
> We did not want to contact FlyCASS first as it appeared to be operated only by one person...

It seems pretty remarkable that airlines are buying such a security sensitive piece of software from a one person shop. If you make it very far into selling any piece of SaaS software to most companies in corporate America, at the absolute minimum they're going to ask you for your SOC2 audit report.

SOC2 is pretty damn easy to get through with minimal findings as far as audits go, but there are definitely several criteria that would generate some red flags in your report if the company is operated by a single person. And I would have assumed that if you're writing software that integrates with TSA access systems, the requirements would be a whole lot more rigorous than SOC2.



The "airlines" that are using something like FlyCASS are themselves smaller operations and typically running on razor thin margins (if not just unprofitable and wishfully thinking that money will suddenly appear and make their business viable). Literally everything on their backend is held together with more duct tape than the average small business.

You could be an "airline" by purchasing a couple of older airliners and converting them to cargo use. Is it valuable for new airlines to get started? Should we force them out of business because they don't already have the systems in place that take years to decades to build out? Should they pay $$$ for boutique systems designed for a large passenger airline when they have 2 aircraft flying 1 route between nowhere and nowhere?

Requirements and audits really aren't the answer here. The fundamental design problem is that the TSA has used authentication "airline XXX says you're an employee" with a very large blanket authorization "you're allowed to bypass all security checks at any airport nationwide" without even the basic step of "does your airline even operate here?"
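To make the design point in the comment above concrete, here is a small added model of the two policies it contrasts: a blanket rule where any participating airline's "this is our active employee" answer grants bypass at every airport, and a scoped rule that also checks whether the asserting airline operates at the airport where the request is made. This is constructed illustration code written for this page, not KCM, TSA or FlyCASS logic; the airline codes, airports and employee records are made up.

```python
"""Constructed model of the authorization gap described above.

Assumptions (not from the original post): airline codes ACME/BIGAIR,
airport codes XYZ/ABC/DEF and the employee records are all invented.
"""
from dataclasses import dataclass

# Constructed sample data: each airline's own roster of employees.
EMPLOYEES = {
    ("ACME", "E100"): "active",
    ("ACME", "E200"): "terminated",
    ("BIGAIR", "E300"): "active",
}

# Constructed sample data: the airports each airline actually operates at.
AIRLINE_OPERATES_AT = {
    "ACME": {"XYZ"},                  # small two-aircraft operator, one route
    "BIGAIR": {"XYZ", "ABC", "DEF"},  # larger passenger carrier
}


@dataclass(frozen=True)
class Request:
    airline: str       # airline asserting the crew member's status
    employee_id: str   # identifier the airline uses for that person
    airport: str       # airport where the bypass is being requested


def airline_says_employee_is_active(airline: str, employee_id: str) -> bool:
    """Authentication step: the airline's system answers
    'is this person currently our employee?' and nothing more."""
    return EMPLOYEES.get((airline, employee_id)) == "active"


def authorize_blanket(req: Request) -> bool:
    """Weak policy: a single 'yes' from any participating airline is
    treated as authorization to bypass screening at any airport."""
    return airline_says_employee_is_active(req.airline, req.employee_id)


def authorize_scoped(req: Request) -> bool:
    """Hardened policy: the same authentication answer, plus the basic
    authorization check that the asserting airline operates here."""
    if not airline_says_employee_is_active(req.airline, req.employee_id):
        return False
    return req.airport in AIRLINE_OPERATES_AT.get(req.airline, set())


def compare_policies(requests):
    """Evaluate both policies over a batch of requests; returns
    {request: (blanket_decision, scoped_decision)} so the difference
    in blast radius of a single airline's 'yes' is visible."""
    return {r: (authorize_blanket(r), authorize_scoped(r)) for r in requests}


if __name__ == "__main__":
    sample = [
        Request("ACME", "E100", "XYZ"),   # active ACME crew at ACME's own airport
        Request("ACME", "E100", "ABC"),   # same crew at an airport ACME never serves
        Request("ACME", "E200", "XYZ"),   # terminated employee
        Request("BIGAIR", "E300", "DEF"), # active BIGAIR crew where BIGAIR flies
        Request("NOPE", "E999", "XYZ"),   # airline not in the system at all
    ]
    for req, (blanket, scoped) in compare_policies(sample).items():
        print(f"{req.airline}/{req.employee_id} @ {req.airport}: "
              f"blanket={blanket} scoped={scoped}")
```

The only request on which the two policies disagree is the active employee of the one-route airline asking for bypass at an airport that airline does not serve: the blanket policy says yes because authentication succeeded, the scoped policy says no because authorization was never granted there. Everything an attacker can do by compromising one small airline's roster system is bounded by that second check.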


I'm curious why a small cargo airline would even need to use the KCM system. If they don't fly passengers, then wouldn't their crew access the aircraft from the cargo ramp (with a SIDA badge) and never need to enter the passenger terminal/sterile area?


Get lucky and get an interline agreement with a larger pax-facing carrier? Sure, no one is going to ride on your little cargo planes, but your crew gets to fly on someone else's metal.


They also may need to transit crews to different airports, sometimes on commercial flights.


I mean, yes, in this particular situation it seems like there are many layers of screw-ups from several different organizations.

Though given that airlines are responsible for the safety of their crew, passengers, and anyone in the vicinity of their aircraft, requiring them to do some basic vetting of their chosen vendors related to safety and security doesn’t seem unreasonable.



