[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


         SECURING OUR SKIES: OVERSIGHT OF AVIATION CREDENTIALS

=======================================================================

                                 HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                    TRANSPORTATION AND PUBLIC ASSETS

                                 OF THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                            FEBRUARY 3, 2016

                               __________

                           Serial No. 114-103

                               __________

Printed for the use of the Committee on Oversight and Government Reform


[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]



         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform
                      
                      
                             _____________
                             
                             
                       U.S. GOVERNMENT PUBLISHING OFFICE
23-402 PDF                    WASHINGTON : 2017                       
________________________________________________________________________________________           
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, gpo@custhelp.com.  
           
            
             
             COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                     JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, JR., Tennessee       CAROLYN B. MALONEY, New York
JIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of 
TIM WALBERG, Michigan                    Columbia
JUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri
PAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts
SCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee
TREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania
CYNTHIA M. LUMMIS, Wyoming           TAMMY DUCKWORTH, Illinois
THOMAS MASSIE, Kentucky              ROBIN L. KELLY, Illinois
MARK MEADOWS, North Carolina         BRENDA L. LAWRENCE, Michigan
RON DeSANTIS, Florida                TED LIEU, California
MICK, MULVANEY, South Carolina       BONNIE WATSON COLEMAN, New Jersey
KEN BUCK, Colorado                   STACEY E. PLASKETT, Virgin Islands
MARK WALKER, North Carolina          MARK DeSAULNIER, California
ROD BLUM, Massachusetts              BRENDAN F. BOYLE, Pennsylvania
JODY B. HICE, Georgia                PETER WELCH, Vermont
STEVE RUSSELL, Oklahoma              MICHELLE LUJAN GRISHAM, New Mexico
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama

                   Jennifer Hemingway, Staff Director
                 David Rapallo, Minority Staff Director
Michael Kiko, Staff Director, Subcommittee on Transportation and Public 
                                 Assets
                           Ari Wisch, Counsel
                         Michael Ding, Counsel
                           Willie Marx, Clerk

                                 ------                                

             Subcommittee on Transportation & Public Assets

                     JOHN L. MICA Florida, Chairman
                     
MICHAEL R. TURNER, Ohio              TAMMY DUCKWORTH, Illinois, Ranking 
JOHN J. DUNCAN, JR. Tennessee            Member
JUSTIN AMASH, Michigan               BONNIE WATSON COLEMAN, New Jersey
THOMAS MASSIE, Kentucky              MARK DESAULNIER, California
GLENN GROTHMAN, Wisconsin, Vice      BRENDAN F. BOYLE, Pennsylvania
    Chair
                            
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on February 3, 2016.................................     1

                               WITNESSES

Mr. Darby LaJoye, Deputy Assistant Administrator, Office of 
  Security Operations, Transportation Security Administration, 
  U.S. Department of Homeland Security
    Oral Statement...............................................     5
    Written Statement............................................     8
Mr. John Roth, Inspector General, Office of Inspector General, 
  U.S. Department of Homeland Security
    Oral Statement...............................................    17
    Written Statement............................................    19
Ms. Margaret Gilligan, Associate Administrator for Aviation 
  Safety, Federal Aviation Administration, U.S. Department of 
  Transportation
    Oral Statement...............................................    32
    Written Statement............................................    34
Ms. Kathleen M. Carroll, Vice President, Government Affairs, HID 
  Global (On Behalf of the Security Industry Association ``SIA'')
    Oral Statement...............................................    38
    Written Statement............................................    40

                                APPENDIX

TSA's responses to the Committee's Questions for the Record, 
  Submitted by Chairman Mica.....................................    58
TSA Warehouse Information by Quarter FY12, Submitted by Chairman 
  Mica...........................................................    71

 
         SECURING OUR SKIES: OVERSIGHT OF AVIATION CREDENTIALS

                              ----------                              


                      Wednesday, February 3, 2016

                  House of Representatives,
  Subcommittee on Transportation and Public Assets,
              Committee on Oversight and Government Reform,
                                                   Washington, D.C.
    The subcommittee met, pursuant to call, at 1:05 p.m., in 
Room 2154, Rayburn House Office Building, Hon. John L. Mica 
[chairman of the subcommittee] presiding.
    Present: Representatives Mica, Duckworth, and DeSaulnier.
    Mr. Mica. I call this hearing of the Transportation and 
Public Assets Oversight Subcommittee to order, and I welcome 
everyone this morning.
    Without objection, the chair is authorized to declare a 
recess at any time. We do expect some votes pretty quickly into 
the beginning of this session, so we'll try to get our opening 
statements made, and then we will hear from our witnesses. And 
the order will be after we've heard from all the witnesses to 
go back and have questions offered to the witnesses.
    So I'll start with my opening statement. And, again, 
welcome, everyone.
    We have an important responsibility in transportation 
oversight, and that's to make certain that the laws and all of 
the caveats that we set forth for public agencies, particularly 
for security and safety, are complied with by agencies. And the 
purpose of this hearing is 15 years after 9/11 we want to look 
at credentialing, we want to look at vetting of employees, and 
we want to look at what poses the biggest risk as far as 
security to our Nation's aviation system.
    Unfortunately, even 15 years--2001, this is 2016--15 years 
later we still seek a system that has not complied with the 
laws that we have passed multiple times with the requests we've 
had, and we see failures. One of the biggest failures is the 
most recent report that we had. And the DHS, Department of 
Homeland Security inspector general found that 73 individuals 
with links to terrorism passed TSA's vetting process. They were 
not properly vetted.
    These are people that work at our airports. These are 
people that have access to aviation equipment, to airplanes. 
Even TSA employees are not properly vetted.
    And, unfortunately, we've also found through that report 
that tens of thousands of incomplete records are even lacking 
full names. They had 14,000 immigrants listed in the database 
that did not have alien registration numbers, and 75,000 of 
these records lacked passport numbers. Again, this is not 
acceptable.
    When we passed the aviation security bill, and in 
subsequent legislation I tried to get a--we used to have a 
folded piece of paper for an airline pilot license. An airline 
pilot has access to the controls, flying the plane. I can tell 
you today, after numerous enactments of laws and edicts and 
meetings, we still have a pilot's license. And I borrowed this 
one from our ranking member. She's a pilot, Ms. Duckworth.
    We asked that the pilot's license have a photo of the pilot 
on it. The only photo on this license are the Wright brothers, 
Orville and Wilbur. Orville and Wilbur, I blew it up here. 
Okay? It's a joke.
    We asked that this also has some biometric capability. 
Anything in your wallet has a better electronic strip and 
capability than this license.
    Now, you say it's too difficult to do with the pilots that 
we have. This is a Mickey Mouse. This happens to be Minnie 
Mouse pass to Disney World, and I borrowed this. My wife was 
there the other day with her sister visiting. They take your 
thumb print, and they know when you enter, who enters, who 
leaves. This is Minnie Mouse, and this is Mickey Mouse, the FAA 
pilot license.
    So this is what we have, people going into the airports, 
people who, secure areas, either working for TSA or airports, 
not properly vetted, a responsibility of TSA. We have pilots 
who are flying planes, we don't know who they are. You cannot 
tell.
    Again, the frustration level has just peaked with me, 
because time and time again we've gone in, we've passed edicts, 
laws, for compliance.
    Now, this particular Mickey Mouse, Disney World pass has a 
biometric for a thumb, and that we're told by FBI it possibly 
could be compromised. But we have nothing. I've tried to get 
not only a thumb, but also iris, and it took a dozen years to 
get a standard in place. We'll find out where they are. Because 
between iris and thumb, which some European nations, some of 
the defense agencies, some nuclear facilities, some other 
government facilities, both in the United States and outside, 
have the capability to do both, and then we're sure of who is 
entering and who is leaving. But I'm telling you, this is one 
of the most frustrating things that we've seen.
    We've seen examples of employees with accomplices, for 
example, in New York, were able to smuggle more than 150 guns 
on half a dozen flights between Atlanta and New York City.
    Just a few weeks ago, the FAA suspended a program allowing 
safety inspectors to bypass TSA checkpoints after one was 
caught with a firearm in a bag he was carrying.
    So, again, we have examples of the Transportation inspector 
general opened nearly 70 pilot license fraud cases since 2011, 
just the last few years, including a foreign national who 
hacked into FAA's record system, stole the pilot's identity, 
and to illegally obtain a license and crashed an airplane.
    We had recently one of our oversight agencies found 
hundreds and thousands of IDs missing, not accounted for, SIDA 
badges, TSA badges, airport identity badges, badges that some 
of the officers wear, everything you could imagine stolen or 
missing or unaccounted for. None of this is acceptable.
    So we have other examples we can cite where it has been 
done, both the private sector, other government agencies, 
Canada to the north. And, again, I cited Disney World as a good 
example.
    So with that, I will yield to our ranking member, Ms. 
Duckworth, welcome her, and give her back her FAA Mickey Mouse 
pilot license with Orville and Wilbur. And you are much better 
looking than either of those dudes.
    I yield.
    Ms. Duckworth. Thank you, Mr. Chairman. And I'm also much 
more alive as well.
    Mr. Mica. I visited their gravesite, and they are there, 
they're very much dead.
    Ms. Duckworth. Yes. Well, thank you so much for holding 
this hearing, Mr. Chairman. I am somewhat astonished that the 
inspector general for the Department of Transportation could 
not find the time to be here. But we'll deal with that at 
another time.
    Our Nation's 440 airports are complex mazes of public and 
secure spaces. Chicago O'Hare, for example, which served more 
than 34 million passengers in 2014 alone, has 8 active runways, 
189 gates, nearly 23,000 parking spaces, and approximately 
167,000 square feet of concession space.
    In addition to being responsible for screening all 
passengers who come into the airport to board a flight, the TSA 
must oversee the procedures that airports implement to ensure 
that all controlled areas, such as passenger loading areas, 
cargo and baggage handling areas, and perimeter areas, are 
accessed only by authorized personnel.
    The first step in this process is identifying the 
individuals who should have access to secured areas and the 
level of access that they should be given.
    Now, our Nation has different models for issuing access 
credentials in the various transportation modes. In the 
aviation realm, each airport issues its own set of access 
credentials. And before an airport can issue a badge allowing 
access to a controlled area, a person to be credentialed must 
be screened against terrorism databases and pass a check of 
lawful authority to work in the United States conducted by the 
TSA using data collected by each airport.
    They must also complete a criminal history records check. 
This check is then conducted by the FBI using fingerprints and 
data collected by the airports, but the results are adjudicated 
by each individual airport to determine whether an individual 
has a disqualifying conviction. The Department of Homeland 
Security's Office of Inspector General has repeatedly found 
numerous flaws and lapses in the management of this 
complicated, multiagency process.
    In 2011, the IG determined that airports issued badges to 
individuals despite omissions and even inaccuracies in the 
records used to conduct the background checks. In some cases, 
airports even issued badges to individuals who have not 
undergone security threat assessments at all.
    This finding was troubling enough, yet what truly concerns 
me is that just last year, 4 years after that very alarming 
2011 finding, the DHS inspector general found that airports 
continue to lack accurate quality controls necessary to ensure 
criminal background checks are properly adjudicated.
    They found systemic problems with the credentialing process 
also. For example, unlike tourism screenings, which are 
continually updated on a near real-time basis, criminal records 
checks are conducted only once every 2 years. Between checks, 
airports have to rely on the willingness of the credentialed 
person to self-report any disqualifying arrests or convictions. 
This dangerous loophole must be closed.
    Officials have also uncovered airport employees illegally 
using stolen or fraudulent credentials. In 2007, more than 100 
vendor employees at O'Hare were caught using stolen badges to 
access secured areas at the airport. In one instance, an 
uncleared individual rummaged through a box of active security 
badges to select one that looked most like him and matched his 
likeness.
    Other incidents have involved cleared personnel who misused 
the access granted to them. Following a 2014 incident involving 
the smuggling of over 100 guns, some of which were loaded onto 
multiple flights between Atlanta and New York, TSA asked its 
Aviation Security Advisory Committee to recommend ways of 
strengthening the control of employees' access to secured 
airport areas. This committee made 28 recommendations in April. 
Fewer than half of those have been implemented.
    America's airports are vital hubs that support billions of 
dollars in commerce and connect Americans from coast to coast. 
Yet, their importance also makes them high-value targets to our 
enemies that seek to harm Americans, weaken our economy, and 
instill fear throughout the populous. The front gates to our 
Nation's commercial aviation system must be worthy of all they 
defend. We must ensure that anyone passing through the gates, 
including airport employees, do not pose a threat to our 
Nation's security.
    I look forward to hearing from our witnesses today on how 
TSA will strengthen its coordination with airport authorities 
across the country to implement critical security 
recommendations and dramatically enhance how we control access 
to secured areas.
    Congress has an important role to play in this effort, and 
if additional authorities over oversight actions are needed, I 
would like to use this afternoon to examine those potential 
reforms.
    Again, I thank the chairman for this very timely and 
important hearing, and I yield back.
    Mr. Mica. Well, thank you. And the title of this, I guess, 
was originally ``Securing Our Skies: Oversight of Aviation 
Credentials.'' I think a more fitting title, after hearing our 
opening statements, would be ``Aviation Credentials in Chaos.'' 
That might sum it up better. I thank you for your opening 
statement.
    And we will hold the record open, with your agreement, for 
5 legislative days for members who would like to submit a 
written record.
    Mr. Mica. And as I said, we'll probably be in and out 
because of the vote schedule this afternoon.
    I would like to now recognize our panel of witnesses. I'm 
pleased to welcome Darby LaJoye, deputy assistant administrator 
for the Office of Security Operations at the Transportation 
Security Administration within DHS; the Honorable John Roth, 
who is the inspector general for the U.S. Department of 
Homeland Security; Margaret Gilligan, and she is the associate 
administrator for aviation safety at the FAA within the 
Department of Transportation.
    Welcome back.
    Kathleen Carroll, who is vice president of government 
affairs at HID Global, speaking on behalf of the security 
industry.
    So those are our witnesses. Some of you have been here 
before. I know the inspector general has.
    This is an investigation in an oversight subcommittee of 
Congress. We do swear in all of our witnesses. If you'll stand 
now, please, raise your right hand.
    Do you solemnly swear or affirm that the testimony you are 
about to give before this subcommittee of Congress is the whole 
truth and nothing but the truth?
    And all the witnesses, the record will reflect, answered in 
the affirmative.
    Let's go first, from TSA representative, Mr. LaJoye.
    You're welcome and recognized, sir.
    We do give you about 5 minutes. If you have additional 
information you want submitted for the record, just request and 
we'll put it in.
    Thank you.

                       WITNESS STATEMENTS

                   STATEMENT OF DARBY LAJOYE

    Mr. LaJoye. Good afternoon, Chairman Mica, Ranking Member 
Duckworth, and members of the subcommittee. Thank you for the 
opportunity to appear before you today to discuss TSA's role in 
airport access control and aviation worker credentialing.
    TSA ensures airport access control is executed in 
partnership with airports, air carriers, and other Federal 
agencies. Collectively, we employ a risk-based approach that 
includes vetting and credentialing of airport and airline 
employees, development and execution of security plans, TSA 
inspections, assessments, and testing of access control, along 
with random screening of aviation workers.
    TSA requires airport and airline employees to successfully 
complete a security threat assessment prior to receiving an 
access credential to a secure area of an airport. The 
assessment includes a daily check against the Terrorist 
Screening Database, ensuring there are no known ties to 
terrorism when applicants apply for a credential and throughout 
the term of a worker's airport employment.
    TSA also verifies all individuals have lawful presence and 
have not committed a disqualifying offense in the past 10 
years. TSA recognizes the value of conducting frequent criminal 
history record checks and has established a requirement for 
airports or airlines to do so every 2 years for all credential 
holders. Later this month, we will begin to a pilot a new FBI 
automated capability called Rap Back, providing employers with 
current information on criminal activity committed by 
credential holders.
    We recognize the value of automated access to additional 
intelligence-related data to inform TSA's vetting decisions. 
Working closely with DHS and the interagency partners, we've 
recently received approval for automated access to additional 
data addressing a key IG recommendation. We expect to begin 
receiving automated access in the coming weeks.
    While TSA is responsible for conducting vetting of aviation 
workers, airport operators are responsible for issuing and 
managing the credentials that allow an individual access to 
airports' sterile or secure areas. TSA requires airport 
operators to conduct recurring comprehensive audits of all 
airport-issued credentials and to maintain records of those 
audits for 1 year, subject to TSA inspection.
    Individuals who are responsible for reporting lost or 
stolen credentials, and airport ID systems must be capable of 
immediately denying access to any lost or stolen credentials. 
If the percentage of unaccounted-for or lost credentials 
reaches a certain threshold, the airport must reissue all 
credentials in that access category.
    TSA also requires airport operators to control entry to 
nonpublic areas of the airport and provide for detection and 
response to unauthorized presence in these controlled areas and 
to aircraft. To enforce these standards, our inspectors conduct 
assessments and audits and employ a progressive methodology 
that provides for a range of enforcement measures, from helping 
stakeholders with corrective actions to issuing fines.
    We've made progress in addressing the insider threat at 
America'sairports, which were highlighted by the Atlanta gun-
smuggling incident in 2014. In addition to new vetting and 
regulatory measures, TSA and airport authority resources are 
deployed on a random basis to screen airport and airline 
workers throughout the day. In 2015, we increased the number of 
employee screenings from 2 million to nearly 13 million, and 90 
percent of airports have reduced access points, resulting in 
nearly 500 fewer nationwide.
    Finally, under the leadership of Administrator Neffenger, 
TSA has renewed its commitment to security effectiveness. In 
late May, after reviewing the DHS IG's covert testing results, 
TSA began implementing a range of measures to address the 
shortfalls noted. We have refocused on our primary security 
mission, retrained our entire workforce, improved processes and 
procedures, enhanced our technology, implemented new measures 
of effectiveness, and analyzed systemic issues. Notably, we 
have begun to employ a doctrinal approach to counterterrorism 
leading to screening improvements across the agency.
    In January, we began to send all new hire officers to basic 
training at the TSA Academy at the Federal Law Enforcement 
Training Center. This will drive consistency, professionalism, 
dedication, and connectedness to a common agency culture. Also, 
thanks to the help of Congress, we halted FY '16 staff 
reductions, providing appropriate officers to pursue screening 
effectiveness.
    The administrative intent is to place mission first, invest 
deliberately in a well-trained and disciplined workforce, and 
deliver mission excellence. We are confident that the agency is 
better positioned today to deter, detect, and disrupt threats 
against our aviation system, and we will continue to pursue a 
range of improvements to protect the traveling public.
    I am proud to represent TSA's hard-working nationwide team 
of officers, inspectors, explosive specialists, air marshals, 
and a dedicated network of professional staff who support them.
    I look forward to answering your questions.
    [Prepared statement of Mr. LaJoye follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Mica. Thank you so much.
    We'll go now to the inspector general, Mr. Roth.
    You're welcome and recognized.

                     STATEMENT OF JOHN ROTH

    Mr. Roth. Chairman Mica, Ranking Member Duckworth, and 
members of the subcommittee, thank you for inviting me here 
this afternoon to testify.
    Since 2004, we have published more than 120 audit and 
inspection reports about TSA's programs and operations. Our 
work includes evaluations of passenger and baggage screening, 
TSA PreCheck, acquisitions, equipment deployment, and 
maintenance. We have also used covert testing to determine 
whether unauthorized and potentially dangerous individuals and 
items could gain access to secure airport areas.
    The audit I am discussing this afternoon looked at how well 
TSA vets airport workers who have unrestricted access to secure 
areas of the airport. While we found that TSA's efforts to 
screen against the terrorist watch list were generally 
effective, we found that TSA did not have access to the 
complete terror watch list, known as the TIDE database. As a 
result, we identified 73 airport workers contained within that 
database who had been cleared to work in sensitive areas.
    TSA officials recognize that not receiving the full 
database represents a weakness in its program and informed us 
that TSA could not guarantee that it can consistently identify 
all questionable individuals without receiving these 
categories. Fortunately, at the request of DHS, the National 
Counterterrorism Center, working as part of the interagency 
process, has changed their policy as a result of this audit, 
and TSA now or will soon have access to this information.
    TSA is considerably challenged, however, when it comes to 
verifying workers' criminal histories and immigration status. 
First, TSA does not currently vet airport workers' criminal 
histories after they are initially cleared to work, but rely on 
individuals to self-report disqualifying crimes. As a result, 
individuals could lose their job if they report these crimes, 
so they have little incentive to do so.
    Under the law, the 450 commercial airports maintain the 
ultimate authority to review and determine whether an 
individual's criminal history contains disqualifying crimes 
under Federal law. TSA officials informed us that airport 
officials rarely or almost never document the results of their 
reviews electronically. Thus, TSA cannot systematically 
determine whether individuals have been convicted of 
disqualifying crimes.
    Instead, TSA performs annual manual inspections of 
commercial airport security operations, including the review of 
documents that aviation workers have submitted when applying 
for credentials. However, due to the large workload involved, 
particularly at larger airports, this inspection process looked 
at as few as 1 percent of all aviation workers' applications.
    We also found weaknesses in the verification process for an 
individual's authorization to work in the United States. 
Airport operators are required to ensure that aviation workers 
are authorized to work in the United States before they send 
their information to TSA for review. However, our review of TSA 
data showed that TSA has denied credentials to over 4,800 
people because they could not show their lawful status to work. 
This occurred even after or even despite the fact that these 
individuals had been previously cleared by the airports as 
being authorized to work in the United States.
    Lastly, the records TSA uses for vetting individuals is not 
reliable, as it contains incomplete or inaccurate data. For 
example, we found that there were 87,000 active aviation 
workers who did not have Social Security numbers listed, even 
though Social Security numbers are the best way to match 
individuals to existing records.
    An additional 75,000 records listed individuals with active 
aviation worker credentials as citizens of non-U.S. countries, 
but did not include passport numbers. Of those records, over 
14,000 individuals also did not list alien registration 
numbers.
    TSA did not have appropriate checks in place to reject such 
records from vetting. Without complete and accurate 
information, TSA risked credentialing and providing unescorted 
access to secure airport areas for a worker who could 
potentially harm the Nation's air transportation system.
    We made six recommendations in our report. TSA has agreed 
with all of our recommendations and has provided target 
completion dates for corrective action. We are satisfied with 
TSA's corrective actions to date, but we will continue to 
follow up on implementation of these actions.
    Mr. Chairman, thanks again for inviting me here to testify. 
I look forward to discussing your work with you and other 
members of the subcommittee.
    [Prepared statement of Mr. Roth follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Mica. Thank you.
    We will recognize FAA representative Margaret Gilligan.
    Welcome back, and you're recognized.

                 STATEMENT OF MARGARET GILLIGAN

    Ms. Gilligan. Thank you, Chairman Mica. Thank you, Ranking 
Member Duckworth and members of the subcommittee. I welcome 
this opportunity to appear before you today on the issue of 
oversight of aviation credentials. I know this is an issue of 
significant interest to Chairman Mica because we have appeared 
on this issue under your leadership before, sir.
    The mission of the FAA is ensuring the highest levels of 
safety for the millions of passengers flying every day. The 
agency is charged with the oversight of airlines and aircraft 
manufacturers, the safety of our Nation's airports, and 
training our air traffic controllers. Taken together, we 
operate the safest and most efficient airspace system in the 
world.
    The FAA issues 23 different types of airman certificates, 
including those to pilots, mechanics, dispatchers, flight 
attendants, and air traffic controllers. There are more than 
800,000 active pilot certificate holders alone.
    A pilot certificate is a credential attesting to the 
training and competence of the pilot. It is the same as a 
lawyer who must have evidence of admission to the bar or a 
doctor who is board certified in a specialty.
    In all these cases, the credential is not used as 
identification media, and it does not impart security access to 
courtrooms, to operating rooms, or to airports. A pilot never 
uses his or her pilot certificate to gain access to airport 
areas. Instead, he or she uses the security credential issued 
by the airport, as required by TSA.
    Since 2002, FAA has taken actions to enhance the security 
of pilot certificates. We require pilots to carry a valid 
government-issued photo ID in addition to a pilot certificate 
whenever they're flying. This allows an FAA inspector or others 
to confirm both the pilot's identity and his or her pilot 
qualification.
    The FAA phased out paper certificates and incorporated 
tamper- and counterfeit-resistant features, including 
microprinting, a hologram, and a UV-sensitive layer. In 2010, 
FAA issued a notice of proposed rulemaking to require a photo 
on pilot certificates and to improve the process for getting a 
student pilot certificate.
    While we were preparing that final rule, the FAA 
Modernization and Reform Act required that the pilot 
certificate accommodate fingerprints, iris, and comply with 
specific security standards. Unfortunately, our 2010 proposal 
did not include those security requirements, and to allow the 
pilot community as well as the general public to comment on the 
full statutory mandate, we needed to draft a new proposal.
    However, at the same time, the security and intelligence 
communities determined that allowing student pilots to operate 
an aircraft as pilot in command prior to being vetted was an 
unacceptable security risk. The administration committed to 
closing that security gap, and last month, FAA published a 
final rule requiring student pilots to appear before an FAA 
inspector or other authorized designee to verify the student's 
identity. The student pilot certificate will be issued once TSA 
completes its vetting.
    We recognize that the 2012 legislation included specific 
direction on airman certificates, and we regret that we are not 
further along in the process of implementing those provisions. 
But as our 2013 report to Congress outlined, there are major 
challenges to implementing the congressional direction. While 
the National Institute for Standards and Technology has issued 
standards for the collection of iris images, there are no 
approved GSA products--there are no GSA-approved products for 
the collection or use of iris biometrics.
    Before we require collection of biometrics, we need to 
understand where and how they would be used. There are no 
requirements that airports use iris or other biometric 
information for authorizing access at airports. So neither FAA 
nor TSA have estimated the costs to develop and install such an 
infrastructure at nearly 550 airports eligible for Federal 
grant funds or the more than 5,000 airports that are open to 
the public. As part of our rule to require biometrics, we will 
have to estimate what the costs of that infrastructure system 
will be to the airports and to the taxpayer.
    In our report to Congress and in the preliminary work we 
have done on the rule, we estimated that the new certificates 
will cost more than a billion dollars over 12 years. As both 
Congress and the administration are committed to minimizing the 
costs to the public of Federal actions, that cost estimate 
alone may be our biggest challenge. The reality is that to 
include biometric information on pilot certificates drives 
costs and may not be the most effective way to meet our 
security objectives.
    FAA has worked with TSA to develop options to accomplish 
the congressional direction. We will work to publish a 
proposal, although demonstrating benefits to justify a billion 
or more dollars in costs will be very difficult, and we will 
keep Congress informed on our progress.
    That concludes my remarks, sir, and I'll be happy to answer 
any questions.
    [Prepared statement of Ms. Gilligan follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Mica. Thank you. And we'll hold the questions.
    Let's get to Ms. Carroll, who's vice president of HID 
Global.
    Welcome, and you're recognized.

                STATEMENT OF KATHLEEN M. CARROLL

    Ms. Carroll. Good afternoon, Chairman Mica and Ranking 
Member Duckworth. Thank you for the opportunity to appear 
before you today to discuss how private industry can contribute 
to and support all stakeholders in securing our Nation's 
airports.
    I am testifying on behalf of the Security Industry 
Association, a nonprofit international trade association 
representing more than 600 companies. I am the chair of SIA's 
Government Relations Committee, and I also chair the Privacy 
and Public Policy Working Group at the IBIA.
    We believe that to confront the ever-evolving threats to 
aviation security, all stakeholders should be working more 
closely with private industry. We recognize that TSA has been 
working diligently toward solutions that further enhance 
security in the Nation's airports. To that end, TSA requested 
that the Aviation Security Advisory Council analyze the 
adequacy of existing security measures and recommend additional 
measures to improve employee access controls.
    One of those recommendations included biometric 
confirmation of identity for badge issuance. Biometrics are 
already in use at several airports across the Nation, including 
BWI and San Francisco. These biometric deployments enhance 
security by tying the badge to the holder of the badge. 
Biometric technology has improved substantially in recent 
years, and industry continues to invest in further 
advancements.
    There are several key measures to help ensure optimum 
performance of a biometric system that should be included in 
any standard that TSA establishes. One is false acceptance 
rates, which sets the level of security. Another is the false 
rejection rate, which delivers a good customer experience. You 
can't have one without the other.
    Another key measure is liveness detection, which eliminates 
spoofing. For example, liveness detections would solve the 
worry around the biometrics that were stolen during the OPM 
breach. Biometric information is worthless if it isn't usable. 
With liveness detection, the only way it is usable is if the 
living human being presents their biometrics.
    Beyond biometrics, the security industry suggests that 
airport worker credentials follow a federated model. Many 
airport employees work at multiple airports and often need to 
go through the vetting process and carry a badge for each 
airport.
    In a federated model, such as the U.S. Government's 
Personal Identity Verification program, each Federal employee 
is vetted to an acceptable and known process across all Federal 
agencies. PIV credentials use the Public Key Infrastructure as 
one of several security features so that the credential can be 
trusted for access to all government buildings and computer 
networks. PKI also allows for instant revocation of a 
credential across all these systems from a central location.
    A federated credential system would significantly enhance 
airport security, be more convenient for airport employees, and 
reduce the costs of having to issue multiple credentials.
    As the ASAC and TSA have recognized, the best security 
relies on a risk-based approach, and one that is layered so 
that a breach in any one layer does not compromise security. 
The use of CCTV cameras, physical access control systems, and 
physical barriers are just some of the layers in use at 
airports today.
    The ASAC report also recommends an audit process that 
reconciles a badge holder's work schedule with the access 
control system to identify anomalies or irregularities, such as 
an employee using his or her badge at the airport outside their 
normal work hours. Unfortunately, this looks into the past and 
will not detect such anomalies in real time when a security 
breach might be occurring.
    The security industry has developed identity management 
systems that serve as systems of record for every airport 
worker and will detect anomalies or deviations from normal work 
patterns in real time. These systems will alert airport 
security if anomalies deviations occur so they can be 
investigated immediately if necessary.
    Equally important, such identity management systems, which 
are being used by several major airports throughout the 
country, are structured so that they enforce all TSA guidelines 
for badging and meet airport security policy as determined by 
each airport. These same systems can conduct audits recommended 
by the ASAC to ensure that an authorized signatory is in 
compliance with badging requirements.
    In the future, as TSA explores the use of social media to 
track and assess emerging threats that may pose a risk to 
aviation, identity management systems could prove to be a 
valuable tool in automating this vital undertaking.
    It's important to remember that the credential is just one 
piece of the security solution. The infrastructure must be in 
place to authenticate and authorize badge holders in an always-
connected environment.
    I want to thank the committee again for including the 
security industry in this important discussion. We welcome the 
opportunity to contribute to improve the aviation and airport 
security nationwide. I look forward to your questions.
    [Prepared statement of Ms. Carroll follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Mica. Well, thank you. We now have 9 minutes left in 
this vote. I have to depart. And we will not be convened before 
2 o'clock, and probably sometime between 2 and 2:10 we will 
reconvene. So you are free to disappear until then. But we will 
proceed with questions at that time.
    The subcommittee stands in recess.
    [Recess.]
    Mr. Mica. We will call the subcommittee back to order, and 
thank you for your patience while we conducted our votes. We 
have heard from all four witnesses, and now we'll proceed with 
some questions.
    Well, let's see, Ms. Gilligan, you have been here before. 
As you cited today, you said you made apologies for not having 
some of this done and trying to get things done. April 14, 
2011, you testified before us, Congress, the Transportation 
Committee. I know FAA has not acted on these directions as 
quickly or as comprehensively as this committee intended. So 
was yesterday Groundhog Day?
    Ms. Duckworth. Yes.
    Mr. Mica. We keep hearing the same thing over and over. Did 
you want to respond?
    Ms. Gilligan. Well, Mr. Mica, as I noted in my testimony 
this morning, we do understand that you are very frustrated 
with this. Having said that, as I also testified, there are 
tremendous challenges in moving this forward, not the least of 
which is the amount of costs that it's likely to drive. And 
that's why we are going to try to work with TSA, and quite 
honestly now, with Ms. Carroll's organization.
    Mr. Mica. With Ms. Carroll's organization? Ms. Carroll, 
don't you have examples where this can be done fairly cost-
effectively? Most of these pilots' licenses only cost--the cost 
is minimal. I know Disney can't be paying a fortune for their 
card.
    Ms. Carroll. Well, it depends. I mean----
    Mr. Mica. How much would a card be?
    Ms. Carroll. A card?
    Mr. Mica. A range. A range.
    Ms. Carroll. Okay. Depending on what kind of electronics 
are in there, what kind of security features, $2.50.
    Mr. Mica. Well, again, I want to know who has the card and 
who is getting access. We don't know that now.
    Ms. Carroll. Who get--that gives----
    Mr. Mica. Who is in possession of the card and who is 
gaining the access? Are we identifying who the person is? And 
do we have that information embedded in the card?
    Ms. Carroll. For certain programs, yes, sir, we do.
    Mr. Mica. They already have that. You already produce some 
of that, don't you?
    Ms. Carroll. We do. We make the U.S. green card, sir.
    Mr. Mica. Does that have a fingerprint?
    Ms. Carroll. It does not have the fingerprint.
    Mr. Mica. It doesn't? Well, it sure as hell should. That's 
another waste of money.
    We sat with these people after 9/11, State Department and 
others. They are all producing garbage IDs. I mean, I am going 
to put Ms. Duckworth on staff. She has a 1904 pilot's license, 
1904 pilot's license she pulled up. It has a picture, it has 
the name, it has the signature. It has a physical description. 
Now here it's not embedded. And then it has the fingerprints. 
1904.
    Here is Amelia Earhart's picture, all identifying 
information. I'm pretty sure the other side is fingerprints. 
And here we are in 2016, 15 years after 9/11, we don't know 
who's going in and who's coming out. There is no way to ensure 
it.
    The TWIC card, we should do another hearing on that, 
Transportation Worker Identification. They spent half a 
billion, $500 million total? It's just incredible. Now they 
have to come with a driver's license. They have a card, but it 
doesn't have a reader. We still don't have a reader, do we, at 
the ports, to read them? Does anyone know? DHS know?
    Mr. LaJoye. Not as of yet.
    Mr. Mica. Not as of yet. See? Fifteen years. And Mickey 
Mouse, or at least I called the FAA card Mickey Mouse, but the 
Minnie Mouse one, we know who it is.
    You spoke a little bit about identity management systems, 
okay, but they're in very few airports or many airports? What's 
the status?
    Ms. Carroll. There are 21 airports. Boston Logan----
    Mr. Mica. Out of 450.
    Ms. Carroll. Yeah, 21 out of 450, right.
    Mr. Mica. Are they all the largest category, in the largest 
category?
    Ms. Carroll. DFW, Sea-Tac.
    Mr. Mica. Pretty much----
    Ms. Carroll. Yeah, pretty much the bigger ones, yes, sir.
    Mr. Mica. But they're not everywhere?
    Ms. Carroll. No, sir.
    Mr. Mica. That's troubling, even when you have the systems. 
And that's interesting that the systems also can identify 
erratic----
    Ms. Carroll. Yes, sir. It can detect anomalies in patterns 
of access and where people go, and it automatically alerts 
security if there is an anomaly. So, for example----
    Mr. Mica. But there's no requirement, and they have 
voluntarily put them in place.
    Ms. Carroll. Yes, sir.
    Mr. Mica. But, again, we have seen that these folks target 
our soft areas. So you have 21, so we have another 430 
locations that you can--you don't have that in place.
    Iris. Where are we on iris, Ms. Gilligan?
    Ms. Gilligan. Well, sir, I think as you know, the National 
Institute for Standards and Technology did issue a standard for 
the collection of iris.
    Mr. Mica. Right. But you said there was no GSA----
    Ms. Gilligan. Right, at this point. One of the requirements 
in the statute was that the system be linked to PIV 
requirements, and GSA has apparently----
    Mr. Mica. Information, what is PIV requirements?
    Ms. Gilligan. Ms. Carroll used it earlier, sir. I don't 
know what it stands for.
    Ms. Carroll. So I'm not a real technology expert, I'm more 
of a policy person, but the PIV card is the credential that 
follows the standard developed by NIST. It's a FIPS 201 
standard. And so it was developed for all Federal employees so 
that they had---
    Mr. Mica. Right. So that's the standard.
    Ms. Carroll. That's the standard, right.
    Mr. Mica. But we have--we don't have that in place.
    Ms. Gilligan. There are no systems--to your earlier point--
there are not yet any approved vendors of systems to be able to 
read and take advantage of the iris biometric.
    Mr. Mica. But you developed--I didn't mean to interrupt, 
but I do. Actually, I'm from New York originally. This is 
interesting, guys, listen. I read these old books--I collect 
old books--usually before 1800, printed in America. And they 
are little capsules of time and space. Somebody wrote them on 
what they observed at that time and space. This doesn't count 
against my time. Turn it off.
    So I am reading this book, and this is back in the 1790s, 
and it's a guy that came from England, and he wrote his 
memoirs. He says: I am in New York now visiting. He said people 
in New York have a habit of interrupting people when they're 
talking. And that's over 200 years ago. I do the same thing. 
It's just--I think it's in the DNA or maybe the water system.
    I'll give you one more quick one, and this is an aside 
since it's a small group. I got another book, a guy visited 
here 1828. Listen to this. He came to the House of 
Representatives. He's from England. He says, I have come to the 
Chamber of the House of Representatives, and he says, it's a 
strange body that meets there. He says, the Members stand up, 
he says, there's no one in the room, he says, and they give a 
speech, and the stenographer takes it down. Obviously, for the 
consumption of their constituents back home. This is before C-
SPAN. This is 1828.
    Then his other observation, in 1828, he says, I am here in 
the United States visiting, and he says, 1828 is an election, 
they elect the chief magistrate of the United States. They used 
to call them that. He says, and in this year everything circles 
around who shall be the next chief elected executive of the 
United States and nothing else gets done. Do things change 
much?
    That was a terrible aside, but I thought I could share that 
with you all. There are some prerogatives as chairman.
    But, again, not much has changed on this. I don't know what 
to do. It's troubling too to hear--you talked about TSA setting 
standards for IDs. Who talked about that? Carroll? Ms. Carroll?
    Ms. Carroll. Yes, sir, the ASAC recommended that the----
    Mr. Mica. But they haven't.
    Ms. Carroll. Well, the recommendation just came out.
    Mr. Mica. But they haven't.
    Ms. Carroll. Set standards, no.
    Mr. Mica. How about that? Let's do a letter too, as a 
result of the hearing, staff, I won't dictate it now, we would 
like you to set standards for this credentialing. But that's 
not done yet. It just came out.
    Ms. Carroll. Yeah. I mean the recommendation to set the 
standards. But I mean, you know, the FIPS 201 standards, and 
NIST has done significant work on setting standards for 
biometrics as well.
    Mr. Mica. But it's all out there, but they have to adopt 
it. And then what was troubling is no full use of all the 
databases. And I think that's being corrected now. Is that 
right, LaJoye?
    Mr. LaJoye. Yes, sir, it is.
    Mr. Mica. And I don't like to ask this, but you started 
giving us some numbers, like there is 70--well, there's 87,000 
with no Social Security number in the base?
    Mr. Roth. That's correct. Of the 900,000 names that we 
pulled, there are about 87,000, or about 10 percent, had no 
Social Security number in the database.
    Mr. Mica. And then 75,000, what was that figure?
    Mr. Roth. The 75,000, if I recall, was no passport number. 
And then a subset of that had no alien identification number.
    Mr. Mica. So they could technically have people who are 
aliens working, without us knowing about it, at the airports?
    Mr. Roth. Yeah. The issue we had with TSA's data set was 
that there wasn't an ability, any assurance that the data could 
be used. So when you run it against the terrorist database or 
you run it----
    Mr. Mica. And the 73 that you found, were they airport 
workers, TSA workers, combination of the above, or people who 
just got into secure areas?
    Mr. Roth. They would be airport workers that held a secure 
identification badge, in other words to be able to go into the 
secure areas of the airport next to the aircraft, checked 
baggage, that kind of thing.
    Mr. Mica. I don't know why TSA can't contract--it's not 
that expensive--with someone who can do sort of a nonstop 
criminal check. Do you know any reason? We can talk to the 
administrator about that. That's a big gap too. And the self-
reporting, as the IG pointed out, doesn't cut it, the last 
thing they want to do.
    Do you think that's possible, Mr. LaJoye? I know you don't 
set policy, but----
    Mr. LaJoye. Well, Mr. Chairman, one of the things that 
we've recognized, along with the ASAC, is we are piloting the 
Rap Back program with the FBI that would allow us to get 
recurrent vetting with criminal records history checks similar 
to what we do with TSDB today. So that pilot is going to start 
in March, and we are hopeful that we can roll it out before the 
end of the year.
    Mr. Mica. A couple of other quick ones before I yield.
    The employee assessment is only done every 2 years. Is that 
correct? Or is that just for employment and then----
    Mr. LaJoye. Again, that's an interim measure we put in 
place, you know, until we have----
    Mr. Mica. But you've been hiring people without that 
employee and putting them to work without that assessment 
completed. Is that not correct?
    Mr. LaJoye. Well, again, we put out, it was a few months 
ago, the requirement. We knew we wanted to work with the ASAC 
to get to the FBI Rap Back. But in the meantime, knowing it 
would take some amount of time, months, better part of a year 
to get that across the airports, we did require that they go 
out and conduct criminal history records checks at the renewal 
point or every 2 years thereafter.
    Mr. Mica. One of my sheriffs called me and said he had 
fired a couple of deputies for really serious offenses and 
misconduct. He said the next thing you know they were over in 
Daytona Beach as TSA screeners. He asked me what's going on and 
I couldn't tell him. But they, as we've checked, they hadn't 
been cleared, hadn't been properly vetted, but they could get a 
job.
    How quickly, Ms. Gilligan, how quickly does FAA revoke a 
license after disqualifying information is received?
    Ms. Gilligan. We issue the revocation based on a request by 
TSA that they have made a determination that someone holds a 
pilot certificate and is a risk to national security. So as 
soon as we receive the notification the process--the action is 
taken by our counsel's office.
    Mr. Mica. But they could still use that ID with another 
form of ID and you'd never know who that person was.
    Ms. Gilligan. No. When the pilot certificate is revoked, 
they are required to turn it in. And if they don't, we pursue 
that, so that we do--retrieve the pilot certificate when it's 
been revoked.
    Mr. Mica. I want to give everyone a chance. Ms. Duckworth, 
we will go to you. I have more questions, unfortunately. Go 
ahead, Ms. Duckworth.
    Ms. Duckworth. I just want to follow up on that Ms. 
Gilligan. When you said the pilot certificate is revoked you 
retrieved it. What about when it's changed or they get a new 
certification?
    Ms. Gilligan. I'm sorry, I was responding specifically to 
Mr. Mica's question. We have a process where TSA notifies us if 
they have determined, after someone has gotten a pilot 
certificate, that they now pose a risk to national security, 
and based on that notification we revoke that certificate.
    Separately, any time a pilot gets a new rating or raises to 
a new level, they must present themselves to an inspector or to 
another designated--usually a flight instructor or other 
designated representative, have their photo ID. Our folks will 
then confirm that they demonstrate that they have met the 
requirements to become a commercial pilot, for example, or that 
they have passed their type rating in a 737, whatever it may 
be. And that information is transmitted then to the registry 
and the new certificate is issued.
    Ms. Duckworth. Right. But you don't take--you don't recover 
their old certificate with the old information.
    Ms. Gilligan. I don't--apologize, ma'am, I actually don't 
know the answer to that. I thought they turn--I thought they 
give their old certificate when they get their new one.
    Ms. Duckworth. I have both my old one and my new one.
    Ms. Gilligan. Okay. Then you're right.
    Ms. Duckworth. So something to take a look at.
    So I'd like to take a look at the credentialing process and 
effectiveness and security lapses. My whole point today is just 
to make sure you guys get the resources and the support you 
need to do what you need to do to keep our people safe. And if 
there is something that we find out today where you need 
congressional help, legislative help, you need appropriations, 
you need something, let us know. That's really what I am 
interested in, to make sure you get the resources to do what 
you need to do.
    And so, Mr. Roth, there are many issues to be discussed 
today, but the central one is this. In 2011, that inspector 
general's report concluded that individuals who pose a threat 
may obtain airport badges and gain access to secured areas. Do 
you believe that individuals who pose a threat may still be 
able to obtain airport badges and gain access to secured areas 
today?
    Mr. Roth. Yes, I do, for a number of reasons. One is, as I 
highlight in my testimony, the TSA, as a regulator who has to 
regulate the 450 airports who make the determination with 
regard to criminal history, for example, can only do a fraction 
of the regulation that they probably need to do to check on how 
well the airports are adjudicating some of the criminal 
history. That would be one thing.
    The second is that TSA's database is very, very filled with 
errors, and it is going to be difficult to do any kind of 
matching between TSA's database and, for example, the criminal 
history databases or even the terrorist watch list databases.
    And third, the way the legislation works, it's really a 
box-checking exercise. You've either been convicted or not 
convicted of certain offenses. If you have not been convicted 
of those offenses, you are free to get--and you have you the 
ability to work in the United States--you have unrestricted 
access to the most secure areas within the airport. It's 
functionally the same level of security clearance that an 
individual with PreCheck would have. It isn't a holistic: We 
will look at this person and determine whether or not he is a 
threat to aviation security. Rather, if he is convicted of a 
certain level of crimes, he doesn't get it. Or if he is 
convicted, he doesn't get it. If he isn't convicted, then he 
gets it, regardless of what could be in his background.
    Ms. Duckworth. So what do you think are the most important 
outstanding recommendations that your office has made to TSA 
that have yet to be implemented?
    Mr. Roth. We are in the process of--we made six 
recommendations. Two of those have been closed, one of which 
was the most serious one, in our view, which was the lack of 
TSA having all the information in the TIDE database. So that's 
been worked out. There are a number of ones in which they are 
working towards getting a solution towards it. So we are 
satisfied that they are making progress in the right direction.
    The difficulty, as I see it, is that TSA is working in a 
system where airports have certain authority and TSA has 
certain authority, and any time you have a split in authority 
like that, it's going to be very difficult to ensure that 
things don't fall through the cracks.
    Ms. Duckworth. Mr. LaJoye, do you have any comments on 
that? Or what do you need to help you to be able to meet all 
six of those recommendations?
    Mr. LaJoye. Well, I think at this point, Ranking Member, to 
the IG's point, it's just a matter of putting some technical 
fixes in place with data quality, is how I would characterize 
it. This is an intensely manual process, as you can imagine. 
And so errors in data, you know, inhibits our ability at times 
to effectively vet. And so to the extent to which we can, you 
know, incorporate some logic into a system to cut down on data 
entries, we have gone out and we have changed our national 
inspection manual for all of our inspectors. When they go to a 
badging office, look at the original documents.
    So there is a number of things we are putting in place. But 
with respect to the IG's open comments, I think at this point 
it's just a matter of putting the technical fixes in place.
    Ms. Duckworth. And do you have a plan for those technical 
fixes? Do you have the support you need to put those technical 
fixes into place? And what is that timeline? Are you saying 
that--you know, the IG is saying you are on your way to meeting 
those, but on your way could be 6 months or it could be 6 
years.
    Mr. LaJoye. I think we're acting deliberately, sensitive to 
the fact that there is the cyber issues, you know, we have to--
with respect to privacy. And so I couldn't characterize it as 
years. I'd characterize it more as months. And, again, getting 
back to our office I could get you specific timelines on some 
of them, but I can assure you there is a deliberate plan to 
close these in short order.
    Ms. Duckworth. I would love to see, and if it's all right 
with the chairman, a report back as to the timeline as to when 
they will be closing all six of the recommendations from the 
IG.
    Mr. Mica. Okay. And we can ask the staff to follow up with 
questions. There will be questions submitted. And if we can get 
a response for the record.
    Mr. LaJoye. Absolutely.
    Mr. Mica. Without objection, we will do that.
    Ms. Duckworth. Thank you, Mr. Chairman. I yield back.
    Mr. Mica. Okay. Well, a couple more questions here. There 
is obviously a huge number of lost or stolen credentials. You 
found a lot of that, Mr. Roth?
    Mr. Roth. In our earlier audit we did find a number of 
essentially lost credentials. We are currently doing an audit 
of the SIDA badge process to see whether or not that has 
improved. Hopefully, we will have that audit out later this 
year.
    Mr. Mica. And even if you had the pilot's license, which 
has no photo on it, has no biometric way to tell that that's 
the individual, and another form of ID, which might not have 
any form of biometric, we still don't know who's entering. Is 
that correct?
    Mr. Roth. My understanding is that the way the SIDA badge 
works in a large majority of the circumstances----
    Mr. Mica. Right now I'm talking about the pilot's license.
    Mr. Roth. That I cannot comment on.
    Mr. Mica. It's a fact, Ms. Gilligan. We don't know, we have 
no way of knowing because we still have this, as I've termed 
it, Mickey Mouse pilot's license. We have no biometric. We 
don't know who those people are. And then if it's a stolen or 
lost one--we had a hearing some years ago on credentials. I 
never realized how you can duplicate credentials. And college 
kid and students are incredible at reproducing these IDs. But 
we really don't know who that individual is unless there is a 
biometric.
    Ms. Gilligan. But at this point the pilot certificate is 
not used to gain access in any situation.
    Mr. Mica. I know. It can't be. They can use a driver's 
license. But the whole purpose was for us to know who is in 
control of the aircraft, who the pilot is. We have had at least 
one instance, we saw the European, sometimes some things happen 
with people who have taken control of aircraft or gained access 
with false credentials.
    Do we know with--the other thing is vetting people. I think 
you can screen them through metal detectors, but you need to be 
reviewing these individuals that are working behind a secure 
area--or in secure areas. And we don't do a very good job of 
that.
    TSA has failed in vetting some of those folks, right, Mr. 
Roth?
    Mr. Roth. That's correct. To be more accurate, it's the 
airport.
    Mr. Mica. What worries me after this hearing is you have 
just said we have got thousands of people working there. We 
don't even know--well, 10 percent of them we don't have Social 
Security numbers of. Then we have 75,000 that you mentioned, 
14,000 no passports. They could be aliens.
    One of my concerns is--I've seen some of the big airports 
on the East Coast, Chicago, they do employ a lot of folks from 
different nationalities, no offense, and they should be able to 
work. But there are people we don't know about as far as their 
background, and then we're not vetting them.
    We don't know about Egypt, what took place there yet, do 
we, Mr. LaJoye, with that? They thought that the plane that was 
taken down supposedly by ISIS was an inside airport job. Do we 
know that?
    Mr. LaJoye. Well, I think that's probably worth a closed 
session discussing any particulars we have on that, but I am 
not prepared to comment beyond that, Mr. Chairman.
    Mr. Mica. But a lot of things indicated it was an inside 
job.
    And the other thing too is everything we have done with TSA 
is always a reaction; 9/11. We finally put in some standards. 
You know, everybody says private screening failed. It wasn't 
private screening that failed, it was the Federal Government 
that didn't put any standards in for the screeners. And part of 
that they got--the government got lobbied, don't put anything 
that would cost the airlines another penny. So it was the 
failure--it was the failure of the government to put in 
policies for what could not be brought onboard. There was no 
Federal prohibition to box cutters.
    I remember when we looked at it after 9/11, the direction 
to pilots, and we actually read from the manual for dealing 
with hijacking, was to land the plane in Havana and contact the 
Swiss consul there. That was the instructions, to cooperate, 
basically, with the hijackers and then land the plane there. 
That was the government's instructions to the pilot.
    So the government failed. And the government to me is 
failing to take steps. Everything we've done, the metal 
detectors, the shoe bomb, they saw a flaw in those. So what did 
we do? Of course I remember going to Italy, where they made 
most of the--we brought--we actually brought the metal defector 
capability down lower to the floor. But today most people 
take--have to take off their shoes unless you've got PreCheck 
or some situation. That's a result of Richard Reid and his--
going after the diaper bomber explosives. Now we have the body 
scanners. It's always a reaction.
    And here, again, I think they can easily determine what our 
most vulnerable points are. Liquid bombing, a vulnerable point, 
now we all have to take our liquids out. So it's always after 
the fact.
    Is there any progress you can report, speaking of liquid 
bombs? There is equipment that we went to purchase, and that 
sat around for a while, that could detect liquids that posed a 
risk, and that equipment was dumbed down or not used. Is there 
any current effort to buy that equipment or deploy that 
equipment, Mr. LaJoye?
    Mr. LaJoye. Well, again, there is various pieces of 
technology with respect to liquids. Some of it we do employ, 
some of it we have not yet deployed. We could perhaps give you 
a full briefing on the various different pieces of technology 
that are available.
    Mr. Mica. I can tell the committee and staff. We looked at 
it, we had a whistleblower, equipment was sold to them, had 
that capability. They neither could train their people or 
operate it. So basically they disarm ability of the equipment 
to detect that. So we still--we can't bring things on to this 
day. But that equipment is available.
    Let me look here. Renewal and lost. Okay. I heard that you 
can--can you renew your--I am going to say license, you keep 
saying certificate--but can you renew that license by either 
electronic request or by phone?
    Ms. Gilligan. The pilot certificate is not renewed. It 
doesn't need to be renewed. But as Member Duckworth mentioned, 
most pilots add additional capabilities to their certificate 
over time. Any time you----
    Mr. Mica. So it's just permanent? It's never--okay. Go 
ahead.
    Ms. Gilligan. Well, any time you are getting----
    Mr. Mica. So embedded in it would be only the information 
about additional capability of flying, say, certain aircraft 
or, like, civil versus commercial----
    Ms. Gilligan. Right.
    Mr. Mica. --versus cargo or whatever, or big planes, small 
planes.
    Ms. Gilligan. That's right. Every time someone adds a 
capability to their credential----
    Mr. Mica. That's interesting, because provided by Ms. 
Duckworth, again, incredible research--in fact, maybe we could 
divide some of the staff money to add it on to your pay for the 
work you've done on this one. But this even has license 
renewals here----
    Ms. Gilligan. That would likely have been the medical. So 
pilots do renew their medical certificate.
    Mr. Mica. Inspector's endorsement. That's what it says. And 
the renewal. We don't have that--there is no renewal.
    Ms. Gilligan. We don't require renewal.
    Mr. Mica. Okay. Okay. Just, again, and lost, you have any 
information on lost or stolen credentials, Mr. Roth?
    Mr. Roth. Again, the airports have an obligation when a 
SIDA badge is reported lost or stolen or that employee quits, 
leaves, to turn it off.
    Mr. Mica. And they are required to notify TSA?
    Mr. LaJoye. They're required to notify the airport, Mr. 
Chairman, where then the airport is required to immediately 
deactivate the badge.
    Mr. Mica. But do you get a notification on them?
    Mr. LaJoye. We would not if it's a lost or stolen badge. 
Again, that would happen to the airport. Now, we do inspect, 
right, because every airport they have thresholds they can't 
exceed. So we went back----
    Mr. Mica. There is a law or regulation that says when 7 
percent of the credentials are compromised they have to reissue 
all new. Is that----
    Mr. LaJoye. We can--I mean, I can brief you specifically on 
what the requirements are, but it's lower than what you just 
cited, Mr. Chairman. But we went back over a 5-year period, 
understanding this is an area where the majority of airports 
are really very compliant because the cost of noncompliance is 
steep. It's exceedingly expensive for them to rebadge their 
population. So we went back over 5 years, almost 450 airports, 
and we only had 23 instances of airports having to rebadge any 
part of their population.
    So, again, this is really an area where the airports have a 
high level of compliance with respect to maintaining control of 
those lost and stolen badges.
    Mr. Mica. So you're basically relying mostly on a driver's 
license for identification, right?
    Mr. LaJoye. I'm referring to SIDA badges that are lost.
    Mr. Mica. Well, let's say for a passenger--or for a pilot, 
because the pilot has an ID that doesn't have a picture and 
information.
    Ms. Gilligan. But, Mr. Chairman, the pilots do have SIDA 
badges.
    Mr. Mica. Yes.
    Ms. Gilligan. Pilots are vetted through the airport system, 
just as all employees are.
    Mr. Mica. But they're all different, as we've heard.
    Ms. Gilligan. There are differences. And as I think Ms. 
Carroll makes the case, there is value in looking at how to 
perhaps refine that process. But I don't want to leave the 
impression that pilots aren't----
    Mr. Mica. And some of this too is--I can't blame you all 
totally because I have seen what happens. The airports lobby 
for keeping everything they're doing, and they don't want to 
change it, my God, you can't change it. The airlines are just 
as bad. Oh, no, they can't do this. You can't require that. 
There can't be standardization. They're just as bad. And then 
some of you are left in the lurch. So I'll give you that much 
credit.
    But we still have credentials, as I called it, in chaos. 
And somehow it's gotten us to this stage, but it's in spite--we 
have been very lucky and fortunate so far. I try to stay a 
little bit ahead of the curve. I think we need to have a 
sitdown with the new Administrator again. He was good to come 
in at the beginning. I know he's trying to institute some 
changes and reforms, things that make sense. But I think there 
are some of these items that we need to go over.
    I think we probably should look at some of the results--
sometimes we do these hearings and nothing gets done. But what 
we might do, staff on both sides, make a list of some of these 
items. And then they have we have authorizers, Mr.--from New 
York--Katko, he is an authorizer. He has also passed a couple 
of bills. We are not an authorizing committee. We are 
investigation and oversight. But if we just look at these and 
do nothing, not much comes as a positive result.
    So if we could, staff, let's put together, work with the 
minority, the things that we have uncovered here today that we 
could.
    And if you get a chance, we will sit down with the 
Administrator and see where we could do more.
    FAA, we'll have another Groundhog Day in a couple of years 
and we'll hear that they're on their way. But they also have 
some constraints, I know. And then the private sector has the 
solutions.
    Don't you have the solutions, Ms. Carroll?
    Ms. Carroll. Yes, sir, we do. And all we want to do is help 
in whatever way we can.
    Mr. Mica. You are doing both the fingerprint and iris. You 
have that capability?
    Ms. Carroll. Yes, sir.
    Mr. Mica. You have readers for both?
    Ms. Carroll. We have readers for all, yes, sir. And we have 
the systems to overlay.
    Mr. Mica. I think the staff, when we were putting this 
together, 15 years ago I was at some of the European airports, 
and they had the finger and iris in operation. That's 15 years 
ago.
    Ms. Carroll. Well, sir, just a point of clarification. In 
the United States, especially, fingerprints seems to be the 
default because they have to do criminal background checks and 
things like that. And so most of our databases for criminal 
background checks are fingerprints. And so that seems to be--
especially for workers.
    Mr. Mica. For a passenger. Like I have PreCheck.
    Ms. Carroll. Perfect. Iris is a good solution for 
passengers because of the----
    Mr. Mica. I think CLEAR might have that. Does CLEAR have 
that?
    Ms. Carroll. I'm not sure. I'm not sure. Yeah.
    Mr. Mica. They may have. And we've looked at turning that 
over to the private sector, all of the people who could qualify 
for PreCheck or credentialing, and then let TSA keep some of 
the rest of the mix. But, again, we don't know who is getting 
on. We don't know where the credentials are. The credentials 
are lacking information.
    Let's see if I have got any final questions. We will be 
submitting, as I said, some questions for you to respond to.
    One last question about--we rely quite a bit on a driver's 
license. The Feds have set some REAL ID standards, I guess, and 
I guess there are still some States in noncompliance. Where are 
we with that, Mr. LaJoye?
    Mr. LaJoye. Some of the initial enforcement of that will 
begin in 2018, and final enforcement will begin in 2020, Mr. 
Chairman, you know, at the point----
    Mr. Mica. I'm sorry? 2000--give me the----
    Mr. LaJoye. Some of the initial enforcement of the REAL ID-
compliant driver's license to gain access to the checkpoint 
will begin in 2018, with final enforcement beginning in 2020 on 
that.
    Mr. Mica. But we're still 2 years out. But you're accepting 
the flawed IDs now.
    Mr. LaJoye. Well, again, I mean, it's----
    Mr. Mica. It's noncompliant. Yes. I mean, yes, you are.
    Mr. LaJoye. Well, again, we will start enforcement of that 
in 2 years. It gives time for States to----
    Mr. Mica. We can pick out the States you should enforce it.
    Ms. Duckworth. Like Illinois.
    Mr. Mica. Illinois.
    And then final for Ms. Gilligan. When does FAA expect to 
establish a pilot records database?
    Ms. Gilligan. We're working closely, actually, sir, with 
one of the representatives from the family groups from Colgan 
who has a technical background.
    Mr. Mica. This is way, way back.
    Ms. Gilligan. The requirement for the pilot records 
database was in the FAA Extension and Safety Act of 2010.
    Mr. Mica. And what year is this?
    Ms. Gilligan. 2016. So we are working to establish--we have 
done a pilot program. We do understand what is required. The 
dilemma is that there are a number of kinds of records that 
airlines have kept over the years, including paper records and 
microfiche and----
    Mr. Mica. But you can set standards----
    Ms. Gilligan. Yes, sir, but----
    Mr. Mica. --for the records. Have you?
    Ms. Gilligan. Set standards for the records?
    Mr. Mica. For what is required as far as keeping for a 
database.
    Ms. Gilligan. Yes, we have informed the airlines----
    Mr. Mica. And then it can be electronically transmitted.
    Ms. Gilligan. We have informed the airlines of the records 
that they need to maintain in accordance with the statute, and 
that began in 2011 after the passage of the statute.
    Mr. Mica. But yet we still don't have a database.
    Ms. Gilligan. We have not been able to establish the 
integrated database at this point.
    Mr. Mica. Again, it's just very, very, very, very, very, 
very frustrating.
    Anything else, Ms. Duckworth?
    Ms. Duckworth. Not at this time, Mr. Chairman.
    Mr. Mica. Okay. I will ask the staff to go through and see 
what questions we want to submit. We appreciate your response 
for the record. We leave leave the record open for--instead of 
5 days, let's change it to 10 days, because we'll submit a 
bunch of questions to them that have not been answered here.
    Mr. Mica. We appreciate your participation. Our intent is 
to try to do better. And we have a responsibility for oversight 
and making certain we move this process forward and keep us 
safe and secure.
    There being no further business before the subcommittee, 
this subcommittee hearing is adjourned.
    [Whereupon, at 2:51 p.m., the subcommittee was adjourned.]


                                APPENDIX

                              ----------                              


               Material Submitted for the Hearing Record
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

                                 [all]