TSA Guidance Package: Biometrics for Access Control (.pdf)

Version Release: October 2005







GUIDANCE PACKAGE

Biometrics for Airport Access Control

Response to Section 4011(a)(5)



30 September 2005

This guidance document includes basic criteria and standards that TSA
believes biometric products should meet in order to meet the technical
requirements of acceptable performance for airport access control
systems. These criteria and standards are based on TSA's technical
expertise, in consultation with the National Institute of Standards and
Technology and representatives of the aviation industry and the
biometric identifier industry. TSA will use these criteria and
standards to evaluate biometric sub-systems for inclusion on the
Qualified Products List (QPL). Generally, a biometric product that
does not satisfy these criteria and standards will not be placed on the
Qualified Products List. However, in some cases a device that does not
meet all the criteria and standards may be approved for placement on
the list if TSA believes its performance will be comparable to devices
that meet the criteria and standards. In other cases, it is possible
that a device that meets all the standards and criteria may exhibit
features that TSA believes make it ineligible for placement on the QPL.

EXECUTIVE SUMMARY

BIOMETRICS FOR AIRPORT ACCESS CONTROL
GUIDANCE PACKAGE


Overview

This guidance package addresses biometrics for airport access control. Access control
addresses the examination of one or more of three factors regarding an individual's
identity: something they know, something they have, or something they are. Biometrics
is the field of technology devoted to identifying individuals using biological traits, or
"something they are." It uses automated methods of recognizing a person based on one
or more physiological or behavioral characteristics.

On December 17, 2004, President Bush signed into law the Intelligence Reform and
Terrorism Prevention Act of 2004. The legislative language of this act in Title IV
(Transportation Security), Section 4011 (Provision for the Use of Biometric or Other
Technology), directs TSA to issue, not later than March 31, 2005, guidance for use of
biometric technology in airport access control systems. TSA encourages airport
operators to use this guidance document to improve upon their existing access control
systems by incorporating biometric technologies. Such improvements are not required.

Regulations governing airport security: These are found in Title 49, Code of Federal
Regulations (CFR), Chapter XII, in particular Part 1542: Airport Security. Part 1542
requires airport operators to adopt and carry out a security program approved by TSA and
requires that an airport operator must, in its security program:
- Establish a secured area: Air Operations Area (AOA) and/or Security
  Identification Display Area (SIDA);
- Control entry into the secure area via access control systems; and
- Perform the access control functions required and procedures to control
  movement within the secured area, including identification media.

A majority of airports in the U.S. fall under the Part 1542 regulations and thus have some
type of access control system for their secured areas. Currently, very few of these
airports have access control systems with biometrics, some of which were implemented
through TSA pilot programs at a limited number of access points.

Section 4011(a)(5) of the Intelligence Reform and Terrorism Prevention Act (the Intel
Bill) directs the Assistant Secretary of Homeland Security (TSA), in consultation with
representatives of the aviation industry, biometric identifier industry, and the National
Institute of Standards and Technology (NIST), to issue guidance to establish, at a
minimum:
(A) comprehensive technical and operational system requirements and
performance standards for the use of biometric identifier technology in airport
access control systems (including airport perimeter access control systems) to
ensure that the biometric identifier systems are effective, reliable, and secure;
(B) a list of products and vendors that meet the requirements and standards set
forth in subparagraph (A);
(C) procedures for implementing biometric identifier systems to ensure that
individuals do not use an assumed identity to enroll in a biometric identifier
system and to resolve failures to enroll, false matches, and false non-matches; and
(D) best practices for incorporating biometric identifier technology into airport
access control systems in the most effective manner, including a process to best
utilize existing airport access control systems, facilities, and equipment and
existing data networks connecting airports.

The TSA guidance is primarily directed to two groups: (1) airport operators, who own
and operate the access control systems at their airports; and (2) manufacturers of
biometric devices, who need to submit their devices for qualification (including
performance testing) in order to be potentially placed on a TSA biometric Qualified
Products List (QPL). A major component of the TSA guidance is to provide criteria that
a manufacturer of biometrics devices will be expected to meet in order to have itself and
its device(s) included on the QPL. Manufacturers will find this TSA guidance crucial to
understanding the technical and operational requirements that their biometric devices
should meet and the standards to which they should conform. (Note that as used in this
document, the term "airport operators" may also include other
organizations/subcontractors designated and approved to perform access control
administrative functions.)

Airport operators who choose to incorporate biometrics are encouraged to use this
guidance to procure and integrate the biometric component into their legacy (i.e.,
existing) access control systems and to update their airport security programs. The end
users of biometric access control systems are airport, air carrier and airport tenant
employees, who access secure areas of airports.

TSA has generated the following Guidance Package to comply with Section 4011(a)(5)
of the Intel Bill. The package is comprised of three major documents, referred to as
Volumes, each with Chapters that address key aspects of the guidance:

VOLUME 1 - REQUIREMENTS DOCUMENT
Chapter I - Technical Requirements
Chapter II - Operational Requirements
Chapter III - Standards


VOLUME 2 - IMPLEMENTATION GUIDANCE DOCUMENT
Chapter I - Identity Authentication
Chapter II - Resolving Failures
Chapter III - Best Practices for Implementation with Legacy Systems

VOLUME 3 - PLAN FOR BIOMETRIC QUALIFIED PRODUCTS LIST (QPL)
Chapter I - Management Plan
Chapter II - Test Plan
Chapter III - Business Model
Chapter IV - Schedule for Initial Qualified Products List (QPL)

These documents delineate what TSA requires to place products on the QPL, as well as
other guidance. Each of these guidance documents is briefly described below.

Volume 1 - Requirements Document

The Requirements Document addresses paragraph (A) of Section 4011 of the
legislation, to establish comprehensive technical and operational system requirements
and performance standards. This document is focused on the requirements [1] for the
biometric sub-system portion of the airport access control function, not on the
qualification process for these biometric products.

The Technical Requirements chapter contains the technical specification that
establishes the total metrics that a manufacturer's device must meet in order to qualify
through independently conducted, scenario-based performance tests and other forms of
evaluation. Technical Requirements contain quantitative qualification requirements
including biometric matching error rates, failure to enroll (FTE) rates, and transaction
times; reliability/availability requirements; and power/physical requirements.

The Operational Requirements chapter addresses the biometric sub-system from the
perspective of the operations of the existing access control systems. This includes
guidance on compatibility with existing credentials, new secondary/backup procedures
for resolving FTE and False Reject Rate (FRR), biometric sub-system administrative
burden, user enrollment requirements (e.g., protocol regarding effort level and duration),
threshold adjustments, and revocation of access privileges (biometrics do not interfere
with access control capability).

The Standards chapter identifies and summarizes guidance regarding standards from the
following organizations: NIST (National Institute of Standards and Technology), ANSI
(American National Standards Institute), INCITS (International Committee for
Information Technology Standards), and RTCA (formerly the Radio Technical
Commission for Aeronautics). It addresses biometrics standards conformance issues
and establishes a timetable for conformance. This information is aimed at the biometric
manu