The Notice of Proposed Rulemaking (NPRM) on Beyond Visual Line of Sight (BVLOS) drone flights issued by the Federal Aviation Administration (FAA) on Aug. 5 contained a surprise: The FAA is not the only federal agency involved in the rulemaking and will not be the only agency issuing a final rule. The Transportation Security Administration (TSA), most known for screening passengers at US airports, was revealed as having played a big role in developing the NPRM and will issue a separate, concurrent final BVLOS rule.
The voluminous, 731-page NPRM includes multiple sections referencing TSA, making clear the security agency will be heavily involved in the FAA Part 108 regulations that will govern BVLOS drone flights in the US.
There is “some surprise at TSA’s abrupt inclusion,” Commercial Drone Alliance (CDA) Policy Director Liz Forro told Commercial UAV News. “I think we'll be looking at TSA’s sections with particular scrutiny because we really haven't had a lot of engagement with them until very recently. It will be interesting to see what they're proposing, given that they haven't really interacted with this industry much.”
The NPRM states TSA’s inclusion is necessary “to ensure that the decision to regulate these UAS operations under Part 108 does not inadvertently create a security gap under TSA regulations. Under this proposal, which has been developed in consultation with FAA, TSA would continue to ensure the security of the national airspace by imposing appropriate security requirements.”
TSA will be particularly involved in oversight of UAV package delivery operations, but will also be regulating “a broader set of activities than package delivery operations,” according to the NPRM.
TSA has around 60,000 employees, the vast majority of whom are deployed to screen passengers and luggage at 450 US airports. The agency, however, also has a remit to oversee the security of more than four million miles of roadways, nearly 140,000 miles of railroad tracks, over 600,000 bridges and tunnels, around 360 maritime ports, and approximately 2.75 million miles of pipeline.
TSA’s previous involvement with UAVs has primarily been screening drones at airport checkpoints (generally, small drones are allowed through) and in checked baggage (there are restrictions on lithium batteries, fuel cells, and parachute system components), as well as assessing the threat of UAVs interfering with aircraft in airspace around airports.
Earlier this year, TSA deployed an agency-owned Skydio X10 drone over San Francisco International Airport (SFO) in an effort to better understand “the severe disruptions UAS can have on aviation and flight operations,” according to the agency.
“The drone provided photographic evidence of … possible attack trajectories from altitude,” Assistant Supervisory Air Marshal Jason Goff, who oversaw the January exercise at SFO, said. “Assessments like this allow us to demonstrate the capabilities of sUAS by conducting elevated, or aerial, observations of airport operations. They also help us verify viable locations for a possible attack.”
In the context of the Part 108 NPRM’s release, a statement made by Acting Supervisory Air Marshal Ty Fletcher on the occasion of the SFO drone tests now appears particularly relevant. “UAS also pose a potential threat to surface and other transportation systems,” he said. “Surface transportation presents a particularly challenging environment to detect and mitigate UAS. The sprawling nature of railroad rights-of-way, highways, pipelines and the rail transport industry makes oversight challenging.”
Extensive Background Checks
In the NPRM, the FAA says TSA has recommended requiring that “certain covered persons who are engaged in BVLOS operations undergo up to a Level 3 security threat assessment conducted by TSA.” According to the NPRM, “covered persons would include those who perform the functions of an operations supervisor; perform the functions of a flight coordinator; have unescorted access to the UAS; have unescorted access to the cargo loaded for transport on the UAS; or have unescorted access to the control or the flightpath of the UAS.”
A Level 3 assessment is the highest-level background screening done by TSA. It includes a check of government watchlists to scan for individuals who may “have links to terrorism or otherwise pose a threat to transportation or national security,” according to Department of Homeland Security (DHS) documents related to covered employees working in public transportation, railroads, and bus operations. TSA is part of DHS.
The watchlist screening is ongoing. “If an individual initially ‘passed’ the security threat assessment, but is later placed on a watchlist, TSA can quickly take appropriate action to disqualify the worker or otherwise minimize the threat,” according to DHS.
Under a Level 3 assessment, TSA will also check covered persons’ immigration status “to verify that an individual who is not a US citizen or national is in the country lawfully, has not overstayed a visa and is not in removal proceedings,” according to DHS.
A Level 3 assessment additionally includes a fingerprint-based criminal history records check. TSA submits fingerprints to the Federal Bureau of Investigation, which alerts the agency to any criminal records associated with the fingerprints. TSA also submits the fingerprints to DHS’s Office of Biometric Identity Management, which has a “biometric repository and provides additional, important information for TSA to use as part of the vetting process.”
If a criminal record shows up, TSA determines “whether the individual has a conviction for a disqualifying criminal offense,” according to DHS. “Each vetting program that includes a Level 3 security threat assessment has a list of crimes that are disqualifying if conviction or release from prison occurred within a certain time period.”
The Part 108 NPRM notes that those undergoing the threat assessment will be required to make payment to TSA “to recover all vetting costs, and applicants submit those fees to TSA during the enrollment process.” The NPRM states that anyone “adversely affected by security vetting may seek redress from TSA.”
The NPRM says that persons required to get a threat assessment “would most likely visit a TSA enrollment center to provide identification verification documents needed for the assessment.”
According to the NPRM, TSA believes such vetting is necessary because “an individual with bad intent performing such functions could cause great harm to the public by using UAS to conduct attacks or strikes on civilian populations or transporting prohibited cargo over residential or urban areas where no guardrails exist to restrict where the UAS travels.”
The FAA notes that TSA administers security vetting “among similarly situated surface, maritime, and aviation transportation workers. FAA believes, and TSA concurs, that similar requirements are advisable for these proposed Part 108 UAS operations.”
Securing Package Delivery
The NPRM makes clear that TSA will have a big role in regulating drone package delivery operations.
UAV operators conducting package delivery services will likely be required to get a security program from TSA, somewhat like those now required for airlines and charter aircraft operators. The security program could include, for example, a requirement for drone operators to appoint a security coordinator.
The NPRM emphasizes that “FAA approval [for BVLOS package delivery operations] is not sufficient. TSA approval is also required. These proposed requirements are intended to avoid any unintended consequences regarding the security of UAS operations under proposed Part 108, consistent with TSA’s responsibility for aviation security.”
CDA’s Forro said drone operators submitting comments on the NPRM will want to make sure TSA has an “understanding of the way that drone operations work” and how UAVs differ from manned aviation. “The level of security vetting they're proposing, I'm not sure gives us the warm fuzzies that they really understand how UAS, particularly package delivery operations,
The NPRM also addresses cybersecurity, although it is not clear from the text how much TSA will be involved in that aspect of drone security.
“FAA has proposed that operators must develop and implement cybersecurity policies and processes,” the NPRM states. “Highly automated systems are integral to UAS operations, and this reliance on these systems can, if not properly protected, result in a significant vulnerability.”
Bill Irby, CEO of AgEagle Aerial Systems, which produces flight hardware, sensors, and software for drone operators, said the final Part 108 rule should include strong cybersecurity regulations.
“I think it's an absolutely critical thing that needs to happen,” he told Commercial UAV News. “But I would also say that there's not going to be a whole lot of difference between drones and manned aviation on what the cybersecurity requirements are. There's no reason that it should be. So any types of data links will need to be approved, whether it's command and control data or sensors sending data back, all those need to be approved.”
Comments