The House Committee on Homeland Security sent to the floor last week legislation authored by the late Rep. Elijah E. Cummings (D-Md.), chairman of the Committee on Oversight and Reform, intended to help secure our skies and improve the Transportation Security Administration’s (TSA) security operations.
Cummings introduced H.R. 3469, the “Covert Testing and Risk Mitigation Improvement Act,” in June with the intent to improve the effectiveness and integrity of the covert tests TSA conducts of airport checkpoint security operations to identify vulnerabilities in those operations.
“We honored Chairman Cummings’ legacy in a small but appropriate way, by considering a bill he authored to make concrete improvements to our government,” said Rep. Bennie G. Thompson (D-Miss.), chairman of the House Committee on Homeland Security. “Congressman Cummings’ bill, the Covert Testing and Risk Mitigation Improvement Act, directs TSA to not only carry out and refine its covert testing programs, but also to use the information gathered to improve the agency’s security operations. When passed, his legislation will make our skies safer. I thank my colleagues for their support of this important bill and for helping to carry forward Chairman Cummings’ work.”
Under the legislation, TSA would implement a system for conducting risk-informed headquarters-based covert tests of aviation security operations, including those relating to airport passenger and baggage security screening operations. The system would be intended to yield statistically valid data that can be used to identify and assess the nature and extent of vulnerabilities to such operations that are not mitigated by current security practices.
The legislation, which has 24 co-sponsors, states that TSA must annually execute three or more risk-informed covert testing projects designed to identify systemic vulnerabilities in the transportation security system, and shall document the assumptions and rationale guiding the selection of such projects.
The long-term headquarters-based covert testing program would employ static but risk-informed threat vectors, designed to assess changes in overall screening effectiveness.
Not later than 60 days after completing a covert testing protocol, TSA would compile a list of the vulnerabilities identified and assessed as a result of the test. Each list must contain:
- a brief description of the nature of each vulnerability identified and assessed;
- the date on which each vulnerability was identified and assessed;
- key milestones appropriate for the level of effort required to mitigate each vulnerability, as well as an indication of whether each such milestone has been met;
- an indication of whether each vulnerability has been mitigated or reduced and, if so, the date on which each vulnerability was mitigated or reduced;
- if a vulnerability has not been fully mitigated, the date by which the TSA administrator will do so or a determination that it is not possible to fully mitigate the vulnerability; and
- the results of any subsequent covert testing undertaken to assess whether mitigation efforts have eliminated or reduced each vulnerability.
This information would then be prepared and submitted to Congress along with the TSA’s annual budget request.
Finally, the legislation includes a requirement for the Government Accountability Office (GAO) to review and report on TSA’s covert testing procedures within three years.
In April, GAO said TSA needed to improve its covert testing after it found a process introduced in 2015 intended to address vulnerabilities found in testing hadn’t fully worked.