This bill, known as the Aviation Risk Mitigation and Security Act or ARMS Act, mandates the Transportation Security Administration (TSA) to significantly enhance aviation security through comprehensive covert testing. Within 180 days of enactment, the TSA must establish a system for conducting risk-informed, headquarters-based covert testing scenarios to identify vulnerabilities in passenger and baggage screening operations, ensuring statistically valid data. Additionally, it requires a long-term covert testing program using static, risk-informed threat vectors based on annual risk assessments to evaluate security effectiveness annually. The TSA must conduct at least three covert testing scenarios to identify systemic vulnerabilities, ensuring all Category X airports are included at least once per fiscal year. Following the identification of any vulnerability, the Administrator must establish a process for mitigation, including a root cause analysis within 90 days and a determination to mitigate within 150 days, prioritizing risk reduction. If mitigation proceeds, key milestones and an implementation date must be set, followed by retesting within 180 days to assess the effectiveness of the implemented measures. The bill also mandates annual reporting to Congress by November 30, detailing test results, identified vulnerabilities, mitigation statuses, and retesting outcomes. Furthermore, the TSA is required to publish an annual summary of aggregate performance data from covert testing at Category X airports on its public website, including total tests and pass/fail rates, without compromising sensitive security information. Finally, the Comptroller General will conduct a review within three years to assess the effectiveness of the TSA's covert testing processes.