectors to verify the badge holder data during the review of airports. We did identify several airports with best practices in the badging review process. We have provided details of those practices to TSA to share with all airports across the country. TSA also does not require airports to conduct a recurring criminal history records check of current security badge holders. Passing an initial criminal history check does not preclude employees from engaging in subsequent criminal activity and presenting an insider threat. For example in 2007, it was discovered that a customer service officer with no prior record had agreed to smuggle money and illegally export weapons and military equipment to a foreign country. TSA concurred with five of our recommendations from this audit, and concurred in part with an additional recommendation. In a separate audit we conducted covert testing to determine if unauthorized individuals could gain access to secured airport areas. Our audit identified areas of concern. However, the detailed results of our tests are classified. We have shared the classified results with this and other appropriate Congressional committees, TSA staff, and Department officials. The third audit looked at TSA's ability to identify and track security breaches. For the purposes of the audit, we identified an airport security breach as an individual gaining access to an unauthorized area without submitting to all screening, inspections, and detection according to TSA's standard operating procedures. For example, a person sticking to an exit lane to get around a checkpoint would be considered a security breach. Some of the results of our testing have been designated sensitive security information and cannot be included in this testimony. It can be stated, however, that even though TSA has several programs to report and track identified security breaches, it does not have a comprehensive oversight program to gather information about all security breaches at airports across the Nation, and therefore cannot use the information monitor trends or make improvements. TSA does not provide needed guidance and oversight to ensure that all breaches are consistently reported, tracked, and corrected. We determined that only 42 percent of the security breaches be reviewed in individual airport files but reported to TSA's official records. For example, a person entered through a security gate with a handwritten boarding pass, but was not reported TSA's official records as a security breach incident. Further, our review of airport records identified corrective actions being taken for only 53 percent of the security breaches in airport files. We made two recommendations. TSA concurred with both and started taking action to implement them. In conclusion, despite the billions of dollars spent on multiple layers of aviation security since September 11, 2001, issues remain. Our recent reports have included best practices and recommendations to address those vulnerabilities. TSA has agreed to make changes to improve the effectiveness of its efforts to protect the traveling public. Mr. Chairman, this concludes my prepared remarks. I thank you again for the opportunity to testify before this committee. [The statement of Mr. Edwards follows:] Prepared Statement of Charles K. Edwards May 16, 2012 Good morning Chairman Rogers, Ranking Member Jackson Lee, and Members of the subcommittee: I am Charles Edwards, Acting Inspector General for the Department of Homeland Security (DHS) Office of Inspector General (OIG). Thank you for inviting me to testify today about the results of our audits regarding the Transportation Security Administration's (TSA) access controls at our Nation's airports. Since the events of September 11, 2001, TSA has spent billions of dollars on multiple layers of aviation security and relies on those layers of security to ensure the safety of the traveling public. My testimony today will present the results of three recent audits of aspects of TSA's oversight of security at our Nation's airports.\1\ Specifically, I will address TSA's oversight of the process to vet airport, or airport vendor, employees prior to giving them badges that allow unescorted access to secure areas; TSA's oversight of airports' physical access controls; and last, I will summarize our evaluation of TSA's collection of security breach information which should be used to identify and correct potential vulnerabilities. --------------------------------------------------------------------------- \1\ The information provided in this testimony is contained in the following reports: TSA's Oversight of the Airport Badging Process Needs Improvement (OIG-11-95); Covert Testing of Access Controls to Secured Airport Areas (OIG-12-26); and Transportation Security Administration's Efforts To Identify and Track Security Breaches at Our Nation's Airports (OIG-12-80). --------------------------------------------------------------------------- airport badging process \2\ --------------------------------------------------------------------------- \2\ TSA's Oversight of the Airport Badging Process Needs Improvement (OIG-11-95). --------------------------------------------------------------------------- We evaluated TSA's oversight of the process for issuing airport security badges. These badges allow an individual unescorted access to secure airport areas, including:Sterile Area.--A portion of an airport, defined in the airport security program, that provides passengers access to boarding aircraft, and to which the access is generally controlled by TSA through the screening of persons and property. Air Operations Area (AOA).--A portion of an airport that includes aircraft movement areas, loading ramps, and safety areas for use by aircraft. Security Identification Display Area (SIDA).--A part of the AOA regularly used to load cargo on, or unload cargo from an aircraft. TSA can designate all or portions of the AOA as SIDA. As of the time of our audit fieldwork, there were approximately 890,000 individuals with 1.2 million active badges that had access to secure areas of airports.\3\ --------------------------------------------------------------------------- \3\ Employees could have more than one badge if working for multiple employers at the airport or if working at multiple airports. --------------------------------------------------------------------------- Applicants for these badges are required to undergo a fingerprint- based criminal history records check and have an approved security threat assessment (STA) from TSA before receiving a badge and obtaining unescorted access to secure airport areas. The STA is accomplished by comparing an applicant's information against critical data sets to discern whether the applicant is a threat to transportation or National security. TSA relies on designated airport operator employees as trusted agents to perform the essential functions of the badging process. Their duties consist of collecting, verifying, and inputting applicant data used for the STA process and fingerprinting applicants for the Criminal History Records Check. Airport operator employees are responsible for ensuring that the badge application is complete with the required biographical and fingerprint data for the STA. Critical data processed from the application includes full legal name, date of birth, place of birth, passport number, and alien registration number. Airports are responsible for ensuring that badges are issued only to qualified applicants, and must account for and manage all active and deactivated badges. TSA has the statutory responsibility for requiring individuals with unescorted access to secure areas of the airport to be properly vetted, or checked. TSA fulfills this responsibility through its Threat Assessment and Credentialing adjudication service, which completes the STAs for applicants and provides oversight of the airports' processes through its Transportation Security Inspectors. Individuals who pose a threat to airport security may be able to obtain badges and gain access to secured airport areas. We evaluated a database of information on active badges at 359 airports. We identified a number of badges issued with one or more instances of omissions or inaccuracies of key applicant data used for vetting, such as STA status, birthdates or birthplaces.\4\ Many of the omissions or inaccuracies pertained to critical information used for vetting. For example, one applicant was listed as having three active badges at three different airports. The applications for this individual reflected three different places of birth: The United Kingdom, Ukraine, and the United States. With inaccurate information on place of birth, TSA was unable to accurately vet the applicant, yet the three airports issued the requested badges.\5\ --------------------------------------------------------------------------- \4\ The exact number of discrepancies we identified is Security Sensitive Information and cannot be disclosed in publicly available documents. \5\ We followed up on this individual's information. He is a United States citizen and all three badging application files contained copies of his passport identifying the United Kingdom as his place of birth. --------------------------------------------------------------------------- We believe these problems exist because the design and implementation of TSA's oversight of the application process is limited. Specifically, the agency did not ensure that airport operators have quality assurance procedures for the badging application process; ensure that airport operators provide training and tools to designated badge office employees; and require its TSA Inspectors to verify the airport data during their reviews. Quality assurance.--TSA does not ensure that airport operators have quality assurance procedures to safeguard the completeness and accuracy of the vetted data. For example, TSA does not require, and most airports do not have, different individuals verifying the entry of an applicant's information into the vetting process. Having separate individuals verifying the information would likely enhance the detection of missing or inaccurate information, such as a missing place of birth or a transposition in a date of birth. In our audit work, we found an airport that had several procedures in place that could be considered ``best practices,'' such as conducting on-site badge audits annually; using a supervisory review checklist to ensure that at least two agents handle each application; using equipment to check identification; and using local police to run criminal investigation checks on badge applicants. Other best practices include: (1) One airport used daily system- generated reports to identify and resolve potential problems with active badge holders; (2) another airport had a Memorandum of Understanding with U.S. Customs and Border Protection to have the agency verify all immigration documents before submitting the information to TSA for vetting; and (3) yet another airport used a supervisory review checklist to ensure that at least two agents have reviewed the application for completeness and accuracy. Training and tools.--In addition to the lack of quality assurance procedures for gathering and inputting the applicant data, TSA also does not always ensure that airports are providing their individuals with proper training and tools. For instance, officials at 12 airports visited did not know what happens to the data once they enter it. These officials were unaware of how data entry errors or transposed numbers related to key identifying elements could create vulnerabilities, be exploited, and provide the wrong individuals access to secured airport areas. TSA also does not ensure airport operator employees are using available tools while performing their duties. Tools such as identification document scanners, ultraviolet lights, and loupes (magnifying lenses) allow employees to more closely inspect a document, which prevents fraud. At 8 of 12 visited airports, these employees had tools available to assist in identifying fraudulent documents, but did not consistently use them. For example, at one airport, there was an identification scanner available, which reads the magnetic strip on a driver's license or State-issued ID to display its validity. One employee admitted to using the scanner only occasionally, but not using the lights and loupes at all. Inspectors verify data.--Regarding the inspection process, TSA Inspectors review the airport badging process during inspections; however, the limited coverage does not ensure vetting information is complete and accurate. Inspectors consult TSA's Handbook and the Performance and Results Information System to use basic questions provided, along with guidance, which is based on regulatory requirements from the CFR and TSA Security Directives. The Handbook does not require Inspectors to verify the information reported to TSA to identify discrepancies with badging information. It simply indicates that the Inspector should ensure that proper documentation has been submitted and returned to the airport operator before an employee is granted unescorted access to secured areas. TSA also does not require Inspectors to review any percentage of files; therefore, inspections of badging office records may be insufficient to determine the airports' compliance with vetting process requirements. Additionally, Inspectors do not always have direct access to the Transportation Security Clearinghouse database and are not required to compare or cross-reference records. This direct access would not only enable Inspectors to verify records for approved STAs timely and take immediate corrective action if necessary, but it would increase inspection effectiveness and efficiency. When our audit findings were presented to airport operators, TSA officials, and Inspectors, more than 100 updates were generated, which airport operators sent to the Transportation Security Clearinghouse. We also provided a list of suspect STAs, which prompted Inspectors to take corrective action at some locations. In fact, Inspectors at one airport revealed numerous badges issued without accurate or complete vetting data and immediately revoked access pending an approved STA. To this end, unless airport operators implement quality assurance procedures for the badging process, the data integrity and vetting results will continue to be questionable. TSA needs to also ensure that airports are providing airport operator employees with the proper training and tools to perform their assigned duties and responsibilities. Furthermore, the agency's inspection activities must be enhanced in order to identify application omissions or inaccuracies for immediate corrective action. covert testing of physical access to secure areas of airport \6\ --------------------------------------------------------------------------- \6\ Covert Testing of Access Controls to Secured Airport Areas (OIG-12-26). --------------------------------------------------------------------------- We conducted covert testing to determine whether TSA's policies and procedures prevent unauthorized individuals from gaining access to secured airport areas. We also identified the extent to which Transportation Security Officers, airport employees, aircraft operators, and contractors are complying with related Federal aviation security requirements. The compilation of the number of tests conducted, the names of the airports tested, and the quantitative and qualitative results of our testing are classified, or designated as Sensitive Security Information. We have shared the information with the Department, TSA, and appropriate Congressional committees. We identified access control vulnerabilities at the domestic airports where we conducted testing. As a result of our testing, we made six recommendations to TSA. TSA concurred with three recommendations, partially concurred with two recommendations, and did not concur with one. TSA continues to conduct significant work in a number of areas to address our recommendations. tsa's efforts to identify and track security breaches \7\ --------------------------------------------------------------------------- \7\ Transportation Security Administration's Efforts To Identify and Track Security Breaches at Our Nation's Airports (OIG-12-80). --------------------------------------------------------------------------- Based on a request from Senator Frank Lautenberg, we conducted an audit into the security breaches at Newark Airport reported in the media. Senator Lautenberg asked the DHS OIG to review the contributing factors that led to the security breaches, TSA's response to the breaches, and the general level of security at the airport. He also requested that we compare the incident rate of breaches at Newark to other airports in the New Jersey/New York region and comparable airports Nation-wide, and that we determine whether corrective action had been taken on the specific security incidents. Our audit objectives were to determine whether TSA at Newark had more security breaches than at other airports; and whether TSA has an effective mechanism to use the information gathered from individual airports to identify measures that could be used to improve security Nation-wide. Some of our results, such as the comparison of the number of incidents at Newark to other airports, have been designated Sensitive Security Information and cannot be included in this testimony. Overall, however, we found that while TSA has several programs and initiatives that report and track identified security breaches, it does not have a comprehensive oversight program in place to gather information about all security breaches and, therefore, cannot use the information to monitor trends or make general improvements to security. We determined that only 42 percent of the security breaches we reviewed in individual airport files were reported in TSA's official record, the Performance and Results Information System (PARIS)\8\ under any category. Additionally, the agency does not provide the necessary guidance and oversight to ensure that all breaches are consistently reported, tracked, and corrected. Our audit work identified corrective action being taken for only 53 percent of the breaches we reviewed. --------------------------------------------------------------------------- \8\ PARIS is TSA's internal reporting system and official record of a security incident and it contains 33 categories of possible incidents. In our audit, we focused on incident reports in three PARIS categories--security breaches, improper/no screening, and sterile area security events. --------------------------------------------------------------------------- While there are varying levels and definitions of security breaches, our audit defined ``security breach'' as an individual or individuals gaining access to the sterile area, specifically at the checkpoint or exit lane, without submitting to all screening, inspections, and detection according to TSA's Standard Operating Procedures. For instance, a person entering the sterile area by sneaking through an exit lane without anyone preventing the entry would be considered a security breach. Security breaches are documented locally by TSA at each airport, and TSA staff is required to report security breaches through PARIS and the Transportation Security Operations Center (TSOC). The TSOC is expected to use this information to identify events occurring at disparate locations throughout the U.S. transportation system that could represent an orchestrated attempt to defeat or circumvent security protocols. We did not determine or evaluate how the TSOC used the information about the security breaches we reviewed. In its response to our audit, TSA reported that it collects thousands of records of incidents and security breaches occurring at airports and other transportation facilities. The agency documents and disseminates the information to the program offices through various channels of reporting, to include the Transportation Security Operations Center, the Executive Summary Report, TSA's Management Controls Program, as well as an Assessment Team that TSA formed in March 2010. TSA concurred with both of our recommendations in this audit report and is taking action to implement the recommendations. Mr. Chairman, this concludes my prepared remarks. I welcome any questions that you or the Members of the subcommittee may have. Mr. Rogers. Thank you, Mr. Edwards. I appreciate that revealing testimony. The Chairman now recognizes the Ranking Member, my friend and colleague from Texas, for her opening statement. Ms. Jackson Lee. Mr. Chairman, thank you so very much. I acknowledge the Members of the committee and the Ranking Member of the full committee. Mr. Chairman, I have been discussing TSA since early this morning, and I thank you for your indulgence, as I made my way back from a discussion on airport security. This is a very important hearing, and I am delighted to collaborate with Chairman Rogers and the full committee on finally getting to this hearing, and particularly hearing both Mr. Sammon and Mr. Edwards together. A little over a year ago, under the direction of the President of the United States, Navy SEALs eliminated the architect responsible for the most horrific terrorist acts against this country. Since September 11, we have made significant progress in securing our transportation system, particularly our aviation sector. Particularly, Mr. Sammon, I made it a point earlier in my discussions that TSA has been a pivotal part of this. Certainly I consider the officers of TSA, TSOs, a crucial front-line component to the fact that we have not had a terrorist incident of catastrophic proportions on our soil. We all know that airports and aviation--and I would add mass transit but in this instance aviation--is a keen and focused target by terrorists tragically, probably yet unborn where individuals would wish to do the American people, but even more the American system and way of life, great damage. We must recognize and proactively address the evolving nature of the threat to aviation to protect the millions of people every year who use commercial aviation. I am told that if we assess the amount of people that TSOs have processed or that enter airports, it would be billions over the last decade, billions plus. In 2011 alone, U.S. Air flew 730 million passengers. Mr. Chairman, when we discuss aviation security we usually think of transportation security officers, pilots, flight attendants, and passengers. However, we must not forget those who work behind the scenes to ensure that these jets are properly stocked and maintained. The mechanics, technicians, and operators play a critical role in the function of our aviation system. Additionally, we must not forget about the small businesses that operate at the airports. By and large, we know great Americans, individuals who would have no interest in doing us harm. The men and women who own, operate, or work at these shops can be a helpful component to a layered security environment, but we know it takes just one person to disrupt this system. The men and women working at our airports and board aircraft must not only have the proper training to be a part of this effort, but they must also undergo proper vetting to ensure that risks are reduced. This is an issue that Nita Lowey and myself worked on in early years about the ingress and egress and the access to the airport and, of course, concern about the perimeter of the airport. I look forward to hearing from our witnesses today and gaining a comprehensive understanding of where we stand with access and control and perimeter security. Earlier this year, the Philadelphia International Airport was a subject of discussion after an individual drove through the airport's metal fence and headed for the runway while a plane was gearing for landing. If we take a survey of our airports, we will see that most of them, unless they are inner city, in city airports, have perimeters that are unattended, that may be wetlands. They are quite attractive for intrusion, for piercing. We have a challenge. We need to address this challenge head-on. Frankly, I want to hear today in our question and answers how TSA plans to address it head-on quickly, expeditiously, and respond to the assessment made by GAO. Unfortunately, this is not the first time an incident like this happened and has threatened passengers at an airport, the one in Philadelphia. Just before this particular incident took place, the media reported that another couple bypassed perimeter security, headed for the runway at Philadelphia International Airport, I am sure innocently, but it happened. Last year, the media reported on a video at Hartsfield Atlanta Airport that showed back doors being opened to allow several people through without swiping their badges and gaining access to catering carts destined to be loaded on flights. I would say innocent acts, friend helping friend, but it cannot be tolerated. There must be zero tolerance. We have to protect the traveling public. We all recall the infamous shutdown in Newark in 2010. I led this committee to Newark when that happened, when flight operations were shut down and thousands of members of the flying public were inconvenienced for nearly 7 hours. Operations were halted after a man walked into the sterile area of the airport, through the exit lane and without being screened. These are instances where perimeters and access controls were breached and caused major disruptions, and shed light on security vulnerabilities at these airports. Unfortunately, all relevant examples are far too many to cite in the 5 minutes allotted to me today, and span across various commercial airports of all sizes. I look forward with you, Mr. Chairman, to ensure that we continue to conduct oversight on perimeter security at our airports. As I mentioned to you, I am also interested in looking and holding a hearing on cabin security as well so that we don't leave all of our internal airport as a plane is airborne, if you will, to passenger courage, which we know there are many courageous passengers. As you know, Mr. Chairman, I am committed to working with you to ensure TSA improves its operational capabilities to manage access controls and perimeter security, and that it is as effective and cost-efficient as possible. In addition, I am concerned about the badges, and the review process for determining the badges, how the badges are protected, how they are secured, how they are maintained, and whether or not we have sufficient oversight of the individual process of providing the badges. I want to compliment Mr. Thompson for recognizing some years back of the single focus or single contractor that was engaged or responsible for providing, assessing, reviewing the badges for personnel, and to open the door for greater opportunity for other contractors or providers. I think that helps the level of security to have more eyes looking and more technology and more techniques, and so I thank Mr. Thompson for that. Before yielding back, Mr. Chairman, I ask unanimous consent that statements from the Association of Flight Attendants and the United Steel Workers urging TSA to include flight attendants in the Known Crewmember Program be inserted for the record. I have repeatedly waged this issue and raised this issue, and waged it as an effort that I hope we can join in a bipartisan way. But I ask unanimous consent to place these two letters or statements into the record. Mr. Rogers. Without objection, so ordered.* --------------------------------------------------------------------------- * Documents have been retained in committee files. --------------------------------------------------------------------------- Ms. Jackson Lee. Mr. Chairman, again, this is a very important hearing. Thank you and I yield back. Mr. Rogers. I thank the gentlelady and she is right. We also have perimeter concerns that will be the subject of a later hearing. As you know, this hearing was called long before this IG's report came out. We knew that there were problems with the access control points, but this was very eye-opening. We didn't realize that these particular components were problems and that being the information reporting. Mr. Sammon, in your opening statement, you made reference to the fact that you count on the airports to follow your policies and report. But my understanding from the IG's report is that these access breaches were reported by TSA local, but they just never made their way up to big TSA to PARIS for processing. Is that not correct? Is there some failure that is not revealed in the IG's report? Mr. Sammon. No, no and that is why we have concurred with the IG's two recommendations in terms of having a consistent definition. A definition, that in terms of a security breach, that has to do with immediate danger and security to the airport itself, as opposed to other definitions of breaches that have one consistent definition of a breach, and have that communicated and understood by all people not only within an airport, but among airports around the country. So we are looking at one standard definition of what a breach is---- Mr. Rogers. So---- Mr. Sammon [continuing]. And so that people can understand that. Mr. Rogers. So I am understanding that the 58 percent of breaches that were not reported up to PARIS were viewed by somebody at the local TSA level as not being a breach by definition? Mr. Sammon. That is quite possible, yes. Mr. Rogers. Okay. Well, let me ask, of the 42 percent that were reported according to the IG's report, only half of them had a response made. Do you have an answer for why that occurred? Mr. Sammon. Again, I would go back to--with the IG's recommendations in terms of what we have concurred with them, and in terms of our plans that we are putting forward in terms of getting a uniform definition, and developing a comprehensive oversight program that is being developed right now, the IG has concurred that those are sufficient requirements in terms of their recommendations. These two recommendations are being held open until we supply the specific documentation and the reports of exactly what we are going to do and they are holding those two recommendations open. Mr. Rogers. Well, it is disturbing that, regardless of definition used, that 58 percent of breaches are not being reported up to big TSA in PARIS. I am really disturbed by the fact that a handwritten boarding pass was able to get somebody through a checkpoint. Do you have any explanation as to how that happened? Mr. Sammon. I don't, but I can get you--if you would like to put a question for the record, would be happy to get the specifics on that. I would like to give you a complete answer on that specific instance. Mr. Rogers. I have here a directive, a 10-page document, that TSA has outlined, dated December 16, 2005, on how to report incidents to PARIS. I would like to offer this for the record. If there is no objection, it will be submitted.* --------------------------------------------------------------------------- * Documents have been retained in committee files. --------------------------------------------------------------------------- The first thing that I am most concerned about is there is a recorded document about this. Apparently nobody was--in a directive that nobody was following or, at least, 58 percent of the time they weren't following. Are you saying the definition outlined in your own policy is not adequate? Mr. Sammon. Apparently, it was not clear enough. What we are doing right now is--based upon working with the IG--is coming up with a clear set of directions and making sure those directions are understood throughout the airports that TSA operates in. Yes, sir. Mr. Rogers. Well, apparently, the definitions were adequate for the IG to feel like that they were not being followed. Why is it that 7 years have lapsed since this has been updated? Mr. Sammon. I would have to get back to you on that. I don't know, sir. Mr. Rogers. Okay. Mr. Edwards, did you feel like the definition in the TSA's own policies was adequate for you to discern what were and were not breaches? Mr. Edwards. Thank you, Chairman. Well, there is no set clear definition, you know. Also even if there is a definition, TSA needs to clearly give guidance on that and TSA needs to follow through. Mr. Rogers. So this 10-page directive that TSA has on this does not have a definition that is adequate in your view? Mr. Edwards. I have to get back to you on that, Chairman. Mr. Rogers. Well, how did you come up with the number of 58 percent that were reported if you didn't have a definition? Mr. Edwards. We didn't, you know. We came up with the definition. In my opening statement, I have said, you know, anybody accessing unauthorized area, either through inspections, or getting through, that is clearly a breach, you know. Mr. Rogers. It is not rocket science, is it? Mr. Edwards. No, sir. Mr. Rogers. Tell me about this hand-written boarding pass. What did you find? How did that happen? How does somebody hand-write a boarding pass and get through security? What was the explanation that you found in the records? Mr. Edwards. It was part of our testing, Chairman. I can get back to you on details of that. I don't have it here with me. Mr. Rogers. Okay, thank you. My time has expired. I recognize the Ranking Member for her opening questions. Ms. Jackson Lee. Thank you very much, Mr. Chairman. I see a pathway to fixing what has been laid out by your report, Mr. Edwards. Are you recommending today that we eliminate TSA and TSO officers? Mr. Edwards. No, ma'am. All we are saying is, based on our audit work, TSA needs to provide clear-cut guidance and have procedures in place, and needs to follow through. Ms. Jackson Lee. From your assessment, do you find that a fixable or a doable process? As you look at TSA and TSO officers, do you find that doable? Mr. Edwards. Yes, ma'am. Ms. Jackson Lee. Then let me proceed with these questions. As I ask Mr. Edwards, Mr. Sammon, I am going to be asking you to respond because he said a number of things that I think is extremely important. Mr. Edwards, explain again about the checking of the application for completeness, and TSA not requiring its TSOs to review the process. Because you are talking about the document that the person who has the right of ingress, of entering the airport, is going to show something, and you are saying TSA is missing-in-action. Explain that. Mr. Edwards. Well, at the airport when the application is being filled out, in some of the airports we have found there is a quality check process that somebody is looking through the data, and verifying and validating that the data, in fact, is correct. There is also audits on badging applications to look for common errors. Some airports follow that, but overall it is not being followed. Also---- Ms. Jackson Lee. When you say airports, you are talking about not the airport personnel, you are talking about TSA? Mr. Edwards. Airport personnel, you know, they take the information down. Ms. Jackson Lee. Right and then---- Mr. Edwards. Then it is sent to the Threat Assessment Center---- Ms. Jackson Lee. Right. Mr. Edwards [continuing]. For them to read it. So there is, you know, inaccurate information that is being entered. What happens is when TSA's inspectors go to review, the review is not really in detail. So what we have recommended that when the inspectors go back and review these, make it more detailed inspection and look for these errors. Also recommend look at the quality assurance that some of the airports are following. Ms. Jackson Lee. Where do the TSA inspectors intervene? At the point before the application is approved? Mr. Edwards. They routinely come--you know, they do a review of the airports. So when they do that, that is the time they will be looking at that---- Ms. Jackson Lee. You find that that is a missing element. It is not sufficiently broad-based and TSA doesn't take it sufficiently seriously---- Mr. Edwards. Yes, ma'am. Ms. Jackson Lee [continuing]. To make sure that it happens. Mr. Sammon, why not? What are you doing to fix that problem? Your mic is not on, sir. Mr. Sammon. In the opening testimony, referred to a rule, a very large and comprehensive rule, called the Universal Fee Rule that has been drafted. It is in the administration's review process. We agree with the IG's overview of badging processes, that some are good and some are not as good. The airports are responsible for completing the badging, accepting the information, and checking the documentation. What we want to do is have a much more complete process; require much more stringent enrollment age and training; have the documents submitted through TSA so we can put up front edits for completeness and accuracy; scan the documents in through TSA so we can do this up front. So we are not relying-- -- Ms. Jackson Lee. You have to be governed--you said that the rule--what is the potential time frame for that rule being promulgated? Mr. Sammon. We would guess that the rule would be--what we are hoping is that it would be out for public comment later this year. It is in executive department review. Ms. Jackson Lee. You started working on the rule when? Mr. Sammon. Several years ago. Ms. Jackson Lee. Okay. Let me go back to Mr. Edwards again. I think this is enormously important. That is why we are here. We are talking about breaches and you mentioned that, to Chairman Rogers' question, you know a breach when you see it. A breach is a breach is a breach. My question is, Mr. Edwards, you are saying there is a failure to keep a detailed and adequate record of breaches that could result in a horrific and terrible incident. Mr. Edwards, is that---- Mr. Edwards. Yes, ma'am. Ms. Jackson Lee. So there is no depository where one could go and pull up all of the breaches that have occurred. Mr. Edwards. Well, first, you know, they need to have, you know, like I said earlier and the Chairman alluded to, there needs to be a clear definition of what a breach is. Then TSA needs to give clear guidance to the airports what to report and when to report. Then TSA needs to follow through with that. They have the system, PARIS. They need to make sure that the metric, the indicator is there. Also, they can go back and look at the trends and look to see how it is being addressed. That is not there. That is part of---- Ms. Jackson Lee. So it is setting a standard for airports to adhere to, which we don't have. Therefore that hinders the collection of the data. Mr. Sammon, why is that not happening? Why do we not have a complete picture of breaches in America's airports, at least 450 that we are in charge of? Mr. Sammon. So we have concurred with the IG's recommendations. The IG, in terms of their report that was issued just recently, they agree that our plan going forward would meet the requirements of that recommendation. But they will keep their recommendations open until we supply them the documentation. So our people are actively, at this point, putting together the information, the requirements, the system, the training to be able to do that; to have a consistent definition of breaches and reporting and response to breaches across the country. Ms. Jackson Lee. Okay, but is that in place now? Mr. Sammon. It is being put together right now and being drafted right now, I think. Ms. Jackson Lee. I may have an additional question, Mr. Chairman. I will just yield and just simply say this. Let me put an exclamation point. I am glad Mr. Edwards said that we need TSA and TSO. That is my commitment continuously. But he also indicated a wide gap. To hear that the first answer is about a rule and the end of the year, let me put a punctuation mark after now. If not now, when? I think in terms of security, our functionalities are too slow. It is imperative that we move now. So I would like to discuss this with you further on an expedited process. I know the rulemaking goes by rules. But clearly we have to put an exclamation mark to moving forward more quickly. I yield back, Mr. Chairman. Mr. Rogers. I thank the gentlelady. The Chairman now recognizes the gentleman from Michigan, Mr. Walberg, for 5 minutes. Mr. Walberg. Thank you, Mr. Chairman. Thank you, Mr. Edwards and Mr. Sammon, for being here. It is almost, humanly speaking, an impossible responsibility that you all have in screening and making sure that security is 100 percent, because that is really what is has to be. But even having said that, it is still a requirement that we expect to take place, and hopefully, what we have seen in the report and read will be fodder for continuous improvement. Mr. Sammon, TSA's Playbook program employs security measures at the direct access points and airport perimeters, as you know, and uses a variety of resources to conduct screening of individuals and vehicles entering the airport operation areas. Could you provide examples for this committee of the security measures that may be employed at an airport's access point and its perimeter? Mr. Sammon. Yes, there may be, in terms of access points and perimeter, particularly for access points, random screening that a team may show up and screen employees, coming through to check badges throughout the airport operations area. There are random challenges for badges to make sure that the people out there are the people who belong there. You referred to Playbook earlier. We use, if you think of secure flight where we look at watch list passengers who are traveling selectees. We look at patterns. We may look at particular airports they are going out of, gates. You may have seen random gate screening in terms of EDT and taking swabs of passenger hands. That is risk-driven in terms of intelligence, where we see people traveling, so all these are random elements that take place throughout the airport within the sterile area and the access points and in the airports operations area. Mr. Walberg. How often has this program prevented a security breach at airports? Mr. Sammon. Again, that particular program has prevented a number. I couldn't give you specific numbers in terms of how many have been prevented. I think if you look at access control through doors, piggybacking, if people suspect that they may be stopped; if there are TSA people on the other side that it does to a certain extent. It is probably not complete. A number of airports have various programs in place in terms of technology that prevent piggybacking; camera systems in place that people, operators, can view what is going on at those access control points, but not all airports do. Mr. Walberg. Are you required to notify an airport before setting up these additional measures? Mr. Sammon. We generally work with the airport law enforcement and security people in terms of what we are doing. We like to include them and have them part of the efforts, because if we can build on their capabilities along with ours, it is a better deterrent and better enforcement than otherwise. Yes. Mr. Walberg. According to the report issued by the Department of Homeland Security Inspector General's Office, inspection enforcement analysis tracks and analyzes breach data only upon request, if I understand it correctly, which appears to me to present a potential vulnerability. Do you agree that this could be a problem? Mr. Sammon. Yes, and that is why we concurred with both of the inspector general's recommendations. We are putting plans together that we have shared with the inspector general. They have concurred that those plans, if properly implemented, would meet their requirements or recommendations. Mr. Walberg. Thank you. Mr. Edwards, has the TSA given you a reason why it tracks and analyzes breach data only upon request, though they have admitted that it is a problem? Mr. Edwards. No, sir. Even though TSA has agreed to our recommendations, and they are going to implement it, I would, for the record, would like TSA to kind of aggressively pursue and implement our recommendations. Mr. Walberg. What does aggressive mean? Mr. Edwards. Well, some of them have taken years just based on the previous question. We wanted TSA--I know it is a challenging monumental task, but we need those recommendations to be implemented. Mr. Walberg. Okay. In the remaining 29 seconds here, Mr. Sammon, while I have the opportunity, and it is on a different subject, Mr. Chairman, forgive me for it, but this is the opportunity. Anything about the foreign repair stations; is that coming to conclusion here? That is a security issue as well. Mr. Sammon. Yes, as we briefed you, and Chairman Rogers, the economic analysis has moved on. It is under executive department review. So that has moved on in the time frame that we have briefed you on earlier. Yes, sir. Mr. Walberg. Well, we are not forgetting that. It is an awful long time it is going on here, and hope to see a conclusion. Thank you, Mr. Chairman. Mr. Rogers. I thank the gentleman. The Chairman now recognizes the Ranking Member of the full committee, Mr. Thompson, for any questions he may have. Mr. Thompson. Thank you very much. Mr. Edwards, your testimony before the committee, I want to make sure we are absolutely on the same page. Presently there is no definition that you could find codified by TSA for a security breach? Mr. Edwards. The definitions are not consistent across all policy, sir, so that is why the definition for our testing, we used the simple definition that I have indicated in my opening statement. Mr. Thompson. So, it is no. Let me add this. You know, I think we already--I am just trying to get it on the record that is all. The other point I think we want to make is, Mr. Sammon, what directive in these security breaches did you give TSOs before this IG report came out? Mr. Sammon. The TSOs and inspectors throughout the airport are given direction in terms of their screening procedures and processes. We have found that in every case, there have been examples where people have been able to evade or avoid those. So we have continuous training with the officers. Obviously, the point is to have everyone who is entering the sterile area to have been properly screened. The officers know that, and it is a matter of making sure that the officers and their supervisors are continuously and constantly every day reinforcing it and carrying out the procedures that are required. Mr. Thompson. So your testimony is that rather than a defined statement for what a security breach is, training was the substitute. Mr. Sammon. We agree with the inspector general that the less specific definition of a security breach was not helpful. That we need to have a specific definition that everyone understands and uses in implementation across all 450 airports. Yes, sir. Mr. Thompson. All right. So what is the latest statistics that you can provide this committee on security breaches that have occurred in airports across the country? Mr. Sammon. I would have to provide the committee--be happy to provide those to the committee. But I don't have those specific numbers with me today, sir. Mr. Thompson. Who collects it? Mr. Sammon. Our operations department, the Office of Security Operations. Mr. Thompson. So security operation manages the data for security breaches? Mr. Sammon. Yes, sir. Mr. Thompson. Is that your understanding, Mr. Edwards? Mr. Edwards. Well, there are so many offices in headquarters in TSA that provides the reporting guidance, and they have the PARIS data system. But the corrective action on the breaches is taken at the field level. It is not at the headquarters. Mr. Thompson. So, Mr. Sammon, Mr. Edwards just said something different. Mr. Sammon. The field-level people he is referring to all report to the Office of Security Operations. All the TSOs, all the inspectors, all the Federal security directors are all under the Office of Security Operations. Mr. Thompson. How is the data for the breaches transferred from the field to headquarters? What is the directive? Mr. Sammon. So it would come up through, if there is a breach noted by an employee, they would report it to the supervisor, who would report it to the airport, who then reports it back up in through the system, up to the headquarters, where it is compiled for all 450 airports. Mr. Edwards, is that your understanding? Mr. Edwards. That is my understanding too, sir. Mr. Thompson. So you agree with that? Were you able to see any reports of the information transfer at the headquarters? Mr. Edwards. Well, that is where we say there is 42 percent of the reports at the airport and what is reported to headquarters, there is no consistency, because there is no clear guidance on what to report and when to report. One of our recommendations is that they have to have a comprehensive oversight program where they provide clear guidance on how each of the airports need to be reporting and when, and then TSA needs to follow through. Mr. Thompson. Mr. Sammon, all of us have heard about this incident at the Newark airport. Was TSA involved in that at all? Mr. Sammon. The New York Port Authority had issued the badge for that particular person. He is employed by the New York Port Authority to staff exit lanes at the Newark airport. So in terms of TSA, he is not employed by TSA. His badging process that the New York Port Authority went through is the process that TSA prescribes. We have, you know---- Mr. Thompson. Describe what that process is. Mr. Sammon. In terms of initially, it would be a criminal history records check. It would be a watch list check. It would be immigration status or citizenship status. Those three things comprise the check. He had been working there for quite some time. A number of those airports, when we put procedures in, were grandfathered in, in terms of not having to redo criminal history records check or other things. His identity was run through a criminal history records check and the watch list. It did not show up. He did not hit anything--nor both his assumed identity and his original identity. Mr. Thompson. So your testimony is that there are people working at airports from a security standpoint, who were grandfathered in and we did not do background checks on them? Mr. Sammon. They were run with background checks. They were run--the watch list is run on them every single evening. In terms of their original criminal history records check that was put in when people apply for a badge. They get a criminal history records check. What we are proposing in this rule, however, is to make the renewal of that criminal history records check every 5 years, the same as it is for all other Federal badging standards. Mr. Thompson. So criminal history does not require identification? Mr. Sammon. It requires submission of fingerprints, sir, and identification. Mr. Thompson. So I could--Mr. Chairman, with your indulgence on this. I am trying to figure out how somebody could put their fingerprint on a badge, and end up having identity of somebody else. Mr. Sammon. So he, as I mentioned, the process was he has been in the system for quite some time. He has been working in the New York area under the Airport Authority for quite some time. He went in--even if you submitted his fingerprints, if he is not a criminal and there is no criminal history, he is not going to make--there is not going to be a match. So unless either identity, either his real identity or the assumed identity, had a criminal record when you put his fingerprints in, there would be no match in the FBI criminal history records check. Mr. Thompson. So you are saying that there could be a lot of people just like this person in the system because our system is not designed to pick up people like this? Mr. Sammon. Again, this is why we want to have this more comprehensive rule. We are using rulemaking because we are making substantial changes to the documentation and verification. This person apparently has--he assumed an identity. He didn't attempt to do anything other than maintain his job with that identity. He didn't use it for fraud. There were no criminal nor terrorist associations with---- Mr. Thompson. But I think he used it for fraud. He is working under somebody who is dead. Mr. Sammon. Right. He was using it for fraud to get that job, yes, sir. Mr. Thompson. Well, I yield back, Mr. Chairman. Mr. Rogers. I thank the gentleman. Listen, I have listened patiently. You all keep making references, both of you, to not having a clear definition as being excuse for these not being reported, and that is just B.S. The fact is a breach is a breach. If somebody gets through a checkpoint, a secure access checkpoint, that is not supposed to and it is reported to a supervisor, that ought to be reported up to TSA. I don't care what definition you use. So please don't excuse that anymore in your remarks. We have got to find a way to make sure every breach, by any definition, is reported up to big TSA and PARIS, so we can come up with processes to fix this. Chair would now recognize the gentleman from Minnesota, Mr. Cravaack, for any questions he may have. Mr. Cravaack. Thank you, Mr. Chairman, for this very important hearing. I would like to request that we have a field hearing sometime in the future regarding this important issue. Mr. Sammon, I flew 17 years as an airline pilot. I have got to tell you, if you had asked an airline pilot where--before 9/ 11--what was going to happen, we would have told you. I am going to tell you now that I feel the next breach that will occur is going to come from the shadow of the airplane, and coming from the ground, hooking up to a passenger that comes in through clean through the airport. Would it surprise you, sir, if I told you that several people, both pilots and ground personnel, have told me the security around the aircraft coming from outside sources is a joke? Mr. Sammon. I would think that there is a lot of activity on the back side of the airport. There are a lot of different people and crafts coming and going. The people who have SIDA badges undergo three layers of checks. Does that prevent all criminal activity and whatever else? It does not. TSA does random inspections of folks in terms of what they are doing there. We have also had a large number of people on the back side of the airport who have reported activities in terms of contraband being shipped in and out of aircraft. So, no, it is a very active area, yes, sir. Mr. Cravaack. Okay. I could tell you that I have had people call me up because of my background and telling me--and warning me that this--and I am going to tell you right now, the next incident is going to come from the ground. It is going to come from the shadow of the aircraft. It is not going to come through the passenger terminal. I am telling you that. Okay? Now, I don't know if you are aware, in October 2011 Channel 2 down at Hartsfield-Jackson Airport did an undercover report. This is what they said, the whistleblower that went in: ``If I were a crazy lunatic or an Osama bin Laden sympathizer, I can come in and put anything on the plane.'' The other comment was, ``I can bring a gun in there if I want to, a bomb, anything,'' said the whistleblower, ``that is how easy it is.'' So my question to you, sir, is: Do you believe that TSA has sufficient procedures in place to protect the traveling public from an incident from occurring? Mr. Sammon. So with regard to the whistleblower, and the story was reported in the Atlanta paper, or the newspaper--or the TV anyway. First of all, they do not understand the procedures and the law. They don't understand the requirements of what has to be sealed. In terms of the areas that they are talking about people piggybacking were not a secure area, they are the catering facilities. The allegations in terms of what could or could not be done in terms of what was sealed between the carts and between the trucks, the person does not understand the regulations. We have also inspected this operation at least 20 times in the past several months and found that in terms of all the regulations, they meet all the requirements that are in place. Mr. Cravaack. Well, it says here--this is part of the thing--it says--he said the carts that were sealed are the liquor carts to keep employees from stealing the liquor. That was really the only things that were consistently sealed. Mr. Sammon. So the carts can be unsealed if the truck is sealed or the driver is accompanied to the aircraft. So there is--we have had a running contention with that reporter in terms of his understanding and reporting on what the law says and what the regulation is saying. Mr. Cravaack. Well, we know what the law says and the regulation says. What I am telling you, sir, is that with--this is just a report that has been done. But I am telling you from people that I know that have been on--that are ground counters around the shadow of the airplane are basically reinforcing what this person is telling me. So my question--you know, and when asked the TSA responded pretty much what you just said right now, sir. Now, I am not trying to---- Mr. Sammon. Right. Mr. Cravaack. This is bigger than pointing fingers. This is about protecting the flying public. This is ensuring that we don't have another incident like 9/11 ever again. I am trying to fix the problem. I am not trying to point blame, trust me on that. I am trying to make sure that we never have that incident occur again. We never have an aircraft that is used as a human missile. So what I am trying to say is pretty much the response to this was all that TSA sent to Channel 2 was a generic statement reiterating that it does regular inspections on airline security operations to make sure everyone is following the rules. Now with that said, sir, I understand that only 17 percent of the airports have been assessed. Is that correct? Mr. Sammon. I think what you are referring to is the JVA. Mr. Cravaack. Correct. Mr. Sammon. The JVA is a very in-depth assessment. It is done with TSA and the FBI. It takes quite a bit of time and a limited number of airports are assessed each year. Mr. Cravaack. Okay. Well in all due respect, sir--and I am over my time--we have a very intelligent enemy that very easily can find the weaknesses of a small airport connecting into a larger airport connecting further on. I don't envy you your job. Trust me when I say that. But we have to be much smarter than the enemy. I see a lot of holes here. I am being alerted to a lot of holes. I am telling you where the next incident is going to occur. So with that, sir, I will yield back. Mr. Rogers. I thank the gentleman. The Chairman now recognizes the gentleman from Louisiana, Mr. Richmond, for any questions he may have. Mr. Richmond. Well, I will just start where my colleague left off, and a very general question. Mr. Sammon or Mr. Edwards, either one of you can answer it. But is there a line or protocol or procedure for an employee to call, whether it is a pilot, stewardess, janitor at an airport, so that, when they have these gut feelings about what the next plan may or may not be, that they can report it to somebody so that it is on the radar and you all respond to those reports? So does something like that exist? Mr. Edwards. Sir, we have a hotline. DHS OIG has a hotline that we get referrals and allegations about a wide variety of issues. We also educate all the DHS employees to refer to when they see a situation like this. If I may, if I could go back to the Congressman from Minnesota about the concern he had about the shadow of the aircraft. Sir, that is why we do covert testing. We have done a number in the last several years. The results of it is classified. I would be glad to come by and brief on the results that we came up with. Mr. Richmond. Mr. Sammon, you also talked about the goal. I think it was having 35 airports in the prescreen program? Mr. Sammon. Yes, sir. Mr. Richmond. Where are you up to right now? Mr. Sammon. Right now, we are at probably about a dozen or so. Getting up to PreCheck is a function of also adding the additional airlines. United Airlines will be coming on shortly. U.S. Air will be coming on within the next month or so. Also JetBlue will be coming on later this summer. So we are getting the airlines up. They are modifying their systems to be able to do this. We expect to be rolling up additional airports over the balance of this year. Mr. Richmond. Also--and I listened to the exchange between you and Ranking Member Thompson about the incident at Newark and what happened and all of that. What I didn't hear is what procedure could have been in place to prevent it, and is it in place now? So---- Mr. Sammon. Again, the types of procedures and process changes we need, in terms of getting data into the system, identifying documents, does require rule-making, unfortunately. There are impacts on airports. It costs money. Those procedures that we have outlined, I believe, if we had those in place, it may have caught this gentleman. I can't guarantee it, but it may have. Mr. Richmond. So with the rule-making and things not being done yet, we still don't have a procedure in place to prevent this in the future? Mr. Sammon. Right now, the system still has gaps, and that is what this rule-making is intended to address. Yes, sir. Mr. Richmond. I guess the other question just becomes is there a general feedback to TSOs, TSAs, and airport security? At least in my experience, people try something one time just to see if it works, and they continue to do it. So do we do a continuing education or training or anything to let people know this is the latest attempt in getting into secured areas or getting past certain checkpoints? Do we do that with our on-the-ground troops? Mr. Sammon. Yes, we take--in terms of incidents, not only in terms of the kinds of things that--in terms of access control, but people attempting, testing the system, say shipping cheese with electronics attached to those things, putting those images back for training for TSOs in terms of what to look for and the kinds of things that they should be up to date. So we have increased the number of TSOs with security background checks so that we can share more intelligence with them. Because we want to keep this feedback not only from where the incident happened but to share it across the country, because they are not isolated. They are generally--things can happen at any location. Mr. Richmond. But in order to do that, the breach has to be reported and put in something so that all of them can be used as teachable moments. Hopefully, we are getting to fewer and fewer teachable moments in the process. Mr. Sammon. Yes, we agree, and concur with the IG. Yes, sir. Mr. Richmond. Is there anything else you can do besides something that takes rule-making so that we can prevent people from getting into secured areas, or what happened in Newark, just in case we don't have time to wait on rule-making? Mr. Sammon. Our inspection efforts have been increased to working with the IG in terms of things we can do in the near term, in terms of badging process kinds of audits, and information analysis. But also our training at the checkpoint and other areas throughout the airport is being stepped up, because we realize there are process things that have to be done. But also, in the shorter term, the intensity has to be picked up. Yes, sir. Mr. Richmond. Thank you. My time has expired. I yield back. Mr. Rogers. I thank the gentleman for his questions. The Chairman now recognizes Mr. Lungren for any questions he may have. Mr. Lungren. Thank you very much. I guess I have got 37 seconds. So, thank you. Mr. Rogers. You have got time. Mr. Lungren. Thank you very much. Mr. Sammon, first of all, let me just say there is a lot of criticism that has been leveled at DHS and at TSA. It is probably where more Americans get to see--I was going to say are touched by TSA--than any other place in the country. But we ought to reflect on the successes. I mean, 9/11 was over 10 years ago. We know the enemy probably wishes to continue to use commercial air traffic as one of the vulnerabilities to attack us. We have been, through a lot of hard work, a lot of people dedicated, and some luck, not subjected to another attack like we were on 9/11. So I think there are some thanks that ought to be delivered to TSA and those that work. Having said that, let me ask you about your prescreening expedited passenger program. Would Henry Kissinger qualify for that? Mr. Sammon. I think we saw this morning in The Wall Street Journal a very complimentary article from Dr. Kissinger, in terms of how he was treated professionally at the airport. He was--I can pull a copy of the article out---- Mr. Lungren. I understand that. But in the mind of a lot of people, it would seem to be a waste of time to subject Mr. Kissinger to extra, sort of---- Mr. Sammon. Yes, he would qualify if he--again, there are two ways, right now, to qualify: One, through opting in through your airline if you are of a certain level of flying; also through global entry, through CBP. We are looking at many more ways to say: How do we get trusted people into the system? I mean, our vision would be that, in the future, the majority of passengers are going through a less physically intensive screening process. Because if we know more about them up-front, that we can improve the level of security while improving the passenger experience through the airport. Yes, sir. Mr. Lungren. I hope that happens because, frankly, I have heard that with two administrations. I have heard that in classified briefings and in open briefings, that this makes sense, that it would be better for us. Yet it seems like it is stretched out and stretched out. I am glad that we at least are going forward. Here is a question I would address to both of you. This is a serious matter in terms of control points with respect to access. But let us face it. It is a tedious job. If you are successful, and if most people are not trying to bring something that is prohibited through, you know, 99 percent of the time. I mean, there is a tendency to slack off. There is a tendency to presume that you are not going to find an item that you ought to stop. So how do you continue to keep the edge? It would seem to me one of the things is very, very aggressive supervision. I know that part of that is, you know, management versus employees and that sort of thing. But it just seems to me, that is one of the toughest conundrums that you have. Mr. Sammon. Right. Mr. Lungren. I wonder what you would have to say to that. Mr. Edwards, if, in the reviews that you have undertaken, you have any comment on that? Mr. Sammon. So I think your point about supervision is critical. TSA was stood up basically around the country, local hiring, training took place locally. What we have done is stood up a training program in Glynco, Georgia for the first-line supervisors. Because that is where you make it or break it, in terms of what those supervisors communicate to the employees, what they see, and how they manage those individual checkpoints. We have not--TSA in its first 10 years had had no central place to run all the supervision through a standardized approach to understanding TSA's mission to TSA's--what we were trying to accomplish at the checkpoint, and maintaining that edge that you are referring to. So that is--what you brought up is exactly what we have recognized and are beginning to do. We have run two classes through, the first two classes. I think there is another graduation this week. We are going to be--our goal is to get all the first-line supervisors through that process because that is where you have to begin. Mr. Lungren. Mr. Edwards, is that the proper approach? Are you satisfied with what they are doing? Mr. Edwards. Yes, sir. But I also would like to point out, if I may, that, you know, we want to make sure that TSA operates in an optimum fashion. We want to make sure that they bring issues and concerns to you and to the American public to see TSA fix those recommendations in a timely fashion. I think they add value by bringing--pointing out those issues to TSA. TSA is working towards fixing them, but we would like it to be fixed sooner than later. Mr. Lungren. I would just reflect on this, Mr. Chairman, and that is that in virtually every other endeavor in our society competition has been viewed as one of the ways in which we sharpen our instincts, and sharpen our approaches, and sharpen our performance. Yet for whatever reason TSA administrators, over the past number of years, have been reluctant to support a program that allows private sector to be involved as an adjunct or a competitor to the regular TSA operation. I would just say I hope we don't lose sight of that. I know that there are many of us in the Congress that believe that that is one component. It is not a criticism of TSA employees. But it is one component of how you improve performance. I yield. Thank you, Mr. Chairman. Mr. Rogers. I thank the gentleman. Before the Chair recognizes Mr. Davis for any questions, the Ranking Member has informed me she needs to leave and wants to make an observation before she has to step out. The Ranking Member is recognized. Ms. Jackson Lee. Thank you, for a moment, Mr. Chairman. Let me just try to pointedly go back to this question of breaches, which I think really deserves an immediate response. I do want to indicate that I am pleased. I think that the Chairman is having this hearing, and we are joined together at this hearing. The Members are here, I would say, because of the faith we have in the fine men and women that work for TSA and realizing the work that they do. I believe Administrator Pistole's concept of a Federal force, if you will, combined with intelligence, information, and fighting counterterrorism is probably the best approach and does not lend itself, from my perspective, though my mind is open, to massive privatization. The reason I say that are these two pointed questions. The gentlemen at Newark used identification of a deceased person. We need to get that on the record. He was operating with an identity that could have generated in a heinous incident. So the question is: Did you do a security threat assessment of what might have happened, Mr. Sammon? Then with respect to breaches, this also includes airport collaboration. I see a gaping hole while we are sitting here talking to each other about the communication between TSA and airports. Mr. Edwards, you see the direction that I am going. Even though you are doing a comprehensive rulemaking at this point, a simple missive, if you will, to your lead officers at these airports, you take the risk assessment approach to indicate that airports are responsible for reporting those breaches. Why have you not done that simple task, even though the rulemaking is proceeding? A missive to our 10 most vulnerable, or however the risk assessment is made, Mr. Edwards, would that be a fair approach, even though we are in the middle of rulemaking, to communicate with airports? Mr. Edwards. Yes, ma'am. Ms. Jackson Lee. And insist that they provide information of breaches. Mr. Sammon, can that be done now? Mr. Sammon. We can communicate that to our airport operating people and make sure that they do get the breaches reported properly. Yes, ma'am, it can be done. Ms. Jackson Lee. I would ask you to do that. I would ask-- you cannot answer it now, but I would ask whether or not you have done a security threat assessment of what it meant for a person having a deceased person's documentation for the period of time that this gentleman had it. I thank the gentleman for yielding. Mr. Rogers. I thank the gentlelady. The Chairman recognizes the gentleman from Illinois, Mr. Davis, for any questions he may have. Mr. Davis. Thank you very much, Mr. Chairman. I trust that the questions I am going to ask have not been already asked. If they have been I apologize for that. Mr. Edwards, in your testimony you mentioned that you gave six recommendations to TSA in reference to access control vulnerabilities. Have the recommendations accepted been implemented? If so, what has been the outcome of those recommendations? Mr. Edwards. Out of the--thank you, Congressman. Out of the six recommendations, TSA has implemented one and has agreed to implement the other five. They are in the process of doing it. They haven't given us detailed information back to us on when they are going to implement the other five. Mr. Davis. I would imagine that there has not been sufficient time to evaluate the impact of the one that is undergoing implementation now? Mr. Edwards. Yes, sir. Mr. Davis. Mr. Sammon, I am actually quoting from your testimony in terms of a statement. ``The Known Crewmember program is the result of a collaborative effort between the airline industry, pilots, and TSA which currently allows uniformed pilots from 20 airlines in 10 airports to show two forms of identification. After evaluation, evaluating operational data from 10 airports, and through much discussion with industry representatives, we are planning to expand the Known Crewmember solution to more airports this calendar year.'' Let me ask you, is it a feeling or is it your feeling that there is a one-size-fits-all approach to this? Or is this experimental in a way? Or is it testing an approach? Could you respond to that? Mr. Sammon. I would be happy to. We had piloted or had tested the approach at about three airports for probably over 2 years. Having had considerable conversations with the various pilot associations and the airline industry, and have come to a rollout approach that we expect to get to over 30 airports by the end of the year. The pilots are the most trusted person coming through the checkpoint. The pilot does not need an explosive device to damage the plane. So what we want to do is expedite their access. We actually do more identity verification today through Known Crewmember than is done through the regular process coming through the checkpoint. So we feel that we have a higher identity verification that the person is indeed a pilot. But there is less physical inspection. Mr. Davis. Thank you very much. Thank you, Mr. Chairman. Mr. Rogers. I thank the gentleman. I will recognize myself for a second series of questions. Yesterday at this time of the day, I was in New York City at Ground Zero touring that progress there--very sobering. Then to come here today and hear this is just disturbing. As I told you earlier, regardless of the definition, if a breach was reported by a TSA agent or officer to their supervisor, it should be reported up the food chain, regardless of the definition. I just can't get past that point. Mr. Sammon, I have worked with you for a long time and I know you to be an extremely competent fellow who does a lot of things very well. This isn't one of them. I hope that you recognize that this has got to be fixed and fixed quickly. We don't need a rulemaking. We need your supervisors in the airports to know if a breach is reported to them it goes up--no matter what the definition is--it goes up to PARIS and to you all so you all come up with processes to fix this. Having said that, when do you think that this definition will be in place? Tomorrow would be a good time. Mr. Sammon [continuing]. A good time. People are working on it right now in terms of definition, and we are working on the security operations directives to get them rolled out to the field. We can get you a timing--I would be happy to get you an update on the timing here. Mr. Rogers. I hope you will. Mr. Edwards, would you agree that given we haven't had the reporting of all breaches, that we really don't know if there is a pattern of breaches that have been occurring for TSA to be able to respond to or prepare for? Mr. Edwards. No, sir. The airports that we looked at and what was reported, we don't have that, sir. Mr. Rogers. You don't what? Mr. Edwards. There is--we cannot predict a pattern because it has not been reported up all of them. Mr. Rogers. Exactly my point. Mr. Edwards. Yes, sir. Mr. Rogers. Until we get 100 percent of these breaches reported, there could be a pattern that is being established by folks feeling their way through these different airports to find out our vulnerabilities. We don't have a way of responding to it. Mr. Edwards. Right. If it is reported back to the PARIS system then they can look at trends and do some analysis to see what the breaches were. Mr. Rogers. The Ranking Member wants to ask something right quick. Mr. Thompson. Yes. Mr. Sammon, you made a statement that a lot of employees at airports were grandfathered. Do we know how many? Mr. Sammon. I don't know off the top of my head. We can get--I would be happy to supply the committee information, but not off the top of my head. Mr. Thompson. I really think the committee really needs that because this is my first time hearing this. Mr. Edwards, were you aware of this grandfathering? Mr. Edwards. No, sir. Mr. Thompson. Would you be concerned too? Mr. Edwards. Absolutely. I also would like to point out that even--you know, there has to be--I gave an example in 2007. There has to be periodic and recurrent criminal history checks. That is one of the findings in our audit. You know, I am definitely concerned just like you. Mr. Thompson. So with 450 airports, and if we grandfathered all these individuals in, Mr. Chairman, we could have any number of people working in airports right now that we don't know whether they are who they say they are---- Mr. Rogers. That is exactly right. Mr. Thompson [continuing]. Based on the Newark Airport incident. Mr. Edwards, are you aware of a method that could provide TSA with the identification of the employee and the criminal background that would not require rulemaking to get done? Mr. Edwards. Can I get back to you on that, sir? We will work on a simple process to get back to you. Mr. Thompson. Well, are you aware of any other agency that is doing--let me just--Mr. Chairman, the general public assumes that every person who goes to an airport that goes through this process is first, who they say they are and whether or not the criminal background. I am concerned now that we don't have a way of identifying the identity of that person other than some fingerprint that may or may not only show that that person does not have a criminal history but it does not verify identity. Mr. Rogers. Right. Mr. Thompson. That is a real concern on my part. I yield back, Mr. Chairman. Mr. Rogers. I thank the gentleman. I want to go back to something Mr. Edwards said in his opening statement talking about how you found the various employees that had gotten certification badges or access badges at different airports with different information. Is there not a database where when somebody applies for clearance that they are checked against every other airport? Is there a single database or clearinghouse for that? Mr. Edwards. Well, there are--the 359 airport offices, badging office that we looked at, we found this anomaly of this one individual having three different birth places. We brought it to TSA's attention. They immediately fixed-- got the correct birth place, and fixed that and completed the-- and updated the record---- Mr. Rogers. That is not my question. My question is these badges are allowed based on TSA's criteria. Mr. Edwards. Right. Mr. Rogers. When an airport is going to grant a badge, do they not have to check it against the database of TSA-approved persons? Mr. Edwards. They have to check the database, but all the fields do not match in order for them to get a valid---- Mr. Rogers. So the database is worthless then? Mr. Edwards. Right, that is what they tell me. Mr. Rogers. Goodness gracious. I don't have any further questions. Do you have any? I want to thank the gentlemen for their time. This panel is now dismissed. We will call up the second panel. The Chairman now recognizes the second panel. We are pleased to have several additional witnesses before us today on this important topic. Now, let me remind the witnesses that their entire written statements will appear in the record. Our first witness, Mr. Mark Crosby, currently serves as chief of public safety and security in Portland International Airport. He will be testifying on behalf of the American Association of Airport Executives. As Chairman, I recognize Mr. Crosby for his opening statement. STATEMENT OF MARK CROSBY, CHIEF OF PUBLIC SAFETY AND SECURITY, PORTLAND INTERNATIONAL AIRPORT, TESTIFYING ON BEHALF OF THE AMERICAN ASSOCIATION OF AIRPORT EXECUTIVES Mr. Crosby. Thank you, Chairman Rogers, Ranking Member Thompson, Members of the subcommittee. Thank you again for this opportunity to speak before you today on behalf of the American Association of Airport Executives. As AAAE's security committee chair, and the chief of public safety and security at three airports, including Portland International and three seaports, I can assure you that airport operators take the insider threat to the aviation environment very seriously. We also take seriously the findings highlighted today by the DHS inspector general. Ten-and-a-half years after 9/11, I still hold monthly conference calls with airport security managers to talk about current issues and to talk about best practices. It is a very dynamic area of our industry and it continues to evolve. As you know, TSA is largely responsible for controlling access to sterile areas beyond the security checkpoints. My comments today are focused on the other areas where airports control access via airport-issued security badges. First, airports are public entities with an imperative to provide the highest levels of security. It is our airport. We work there every day, and we care about it. In addition to partnering with TSA to meet the core mission of passenger and baggage screening, airports perform a number of inherently local security-related duties, including incident response and managements, perimeter security, employee vetting, credentialing, access control, and local law enforcement functions. These important duties have long been local responsibilities performed by local authorities in accordance with Federal standards, and subject to Federal oversight. The public safety professionals that I have the privilege of working with every day to perform these duties at airports are highly trained and have first responder duties that we all value immensely. While these responsibilities are important, let me focus on badging and access control responsibilities, and urge you to preserve the local role of airports in these areas. Background check process for airport workers has operated for many years successfully as a partnership between Federal and local officials, with the Federal Government holding the sole responsibility for the security threat assessments; and with local airport authorities operating and managing enrollment, credentialing, badging, criminal history background check adjudication, and access control systems in accordance with strict Federal standards. Local involvement provides a critical layer of security and gives airports the operational control they require to ensure that qualified employees receive the credentials they need to work in the airport environment. My final point today is that any effort to increase the Federal role in airport badging in access control procedures will diminish security and divert TSA's attention from its core mission. The underachieving results of the TWIC program in the maritime environment provide my point. As someone with responsibilities for security in both the airport and seaport environments, I can tell you that any move to shift additional functions in aviation to the Federal Government will diminish security by reducing or eliminating a critical extra layer of security that is already in place at airports. Pursuing such an approach would scuttle a successful local Federal model that has worked for decades. It would streamline significant efforts already underway at airports to upgrade and biometrically enable the existing airport badging and access control systems, and significantly increase costs to the aviation industry with no demonstrable security benefit. Members of the subcommittee, the access control systems at airports are unique among other transportation facilities, and have operated successfully for decades. That is not to say there isn't areas for improvement. As was mentioned earlier, the threat is always changing, therefore our measures need to change and improve as well. Local involvement provides a crucial additional security layer that should not be discarded. That concludes my comments. I look forward to your questions. [The statement of Mr. Crosby follows:] Prepared Statement of Mark Crosby May 16, 2012 Chairman Rogers, Ranking Member Jackson Lee, and Members of the subcommittee, thank you for the opportunity to be with you today to discuss airport access control--an important security function that local airport operators have held for decades in accordance with strict Federal standards, requirements, and oversight. I am testifying today on behalf of the American Association of Airport Executives, which represents thousands of men and women across the country who manage and operate the Nation's airports. I am actively involved with AAAE as chair of the association's Transportation Security Services Committee. In addition to my work with AAAE, I currently serve as chief of public safety and security for the Port of Portland in Oregon, a joint port authority that operates three seaport terminals and three airports, including Portland International Airport (PDX). In that capacity, I have overall responsibility for Emergency Management at the Port and manage the Port's Public Safety and Security Department, which includes the Airport and Marine Security Departments, the Airport Police Department, Fire Department, and the Communications Center. I have also served on the Public Safety & Security Steering Group for Airports Council International--North America. I am a graduate of the U.S. Air Force Academy and serve currently as a colonel in the Oregon Air National Guard. Mr. Chairman, I want to assure you and the Members of the subcommittee that airports take recent incidents and the prospect of the ``inside threat'' in the aviation environment seriously. Airport executives are working constantly in collaboration with the Transportation Security Administration to enhance the layers of security that exist to identify and address potential threats in the airport environment, including extensive background checks for aviation workers, random physical screening of workers at airports, surveillance, law enforcement patrols, robust security training, and the institution of challenge procedures among airport workers, to mention a few. In the public areas of airports, local law enforcement presence and patrols provide security far beyond what is typically in operation at other potential public targets such as sport stadiums, train stations, or shopping malls. The title of today's hearing poses the question as to whether recent incidents are an anomaly or the sign of systematic failure in terms of access control at airports. From my perspective and the perspective of AAAE, the existing access control system at the Nation's airports works well and is continuously improving. It relies on local management of credentialing and access control systems in accordance with strict Federal standards, requirements, and oversight; a robust, multi-layered security apparatus; and extensive efforts to identify ``bad'' people before they are ever given access to security sensitive areas of airports. That is not to say that the current system is infallible or that improvements cannot be made. Airport executives, for example, are aggressively working to enable voluntary migration to biometric-based badging and access control systems at airports as part of an initiative known as the Biometric Airport Security Identification Consortium. Other efforts to enhance airport access control technology and procedures are underway as well. In our view, the best approach to enhancing access control at the Nation's airports lies with continuing to focus on robust background checks, maintaining our multi-layered security approach, and preserving and protecting the critical local layer of security that airports provide with credentialing, access control, and other inherently local functions. While some have argued for Federalizing virtually all security responsibilities in airports, doing so would add to TSA's already daunting mission and abandon the successful local systems and process in place that have proven effective for decades in enhancing security and ensuring efficient airport operations. From a security and resource perspective, it is critical that inherently local security functions remain local with Federal oversight and backed by Federal resources when appropriate. airports add a critical, local layer of security that must be preserved and protected As you know, airports play a unique and critical role in aviation security, serving as an important partner to the TSA in helping the agency meet its core mission of passenger and baggage screening. The significant changes that have taken place in airports over the past decade with the creation of the TSA and its assumption of all screening duties have been aided dramatically by the work of the airport community, and we will continue to serve as a critical local partner to the agency as it continually modifies its operations with PreCheck and other risk-based approaches to security, which we fully support. In addition to partnering with TSA to meet its core mission, airports as public entities provide a critical local layer of security, performing a number of inherently local security-related functions at their facilities, including incident response and management, perimeter security, employee vetting and credentialing, access control, infrastructure and operations planning, and local law enforcement functions. These important duties have long been local responsibilities that have been performed by local authorities in accordance with Federal standards and subject to Federal oversight. Airport operators meet their security-related obligations with a sharp focus on the need to protect public safety, which remains one of their fundamental missions. The professionals who perform these duties at airports are highly trained and have the first responder duties that I know each and every Member of this subcommittee, the Congress, and the country value immensely. preserving the local role of airports with badging and access control is critical A cornerstone of security within the Nation's airports is the credentialing and background check processes that all workers must undergo prior to receiving airport-issued credentials that grant access to security sensitive airport areas. While a relatively new concept in the maritime environment, credentialing tied to strict, Federally- specified access control has been a key component of security at airports for more than 20 years. I have included a 1-page document at the end of my testimony that provides additional details on airport badging processes and requirements. In the aviation environment, the background check process for workers operates successfully as a Federal/local partnership with the Federal Government holding sole responsibility for criminal history record checks, security threat assessments, and other necessary Government checks for prospective workers and with local airport authorities operating and managing enrollment, credentialing, badging, criminal history background check adjudication, and access control systems in accordance with strict Federal standards. The current system for aviation ensures the highest level of security by combining the unique local experience, expertise, and knowledge that exists at individual airports regarding facilities and personnel with Federal standardization, Federal oversight, and Federal vetting assets. Local involvement provides a critical layer of security and gives airports the operational control they require to ensure that qualified employees receive the credentials they need to work in the airport environment. In contrast to the long-standing locally-controlled credentialing and access control apparatus that exists in the aviation environment, the credentialing/access control system in place in the maritime environment with the Transportation Worker Identification Credential (TWIC) program is relatively new. Under the TWIC model, the Federal Government or its contractors are responsible for virtually all aspects of credentialing, including worker enrollment, applicant vetting, and credential issuance. Some have suggested abandoning the successful local systems and processes already in place at airports with badging and access control to expand TSA and the Federal Government's control over more of the process as is the case with TWIC in the maritime environment. Airport executives oppose any move to shift any additional functions in aviation to the Federal Government and believe that such a move would diminish security by reducing or eliminating a critical, extra layer of security that is already in place in airports. Pursuing such an approach would scuttle a successful local/Federal model that has worked well for decades, eliminate local operational control, stymie significant efforts already underway at airports across the country to upgrade and biometrically enable existing airport badging and access control systems, and significantly increase costs to the aviation industry with no demonstrable security benefit. While the desire to centralize and Federalize the process for all transportation worker vetting programs may be understandable from the Federal Government's perspective, airport executives are concerned about Federal intrusion into existing processes that have worked well for decades. Airports are also very concerned about having to help foot the bill for these initiatives--estimated at $633 million through 2025 in appropriations and new fees as part of the TTAC Infrastructure Modernization (TIM) program--for changes that provide them with no demonstrable security or operational benefit. The current system in aviation operates efficiently and effectively at a fraction of the cost of other transportation vetting programs and at no cost to the Federal Government. Airport executives want to ensure that remains the case. With the Federal Government and State and local governments operating under historic budget constraints, it makes little sense to devote hundreds of millions of dollars in scarce resources to Federalize functions that airports have performed successfully for nearly a decade. The TIM effort fails to take into account the long- proven approach that exists in the aviation industry. biometric airport security identification consortium (basic) Before concluding, I want to take this opportunity to bring the subcommittee up to date on a related topic and the efforts of the Biometric Airport Security Identification Consortium or BASIC initiative. In simple terms, the objective of BASIC is to define a comprehensive, airport-driven Concept of Operations that will enable voluntary migration to biometric-based badging and access control systems at airports--a goal that I know subcommittee Members share. More than 40 airports of all sizes actively participate in BASIC. I would note that BASIC airport participants are working cooperatively with TSA on this initiative as well as with other groups, including the Airport Consultants Council. Many airport operators--including the Port of Portland--are eager to move forward with biometrics, but concerns remain about the prospect of overly prescriptive and costly solutions. Airports are also eager to avoid repeating mistakes made in the past where the Federal Government required costly and often proprietary access control systems to be deployed in airports in a compressed period of time. That approach proved both expensive and ineffective. In an effort to avoid unnecessary regulations and a one-size-fits- all mandate regarding biometric-based systems, airports participating in BASIC have identified several key principles that must be part of any future biometric-based badging and access control systems, including: Safeguards on local control and issuance of credentials, Leveraging of existing capital investments and resources, Standards-based open architecture and local determination of qualified vendors, and Phased implementation that migrates over time. In addition to building on the processes and regulations already in place at airports today, BASIC is also working to adapt important Federal standards regarding secure biometric credentials into the airport's operational environment. For example, Federal Information Processing Standard (FIPS) 201 and the more recent Personal Identity Verification Interoperability (PIV-I) for Non-Federal Issuers are reflected throughout the BASIC Concept of Operations and greatly inform the recommended phased implementation for airports. The BASIC working group, which meets on a regular basis, is moving forward aggressively to update and refine a detailed Concept of Operations that will define the biometric components and common business processes that need to be added to airports' existing procedures to enable biometric-based badge and access control systems in a reasonable and cost-effective time frame. In fact, several airports have already begun to implement the early phases of the BASIC Concept of Operations. Newark Liberty International Airport, San Francisco International Airport, Aspen Pitkin County International Airport, Los Angeles International, and Salt Lake City International Airport--to name just a few--have implemented a secure messaging structure for the submission of biographic security threat assessments and biometric criminal history record checks that will ultimately enable the return of trusted biometrics back to the airport for use on credentials or in access control systems. Airports are committed to moving forward to bring biometrics into the airport environment as soon as possible in a manner that builds upon existing capabilities and limits operational difficulties. The BASIC initiative, which is being driven by airports in cooperation with the Federal Government, offers the best opportunity for making the promises of biometrics a reality in a timely manner. Mr. Chairman, in closing, let me thank you once again for the opportunity to testify today. As an experienced security professional responsible for managing public safety and security operations at airports as well as vibrant maritime port facilities in my home of Portland, I am proud of the important role that local officials play in ensuring the highest levels of security and safety within critical transportation facilities. As I have highlighted throughout my testimony, the access control apparatus at airports is unique among other transportation facilities and has operated successfully for decades. Airport operators, which are extensions of local government, are directly responsible for credentialing and access control under strict Federal rules and oversight in recognition of the security and operational expertise that exists at the local level. Local involvement provides a crucial, additional security layer that should not be discarded. The current system in aviation leverages local experience, knowledge, and expertise with Federal standardization and vetting assets. Airport operators know and understand their facilities, and they maintain decades-old relationships with the numerous parties that employee individuals throughout the airport environment, resulting in high levels of security. Abandoning a decades-long record of local expertise and investment in favor of an unproven system under which credentialing and access control would be controlled centrally out of Washington or elsewhere-- as is being attempted in the maritime environment with TWIC--would be a huge step backwards in terms of security from where we are now with aviation. We appreciate your leadership and the work of this subcommittee to preserve and protect the important role that local airport officials play in partnership with TSA to ensure the highest levels of security at their facilities. I look forward to answering any questions you might have. Attachment.--Airport Badging Requirements and Processes historical context Airport operators and the aviation industry have a robust history of credentialing and access control experience. Since the inception of this approach more than 20 years ago, airport operators have been delegated badging authority by the Federal Government. In the early 1990's airports installed access control systems that for the first time were tied to a credential. In 1996, airports started utilizing criminal history record checks (CHRC) conducted by the FBI to adjudicate employees whose employment backgrounds could not be verified. current requirements and practices Since shortly after the September 11, 2001 terrorist attacks, CHRCs have been conducted on all employees with access to the Secure Identification Display Areas (SIDA) and Sterile Areas. Beginning in October 2007, TSA regulations also require name-based security threat assessments (STAs) for all individuals applying for either a SIDA or Sterile Area badge. The FBI performs CHRCs and provides airports with the full results of an applicant's check. TSA performs STAs, which check an individual against the Terrorist Screening Database and ``determines whether there are any outstanding immigration, terrorist or federal open wants or warrants issues pending against the potential employee.'' TSA provides airports with either ``approved'' or ``disapproved'' status for a prospective employee only based on security sensitivities. Airport operators maintain responsibility for worker enrollment, and badging, issuing local badges with card topography and identifying features unique to that airport facility. By regulation, airport operators and air carriers are responsible for adjudication of the CHRC which allows airport operators to know more about individuals that have access to their facilities. In some cases an individual is not disqualified under CHRC rules; however the individual may require further scrutiny or at least situational awareness for the Airport Security Coordinator. This approach provides a critical local layer of security. federal/local partnership in aviation--unique among other transportation modes In the aviation environment, the background check process for workers operates successfully as a Federal/local partnership with the Federal Government holding sole responsibility for STAs and other necessary Government checks for prospective workers and with local airport authorities operating and managing enrollment, credentialing, badging, criminal history background check adjudication, and access control systems in accordance with strict Federal standards. The current system for aviation ensures the highest level of security by combining the unique local experience, expertise, and knowledge that exists at individual airports regarding facilities and personnel with Federal standardization, Federal oversight, and Federal vetting assets. Local involvement provides a critical layer of security and gives airports the operational control they require to ensure that qualified employees receive the credentials they need to work in the airport environment. Mr. Rogers. I thank the gentleman. The Chairman now recognizes my colleague from Minnesota who will introduce our next guest. Mr. Cravaack. Thank you Mr. Chairman. I would like to introduce Captain Sean Cassidy. Captain Cassidy serves for Alaska Airlines, and ALPA's first vice president. Captain Cassidy has served as both chairman and vice chairman of Alaska Airlines Master Executive Council, and he was the chairman of Alaska Air Group Labor Coalition from 1999 to 2009. Hired by Alaska in 1996, Captain Cassidy serves as a Boeing 737 captain, has thousands of hours in the air. Most importantly, prior to his airline experience, Captain Cassidy serves as an officer in the United States Navy as a pilot. Captain Cassidy has performed duties in the carrier-based EA-6B which is the hardest aircraft to bring on the aircraft carrier, and supported numerous military operations including those in the Persian Gulf, and finished his naval career flying the C-9 as an officer in the United States Naval Reserves. With that, I would like to welcome Captain Cassidy. I will yield back to the Chairman. Mr. Rogers. I thank the gentlemen. Captain, you are recognized for your opening testimony. STATEMENT OF SEAN P. CASSIDY, FIRST VICE PRESIDENT, AIR LINE PILOTS ASSOCIATION, INTERNATIONAL Mr. Cassidy. Thank you, sir. On a side note, my wife was an Air Force pilot. I think she might beg to differ with you, sir. So good morning, Mr. Chairman, Ranking Member Thompson, and Members of the subcommittee, as the introduction said, I am Captain Sean Cassidy, the first vice president of Airline Pilots Association International. I represent 53,000 pilots, both in the United States and Canada at 37 different airlines. Controlling access to secure airport areas is critically important to the safety and security of the airline industry and the traveling public as we have certainly demonstrated today. While the Transportation Security Administration and airport authorities do a good job of controlling and preventing unauthorized access to these areas, it is my hope that both the TSA and the individual airports involved will continue to develop better response strategies. ALPA believes that like the vast majority of airline passengers, the overwhelming share of airline workers are trustworthy individuals who want to see their airlines and their industry succeed. In this context, the insider threat to passenger and all- cargo airline operations has always existed. Advances have been made in identifying those individuals who are reliable versus those who could pose a potential threat. However, effort is still needed to enhance the security of airlines and airports by ensuring those who have access to aircraft and payloads are appropriate to do so. The solution lies in advancing a risk-based approach to aviation security, and achieving one level of security for all airline operations regardless of whether they fly passengers or cargo. Unfortunately, a significant disparity exists today between the security of passenger and all-cargo flight operations. This gap is a serious concern for ALPA. For example, the Air Cargo Final Rule of 2006 does not require all airports that serve all-cargo airline operations to establish security identification display areas, otherwise known as SIDAs. As a result, the individual with access to secured areas of the airport are background-checked only through a biographic process, rather than through fingerprint-based criminal record history checks that are required for airline employees working similar jobs at passenger airlines. The U.S. Government has publicly acknowledged that a fingerprint-based system provides greater security, and a long- established precedent exists for using these systems. Moreover without such a system, we cannot reliably determine whether a person has been convicted of any of the 28 prohibited crimes that preclude access to secure airport areas. Just as practical experience has shown that the vast majority of airlines passengers have no harmful intent, the same can be said for aviation workers. We need to do more to identify those prospective employees who pose no threat, so that greater resources can be focused in identifying those who may pose a threat. One example of the kind of risk-based security that is needed is the ALPA- and Airlines for America-sponsored enhanced crew screening system for pilots known as Known Crewmember. This Government-approved alternative means of access to sterile areas of airports is available to pilots who comply with Known Crewmember requirements. Known Crewmember has been implemented at seven airports, and 11 more are expected to receive the system soon. ALPA and A4A have encouraged the TSA to include flight attendants in this program. The Known Crewmember program is just one example of risk- based security. By properly vetting, training, harnessing, and empowering airline workers much more can and must be done to employ them as part of the solution to advancing overall aviation security. Adopting a threat-based approach must also mean creating and fostering a security culture at airlines and airports in the same way that our industry has sought to achieve a safety culture. Such a security culture needs investments from airline, airports, and regulatory leaders, and decisive action to establish and enforce a true security culture. Achieving a security culture will call for these organizations to place more emphasis on providing meaningful, practical security training for all employees. A security culture will also require that all airline airport workers become the eyes and the ears for potential threats. With me today is airline--pardon me, Alaska Airlines First Officer Ed Finnegan sitting right behind me in the red tie, who I am pleased to say was concerned enough about this issue to take the time to contact his congressman, Congressman Cravaack. Also he is here with us today. He is a great example of how professional airline pilots stand ready to help advance aviation security in every way possible. One hundred percent screening of individuals entering the secure areas of airports is not the answer to counter the insider threat. Rather, we need to develop and immediately implement a risk-based systematic method of employee vetting that includes fingerprint-based criminal history background checks of every employee with unescorted access to passenger and cargo aircraft in our operations areas. To this end, Congress must take action to ensure that full SIDA requirements are mandated for all airports serving Part 121 all-cargo operations. A risk-based approach to aviation security, coupled with more traditional methodologies and a commitment to building a security culture at all airlines and airports, will help our industry reduce the insider threat at a very reasonable cost. Equally important, realizing such an approach will enhance aviation security for all who depend on air transportation. It will ensure the U.S. airline industry continues to fuel the Nation's economy. Thank you. [The statement of Mr. Cassidy follows:] Prepared Statement of Sean P. Cassidy May 16, 2012 Mr. Chairman and Ranking Member Jackson Lee, thank you for the opportunity to testify. The Air Line Pilots Association, International (ALPA), representing more than 53,000 pilots flying for 37 airlines in the United States and Canada, is the world's largest professional pilot association and the world's largest non-Governmental aviation safety organization. We are the representative for the majority of professional airline pilots in the United States with a history of safety and security advocacy spanning more than 80 years. As the sole U.S. member of the International Federation of Airline Pilots Associations (IFALPA), ALPA has the unique ability to provide active airline pilot expertise to aviation safety and security issues worldwide, and to incorporate an international dimension to safety and security advocacy. overview We applaud the subcommittee's demonstrated interest in airline and airport security by holding this hearing on airport access and other, related subjects. Maintaining and enforcing effective control of access to sterile and secure airport areas is critically important to the safety and security of the airline industry and the traveling public. The Transportation Security Administration (TSA) reviews and approves mandated Airport Security Programs (ASPs) which must be followed by our Nation's certificated, commercial airports. ASPs must delineate effective measures designed to preclude unauthorized access to sterile and secure areas, and also must provide effective response protocols in those instances where unauthorized access is attempted or occurs. To comply with these mandated security measures, airports utilize a variety of mechanisms, to include: Security Identification Display Area (SIDA) protocols; security training and challenge protocols for SIDA badge-holders; perimeter fencing and physical barriers; sophisticated technologies to prevent and detect unauthorized entry into sterile and secure areas; law enforcement patrol and response; and, interior access control systems which incorporate both technological and human resources. Airport screening checkpoints play a prominent role in an airport's security plan, providing access and screening controls to airport sterile areas for passengers, aviation and airport workers. Airports work in close partnership with the TSA to facilitate the checkpoint screening process. Accompanying these required airport access control measures dictated in the ASP are certain other TSA policy mandates, normally implemented through Security Directives (SDs) or Emergency Amendments (EAs), which obligate airports and aviation workers to enforce and follow prescribed protocols related to accessing sterile and secure airport areas, and, at times, dictating specific protocols aviation workers must follow as pertains to traditional checkpoint screening, or, alternative forms of approved screening prior to entering sterile and secure airport areas. The ALPA- and Airlines for America-sponsored security screening system for pilots, Known Crewmember (KCM), is an example of a Government-approved, alternative means of access to sterile areas of airports which is available to pilots who comply with KCM requirements. KCM has been implemented at 7 airports thus far, with 11 more that have been identified to receive the system soon and many more thereafter. ALPA and A4A have encouraged the TSA to include flight attendants in this program, as they should be part of risk-based security. It has been ALPA's general experience that TSA and airport authorities do a very good job in controlling and preventing unauthorized access to sterile and secure airport areas. There have been some documented failures in this regard, causing inconvenience to passengers and resulting in a negative impact on the timeliness of airline and airport operations. However, we know of no such instances which involved persons who possessed the intent to do harm to the aviation industry. Based on the specifics of these reported incidents, we believe that both TSA and airports have developed sound strategies intended to prevent their reoccurrence. It has also been ALPA's experience that, in general, aviation workers comply with Government requirements regarding entry into airport sterile and secure areas. Because of practical constraints or operational needs, those regulations do not require all such workers to undergo traditional checkpoint screening protocols prior to entry, but apply alternative means of screening instead. It is normally in this context that discussion ensues regarding the ``insider threat'' to aviation. source of the threat The insider threat to passenger and all-cargo aviation operations has always existed in aviation security; it is not a new threat. It is one that must always be addressed, so that the risk of this threat causing a serious event is minimized to the maximum, practical extent. Notwithstanding the advances that have been made in passenger and cargo screening since 9/11, and the reliability of most aviation employees, a concentrated effort is needed to identify and eliminate threats posed by individuals who have access to commercial aircraft and their payloads. Shortly after the Christmas day 2009 underwear bomber's thwarted attack on NWA Flight No. 253 as it approached Detroit, ALPA published a white paper entitled Meeting Today's Aviation Security Needs: A Call to Action for a Trust-Based Security System. In it, we cited the need for a more comprehensive, threat-based approach to aviation security, stating: ``The insider threat to the aviation industry must not be overlooked or minimized. It must be addressed along with enhanced screening capabilities; background checks should be conducted on all those with access to our airplanes.'' Historically, the insider threat has been well-documented, both internationally and domestically. Al-Qaeda in the Arabian Peninsula (AQAP) has attempted to facilitate the hiring of flight attendants, baggage handlers, and airport security personnel, and in 2010, a Taliban sympathizer gained employment as a baggage handler at a U.S. carrier and traveled to Afghanistan to provide assistance in fighting against U.S. forces. While we believe that the vast majority of individuals employed by the airlines and Government agencies at the airport are upright, responsible, and trustworthy, no organization is immune from the possibility of employing individuals who engage in criminal behavior. Criminal organizations in the United States have regularly used airport, airline, Government, and contract employees to facilitate criminal activities in the airport environment, which include, but are not limited to, drug trafficking, contraband smuggling, theft, and prostitution. In March, a security officer in Buffalo, NY was criminally charged with allowing passengers to pass through screening checkpoints while using false identification, and as recently as last month, Federal drug agents arrested two former and two current security personnel at Los Angeles International Airport on drug trafficking and bribery charges. Fortunately for the traveling public, the insider threat has primarily been associated with the perpetration of criminal rather than terrorist activity. However, just as a criminal organization can infiltrate a segment of the aviation work force or circumvent existing security procedures, so too can a terrorist organization. Whether breached by a willing participant who is working for a criminal or terrorist organization, or an unwitting dupe believing he is simply facilitating a criminal rather than a terrorist act, existing weaknesses which facilitate these dynamics must be identified and corrected. Vulnerability and risk associated with the insider threat is magnified because risk-based security measures have not yet been applied to the extent that they are needed. One example: The May 2006 Air Cargo Final Rule did not require all airports which serve all-cargo airline operations to establish Security Identification Display Areas (or SIDAs). Many persons with access to air operations areas of these airports and to wide-body cargo aircraft are background-vetted only by means of a biographic-based Security Threat Assessment (STA) process, rather than by means of a fingerprint-based Criminal History Records Check (CHRC) which is required for similar employee categories in the passenger airline domain. This lack of standardized application of fingerprint-based CHRCs in background-vetting of aviation workers exists even though the Government has publicly acknowledged that a fingerprint-based CHRC provides a greater degree of security than an STA, and that there should be congruency in background vetting for workers in functions that present similar security concerns, such as checked baggage screeners and cargo screeners. As a result of this imbalance in background-vetting standards, many persons holding positions of trust in the all-cargo domain, and who have unescorted access to cargo aircraft, the goods they carry and to air operations areas of airports, are not vetted to the same standard as persons occupying equivalent positions in the passenger aviation domain. There is long-established precedent for using fingerprint-based CHRCs in determining an individual's suitability for hiring in a security-sensitive position. Numerous employment categories exclude convicted felons from eligibility, deeming them to be unsuitable candidates due to security concerns, character issues, and recidivism rates. The difference between undergoing CHRC-based background vetting as opposed to a STA is significant when viewed in terms of the dangers presented by the insider threat. Without use of a fingerprint-based CHRC, no reliable determination can be made as to whether a person has been convicted of any of the 28 prohibited crimes that are described in 49 CFR 1544.229, and which preclude unescorted access to secure airport areas. This lack of standardization between the background- vetting processes applied to workers employed by passenger airlines and all-cargo carriers unnecessarily creates yet another challenge in mitigating the insider threat to aviation. reasonable expectations To effectively mitigate the problem of the insider threat to aviation, we must begin with reasonable expectations, have a good understanding of the industry's operational environment, acknowledge that there can never be total elimination of risk and accept the fact that the best we can hope to achieve is reasonable mitigation of the threats we face. It is also necessary to recognize that a certain degree of trust must always exist within the framework of securing the aviation domain. For the system to work, we have to trust Federal Security Directors, Transportation Security Officers, airport law enforcement officers, air traffic controllers, pilots, flight attendants, aircraft mechanics, et al. If we did not, the industry would be paralyzed. History has demonstrated that ``trust'' is a very fluid dynamic which offers no guarantees. Aldrich Ames and Robert Hanssen attained the highest levels of trust within their respective agencies, but ultimately compromised the values they had sworn to protect and the security of their Nation. Fortunately, such events are extremely rare and despite the uncertainties which will always accompany the allocation of ``trust,'' so doing is a necessary component of any security system. It is in this context that the concept of ``trust, but verify'' takes on significance. recommendations for mitigation Since its creation following the 9/11 attacks, the TSA has continued to evolve its passenger screening measures in an attempt to address the challenges posed by an intelligent, adaptive terrorist adversary. We have witnessed the evolution of Advanced Imaging Technology and the increased use of Behavioral Detection Officers. Regardless of the tremendous advances in airport screening capabilities, however, we only have to recall the incident of the infamous ``underwear bomber,'' or last week's reports that intelligence and law enforcement agencies had identified and interdicted an IED created entirely of non-metallic material reportedly designed by an AQAP master bomb-maker to be detonated by a suicide bomber aboard an aircraft. Although technology plays an integral role in the aviation security process, it is not a stand-alone solution. TSA Administrator John Pistole has recognized this fact by applying a more risk-based, threat- driven approach to aviation security, as evidenced by his support of the Known Crewmember program and other special screening programs such as Global Entry, Pre-Check, I-Step, SPOT, and behavioral detection techniques. The DHS public message of ``If you see something, say something'' is a valuable public awareness campaign to help mitigate the threat of terrorism. harnessing existing resources Aviation workers, which number in the hundreds of thousands, represent a vast and under-utilized resource in protecting the aviation domain, to include combating the insider threat. Commercial pilots, all of whom have undergone security awareness training as part of their employment, know their segment of the aviation industry and can sense anomalies whether commuting for work, on personal travel, or flying their assigned routes. Just as a police officer knows the beat he patrols and the mailman knows the neighborhood in which he delivers, so does the pilot know his or her normal work environment. As such, pilots should be considered assets in identifying threats to the industry, including insider threats, and treated as part of the solution rather than being viewed as part of the problem. This logic can be applied to other classes of aviation workers who frequent the airport domain: Flight attendants, mechanics, caterers, fuelers, baggage handlers, airport service providers, et al. In the late 1990's, ALPA served on the Government/industry Employee Utilization Working Group (EUWG) for the purpose of identifying guidelines to be followed by aviation sector employees to enhance security. One of the recommendations ALPA made to that group was to focus on the largely untapped resource of airport, airline, and other tenant employees. All of the individuals who work at an airport, regardless of position, background, and experience, and can usefully serve as the ``eyes and ears'' of security. Regrettably, the EUWG's recommendations have been largely ignored, but we believe that this hearing provides an opportune time to revisit them, because they are still valid: Encourage and assist airports and air carriers to develop and implement security awareness programs which emphasize the ``team'' concept. Encourage each airport and airline to employ or designate an existing employee as a security training manager. Create a standing security awareness working group comprised of Government and industry representatives for the specific purpose of enhancing employee's security awareness and compliance. Perform human factors research into why security lapses occur, applying lessons learned from that research to future employee awareness training efforts. Encourage certain employee groups (e.g., baggage handlers) to have their members serve as candidates to be used as a security observer/auditor for a few hours each month on a rotating basis when schedules allow. Employees should be utilized in this fashion in order to make them more security- conscious. Create a common, easily remembered, and dedicated phone number for specific employee use at airports for reporting of suspicious behavior or security breaches. Maintain a repository of employee utilization and security awareness media, including videos. Just as practical experience has shown that the vast majority of airline passengers have no evil intent and represent no threat to aviation, the same can be said for the vast majority of aviation workers. By properly vetting, training, harnessing, and empowering them, much can be done to counter the insider threat. The accomplishment of this goal will require a paradigm shift within the aviation domain. Just as the airline industry has placed great emphasis on the use of Safety Management Systems (SMS) in order to achieve and maintain aviation's excellent safety record, similar emphasis must be placed on the development and maintenance of a comprehensive security management system. The successful completion of this task will require true buy-in from the leadership of critical aviation stakeholders such as airlines, airports, and regulators, and their definitive action in the establishment and enforcement of a true security culture within their respective organizations. It will require these entities to invest more resources in and place more emphasis on providing meaningful, practical security training to employees and their empowerment as valued security resources, rather than simply ``checking the box'' in meeting Government mandates regarding the length and content of security training. Only in this way can a true security culture be established. conclusions One hundred percent physical screening of individuals entering secure/sterile areas of airports is not the answer to the insider threat. A highly-developed, systematic and reliable method of employee vetting, including fingerprint-based criminal history background checks (CHRC) of every employee with unescorted access to passenger and cargo aircraft, air operations areas, baggage and cargo should be implemented to support a risk-based approach to identify ``evil intent.'' To this end, full SIDA requirements must be mandated for all airports serving FAR part 121 all-cargo operations. In addition, fingerprint-based CHRCs must accompany the STA process in the background vetting of all individuals who have unescorted access to all-cargo air operations areas, aircraft, and the cargo they carry. If the leadership of critical aviation stakeholder organizations and regulators commit themselves to following through on the aforementioned recommendations, and if aviation workers are properly vetted, provided the appropriate training and reporting mechanisms and then empowered, they can be counted upon to counter the insider threat. This approach to aviation security, coupled with other more traditional methodologies such as the use of random inspections, employment of technological assets, such as surveillance and detection equipment, will do much to mitigate the insider threat, at very reasonable cost. ALPA is grateful for the opportunity to be heard on this important matter and to provide its views to the subcommittee. Mr. Rogers. Thank you, Captain Cassidy, for your testimony. Our third witness, Mr. William Swift currently serves as chairman of the Airport Minority Advisory Council. The Chairman now recognizes Mr. Swift for his opening statement. STATEMENT OF WILLIAM H. SWIFT, CHAIRMAN, AIRPORT MINORITY ADVISORY COUNCIL Mr. Swift. Mr. Chairman, Ranking Member Thompson, and Members of the House Homeland Security Subcommittee on Transportation Security, I am a principal at Business Traveler Services, Inc. BTS is a privately-held concessionaire based out of Atlanta, Georgia. I thank you for the opportunity to participate in today's hearing, and would like to discuss some of the issues that concessionaires like myself face on a regular basis in the airport security arena. As a concessionaire, I am concerned about airport security, as are all those who travel daily through nearly 400 U.S. commercial airports. A breach of security that leads to a major incident significantly impacts the traffic and business for all airports, and for all of us who have businesses at these airports. As part of my testimony, I would like to make three suggestions for the committee and Transportation Security Administration to consider: One, raising the SIDA Badge allocation limit. I ask the subcommittee to consider raising the 25 percent allocation limitation, or implementing a reasonable minimum allocation that would allow small businesses to successfully operate in the airport arena. Two, in showing a consistent delivery process--I recommend that the subcommittee look at ways to ensure the delivery process is subject to consistent security standards for all airports that do not unduly inhibit the ability of small concessionaires to compete and do business. Three, in showing consistency in the processing time line for new hires--we must be able to depend on a consistently timely response from TSA and the airport, and ask the subcommittee to examine methods to ensure consistency in this process. My comments today are focused on the impact of allocation of identification badges with SIDA badge privileges for concessionaires. It is particularly difficult for those of us who are small operators in airports having as few as one to three locations, and as a result as few as 6 to 12 employees. In posting a 25 percent limitation on those total number of employees permitted to be issued a SIDA badge suggests that only one and a half to three employees may have a SIDA badge. This limitation is arbitrary at best, and not based on facts relative to the procedures and practices by which we are required to operate in the airport environment. Now as we operate more often imposed by the airport, 12 to 17 hours per day, require at least two complete employee teams per day, 7 days per week on-site. A company needs opening and closing personnel, as well as floaters to address a variety of circumstances, i.e., repairs requiring an escort, product deliveries, replacing employees who call in sick or are late. The mathematical equation applied here does not work. Under one contract I have in Atlanta Airport, we provide a number of products and services via vending and/or mechanized units. Our employee operates this array of machines through three partners: A full-time maintenance man and a clerical assistant. We all have to pitch in to keep our company a step ahead of customer service demands. Amongst ourselves, we have asked rhetorically why does TSA view our business group as a higher risk to security of the airport. I recommend the subcommittee consider raising the 25 percent allocation limitation, or implementing a reasonable minimum allocation that would allow small businesses to successfully operate in the airport arena. Inconsistent handling of deliveries--another area of concern is the inconsistent handling of U.S. Postal, UPS, or FedEx packages. Small operators frequently do not maintain an off-airport warehouse for one to two stores operating, and therefore must rely on UPS or FedEx deliveries. Some airports permit deliveries by these companies' post-security stores, while others do not permit these deliveries. I recommend that that subcommittee look at ways to ensure the delivery process is subject to consistent security standards that do not unduly inhibit the ability of small concessionaires to compete and do business. Inconsistent processing time frames for new hires-- additional impact on the small operators, the inconsistent time frame to get hires through the TSA airport badging process, typically, this is 10 to 14 days processing, but as has been as long as 30 days. Consider that many of our new hires can ill afford to wait several weeks to get an approval, resulting in the loss of potential employees, as well as the $110 fee we are charged for each employee. In conclusion, I thank you for allowing me to share my experiences as an airport concessionaire with the subcommittee. I understand the careful balance between maximizing security while also ensuring businesses can still operate successfully and efficiently. I appreciate the work both the subcommittee and full committee have done in this area. Should any Members of the subcommittee have any questions for me today, I would be happy to address them. Thank you. [The statement of Mr. Swift follows:] Prepared Statement of William H. Swift May 16, 2012 Mr. Chairman, Ranking Member, and Members of the House Homeland Security Subcommittee on Transportation Security, my name is William Swift, a principal at Business Traveler Services, Inc. (BTS). BTS is a privately-held concessionaire based out of Atlanta, Georgia. I thank you for the opportunity to participate in today's hearing and would like to discuss some of the issues that concessionaires like myself face on a regular basis in the airport security arena. As a concessionaire, I am as concerned about airport security--as are all those who travel daily through nearly 400 U.S. commercial airports. A breach of security that leads to a major incident significantly impacts the traffic and business for all airports and for all of us who have businesses at these airports. As part of my testimony, I would like to make three suggestions for the Committee and Transportation Security Administration (TSA) to consider: 1. Raising the SIDA Badge Allocation Limit.--I ask the subcommittee consider raising the 25% allocation limitation or implementing a reasonable ``minimum'' allocation that would allow small businesses to successfully operate in the airport arena. 2. Ensuring a Consistent Delivery Process.--I recommend that the subcommittee look at ways to ensure the delivery process is subject to consistent security standards that do not unduly inhibit the ability of small concessionaire to compete and do business. 3. Ensuring Consistency in the Processing Timeline for New Hires.-- We must be able to depend on a consistently timely response from the TSA/airport, and I ask the subcommittee to examine methods to ensure consistency in this process. sida badge privileges My comments today are focused on the impact of the allocation of identification badges with SIDA badge privileges for concessionaires. It is particularly difficult for those of us who are small operators on airports, having as few as 1-3 locations, and as a result as few as 6- 12 employees. Imposing a 25% limitation on the total number of employees permitted to be issued a SIDA badge suggests that only 1.5-3 employees may have a SIDA badge. This limitation is arbitrary at best-- and not based on facts relative to the procedures and practices by which we are required to operate in an airport environment. The hours we operate, more often imposed by the airport, 12-17 hours per day, require that at least two complete employee teams per day 7 days per week be on-site. A company needs opening and closing personnel, as well as floaters to address a variety of circumstances, i.e. repairs requiring an escort, product deliveries, replacing employees who call in sick or late. The mathematical equation applied here does not work. Under one contract I have in the Atlanta airport, we provide a number of products and services via vending and/or mechanized units. Our company operates this array of machines through three partners/ principals, a full-time maintenance man and a clerical assistant. We all have to pitch in to keep our company in-step or ahead of the customer service demands. The arbitrary number of SIDA badges permitted is stifling to the small operator who, through necessity of the Homeland Security proportioned allocations, is being forced into a ``one-size-fits-all standard'' that cannot work when it comes to the small operator. Amongst ourselves, we have asked rhetorically, why does TSA view our business group as a higher risk to the security of the airport? I recommend the subcommittee consider raising the 25% allocation limitation or implementing a reasonable ``minimum'' allocation that would allow small businesses to successfully operate in the airport arena. inconsistent handling of deliveries Another area of concern is the inconsistent handling of U.S. postal, UPS, or FedEx packages. Small operators frequently do not maintain an off-airport warehouse for a 1-2 store operation and, therefore, must rely on UPS or FedEx deliveries. Some airports permit deliveries by these companies to post security stores, while others do not permit these deliveries. The impact is significant and costly for a small operator, possibly requiring that they must hire additional personnel and vehicles to be available on standby for these deliveries that can only be made and transported across the tarmac. Small operators cannot financially absorb the additional costs and remain profitable. I recommend that the subcommittee look at ways to ensure the delivery process is subject to consistent security standards that do not unduly inhibit the ability of small concessionaire to compete and do business. inconsistent processing time frame for new hires Additional impact on the small operator is the inconsistent time frame to get new hires through the TSA/airport badging process. Typically there is a 10-14 day processing, but it has been as long as 30 days. Considering that many of our new hires can ill-afford to wait several weeks to get an approval, resulting in the loss of potential employees and the fees we were charged by the airport for processing them. We must be able to depend on a consistently timely response from the TSA/airport, and I ask the subcommittee to examine methods to ensure consistency in this process. conclusion I thank you for allowing me to share my experiences as an airport concessionaire with the subcommittee. I understand the careful balance between maximizing security while also ensuring business can still operate successfully and efficiently, and I appreciate the work both the subcommittee and full committee have done in this area. Should any Members of the subcommittee have any questions for me today, I am happy to provide my insight and will answer your questions to the best of my ability. Mr. Rogers. Thank you, Mr. Swift. I recognize myself for opening questions. Mr. Crosby, what are airports doing proactively to incorporate biometrics into their access control systems? Mr. Crosby. Thank you, Mr. Chairman. It is an exciting thing that we are doing. We have voluntarily formed a consortium with airports and vendors to develop a concept of operations for biometrically-based access control systems. Rather than being mandated by the TSA, TSA supports the fact that we are trying to do it voluntarily. Like any piece of technology, access control systems need to be replaced over time. An example I will give you is our airport in Portland. We are about to replace our 20-year system. Right now we are heavily engaged with the free information that we are getting from airport officials at other airports who have already implemented biometrics, and those from the vendor community to get the latest technology at our airports. Mr. Rogers. What suggestions do you have for how both airport operators and TSA can reduce the number of security breaches that occur? You have heard the testimony earlier today. But I would love to hear your thoughts. Mr. Crosby. I have. I think that first of all TSA has made a lot of progress when it comes to breaches, in spite of maybe some of the reporting discussion that happened today. I can say, because I have been in this position since 9/11, when we all remember the times when airport concourses were dumps and many of us maybe missed flights, caused delays, hundreds of thousands dollars' worth of delay to people. Those don't happen near as much anymore. That is because the TSA is doing a better job of communicating with their own staff and with airport law enforcement officials. So I have seen improvement there. We have used technology to help us out. An example of that is using closed circuit television to better identify where the anomaly happened. The biggest area for traditional breaches at checkpoints is in the hand-off of an uncleared bag or an uncleared person between TSA officials. They are able to rectify that much more clearly and quickly now with the use of CCTV and better communication procedures. Mr. Rogers. Do you feel that access controls have a uniform level of security from airport to airport? Mr. Crosby. No, sir. As you know, the saying in our industry is if you have seen one airport, you have seen one airport. We all have the same parts, but we are all laid out differently. I think like any system, the best systems in the airport access control systems in the country are at airports that have proactive programs like Captain Cassidy referred to. We have lots of programs where we rely on all badge holders to report information to us so that we can respond to it and act and deal with security instances. We award badge holders, crewmembers, concessionaires for their reporting of things. I think those best practices that TSA has compiled, that we at airports talk about, we need to continue to spread around. Mr. Rogers. Thank you. I have got to step away for a few minutes. Mr. Cravaack is going to take the chair. I do want to let the Members know though, that later today I will be sending a letter to Administrator Pistole demanding that 100 percent of all breaches by any definition be reported up to PARIS, which is the Performance and Results Information System, the database by which they come up with processes to resolve these problems. I will also demand that the administrator take immediate action to remedy the database deficiencies that were outlined in the testimony and the questioning by Mr. Thompson and me. Those are inexcusable and should be remedied immediately. I am going to follow the gentleman from California's advice and recommend that if the administrator does not have the capacity to do that he needs to contract somebody that does. With that, Mr. Cravaack, you take the chair. Oh, and Mr. Thompson is recognized right now for any questions he may have. Mr. Thompson. Thank you very much, Mr. Chairman. Mr. Swift, in your testimony you suggested that TSA raise the minimum allocation of SIDA badges to vendors above the present 25 percent to allow businesses to successfully operate. Can you explain to the committee why you raised that as a concern? Mr. Swift. Primarily because if we have a small sales staff or operating staff of 10 to 12 people, 25 percent is only two or three people. When we run such a long day and 7 days a week, we have several shifts. If we lose one person, and it takes 2.5 to 3 weeks to replace that person through the approval process, we are short. Now we are trying to figure out or jerry-rig the process in order to stay in business. That is not acceptable to us. Mr. Thompson. So in other words, the 25 percent for a small business provides what is, by that small business, an undue burden through no fault of their own from a security standpoint. Mr. Crosby, have you looked at that? Mr. Crosby. Yes, sir, Ranking Member Thompson. I am glad this issue came up because I am happy to report some good news. Over the last 2 years as chair of AAAE's security committee, and in conjunction with Airport Councils International and the TSA, we have formed a task force that has been looking at all the new security regulations that have been written since 9/11, and then modifying them to fit today's world. One of those areas that is currently out for public review is this 25 percent rule that Mr. Swift may not be aware of. Our committee, that includes airport operators, has worked with TSA to come up with a modification to that rule that allows for relief of the 25 percent rule as long as the operator can prove a business need to have a higher percentage. So that rule is currently under review and should be implemented in the next couple months. Mr. Thompson. I guess my point is, so it is no longer 25 percent, but what is it? Mr. Crosby. It is whatever the vendor, concessionaire, can prove to the Federal security director is needed. Mr. Swift, as he said, we have the same case at our airport with a great concession program. We have vendors with four operators and some with 400. It depends on where your storage area is and what times of operations you have. If you can prove that all four of those four need it, then the FSD has the authority to approve that now to 100 percent. Mr. Thompson. To give you all four. Mr. Crosby. Yes, sir. Mr. Thompson. Would that alleviate the problem we are talking about here, Mr. Swift? Mr. Swift. Absolutely, but it is a matter of timing. Mr. Thompson. Yes. Mr. Swift. We are talking about another 6 months. We are still--it costs us money every day that we don't have the flexibility to do it right. Mr. Thompson. Captain Cassidy, you suggested in your testimony that airports designate an existing employee as a security training manager. How does that differ from your understanding of the present way things are done? Mr. Cassidy. Well, the way things work right now, you know, airlines have a corporate security department. They also have security personnel that are affiliated typically with the labor groups, to use an example, labor groups representing mechanics, pilots, flight attendants, dispatchers, et cetera. The bigger groups typically have a security person affiliated with them as well. When you go to the airport, the security responsibilities alternate between being in a non-sterile area where you have security more oriented with the law enforcement folks, and then when you get to the airplane, it kind of moves over towards the airlines. So the training responsibility also moves depending on, you know, where you are in your phase of operations. But I think the important thing is that however you get there, there has to be a team that is composed that takes into account the unique security aspects of operating an airport, operating concessions, flying the airplanes, servicing the airplanes. They need to kind of work towards coordinated---- Mr. Thompson. So---- Mr. Cassidy [continuing]. On the training. Mr. Thompson. So do you--is that presently your comment that that is kind of uncoordinated? Or---- Mr. Cassidy. That is exactly right. What we have been striving for, and in fact we were involved in a working group that made a number of recommendations in the 1990s. What we are looking for is development of a team concept so we have all the stakeholders involved with one common goal, and there is enhanced communications, you know, amongst all the stakeholders. I think that we have a very good example of that with our safety programs, where we do have commercial air safety teams, where we have stakeholders from the manufacturers, from the labor groups, from the operators. I think that there is a tremendous power, tremendous synergy when we get them all coordinated and working in a focused manner. Mr. Thompson. Thank you. I yield back, Mr. Chairman. Mr. Walberg [presiding]. Thank you. I recognize myself for 5 minutes of questioning. Mr. Crosby, let me ask you: How frequently does your airport revoke credentials because a worker poses a threat or violates a security policy? Mr. Crosby. Fortunately, security violations aren't overly common. But we have a prescribed matrix of penalties for security violations. As far as how often a security badge is revoked for a violation, it is not very often, sir. At our airport, we are the 30th largest airport in the country, I would say a couple a year. More often, there are suspensions and retraining that happens for minor violations. But major violations we do suspend on occasion. Mr. Walberg. Can you discuss for us the different camera systems that the Portland International Airport has installed? Who controls the different cameras on sites, for instance? Mr. Crosby. Yes, sir. The core closed circuit television system around the airport that we have enhanced over the last couple of years is the Port Authority's. But we recognize that we are in a partnership with others. We have given access to many of those cameras around the screening areas to TSA so they can better manage the customer service side of things with the line management and put their resources there. We also work closely with Customs and Border Protection in our Federal inspection station, where they have access to those cameras. So it is a collaborative process. It really has enhanced our ability to respond and find out really what has happened when something is reported. Mr. Walberg. Thanks. If one of your employees witnesses a breach of security, how can the employee report that to TSA? What is the process? Mr. Crosby. Well actually, our process is report it to the airport dispatch, the airport 9-1-1. That is what we train all of our badge holders on. If you see something, to use the DHS phrase, ``see something, say something.'' But that has been a core value at most airports for many years before that catch-phrase came out. Every airport badge holder is required to report a security violation if they see it. We don't want them to put themselves in danger. So they call--everyone knows at our airport to call extension 4000 to get the immediate response from our law enforcement. Mr. Walberg. Thank you. Captain Cassidy, thanks for being here. Based on your experience, how do you think access control and perimeter security can be improved? Mr. Cassidy. Well, I think---- Mr. Walberg. Give us your list. Mr. Cassidy. It is pretty big. I think that the high level, you know, looking at it from the 33,000-foot level, we need a standard consistent approach to perimeter security. That clearly does not exist today. In my verbal remarks, I touched a little bit on the SIDA, the identification display area. I think one of the big issues that we have is the fact that there is really a bipartite rule with respect to passenger operations and cargo operations. Passengers have one standard, whereas there are cargo facilities, and we have no idea what kind of screening, what kind of access, what kind of perimeter security is being applied in those cargo facilities, which then enter our airspace. That would be at the very top of my list. It is clearly in line with our desire to have one level of safety and one level of security. I applaud Congressman Cravaack for, you know, putting the Safe Skies bill forward which tries to achieve one level of safety with regard to fatigue issues and crew duty limits. I think we should apply the same to security. Even within the various airports, each airport has its own individual airport security program. Depending on the needs of that particular airport, the access issues change a little bit, so even the way that they get access through some of the control points, through the gates to the airplanes, differs from airport to airport. Mr. Walberg. Okay. So those are the top two that you would say would go a long way. Mr. Cassidy. I would say one consistent approach to screening and access right across the board regardless if it is cargo or passenger would be at the very top of the list. Mr. Walberg. What process is in place for you to report as a pilot--report suspicious activity? Mr. Cassidy. Any number of ways. First of all, typically most crewmembers have--and I don't have my crew badge with me--but typically there is a list of quick-call numbers that you have on your crew badge which takes you right to your security folks, as well as airport security. I think that we have enough awareness, especially post-9/ 11, that anybody who approaches a uniformed crewmember at a dispatch desk, at a gate, will know immediately to be able to relay the information to airport security. Mr. Walberg. Have you ever reported? Mr. Cassidy. Yes. Mr. Walberg. What was the outcome? Mr. Cassidy. I have reported on any number of occasions. A very simple--and it is not particularly sexy--but, you know, I will be walking through the terminal waiting for a flight and I will notice a bag sitting in the corridor unescorted, unaccompanied. I can't tell you how many times I have just made a simple report like that. Grabbed the CSA, who has made an announcement over the P.A. system--CSA, customer service agent, pardon me-- who has made an announcement over the passenger system. If they are not able to have somebody claim the bag, then they notify airport security. That happens thousands of times a day in all of our airports right now. Mr. Walberg. Okay. Thank you. My time has expired. I recognize the Ranking Member for her question. Ms. Jackson Lee. Chairman, thank you very much. Let me thank the witnesses for their testimony that I reviewed. I was delayed at another meeting. I want to follow the line of reasoning that I followed earlier, and I think it is imperative that we provide a safe perimeter, and also a safe opportunity for departing passengers to board. Finally for that plane to become airborne, if you will, and land at its destination. I think that is our ultimate responsibility. You have heard in our earlier testimony and questioning how crucial that is. Each of us has, I would say, a very large part sometimes that poses inconvenience. But I think in the midst of inconvenience, we should also be rational as well. So I am interested in us being rational, and that my line of questioning will pose along the lines of how important it is that we all team up on this concept called securing the airport. It is enormously difficult to hear at one of our great airports, Atlanta-Hartsfield, that people are entering it as if they are entering a carnival or they are getting away with not paying tickets for a baseball game, and two and three and four people are passing through the turnstile. As I said, we have been discussing this perimeter and badging issue for a very long time, and we continue to have these incidents. So let me go to you, Mr. Swift. You are committed to making sure that your employees are credentialed. Is that not correct? Mr. Swift. Absolutely. Ms. Jackson Lee. First of all, let me say that I am glad that we see our airports as opportunities for minority and small and women-owned businesses. I want to make sure that you know that I am completely supportive of those opportunities, and frankly believe there should be more. So you are committed to the credentialing. What would be--first, what is the cost that you have to pay for credentialing? What would you want to see to expedite the process? Mr. Swift. Firstly, the cost is $50 for the fingerprinting and $60 for the badge. If you have been fingerprinted in the last 10 years, you don't have to get it done again. However with the rate of turnover that takes place in any retail or food-and-beverage operation, this is a significant cost, especially when you are talking about 200 percent turnover on an annual basis. The second part of your question, ma'am? Sorry. Ms. Jackson Lee. What would you like to see happening now to, one, do our chief mission, which is to secure that airport and those passengers and all others that work there, and that comports with a responsible way of dealing with your businesses, plural, meaning the concessions that are in airports? Mr. Swift. Clearly, the first responsibility as a concessionaire, when I send an employee for approval for their application, I make sure the application is completely filled out. If I do my job on that end, I don't understand why it takes anywhere from 10 days to 30 days to process the employee. The problem we have with that is on the street, if I send someone to get a job, within 2 or 3 days, they can be processed and hired. We recognize the security issue as it relates to the airport, but it doesn't work well with us who are operating in the airport to not know exactly how long it should take us. A day or two slip is acceptable, but when it gets in the 30-day range, it is unacceptable. Ms. Jackson Lee. Where do you place that burden of the time frame? Mr. Swift. Well, we are not on the other side of once that application is submitted, so we don't know whether or not that time frame takes place at the airport, in terms of the fingerprint process, TSA. We just know that it takes too long. Ms. Jackson Lee. But the airport is where you submit the data to. Is that correct? Mr. Swift. That is correct. Ms. Jackson Lee. Okay. Let me--as I pursue my questions, I want to acknowledge Ed Finnegan, who has been such a great leader on a number of issues--thank him for his presence. Captain Cassidy, let me pursue. You would agree that flight attendants should be included in this process that is utilized by the pilots? Mr. Cassidy. Yes, ma'am, absolutely. We have come out very clearly in favor of having flight attendants included in the Known Crewmember program. Ms. Jackson Lee. Where do you think the burden of the delay in badges may fall? Mr. Cassidy. Well--is this related to Known Crewmember or employee badges? Ms. Jackson Lee. Employee badges--if you would just give a general sense of it. Mr. Cassidy. You know, that is a little bit out of my area of expertise. But I know that there is a pretty significant screening process that I had to go through to get the access badges, the SIDA badges, for access at the airport that I am domiciled at. When we turn those in, we would have to go through a whole security class, training video, and I think a 2- or 3-hour class to regain that before it even began the processing phase. So as Mr. Swift said, that is on the other side of the fence. So I don't really have enough feeling for what happens once---- Ms. Jackson Lee. Well, why don't you talk about the experience with the pilots? Mr. Cassidy. Pardon me? Ms. Jackson Lee. Why don't you talk about the experience with the pilots for securing that document? Mr. Cassidy. For securing the Known Crewmember? Ms. Jackson Lee. Yes. Yes. Mr. Cassidy. Well, it is actually a very, very effective program because what it does, it relies on existing employee databases. All pilots and flight attendants go through a very rigorous screening and background check process. Each airline maintains employee databases. So, every time you transit one of the Known Crewmember portals that our 20 pilot groups do, you have an instant query that is done to the pilot's active employment status with the airline. That query is continuously happening. So that combined with the other form of ID makes for a very, very seamless transit. The best thing about it, I don't think we have really emphasized it, is that by having this alternate screening method, what it does is it allows the known travelers, the known crewmembers who are very, very well-known and background- checked to get through. It allows TSA and all the other law enforcement agencies to focus their resources on the people they don't know about. I think that is a hugely important aspect of these advanced screening programs. Ms. Jackson Lee. So, you are comfortable and believe that it is a working system? Mr. Cassidy. Yes, ma'am. I was at the very first airport on the very first day it stood up. From that day until right now it has worked flawlessly. Ms. Jackson Lee. So it should be a tool that we should look to expand. Mr. Cassidy. One of many tools in a multilayered security environment, absolutely. Ms. Jackson Lee. Let me just pose this question to Mr. Crosby coming out of Portland International Airport. You are well aware that data for badging comes to the airport and they have a responsibility. So I would make the point that I, having lived with a lot of airports since--in my early days of being elected to the Houston City Council, I know there is a lot of work that is being done there. But I do believe that the airports have a heightened responsibility to have a process to heighten their review so that TSA can intervene at an appropriate time and get this done. What is your assessment of that? Mr. Crosby. My assessment of that, ma'am, is that airports have a lot of hardworking people that process tens of thousands of applications every day with a lot of what is on-going changing requirements that TSA has given us. We do a really good job at that the vast majority of the time. With any document collection processor, there is always going to be an opportunity to review and check and cross-check for errors. The good news is that bad people haven't gotten through the system. But clerical errors, a lot--there are things that we can do that are highlighted by the IG report and some airports have voluntarily done to have better cross-checks in place to make sure that the information that we are getting from the applicant is given to the Federal Government is complete. Ms. Jackson Lee. Mr. Chairman, if you would just yield to me a moment more, I just want to pursue this. Do you think it is reasonable to have employees use one badge identification and allow several individuals to enter a secured area? Mr. Crosby. I am not sure I understand the question. Ms. Jackson Lee. Do you believe that it is appropriate for an employee of a concession, of the airport, under the airport's jurisdiction, because you have locked in areas where you have to badge. To have an employee that has a badge allow three and four and five employees to follow in behind them without using their badge or maybe they don't have a badge. Mr. Crosby. I understand. Ms. Jackson Lee. What are airports doing about that? Mr. Crosby. Yes, ma'am. Well, first of all we are--in our training we highlight what the rules allow and don't allow. The rules do not allow for multiple badged people to enter through a gateway without swiping their badge. If you have a badge---- Ms. Jackson Lee. But multiple people, they enter on one badge. I left my badge at home, et cetera. Mr. Crosby. Correct, ma'am. They have to swipe it if they have the badge---- Ms. Jackson Lee. What is your oversight? I mean I am disappointed--you happen to be from an airport, so don't think I am calling out Portland, but what is the oversight for that not happening? Mr. Crosby. The oversight is--because there are escorting provisions in the rules. You have to allow for some flexibility when you have visiting guests. I mean, Mr. Swift knows, Captain Cassidy knows that sometimes you have to escort officials on business into the secured areas. So there has to be provisions for escorting un- badged, un-badged people. The way the system works without having bad things happen is that you have to hold people accountable. That is what we do at our airport. We have cameras at key access points. Whenever we determine there has been a piggybacking violation, as this is called, we put a penalty on that person for doing it. Ms. Jackson Lee. Do you report it to TSA? Mr. Crosby. Absolutely. All of our security violations that are reported to us, we give TSA full access to. Ms. Jackson Lee. All right. I yield back, Mr. Chairman. Thank you. Mr. Cravaack [presiding]. The gentlelady yields back. I will yield myself 5 minutes. Thank you very much for being here today, what I consider extremely important, obviously from previous testimony regarding the security of our airlines. I would also like to recognize Ed Finnegan again, from the 8th District of Minnesota. Thank you for taking even more time away from your family and being here today. So thank you very much. Captain Cassidy, with all the experience and hours that you have in flying in many different airports throughout the country, if not around the world, you mentioned in your testimony examples of al-Qaeda basically probing our security measures in trying to gain access to the shadow of the aircraft. What procedures do you think, as a first-line observer, that need to be implemented in ensuring that the shadow of the aircraft remains secure? Mr. Cassidy. Well, I think that you know a robust criminal history and background check, including fingerprinting is an absolute requirement to make sure that we have as much data available for potential threats to the aircraft. The other thing I think that we have to recognize is that we are never going to live in a world where we are 100 percent risk-free with regard to security issues. It is just that world does not exist. So what we have to do is apply multiple layers of security. That comes with prescreening methods, working with our agencies, using intelligence-based methods just as they did when they were able to intercept a potential terrorist who was basically going to have a little bit of a clone of the underwear bomber. Fortunately, they were able to identify the threat and thwart it offshore before it even got to the airplane shadow. I think that probably one of the biggest ways that we can help to mitigate that security threat is to recognize the fact that we have a tremendously talented pool of folks that are in our airports right now. They are the operators, they are the pilots, they are the flight attendants. If you operate an airplane day-in, day-out, if you staff an airplane day-in, day-out, even though you can't quite identify something that is a little bit different, you know that something is different. By having a coordinated approach, by having stakeholder teams that work together, identify security breaches, do a data-driven analysis of what caused those breaches, hopefully we can take a more kind of data-driven approach to enhancing our security environment; rather than just taking an ad hoc one that looks at the last time that the caterer inadvertently got in the airplane. Try to figure out what went wrong after it happened. What we need to do is develop a system that looks at precursors to security breaches and try to identify those things before they get to the airplane shadow. I think that as we have with safety systems--we have something called the Safety Management System which aggregates all these different safety events, safety data, and looks at precursors. We look at one kind of coordinated way of enhancing safety. We haven't quite got there yet with security, but I think that is probably where we need to go next is to take an enlightened view towards security, and look at security management systems which incorporate all those different layers of safety. Of course, the very last layer of safety, and I applaud you for your support of that, is the Federal Flight Deck Officer program. When all else fails, it is really extremely reassuring to know that there is a pilot in the front who is prepared to defend that airplane and keep it from being used for very, very evil intentions. So all those things work in tandem, not any one solution is the answer. But a coordinated kind of more kind of data-driven approach is clearly the way to approach that. Mr. Cravaack. I would tend to agree. The information that I am receiving as well, having layered approaches of security is obviously the way to go. At the same time making sure that we use a risk-based analysis and identifying those that are safe risks, those that are either unknown or potential risks. I would strongly agree with that. One point you made, and I wanted to make sure that this does not go unnoticed, what would you consider the last line of defense of any passenger aircraft or cargo aircraft for that matter? Mr. Cassidy. That would be the Federal Flight Deck Officer program. We are very pleased to be involved in the incipient-- the development of the program. We are very proud supporters of it. We continue to be enthusiastic supporters of the Federal Flight Deck Officer program. Mr. Cravaack. I would tend to agree with you, Captain. Thank you. Also, Mr. Crosby, you did mention that when you do report to TSA--what you considered a breach of security, you report to the TSA. Have you had satisfactory response from the TSA? Mr. Crosby. Yes, we have, Congressman. TSA has an open book to look at all security violations that we investigate. Every time we have a reported violation, our Department investigates it and makes a determination of whether there has been a violation and issues the proper penalty, a due process for all things. We allow TSA to see that whole process. Mr. Cravaack. Excellent. Thank you very much, sir. My time has expired. I will recognize Mr. Davis from Illinois. Mr. Davis. Thank you very much, Mr. Chairman, and I thank our witnesses for being here. Mr. Crosby, in your testimony you made several references to the importance of the airport's need to leverage local experience, expertise, and knowledge. How do you envision that being phased into a Federal system cooperatively for use that may be applied in many different or in several different locations? Mr. Crosby. Well, Congressman, I think it is--the system that we have had in place at airports has evolved over time, and before Federal credentialing was necessary in other transportation venues, and it has worked well. I will give you two examples. One, we get the criminal history record information back from the Federal Government that may not be fully complete and we locally adjudicate it. Meaning if there is a person who has been arrested for a crime, but the information we get from the Federal Government doesn't show a conviction, we are able to meet with the applicant, verify the information, help them get the court documentation they may need, and really verify whether this person is a threat and whether they meet the threshold for getting a badge. Second, I think that the local application is that all access control systems--while our badge colors may look the same--the captain and I have, we work at the same airport, most airports tailor access to what that person needs to do their job. That is what is critically important. With the advancement in access control systems, an airport may have 100, 1,000 different doors in and around the airport, but you only get access to the ones that Alaska Airlines needs not the ones that Delta. That makes for people having less of an opportunity to do bad things if we control their access to do their job. Mr. Davis. Captain Cassidy, and Mr. Swift, both, how do you view your interactions with Federal or local authorities in a cooperative way, that would meet both the needs that represent say, the needs of pilots in a sense, and the needs of vendors in a sense? How does that work to become more effective as well as more facilitative of your needs? Mr. Cassidy. Do you want to go first? Mr. Swift. Well, one side of that, of course, from a concessionaire's perspective is try to help. How can we do this better, faster, easier, and make sure it is accurate? One thing that we are entertaining is the possibility of all our employees fill out an application on-line. That will help to guarantee that there is no difference in what is stated on the application and what the applicant wrote. Unfortunately, many of the applications are done by hand. We can understand why there are problems with understanding certain numbers and letters--don't look the same to everyone. So we think that that is something we would suggest is a simple software package that allows an employee to step up to a computer, fill out the application, and now we can be sure that everyone is looking at the same document. We think that, in itself, would help as part of the process. We think there is a cooperative effort on everyone's part to do it. It is just that it is a massive process where you are processing over half a million applications a year. It is significant. Mr. Cassidy. I picked up on one word in particular, and that was collaborative. I think that that is the really key ingredient to a successful relationship is working collaboratively together with the various law enforcement agencies, both at the Federal level and also the local level. We have a good relationship, especially with the program managers for the Federal Flight Deck Officer, with TSA officials tasked with various aspects of security. The local relationships are really where the rubber hits the road, and that really varies from airport to airport. We have dedicated committee volunteers. We have over 400 volunteers working in our safety and security structure, many of them have previous law enforcement backgrounds. So they have much more of a conduit to kind-of relating to the local enforcement officers. The challenge is really the sharing of intelligence, the sharing of data. That is where I would like to see some improvements where we have a better sharing of information which indicates what the security threats are. We are going to continue to work in that effort. Mr. Davis. Thank you, gentlemen, very much. I appreciate your being here. I yield back, Mr. Chairman. Mr. Cravaack. The gentleman yields back. The witnesses--thank you very much. We have a second round of questions if you would be so inclined. I would like to recognize the Ranking Member. Ms. Jackson Lee. Mr. Chairman, thank you very much and to the witnesses. Let me pose again, to Captain Cassidy, how important the airline crew, captain, flight attendants are to be trained to report breaches or to--and I think there is a balance. You are there to serve. We realize that. You are there to promote the brand of the airline. We appreciate that. But how important are the eyes and ears of those who are familiar with airports? Mr. Cassidy. Well, I think it is incredibly important. I think, you know, looking at first, the pilots and the flight attendants, the airplane crew--you notice that I talk about us as one cohesive crew, not the pilots separated by the flight attendants because, really, especially when the planes pushes back from the gate, they are really the eyes and ears of the activity in the cabin. Their ability to communicate irregular situations to us, to indicate potential security threats, allows us to take appropriate action, lock down the flight deck, and decide whether or not we have to take the next step and consider diverting the airplane to a location to get on the ground as expeditiously as possible to try to ameliorate some of the threat, try to reduce the threat and avoid taking it further down the road. Now, expanding that tight circle of trust that exists between the pilots and the flight attendants, we also have mechanics, service employees that service the airplanes, that man the gates. In fact when you are on the ground, your ground security coordinator is typically the lead customer service agent for the airline before the cabin door shuts and you push back. So it is incredibly important that we figure a way to work as efficiently and as collaboratively as possible. Before I came over here, I pulled up some statistics and I think the Bureau of Transportation statistics said that there was about 480,000 airline employees employed in the United States in 2010. When you look at the component that you have very well- known, very well-trained employees that form a significant majority of that, you have a massive talent pool of folks that can work together and become the eyes and ears with respect to potential security threats. Ms. Jackson Lee. Do you feel that you have a direct or immediate access to report a breach that you have seen? Do you know what to do? If a captain--you could be coming through and you see three people go through a door. You know, there was a badge---- Mr. Cassidy. Right. Ms. Jackson Lee [continuing]. And the door is open and three people go through. Have we made our airline crews sensitive enough--they are going about their business. They may be rushing to their flight. Is there an easy number, an easy call to make to say this is what I saw at door number 2468? Mr. Cassidy. 9-1-1. You can go to any place in any airport, any concession---- Ms. Jackson Lee. Is that a 9-1-1 to the airport or a 9-1-1 to police? Mr. Cassidy. Typically it goes--it depends on the airport and I think Mr. Crosby would back me up on this, but it is going to get routed fairly expeditiously. You can also go to a concession stand and say you have an emergency. They are going to have law enforcement there quicker than you would probably realize because of the way that they are stationed around the terminals. Ms. Jackson Lee. So you would feel comfortable in doing that because I would imagine you would see three uniformed concession--I mean I call him by his name, but different things that are in the airport and they look legitimate. Do you keep going or do you call 9-1-1? I mean I think that is a very sensitive question. We need to try to understand so we can---- Mr. Cassidy. Right. Ms. Jackson Lee [continuing]. Improve our circumstances. Mr. Cassidy. We have 53,000 members that we represent. We are the biggest pilot union in the world. I am very, very confident that the vast, vast majority of those members would feel the same way that I would, and that is where we would say something. I can give you an example. One of the times I was flying I was walking around doing my pre-flight on the ramp, and I noticed that one of the service folks, the rampers that carry the bags and whatnot, had no identification on him, none. So I went up to the individual and I said, ``Do you have an airport ID? Do you have a SIDA badge?'' Fortunately he pulled one out of his pocket and put it around his neck and thanked me. But had he not had that, the very first thing I would have done was gone to his supervisor and said, ``We have somebody walking around in a sterile area, on the ramp, around all these airplanes and we have no idea who that person is.'' I am very confident that the flight attendants that I work with and the pilots and the mechanics would do likewise. Ms. Jackson Lee. We need to just continue to reinforce that is what---- Mr. Cassidy. Yes, ma'am. Ms. Jackson Lee [continuing]. Is what we need, to make it clear or approving that that be done. Do you think that the airlines themselves, the corporate entities, need to recognize that value that you have in doing that and reinforce that in their employees as well, and airports? Mr. Cassidy. Yes, ma'am. I can't emphasize enough how important it is for the airlines and the airports to really understand the talent and the potential that you have when you empower all those different employees to be part of the stakeholder team, be part of the team that can make a difference in the security systems at that particular airport. I think we have already done that with safety systems, as I said before. I think it is time to look at the next frontier and apply that same kind of standard to security systems. Ms. Jackson Lee. Mr. Chairman, I thank you for indulging. Let me--I just want to finish this line of reasoning. Captain, do you also believe it is important, because I would like to work with the Chairman and I would like to work with this Chairman as well, because of his expertise, that cabin security. You know, we have gotten comfortable because-- and I only use that term comfortable--but we always cite we have got the reinforced door and we have got the on-deck pilots, which I appreciate. That--but your responsibility is make sure that plane stays up and not down, even though you may be equipped to come running out of there. I know you would like not to run out of there. We have had a number of incidences. One in particular that deals with the pilot. But the point is my concern is that we have comfort with, well, the brave passengers will jump up. Do we need to look at cabin security as well as an issue? Mr. Cassidy. I think it is an evolving thing. We have to understand what the potential threats are. I think that with regard to the security behind the flight deck door, we go through recurrent training annually. Airlines typically do it as an integrated crew. We participate in security training with the flight attendants, and discuss things such as what do you do if you find an unidentified suspicious-looking device sitting in an overhead bin? What happens if you have an unruly passenger? How do you communicate it to the pilot, and everything in between? So I think that the training is there. But am I going to tell you that it couldn't get better? Absolutely not, it can always get better. But I am very pleased to say that we work very well together. Ms. Jackson Lee. We would like to help you get better. I understand that we have got a few of friends that are engaged in negotiations with their pilots, in particular United. I would like to get a briefing. I, frankly, believe that when you have an extended negotiation that you can't resolve you really do raise a question about focused effectiveness. I think pilots, flight attendants, being right on the airplanes are so important that any delayed negotiations. So how can we ramp that negotiation up as they proceed to try to settle this issue? Mr. Cassidy. Ma'am, I would be happy to give you a brief on what the status is right now of the negotiations. I think that I would be remiss if I also didn't point out that I think it is a tribute to the professionalism and the quality of the men and women that we have flying for us that despite the distractions of all these negotiations we still fly the safest skies in the world and we still have the safest air transportation in the history of the world right here, right now. Ms. Jackson Lee. I absolutely want to get that on the record. That is why I believe they need to ramp up their efforts and get this resolved, so that the men and women who are at this high level can not only fly airplanes, but be quick eyes to help the traveling public. I know the Chairman has been very indulgent. Here is my last point, Mr. Chairman, as I conclude. I also believe judgment should be key. Let us see--as you well know, you might have heard the story of a 2-year-old toddler that was on the no-fly list. I am really going to point back at our good friends, captains, you are--he or she is the king of that flight, and rightly so. I would just ask publicly that a 2-year-old on a no-fly list, let us report it and let them fly. Obviously, we have had a series of issues on the no-fly list, and I guess I am going to ask on the record--this will not be--I would want a response back--what is the penalty for an airline who indicates that a toddler could fly and their name is on a no-fly list? Because everyone always says what the FAA is going to do, they cite agencies that are probably not even relevant, but that is what they know to cite. I think that gives all of us a bad name, if we have to clarify the no-fly list. But if a toddler has got their name on the no-fly, in this incident the pilot or the airline--let us not say pilot--the airline made the toddler get off. Obviously they couldn't get off by themselves. So I am really concerned about that. I will conclude on this note. I believe that what we have discovered in this hearing is a fracture that has to connect the Transportation Security Administration as a front line in receiving all reports on breaches, every one of them. I appreciate, Captain, that it will be 9-1-1, but then the airport, if they have 9-1-1--and it may be an issue that is relevant for 9-1-1. But that 9-1-1 call and the response, that should go to the TSA. Mr. Crosby, I believe I didn't get the next sentence from you as to whether or not the airport is reporting this to TSA. So let this be a statement from me as the Ranking Member on this committee. I know that I want to work with the Chairman and Chairman Cravaack, who is here, that we have got to have a zero tolerance on missing the reporting of any breach that is occurring in the Nation's airports, to make good on our promise to secure America. I think that should be a demand out of this particular hearing. As I asked Mr. Sammon, Assistant Secretary Sammon, to begin doing that now and communicating with airports, and if you have to go back through old dusty, rusty records that happen to be 2 months old or a year old, we have to start where you can find your records. Those breaches need to be reported. All of our workers need to feel free to do so. Although we don't want to compromise security, we need to work with our small businesses, and TSA needs to develop a time line that does not compromise security, but in fact responds to some of the concerns that have been expressed in this hearing. Mr. Chairman, you have been overly indulgent. Thank you very much. I yield back to you. Mr. Cravaack. I thank the gentlelady. I thank the witnesses for their testimony today and the Members' valuable questions as well. Members of the committee may have some additional questions for the witnesses, and we ask you to respond to these in writing. The hearing record will be open for the next 10 days. Without objection, so ordered. The committee stands adjourned with your thanks. [Whereupon, at 12:28 p.m., the subcommittee was adjourned.]