An Eye On The Sky … And The Ground: The FAA’s ITS System: A Backgrounder

April 23, 2021

By a Biometrica staffer

Imagine flying an airplane with nothing but a magnetic compass to guide you. Sounds impossible? But that was, in reality, the only navigation tool aviators once had to guide them on flights, making early aviation a risky business. Pilots had to fly 200-500 feet above ground so that they could actually see roads and railways below, the Federal Aviation Administration (FAA) says on the history of aviation. Night landings had to be made by the light of bonfires. Fatal accidents, sadly, were routine. All this was after World War I, by when some technical advancement had already taken place.

Then in 1925, the Air Mail Act allowed the creation of a profitable commercial airline industry, and four major domestic players dominated commercial travel for most of the 20th century: United, American, Eastern, and Transcontinental and Western Air (TWA). But, as air travel increased, so did the need to focus on safety. Some airport operators began providing an early form of air traffic control (ATC) based on visual signals. Early controllers stood on the field and waved flags to communicate with pilots. Industry leaders began to believe that for the airplane to reach its full potential, federal action to maintain safety and standards were necessary. And so, the Air Commerce Act was passed in 1926.

This landmark legislation charged the Secretary of Commerce with fostering air commerce, issuing and enforcing air traffic rules, licensing pilots, certifying aircraft, establishing airways, and operating and maintaining aids to air navigation. Several other pieces of legislation were passed over the years, including the likes of the Civil Aeronautics Act of 1938, the Federal Aviation Act, and the Airport and Airway Development Act. For more on the history of the FAA and aviation safety, click here.

“Between 2001 and 2007, aviation witnessed one of its safest periods for scheduled air carriers,” the FAA says on its website, adding that there were only 11 fatal accidents in total across those years, not counting one major event from that period, of course (more on that in the next para). Fatal accidents became rare events with only .01 accidents per 100,000 flight hours or .018 accidents per 100,000 departures, the FAA added.

An event from the 21st century, though, that had a deep impact on aviation safety came in 2001. In the immediate aftermath of the 9/11 attack, for the first time in U.S. aviation history, the FAA put a ground stop on all traffic. “In the overnight hours of September 11, members of FAA’s Flight Standards Service developed an initial lead identifying the names of potential hijackers and provided those names to the FBI. The tragic events of this day radically changed the FAA,” it says on its website.

On November 19, 2001, the president signed the Aviation and Transportation Security Act, which among other provisions, established a new agency responsible for aviation security – the Transportation Security Administration (TSA), within the Department of Transportation (DOT). FAA remained responsible for aviation security until Feb. 13, 2002, when TSA took over those responsibilities. But, the FAA is still responsible for certain aspects of aviation safety within the DOT. Here’s an overview of those, and the Privacy Impact Assessment (PIA), Investigative Tracking System (ITS).

Overview Of The System

Aviation safety does not necessarily only mean preventing accidents in the sky. Neither does it only mean dealing with hijacking and terrorism. It also includes conducting background checks of those involved in the industry, to prevent any internal risks.

Coming back to the FAA, within the DOT, it has the following responsibilities:

• Regulating civil aviation to promote safety;
• Encouraging and developing civil aeronautics, including new aviation technology;
• Developing and operating a system of air traffic control and navigation for both civil and military aircraft;
• Developing and carrying out programs to control aircraft noise and other environmental effects of civil aviation; and
• Regulating U.S. commercial space transportation

And one of the programs that it uses to fulfil those duties, is the ITS. The ITS records, tracks, and reports on investigations pertaining to security background checks and clearances on employees, contractors and other individuals with access to FAA facilities, systems or information, as well as internal administrative investigations relative to inappropriate conduct and associated disciplinary actions and tort claims against FAA. also supports the FAA’s mandate to investigate the actual or probable violation by pilots, aircraft owners, or aircraft mechanics of civil and criminal laws regulating controlled substances. Within FAA, the Office of the Assistant Administrator for Security and Hazardous Materials has the lead responsibility for managing ITS and all related investigatory activities.

The ITS system contains Personally Identifiable Information (PII) pertaining to the following categories of individuals, consisting of current or former employees and contractors (many of whom work in safety sensitive positions), other individuals with access to FAA facilities, systems or information, individuals involved in tort claims against FAA, and members of the public who are subjects of investigations regarding the actual or probable violation of civil and criminal laws regulating controlled substances:

• current and former applicants for FAA employment;
• current and former FAA employees;
• individuals considered for access to classified information or restricted areas and/or security determinations such as current and former contractors, employees of contractors, experts, instructors, and consultants to federal programs;
• aircraft owners;
• flight instructors;
• airport operators;
• pilots, mechanics, designated FAA representatives;
• other individuals certificated by FAA;
• individuals involved in tort claims against the FAA;
• employees, grantees, sub-grantees, contractors, subcontractors, and applicants for FAA-funded programs; and
• other individuals who are of interest to the FAA, law enforcement, or other  agencies investigating personnel or safety-related complaints.

What Kind Of PII Data Does The FAA Enter Into ITS?

PII is collected and entered into ITS in two major ways: by manual data entry and by automated agency downloads. Manually-entered PII consists of the following information which is collected from the individuals through the Office of Personnel Management (OPM) e-QIP (Electronic Questionnaire for Investigations Processing), the Standard Form 85p Questionnaire for Public Trust Positions or the DOT Form 1681 Identification Card/Credential Application when they apply for jobs at FAA or request a FAA identification badge:

• name,
• date of birth,
• place of birth,
• social security number (SSN),
• employment status,
• organizational and employment affiliations,
• foreign national status,
• results of background checks,
• home mailing address, and home and work phone number(s).

Downloaded PII consists of  results of investigations and inquiries conducted by the FAA Office of the Assistant Administrator for Security and Hazardous Materials and the FAA Security and Hazardous Materials Divisions in regional offices and designated FAA centers; information received in various formats as the result of investigations conducted by  Federal, State, local, and foreign investigative or law enforcement  agencies, which relate to the mission and function of the Assistant  Administrator for Security and Hazardous Materials and field offices; and information received in various formats as the result of investigations conducted by authorized personnel of the FAA, other Federal agencies, and State and local drug enforcement agencies regarding the actual or probable violation by pilots, aircraft owners, or aircraft mechanics of civil and criminal laws regulating controlled substances.

Downloaded PII is received via regular downloads from the following internal and external Federal agency databases, as necessary to directly support FAA’s personnel and other security investigative efforts:

• Federal Personnel and Payroll System (FPPS) maintained by the Department of Interior (DOI) and accessed via DOT’s FPPS Web Printing system;
• Personnel Investigations Processing System maintained by Office of Personnel Management (PIPS/OPM);
• FAA Medical Certification System, called MedXPress, maintained by  FAA Civil Aerospace Medical Institute (CAMI);
• National Driver Registry (NDR) maintained by DOT’s National Highway Traffic Safety Administration (NHTSA);
• FAA Aviation Safety – Flight Standards Service  Airmen and Aircraft Registry database ; and 
• Identification Management System (IDMS) maintained by FAA ASH internally (expected in future).

Why does the ITS need this information? To facilitate the FAA’s security programs and its mission to promote civil aviation safety, the website says. The PII within ITS is used to maintain the categories of records listed above, as well as for uses associated with the following programs: Access to Classified Information, and the National Industrial Security Program.

For more on another example of how PII is typically used in background screenings and monitoring, you can also take a look at Biometrica’s FAQ page, under the question: Could you elaborate on the continuous monitoring aspect?

How Does The ITS Use Information, And Keep It Secure?

The ITS is a web-based application system and an on-line repository of sensitive, unclassified information that can be accessed only by authorized FAA users in ASH (personnel security specialists, internal investigators, system administrators) and AHR (human resource specialists). The information is used to do the following, the website says:

• Monitor the status of a wide range of FAA personnel security investigations, including current employees as well as applicants, contract employees, and any other individuals with access to FAA facilities, systems, or information.
• Track internal investigations involving the following types of allegations: alleged employee misconduct, alleged criminal activity by airmen and other FAA certificate holders, unapproved aircraft parts, counterfeit certificates, falsification of official documents, security violations, property theft, and other investigative services as requested by other FAA organizational elements.
• Check the records of airmen (commercial and private pilots) contained in the FAA Airmen and Aircraft Registry database against a “Driving Under the Influence (DUI)/Driving While Intoxicated (DWI)” module within ITS. This module is designed to assist the FAA in matching airmen who have recently completed their medical exams to the National Driver Register’s (NDR) list of individuals who have a DUI or DWI conviction or administrative action.
• Track the assignment of correspondence through a “control assignments” module in ITS. This module assists FAA in tracking and responding to complaints received about individuals through the FAA Administrator Hotline (1-866-835-5322), FAA Safety hotline (1-866-835-5322), or from the DOT Office of the Inspector General; or through Freedom of Information Act (FOIA) and Privacy Act requests from individuals interested in and/or subject to investigations; or through other controlled correspondence related to those individuals.
• Track support provided to law enforcement agencies regarding certificated airmen or aircraft via a “Law Enforcement (LE) support” module in ITS. This module assists FAA with monitoring and documenting the sharing of pertinent investigatory information with those authorized individuals at the Federal, State, tribal, local and foreign levels. In addition, ITS is used to grant and monitor access to Classified and National Security Information for authorized individuals.

Of course, with information comes accountability. The ITS also has a number of security measures and safeguards in place to protect the PII that it stores. According to the DOT website, those include:

• The ITS records are stored in approved security file cabinets and containers, in file folders, on lists and forms, and in computer storage media.
• Access to and use of these records is limited to those persons whose official duties require such access and use.
• Computer processing of information is conducted according to established FAA computer security regulations.
• A risk assessment of the FAA computer facility that has physical controls used to process this system of records has been performed and any weaknesses resolved .
• All users have signed a system “rules of behavior” document.   

Paper records generated by ITS are retained in accordance with the current version of FAA Order 1350.15, Records Organization, Transfer and Destruction Standards, which provides a retention period of approximately 5 years. Click here to know more. The ITS is a system of records subject to the Privacy Act and uses information only in accordance with the Privacy Act System of Records Notices:  DOT/FAA 815, Investigative Record System, the website says.

Over the last two decades, aviation deaths have been falling dramatically, a Reuters article said citing the Aviation Safety Network (ASN). America has not had a fatal U.S. passenger airline crash since February 2009, the article added. The total number of crashes globally also declined over 50% in 2020, with a sharp decline in flights due to the covid-19 pandemic, the same article said, citing a Dutch consulting firm.

Still, a reminder from recent times of how important every step of the process is in an industry like aviation is the story of MH 370, the Malaysian Airlines flight that vanished in 2014. One of the theories put forth was that the pilot in command, Zaharie Ahmad Shah, ran amok and possibly due to his mental state at that time. Even a year after MH370, there was the case of the Germanwings Airbus that was deliberately crashed into the French Alps on March 24, 2015. The co-pilot, Andreas Lubitz, had waited for the pilot to use the bathroom and then locked him out. Lubitz had a record of depression.