Home Office seeks to improve data on airport ‘insider threats’
Improvements to pass system will attempt to address ‘potential security vulnerability’
The Home Office aims to make improvements to the database of people granted access to security-restricted areas in airports. The aim of the work is to address to dangers posed by “insider threats”.
The Access Pass Holder Information Distribution System is a central national database of everyone who has been granted access to the airside area at each of the UK’s major airports – of which there are about 50.
The aim of the platform, which the Home Office describes as “a key critical component of the overall Homeland Security portfolio,” is to allow the “security service, the National Crime Agency, and police to have an accurate, up-to-date picture of who has access to security-restricted areas”.
Over the coming weeks and months, authorities aim to make “enhancements” to APHIDS intended to address two major issues.
The first of these is the dangers posed by the possibility of an “insider threat”.
“The lack of consolidated airside pass data and access presents a potential security vulnerability for exploitation by a constantly evolving insider threat,” the department said in a recently published contract notice. “It means HM Government and law-enforcement agencies cannot uniquely identify all staff with airside access at UK airports and then identify potential threats.”
The second issue intended to be addressed via upgrades to APHIDS is proposed European legislative changes that would require all employees issued with an airport or airline crew identification card to undergo a “government enhanced background check and continuous vetting”.
“There are a number of additional roles – such as instructors – that also require these checks,” the department said. “Yet, Home Office have no consolidated way of identifying who holds these passes and roles to enable this continuous vetting.”
To enable the enhancements needed to address these problems, the Home Office is seeking to appoint a supplier partner to “provide ongoing second- and third-line support for the APHIDS solution, in order to maintain a sustained service”.
The chosen provider will work with civil servants form a range of Home Office units, as well as officials from the Department for Transport, Civil Aviation Authority, the national police ACRO Criminal Records Office, and representatives from third-party data providers.
“The APHIDS support service will need to be scalable and provide capacity for expansion, supporting up to 1,000 unique users with the capacity to enable up to 58 concurrent data uploads from data providers with no noticeable performance degradation,” the contract notice said. “The supplier is required to on-board to the authorities’ IT service management tooling and work within the defined ITIL processes to provide the required support service and manage incidents, have processes in place for secure development, continuous integration [and] deployment and DevSecOps, software maintenance, configuration and change management, incident and problem management, data sanitisation and continuous improvement.
It added: “The supplier will be responsible for ensuring business as usual is maintained for the APHIDS service. For example: defects; uplift of third-party software versions; [and] essential uplifts required due to modernisations to dependencies.”
The chosen supplier will be appointed to an initial one-year contract, due to come into effect on 1 April – after the completion of an eight-week “mobilisation period”. A one-year extension will be available to the Home Office upon conclusion of the initial 12-month term.
Work will largely take place across the two main locations of the department’s Homeland Security Group: in Croydon; and its headquarters in central London. All supplier staff will require security clearance.
Bids for the project closed on 3 January and, in the coming weeks, the department intends to evaluate proposals from up to four potential suppliers.
Department spared £10m fine despite ‘serious breach of the law’
Personal details of civil servant and supplier exposed by inadequately redacted document, discovered by PublicTechnology
Move to introduce code of practice for the likes of facial recognition and fingerprints is believed to be a world first
Regulator says that, while the original £500k penalty was proportionate, the reduced punishment signals changing approach to public sector