International Aviation Security: TSA Should Improve Industry Coordination and Its Security Directive and Emergency Amendment Review Process
Fast Facts
The Transportation Security Administration identifies threats to airlines and vulnerabilities at airports. If immediate action is needed, TSA may direct airlines to implement specific security measures. For example, TSA has required additional screening procedures for electronics on U.S.-bound flights.
TSA has a process for reviewing such directives to determine whether to update, cancel, or make them permanent. TSA’s process does not clearly define when or how to involve stakeholders. It is also not clear about how to cancel directives or make requirements within directives permanent.
Our 3 recommendations address these issues.
TSA officials brief airline representatives on a new directive
People giving a presentation to others in a conference room
Highlights
What GAO Found
As of March 2019, there were 46 Transportation Security Administration (TSA) security directives and emergency amendments (i.e., directives) in effect related to air carrier operations at foreign airports. Twenty-eight directives addressed threats (e.g., explosives in laptops) and 18 pertained to vulnerabilities identified at foreign airports (e.g., inadequate perimeter fencing).
TSA reviews directives, but its process does not fully define how to coordinate with industry representatives and TSA has not incorporated the security measures of many longstanding directives into air carrier security programs in accordance with TSA policy. Representatives from four domestic air carriers stated that coordination with TSA on directives has improved. However, representatives from six air carriers and two associations indicated that TSA has issued revised directives that are vague or difficult to implement—which, for example, contributed to TSA officials offering different interpretations of aircraft cabin search requirements—because TSA did not sufficiently include them in the review process. Better defining how TSA coordinates with air carriers and other stakeholders would help ensure that TSA issues directives that enable air carriers to effectively secure their operations against the identified threats or vulnerabilities. In addition, when TSA officials have coordinated with air carriers, they have not documented the input provided. Documenting the input could help ensure that TSA is consistently addressing air carrier concerns and retaining knowledge about who, what, when, where, and why coordination occurred.
Further, TSA policy states that directives are not intended to be permanent and are expected to eventually be canceled or incorporated into security programs. GAO analysis found that TSA issued more than one half (25) of the directives prior to 2014, meaning they have been in effect for more than 5 years. Several have been in effect for more than 10 years (see figure).
Years the Transportation Security Administration (TSA) Issued Security Directives/Emergency Amendments
As of July 2019, TSA officials had begun the process to migrate directives into security programs as deemed appropriate, but had not yet finalized their plans for doing so. Defining the process for incorporating directives into security programs, including expected timeframes, and taking actions to implement this process, as applicable, could better ensure that TSA clarifies and streamlines security requirements in a timely manner.
Why GAO Did This Study
Approximately 300 airports in foreign countries offer last point of departure flights to the United States. When threat information or vulnerabilities at foreign airports indicate an immediate need for air carriers to implement additional security measures, TSA may issue new or revise existing security directives (for domestic air carriers) and emergency amendments (for foreign air carriers).
The TSA Modernization Act includes a provision for GAO to examine TSA's review process for directives that apply at last point of departure airports. This report (1) identifies key characteristics of the TSA directives and (2) assesses TSA's process to review directives. GAO reviewed TSA policies and procedures, analyzed TSA program information, and interviewed TSA officials and representatives from a nongeneralizable sample of 10 air carriers, selected to represent carriers with high numbers of U.S.-bound flights, and three industry associations.
Recommendations
GAO recommends that TSA (1) better define how to coordinate with air carriers when reviewing directives, (2) document air carrier input, and (3) define a process, including time frames, for cancelling or incorporating security measures from directives into security programs. DHS concurred with all three recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Transportation Security Administration | The Administrator of TSA should ensure that the Assistant Administrator for Policy, Plans, and Engagement and the Assistant Administrator for Global Operations better define (e.g., develop guiding principles) how TSA is to coordinate with air carriers and other stakeholders during the review of security directives and emergency amendments, and implement such guidance (Recommendation 1). |
Closed – Implemented
In response to our recommendation, on November 21, 2019, TSA issued a memorandum to all staff that establishes a formal process to collect, record, and incorporate feedback received from industry stakeholders and pertinent federal agencies during the review process for all TSA security directives and emergency amendments (directives). We reviewed the specifics of this process as outlined in the memo, which contains sensitive information. TSA reported that the process outlined in the memorandum went into effect on November 30, 2019. Moreover, TSA reported that it is updating its management directive Standard Operating Procedures for Security Policy Development, Coordination, and Issuance. The changes include a new section on recording feedback received from industry and pertinent federal agencies during the review process for all TSA directives. By better defining how to coordinate with air carriers and implementing such guidance, TSA can better ensure that it more consistently coordinates with air carriers over time, air carriers concerns are addressed, and it issues directives that enable air carriers to effectively secure their operations against the identified threats or vulnerabilities.
|
| Transportation Security Administration | The Administrator of TSA should ensure input provided by air carriers and other stakeholders is documented during the security directive and emergency amendment review process (Recommendation 2). |
Closed – Implemented
In response to our recommendation, on November 21, 2019, TSA issued a memorandum to all staff that establishes a formal process to collect, record, and incorporate feedback received from industry stakeholders and pertinent federal agencies during the review process for all TSA directives. The process requires TSA to document feedback received in a log specific to the review of each directive and adjudicate the feedback. TSA reported that the process outlined in the memorandum went into effect on November 30, 2019. In March 2020, TSA provided examples of feedback logs for reviews completed since implementation of the memo. Documenting the input will help TSA ensure that it is consistently addressing air carrier concerns and retaining knowledge about who, what, when, where, and why coordination occurred.
|
| Transportation Security Administration | The Administrator of TSA should ensure that the Assistant Administrator for Policy, Plans, and Engagement defines a process for cancelling or incorporating security directives and emergency amendments into security programs, including time frames, and take action to implement this process, as applicable (Recommendation 3). |
Closed – Implemented
In response to our recommendation, TSA developed standard guidelines to determine if the measures in a directive should become baseline measures and therefore incorporated into the appropriate TSA security program, or if the directive should be cancelled or allowed to sunset based on changes in the circumstances of its issuance. Specifically, in June 2020, TSA developed guidelines stating that vulnerability-driven directives were to be given three years to sunset and threat-driven directives were to be given up to five years to sunset. However, TSA officials stated that certain circumstances could alter these timeframes, including a host government's ability to resolve an identified vulnerability at one of their airports or threat landscape changes. TSA prepared a work plan with timelines to incorporate the security measures in the current directives into the appropriate security programs. TSA anticipates that the security measures in all current directives will be migrated into appropriate security programs, allowed to sunset, or cancelled by 2022. By defining the process for cancelling or incorporating directives into security programs, including expected time frames, and taking actions to implement this process, as applicable, TSA can better ensure that it clarifies and streamlines the security requirements for air carriers that operate at last point of departure airports in a timely manner and in a way that uses limited resources efficiently. Further, taking these steps helps to ensure that requirements in directives that should become permanent are incorporated into security programs.
|