IIB 116TH CONGRESS 1ST SESSION H. R. 3469 IN THE SENATE OF THE UNITED STATES DECEMBER 10, 2019 Received; read twice and referred to the Committee on Commerce, Science, and Transportation AN ACT To direct the Transportation Security Administration to carry out covert testing and risk mitigation improvement of aviation security operations, and for other purposes. Be it enacted by the Senate and House of Representa- 1 tives of the United States of America in Congress assembled, 2 VerDate Sep 11 2014 23:55 Dec 10, 2019 Jkt 099200 PO 00000 Frm 00001 Fmt 6652 Sfmt 6201 E:\BILLS\H3469.RFS H3469 kjohnson on DSK79L0C42 with BILLS 2 HR 3469 RFS SECTION 1. SHORT TITLE. 1 This Act may be cited as the ‘‘Covert Testing and 2 Risk Mitigation Improvement Act of 2019’’. 3 SEC. 2. TSA COVERT TESTING AND RISK MITIGATION IM- 4 PROVEMENT. 5 (a) IN GENERAL.—Not later than 180 days after the 6 date of the enactment of this Act and annually thereafter, 7 the Administrator of the Transportation Security Admin- 8 istration shall implement the following: 9 (1) A system for conducting risk-informed 10 headquarters-based covert tests of aviation security 11 operations, including relating to airport passenger 12 and baggage security screening operations, that can 13 yield statistically valid data that can be used to iden- 14 tify and assess the nature and extent of 15 vulnerabilities to such operations that are not miti- 16 gated by current security practices. The Adminis- 17 trator shall execute annually not fewer than three 18 risk-informed covert testing projects designed to 19 identify systemic vulnerabilities in the transportation 20 security system, and shall document the assumptions 21 and rationale guiding the selection of such projects. 22 (2) A long-term headquarters-based covert test- 23 ing program, employing static but risk-informed 24 threat vectors, designed to assess changes in overall 25 screening effectiveness. 26 VerDate Sep 11 2014 23:55 Dec 10, 2019 Jkt 099200 PO 00000 Frm 00002 Fmt 6652 Sfmt 6201 E:\BILLS\H3469.RFS H3469 kjohnson on DSK79L0C42 with BILLS 3 HR 3469 RFS (b) MITIGATION.— 1 (1) IN GENERAL.—The Administrator of the 2 Transportation Security Administration shall estab- 3 lish a system to address and mitigate the 4 vulnerabilities identified and assessed pursuant to 5 the testing conducted under subsection (a). 6 (2) ANALYSIS.—Not later than 60 days after 7 the identification of any such vulnerability, the Ad- 8 ministrator shall ensure a vulnerability described in 9 paragraph (1) is analyzed to determine root causes. 10 (3) DETERMINATION.—Not later than 120 days 11 after the identification of any such vulnerability, the 12 Administrator shall make a determination regarding 13 whether or not to mitigate such vulnerability. The 14 Administrator shall prioritize mitigating 15 vulnerabilities based on their ability to reduce risk. 16 If the Administrator determines— 17 (A) to not mitigate such vulnerability, the 18 Administrator shall document the reasons for 19 the decision; or 20 (B) to mitigate such vulnerability, the Ad- 21 ministrator shall establish and document— 22 (i) key milestones appropriate for the 23 level of effort required to so mitigate such 24 vulnerability; and 25 VerDate Sep 11 2014 23:55 Dec 10, 2019 Jkt 099200 PO 00000 Frm 00003 Fmt 6652 Sfmt 6201 E:\BILLS\H3469.RFS H3469 kjohnson on DSK79L0C42 with BILLS 4 HR 3469 RFS (ii) a date by which measures to so 1 mitigate such vulnerability shall be imple- 2 mented by the Transportation Security Ad- 3 ministration. 4 (4) RETESTING.—Not later than 180 days after 5 the date on which measures to mitigate a vulner- 6 ability are completed by the Transportation Security 7 Administration pursuant to paragraph (3)(B)(ii), the 8 Administrator shall conduct a covert test in accord- 9 ance with subsection (a) of the aviation security op- 10 eration with respect to which such vulnerability was 11 identified to assess the effectiveness of such meas- 12 ures to mitigate such vulnerability. 13 (c) COMPILATION OF LISTS.— 14 (1) IN GENERAL.—Not later than 60 days after 15 completing a covert testing protocol under sub- 16 section (a), the Administrator of the Transportation 17 Security Administration shall compile a list (includ- 18 ing a classified annex if necessary) of the 19 vulnerabilities identified and assessed pursuant to 20 such testing. Each such list shall contain, at a min- 21 imum, the following: 22 (A) A brief description of the nature of 23 each vulnerability so identified and assessed. 24 VerDate Sep 11 2014 23:55 Dec 10, 2019 Jkt 099200 PO 00000 Frm 00004 Fmt 6652 Sfmt 6201 E:\BILLS\H3469.RFS H3469 kjohnson on DSK79L0C42 with BILLS 5 HR 3469 RFS (B) The date on which each vulnerability 1 was so identified and assessed. 2 (C) Key milestones appropriate for the 3 level of effort required to mitigate each vulner- 4 ability, as well as an indication of whether each 5 such milestone has been met. 6 (D) An indication of whether each vulner- 7 ability has been mitigated or reduced and, if so, 8 the date on which each such vulnerability was 9 so mitigated or reduced. 10 (E) If a vulnerability has not been fully 11 mitigated, the date by which the Administrator 12 shall so mitigate such vulnerability or a deter- 13 mination that it is not possible to fully mitigate 14 such vulnerability. 15 (F) The results of any subsequent covert 16 testing undertaken to assess whether mitigation 17 efforts have eliminated or reduced each vulner- 18 ability. 19 (2) SUBMISSION TO CONGRESS.—The Adminis- 20 trator shall submit to the Committee on Homeland 21 Security of the House of Representatives and the 22 Committee on Commerce, Science, and Transpor- 23 tation of the Senate a comprehensive document 24 tracking the status of the information required 25 VerDate Sep 11 2014 23:55 Dec 10, 2019 Jkt 099200 PO 00000 Frm 00005 Fmt 6652 Sfmt 6201 E:\BILLS\H3469.RFS H3469 kjohnson on DSK79L0C42 with BILLS 6 HR 3469 RFS under paragraph (1) together with the Transpor- 1 tation Security Administration’s annual budget re- 2 quest. 3 (d) GAO REVIEW.—Not later than 3 years after the 4 date of the enactment of this Act, the Comptroller General 5 of the United States shall review and submit to the Ad- 6 ministrator of the Transportation Security Administration 7 and the Committee on Homeland Security of the House 8 of Representatives and the Committee on Commerce, 9 Science, and Transportation of the Senate a report on the 10 effectiveness of the Transportation Security Administra- 11 tion’s processes for conducting covert testing projects that 12 yield statistically valid data that can be used to assess the 13 nature and extent of vulnerabilities to aviation security op- 14 erations that are not effectively mitigated by current secu- 15 rity operations. 16 Passed the House of Representatives December 9, 2019. Attest: CHERYL L. JOHNSON, Clerk. VerDate Sep 11 2014 23:55 Dec 10, 2019 Jkt 099200 PO 00000 Frm 00006 Fmt 6652 Sfmt 6201 E:\BILLS\H3469.RFS H3469 kjohnson on DSK79L0C42 with BILLS