oversight

General Aviation Security: Weaknesses Exist in TSA's Process for Ensuring Foreign Flight Students Do Not Pose a Security Threat

Published by the Government Accountability Office on 2012-07-18.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

             United States Government Accountability Office

GAO          Report to Congressional Requesters




July 2012
             GENERAL AVIATION
             SECURITY
             Weaknesses Exist in
             TSA’s Process for
             Ensuring Foreign
             Flight Students Do
             Not Pose a Security
             Threat




GAO-12-875
                                               July 2012

                                               GENERAL AVIATION SECURITY
                                               Weaknesses Exist in TSA's Process for Ensuring
                                               Foreign Flight Students Do Not Pose a Security
                                               Threat
Highlights of GAO-12-875, a report to
congressional requesters




Why GAO Did This Study                         What GAO Found
U.S. government threat assessments             The Transportation Security Administration (TSA) and aircraft operators have
have discussed plans by terrorists to          taken several important actions to enhance general aviation security, and TSA is
use general aviation aircraft—                 gathering input from operators to develop additional requirements. For example,
generally, aircraft not available to the       TSA requires that certain general aviation aircraft operators implement security
public for transport—to conduct                programs. Aircraft operators under these programs must, among other things,
attacks. Also, the September 11, 2001,         develop and maintain TSA-approved security programs. TSA has also conducted
terrorists learned to fly at flight schools,   outreach to the general aviation community to establish a cooperative
which are within the general aviation          relationship with general aviation stakeholders. In 2008, TSA developed a
community. TSA, within DHS, has
                                               proposed rule that would have imposed security requirements on all aircraft over
responsibilities for general aviation
                                               12,500 pounds, including large aircraft that Department of Homeland Security
security, and developed AFSP to
ensure that foreign students enrolling
                                               (DHS) analysis has shown could cause significant damage in an attack. In
at flight schools do not pose a security       response to industry concerns about the proposed rule’s costs and security
threat. GAO was asked to assess (1)            benefits, TSA is developing a new proposed rule. Officials from all six industry
TSA and general aviation industry              associations GAO spoke with stated that TSA has reached out to gather
actions to enhance security and TSA            industry’s input, and three of the six associations stated that TSA has improved
efforts to obtain information on these         its efforts to gather input since the 2008 notice of proposed rulemaking.
actions and (2) TSA efforts to ensure          TSA vets foreign flight student applicants through its Alien Flight Student
foreign flight students do not pose a
                                               Program (AFSP), but weaknesses exist in the vetting process and in DHS’s
security threat. GAO reviewed TSA
                                               process for identifying flight students who may be in the country illegally. From
analysis comparing FAA data from
January 2006 to September 2011 on              January 2006 through September 2011, more than 25,000 foreign nationals had
foreign nationals applying for airman          applied for Federal Aviation Administration (FAA) airman certificates (pilot’s
certificates with AFSP data, and               licenses), indicating they had completed flight training. However, TSA
interviewed 22 general aviation                computerized matching of FAA data determined that some known number of
operators at eight airports selected to        foreign nationals did not match with those in TSA’s database, raising questions
reflect geographic diversity and               as to whether they had been vetted. In addition, AFSP is not designed to
variations in types of operators. This is      determine whether a foreign flight student entered the country legally; thus, a
a public version of a sensitive security       foreign national can be approved for training through AFSP after entering the
report GAO issued in June 2012.                country illegally. A March 2010 U.S. Immigration and Customs Enforcement
Information TSA deemed sensitive has           (ICE) flight school investigation led to the arrest of six such foreign nationals,
been omitted, including two                    including one who had a commercial pilot’s license. As a result, TSA and ICE
recommendations on TSA’s vetting of            jointly worked on vetting names of foreign students against immigration
foreign nationals.                             databases, but have not specified desired outcomes and time frames, or
                                               assigned individuals with responsibility for fully instituting the program. Having a
What GAO Recommends
                                               road map, with steps and time frames, and assigning individuals the
GAO recommends that TSA identify               responsibility for fully instituting a pilot program could help TSA and ICE better
how often and why foreign nationals            identify and prevent potential risk. The sensitive security version of this report
are not vetted under AFSP and                  discussed additional information related to TSA’s vetting process for foreign
develop a plan for assessing the               nationals seeking flight training.
results of efforts to identify AFSP-
approved foreign flight students who
entered the country illegally. DHS
concurred with GAO’s
recommendations and indicated
actions it is taking in response.
View GAO-12-875. For more information,
contact Steve Lord at (202) 512-4379 or
lords@gao.gov.

                                                                                        United States Government Accountability Office
Contents


Letter                                                                                      1
               Background                                                                   8
               TSA and Aircraft Operators Have Taken Actions to Secure General
                 Aviation; TSA Obtains Information through Outreach and
                 Inspections                                                              14
               Weaknesses Exist in Processes for Conducting Security Threat
                 Assessments and for Identifying Potential Immigration
                 Violations                                                               20
               Conclusions                                                                32
               Recommendations for Executive Action                                       33
               Agency Comments and Our Evaluation                                         33

Appendix I     Scope and Methodology                                                      36



Appendix II    Examples of Federal, State, and Industry Efforts to Enhance
               General Aviation Security                                                  41



Appendix III   Comments from the Department of Homeland Security                          44



Appendix IV    GAO Contact and Staff Acknowledgments                                      46



Tables
               Table 1: Examples of Federal General Aviation Security Measures            14
               Table 2: Reviews Conducted as Part of the AFSP Security Threat
                        Assessment                                                        21


Figures
               Figure 1: Composition of FAA-Registered General Aviation Aircraft            9
               Figure 2: Full, Private Charter, and Twelve-Five Security Program
                        Requirements                                                      12




               Page i                                     GAO-12-875 General Aviation Security
Abbreviations

ADIS                     Arrival and Departure Information System
AFSP                     Alien Flight Student Program
ATSA                     Aviation and Transportation Security Act
DHS                      Department of Homeland Security
DOD                      Department of Defense
FAA                      Federal Aviation Administration
FBI                      Federal Bureau of Investigation
ICE                      U.S. Immigration and Customs Enforcement
NOTAM                    Notices to Airmen
OSPIE                    Office of Security Policy and Industry
                         Engagement
PARIS                    Performance and Results Information System
SEVP                     Student and Exchange Visitor Program
TSA                      Transportation Security Administration
US-VISIT                 U.S. Visitor and Immigrant Status Indicator
                         Technology




This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.




Page ii                                              GAO-12-875 General Aviation Security
United States Government Accountability Office
Washington, DC 20548




                                   July 18, 2012

                                   The Honorable Peter T. King
                                   Chairman
                                   The Honorable Bennie G. Thompson
                                   Ranking Member
                                   Committee on Homeland Security
                                   House of Representatives

                                   The Honorable Mike Rogers
                                   Chairman
                                   The Honorable Sheila Jackson Lee
                                   Ranking Member
                                   Subcommittee on Transportation Security
                                   Committee on Homeland Security
                                   House of Representatives

                                   The Honorable Charles Dent
                                   House of Representatives

                                   General aviation includes nonscheduled aircraft operations such as air
                                   medical-ambulance, corporate aviation, and privately owned aircraft—
                                   generally, aircraft not available to the general public for transport.
                                   Altogether, more than 200,000 general aviation aircraft—from small
                                   aircraft with minimal load capacities to business jets and larger aircraft
                                   such as privately operated Boeing 747s—operate at more than 19,000
                                   facilities. Such facilities include publicly or privately owned airports, most
                                   of which primarily or exclusively serve general aviation aircraft, and
                                   heliports. While there have been no terrorist attacks conducted using
                                   general aviation aircraft in the United States, according to Transportation
                                   Security Administration (TSA) officials, U.S. government threat
                                   assessments have discussed plans by terrorist organizations to use
                                   general aviation aircraft to conduct attacks against U.S. targets. Similarly,
                                   the September 11, 2001, terrorists learned to fly on general aviation
                                   aircraft at flight schools in Florida, Arizona, and Minnesota. Further,
                                   analysis conducted on behalf of TSA has indicated that larger general
                                   aviation aircraft, such as midsized and larger jets often used for business
                                   purposes, may be able to cause significant damage to buildings and other
                                   structures.




                                   Page 1                                        GAO-12-875 General Aviation Security
According to TSA officials, general aviation also includes over 7,000 flight
training providers and individual certified flight instructors that can provide
flight training. TSA, through its Alien Flight Student Program (AFSP),
established requirements and standards governing the provision of flight
training to foreign flight student candidates. For example, foreign flight
student candidates must submit specific biographical information and
fingerprints to TSA. TSA uses this information to conduct a security threat
assessment, including checks of a flight student candidate’s criminal
history and immigration status, as well as whether the candidate matches
records in terrorism-related databases or on watch lists, among other
things. 1

The Aviation and Transportation Security Act (ATSA) gives TSA broad
responsibility for securing the nation’s civil aviation system, which
includes general aviation operations. 2 Although TSA has not undertaken
to directly regulate many aspects of general aviation, the agency has
issued and in some instances oversees implementation of requirements
and guidance covering certain aspects of the industry. For example, TSA
established and oversees implementation of a security program that
requires aircraft operators of certain aircraft weighing over 12,500 pounds
to carry out specific security measures, such as designating a security
coordinator and ensuring the availability of law enforcement to respond to
an incident. 3 Aircraft operators required to adopt and carry out such
security programs must, among other things, prepare a written security
program describing the procedures used to comply with applicable



1
 Generally, nonimmigrants wishing to visit the United States gain permission to apply for
admission to the country in one of two ways. First, those eligible for the visa waiver
program, which allows foreign nationals from some countries to apply for admission
without a visa, apply online to establish eligibility to travel under the program prior to
departing for the United States (visitors from certain countries not part of the visa waiver
program, such as citizens of Canada and the British Overseas Territory of Bermuda, may
also apply for admission to the United States without a visa under certain circumstances).
Second, those not eligible for the visa waiver program must visit the U.S. consular office
with jurisdiction over their place of residence or the area in which they are physically
present but not resident to obtain a visa.
2
 See generally Pub. L. No. 107-71, § 101(a), 115 Stat. 597 (2001) (codified at 49 U.S.C. §
114(d)).
3
 Specifically, this TSA security program—the Twelve-Five Standard Security Program—
applies to aircraft weighing more than 12,500 pounds in scheduled or charter service, that
carry passengers, cargo, or both, and that do not fall under other security programs. See
49 C.F.R. § 1544.101(d).




Page 2                                                GAO-12-875 General Aviation Security
requirements, have the program approved by TSA, and ensure the
program is available for inspection upon request by TSA. These general
aviation aircraft operators are also subject to TSA inspections to
determine their compliance with applicable security requirements.
However, many general aviation aircraft operations, such as certain
privately owned aircraft, do not fall within the scope of existing TSA
security programs. The Department of Homeland Security (DHS) and the
Federal Bureau of Investigation (FBI) jointly estimate that such privately
owned aircraft, many of which are jets of up to the size of a commercial
passenger airliner, constitute approximately 15 percent of all general
aviation aircraft. 4

In October 2008, TSA issued a notice of proposed rulemaking to amend
current and implement new aviation security regulations to enhance the
security of general aviation by expanding the scope of current
requirements and by adding new requirements for certain large aircraft
operators and airports serving those aircraft. 5 This proposed
rulemaking—the Large Aircraft Security Program—if implemented, would
have, among other things, expanded the population of aircraft operators
required to have TSA-approved security programs to all aircraft
exceeding 12,500 pounds and subjected such aircraft operators to
compliance audits. 6 However, in light of concerns expressed by the
aviation industry, including concerns about the cost of implementing
provisions of the proposed rule, TSA delayed issuing a final rule and
instead plans to issue a new proposed rule in late 2012 or 2013.

In November 2004, we reported that while the federal government
provided guidance and funding for general aviation and enforced certain
regulatory requirements, most of the responsibility for assessing and
enhancing general aviation security fell on airport and aircraft operators. 7
Among other things, we reported that TSA and other federal agencies


4
 See DHS-FBI Joint Intelligence Bulletin, Al Q’aida and the Threat to General Aviation,
(Sept. 2, 2011).
5
 See 73 Fed. Reg. 64,790 (Oct. 30, 2008).
6
 For purposes of this report, references to an aircraft’s weight (e.g., “aircraft exceeding
12,500 pounds”) refer to an aircraft’s maximum certificated takeoff weight.
7
 GAO, General Aviation Security: Increased Federal Oversight Is Needed, but Continued
Partnership with the Private Sector Is Critical to Long-Term Success, GAO-05-144
(Washington, D.C.: Nov. 10, 2004).




Page 3                                                  GAO-12-875 General Aviation Security
had not conducted an overall systematic assessment of threats to, or
vulnerabilities of, general aviation to determine how to better prepare
against terrorist threats, and recommended that they develop a plan for
implementing a risk management approach to help identify threats to and
vulnerabilities of general aviation security. We also reported that there
were limitations in the monitoring of flight student programs, prior to
TSA’s assumption of this responsibility from the Department of Justice,
and made a recommendation to strengthen that oversight. DHS
concurred with our recommendations and has taken steps that address
them, such as conducting a comprehensive risk assessment for aviation
and surface transportation, including general aviation. In May 2011, we
also reported on physical security measures that 13 general aviation
airports have in place to prevent unauthorized access. 8 The 13 airports
we visited had multiple security measures in place to protect against
unauthorized access, although the specific measures and potential
vulnerabilities varied across the airports. DHS concurred with the
observations in our report.

You asked us to assess the status of TSA and industry efforts to address
general aviation security. Accordingly, this report addresses the following
questions: (1) What actions have TSA and general aviation aircraft
operators taken, if any, to enhance security, and how has TSA obtained
information on the implementation of the operators’ actions? (2) To what
extent has TSA ensured that foreign flight students seeking flight training
in the United States do not pose a security threat?

This report is a public version of a prior sensitive report that we provided
to you in June 2012. DHS deemed some of the information in the prior
report sensitive security information, which must be protected from public
disclosure. 9 Therefore, this report omits sensitive information regarding
potential vulnerabilities we identified related to TSA’s vetting process for
foreign nationals seeking flight training, and associated recommendations
we made. In addition, we have omitted sensitive background information
on the potential damage that could be caused by different types of
general aviation aircraft crashing into buildings. The information provided
in this report is more limited in scope, as it excludes such sensitive


8
 GAO, General Aviation: Security Assessments at Selected Airports, GAO-11-298
(Washington, D.C.: May 20, 2011).
9
See 49 C.F.R. pt. 1520.




Page 4                                            GAO-12-875 General Aviation Security
information, but the overall methodology used for both reports is the
same.

To address the objectives, we examined laws and regulations—including
provisions of ATSA, the Implementing Recommendations of the 9/11
Commission Act of 2007 (9/11 Commission Act), and TSA regulations
governing aircraft operators and the AFSP—related to the security of
general aviation operations. 10 We also interviewed representatives from
six industry associations based on their participation in TSA’s Aviation
Security Advisory Committee and on their focus on general aviation
security issues. 11 The associations are the American Association of
Airport Executives, Aircraft Owners and Pilots Association, Experimental
Aircraft Association, General Aviation Manufacturers Association,
National Air Transportation Association, and National Business Aviation
Association. In addition, we interviewed 22 general aviation operators—
including 5 private operators that operate at least one aircraft weighing
more than 12,500 pounds, 12 7 private charter companies that also
perform as private operators, and 10 flight schools—located at eight
selected airports to observe and discuss security initiatives implemented.
We selected these airports based on their geographic dispersion
(Southern California, North Texas, and Central Florida) as well as
variation in the types of general aviation operations present (such as
charter and private operations) and size of aircraft based at each airport.
While the information gathered from the interviews is nongeneralizable to
all general aviation operators, it provided important perspective to our
analysis. As part of this work, we assessed the reliability of TSA data in
its Performance and Results Information System (PARIS) by interviewing


10
 See, e.g., Pub. L. No. 110-53, § 1617, 121 Stat. 266, 488-49 (2007) (codified at 49
U.S.C. § 44901(k)); 49 C.F.R. pts. 1544, 1552.
11
  Originally established in 1988, following the 1988 Pan American World Airways Flight
103 bombing over Lockerbie, Scotland, the Aviation Security Advisory Committee was
developed to allow all segments of the population to have input into aviation security
considerations. The committee’s charter expired in 2010, but was subsequently
reestablished by TSA in November 2011, with plans to reestablish the General Aviation
Working Group as well. The working group continued to meet informally while the
committee was inactive, according to working group members we interviewed.
12
  Civil aircraft must generally operate in accordance with the Federal Aviation
Administration’s General Operating and Flight Rules, codified at title 14, part 91 of the
Code of Federal Regulations. For purposes of this report, we refer to individuals operating
aircraft under part 91 (often referred to as “part 91” operators) for personal,
noncommercial, or noncharter use generally as “private” operators.




Page 5                                                GAO-12-875 General Aviation Security
TSA officials and reviewing documentation on controls implemented to
ensure the integrity of the data in the database and found these data to
be sufficiently reliable for use in this report. 13

To identify any actions TSA and general aviation aircraft operators have
taken to enhance security and how TSA has obtained information on the
implementation of the operators’ actions, we examined documentation on
TSA’s inspection processes for monitoring implementation of aircraft
operator security programs, and on TSA processes for obtaining
information on voluntary security initiatives implemented by general
aviation operators not covered by TSA security programs, such as
guidance for TSA personnel who conduct outreach to general aviation
operators. We reviewed a report conducted on behalf of DHS examining
the potential damage that could be caused by different types of general
aviation aircraft. 14 We also reviewed the methodology and assumptions
associated with this report and found them to be reasonable and well
documented. We also interviewed TSA officials on efforts to interact with
general aviation associations as a means to obtain information on
security initiatives implemented by general aviation operators, including
the agency’s interaction with members of the Aviation Security Advisory
Committee. We interviewed TSA Federal Security Directors and
Transportation Security Inspectors whose areas of operation encompass
the airports we selected, as well as airport officials responsible for
security at each airport. We also reviewed TSA data from fiscal year 2005
through fiscal year 2011 on the compliance of general aviation operators
that fall under TSA security programs and flight training providers. We
chose these dates because they reflect the time frame after the
publication of our previous report on general aviation security. 15

To assess the extent to which TSA has ensured that foreign flight
students seeking flight training in the United States do not pose a security
threat, we reviewed our recent reports related to DHS vetting, and
documentation related to TSA procedures for conducting security threat



13
  All TSA inspection activities must be documented and entered into PARIS, along with
any findings and actions taken.
14
  Homeland Security Institute, General Aviation Risk Assessment, Volume 1, Final Report
(May 31, 2007).
15
 GAO-05-144.




Page 6                                              GAO-12-875 General Aviation Security
assessments of AFSP candidates. 16 We also reviewed documentation on
TSA compliance procedures for flight schools participating in the AFSP
program and reviewed summary statistics for fiscal year 2005 through
fiscal year 2011 on flight school compliance compiled by TSA. 17 We
spoke to TSA inspection officials to discuss common issues associated
with compliance inspections and efforts to address compliance
deficiencies. We evaluated TSA’s efforts to assess risk for the AFSP
against Standards for Internal Control in the Federal Government. 18 We
also obtained data from the Federal Aviation Administration (FAA) airmen
registry on foreign nationals who had applied for FAA airman certificates
(private, recreational, or sport certificates) for the period January 2006
through September 2011 and provided the data to TSA so that the
agency could conduct a matching process to determine whether the
foreign nationals in the FAA airmen registry were in the AFSP database
and whether they had been successfully vetted through AFSP. 19 We
selected these dates because 2006 was the first full year after TSA
assumed responsibility for AFSP from the Department of Justice, and
September 2011 was the end of the fiscal year for our reporting period.
We excluded airmen applying for a U.S. certificate based on an existing
foreign airman certificate. We found the FAA and TSA data and the
approach, methodology, and results of the data matching process to be
sufficiently reliable for our purposes. We used the results of TSA’s
analysis to identify whether foreign nationals in the FAA airmen registry
were in the AFSP database as well as whether foreign nationals who


16
  See GAO, Actions Needed to Address Limitations in TSA’s Transportation Worker
Security Threat Assessments and Growing Workload, GAO-12-60, (Washington, D.C.:
Dec. 8, 2011), and Transportation Worker Identification Credential: Internal Control
Weaknesses Need to be Corrected to Help Achieve Security Objectives, GAO-11-657
(Washington, D.C.: May 10, 2011).
17
  We recently reported on U.S. Immigration and Customs Enforcement’s (ICE) oversight
of the Student and Exchange Visitor Program (SEVP). Specifically, ICE certifies schools to
accept foreign nationals on student visas in academic and vocational programs, including
those that provide flight training. SEVP-certified flight schools are a relatively small
percentage of schools nationwide that offer flight training to foreign nationals. See GAO,
Student and Exchange Visitor Program: DHS Needs to Assess Security Risks and
Strengthen Oversight of Schools, GAO-12-572 (Washington, D.C.: June 18, 2012).
18
  GAO, Internal Control: Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1999).
19
  Given the specific parameters we specified for matching FAA airmen registry data
against the AFSP database, we provided TSA with airmen registry data we had obtained
from FAA to allow for easier review and analysis of TSA results.




Page 7                                               GAO-12-875 General Aviation Security
             were in the FAA airmen registry were in the TSA AFSP database but had
             not been successfully vetted through AFSP. Appendix I provides more
             details about our objectives, scope, and methodology.

             We conducted this performance audit from March 2011 through July 2012
             in accordance with generally accepted government auditing standards.
             Those standards require that we plan and perform the audit to obtain
             sufficient, appropriate evidence to provide a reasonable basis for our
             findings and conclusions based on our audit objectives. We believe that
             the evidence obtained provides a reasonable basis for our findings and
             conclusions based on our audit objectives.


             According to a September 2011 DHS/FBI joint bulletin, more than 68
Background   percent of general aviation aircraft registered with the Federal Aviation
             Administration are personally owned aircraft—mostly small, single- or
             twin-engine propeller aircraft—used for recreation or personal
             transportation. Corporate- or business-owned aircraft compose
             approximately 15 percent of general aviation aircraft. Regarding the types
             of general aviation in the general aviation aircraft fleet, FAA data indicate
             that about 63 percent of general aviation aircraft are single-engine piston
             aircraft, while about 4 percent are turboprop. Figure 1 shows the
             composition of the general aviation fleet.




             Page 8                                       GAO-12-875 General Aviation Security
Figure 1: Composition of FAA-Registered General Aviation Aircraft




                                        Pursuant to ATSA, TSA assumed from FAA responsibility for securing the
                                        nation’s civil aviation system.20 Consistent with its statutory obligations,
                                        TSA has undertaken a direct role in ensuring the security of commercial
                                        aviation through its performance and management of the passenger and
                                        baggage screening operations at TSA-regulated airports, among other



                                        20
                                          See 49 U.S.C. § 114(d).




                                        Page 9                                       GAO-12-875 General Aviation Security
things. 21 In contrast, TSA has taken a less direct role in securing general
aviation, in that it generally establishes standards that operators may
voluntarily implement and provides recommendations and advice to
general aviation owners and operators, except to the extent such
operations fall under existing TSA security requirements or where
otherwise specifically directed by statute. 22 Responsibility for securing
general aviation airports and aircraft is generally shared with state and
local governments and the private sector, such as airports and aircraft
owners and operators.

Certain general aviation operations fall within the scope of existing TSA
security requirements. For example, charter aircraft operations,
depending on the size of the aircraft and the specific nature of their
operations, among other factors, may be required to implement TSA-
approved security programs and are subject to TSA processes for
monitoring compliance with program requirements. 23 Certain aircraft
weighing more than 12,500 pounds in scheduled or charter service and
that do not fall under another security program must implement a
“Twelve-Five” security program, which must include, among other
elements, procedures for bomb or air piracy threats. 24 Aircraft weighing
more than 12,500 pounds that enplane from or deplane into an airport




21
  See, e.g., 49 U.S.C. § 44901. Commercial aviation, for purposes of this report, includes
that sector of the nation’s civil aviation system that provides for the transportation of
individuals by scheduled or chartered operations for a fee, including airports and air
carriers regulated pursuant to 49 C.F.R. parts 1542 and 1544. The term TSA-regulated
airports refers to all airports that implement TSA-approved security programs pursuant to
49 C.F.R. part 1542 and at which TSA performs, or oversees the performance of,
screening activities.
22
  See, e.g., Pub. L. No. 107-71, § 132, 115 Stat. at 635-36 (requiring that TSA implement
a security program for charter air carriers weighing 12,500 pounds or more, subsequently
implemented as the “Twelve-Five Standard Security Program”).
23
  Air charter is, in general, the business of renting an entire aircraft (i.e., chartering) as
opposed to individuals purchasing seats (e.g., tickets) on the aircraft. According to TSA,
742 charter operators were registered with the Twelve-Five or Private Charter Standard
Security Programs as of December 2011. TSA officials stated that approximately another
1,300 charter operators do not fall under these security programs because they weigh
12,500 pounds or less.
24
  A “scheduled” passenger operation would be a flight from identified air terminals at a set
time, which is held out to the public and announced by a timetable or schedule published
in an advertising medium such as a newspaper or magazine. See 49 C.F.R. § 1540.5.




Page 10                                                 GAO-12-875 General Aviation Security
sterile area, 25 or that weigh greater than 100,309.3 pounds or have
passenger-seating configurations of 61 or more seats (and are not a
government charter), must implement a “Private Charter” security
program. These operators must implement many of the requirements that
a commercial air carrier—that is, generally, a scheduled passenger
operation with either a passenger seating configuration of 61 or more
seats or 60 or fewer seats but that enplanes from or deplanes into a
sterile area—must implement a “Full” security program. Figure 2
summarizes requirements that must be implemented pursuant to these
security programs.




25
  The sterile area is the portion of an airport defined in the airport security program that
provides passengers access to boarding aircraft and to which access is generally
controlled through the screening of persons and property. See 49 C.F.R. § 1540.5.




Page 11                                                 GAO-12-875 General Aviation Security
Figure 2: Full, Private Charter, and Twelve-Five Security Program Requirements




                                         Note: For requirements applicable to a partial or full all-cargo program, see 49 C.F.R. § 1544.101(b),
                                         (h)-(i).


                                         Within TSA, different offices have responsibility for managing different
                                         elements of general aviation security, including AFSP. The General
                                         Aviation Branch of TSA’s Office of Security Policy and Industry


                                         Page 12                                                     GAO-12-875 General Aviation Security
Engagement (OSPIE) provides oversight, guidance, and information
necessary for general aviation security, such as the agency’s
Recommended Security Action Items for General Aviation Aircraft
Operators, which provides operators with best practices for securing their
aircraft, among other things. 26 OSPIE also manages and administers
security programs for certain charter and air cargo operators. Specifically,
OSPIE works with operators covered under TSA’s security programs to
develop security plans and register with TSA. OSPIE is also responsible
for administering security threat assessments for foreign nationals
applying to AFSP. 27

TSA’s Office of Security Operations is primarily responsible for
conducting inspections of general aviation aircraft operators that fall
under TSA security programs, as well as of flight training providers who
provide training to foreign nationals registered with AFSP. The office also
assists TSA management and TSA inspectors with guidance and subject-
matter expertise in ensuring compliance, by regulated entities and other
persons, with security requirements, and is tasked with coordinating with
internal and external stakeholders to ensure that security measures are
carried out efficiently and consistently.

Other federal agencies, such as FAA, also play a role in ensuring the
security of general aviation operations, as do state and local governments
and industry partners. Appendix II provides examples of some of these
efforts.




26
 TSA announced in September 2011 that the Office of Transportation Sector Network
Management would transition into OSPIE.
27
  This function used to be handled by TSA’s Office of Transportation Threat Assessment
and Credentialing, but became part of OSPIE as part of a TSA-wide reorganization that
was announced in September 2011.




Page 13                                            GAO-12-875 General Aviation Security
                                              TSA has worked to enhance general aviation security by developing
TSA and Aircraft                              various security programs and working with aviation industry stakeholders
Operators Have Taken                          to enhance their security efforts through the development of new security
                                              guidelines. The agency works to obtain information on the security
Actions to Secure                             practices of industry stakeholders through compliance inspections and
General Aviation; TSA                         outreach and is working with its industry partners to develop new security
Obtains Information                           regulations.

through Outreach and
Inspections
TSA and Industry Efforts                      As shown in table 1, TSA and other industry stakeholders have taken a
to Enhance General                            number of actions to enhance general aviation security. Among other
Aviation Security                             measures, TSA worked with members of the General Aviation Working
                                              Group of the Aviation Security Advisory Committee in 2003 and 2004 to
                                              develop recommended guidelines for general aviation airport security.

Table 1: Examples of Federal General Aviation Security Measures

Security measure                   Description
Risk assessments                   TSA has conducted or commissioned five assessments examining threats, vulnerabilities, and
                                   consequences associated with potential terrorist use of general aviation aircraft. For example, in
                                                                                           a
                                   May 2007, TSA and the Homeland Security Institute published an assessment of, among other
                                   things, the potential destructive capability of various sizes of general aviation aircraft. In November
                                   2010, TSA released its assessment of vulnerabilities associated with general aviation airports.
Security guidelines for general    In 2003 and 2004, TSA and the Aviation Security Advisory Committee developed guidelines or best
aviation aircraft operators and    practices designed to establish nonregulatory security standards for general aviation airport
airport characteristic             security. These guidelines are based on industry best practices and an airport characteristic
measurement tool                   measurement tool that allows airport operators to assess the level of risk associated with their
                                   airport to determine which security enhancements are most appropriate for their facility. According
                                   to the Acting General Manager for General Aviation, the committee is in the process of updating
                                   these guidelines, with an expected release in mid-2012.
Hotline to report suspicious       TSA implemented a hotline (1-866-GA-SECURE, or 1-866-427-3287) in December 2002 that allows
activity                           individuals to report suspicious activities to a central command structure.
Special flight rules area within   Pursuant to FAA regulations, general aviation operations are generally prohibited within a 15-
15 nautical miles of               nautical mile area of the Washington, D.C., metropolitan area unless otherwise authorized by TSA.
Washington, D.C., metropolitan     This limits access at Potomac Airpark, Washington Executive/Hyde Field, and College Park Airport
area                               (referred to as the “Maryland-3”) to only cleared and vetted pilots operating in compliance with
                                   specific flight planning and air traffic control procedures.
Airspace restrictions              TSA advises FAA to impose airspace restrictions at various locations throughout the United States
                                   to limit or prohibit aircraft operations in certain areas when intelligence officials report heightened
                                   security sensitivity. This includes the Air Defense Identification Zone around Washington, D.C., and
                                   restrictions that are put into effect when the President travels outside of Washington, D.C.




                                              Page 14                                                GAO-12-875 General Aviation Security
Security measure                Description
Twelve-Five Standard Security   Aircraft weighing more than 12,500 pounds in scheduled or charter service that carry passengers or
Program                         cargo or both, and that do not fall under another security program must implement a “Twelve-Five”
                                standard security program, which must include, among other elements, procedures regarding bomb
                                or air piracy threats.
                                          Source: GAO analysis of TSA and FAA information.
                                          a
                                           The Homeland Security Studies and Analysis Institute (Homeland Security Institute) is a federally
                                          funded research and development center established by the Secretary of Homeland Security with a
                                          mission to assist the Secretary and others in addressing national policy and security issues where
                                          scientific, technical, and analytical expertise is required.


                                          A more detailed list of federal, state, and industry general aviation
                                          security initiatives can be found in appendix II.

                                          Independent of regulatory requirements, operators of private general
                                          aviation aircraft not covered under existing security programs we spoke to
                                          indicated that they implement a variety of security measures to enhance
                                          security for their aircraft. For example, 7 of the 12 operators that perform
                                          as private operators that we interviewed stated that they park their aircraft
                                          in hangars to protect them from possible misuse or vandalism. Further, 2
                                          of the 12 operators stated they had hired security personnel to guard their
                                          aircraft if they are required to stay at an airport without hangar facilities.
                                          Seven of the 12 operators stated that they implement these security
                                          measures because of security concerns associated with operating their
                                          aircraft. For example, the 7 operators stated that their aircraft represent a
                                          major investment for their company and help generate a stream of
                                          income that must be protected, and that protecting the well-being of
                                          senior executives was a priority.


TSA Inspections and                       TSA obtains information directly from aircraft operators that fall under the
Industry Outreach                         Twelve-Five and Private Charter security programs (see fig. 2) through its
                                          review and approval of the security programs developed by these
                                          operators and through periodic inspections to determine the extent to
                                          which operators comply with their security programs. 28 TSA
                                          Transportation Security Inspectors are responsible for conducting these
                                          periodic inspections and determining whether operators are in compliance
                                          with program requirements or whether a violation has occurred.




                                          28
                                            TSA standard operating procedures provide that aircraft operators implementing TSA
                                          security programs must be inspected a minimum of once a year.




                                          Page 15                                                    GAO-12-875 General Aviation Security
As part of the inspection process, TSA inspectors examine certain key
security areas with respect to Twelve-Five and Private Charter
operations, including the roles and responsibilities of aircraft operator
personnel and whether the operator has procedures for addressing
emergencies. For example, TSA’s 2009 Inspector Handbook provides
guidance to TSA inspectors to examine, among other things, whether
aircraft operators under its security programs

•   ensure that individuals are denied boarding if they do not have valid
    identification,
•   ensure that passenger identification documents are checked against
    flight manifests, and
•   have adequate procedures for addressing incidents where indications
    of tampering or unauthorized access of aircraft are discovered.
Inspectors are required to record inspection results, including any
violations of program requirements, in TSA’s PARIS database and to
close the violations when the problem is resolved. Violations may be
resolved with on-the-spot counseling; however, some violations may
result in TSA sending a warning notice to the operator or in civil penalties
for the operator. If warranted, follow-up inspections may be conducted,
based on any findings made during an inspection. TSA officials stated
that inspection results in PARIS are used to inform TSA of security
challenges that may be faced by aircraft operators and to allow the
agency to better address security concerns expressed by these
operators.

TSA inspection data indicate that from 2007 through 2011, aircraft
operator compliance with security requirements has been well over 90
percent and has generally increased. TSA officials attribute the increase
in compliance to a better understanding of security program requirements
by operators, and to increased TSA outreach. Agency data illustrate that
the reasons for noncompliance among aircraft operators varied. For
example, in fiscal year 2011, inspectors found that Private Charter aircraft
operators did not always provide advance notice to the Federal Security
Director of upcoming private charter operations or of subsequent changes
or additions, which occurred in 7 percent of 424 inspections for this item.
Program compliance violations detected by inspectors were sometimes
resolved either by counseling with the aircraft operator or by initiating an
investigation of the incident, which could result in TSA issuing a warning
notice or civil penalties being assessed.




Page 16                                      GAO-12-875 General Aviation Security
In addition to taking steps to obtain information on security measures
enacted by general aviation aircraft operators that fall under TSA security
programs, the agency has also taken steps to obtain information on
security measures implemented by general aviation airport operators.
Specifically, the 9/11 Commission Act required TSA to, among other
things, develop a standardized threat and vulnerability assessment
program for general aviation airport operators and implement a program
to perform such assessments on a risk management basis. 29 To help
comply with the act’s requirement, TSA distributed a survey in 2010 to
approximately 3,000 general aviation airports to identify any
vulnerabilities at the airports, and received responses from 1,164 (39
percent) of the airports. In this survey, airport officials were asked to
respond to questions on security measures implemented by the general
aviation airport operators, such as whether hangar doors were secured
when unattended, and whether the airport had closed-circuit camera
coverage for hangar areas. This survey also included questions about the
types of perimeter fencing and physical barriers installed, as well as the
type of security measures in use at these airports. The survey found that,
while most general aviation airports had initiated some security
measures, the extent to which different security measures had been
implemented varied by airport. For example, survey results indicated that
more than 97 percent of larger general aviation airports responding to the
survey had developed an emergency contact list, but less than 19 percent
had developed measures to positively identify passengers, cargo, and
baggage. The survey also found that nearly 44 percent of airports
responding to the survey required security awareness training for all
tenants and employees and more than 48 percent of airports had
established community watch programs.

According to TSA officials, the results of the survey were analyzed to
identify the general strengths and weaknesses in the general aviation
community, and to show an overall picture of general aviation security
measures at a national and regional level. In addition, TSA officials said
that the information collected in the survey can be used to help determine
a plan of action to mitigate security concerns at general aviation airports.
For example, TSA used the survey to identify approximately 300 airports
that it considers to be higher risk and could therefore be prioritized to



29
 See, e.g., Pub. L. No. 110-53, § 1617, 121 Stat. 266, 488-49 (2007) (codified at 49
U.S.C. § 44901(k)(1)).




Page 17                                              GAO-12-875 General Aviation Security
                      receive security grants, should they become available. TSA officials
                      added that information from the survey allowed the agency to establish a
                      baseline for security measures in place at general aviation airports.

                      In addition to the survey, TSA also gathers information on security
                      measures implemented by operators through outreach activities its
                      inspectors conduct at general aviation airports, designed to establish a
                      cooperative relationship with general aviation airport stakeholders and
                      encourage voluntary adoption of security enhancements. However, TSA
                      officials stated that this type of outreach by its inspectors is not mandatory
                      and therefore is not conducted regularly. In addition, while inspectors are
                      encouraged to record results of these outreach visits in PARIS, inspectors
                      do not always do so in practice.


Additional Security   According to aviation industry officials, there are approximately 9,900
Measures Taken by     general aviation aircraft over 12,500 pounds not covered under either the
Operators             Twelve-Five or Private Charter security programs. Analysis by the
                      Homeland Security Institute indicates that some of these larger aircraft
                      may be able to cause significant damage in terms of fatalities and
                      economic costs, particularly general aviation aircraft with a maximum
                      takeoff weight of 71,000 pounds. 30 According to industry data, there are
                      over 800 general aviation aircraft weighing over 71,000 pounds.

                      TSA officials we spoke to stated that, unlike for aircraft that fall under the
                      Twelve-Five or Private Charter security programs, the agency does not
                      have a systematic mechanism to collect information on the security
                      measures implemented by other general aviation aircraft operators that
                      do not fall under TSA security programs. Rather, the agency has
                      developed informal mechanisms for obtaining information on security
                      measures enacted by these operators, such as outreach conducted by
                      TSA inspectors, and has contacted general aviation industry associations
                      to obtain this information as well as obtain information on the concerns of
                      these operators regarding costs and other challenges associated with
                      potential security requirements.




                      30
                        DHS deemed details on estimated numbers of fatalities and economic costs as sensitive
                      security information. Thus, they are not included in this report.




                      Page 18                                            GAO-12-875 General Aviation Security
As previously mentioned, TSA issued a notice of proposed rulemaking for
a Large Aircraft Security Program in October 2008, which would have
resulted in all general aviation aircraft larger than 12,500 pounds,
including those not currently covered under existing security programs,
being subject to TSA security requirements and inspections. However,
industry associations and others expressed concerns about the extent to
which TSA obtained industry views and information in the proposed rule’s
development. They also questioned the security benefit of the proposed
rule and stated that it could negatively affect the aviation industry given its
broad scope. For example, officials from three of the six industry
associations we interviewed stated that many of the proposed rule’s
measures, such as having third-party contractors conduct inspections of
private aircraft operators for a fee, would impose substantial logistical and
cost burdens on the general aviation industry. These association officials
added that any revised rule that TSA develops must take into account the
security measures already put in place by general aviation aircraft
operators as well as the costs associated with implementing any
additional security measures.

TSA managers responsible for general aviation security operations stated
that, in response to these concerns, the agency was revising the
proposed rule to make it more focused and risk-based, and that the
agency plans to issue a supplemental notice of proposed rulemaking in
late 2012 or early 2013. Further, officials from all six of the industry
associations we interviewed stated that TSA has reached out to industry
in developing its new rule and three of the six associations stated that
TSA has performed a better job of reaching out to industry in its ongoing
development of the new rule than it did with the rule it proposed in 2008.
For example, the vice president from one association stated that as part
of its development of its supplemental notice of proposed rulemaking,
TSA has more actively sought information on these security measures,
which better allows the agency to ensure the requirements would impose
as limited a burden as possible while maximizing security. He also stated
that TSA periodically solicits information on its proposed rule and on
industry security measures from industry associations through its Aviation
Security Advisory Committee.




Page 19                                       GAO-12-875 General Aviation Security
                              TSA has not ensured that all foreign nationals seeking flight training in the
Weaknesses Exist in           United States have been vetted through AFSP prior to beginning this
Processes for                 training or established controls to help verify the identity of individuals
                              seeking flight training who claim U.S. citizenship. TSA also faces
Conducting Security           challenges in obtaining criminal history information to conduct its security
Threat Assessments            threat assessments as part of the vetting process, but is working to
and for Identifying           establish processes to identify foreign nationals with immigration
                              violations.
Potential Immigration
Violations

Foreign Nationals’ Security   Some foreign nationals receiving flight training may not have undergone a
Threat Assessments            TSA security threat assessment. Under AFSP, foreign nationals seeking
                              flight training in the United States must receive a TSA security threat
                              assessment before receiving flight training to determine whether each
                              applicant is a security threat to the United States. 31 This threat
                              assessment is in addition to screening that the Department of State
                              conducts on foreign nationals who apply for nonimmigrant visas and that
                              U.S. Customs and Border Protection conducts on travelers seeking
                              admission into the United States at ports of entry.

                              According to TSA regulations, an individual poses a security threat when
                              the individual is suspected of posing, or is known to pose, a threat to
                              transportation or national security, a threat of air piracy or terrorism, a
                              threat to airline or passenger security, or a threat to civil aviation
                              security. 32 According to TSA officials, when a foreign national applies to
                              AFSP to obtain flight training, TSA uses information submitted by the
                              foreign national—such as name, date of birth, and passport information—
                              to conduct a criminal history records check, a review of the Terrorist
                              Screening Database, and a review of the Department of Homeland
                              Security’s TECS system, as shown in table 2. 33




                              31
                               Foreign nationals may apply to AFSP after they have already been admitted into the
                              United States or before they obtain a visa or arrive in the United States.
                              32
                               See 49 C.F.R. § 1540.115(c).
                              33
                                U.S. Immigration and Customs Enforcement and U.S. Customs and Border Protection
                              also check foreign nationals against federal databases to determine whether
                              nonimmigrants have immigration violations.




                              Page 20                                            GAO-12-875 General Aviation Security
Table 2: Reviews Conducted as Part of the AFSP Security Threat Assessment

Type of vetting                  Description
Criminal history records check   Criminal history record checks, which are fingerprint-based, require an adjudicator to review the
                                 applicant’s criminal history. According to TSA officials responsible for conducting these reviews,
                                 AFSP has no specific disqualifying offenses; however, if a foreign national applying to AFSP has
                                 criminal violations, TSA will forward this information to FAA to determine whether the violation
                                 disqualifies that individual from holding an FAA certificate.
Terrorist Screening Database     Information in the Terrorist Screening Center’s consolidated database of known or suspected
                                 terrorists—the Terrorist Screening Database—is used for security-related screening of foreign
                                 nationals applying to AFSP. For example, the Selectee List, a subset of the Terrorist Screening
                                 Database, contains information on individuals who must undergo additional security screening
                                 before being permitted to board an aircraft. The No Fly List, another subset of the Terrorist
                                 Screening Database, contains information on individuals who are prohibited from boarding an
                                 aircraft. If a foreign national is on one of these lists, TSA analysts will perform additional
                                 research to determine whether he or she is eligible to receive flight training.
Review of DHS TECS System        TECS, an updated and modified version of the former Treasury Enforcement Communications
                                 System, is an information-sharing platform that allows users to access different databases
                                 relevant to the antiterrorism and law enforcement mission of numerous other federal agencies.
                                 TSA reviews information contained in TECS to determine if an AFSP applicant has prior
                                 immigration-related violations. If the AFSP applicant has prior immigration-related violations,
                                                                 a
                                 such as a previous overstay, TSA will conduct additional TECS queries to determine if the
                                 applicant is eligible to obtain flight training.
                                        Source: GAO analysis of DHS information.
                                        a
                                         An overstay is an individual who is admitted to the country legally on a temporary basis—either with
                                        a visa, or in some cases, as a visitor who was allowed to enter without a visa—but then overstayed
                                        his or her authorized period of admission.


                                        According to TSA data, about 116,000 foreign nationals applied to AFSP
                                        from fiscal year 2006 through fiscal year 2011, and TSA’s AFSP security
                                        threat assessments resulted in 107 training requests submitted by foreign
                                        nationals being denied from 2006 through 2011 because of national
                                        security reasons, immigration violations, or disqualifying criminal
                                        offenses.

                                        According to TSA officials, most foreign nationals taking training from a
                                        U.S. flight training provider will apply for an FAA airman certificate once




                                        Page 21                                                     GAO-12-875 General Aviation Security
their flight training is completed. 34 Information obtained by FAA as part of
this application for certification is placed in the airmen registry. Consistent
with ATSA, TSA strives to coordinate with other federal agencies to
secure the nation’s transportation systems. 35 According to TSA, this may
include coordinating with FAA and U.S. Immigration and Customs
Enforcement (ICE) to identify individuals who pose a threat to
transportation security. For example, FAA provides TSA with data on
individuals new to the airmen registry database on a daily basis, including
biographic information on foreign nationals applying for airman certificates
based on their foreign license. According to a report by the DHS Office of
Inspector General, in early 2009, TSA used these data to perform a one-
time, biographic, name-based security threat assessment for each of the
4 million individual FAA airman certificate holders. 36 These security threat
assessments consisted of matching the biographic data provided by FAA
against the Terrorist Screening Database to determine whether credible
information indicated that the individual holding a certificate was involved,
or suspected of being involved, in any activity that could pose a threat to
transportation or national security. FAA certificate holders suspected of
being in the Terrorist Screening Database were referred to TSA’s
Transportation Threat Assessment and Credentialing office for
investigation. The airman vetting activities had been transferred to TSA in
October 2009 after a TSA and FAA work group developed business
processes and an interagency agreement was signed, according to
FAA. 37 Since then, TSA has vetted both new FAA airman certificate



34
  Pursuant to 14 C.F.R. part 61, FAA grants different types of airman certifications, which
allow pilots varying levels of flight privileges. For example, a sport pilot certification allows
a pilot to fly only light sport aircraft, a recreational pilot certification allows for flights within
a limited area, while a private pilot certification allows a pilot to transport passengers, but
not for compensation. See 14 C.F.R. §§ 61.96-61.101 (recreational pilots), 61.102-61.117
(private pilots), and 61.301-61.327 (sport pilots). Our analysis examined foreign nationals
seeking their first airman certification at the sport pilot, recreational pilot, or private pilot
level.
35
  See, e.g., 49 U.S.C. § 114(f), (h).
36
  DHS Office of Inspector General, Transportation Security Administration (TSA) Vetting
of Airmen Certificates and General Aviation Airport Access and Security Procedures, OIG-
11-96 (Washington, D.C.: July 7, 2011).
37
  According to FAA, the FAA Security and Investigations Division assumed responsibility
for airman vetting after September 11, 2001. FAA obtained watch lists and compared
them against the airmen registry. FAA began providing airman data to TSA periodically in
2003.




Page 22                                                     GAO-12-875 General Aviation Security
applicants and holders on an ongoing basis against the Terrorist
Screening Database.

In addition to vetting names of FAA airman certificate holders against the
Terrorist Screening Database, TSA also vets foreign nationals applying
for flight training through the AFSP, including training that occurs before a
student applies for an FAA airman certificate. To determine whether
foreign nationals applying for FAA airman certificates had previously
applied to AFSP and been vetted by TSA, we obtained data from FAA’s
airmen registry on foreign nationals who had applied for airman
certificates and provided these data to TSA so that the agency could
conduct a matching process to determine whether the foreign nationals in
the FAA airmen registry were in TSA’s AFSP database and the extent to
which they had been successfully vetted through the AFSP database. 38
The results of our review of TSA’s analyses are as follows: 39

•    TSA’s analysis indicated that some of the 25,599 foreign nationals in
     the FAA airmen registry were not in the TSA AFSP database,
     indicating that these individuals had not applied to the AFSP or been
     vetted by TSA before taking flight training and receiving an FAA
     airman certificate. 40




38
  Specifically, we obtained FAA airmen registry data on 25,599 foreign nationals applying
for their first FAA airman private pilot certificate, sport pilot certificate, or recreational pilot
certificate from January 2006 through September 2011. The data did not include
information on foreign nationals applying for FAA airman certificates based on an airman
certification issued by another government, thus the data we obtained were for foreign
nationals who had obtained flight training in the United States and therefore would have
been required to have applied for vetting under AFSP. As a check of TSA’s analysis, we
reviewed the results of TSA’s matching process and examined their methodology and
found both to be reasonable. We then used the results of TSA’s analysis to determine how
many foreign nationals in the FAA airmen registry were not in the TSA AFSP database,
which would indicate that they had not been vetted through AFSP, as well as foreign
nationals from the FAA airmen registry who were in the TSA AFSP database, but had not
been successfully vetted through AFSP.
39
  As stated previously, TSA receives FAA airmen registry data on a daily basis; however,
given the specific parameters we specified for matching FAA airmen registry data against
the AFSP database, we provided TSA with airmen registry data we had obtained from
FAA to allow for easier review and analysis of TSA results.
40
  For its analysis, TSA used a software tool that performs “fuzzy matching” of data such
as names, dates, or telephone numbers. The specific number is deemed sensitive security
information and is therefore not included in this report.




Page 23                                                   GAO-12-875 General Aviation Security
•    TSA’s analysis indicated that an additional number of the 25,599
     foreign nationals in the FAA airmen registry were also in the TSA
     AFSP database but had not been successfully vetted, meaning that
     they had received an FAA airman certificate but had not been
     successfully vetted or received permission from TSA to begin flight
     training.
As stated previously, TSA continuously vets all new and existing FAA
airmen certificate holders against the Terrorist Screening Database,
which would include the foreign nationals identified through TSA’s
analysis. However, this vetting does not occur until after the foreign
national has obtained flight training. Thus, foreign nationals obtaining
flight training with the intent to do harm, such as three of the pilots and
leaders of the September 11 terrorist attacks, could have already
obtained the training needed to operate an aircraft before they received
any type of vetting.

In commenting on the results of the analysis, TSA’s Program Manager for
AFSP could not explain with certainty why some of the foreign nationals
applying for FAA airman certificates may not have been vetted though
TSA’s security threat assessment process. The Program Manager stated,
however, that certain individuals can receive exemptions from the vetting
requirement as a result of a Department of Defense (DOD) attaché
endorsement at a U.S. embassy or consulate overseas. 41

TSA takes steps to help ensure that foreign nationals are obtaining
security threat assessments prior to beginning flight training. Specifically,
TSA regulations require flight training providers to maintain
documentation on foreign nationals who receive AFSP approval to begin
flight training as well as documentation on those who are taking flight
training under DOD endorsements. Similarly, TSA standard operating
procedures for inspectors indicate they should review documentation over
the course of their inspections of the flight training provider, including
documentation indicating the foreign national was approved for flight
training under AFSP and, if available, the DOD endorsement letter that


41
  Foreign nationals are not required to be vetted by AFSP if they are DOD endorsees,
which requires that the foreign national present the flight school an acceptable written
statement from a U.S. DOD attaché in the individual’s country of residence together with a
government-issued picture identification. See 49 C.F.R. § 1552.3(h)(2). According to TSA
officials, these endorsement letters may be granted for foreign military members to assist
in their training.




Page 24                                              GAO-12-875 General Aviation Security
                           informs them of the status of the foreign national in question as a DOD
                           endorsee, which would exempt them from receiving a security threat
                           assessment under AFSP. Our review of compliance data from TSA’s
                           PARIS database for fiscal year 2011 found that TSA inspectors have
                           encountered and documented instances where foreign nationals
                           attending flight school presented to the flight training provider DOD
                           endorsement letters, which would indicate they are exempt from security
                           threat assessment requirements. Additional details are considered
                           sensitive security information.


Flight School Compliance   TSA’s fiscal year 2011 Compliance Work Plan for Transportation Security
with Requirements          Inspectors requires that a minimum of one comprehensive inspection per
                           year must be performed on each of the approximately 7,000 known flight
                           training providers. The work plan was revised in 2011 to require a
                           minimum of two comprehensive inspections per year for each of the
                           4,500 certified flight instructors who train foreign students, and TSA’s
                           program manager stated that the agency was able to inspect all of these
                           entities at least twice in 2011. In general, the inspection process requires
                           inspectors to, among other things, review documents maintained by the
                           flight training provider, including the flight training records of both U.S.
                           citizens and alien flight students, and also ensure that foreign students
                           have registered with TSA’s AFSP database and were granted permission
                           to begin flight training from TSA. 42 The results of the inspections are to be
                           reported in TSA’s PARIS database consistent with the reporting
                           requirements of the work plan and other TSA guidance. As warranted,
                           any follow-up inspections are to be performed based on findings made
                           during the inspection process.

                           As of January 2012, inspection results show that the rate of compliance
                           with AFSP requirements increased from 89 percent in fiscal year 2005 to
                           96 percent in fiscal year 2011. 43 TSA officials attribute the increase in



                           42
                             TSA also requires that inspectors review records maintained by the flight training
                           provider for all flight students who identify themselves as U.S. citizens, nationals of the
                           United States, or DOD endorsees. Flight training providers are required to retain flight
                           training records on all students for a period of 5 years. Inspectors also review security
                           awareness training records maintained by providers for at least 1 year after the employee
                           is no longer employed by the flight training provider.
                           43
                             In addition to regular periodic inspections, TSA conducted eight special emphasis
                           inspections in calendar year 2011.




                           Page 25                                               GAO-12-875 General Aviation Security
compliance to a better understanding of AFSP requirements by flight
training providers, among other things. Agency data also illustrate that the
reasons for noncompliance among providers varied. For example, in
fiscal year 2011, the reasons for noncompliance included violations such
as missing photographs of foreign students, which occurred in 9 percent
of 1,800 inspections for this item. In 7 percent of about 2,800 inspections,
providers did not document and retain employee records related to
completion of the required Security Awareness Training. When inspectors
checked for retention of records of U.S. citizenship by the flight training
provider, the provider was not in compliance in about 5 percent of the
nearly 2,800 inspections performed in this area. Compliance violations
detected by inspectors were sometimes resolved either by counseling
with the flight training provider or by initiating an investigation of the
incident, which could result in civil penalties being assessed.

As part of its compliance inspection process, TSA inspectors also review
records of documentation provided by U.S. citizens applying for flight
training, which are maintained by flight training providers. TSA regulations
governing AFSP require individuals claiming U.S. citizenship to provide
one of the following documents, among other information, to flight training
providers before accessing flight training: 44

•    a valid, unexpired U.S. passport
•    an original or government-issued birth certificate
•    original certificate of birth abroad and a government-issued picture
     identification
•    original certificate of U.S. citizenship with raised seal and government-
     issued picture identification or
•    original U.S. Naturalization Certificate with raised seal and
     government-issued picture identification.
Flight school personnel are required to review the credentials presented
by individuals claiming U.S. citizenship and to maintain records, and TSA
inspectors, as part of the inspection process, review these records to
ensure flight training provider compliance with regulatory requirements.
Additional details are considered sensitive security information.




44
  See 49 CFR. § 1552 3(h)(1). Similarly, foreign nationals must present a copy of their
current unexpired passport and visa.




Page 26                                              GAO-12-875 General Aviation Security
Use of Criminal History   We have previously reported on the challenges TSA faces in ensuring it
Information               has the necessary information and appropriate staffing to effectively
                          conduct security threat assessments for screening and credentialing
                          programs, which include AFSP. As we reported in December 2011,
                          criminal history record checks are a key element of the security threat
                          assessment process for TSA’s screening and credentialing programs,
                          helping to ensure that the agency detects those applicants with potentially
                          disqualifying criminal offenses. 45 However, as we reported, the level of
                          access that TSA credentialing programs have to the Department of
                          Justice’s FBI criminal history records is the level of access accorded for
                          noncriminal-justice purposes (i.e., equal to that of a private company
                          doing an employment check on a new applicant, according to TSA),
                          which limits TSA in accessing certain criminal history data related to
                          charges and convictions. TSA said that it had been difficult to effectively
                          and efficiently conduct security threat assessment adjudication of criminal
                          history records because of the limited access it has as a noncriminal
                          justice-purpose requestor of criminal history records—and that this
                          limitation had increased the risk that the agency was not detecting
                          potentially disqualifying criminal offenses. We reported that while TSA
                          was seeking criminal justice-type access to FBI systems, the FBI reported
                          that it is legally unable to provide this access. The FBI and TSA were
                          collaborating on options, but had not identified the extent to which a
                          potential security risk may exist under the current process, and the costs
                          and benefits of pursuing alternatives to provide additional access.

                          In December 2011, we recommended that TSA and the FBI conduct a
                          joint risk assessment of TSA’s access to criminal history records. DHS
                          concurred with this recommendation and indicated it would work with the
                          Department of Justice to assess the extent of security risk, among other
                          things, and evaluate the costs and benefits of each alternative. In
                          response to our recommendations, the FBI reported that it was pursuing
                          several strategies to provide TSA with access to the most complete
                          criminal history information available for noncriminal justice-related
                          purposes, including reaching out to states that do not provide criminal
                          history records for noncriminal justice purposes as well as working to
                          develop technical solutions. As of February 2012, TSA officials indicated
                          that they are continuing to work with the FBI to address our
                          recommendation.



                          45
                           GAO-12-60.




                          Page 27                                     GAO-12-875 General Aviation Security
                         TSA officials responsible for overseeing security threat assessments
                         stated that the process for conducting criminal history record checks for
                         AFSP is substantively the same as that used for other TSA screening and
                         credentialing programs. While there is no information indicating that any
                         foreign nationals seeking flight training should not have been allowed to
                         do so because of unidentified criminal offenses, we believe that TSA
                         should continue to work with the FBI on joint risk assessments of TSA’s
                         access to criminal history records for credentialing programs, including
                         AFSP.


Immigration Violations   There have been instances of overstays or other immigration-related
                         violations for foreign nationals taking flight training in the United States,
                         most notably for three of the September 11 hijackers. 46 Specifically, three
                         of the six pilots and apparent leaders were out of status on or before
                         September 11, including two in overstay status. 47 AFSP was implemented
                         to help address such security concerns. As previously discussed, as part
                         of AFSP, TSA conducts security threat assessments for foreign nationals
                         requesting flight training in the United States. According to TSA officials,
                         the purpose of the security threat assessment, which includes a check of
                         the Terrorist Screening Database and a criminal history records check, is
                         to determine whether the foreign national requesting flight training
                         presents a security threat; the checks are not designed to determine
                         whether an applicant is in the country legally. As part of the security threat
                         assessment, TSA also conducts reviews of DHS’s TECS database to
                         determine if any negative immigration-related information is associated
                         with the foreign national seeking flight training. However, TSA officials
                         acknowledged that it is possible for a foreign national to be approved by
                         TSA through AFSP and to complete flight training after entering the
                         country illegally or overstaying his or her allotted time to be in the country
                         legally.




                         46
                           In-country overstays refer to nonimmigrants who have exceeded their authorized
                         periods of admission and remain in the United States without lawful status, while out-of-
                         country overstays refer to individuals who have departed the United States but who, on
                         the basis of arrival and departure information, stayed beyond their authorized periods of
                         admission.
                         47
                          See GAO, Homeland Security: Overstay Tracking Is a Key Component of a Layered
                         Defense, GAO-04-170T (Washington, D.C.: Oct. 16, 2003).




                         Page 28                                               GAO-12-875 General Aviation Security
In 2010, ICE investigated a Boston-area flight school after local police
stopped the flight school owner for a traffic violation and discovered that
he was in the country illegally. Twenty-five of the foreign nationals at this
flight school had applied to AFSP and had been approved by TSA to
begin flight training after their security threat assessment was completed;
however, the ICE investigation and our subsequent inquiries revealed the
following issues:

•   Eight of the 25 foreign nationals who received approval by TSA to
    begin flight training were in “entry without inspection” status, meaning
    they had entered the country illegally.
    •     Six of these foreign nationals were later arrested by ICE as a
          result of the investigation. TSA indicated 1 individual had been
          approved to begin flight training at two other schools, although the
          flight schools indicated that he did not complete training.
    •     Three of the 8 foreign nationals in “entry without inspection” status
          obtained FAA airman certificates: 2 held FAA private pilot
          certificates and one held an FAA commercial pilot certificate.
•   Seventeen of the 25 foreign nationals who received approval by TSA
    to begin flight training were in “overstay” status, meaning they had
    overstayed their authorized period of admission into the United
    States.
    •     Sixteen of these were arrested by ICE as a result of the
          investigation.
    •     Four of the 17 foreign nationals in “overstay” status obtained FAA
          airman certificates: 3 held FAA private pilot certificates and 1 held
          a commercial pilot certificate.
•   In addition, the flight school owner held two FAA airman certificates.
    Specifically, he was a certified Airline Transport Pilot (cargo pilot) and
    a Certified Flight Instructor. However, he had never received a TSA
    security threat assessment or been approved by TSA to obtain flight
    training. He had registered with TSA as a flight training provider under
    AFSP.
•   Further, TSA data indicated that an additional foreign national
    arrested as a result of this flight school investigation for “entry without
    inspection” had previously completed flight training through an airline.
According to the AFSP program manager, TSA reviews TECS to
determine if the student has prior immigration violations, including




Page 29                                         GAO-12-875 General Aviation Security
overstays. 48 However, the program manager stated that this TECS review
is not designed to determine how long the student is authorized to stay in
the country or whether the student had entered the country legally.
Rather, if the TECS review indicates that the foreign national has
previous immigration-related violations, such as overstaying the
authorized period of admission, TSA is to conduct additional TECS
queries to determine if the individual is eligible to receive flight training.
Further, according to TSA, prospective flight students may apply for
AFSP before entering the United States, rendering moot the question of
whether the foreign national had entered the country legally or
overstayed. 49

The AFSP program manager stated that even though the foreign
nationals were later found to be overstays, at the time of the review and
adjudication of their security threat assessments, they were determined to
be in legal status. According to TSA, none of the individuals that TSA
processed and approved under AFSP had derogatory information within
TECS, and visa overstay information is contained within TECS. However,
ICE data we reviewed indicated that 16 of the 17 foreign nationals
associated with the flight school who were found by ICE to be in overstay
status at the time of the investigation had already been in overstay status
at the time they received AFSP approval to begin flight training. This
includes the 4 foreign nationals who were able to obtain FAA airman
certificates. Further, the AFSP program manager stated that foreign
nationals who may have entered the country illegally but who did not have
prior immigration violations, did not have a criminal history, or were not on
the terrorist watch list, could be successfully vetted through an AFSP
security threat assessment and approved to receive flight training. The
program manager added that under the current AFSP process, TSA
cannot always determine at the time of application if an individual entered
the United States “without inspection” (illegally) because applicants can
apply to AFSP more than 180 days prior to the start date of training and
applicants are not necessarily in the United States at the time of
application.


48
  As previously discussed, in addition to the TECS review, the security threat assessment
consists of a check of the prospective flight student’s biographical information against the
Terrorist Screening Database and a Criminal History Records Check.
49
  Foreign nationals applying to AFSP have 180 days from the time they are approved to
begin flight training in the United States to begin flight training. According to TSA, they
may submit their applications before entering the country.




Page 30                                                GAO-12-875 General Aviation Security
Senior officials from TSA and ICE stated that the agencies have initiated
a process in which TSA and ICE check the names of AFSP applicants
against the U.S. Visitor and Immigrant Status Indicator Technology (US-
VISIT) program’s Arrival and Departure Information System (ADIS) to
help address this gap, as well as to identify foreign nationals taking flight
training who become overstays. 50 Specifically, in March 2011, TSA vetted
a list of current alien flight students in TSA’s AFSP database against
names in USVISIT’s ADIS to determine if any were potential overstays.
This review resulted in the identification of 142 possible overstays. In May
2011, TSA provided ICE with the results of its analysis, and ICE vetting
further reduced the list of possible overstays to 22. In September and
October of 2011, ICE initiated 22 investigations based on the results of
this analysis, which resulted in three arrests.

According to TSA and ICE officials, this initial matching of names in the
AFSP database against ADIS was conducted once to give the agencies
an indication of how many foreign nationals seeking flight training in the
United States may be in violation of their immigration status and what the
workload associated with conducting such matches would be. Information
from this review could then be used to initiate investigations of individuals
suspected of being in the country illegally either by overstaying their
allotted time in the country or who may have entered the country illegally.
The TSA and ICE officials added, however, that such a process would
have to be conducted more regularly to systematically identify foreign
nationals taking flight training who may be in violation of their immigration
status or who may have entered the country illegally. They stated that
establishing a more regular process of matching names of foreign
nationals in the AFSP database against ADIS would allow the agencies to
better identify foreign nationals seeking flight training who have violated
the terms of their admission as well as those who have entered the
country illegally.

However, several issues related to how a name matching program would
work are being considered, such as which agency would vet names in the


50
  The US-VISIT program is an automated visitor system to integrate information on the
entry and exit from the United States of foreign nationals. The purpose of US-VISIT is to
enhance the security of U.S. citizens and visitors, facilitate legitimate trade and travel, and
ensure the integrity of the U.S. immigration system. ADIS is a database that stores
traveler arrival, status management, and departure data. Arrival and departure data are
received from, among other things, air and sea carrier manifests and U.S. Customs and
Border Protection data entries at ports of entry.




Page 31                                                 GAO-12-875 General Aviation Security
              AFSP database against ADIS, and how frequently names associated with
              potential violations would be provided to ICE. ICE and TSA officials stated
              that they have not specified desired outcomes or time frames, or
              established performance measures to evaluate the success of the
              program. Standards for program management state that specific desired
              outcomes or results should be conceptualized, defined, and documented
              in the planning process as part of a road map, along with the appropriate
              steps and time frames needed to achieve those results. 51 The standards
              also call for assigning responsibility and accountability for ensuring the
              results of program activities are carried out. Having a road map, with
              appropriate steps and time frames, and individuals assigned with
              responsibility and accountability for fully instituting a pilot program, as well
              as instituting that pilot program if it was found to help identify foreign
              nationals taking flight training who may be in violation of their immigration
              status or who may have entered the country illegally, could help TSA and
              ICE account for flight students with potential immigration violations, and
              thus better position TSA to identify and prevent a potential risk.


              Since our 2004 report on general aviation security, TSA has taken steps
Conclusions   to enhance communications and interactions with general aviation
              industry stakeholders as well as improve the vetting of foreign nationals
              enrolling in U.S. flight schools. AFSP was implemented to help prevent
              future occurrences of foreign nationals obtaining flight training to commit
              terrorist attacks, as they did for the September 11, 2001, attacks. Key to
              the effectiveness of this effort is the ability of TSA to conduct meaningful
              security threat assessments on foreign nationals seeking flight training to
              help determine whether these individuals pose a security threat.
              However, as shown in TSA’s analysis, there are discrepancies between
              the data found in FAA’s airmen registry and TSA’s AFSP database,
              raising questions about whether some foreign nationals with airman
              certificates (pilot’s licenses) have completed required security threat
              assessments. In addition, working with ICE to develop a plan that assigns
              responsibilities and accountability and time frames for assessing the joint
              TSA and ICE pilot program to identify foreign nationals who may have
              immigration violations—including those who entered the country illegally
              to obtain flight training—and instituting that program if it is found to be
              effective, could better position TSA and ICE to determine the benefits of



              51
               Project Management Institute, The Standard for Program Management © (2006).




              Page 32                                         GAO-12-875 General Aviation Security
                      checking TSA data on foreign nationals pursuing flight training in the
                      United States.


                      To better ensure that TSA is able to develop effective and efficient
Recommendations for   security programs for general aviation operators, we recommend that the
Executive Action      Administrator of TSA take the following action:

                      •   Take steps to identify any instances where foreign nationals receive
                          FAA airman certificates (pilot’s licenses) without first undergoing a
                          TSA security threat assessment and examine those instances so that
                          TSA can identify the reasons for these occurrences and strengthen
                          controls to prevent future occurrences.
                      To better ensure that TSA is able to identify foreign nationals with
                      immigration violations who may be applying to the Alien Flight Student
                      Program, we recommend the Secretary of Homeland Security direct the
                      Administrator of TSA and the Director of ICE to collaborate to take the
                      following action:

                      •   Develop a plan, with time frames, and assign individuals with
                          responsibility and accountability for assessing the results of a pilot
                          program to check TSA AFSP data against information DHS has on
                          applicants’ admissibility status to help detect and identify violations,
                          such as overstays and entries without inspection, by foreign flight
                          students, and institute that pilot program if it is found to be effective.

                      We provided a draft of this report to the Departments of Homeland
Agency Comments       Security and Transportation for comment. DHS, in written comments
and Our Evaluation    received July 13, 2012, concurred with the recommendations and
                      identified actions taken, planned, or under way to implement the
                      recommendations. The Department of Transportation’s Deputy Director of
                      Audit Relations stated in an e-mail received on June 4, 2012, that the
                      department had no comments on the report. Written comments are
                      summarized below and official DHS comments are reproduced in
                      appendix III. In addition, DHS and DOT provided written technical
                      comments, which we incorporated into the report, as appropriate.

                      In response to our recommendation that TSA take steps to identify
                      instances where foreign nationals receive FAA airman certificates (pilot’s
                      licenses) without first undergoing a TSA security threat assessment, DHS
                      stated that TSA receives a daily feed from FAA of all new FAA certificates
                      issued, and that TSA vets these against certificates in the Terrorist



                      Page 33                                        GAO-12-875 General Aviation Security
Screening Database on a daily basis. While this is a beneficial practice,
we believe that it would be preferable for TSA to vet prospective flight
students before they begin flight training, rather than after they have
completed training and received a pilot’s certificate and are thus capable
of flying an aircraft. In addition, while TSA vets the names of new
certificate holders against the Terrorist Screening Database on a daily
basis, the AFSP vetting process includes additional criminal history
records checks and a check for derogatory immigration-related
information. To help improve the AFSP vetting process, DHS also stated
that TSA signed a memorandum of understanding with FAA in February
2012 to exchange data. The memorandum, which FAA signed in March
2012, outlines a process for FAA to provide certain data from its airmen
registry on a monthly basis, via encrypted e-mail and password protected,
to a designated point of contact within TSA, and authorizes TSA to use
the data to ensure flight training providers are providing TSA with
applicant/candidate information in order to conduct the appropriate
background check prior to flight instruction. This is an important first step
toward addressing our recommendation, provided that TSA uses the data
to identify instances where foreign nationals receive FAA airman
certificates without first undergoing a TSA security threat assessment,
identifies reasons for these occurrences, and strengthens controls to
prevent future occurrences, as we recommended.

In response to our recommendation that TSA and ICE collaborate and
develop a plan with time frames for assessing the results of a pilot
program to check TSA AFSP data against information DHS has on
applicants’ admissibility status, and to institute that pilot program if it is
found to be effective, DHS stated that TSA will prepare a plan by
December 31, 2012, to assess the results of the pilot with ICE to
determine the lawful status of the active AFSP population. The plan is to
include specific details on time frames and accountability and
recommendations for next steps. We believe that these are positive
actions that could help TSA address the weaknesses identified in this
report and we will continue to work with TSA to monitor progress on the
proposed solutions as the agency proceeds.

In its comments, DHS also referred to additional recommendations
related to TSA’s vetting of foreign nationals. Because DHS deemed the
details of these recommendations and its response as sensitive security
information, they are not included in the public version of this report.




Page 34                                        GAO-12-875 General Aviation Security
We are sending copies of this report to the Secretaries of Homeland
Security and Transportation, the TSA Administrator, and appropriate
congressional committees. In addition, this report is available at no
charge on the GAO website at http://www.gao.gov.

If you or your staff have any questions about this report, please contact
me at (202) 512-4379 or lords@gao.gov. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last page
of this report. Key contributors to this report are acknowledged in
appendix IV.




Stephen M. Lord
Director, Homeland Security and Justice Issues




Page 35                                     GAO-12-875 General Aviation Security
Appendix I: Scope and Methodology
             Appendix I: Scope and Methodology




             This report addresses the following questions: (1) What actions have the
             Transportation Security Administration (TSA) and general aviation aircraft
             operators taken to enhance security and how has TSA obtained
             information on the implementation of the operators’ actions? (2) To what
             extent has TSA ensured that foreign flight students seeking flight training
             in the United States do not pose a security threat?

             To address these questions, we examined laws and regulations—
             including provisions of the Aviation and Transportation Security Act
             (ATSA), Implementing Recommendations of the 9/11 Commission Act of
             2007 (9/11 Commission Act), and TSA regulations governing aircraft
             operators and the Alien Flight Student Program (AFSP)—related to the
             security of general aviation operations. 1 We also interviewed
             representatives from six industry associations based on their participation
             in TSA’s Aviation Security Advisory Committee and on their focus on
             general aviation security issues: the American Association of Airport
             Executives, Aircraft Owners and Pilots Association, Experimental Aircraft
             Association, General Aviation Manufacturers Association, National Air
             Transportation Association, and National Business Aviation Association.
             We also interviewed officials from TSA’s Office of Security Operations,
             Office of Intelligence and Analysis, and Office of Security Policy and
             Industry Outreach, as well as U.S. Immigration and Customs
             Enforcement (ICE) and the Federal Aviation Administration (FAA). In
             addition, we conducted site visits and interviewed representatives from a
             nonprobability sample of 22 general aviation operators located at selected
             airports—including 5 private operators that operate at least one aircraft
             weighing more than 12,500 pounds, 7 private charter operators that also
             perform as private operators, and 10 flight schools—to observe and
             discuss security initiatives implemented. We selected these airports
             based on geographic dispersion (Southern California, North Texas, and
             Central Florida) as well as variation in the types of general aviation
             operations present (such as charter and private operations) and size of
             aircraft based at each airport. Because we selected a nonprobability
             sample of operators to interview, the information obtained cannot be
             generalized to all general aviation operators. However, the interviews
             provided important perspective to our analysis and corroborated
             information we gathered through other means.



             1
              See generally Pub. L. No. 107-71, 115 Stat. 597 (2001); Pub. L. No. 110-53 121 Stat.
             266 (2007); 49 C.F.R. pts. 1544, 1552.




             Page 36                                             GAO-12-875 General Aviation Security
Appendix I: Scope and Methodology




To identify actions TSA and general aviation aircraft operators have taken
to enhance security and how TSA has obtained information on the
implementation of the operators’ actions, we examined documentation on
TSA’s inspection processes for monitoring aircraft operators’
implementation of security programs, including the Transportation
Security Inspector Inspections Handbook, the National Investigations and
Enforcement Manual, and the Compliance Work Plan for Transportation
Security Inspectors. We also reviewed documentation related to aircraft
operators’ implementation of voluntary security initiatives not covered by
TSA security programs, such as guidance for TSA personnel who
conduct outreach to general aviation operators. We reviewed a report
conducted on behalf of DHS examining the potential damage that could
be caused by different types of general aviation aircraft. 2 We also
reviewed the methodology and assumptions associated with this report
and found them to be reasonable and well documented. Also, we
reviewed National Safe Skies Alliance’s General Aviation Airport
Vulnerability Assessment, which contains survey data on security
measures implemented from a sample of general aviation airports, and
TSA’s General Aviation Airport Vulnerability Briefing. We also interviewed
TSA officials on efforts to interact with general aviation associations as a
means to obtain information on security initiatives implemented by private
general aviation operators, including the agency’s interaction with
members of the Aviation Security Advisory Committee. We also
interviewed TSA Federal Security Directors and Transportation Security
Inspectors whose areas of operation encompass the airports we selected,
as well as airport officials responsible for security at each airport. Finally,
we reviewed TSA data from fiscal years 2005 through 2011 on the
compliance of general aviation operators and flight training providers that
fall under TSA security programs with program requirements. We chose
these dates because they reflect the time frame after the publication of
our previous report on general aviation security. 3 For example, we
obtained compliance data for general aviation operators covered under
the Twelve-Five and Private Charter standard security programs stored in
TSA’s Performance and Results Information System (PARIS) for fiscal
years 2005 through 2011. We identified the frequency that aircraft
operators and flight training providers were reported to be in compliance


2
 Homeland Security Institute, General Aviation Risk Assessment, Volume 1, Final Report
(May 31, 2007).
3
GAO-05-144.




Page 37                                            GAO-12-875 General Aviation Security
Appendix I: Scope and Methodology




with program requirements. As part of this work, we assessed the
reliability of TSA data in PARIS by interviewing TSA officials and
reviewing documentation on controls implemented to ensure the integrity
of the data in the database and found the data to be sufficiently reliable
for use in this report.

To assess the extent to which TSA has ensured that foreign flight
students seeking flight training in the United States do not pose a security
threat, we reviewed our recent reports related to DHS security threat
assessment processes, and TSA guidance related to procedures for
conducting security threat assessments of several agency programs,
including AFSP. 4 We interviewed TSA officials who perform security
threat assessments and inspections of flight training providers for AFSP
to better understand program operations. To determine whether foreign
nationals applying for FAA airman certificates had previously applied to
AFSP and been vetted by TSA, we obtained from FAA data on foreign
nationals from FAA’s Comprehensive Airmen Information System, also
known as the airmen registry. Specifically, we obtained FAA airmen
registry data, including names and dates of birth, on 25,599 foreign
nationals applying for their first FAA airman private pilot certificate, sport
pilot certificate, or recreational pilot certificates from January 2006
through September 2011. We selected these dates because 2006 was
the first full year after TSA assumed responsibility for AFSP from the
Department of Justice and September 2011 was the end of the fiscal year
for our reporting period. The data did not include information on foreign
nationals applying for FAA airman certificates based on an existing
foreign airmen certificate issued by another government, thus ensuring
that the data we obtained were for foreign nationals who had obtained
flight training in the United States and therefore would have been required
to have applied for vetting under AFSP. We provided the FAA airmen
registry data to TSA so that the agency could conduct a matching process
to determine whether the foreign nationals in the FAA airmen registry
were in the AFSP database and the extent to which they had been
successfully vetted through AFSP. As stated previously, TSA receives
FAA airmen registry data on a daily basis; however, given the specific



4
 See GAO, Actions Needed to Address Limitations in TSA’s Transportation Worker
Security Threat Assessments and Growing Workload, GAO-12-60 (Washington, D.C.:
Dec. 8, 2011), and Transportation Worker Identification Credential: Internal Control
Weaknesses Need to be Corrected to Help Achieve Security Objectives, GAO-11-657
(Washington, D.C.: May 10, 2011).




Page 38                                             GAO-12-875 General Aviation Security
Appendix I: Scope and Methodology




parameters we specified for matching FAA airmen registry data against
the AFSP database, we provided TSA with airmen registry data we had
obtained from FAA to allow for easier review and analysis of TSA results.
We found the FAA and TSA data and the approach, methodology, and
results of the data matching process to be sufficiently reliable for our
purposes. We used the results of TSA’s analysis to identify whether
foreign nationals in the FAA airmen registry were not in the AFSP
database, and therefore not approved for flight training through AFSP, as
well as foreign nationals who were in the FAA airmen registry and were in
the AFSP database, but had not been successfully vetted though AFSP.
As part of this work, we also assessed the reliability of data in the FAA
airmen registry as well as data in the AFSP database by interviewing FAA
and TSA officials, and reviewing documentation on controls implemented
to ensure the integrity of the data in the database and found both to be
sufficiently reliable for use in this report.

We also spoke to TSA inspection officials to discuss common issues
associated with compliance inspections and efforts to address
compliance deficiencies. We reviewed documentation on TSA compliance
procedures for flight training providers participating in the AFSP program
and reviewed summary statistics for the period fiscal year 2005 through
fiscal year 2011, on flight school compliance compiled by TSA. We also
performed an analysis on compliance data for flight training providers. We
ascertained the reliability of AFSP inspection results derived from PARIS,
by interviewing TSA officials and reviewing documentation on controls
implemented to ensure the integrity of the data in the database, and
found the inspection data sufficiently reliable for use in this report. We
also spoke with cognizant TSA and ICE officials to discuss the pre-pilot
initiative under way with ICE to detect foreign nationals registered with
AFSP who overstayed their period of admission in the country or entered
the country illegally. We also reviewed documentation from an ICE
investigation related to a Boston-area flight training provider. We
compared the names of foreign nationals ICE identified in this
investigation with the names of AFSP candidates assigned to the flight
school, to ascertain which of the AFSP candidates had undergone a
security threat assessment and passed, but were subsequently found via
the ICE investigation to have either overstayed their admission period or
entered the country without inspection. We also evaluated TSA’s efforts




Page 39                                    GAO-12-875 General Aviation Security
Appendix I: Scope and Methodology




to assess risk for the AFSP against Standards for Internal Control in the
Federal Government. 5

We conducted this performance audit from March 2011 through July 2012
in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.




5
 GAO, Internal Control: Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov.1999).




Page 40                                             GAO-12-875 General Aviation Security
Appendix II: Examples of Federal, State, and
                                             Appendix II: Examples of Federal, State, and
                                             Industry Efforts to Enhance General Aviation
                                             Security


Industry Efforts to Enhance General Aviation
Security

Security measure                                  Description
Federal Efforts to Enhance General Aviation Security
Risk assessments                                  TSA has conducted or commissioned five assessments examining threats,
                                                  vulnerabilities, and consequences associated with potential terrorist use of general
                                                  aviation aircraft. For example, in May 2007, TSA and the Homeland Security Institute
                                                  published an assessment of, among other things, the potential destructive capability
                                                  of various sizes of general aviation aircraft. In November 2010, TSA released its
                                                  assessment of vulnerabilities associated with general aviation airports.
Security guidelines for general aviation aircraft In 2003 and 2004, TSA and the Aviation Security Advisory Committee developed
operators and airport characteristic              guidelines or best practices designed to establish nonregulatory security standards
measurement tool                                  for general aviation airport security. These guidelines are based on industry best
                                                  practices and an airport characteristic measurement tool that allows airport operators
                                                  to assess the level of risk associated with their airport to determine which security
                                                  enhancements are most appropriate for their facility. According to the Acting General
                                                  Manager for General Aviation, the committee is in the process of updating these
                                                  guidelines, with an expected release in mid-2012.
Hotline to report suspicious activity             TSA implemented a hotline (1-866-GA-SECURE, or 1-866-427-3287) in December
                                                  2002, which allows individuals to report suspicious activities to a central command
                                                  structure.
Special flight rules area within 15 nautical      Pursuant to FAA regulations, general aviation operations are generally prohibited
miles of Washington, D.C., metropolitan area      within a 15-mile area of the Washington, D.C., metropolitan area unless otherwise
                                                  authorized by TSA. This limits access at Potomac Airpark, Washington
                                                  Executive/Hyde Field, and College Park Airport (referred to as the “Maryland-3”) to
                                                  only cleared and vetted pilots operating in compliance with specific flight planning
                                                  and air traffic control procedures.
Airspace restrictions                             TSA advises FAA to impose airspace restrictions at various locations throughout the
                                                  United States to limit or prohibit aircraft operations in certain areas when intelligence
                                                  officials report heightened security sensitivity. This includes the Air Defense
                                                  Identification Zone around Washington, D.C., and restrictions that are put into effect
                                                  when the President travels outside of Washington, D.C.
Notices to Airmen (NOTAM)                         FAA has used Flight Data Center NOTAMs to advertise temporary flight restrictions
                                                  and warn of airport closures.
Twelve-Five Standard Security Program             Aircraft weighing more than 12,500 pounds in scheduled or charter service that carry
                                                  passengers or cargo or both, and that do not fall under another security program
                                                  must implement a “Twelve-Five” standard security program, which must include,
                                                  among other elements, procedures for bomb or air piracy threats.
Airman certificate with security features         FAA, in July 2003, discontinued issuing paper airman certificates and began issuing
                                                  certificates that incorporate a number of security features reducing the ability to
                                                  create counterfeit certificates. The new certificates are made of high-quality plastic
                                                                                                                                         a
                                                  card stock and include micro printing, a hologram, and an ultraviolet-sensitive layer.
Requirement to carry photo identification         An FAA requirement, adopted in October 2002, requires a pilot to carry government-
                                                  issued or other form of photo identification acceptable to the FAA Administrator along
                                                  with the pilot certificate when operating an aircraft.
Requirement to notify FAA of aircraft transfers   FAA, in February 2008, issued a final rule requiring those who transfer ownership of
                                                  U.S.-registered aircraft to notify the FAA Aircraft Registry within 21 days from the
                                                  transaction.




                                             Page 41                                                 GAO-12-875 General Aviation Security
                                                 Appendix II: Examples of Federal, State, and
                                                 Industry Efforts to Enhance General Aviation
                                                 Security




Security measure                                     Description
Pilot project security protocol for Part 91          The National Business Aviation Association proposed a security protocol for Part 91
operators                                            operators, enabling operators with a TSA Access Certificate to operate internationally
                                                     without the need for a waiver. TSA launched a pilot project in cooperation with the
                                                     National Business Aviation Association with Part 91 operators at Teterboro Airport in
                                                     New Jersey and later expanded the pilot to two additional airports.
Education/outreach efforts
Airport Watch                                        The Aircraft Owners and Pilots Association implemented the Airport Watch program
                                                     to help increase security awareness. The program includes warning signs for airports,
                                                     informational literature, and a training videotape to educate pilots and airport
                                                     employees on potential security enhancements for their airports and aircraft. It helped
                                                     to increase awareness of TSA’s centralized toll-free 1-866-GA-SECURE (1-866-427-
                                                     3287) hotline.
General aviation security educational materials The Experimental Aircraft Association distributed Airport Watch videotapes and other
                                                educational materials concerning security practices and airspace restrictions.
Program to address security of aerial                The National Agricultural Aircraft Association produced the Professional Aerial
application operations                               Applicators Support System, an annual education program that addresses security of
                                                     aerial application operations. It is presented at state and regional agricultural aviation
                                                     association meetings throughout the country.
Guidance on best practices
Security procedure recommendations for all           The National Air Transportation Association, on September 24, 2001, issued a series
aviation businesses                                  of recommended security procedures for all aviation businesses through its Business
                                                     Aviation Security Task Force. The recommendations focused on immediate steps to
                                                     be taken, plus longer-term actions. Examples included signage, appointing a single
                                                     manager responsible for security at all locations, developing a “security mission
                                                     statement,” methods to verify identification, seeking local law enforcement assistance
                                                     to develop a security plan, and a host of others, including an advisory poster that was
                                                     created and distributed free to all association members.
Flight school and rental security                    FAA, in January 2002, issued a number of recommended actions addressing security
                                                     for flight schools and those renting aircraft. These recommendations are designed to
                                                     provide security against the unauthorized use of a flight school or rental aircraft.
Security recommendations from National               The National Association of State Aviation Officials, in December 2002, submitted to
Association of State Aviation Officials              federal and state authorities a document outlining general aviation security
                                                     recommendations. This included securing unattended aircraft, developing a security
                                                     plan, and establishing a means to report suspicious activity. In addition, airports
                                                     should establish a public awareness campaign, perform regular inspections of airport
                                                     property, and control movement of persons and vehicles in the aircraft operating
                                                     area.
Security recommendations to U.S. Parachute           The U.S. Parachute Association disseminated security recommendations to its 219
Association skydiving clubs                          skydiving clubs and centers across the United States, most of them based on general
                                                     aviation airports. Some recommendations were aimed at ensuring security of jump
                                                     aircraft during operations, as well as periods when aircraft are idle.
Assist aircraft sellers in identifying unusual       The General Aviation Manufacturers Association, in conjunction with the U.S.
financial transactions                               Department of the Treasury, worked to help aircraft sellers identify unusual financial
                                                     transactions. The publication entitled Guidelines for Establishing Anti-Money
                                                     Laundering Procedures and Practices Related to the Purchase of General Aviation
                                                     Aircraft was developed in consultation with manufacturers, aviation-finance
                                                     companies, used-aircraft brokers, and fractional ownership companies.




                                                 Page 42                                                 GAO-12-875 General Aviation Security
                                                Appendix II: Examples of Federal, State, and
                                                Industry Efforts to Enhance General Aviation
                                                Security




Security measure                                     Description
Examples of state efforts to improve
general aviation security
Security plan for publicly owned airports            All publicly owned general aviation airports in Alabama must prepare and implement
(Alabama)                                            a written security plan that is consistent with TSA’s May 2004 Security Guidelines for
                                                     General Aviation Airports. The plan was to be submitted and on file by January 1,
                                                     2006, with the Aeronautics Bureau of the Alabama Department of Transportation in
                                                     order for the airport to be eligible to receive a state-issued airport improvement grant.
Security plan for publicly owned airports            Florida requires that certain public-use general aviation airports implement a security
(Florida)                                            plan consistent with guidelines published by the Florida Airports Council.
Airport security enhancements (New Jersey)           New Jersey requires that all aircraft parked or stored more than 24 hours be secured
                                                     by a two-lock system, that hangar doors have working locking devices and be closed
                                                     and locked when unattended, that permanent signs providing emergency contact
                                                     phone numbers be posted where specified, and that communications equipment
                                                     provided by the Division of Aeronautics for emergency notification by the division or
                                                     law enforcement agencies be available.
Background checks for flight students (New           New York law requires flight students to complete a criminal background check and
York)                                                wait for written permission to be sent to his or her flight school before beginning flight
                                                     training. Airports must also register with the state and supply contact information and
                                                     a security plan consistent with TSA’s May 2004 Guidelines for General Aviation
                                                     Airports.
State troopers provide airports with security        Virginia trained selected state troopers to provide airports with security audits at no
audits (Virginia)                                    charge to the airport operator.
Security assessment of public-use general            Washington contracted with a consultant to perform a security assessment of public-
aviation airports (Washington)                       use general aviation airports.
                                                Source: TSA, FAA, and industry associations.
                                                a
                                                 Further, the FAA Modernization and Reform Act of 2012 requires the Administrator of FAA to issue
                                                improved pilot licenses that, among other things, are resistant to tampering, alteration, and
                                                counterfeiting, that include a photograph of the individual to whom the license is issued, and be
                                                capable of accommodating iris and fingerprint biometric identifiers. See Pub. L. No. 112-95, § 321,
                                                126 Stat. 11, 71-72 (2012).




                                                Page 43                                                    GAO-12-875 General Aviation Security
Appendix III: Comments from the
             Appendix III: Comments from the Department
             of Homeland Security



Department of Homeland Security




             Page 44                                      GAO-12-875 General Aviation Security
Appendix III: Comments from the Department
of Homeland Security




Page 45                                      GAO-12-875 General Aviation Security
Appendix IV: GAO Contact and Staff
                  Appendix IV: GAO Contact and Staff
                  Acknowledgments



Acknowledgments

                  Stephen M. Lord, (202) 512-4379 or lords@gao.gov
GAO Contact
                  In addition to the contact named above, Jessica Lucas-Judy, Assistant
Acknowledgments   Director, and Robert Rivas, Analyst-in-Charge, managed this assignment.
                  Erika D. Axelson, Orlando Copeland, Katherine Davis, Gloria Hernandez-
                  Saunders, Adam Hoffman, Richard Hung, Mitchell Karpman, Stanley
                  Kostyla, Thomas Lombardi, Marvin McGill, Jessica Orr, Anthony Pordes,
                  Minette Richardson, and Robert Robinson made significant contributions
                  to this report.




(441088)
                  Page 46                                   GAO-12-875 General Aviation Security
GAO’s Mission         The Government Accountability Office, the audit, evaluation, and
                      investigative arm of Congress, exists to support Congress in meeting its
                      constitutional responsibilities and to help improve the performance and
                      accountability of the federal government for the American people. GAO
                      examines the use of public funds; evaluates federal programs and
                      policies; and provides analyses, recommendations, and other assistance
                      to help Congress make informed oversight, policy, and funding decisions.
                      GAO’s commitment to good government is reflected in its core values of
                      accountability, integrity, and reliability.

                      The fastest and easiest way to obtain copies of GAO documents at no
Obtaining Copies of   cost is through GAO’s website (www.gao.gov). Each weekday afternoon,
GAO Reports and       GAO posts on its website newly released reports, testimony, and
                      correspondence. To have GAO e-mail you a list of newly posted products,
Testimony             go to www.gao.gov and select “E-mail Updates.”

Order by Phone        The price of each GAO publication reflects GAO’s actual cost of
                      production and distribution and depends on the number of pages in the
                      publication and whether the publication is printed in color or black and
                      white. Pricing and ordering information is posted on GAO’s website,
                      http://www.gao.gov/ordering.htm.
                      Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
                      TDD (202) 512-2537.
                      Orders may be paid for using American Express, Discover Card,
                      MasterCard, Visa, check, or money order. Call for additional information.
                      Connect with GAO on Facebook, Flickr, Twitter, and YouTube.
Connect with GAO      Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts.
                      Visit GAO on the web at www.gao.gov.
                      Contact:
To Report Fraud,
Waste, and Abuse in   Website: www.gao.gov/fraudnet/fraudnet.htm
                      E-mail: fraudnet@gao.gov
Federal Programs      Automated answering system: (800) 424-5454 or (202) 512-7470

                      Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-
Congressional         4400, U.S. Government Accountability Office, 441 G Street NW, Room
Relations             7125, Washington, DC 20548

                      Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
Public Affairs        U.S. Government Accountability Office, 441 G Street NW, Room 7149
                      Washington, DC 20548




                        Please Print on Recycled Paper.