Operational challenges amid the Coronavirus pandemic are complicating airport badging protocols.
With a large number of airport employees, tenants and consultants working from home or laid off in recent months, Security Identification (ID) badges are being expired or revoked. In response, airports are grappling with secure badging protocols that require these badges be returned to airport security.
Transportation Security Administration (TSA) regulations and security programs require routine badging audits. If those audits find a significant number of credentials are unaccounted for, whether in the Security Identification Display Area (SIDA), Sterile (passenger boarding) Area or Air Operations Area (AOA), airport security must rebadge the entire population for that area.
Logistical constraints, limited staffing levels, and high costs associated with rebadging are confounding security credentials offices. Widespread rebadging efforts come as many airports are already overwhelmed by the safety and security challenges associated with significantly reduced passenger travel volumes, reduced airport income causing reduced budgets and spending, and layoffs and furloughs amid the global pandemic.
ID badges have been used with increasing frequency for decades. At a minimum, badges are used to assert a person’s identity. Often, they also function simultaneously as a key that enables facility access and indicates membership in a group such as “employee” or “visitor”.
If lost or stolen, a badge could provide access to secure areas of the airport to uncleared personnel.
Some badging systems incorporate cutting-edge biometrics such as fingerprint, face or iris recognition. If the badge is used for access, it often incorporates technology that prevents easy duplication. “Smart cards” provide security functions not available with barcode technology or radio frequency identification (RFID) technology. Smart cards range from basic memory cards to full microprocessor-based cards.
At airports, badging programs ensure access is limited to those who clear security background checks. Recent episodes, however, reveal the security lapses that can occur when badges are not electronically validated. Off-duty airline workers have been caught using their ID badge to circumvent security checkpoints. Others have used their badge to smuggle contraband to accomplices in the passenger boarding area.
TSA checkpoints and airport security are often equipped with the means to quickly perform electronic validation of badges. However, when badges are used as electronic keys and provide expedited access through checkpoints, the badge itself becomes a target for thieves. If lost or stolen, the badge could provide access to secure areas of the airport to uncleared personnel.
In response, Congress enacted the FAA Extension, Safety, and Security Act of 2016, requiring TSA to notify congressional committees of any Category I-IV airport where 5 percent of SIDA badges are unaccounted for. The threshold for Category X airports is 3 percent. A quarterly TSA reporting system conveys the numbers of lost, stolen or unaccounted for badges.
Declines in air travel during the pandemic have resulted in widespread airport transportation job losses. Many laid-off employees are not coming into the airport to return their badges. Sector employment has fallen from a peak of 512,100 jobs in March to a low of 378,600 in June. Construction contracts have been cancelled or postponed, resulting in contractor badges being revoked or expiring – most often, these are not being returned. If an airport needs to rebadge their workforce, remote work policies add further complication.
At many airports, rounds of layoffs or personnel reduction measures have affected the badging office as well. With fewer security personnel to assist with an already overwhelming task, the rebadging effort has become, as one airport executive says, “outrageously difficult.”
Airports are quickly approaching the rebadging threshold of unaccounted for badges. Failure to comply with TSA rebadging protocols come with a high cost. When Daniel K. Inouye International Airport rebadged its 23,000 employees in 2018, TSA notified the airport that failure to address the badging concerns may incur a fine of $13,066 per violation. Complete inaction would have resulted in $25 million in fines.
Automation tools can simplify background check procedures and rebadging efforts. Identity Management and Credentialing System (IMCS) technology can streamline the entire badge lifecycle — from the application process to badge issuance and access controls. Automated badging programs can also include reporting capabilities that submit badge audit reports directly to TSA.
Software-based systems help to implement and manage badging. They implement the policies and procedures in a systematic way that enforces such policies and regulatory requirements. Furthermore, IMCS technology can provide integration to other electronic systems. These include security threat assessment vetting and criminal background checks for badge holders, for collecting and securely storing their personal information, and for crucial integration with other corporate systems such as those used by security, human resources or accounting departments.
After a thorough background check confirms a person is suitable for a badge, their identity is normally validated in person, via a driver’s license or other government-issued photo ID. If biometrics such as fingerprints or facial recognition are built into the badging system, that information is collected after identity validation and must be stored in a secure location.
Rebadging is more than an administrative or financial concern. Employees should recognize their badges’ inherent value and the security vulnerabilities associated with unreturned badges.
Often, a badge is imprinted with a person’s name or other personally identifiable information (PII). While this is helpful, displaying this information may leave his or her personal information vulnerable to unwanted exposure. Seemingly harmless information on a badge can be used along with details from other sources to aid in identity theft, for example.
Future badging programs may learn from the current challenges by revising badge designs. Companies and airports often consider badges as extensions of their branding, printing them with logos, addresses and other details. From a security perspective, however, it may be prudent to omit any information about the company and its location. That way, if a badge is lost or stolen, thieves can’t use that information to identify the location and gain access. And while instructions for returning a lost badge are helpful (e.g., “if found, please return to…”), a post office box as the return address is safer than printing a physical address.
As airports work through operational challenges of the pandemic, Burns will continue to monitor TSA badging guidance and any technology advances that can assist airports in balancing the needs of secure travel and operations.