Access Control and Badging

Feb. 15, 2008
As 100 percent employee screening becomes higher profile, other issues remain.

There have been a number of high-profile airport security breaches in the U.S. by employees during the past year. The Transportation Security Administration says it is working with industry associations like Airports Council International-North America and the American Association of Airport Executives to close the gaps. In the meantime, the promise of biometrics remains on the horizon, as does the Congress-mandated 100 percent employee screening pilot program. Tenant operations, represented by the National Air Transportation Association, continue to express frustration regarding the background check process, particularly as it relates to firms with multiple bases.

One of the more prominent airport employee breaches was last November at O’Hare, when a raid led to the arrest of 28 workers. Temp agency Ideal Staffing had given the undocumented workers fake identity badges — in some cases, deactivated badges were used to get them through security.

Bob Cammaroto, acting general manager of the transportation sector network management — commercial airports at TSA, says the incident illustrates the concerns that arise around employee access control and badging.

“The value of those situations to us, whether it’s the incident at O’Hare or any others, is that they point out to us and remind us of what we already know, and that is that vulnerabilities exist and vulnerabilities continue to exist no matter what we do,” says Cammaroto. “But it helps us, especially under the current leadership, to focus our resources in the right areas where our vulnerabilities may be most visible, and helps us to tweak areas and set the priorities. Because we, — like everybody else in this business — have limited resources, we try to focus those resources on the holes. And a situation like the one that happened at O’Hare does help us figure out where some of the holes lie, and it give us a little more impetus to close those holes.”

Charles Chambers, senior vice president of security and facilitation at ACI-NA, agrees. “There’s always a high level of concern about employee badging and screening and incidents do occasionally occur. Our dialogue with TSA and our airport members has always included that element as a very important part of the security situation at airports.”

Cammaroto says the incident could really be viewed as nothing new. “That’s the old worry, that you can’t legislate morality.”

He says many regulations currently in place have come out of similar breaches, many of which he sees as beginning in the ‘80s. “Certainly now, in the post-9/11 world, we recognize that really smart, capable people are really out there trying to do us harm. They’ve got a great deal of patience, a great deal of professionalism, and a great deal of qualifications to do long-term planning on their own timeline and their own way. We’re always in a reactive mode because you can’t ignore the last incident.

“We’re also trying very hard to stay ahead of the next incident. That comes down to risk assessment, and where we find ourselves most exposed.

When something like the incident at O’Hare occurs, it gives us pause to stop, and maybe we’re looking at one aspect of security but that helps jolt us back to reality and helps us not forget about the other pieces. It has to keep us focused, and that’s helpful.”

The Technological Advantage
Cammaroto sees technology, and biometrics in particular, as the best opportunity for improving access control and badging.

“We’re at a cusp right now,” Cammaroto says. “We’re really moving from the late ‘80s, early ‘90s type of approach to a more technological approach. The science and technology has caught up to where we want to be theoretically, so it’s really an exciting time for us.”

Though TSA is enthusiastic about the technology, some are still looking for guidance as to how it should be used. “There’s a lot of attention right now on the use of biometrics in the aviation environment, largely because of some isolated incidents that have happened at airports over the past year,” says Carter Morris, senior vice president of transportation security policy at AAAE. “It’s also because airports themselves are looking for some guidance from TSA so that they can start to deploy biometric solutions in a standardized way.”

According to Cammaroto, airports will find out sooner rather than later, saying that a Notice of Proposed Rulemaking on biometrics is in the industry’s future. In particular, he says, the goal will be to combine access control and airport ID systems. He points out that TSA “isn’t married” to a particular biometrics system, so airports should have some freedom in choosing what works best for each facility.

Some airports already have biometrics systems in place. In Chicago, O’Hare and Midway just completed installation of a new system in late October, though representatives of the airports declined to comment on any details surrounding the project.

Cammaroto is optimistic that biometrics could solve many of the problems and security lapses airports are currently facing.

“The idea of someone loaning a card, or finding or stealing a card to gain access, will to a great degree be diminished,” Cammaroto says. “That’s a weakness in the system right now that we’ll be addressing.”

Which isn’t to say there’s not enough security currently in place, of course, or that biometrics will be a cure-all.

“Certainly we have other layers of security that provide us greater security beyond merely the card and the swipe and the automated access system that exists today,” Cammaroto says. “We have ramp patrols, we have video cameras, we have the challenge process, we have robust training programs for the persons who have the unescorted access out onto the ramp. It’s not just one thing. Any one thing can certainly fail at some point, whether it’s a technological failure, a power failure, or simply a human failing.”

Cammaroto also notes that Special Committee 207 of RTCA, Inc. is expected to come out with updated guidelines of RTCA DO-230A - Standards for Airport Security Access Control Systems sometime this summer.

Streamlining the Process
Of course, the issue of badging centers around background checks, another issue that TSA is working to improve. According to Morris at AAAE, the AAAE Clearinghouse had actually managed to get the background check time down to some 40 minutes for an employee with no issues. Then, on October 1 of last year, new rules went into effect for additional employee vetting, backing up background check clearances for new airport hires across the country — just in time for the holidays. Since then, things have gotten better. Many seem to view the incident as water under the bridge — though not without its lessons.

“I think folks were a little surprised at how many records were transmitted, how large the population truly was,” Cammaroto says. “There was a learning curve on the airport operators’ side in terms of doing the input; there was a learning on the part of the Clearinghouse and handling the input; and I think internally here within TSA, we probably had the easier lift because we had the system set up and the databases were available. But it was certainly a three-way process and I think we’ve all learned from that and we’re building on that.”

Still, some would have liked more time to adapt. Comments Morris, “What we’d like to see TSA saying is, ‘we’ve been changing these standards on you on a daily basis right up until this October 1 deadline, and we’re going to give you a few months to comply with our new requirements.’”

“All’s well that ends well at this point, but it was a bit of a hassle,” says Eric Byer, vice president of government and industry affairs at NATA.

The AAAE Clearinghouse and TSA seem to view the situation as necessary growing pains, and see such inconveniences as improving efficiency in the future. “Anything you do at 40 different airports that affects a million different people who have badges at airports around the country is going to be disruptive,” says Morris at AAAE. But, he notes, fingerprint-based criminal history record checks have gone from taking 52 days to an average of 40 minutes since the Clearinghouse came onto the scene.

Since the October 1 changes, checks have gone up to taking some 72 hours. “That doesn’t seem like a lot, but you kind of get spoiled by the performance and track record that we’ve had in the four to five years prior,” Morris says. The Clearinghouse is working with TSA to try to “drive down” the amount of time the checks are taking now.

Byer says the amount of time the checks take is a big concern for NATA members — particularly for companies’ employees that need badges at multiple airports. But it’s one area in which change is not necessarily on the horizon, though improvements would be feasible.

“I don’t think you’re going to see anything substantial at this point,” Byer says. Still, he maintains that it would be more convenient for companies if they didn’t have to pay for the same background check multiple times.

Cammaroto says such decisions are left up to the airports. “Some of that can be obviated. In many cases, the airports choose not to run the risk of there being a mistake upstream, or that perhaps someone’s not being forthright with them in terms of a check being done. Some airports will choose instead to do the checks themselves, even though they may have done them elsewhere. We don’t want to take that latitude away from airport operators.”

Comments Morris at AAAE, “We have solicited TSA input, and basically approval of this transferability concept; where somebody who is cleared at one facility shows up on the Clearinghouse as having been cleared, allowing another facility to decide how much more of check they want to do, or whether they want to go ahead and take the green light that’s already up there and make that good enough to issue their badge. I think the important thing there is, we’ve got a process and solution in place right now that will provide these airports a lot of options.”

Chambers notes that ACI-NA is working with TSA to improve some immediate security concerns. He says TSA recently spot-checked certain airports to compare the airport’s list of active badges against the vendors and concessionaires list of employees.

TSA also sent out a letter to airport operators dated December 17, 2007 asking operators to meet with employers of businesses on-site and stress the importance of vigilance in keeping track of and returning identification media. The letter also asks operators to encourage use of E-verify, a free online program that verifies employment eligibility, particularly to improve the review process of the I-9 form.

“There’s no requirement that [I-9 documents] actually be verified,” says Chambers at ACI-NA. “So what we’re looking at is encouraging people to check the social security number using this system.”

Chambers says ACI-NA, working with TSA, AAAE and other industry stakeholders, “is also looking at coming up with best practices. We’ll go out and survey airports and come up with some ideas for best practices as it relates to auditing and controlling and providing badges for employees.”
Chambers says TSA also vets employees daily against a set of databases, to check for any employees who may have run into problems since their initial background check.

The ‘100 Precent’ Test
A pilot program, initially to take place at seven airports, is now in the works for 100 percent employee screening, thanks to a mandate from Congress. “What that study will help us to determine is, in part, what is the viability of 100 percent employee screening?” says TSA’s Cammaroto. “If everybody that had to come on to the airport to work has to go through some sort of physical inspection a la the passengers checkpoint, what will that do for us in terms of real security versus potentially a deterrent value, versus potentially a semblance of security but perhaps not real security?”

There appears to be an industry consensus that the idea of employee screening similar to passenger screening is preposterous.

“When you’re coming to work on the ramp of an airport, there are many items on the ramp of the airport that had you had those items at the passenger checkpoint, they’d have been taken from you,” Cammaroto says, “because some of those items are necessary to run the system itself.”

He says the goal of the pilot program will be to find the right mix of security measures to put in place. “The idea is [to get] a mix to ensure that the person working on the ramp on a day-by-day basis has some reasonable cause to believe that they may well be either approached or undergo some scrutiny, that’s either obvious or not, over the course of their workday.”

The Committee of Appropriations is allotting $15 million for the pilot. Specifically, three airports are to screen all employees either at the airport perimeter or passenger checkpoints for at least 90 days. Four other airports are to test other enhanced screening methods including behavior recognition, biometrics, cameras, and body imaging. At the time of this writing, industry association and TSA are working together to determine how best to implement the program.

Comments Morris at AAAE, “The multi-layered approach, the alternative measure approach is the one we’ve been working on with TSA; we know that TSA agrees that that’s the right approach.”