[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4126 Introduced in House (IH)]
<DOC>
119th CONGRESS
1st Session
H. R. 4126
To direct the Transportation Security Administration to carry out
covert testing and risk mitigation improvement of aviation security
operations, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
June 25, 2025
Mr. Crane introduced the following bill; which was referred to the
Committee on Homeland Security
_______________________________________________________________________
A BILL
To direct the Transportation Security Administration to carry out
covert testing and risk mitigation improvement of aviation security
operations, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Aviation Risk Mitigation and
Security Act'' or the ``ARMS Act''.
SEC. 2. TSA COVERT TESTING AND RISK MITIGATION IMPROVEMENT.
(a) In General.--Not later than 180 days after the date of the
enactment of this Act, the Administrator of the Transportation Security
Administration (TSA) shall establish the following to strengthen
aviation security operations:
(1) In accordance with subsection (b), a system for
conducting risk-informed, headquarters-based covert testing
project scenarios for aviation security operations, including
relating to airport passenger and baggage security screening
operations, that can yield statistically valid data that can be
utilized to identify and assess the nature and extent of any
vulnerabilities to such operations that are not mitigated by
current security operations.
(2) A long-term headquarters-based covert testing program,
employing static but risk-informed threat vectors, based on
annual risk assessments of emerging threats, designed to assess
the effectiveness of aviation security operations on an annual
basis.
(b) Methodology.--The Administrator of the TSA shall conduct the
risk-informed, headquarters-based covert testing project scenarios for
aviation security operations under paragraph (1) of subsection (a)
based on annual risk assessments of emerging threats. The Administrator
shall--
(1) conduct not fewer than three such covert testing
project scenarios to identify any systemic vulnerabilities in
aviation security operations, and ensure that each Category X
airport in the United States is included in such covert testing
project scenarios at least once per fiscal year; and
(2) document the methodology, assumptions, and rationale
guiding the selection and execution of such covert testing
project scenarios to ensure statistical validity and actionable
results.
(c) Mitigation.--
(1) In general.--The Administrator of the TSA shall
establish a process to address and mitigate any vulnerabilities
to aviation security operations identified and assessed
pursuant to the covert testing project scenarios conducted
under paragraph (1) of subsection (a).
(2) Analysis.--Not later than 90 days after identifying a
vulnerability referred to in paragraph (1), the Administrator
of the TSA shall conduct a root cause analysis to determine the
origin and contributing factors relating to such vulnerability.
(3) Determination.--Not later than 150 days after
conducting the analysis under paragraph (2), the Administrator
of the TSA shall make a determination regarding whether or not
to mitigate the vulnerability referred to in such paragraph,
and shall prioritize mitigating such vulnerability based on the
ability to reduce risk. If the Administrator determines--
(A) to not mitigate such vulnerability, the
Administrator shall document the justification relating
thereto; or
(B) to mitigate such vulnerability, the
Administrator shall establish and document--
(i) key milestones appropriate for the
level of effort required to so mitigate such
vulnerability; and
(ii) a date by which measures to so
mitigate such vulnerability shall be
implemented by the TSA.
(4) Retesting.--Not later than 180 days after the date on
which measures to mitigate a vulnerability are completed by the
TSA pursuant to paragraph (3)(B)(ii), and to the extent
applicable, the Administrator of the TSA shall conduct a covert
testing project scenario in accordance with subsection (a)(1)
for the aviation security operation with respect to which such
vulnerability was identified to assess the effectiveness of
such measures to mitigate such vulnerability.
(d) Annual Reporting.--
(1) Compilation of test results.--Not later than November
30 of the first full fiscal year that begins after the date of
the enactment of this Act and annually thereafter, the
Administrator of the TSA, in consultation with the Secretary of
Homeland Security, shall produce a report detailing the results
of all covert testing project scenarios for aviation security
operations under subsection (a)(1) conducted in the immediately
preceding fiscal year by the TSA. Each such report shall--
(A) be submitted in unclassified form, but may
contain a classified annex in accordance with paragraph
(2); and
(B) include--
(i) a summary of all vulnerabilities to
aviation security operations that were
identified and the respective dates of such
identifications;
(ii) the status of mitigation efforts under
subsection (c), including key milestones and
expected completion dates;
(iii) the results of retesting under such
subsection on previously mitigated
vulnerabilities;
(iv) justifications for vulnerabilities
that remain unmitigated under such subsection,
and a determination of whether full mitigation
is feasible; and
(v) an assessment of security improvements
based on covert testing data trends.
(2) Submission to congress.--The Administrator of the TSA
shall submit to the Committee on Homeland Security of the House
of Representatives and the Committee on Commerce, Science, and
Transportation of the Senate each report required under
paragraph (1) together with the Transportation Security
Administration's annual budget request. Each such report may
include classified and sensitive security information, and any
such information shall be submitted as a classified annex.
(3) Public disclosure of covert testing performance at
category x airports.--
(A) In general.--Not later than November 30 of the
first full fiscal year that begins after the date of
the enactment of this Act and annually thereafter, the
Administrator of the TSA shall publish, and maintain on
a publicly accessible website of the TSA, a summary of
performance data acquired as a result of covert testing
project scenarios conducted at Category X airports
under subsection (b)(1) during the immediately
preceding fiscal year. Each such summary shall--
(i) include, at a minimum--
(I) the total number of tests
carried out as part of such covert
testing project scenarios conducted at
Category X airports;
(II) the aggregate pass rate and
failure rate, expressed as percentages,
for all such covert tests, calculated
across all tested locations and covert
testing project scenarios; and
(III) general observations or trend
data regarding changes in performance
compared to the prior fiscal year; and
(ii) not include test scenario details,
methodologies, or airport-specific data that
could compromise aviation security operations.
(B) Exception.--Clause (ii) of subparagraph (A)
shall not apply with respect to summary-level
statistics regarding the overall performance of TSA
screening operations at Category X airports for
purposes of public availability of the annual summaries
under such subparagraph.
(e) GAO Review.--Not later than three years after the date of the
enactment of this Act, the Comptroller General of the United States
shall submit to the Administrator of the TSA, the Committee on Homeland
Security of the House of Representatives, and the Committee on
Commerce, Science, and Transportation of the Senate a report on the
effectiveness of the TSA's processes for conducting covert testing that
yields statistically valid data that can be utilized to assess the
nature and extent of any vulnerabilities to aviation security
operations that are not effectively mitigated by current security
operations.
<all>