Section 1: Short Title

This Act may be cited as the ‘Aviation Risk Mitigation and Security Act’ or the ‘ARMS Act’.

Section 2: TSA Covert Testing and Risk Mitigation Improvement

The Transportation Security Administration (TSA) shall establish the following to strengthen aviation security operations:

• A system for conducting risk-informed, headquarters-based covert testing project scenarios for aviation security operations, including relating to airport passenger and baggage security screening operations.
• A long-term headquarters-based covert testing program, employing static but risk-informed threat vectors, based on annual risk assessments of emerging threats.

Section 3: Methodology

The Administrator of the TSA shall conduct the risk-informed, headquarters-based covert testing project scenarios under paragraph (1) of subsection (a) based on annual risk assessments of emerging threats.

1. Conduct not fewer than three such covert testing project scenarios to identify any systemic vulnerabilities in aviation security operations.
2. Document the methodology, assumptions, and rationale guiding the selection and execution of such covert testing project scenarios to ensure statistical validity and actionable results.

Section 4: Mitigation

The Administrator of the TSA shall establish a process to address and mitigate any vulnerabilities to aviation security operations identified and assessed pursuant to the covert testing project scenarios conducted under paragraph (1) of subsection (a).

1. Conduct a root cause analysis to determine the origin and contributing factors relating to such vulnerability.
2. Make a determination regarding whether or not to mitigate the vulnerability referred to in such paragraph, and shall prioritize mitigating such vulnerability based on the ability to reduce risk.

Section 5: Annual Reporting

The Administrator of the TSA shall produce a report detailing the results of all covert testing project scenarios for aviation security operations under subsection (a)(1) conducted in the immediately preceding fiscal year.

1. Be submitted in unclassified form, but may contain a classified annex in accordance with paragraph (2);
2. Include—
   • A summary of all vulnerabilities to aviation security operations that were identified and the respective dates of such identifications;
   • The status of mitigation efforts under subsection (c), including key milestones and expected completion dates;
   • The results of retesting on previously mitigated vulnerabilities;
   • Justifications for vulnerabilities that remain unmitigated under such section, and a determination of whether full mitigation is feasible;
   • An assessment of security improvements based on covert testing data trends.

Section 6: Public Disclosure of Covert Testing Performance

The Administrator of the TSA shall publish, and maintain on a publicly accessible website of the TSA, a summary of performance data acquired as a result of covert testing project scenarios conducted at Category X airports under subsection (b)(1) during the immediately preceding fiscal year.

1. Include—
   • The total number of tests carried out as part of such covert testing project scenarios conducted at Category X airports;
   • The aggregate pass rate and failure rate, expressed as percentages, for all such covert tests, calculated across all tested locations and covert testing project scenarios.
   • General observations or trend data regarding changes in performance compared to the prior fiscal year.
2. Not include test scenario details, methodologies, or airport-specific data that could compromise aviation security operations.

Section 7: GAO Review

Not later than three years after the date of the enactment of this Act, the Comptroller General of the United States shall submit to the Administrator of the TSA, the Committee on Homeland Security of the House of Representatives, and the Committee on Commerce, Science, and Transportation of the Senate a report on the effectiveness of the TSA’s processes for conducting covert testing that yields statistically valid data that can be utilized to assess the nature and extent of any vulnerabilities to aviation security operations that are not effectively mitigated by current security operations.