The ARMS Act directs the Transportation Security Administration to create a headquarters-based covert testing program for aviation security operations, with risk-informed scenarios that can yield valid data on vulnerabilities. It requires not fewer than three covert testing project scenarios each year and ensures every Category X airport is included at least once per fiscal year.
The bill also establishes a process to mitigate identified vulnerabilities, including root-cause analysis, a formal mitigation decision with milestones if mitigation is chosen, and a mandate to retest after mitigation.
Over the longer term, the Act requires annual reporting to Congress detailing testing results, vulnerabilities identified, mitigation progress, and retesting outcomes, with unclassified information and possible classified annexes. It also calls for a GAO review within three years to assess the effectiveness of the covert testing program and how well identified vulnerabilities are being mitigated.
At a Glance
What It Does
The TSA must establish a risk-informed, HQ-based covert testing program for aviation security operations, plus a long-term testing plan based on annual risk assessments of emerging threats. It requires multiple testing scenarios and documentation of methodology to ensure statistical validity.
Who It Affects
Directly affects TSA, Category X airports (high-risk aviation sites), and airport security operations personnel; also involves DHS and the Congress through reporting and oversight.
Why It Matters
Creates a data-driven mechanism to identify and fix security gaps, mandates timely mitigation and retesting, and builds accountability through annual public summaries and GAO oversight.
What This Bill Actually Does
The ARMS Act compels TSA to run a formal covert testing program focused on aviation security operations, using risk-informed scenarios developed at headquarters. The program requires not fewer than three testing scenarios each year and ensures that all Category X airports are tested at least once per year, so high-risk locations are regularly evaluated.
When vulnerabilities are found, TSA must perform a root-cause analysis within 90 days and decide within 150 days whether to mitigate the vulnerability. If mitigation is chosen, the agency must set milestones and a completion date for implementing the measures.
After mitigation is completed, TSA will retest the affected operation within 180 days to assess effectiveness.
Annually, TSA must report testing results, vulnerabilities, mitigation progress, and retesting outcomes to Congress, with unclassified material and a classified annex as needed. A public summary of performance data for Category X airports will be posted online, though scenario details and sensitive methods will be kept confidential.
Three years after enactment, the GAO will review the program’s effectiveness and the quality of the testing data used to gauge vulnerabilities.
Overall, the bill creates a systematic, data-driven loop: test, analyze, fix, and verify, with ongoing oversight to ensure vulnerabilities are addressed and security improvements are measurable.
The Five Things You Need to Know
Not fewer than three HQ-based covert testing scenarios must be conducted each year.
All Category X airports must be included in covert testing at least once per fiscal year.
A root-cause analysis must occur within 90 days of identifying a vulnerability.
Mitigation decisions must be made within 150 days, with milestones and a completion date if pursued.
An annual TSA report (unclassified with a possible classified annex) plus a public data summary for Category X airports is required; GAO will conduct a review in three years.
Section-by-Section Breakdown
Covert testing framework and initial program
The act requires TSA to establish a risk-informed, headquarters-based covert testing program for aviation security operations, designed to yield statistically valid data identifying vulnerabilities not mitigated by current operations. It also directs the development of a long-term, risk-informed testing program based on annual threat assessments. This creates a formal, repeatable process for evaluating screening and security protocols at scale.
Methodology and scenario execution
TSA must conduct the covert testing project scenarios under annual risk assessments of emerging threats and include not fewer than three testing scenarios. The agency is required to document the methodology, assumptions, and rationale guiding scenario selection and execution to ensure statistical validity and actionable results.
Mitigation process and timing
When a vulnerability is identified, TSA must establish a process to mitigate it. A root-cause analysis is required within 90 days to identify origins and contributing factors. Within 150 days, TSA must decide whether to mitigate and, if so, document milestones and a completion date for implementing the measures.
Reporting and public disclosure
Annually, TSA must compile and submit an unclassified report detailing all covert testing results, identified vulnerabilities, mitigation status, and retesting outcomes, with a classified annex as needed. The agency must publish a public summary of Category X airport performance data, including total tests, pass/fail rates, and trend observations, while protecting sensitive details that could compromise security.
GAO oversight
Three years after enactment, the Comptroller General must report to TSA and Congress on the effectiveness of CIA-type covert testing processes in yielding data to assess unmitigated vulnerabilities and the overall quality of the mitigation response.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- TSA security operations teams gain clearer, data-driven insight for vulnerability identification and risk prioritization.
- Category X airports receive focused attention and a structured path to remediation at high-risk locations.
- Airlines and security staff benefit from standardized mitigation milestones and improved security protocols.
- Congressional committees and DHS obtain regular, standardized data to inform oversight and budget decisions.
Who Bears the Cost
- TSA and DHS budgets and staffing must support additional covert testing, analysis, reporting, and remediation efforts.
- Category X airports may incur costs related to implementing mitigations, testing, and potential operational adjustments.
- Airport security screeners and contractors may need training and changes to screening procedures as mitigations are deployed.
- Security vendors and service providers may face increased demand for testing and remediation solutions.
- GAO and Congressional staff incur administrative costs associated with oversight and review.
Key Issues
The Core Tension
The central dilemma is balancing aggressive, risk-informed testing and rapid remediation with the practical realities of operating a large, high-stakes security program and the need to protect sensitive vulnerabilities from public disclosure.
The bill’s testing regime raises tensions between security rigor and operational practicality. On one hand, covert testing can reveal gaps that, if unaddressed, leave the aviation system vulnerable.
On the other, the process could strain airport operations, require significant resources, and raise concerns about the potential inadvertent exposure of vulnerabilities through public reporting. The act carefully separates test methodologies and airport-specific details from public disclosures to protect security, but the need to publish performance summaries for Category X airports creates a dynamic tension between transparency and security.
The program’s success hinges on timely root-cause analysis, realistic mitigation milestones, and the ability to retest effectively without disrupting daily operations.
A key implementation challenge is ensuring that category-level data do not inadvertently create incentives to prioritize certain airports over others or overlook non-category airports that may harbor latent risks. The annual reporting and the GAO review are intended to provide accountability, yet the actual value depends on the quality and timeliness of mitigation actions and retesting results.
Finally, funding and staffing constraints could slow remediation, undermining the intended risk-reduction benefits if resources are not adequately aligned with the testing cadence and scope.