PIA update

Privacy Impact Assessment Update
for the

Crew Member Self Defense Training
(CMSDT) Program
DHS/TSA/PIA-014(a)
July 24, 2013
Contact Point
Monte Kleman
Federal Air Marshal Service
Flight Programs Division
[email protected]
Reviewing Official
Jonathan R. Cantor
Acting Chief Privacy Officer
Department of Homeland Security
(202)343-1717

Privacy Impact Assessment Update
Transportation Security Administration
Crew Member Self Defense Training Program
Page 2

Abstract
The Department of Homeland Security (DHS) Transportation Security Administration
(TSA) Crew Member Self-Defense Training (CMSDT) Program is a voluntary self-defense
training course for U.S. commercial and cargo air carrier crew members. The CMSDT Program
trains crew members on how to defend the flight deck against acts of criminal violence or air
piracy. TSA previously published a Privacy Impact Assessment (PIA) on this program on
February 6, 2008. TSA has collected CMSDT Program information principally through
completion of an electronic registration form hosted on the TSA.gov web site. At times,
information was collected through paper forms. TSA is updating the PIA to reflect that it plans
to: (1) collect information from crew members solely through electronic means; and (2) conduct
personnel security suitability checks on American Association of Community College (AACC)
Site Coordinators so that they may be granted access to an existing secure TSA web-based
system in order to process registrations on behalf of crew members.

Introduction
TSA implemented the CMSDT Program in order to comply with Section 603 of the
Vision 100 – Century of Aviation Reauthorization Act (Pub. L. 108-176), which requires TSA to
provide a voluntary program of self-defense training for crew members of air carriers providing
scheduled passenger air transportation. TSA’s Office of Law Enforcement/Federal Air Marshal
Service (OLE/FAMS) is responsible for administering the CMSDT Program and has developed a
training approach that combines distributed learning technology with hands-on instruction in
self-defense techniques. Crew members interested in the training are able to obtain information
from the TSA CMSDT web page 1 to identify a classroom training location and to register online
or directly with the point of contact listed for the training site (via telephone). TSA collects the
crew member’s name, last four numerals of the Social Security Number (SSN), contact
information, employer information including the employer-issued employee identification
number, and course location preferences to verify a crew member’s eligibility for the CMSDT
Program and to provide the self-defense training. Upon completion of self-paced instruction, an
eligible crew member can attend a one-day, hands-on training session in self-defense techniques
applicable to the aircraft environment. In order to maintain proficiency, eligible crew members
may repeat the training as many times as they would like. These one-day courses are conducted
at select community colleges located throughout the United States, under a Cooperative
Agreement with the AACC.

1

http://www.tsa.gov/stakeholders/crew-member-self-defense-training-program-0

Privacy Impact Assessment Update
Transportation Security Administration
Crew Member Self Defense Training Program
Page 3

Reason for the PIA Update
TSA is updating the CMSDT Program PIA to reflect that it now permits crew members
to register electronically using the CMSDT Module, which is a subsystem of the TSA Federal
Flight Deck Officer (FFDO) Information Dashboard and Distribution System (FIDDS). FIDDS
is a secure web-based information/collaboration system that provides messaging and dashboard
capabilities for the FFDO Program. 2 TSA leverages FIDDS to replace the process of obtaining
CMSDT Program training and enrollment data via Internet links on the TSA.gov web site. The
CMSDT Module within FIDDS provides a web-based interface that allows TSA CMSDT
Program Administrators to verify crew members’ employment and determine eligibility to
participate in the CMSDT Program. It also alleviates the need for third-party contractors to
provide employment verification services on behalf of TSA. Once TSA verifies the crew
member’s position and employment status with his or her respective airline, TSA sends a
confirmation email to the AACC Site Coordinator containing links to the CMSDT Module and
authorizes the crew member’s participation in the requested class. The CMSDT Module allows
AACC Site Coordinators to complete online crew member registration, schedule classes, and
assign specific AACC training locations and times.
Once the AACC Site Coordinators have completed the online crew member registration,
the CMSDT Module allows crew members to receive necessary instructional materials; confirm
and record their attendance at a training class; submit voluntary feedback regarding the quality of
the instruction, instructors, and facilities used to deliver the training; receive information about
recurring and/or advanced self-defense training opportunities; and check training schedules,
course dates, and view AACC training locations.
TSA is also updating the CMSDT Program PIA to reflect that it is conducting personnel
security suitability checks on AACC Site Coordinators. Because AACC Site Coordinators now
receive access to the CMSDT Module to record scheduled training dates, times, locations, and
note training completion, they must successfully complete a suitability check prior to gaining
access to the CMSDT Module per the DHS Sensitive Systems Policy Directive 4300A and the
DHS Homeland Security Acquisition Regulation (HSAR). 3 The suitability check consists of a
fingerprint-based criminal history records check, a credit check, and local law enforcement
agency checks. AACC Site Coordinators submit fingerprints to TSA and use the Office of
Personnel Management (OPM) web-based e-QIP System to submit a Standard Form 86 (SF-86)4
to complete the suitability check.

2

For more information about the FFDO Program, see DHS/TSA/PIA-013 FFDO Program PIA at
www.dhs.gov/privacy.
3
http://www.dhs.gov/homeland-security-acquisition-regulations#0
4
http://www.opm.gov/investigations/e-qip-application/completingsf86.pdf

Privacy Impact Assessment Update
Transportation Security Administration
Crew Member Self Defense Training Program
Page 4

Privacy Impact Analysis
The System and the Information Collected and Stored within the System
Previously, no interface existed between the CMSDT Program and the FIDDS System.
TSA stored CMSDT Program Administrator and trainee information on individual forms within
data files. The CMSDT Program now interfaces with the FIDDS System via the CMSDT
Module and stores information in a centralized database. Although the data maintained by the
CMSDT Program (previously detailed in the February 6, 2008 PIA 5) has not changed, TSA will
now collect fingerprints and the SF-86 from AACC Site Coordinators in order to verify
suitability for access to the CMSDT Module. This process provides CMSDT Program
Administrators direct access to CMSDT Program data through the CMSDT Module. The SF-86
collects biographic and biometric information including, but not limited to, the following:

5

•

Full Name and other names used;

•

SSN (voluntary);

•

Current and Previous Residences;

•

Date of Birth;

•

Place of Birth;

•

Citizenship information;

•

Gender;

•

Weight;

•

Height;

•

Eye and hair color;

•

Fingerprints;

•

Marital status and date of marriage;

•

Name, date and place of birth, address, and citizenship of spouse, children, and
relatives;

•

Passport information and number;

•

Current and previous employers, applicable dates, and contact information (including
federal or military service);

DHS/TSA/PIA-014 Crew Member Self Defense Training (CMSDT) Program PIA:
http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_tsa_cmsdt.pdf

Privacy Impact Assessment Update
Transportation Security Administration
Crew Member Self Defense Training Program
Page 5

•

Selective Service Registration Number (if applicable);

•

Educational information;

•

Financial record information;

•

Known acquaintances and contact information (including foreign nationals abroad);

•

Criminal history information (if applicable); and

•

Suitability determination, for example, the date and the fact that the security checks
have been completed.

Uses of the System and the Information
With the exception of requesting biographic and biometric information associated with
the suitability checks and allowing AACC Site Coordinators access to the CMSDT Module,
there are no additional changes to the uses of the system and the information obtained.

Retention
There are no changes to the retention schedule for CMSDT Program-related information
with the exception of data pertaining to the suitability check and the SF-86. TSA retains this
information in accordance with National Archives Records Administration (NARA) General
Record Schedule NC1-GRS-80-1 item 23a. TSA will destroy the information no later than 5
years after the individual ceases to participate in the program.

Internal Sharing and Disclosure
FIDDS System IT Administrators now have access to information contained in the
CMSDT Module. TSA now shares information pertaining to the suitability check and the SF-86
with the Office of Personnel Security for use in the Department of Homeland Security Integrated
Security Management System (ISMS) 6.

External Sharing and Disclosure
TSA now shares SF-86 information with the Office of Personnel Management (OPM)
and fingerprints with the Federal Bureau of Investigations (FBI) as permitted by the Privacy Act
6

http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_dhs_psams_isms.pdf and
http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_psams.pdf

Privacy Impact Assessment Update
Transportation Security Administration
Crew Member Self Defense Training Program
Page 6

and in accordance with the routine uses identified in the DHS/ALL-023 DHS Personnel Security
Management System of Records Notice (SORN), February 23, 2010, 75 FR 8088-8092.
In addition to the entities listed in Section 5.1 of the February 6, 2008 CMSDT
Program PIA, TSA may share individual information with others as permitted by the Privacy Act
and in accordance with the routine uses identified in the applicable SORN, including the
DHS/ALL-004 General Information Technology Access Account Records System (GITAARS)
SORN, November 27, 2012, 77 FR 70792-70795.

Notice
In addition to the notice provided in Section 6.1 of the February 6, 2008 CMSDT
Program PIA, the AACC Site Coordinators receive notice on OPM Standard Forms associated
with the suitability vetting process via web links contained in the CMSDT Module.

Individual Access, Redress, and Correction
DHS/ALL/PIA-001 Personnel Security Activities Management System PIA dated
September 12, 2007, 7 addresses the individual access, redress, and correction parameters
associated with the suitability check and submission of the SF-86.

Technical Access and Security
Previously, the CMSDT Program did not operate and maintain a consolidated, automated
system for processing and storing Personally Identifiable Information (PII). The CMSDT
Module provides single sign-on authentication and authorization capabilities to users and
CMSDT Program Administrators that establish strict access controls for CMSDT Program data.
Although an interface exists between the CMSDT Module and the FIDDS System, the
security features of the FIDDS System prevents CMSDT Program users from accessing data
maintained on FFDO Program participants, and vice versa. Additional access and security
parameters are defined below:
• AACC Site Coordinators (one or more at each training site): Site Coordinators
are employed by AACC member institutions. They view and modify training class
schedule and training location information details; submit class cancellation requests;
modify instructor user information; modify site inventory lists; submit site inventory
reports; send bulk email to students registered for a particular class; close-out a particular

7

http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_psams.pdf

Privacy Impact Assessment Update
Transportation Security Administration
Crew Member Self Defense Training Program
Page 7

class, which includes specifying attendance and adding incident reports; and receive
various automated notifications such as inventory report past due notices, new
registrations, and registration cancellations.
• FIDDS System IT Administrators: FIDDS Administrators are government
employees that manage the FIDDS System and administer approved changes, daily
system reviews, and all required maintenance during the operations and maintenance
phase of the FIDDS System.
• CMSDT Program Administrators: CMSDT Program Administrators are
government employees tasked with managing the CMSDT Program. They view and
modify training class schedule and site details; view a variety of reports on the number of
crew members trained, number of classes offered, and projected cost of the CMSDT
Program; view pending and previous registration suitability reviews and their results;
modify documents; access control lists in the on-line training document library; modify
user profile information; send bulk email to students registered for a particular class;
modify automated notification email templates and other various configuration settings
such as lookup list values; and modify the list of Frequently Asked Questions (FAQs) and
CMSDT Program information available to public.
The role-based access parameters, auditing measures, federal IT security requirements,
and training requirements listed in Section 8.0 of the February 6, 2008 CMSDT Program PIA
remain in effect.

Technology
The FIDDS sub-system allows the CMSDT Program to leverage an existing secure TSA
web-based system in order to automate paper-based processes associated with the registration
process.

Responsible Official
Monte Kleman
Federal Air Marshal Service
Flight Programs Division
Transportation Security Administration
Department of Homeland Security

Privacy Impact Assessment Update
Transportation Security Administration
Crew Member Self Defense Training Program
Page 8

Approval Signature
Original signed copy on file with the DHS Privacy Office

________________________________

Jonathan R. Cantor
Acting Chief Privacy Officer
Department of Homeland Security