Aircraft Repair Station Security, 59874-59890 [E9-27624]

Download as PDF 59874 Federal Register / Vol. 74, No. 221 / Wednesday, November 18, 2009 / Proposed Rules DEPARTMENT OF HOMELAND SECURITY Transportation Security Administration 49 CFR Parts 1520 and 1554 [Docket No. TSA–2004–17131] RIN 1652–AA38 Aircraft Repair Station Security sroberts on DSKD5P82C1PROD with PROPOSALS AGENCY: Transportation Security Administration (TSA), DHS. ACTION: Notice of proposed rulemaking (NPRM). SUMMARY: TSA is proposing to issue regulations to improve the security of domestic and foreign aircraft repair stations as required by the Vision 100– Century of Aviation Reauthorization Act. The proposed regulations establish requirements for repair stations that are certificated by the Federal Aviation Administration (FAA) under 14 CFR part 145 to adopt and implement a standard security program and to comply with security directives issued by TSA. This rule proposes to codify the scope of TSA’s existing inspection program and to require regulated parties to allow TSA and Department of Homeland Security (DHS) officials to enter, inspect, and test property, facilities, and records relevant to repair stations. The proposed regulations also provide procedures for TSA to notify repair stations of any deficiencies in their security programs, and to determine whether a particular repair station presents an immediate risk to security. The proposal includes a process whereby a repair station may seek review of a determination by TSA that the station has not adequately addressed security deficiencies or that the repair station poses an immediate risk to security. DATES: Submit comments by January 19, 2010. ADDRESSES: You may submit comments, identified by Docket No. TSA–2004– 17131, to the Federal Docket Management System (FDMS), a government-wide, electronic docket management system, using any one of the following methods: Electronically: You may submit comments through the Federal eRulemaking portal at http:// www.regulations.gov. Follow the online instructions for submitting comments. Mail, Fax, or In Person: Address, hand-deliver, or fax your written comments to the Docket Management System, U.S. Department of Transportation, 1200 New Jersey Avenue SE., West Building Ground VerDate Nov<24>2008 16:58 Nov 17, 2009 Jkt 220001 Floor, Room W12–140, Washington, DC 20590–0001; Fax: 202–493–2251. The Department of Transportation (DOT), which maintains and processes TSA’s official regulatory dockets, will scan the submission and post it to FDMS. See SUPPLEMENTARY INFORMATION for format and other information about comment submissions. FOR FURTHER INFORMATION CONTACT: Celio Young, Office of Security Operations, TSA–29, Transportation Security Administration, 601 South 12th Street, Arlington, VA 20598–6029; telephone (571) 227–3580; facsimile (571) 227–1905; e-mail celio.young@dhs.gov. SUPPLEMENTARY INFORMATION: Comments Invited TSA invites interested persons to participate in this rulemaking by submitting written comments, data, or views. We also invite comments relating to the economic, environmental, energy, recordkeeping, or federalism impacts that might result from adopting the proposals in this document. See ADDRESSES above for information on where to submit comments. With each comment, please identify the docket number at the beginning of your comments. TSA encourages commenters to provide their names and addresses. The most helpful comments reference a specific portion of the rulemaking, explain the reason for any recommended change, and include supporting data. You may submit comments and material electronically, in person, or by mail as provided under ADDRESSES, but please submit your comments and material by only one means. If you submit comments by mail or delivery, submit them in two copies, in an unbound format, no larger than 8.5 by 11 inches, suitable for copying and electronic filing. If you want TSA to acknowledge receipt of your comments submitted by mail, include with your comments a self-addressed, stamped postcard on which the docket number appears. We will stamp the date on the postcard and mail it to you. TSA will file in the public docket address, as well as items sent to the address or email under FOR FURTHER INFORMATION CONTACT, in the public docket, except for comments containing confidential information and sensitive security information (SSI).1 Should you 1 ‘‘Sensitive Security Information’’ or ‘‘SSI’’ is information obtained or developed in the conduct of security activities, the disclosure of which would constitute an unwarranted invasion of privacy, reveal trade secrets or privileged or confidential information, or be detrimental to the security of PO 00000 Frm 00002 Fmt 4701 Sfmt 4702 wish your personally identifiable information redacted prior to filing in the docket, please so state. TSA will consider all comments that are in the docket on or before the closing date for comments and will consider comments filed late to the extent practicable. The docket is available for public inspection before and after the closing date. Handling of Confidential or Proprietary Information and Sensitive Security Information (SSI) Submitted in Public Comments Do not submit comments that include trade secrets, confidential commercial or financial information, or SSI to the public regulatory docket. Please submit such comments separately from other comments on the rulemaking. Comments containing this type of information should be appropriately marked as containing such information and submitted by mail to the address listed in FOR FURTHER INFORMATION CONTACT section. TSA will not place comments containing SSI in the public docket and will handle them in accordance with applicable safeguards and restrictions on access. TSA will hold documents containing SSI, confidential business information, or trade secrets in a separate file to which the public does not have access, and place a note in the public docket explaining that commenters have submitted such documents. TSA may include a redacted version of the comment in the public docket. If an individual requests to examine or copy information that is not in the public docket, TSA will treat it as any other request under the Freedom of Information Act (FOIA) (5 U.S.C. 552) and the Department of Homeland Security’s (DHS’) FOIA regulation found in 6 CFR part 5. Reviewing Comments in the Docket Please be aware that anyone is able to search the electronic form of all comments received into any of our dockets by the name of the individual submitting the comment (or signing the comments, if submitted on behalf of an association, business, labor union, etc.). You may review the applicable Privacy Act statement published in the Federal Register on April 11, 2000 (65 FR 19477) and modified on January 17, 2008 (73 FR 3316). You may review TSA’s electronic public docket on the Internet at http:// www.regulations.gov. In addition, DOT’s Docket Management Facility provides a physical facility, staff, equipment, and transportation. The protection of SSI is governed by 49 CFR part 1520. E:\FR\FM\18NOP2.SGM 18NOP2 Federal Register / Vol. 74, No. 221 / Wednesday, November 18, 2009 / Proposed Rules assistance to the public. To obtain assistance or to review comments in TSA’s public docket, you may visit this facility between 9 a.m. to 5 p.m., Monday through Friday, excluding legal holidays, or call (202) 366–9826. This docket operations facility is located in the West Building Ground Floor, Room W12–140 at 1200 New Jersey Avenue, SE., Washington, DC 20590. Availability of Rulemaking Document You may obtain an electronic copy using the Internet by (1) Searching the Federal Docket Management System (FDMS) Web page at http://www.regulations.gov; (2) Accessing the Government Printing Office’s Web page at http:// www.gpoaccess.gov/fr/index.html; or (3) Visiting TSA’s Security Regulations Web page at http:// www.tsa.gov and accessing the link for ‘‘Research Center’’ at the top of the page. In addition, copies of the rulemaking document are available by writing or calling the individual in the FOR FURTHER INFORMATION CONTACT section. Make sure to identify the docket number of this rulemaking. Outline of the Notice of Proposed Rulemaking I. Background A. Introduction B. Statutory Requirements C. Summary of Proposed Rule D. FAA Safety Regulations E. Public Listening Session and Comments F. Repair Station Site Visits II. Summary of the Proposed Rule A. Repair Station Standard Security Program B. Repair Station Profile C. Security Inspections D. Immediate Risk to Security III. Section-by-Section Analysis IV. Rulemaking Analyses and Notices A. Paperwork Reduction Act B. International Compatibility C. Regulatory Impact Analyses 1. Regulatory Evaluation Summary 2. Executive Order 12866 Assessment 3. Initial Regulatory Flexibility Analysis (IRFA) 4. International Trade Impact Assessment 5. Unfunded Mandates Reform Act Assessment D. Executive Order 13132, Federalism E. Environmental Analysis F. Energy Impact Analysis TSA is proposing to issue regulations to provide for the security of maintenance and repair work conducted on aircraft and aircraft components at domestic and foreign repair stations, of the aircraft and aircraft components located at these repair stations, and of the repair station facilities as required by Vision 100—Century of Aviation Reauthorization Act, codified at 49 U.S.C. 44924 (Vision 100). For purposes of this rulemaking, ‘‘repair stations’’ are those facilities certificated by the FAA to perform maintenance, repair, overhaul, or alterations on U.S. aircraft or aircraft components, including engines, hydraulics, avionics, safety equipment, airframes, and interiors. According to the FAA, there are 4,227 domestic repair stations located in the United States and 694 foreign repair stations located outside the United States that have an FAA certificate under part 145 of the FAA’s rules.2 In addition, for purposes of this rulemaking, the term ‘‘component’’ includes any article, airframe, aircraft engine, propeller, appliance, or part that is under repair. The term is used broadly to encompass both articles and appliances as defined by the FAA.3 Aircraft repair stations vary widely in size, type of repair work performed, number of employees, and proximity to an airport. The FAA issues ratings to certificated repair stations for the work that can be performed at the repair station.4 These include airframe ratings, power plant ratings, propeller ratings, radio ratings, instrument ratings, and accessory ratings. Within each rating there are different classes for particular aircraft and equipment. The FAA also issues limited ratings for certificated repair stations that only work on a particular type of airframe or equipment or performs only specialized maintenance operations.5 The FAA certificates repair stations with few employees located in industrial parks and in residences that may work on small components, such as aircraft radios or seat cushions, as well as repair stations with many employees that perform major aircraft overhauls located in close proximity to an airport runway.6 Because repair station sroberts on DSKD5P82C1PROD with PROPOSALS I. Background A. Introduction Civil aviation remains a target of terrorist activity worldwide. Terrorists continue to seek opportunities to destroy public confidence in the safety and security of travel, deny the ability of the public to move and travel freely, and damage international economic security. VerDate Nov<24>2008 16:58 Nov 17, 2009 Jkt 220001 2 FAA Fact Sheet, ‘‘FAA Oversight of Repair Stations,’’ March 29, 2007. See ‘‘FAA Certificated Repair Stations Directory,’’ Advisory Circular (AC) 140–7R, for a list of FAA certificated repair stations. 3 See 14 CFR 1.1 and 145.3(b). 4 14 CFR 145.59. 5 14 CFR 145.61. 6 Approximately 2,803 domestic repair stations have fifteen or fewer employees and 1,407 have five or fewer employees. Approximately 3,000 certificated domestic repair stations are not located on an airport. PO 00000 Frm 00003 Fmt 4701 Sfmt 4702 59875 characteristics vary widely, TSA believes that existing security measures, as well as the corresponding security threat, also vary widely. Repair stations are closely regulated and monitored by the FAA and both the FAA and the air carriers inspect work done at repair stations. FAA performance standards for foreign and domestic repair stations are the same. While the FAA has implemented extensive safety requirements for both foreign and domestic repair stations, supplementing those requirements with specific security measures for both foreign and domestic repair stations would further reduce the likelihood that terrorists would be able to gain access to aircraft under repair at a repair station. As terrorist organizations continue to seek new and creative means of using aircraft to undermine the security and safety of the traveling public, the importance of requiring all aircraft repair stations to have measures in place to prevent persons from commandeering, tampering, or sabotaging aircraft has increased as well. Enhancement of repair station security will mitigate the potential threat that an aircraft could be used as a weapon or that an aircraft could be destroyed. This rulemaking sets forth proposed regulations to require all FAA certificated repair stations to adopt and carry out a standard security program. The proposed regulations list performance standards for security measures that would be included in the standard security program. The proposed regulations also would require repair stations to carry out Security Directives issued by TSA in the event of a specific threat. In addition, the proposed regulations codify the scope of TSA’s authority to conduct inspections of both domestic and foreign repair stations. The proposed regulations also provide procedures for TSA to notify repair stations of deficiencies in their security program and to determine whether a particular repair station represents an immediate risk to security. Finally, the proposal contains a process whereby a repair station may seek review of a determination by TSA that security deficiencies have not been addressed or that the repair station poses an immediate risk to security. B. Statutory Requirements Vision 100 requires DHS to promulgate security regulations for domestic and foreign aircraft repair E:\FR\FM\18NOP2.SGM 18NOP2 59876 Federal Register / Vol. 74, No. 221 / Wednesday, November 18, 2009 / Proposed Rules stations.7 The statute includes the following additional requirements regarding security audits of foreign repair stations: • TSA must complete a security review and audit of foreign repair stations certificated by the FAA no later than six months after regulations are issued.8 When conducting the audit, TSA must give priority to those repair stations that pose a significant risk to security. If security audits are not completed within six months from the date regulations are issued, the FAA is barred from certificating any new foreign repair stations until the security audits are completed for existing repair stations. • TSA must notify the FAA of any security issues or vulnerabilities identified during the audit and require foreign repair stations to address any such issues or vulnerabilities within 90 days. If, after 90 days, TSA determines that the foreign repair station does not maintain and carry out effective security measures, TSA must notify the FAA and the FAA must suspend the repair station’s certificate until such time as TSA determines that the repair station does maintain and carry out effective security measures. • TSA must notify the FAA if TSA determines that a foreign repair station poses an immediate risk to security and the FAA must revoke the repair station’s certificate. TSA must establish an appeal procedure to be used when a certificate is revoked. C. Summary of Proposed Rule sroberts on DSKD5P82C1PROD with PROPOSALS TSA is proposing regulations to: • Codify TSA’s inspection authority. • Require foreign and domestic repair stations certificated by the FAA under part 145 of the FAA’s rules to allow TSA and DHS officials to enter, inspect, audit, and test property, facilities, and records relevant to repair stations. • Require foreign and domestic repair stations certificated by the FAA to adopt and carry out a standard security program issued by TSA to safeguard the security of the repair station, the repair work conducted at the repair station, 7 This section of Vision 100 is codified at 49 U.S.C. 44924. The requirement to promulgate regulations is described in 49 U.S.C. 44924(f). The statute also requires that the Under Secretary for Border and Transportation Security issue the final regulations. The Under Secretary delegated authority for issuing such regulations to TSA on September 16, 2005. TSA sent a Report to Congress on August 24, 2004, as required at 49 U.S.C. 44924(g). 8 In the Implementing Recommendations of the 9/11 Commission Act of 2007 (Pub. L. 110–53, 121 Stat. 266, Aug. 3, 2007), the original 18-month deadline for completing security inspections of foreign repair stations was reduced to 6 months. VerDate Nov<24>2008 16:58 Nov 17, 2009 Jkt 220001 and all aircraft and aircraft components at the repair station. • Require each security program to describe the specific measures the repair station has implemented to identify individuals authorized access to the repair station, aircraft, and aircraft components; control access to the repair station, aircraft, and aircraft components; challenge individuals who are not authorized access and use escort measures for authorized visitors; provide security awareness training to all employees; verify employee background information; designate a security coordinator; and establish a contingency plan. • Require each repair station to comply with Security Directives issued by TSA. • Establish a process to notify the FAA to suspend a certificate upon written notification by TSA that a repair station has not corrected security deficiencies identified during a security audit within 90 days and to permit appeal of a certificate suspension. • Establish a process to notify the FAA to revoke a certificate upon written notification by TSA that a repair station is an immediate risk to security and to permit appeal of a certificate revocation. In developing these proposals, TSA has consulted with FAA officials responsible for repair station safety matters. D. FAA Safety Regulations The security regulations proposed in this NPRM are designed to build upon the extensive certification and safety requirements for repair stations instituted by the FAA. The FAA certificates repair stations, as well as repairmen who work in repair stations.9 The FAA requires that in order to receive certification, repair stations must establish and maintain a quality control system acceptable to the FAA that ensures the airworthiness of the articles on which the repair station or any of its contractors performs maintenance, preventive maintenance, or alterations.10 The quality control system must describe the procedures the repair station uses to inspect incoming raw materials, perform preliminary inspection of all articles that are maintained at the repair station, qualify and monitor noncertificated persons 9 See 14 CFR part 145 and 14 CFR part 65. While the FAA only certificates certain repair station personnel who work in the United States, it does require that those repair station personnel located outside the United States have practical experience or training in the work being performed. Supervisors in repair stations located outside the United States must understand, read, and write English. 14 CFR 145.153. 10 14 CFR 145.211. PO 00000 Frm 00004 Fmt 4701 Sfmt 4702 who perform maintenance, preventive maintenance, or alterations for repair stations, and conduct final inspections of maintained articles. In addition, the FAA requires that a certificated repair station inspect each article upon which it has performed maintenance, preventive maintenance, or alterations before approving that article for return to service.11 The FAA conducts safety inspections of both foreign and domestic repair stations. While these quality control measures provide a significant layer of protection and oversight of the components and aircraft under repair, the proposed regulations would supplement those measures by requiring that FAA certificated repair stations also adopt and carry out a security program that would include procedures to control access to the repair station itself, the components and aircraft under repair, and the work being performed; verify the identity of repair station employees; and establish a security coordinator to serve as the point of contact for securityrelated matters. E. Public Listening Session and Comments On February 27, 2004, TSA held a public listening session to receive input from stakeholders and other interested parties on repair station security issues. TSA also invited written comments to be submitted by March 29, 2004.12 TSA requested specific comments on the following issues: • Security measures that are currently deployed. • Existing security vulnerabilities. • Standards that should be in place to prevent unauthorized access, tampering, and any other security breaches. • Current security system costs. • Whether security requirements should be tailored to the type of authorization the repair station holds, number of employees, proximity to an airport, number of repairs completed, or other characteristics. • Whether aircraft operators should play a role in ensuring that repair stations maintain a secure workplace. • Whether any repair station operator has experienced a breach in security. Twelve parties, representing air carriers, repair station operators and employees, manufacturers, and unions, spoke during the public meeting.13 While several parties questioned the need for security regulations, most 11 14 CFR 145.211. FR 8357 (Feb. 24, 2004). 13 A transcript of the public meeting and copies of all filed comments are available in docket number TSA–2004–17131 at http://regulations.gov/ search. 12 69 E:\FR\FM\18NOP2.SGM 18NOP2 Federal Register / Vol. 74, No. 221 / Wednesday, November 18, 2009 / Proposed Rules recognized the importance of protecting the security of the aircraft, the maintenance work that repair stations perform on aircraft and aircraft components, and the facility itself, noting that TSA is required by statute to develop such regulations. Most parties also agreed that the regulations should be tailored to reflect security measures that may already be in place, as well as other factors, such as those listed by TSA in its request for comments. Concerns were expressed regarding the expedited timing of the regulations and the security audits, the potential financial burdens resulting from the imposition of new regulations, particularly on small repair stations, and the appeal process. Several parties recommended that the regulations define what constitutes an ‘‘immediate risk to security,’’ as well as ‘‘existing repair stations.’’ Other parties discussed security initiatives that had been employed at their facilities since September 11, 2001. TSA also received 21 written comments, representing the views of repair station operators and employees, unions, air carriers, aircraft owners, and manufacturers regarding potential security regulations. The majority of those submitting written comments also supported the need for security regulations, and agreed that the regulations should be tailored to reflect the particular characteristics of a repair station. Some commenters suggested that TSA include general security criteria for domestic and foreign repair stations and others offered recommendations regarding specific provisions that should be included in the regulations, such as access controls, personnel identification, employee background checks, and security awareness training. The comments provide valuable input as to how repair station security issues should be addressed and the proposal reflects many of the issues, as well as the recommendations, contained in these initial comments. TSA looks forward to receiving further comments on the proposed regulations. sroberts on DSKD5P82C1PROD with PROPOSALS F. Repair Station Site Visits In addition to the information gathered during the public listening session and through written comments, TSA visited repair stations to conduct research on the physical characteristics of repair stations, the type of repair work performed, and the extent of security measures that had been implemented. The following site visits were conducted: VerDate Nov<24>2008 16:58 Nov 17, 2009 Jkt 220001 • June 2005—1 repair station in Hamburg, Germany, and 1 repair station in Amsterdam, the Netherlands. • August 2005—5 repair stations in Singapore. • November 2006—9 repair stations in the state of Arizona. • December 2006—3 repair stations in Naples, Italy. • January 2007—3 repair stations in the state of Georgia. • May 2007—1 repair station in Singapore and 1 repair station in Guangzhou, China. • July 2007—1 repair station in Teterboro, New Jersey. • May 2008—3 repair stations in Bogota, Colombia. These repair station site visits provided valuable insight into the different types of facilities certificated by the FAA, the different types of repair work conducted at the facilities, and the different types of security measures deployed by the various facilities. All of the stations visited had some security measures in place. For example, one foreign repair station had over 10,000 employees with many buildings and its own airport. This facility had perimeter fencing, security guards, and surveillance cameras to control access to the facility. Its employees were required to display identification media. Another foreign repair station had only seven employees and was located at an industrial park. That facility was planning to install surveillance cameras to be monitored by a private security company. In two countries the government had mandated security requirements for certain repair stations. In the United States, one domestic repair station facility with 40 employees relied on personal recognition to identify individuals authorized entry into the facility, while another domestic repair station with fifteen employees used identification media and surveillance cameras. By conducting these site visits, TSA was able to study security measures already deployed and develop a proposal that reflects repair station diversity. II. Summary of the Proposed Rule TSA proposes to add a new part 1554 to its regulations, entitled ‘‘Aircraft Repair Station Security.’’ The new part would require aircraft repair stations that are certificated by the FAA under 14 CFR part 145, both domestic and foreign, to adopt and carry out a standard security program. The regulations would require repair stations to safeguard the security of the aircraft and components located at the station, the maintenance and repair work performed there, as well as the PO 00000 Frm 00005 Fmt 4701 Sfmt 4702 59877 repair station’s facilities as required by 49 U.S.C. 44924. For a more detailed discussion of the proposed regulations, see the Section-by-Section Analysis portion of this preamble. TSA is also proposing changes to its regulations regarding the protection of sensitive security information (SSI) to specify that a repair station security program is categorized as SSI and that the repair station operator or owner is subject to the SSI requirements described in 49 CFR part 1520.14 A. Repair Station Standard Security Program FAA certificated repair stations, whether located at airports that have a TSA security program,15 at general aviation airports, or at off airport properties, could be a target of terrorist activity and TSA is proposing that each FAA certificated repair station implement and carry out a standard security program issued by TSA to mitigate that risk. If the repair station is already incorporated within an airport’s security program and uses the airport’s access control measures, TSA will consider the repair station to be in compliance with the security measures proposed in these regulations. The proposed regulations list the general security requirements that each repair station would be required to carry out in the standard security program. The standard security program would require each repair station to include (1) a description of access controls for the facility as well as for the aircraft and/or aircraft components; (2) a description of the measures used to identify employees and others who are authorized to access aircraft and/or aircraft components; (3) a description of the procedures to challenge unauthorized individuals; (4) a description of security awareness training for employees; (5) the name of the designated security coordinator; (6) a contingency plan; and (7) a description of the means used to verify employee background information. The complete security program contents are discussed in the Section by Section analysis. These requirements are consistent with the recommendations included in the written comments received by TSA, 14 ‘‘Sensitive Security Information’’ or ‘‘SSI’’ is information obtained or developed in the conduct of security activities, the disclosure of which would constitute an unwarranted invasion of privacy, reveal trade secrets or privileged or confidential information, or be detrimental to the security of transportation. The protection of SSI is governed by 49 CFR part 1520. 15 See 49 CFR part 1542 for a description of airport security program requirements. Aircraft repair stations located at a commercial airport may be included within the airport security program. E:\FR\FM\18NOP2.SGM 18NOP2 sroberts on DSKD5P82C1PROD with PROPOSALS 59878 Federal Register / Vol. 74, No. 221 / Wednesday, November 18, 2009 / Proposed Rules as well as with established security procedures for aircraft operators, air carriers, and airports.16 Recognizing that a ‘‘one size fits all’’ approach would not appropriately address the diversity in repair station characteristics, TSA believes that repair stations should have some flexibility regarding the particular equipment, facilities, and measures that would be listed in the standard security program and used to comply with the proposed regulations. While TSA would provide a standard security program which would contain the majority of security measures that a repair station must adopt to comply with the proposed regulations, certain measures in the standard security program that the repair station must adopt may differ depending upon risk factors considered by TSA. TSA would not require repair stations that are not located on or adjacent to an airport to implement the same physical security measures in the standard security program as those repair stations that are located on or adjacent to an airport. In adopting this approach, TSA considered the security risks of repair station operations to determine whether there were any factors that could increase the security risks of a repair station. The factors TSA considered were (1) size and type of aircraft to which employees had access; (2) the type of repair work permitted by the FAA certificate; (3) whether the repair station was located on an airport and the type of airport; and (4) the number of employees at the repair station. Based on the information acquired during the repair stations site visits, an examination of FAA safety requirements, and discussions with FAA safety inspectors, TSA determined that while all of the characteristics examined had some effect on security risks, repair stations that are located on or adjacent to an airport could pose a higher security risk. TSA found that at airport locations, there was greater accessibility to aircraft and proximity to a runway, thereby increasing the possibility that an aircraft could be commandeered and used as a weapon or sabotaged. At off-airport locations, TSA found that repair station employees had little, if any, access to operational aircraft or runways. Repair station employees at off airport locations typically are not the last individuals with access to aircraft prior to the reintroduction of the aircraft into service. TSA believes that it would be difficult for an individual to damage an 16 See, generally, TSA security regulations at 49 CFR parts 1540, 1542, 1544, and 1546. VerDate Nov<24>2008 16:58 Nov 17, 2009 Jkt 220001 aircraft at a repair station location that is only rated to repair aircraft components if the individual does not have access to aircraft. FAA safety regulations require inspection of the repair work and the component before it is installed in an aircraft and before the aircraft is deemed to be airworthy. Thus, TSA believes it is less likely that a terrorist would attempt to target an aircraft by sabotaging a component at an off airport location. This assessment of the greater risk posed by repair stations located on or adjacent to an airport was also supported by several commenters. One commenter noted that repair stations located within an airport posed the greatest risk to security because of the larger number of entry points in such a location. Another explained that repair facilities located off airport generally only work on aircraft components and that the multiple layers of testing and oversight already conducted by the FAA serves as an important security function as well. Another commenter agreed, stating that repair stations that do not have access to aircraft do not pose a security risk because the airworthiness of the components are tested before they are released into service. Based on this risk assessment, TSA would specify particular security measures in the standard security program that would apply to repair stations on or adjacent to an airport, but that would not be required for other repair stations. TSA believes that this approach would be consistent with its efforts to strengthen security measures at the non public areas of the airport. In addition, TSA would not require repair stations on or adjacent to airports that only serve aircraft with a maximum certificated take-off weight (MTOW) of 12,500 pounds or less to include the same security measures in the standard security program as repair stations located on or adjacent to airports that serve larger aircraft. TSA has long recognized that aircraft with a MTOW over 12,500 pounds pose a greater risk to security because such aircraft are of sufficient size and weight to inflict significant damage and loss of lives.17 Smaller aircraft may be a less attractive target for terrorists. Therefore, the security program would not include the same requirements for repair stations that are located on or adjacent to an airport that serves small aircraft. While the proposed regulations apply to all FAA certificated repair stations, TSA requests comment on whether it should exempt certain repair stations after it conducts security reviews and audits. 17 See PO 00000 49 CFR 1544.101(d) and 1550.7. Frm 00006 Fmt 4701 Sfmt 4702 For instance, TSA may consider whether to exempt repair stations that only perform maintenance on aircraft that are 12,500 MTOW or less. TSA also requests comments on whether there are other considerations that could be used to determine potential exemptions. TSA is aware that the FAA may certificate repair stations operating on a Federal government facility, such as a U.S. military base. TSA believes that the security at such a facility would likely meet and exceed the security requirements proposed herein. Therefore, TSA would not apply its requirements to any FAA certificated repair station at which the Federal government has assumed responsibility for security measures. The issue of requiring drug and alcohol testing of repair station employees was raised during the public listening session. TSA is not proposing to include drug and alcohol testing as part of its security program requirements. TSA notes that the FAA has instituted alcohol and drug testing as part of its safety regulations.18 TSA believes that such testing should remain under the purview of the FAA. TSA believes that the standard security program would be useful to repair stations that have not developed or implemented a security program, particularly small repair stations that may lack the resources to create their own security program. Further, the standard security program would provide consistency in format and content for the thousands of security programs that would be implemented under this proposal. TSA anticipates requesting comment from repair stations on the standard security program before a final rule is adopted and will make a draft of the standard security program available for review and comment by the repair stations subject to the regulations either electronically, through meetings, or both.19 B. Repair Station Profile To assess the security risks of a repair station and to establish the priority by which repair stations must be inspected, TSA would require each repair station to provide a brief profile, to include general information as to location, such as whether the repair station is located 18 See 14 CFR part 121 at Appendix I and Appendix J. The FAA requires part 145 certificate holders and non-certificated repair stations that perform safety sensitive functions for air carriers and commercial operators under 14 CFR parts 121 and 135 to implement an FAA Antidrug Program. 19 Security programs will be sensitive security information and will not be available to the general public. See Section-by-Section analysis for § 1520.3 in this preamble. E:\FR\FM\18NOP2.SGM 18NOP2 Federal Register / Vol. 74, No. 221 / Wednesday, November 18, 2009 / Proposed Rules on or adjacent to an airport,20 the total number of employees, and the number of employees with access to large aircraft. The type of information is discussed in the Section by Section analysis. We note that while the FAA holds some of this information, it does not have all of it. We invite comments on the burdens associated with TSA collecting this profile. As explained above, TSA has determined that repair stations located on or adjacent to an airport pose a higher security risk than those that are not located on or adjacent to an airport. In addition, TSA has determined that repair stations on airports that perform work on aircraft over 12,500 MTOW pose a higher security risk. Identifying these higher risk repair stations will enable TSA to make certain that they are given a higher priority when scheduling inspections. Further, the profile will assist TSA in determining which measures included in the standard security program must be implemented to address the higher risk posture of repair stations that are located on or adjacent to an airport. sroberts on DSKD5P82C1PROD with PROPOSALS C. Security Inspections The proposed regulations would codify TSA’s inspection authority and would require repair stations to permit TSA and DHS officials to enter, inspect, and test property, facilities, and records relevant to repair stations. The purpose of the inspection would be to assess threats to aviation security, enforce TSA security regulations, directives, and requirements, evaluate all aspects of the repair station security program, verify whether the security program is being implemented and whether it is effective, as well as to identify and correct security deficiencies. Such oversight is also necessary to monitor continuing compliance with the security requirements. Since the inspection program is critical to the enforcement of the security program requirement, TSA’s inspection authority would extend to all repair stations. TSA would initiate foreign repair station inspections by giving priority to those foreign repair stations that pose the greatest risk to aviation security as required by Vision 100, and that have identified themselves through the profile as being located on or adjacent to an airport and as performing repair work on large aircraft. Pursuant to the inspection process and consistent with Vision 100, TSA is proposing to notify the repair station 20 If located on an airport, whether the repair station participates in the airport security program will impact the need for the repair station to comply with the proposed security regulations. VerDate Nov<24>2008 16:58 Nov 17, 2009 Jkt 220001 and the FAA of any deficiencies in a security program and to permit the repair station 90 days to correct such deficiencies. If the deficiencies are not corrected within 90 days, TSA would notify the FAA that it must suspend the repair station’s certificate until such time as TSA determines that the deficiencies are resolved. The proposed regulations also contain a process whereby a repair station may request further review of TSA’s determination regarding security deficiencies. D. Immediate Risk to Security The proposed regulation contains a specific process whereby a repair station that poses an immediate risk to security is identified and the FAA is notified of such a determination. The FAA must revoke the certificate of a station that TSA determines poses an immediate risk to security. Whether the threat is immediate would be evaluated on a case by case basis considering existing and potential circumstances as information is received and analyzed. The proposal provides a repair station with the opportunity to obtain the releasable materials upon which the determination was made and to seek review of such a determination. III. Section-by-Section Analysis Part 1520—Protection of Sensitive Security Information 59879 covered persons subject to its SSI requirements. This change would require that repair station operators adhere to the SSI rules and protect SSI from public dissemination. Access to SSI is strictly limited to those persons with a need to know, as defined in 49 CFR 1520.11. In general, a person has a need to know specific SSI when he or she requires access to the information in order to carry out transportation security activities that are governmentapproved, -accepted, -funded, -recommended, or -directed, including for purposes of training on, and supervision of, such activities or to provide legal or technical advice regarding security-related requirements. Accordingly, the protection of SSI would apply to each repair station standard security program pursuant to part 1554. Part 1554—Aircraft Repair Station Security (New) Section 1554.1—Scope and Purpose Section 1554.1 of the proposed regulation sets forth the scope and purpose of new part 1554. The proposed regulations would apply to all repair stations, both domestic and foreign, that are certificated by the FAA pursuant to 14 CFR part 145. The purpose of the proposed regulations would be to safeguard the security of domestic and foreign aircraft repair stations as required by 49 U.S.C. 44924. The requirements would not apply to any FAA certificated repair station at which the U.S. government has assumed responsibility for security measures. Section 1520.5—Sensitive Security Information Protection of Sensitive Security Information (SSI), as codified at 49 CFR part 1520, would apply to each repair station required to adopt and carry out a security program. Airport and aircraft operator security programs and plans, amendments, security directives and information circulars, technical specifications of security screening and detection systems and devices, among other types of information, all constitute SSI under current § 1520.5 and are prohibited from public disclosure. TSA is proposing to amend its part 1520 rules to include a repair station security program as SSI. This change would prevent the public disclosure of the security measures implemented and utilized by a repair station covered under the new rules because such disclosure would pose a threat to transportation security. It would also ensure that the repair station standard security program is protected just as other TSA required security programs are protected. Section 1554.3—Terms Used in This Part Section 1554.3 of the proposed rule sets forth the definitions of certain terms used in this part. The term ‘‘repair station’’ is defined as any maintenance facility that is certificated by FAA pursuant to 14 CFR part 145 to perform maintenance, preventive maintenance, repair, overhaul, or alterations of an aircraft, airframe, aircraft engine, propeller, appliance, or component part.21 Since the proposed regulations apply to both foreign and domestic repair stations, the section defines ‘‘domestic repair station’’ as any FAAcertificated repair station located within the fifty States, the District of Columbia, or the territories and possessions of the United States. A ‘‘foreign repair station’’ is defined as any FAA-certificated repair station located outside of the fifty States, the District of Columbia, or the Section 1520.7—Covered Persons TSA proposes to amend § 1520.7 to include repair station operators as 21 The proposed definition is consistent with the description of the applicability of the FAA’s repair station regulations at 14 CFR 145.1. PO 00000 Frm 00007 Fmt 4701 Sfmt 4702 E:\FR\FM\18NOP2.SGM 18NOP2 59880 Federal Register / Vol. 74, No. 221 / Wednesday, November 18, 2009 / Proposed Rules territories and possessions of the United States. sroberts on DSKD5P82C1PROD with PROPOSALS Section 1554.5—TSA Inspection Authority Section 1554.5 would codify TSA’s authority to inspect repair stations and would require repair stations to permit TSA and DHS officials to enter, inspect, and test property, facilities, and records relevant to repair stations. This section would allow TSA to assess threats, enforce regulations, security directives, and requirements, inspect all facilities and equipment, test the adequacy of security measures, verify the implementation of security measures, review security programs and other records, and perform such other duties as appropriate. This section also would allow TSA to request evidence of compliance, including copies of records in English. The proposed regulatory language is consistent with the inspection authority currently codified at 49 CFR 1542.5 and 1546.3, which apply to certain U.S. airports and foreign air carriers. TSA has established protocols and procedures on conducting inspections outside the United States through its Foreign Airport and Foreign Air Carrier Assessment Programs. These established procedures require advance notice to the facility to be inspected and coordination with the U.S. Department of State and the appropriate foreign government authorities. TSA inspectors are required to have TSA identification media and credentials with them when inspecting facilities and must display them when requested to do so. TSA will use these established procedures when conducting inspections of foreign repair stations. TSA is also amenable to working with the U.S. Department of State and foreign government authorities to facilitate inspections of U.S. repair stations that are certificated by a foreign government authority. TSA currently permits such inspections of U.S. airports and air carriers by foreign government authorities consistent with ICAO Annex 17, Section 2.1. TSA has kept ICAO apprised of the rulemaking and will continue its efforts to harmonize its regulations with those of other countries through its participation in ICAO. Section 1554.101—Adoption and Implementation Section 1554.101 would require each repair station to adopt and carry out a security program designed to safeguard aircraft and aircraft components located within the repair station, the maintenance and repair work performed VerDate Nov<24>2008 16:58 Nov 17, 2009 Jkt 220001 Section 1554.103—Security Program Content, Availability, and Amendment The standard security program must include: (1) A description of the measures used to identify individuals who are authorized to enter the repair station to prevent unauthorized individuals from entering the repair station; (2) a description of the measures used to control access to the repair station and to detect and prevent the entry, presence, and movement of unauthorized individuals and vehicles into or within the repair station; (3) a description of the measures used to control access to the aircraft and/or aircraft components to allow only authorized individuals to have such access; (4) a description of the measures used to challenge any individual entering the repair station to ascertain the authority of the individual to enter or be present in the repair station and measures to escort an individual who does not have unescorted authority while within the repair station; (5) a description of the measures to train all individuals with authorized access to aircraft and components on the provisions of this part and the security program; (6) a description of the measures used to verify employee background information through confirmation of prior employment and any other means as appropriate to validate employee information; (7) the name, 24-hour contact information, duties, and training requirements of the designated security coordinator who will serve as the primary and immediate contact for security-related activities and communications with TSA; (8) a contingency plan; (9) a diagram with dimensions detailing boundaries and pertinent physical features of the repair station; (10) a list and description of all entry points; and (11) an emergency response contact list. The regulations also would require that the security program be in writing, and signed by the repair station operator, owner, or other authorized person. Each repair station would not have to submit the security program to TSA, but would have to make it available to TSA upon request or during an inspection. The individual standard security program requirements are discussed below. Section 1554.103 would describe the general requirements describing the measures that each repair station must adopt in the standard security program. (1) Identification of Authorized Individuals The proposed regulations would require the repair station to adopt and there, and the facility itself. Repair stations would be required to use the TSA standard security program unless otherwise authorized by TSA. This section would also require a repair station to submit a profile. The purpose of the profile would be to provide basic information regarding repair station operations to assist TSA in determining what measures the repair station must include in its security program to meet the security requirements. The profile would also assist TSA in prioritizing repair stations for purposes of conducting inspections. TSA would make the profile template available to all repair stations either through the TSA web site, by mail, or both. The profile would request the following types of information: • Identification of the repair stations, such as FAA certificate number, repair station name as it appears on the FAA certificate, and repair station address. • Description of location (on or adjacent to an airport, off airport in a business location, off airport private residence). • Security coordinator who will serve as the TSA point of contact. • If on an airport, the name and three letter designator of the airport. • Total number of employees. • Number of employees authorized unescorted access to aircraft over 12,500 MTOW. The name and location of each repair station would assist TSA in identifying the repair station and determining its proximity to an airport since, as explained above, TSA would consider such repair stations to be a higher risk than those that are not located on or adjacent to an airport. The profile information would also help TSA to prioritize its inspections. Repair stations would also be required to update their profile information within 30 calendar days if a change in the information submitted occurs. This requirement would enable TSA to maintain current information on each regulated repair station and make certain that it is appraised of changes that could impact the security posture of a repair station. Repair stations would not be required to alert TSA to changes in total number of employees or number of employees who work on large aircraft to prevent the submission of a new profile every time an employee is hired or terminated. PO 00000 Frm 00008 Fmt 4701 Sfmt 4702 E:\FR\FM\18NOP2.SGM 18NOP2 Federal Register / Vol. 74, No. 221 / Wednesday, November 18, 2009 / Proposed Rules sroberts on DSKD5P82C1PROD with PROPOSALS describe measures to identify individuals to prevent unauthorized individuals from entering the repair station. The specific requirements for a personnel identification media system would be included in the standard security program. Personal recognition may be sufficient at certain repair station locations. During the inspection process, TSA would use the following factors to evaluate whether the personnel identification media system must be implemented and what type of features the system must use: • Number of employees and number of shifts. • Physical size of the repair station. • Number of visitors. • Proximity of other businesses or operations. • Type of work, size of aircraft, and length of runway. • Number of entry points into the repair station. • Airport security features. • Other factors that increase ability of unauthorized individuals or vehicles to access the repair station. For example, a repair station with 50 employees who work multiple shifts at a repair station, located adjacent to an airport with many access points, might be required to adopt and carry out the personnel identification media system. Such a repair station would be considered to be a higher risk because of its proximity to an airport. Further, the large number of employees working multiple shifts would make it difficult for employees to rely solely on personal recognition as workers from different shifts may not be able to recognize each other. A repair station located in a residence with a single employee would not be required to adopt the personnel identification media system in the security program. TSA would not anticipate requiring a repair station located at an airport to adopt a personnel identification media system if employees were required to obtain and display airport identification media. broad spectrum, including standard locks with key control, card swipe access locks, cipher locks, locks with coded keys, biometric access cards, fencing, security guards, surveillance cameras, and motion detectors. As part of the standard security program, the repair station would be required to describe all of the entry points to the facility and the specific access control measures used for each. During the inspection process, TSA would determine whether the access control measures deployed at the entry point are appropriate. A repair station located on or adjacent to an airport that performs substantial maintenance on large aircraft would be required to have more stringent access controls. Such controls could include such measures as card swipe access locks, security guards, electronically monitored access or motion detectors, fencing or a combination of such controls. A repair station located in a private residence or in a small component shop in an industrial park would be required to have less sophisticated controls, such as standard locks with key control and an inventory system to track the number of keys. A repair station would be able to select the above or other measures that would provide a appropriate level of security. Access controls would also be required to restrict unauthorized access to components located within the facility, such as locked storage containers and inventory control of keys. (2) Repair Station Access Control Measures The standard security program would specify the access control security requirements for all repair stations. Such requirements would include measures to control access to the facility and to the aircraft and components within the repair station, to challenge any individuals to determine if they are authorized to enter or be present in the facility, and to respond if unauthorized individuals or vehicles are discovered. Acceptable access control measures would be specified in the security program. Such measures would cover a (4) Challenge Procedures The security program would describe the procedures to be followed when challenging individuals who cannot be readily identified. Only those individuals who are designated and trained in escort procedures would be permitted to escort visitors to the repair station. The responsibilities of the escort would be specified in the security program. At a small facility with few employees, the ability to observe individuals present within the facility may be sufficient to ensure that access to repair work and/or components is controlled. At large repair station VerDate Nov<24>2008 16:58 Nov 17, 2009 Jkt 220001 (3) Aircraft Access Control Measures In addition, the security program would include measures to control access to aircraft, such as requiring repair stations located on or adjacent to an airport to secure large aircraft by locking or disabling the aircraft, keeping the aircraft in a secure hangar during non-operational hours, fencing, surveillance cameras, lighting, and security guards. PO 00000 Frm 00009 Fmt 4701 Sfmt 4702 59881 facilities, such as those that use a personnel identification media system, employees may have to escort individuals as part of their responsibilities. (5) Security Training Measures The security program would include measures to conduct initial and recurrent security training programs, such as providing guidance to repair station personnel on how to implement and maintain the security measures included in the security program. The security program would also specify that the training curriculum be updated to reflect current security requirements. The repair station would be required to maintain records of initial and recurrent security training for each employee. The standard security program would include a model curriculum that the repair station could modify based on the specific security requirements applicable to that repair station. (6) Employee Background Verification The security program would include the measures by which the repair station verifies the employment history of its employees and conducts background checks, to the extent permitted by the laws of the country in which the repair station is located. The employment history, length of employment, and measures used to verify the individual’s employment would be listed in the security program. (7) Security Coordinator Each repair station would be required to designate a security coordinator who would serve as the immediate and primary point of contact for securityrelated activities and communications with TSA. Each repair station would include the name, responsibilities, and contact information of the security coordinator in the security program and would also specify the training curriculum required for the security coordinator. The security coordinator would not necessarily need to be on-site at the repair station, but they must be able to coordinate incident management at any time. (8) Contingency Plan The security program would include a contingency plan to include the specific measures that would be taken to address security-related incidents. The security program would include such items as the names of the repair station employees designated to perform specific tasks, the name and contact information for any contingency response organizations that would assist the repair station, a description of the E:\FR\FM\18NOP2.SGM 18NOP2 59882 Federal Register / Vol. 74, No. 221 / Wednesday, November 18, 2009 / Proposed Rules DHS threat advisory levels and the additional security measures that would be implemented based on the threat level, and set forth the responsibilities of all personnel involved. The plan would also provide for training and regular practices, if appropriate. sroberts on DSKD5P82C1PROD with PROPOSALS Other Security Program Requirements The proposed regulations would also require that each security program include a diagram of the repair station detailing the boundaries and describing the physical features of the repair station. The security program would also include a list and description of all entry points into the repair station that would be supplied by the repair station operator. These requirements would assist TSA in assessing the security vulnerability of the repair station and determining whether security measures are appropriate. The security program would also include emergency response contact information. Section 1554.103(b) would require that the security program be in writing, and hand-signed by the repair station operator, owner, or other authorized person. The security program would be required to be accessible to employees at the repair station facility and be written in English and in the official language of the repair station’s country. The security program could be accessible electronically so long as it meets all of the requirements. This section would also include a requirement that repair stations must restrict the distribution, disclosure, and availability of sensitive security information as described in 49 CFR part 1520. Section 1554.103(c) would require a repair station to notify TSA of any amendment to the standard security program and would require that the repair station acknowledge receipt and adopt an emergency amendment issued by TSA within the time prescribed in the emergency amendment. If the repair station cannot implement the emergency amendment, the repair station must immediately notify TSA to obtain approval of alternative measures. They may contact their TSA inspector or the TSA Repair Stations Office at TSA headquarters. Section 1554.105—Security Directives This section would require a repair station to comply with any Security Directive issued by TSA mandating security measures. Security Directives may be issued when TSA determines that additional or specific security measures are necessary to respond to a threat assessment or a specific threat against aviation. Upon receipt of a VerDate Nov<24>2008 16:58 Nov 17, 2009 Jkt 220001 Security Directive, the repair station would be required to comply with the measures in the time prescribed or immediately notify TSA if it is unable to implement the specified security measures so that the repair station can obtain approval of alternative measures. The repair station would also be required to restrict the availability of a Security Directive to only those individuals with an operational need to know. Section 1554.201—Notification of Security Deficiencies; Suspension of Certificate Proposed § 1554.201 implements the requirements of 49 U.S.C. 44924(c)(1) regarding the suspension of a repair station certificate. Vision 100 requires audits to be conducted of foreign repair stations within a specified timeframe.22 TSA would comply with that requirement and intends to perform ongoing audits and inspections of all repair stations covered by the proposed regulation in order to check for compliance with the final regulations. The proposed regulation would provide that TSA would notify the repair station and the FAA in writing of any security deficiencies identified by TSA during an audit. Repair stations would be required to respond within 90 days of receipt of the written notification that the deficiency has been corrected and include a written explanation of the efforts, methods, and procedures used to correct the deficiency. TSA may re-audit the repair station to verify that the deficiencies have been corrected. The proposal specifies that TSA would provide written notification to the FAA if the repair station failed to respond and/or to correct the deficiencies within the 90day period and that, consistent with the statute, FAA would suspend the repair station certificate. The suspension would remain in effect until TSA makes a determination that the deficiencies had been corrected; TSA would then notify the FAA requesting that the suspension be lifted.23 This section also provides that a repair station may seek review of a TSA determination that deficiencies have not been corrected and includes the redress procedures. 22 In the Implementing Recommendations of the 9/11 Commission Act of 2007 (Pub. L 110–53, 121 Stat. 266, Aug. 3, 2007), the 18-month deadline for completing security inspections of foreign repair stations was reduced to 6 months. 23 If the repair station certificate covered more than one facility, but not all the facilities were found to have security deficiencies, TSA would specify that only the facility that was found to be deficient be suspended. PO 00000 Frm 00010 Fmt 4701 Sfmt 4702 Section 1554.203—Immediate Risk to Security; Revocation of Certificate and Review Process Proposed § 1554.203 implements 49 U.S.C. 44924(c)(2) and requires that if TSA makes an initial determination that a repair station poses an immediate risk to security, TSA would notify the repair station and the FAA that the station’s certificate must be revoked. The repair station may seek review of TSA’s determination that the station poses an immediate risk to security; however, the revocation would remain in effect unless and until the review is complete and a determination is made that the repair station does not pose an immediate risk to security. Proposed § 1554.203(b) would allow the repair station to request the releasable materials upon which the determination is based. Proposed § 1554.203(c) would permit the repair station to request a review and to provide a response to TSA. The response may include any information that the repair station deems relevant to a final decision. TSA would conduct an initial review of the basis for the determination and the response and, if the determination is upheld, a final review by the TSA Assistant Secretary. TSA would notify the FAA of its final determination. Section 1554.205—Nondisclosure of Certain Information This section preserves TSA’s authority not to disclose classified information or other information protected by law or regulation. IV. Rulemaking Analyses and Notices A. Paperwork Reduction Act The Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq.) requires that TSA consider the impact of paperwork and other information collection burdens imposed on the public and, under the provisions of PRA section 3507(d), obtain approval from the Office of Management and Budget (OMB) for each collection of information it conducts, sponsors, or requires through regulations. This proposed rule contains new information collection activities subject to the PRA. Accordingly, TSA has submitted the following information requirements to OMB for its review. Title: Aircraft Repair Station Security. Summary: This proposal would require all aircraft and aircraft component repair stations certificated by the FAA under 14 CFR part 145 to adopt and maintain a security program that meets general security requirements as required by 49 U.S.C. 44924(f). The E:\FR\FM\18NOP2.SGM 18NOP2 sroberts on DSKD5P82C1PROD with PROPOSALS Federal Register / Vol. 74, No. 221 / Wednesday, November 18, 2009 / Proposed Rules proposed regulations also authorize TSA to conduct security audits, assessments, and inspections of repair stations. Repair stations will be required to implement a TSA standard security program which must include the specific security measures used by the repair station to comply with the regulation. In addition to the actual security measures, the security program must also contain any amendments to the security program, a contingency plan, a diagram of the facility with dimensions detailing boundaries and physical features, the name and contact information for the person responsible for security-related activities and communications with TSA, a list and description of all entry points and an emergency response contact list. The security program may be kept electronically or in hard copy format. It does not have to be submitted to TSA, but must be made available for review when TSA conducts a security audit or inspection. Other records that must also be made available during the audit or inspection would include employee training records, employee background information, and any security directives issued by TSA. Use of: This proposal would support the information needs of TSA in order to ensure the security of maintenance and repair work conducted on air carrier aircraft and aircraft components at repair stations, as well as the security of the aircraft and the facility. Respondents (including number of): The likely respondents to this proposed information requirement are the owners and/or operators of repair stations certificated by the FAA under 14 CFR part 145, which is estimated to number approximately 5,460 over the next ten years. Frequency: Each of the respondents initially would submit a repair station profile and develop and carry out a standard security program provided by TSA. Annual Burden Estimate: Annualized over the next three years, the average yearly burden to create security programs is estimated to be 12,620 hours for all respondents. Thus, the total annual time burden estimate is approximately 13,817 hours. The estimated annual costs beyond the time burden is approximately $45,200 for all respondents when annualized over the next three years. TSA is soliciting comments to— (1) Evaluate whether the proposed information requirement is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility; VerDate Nov<24>2008 16:58 Nov 17, 2009 Jkt 220001 (2) Evaluate the accuracy of the agency’s estimate of the burden; (3) Enhance the quality, utility, and clarity of the information to be collected; and (4) Minimize the burden of the collection of information on those who are to respond, including using appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology. Individuals and organizations may submit comments on the information collection requirements by January 19, 2010. Direct the comments to the address listed in the ADDRESSES section of this document, and fax a copy of them to the Office of Information and Regulatory Affairs, Office of Management and Budget, Attention: DHS–TSA Desk Officer, at (202) 395– 5806. A comment to OMB is most effective if OMB receives it within 30 days of publication. TSA will publish the OMB control number for this information collection in the Federal Register after OMB approves it. As protection provided by the Paperwork Reduction Act, as amended, an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number. B. International Compatibility In keeping with U.S. obligations under the Convention on International Civil Aviation, it is TSA policy to comply with ICAO Standards and Recommended Practices where possible. TSA has determined that these proposed regulations are consistent with ICAO Standards and Recommended Practices for security of airports and facilities contained in Annex 17 of the Convention, the ICAO Security Manual and the ICAO Security Audit Reference Manual. C. Regulatory Impact Analyses 1. Regulatory Evaluation Summary Changes to Federal regulations must undergo several economic analyses. First, Executive Order 12866, Regulatory Planning and Review (58 FR 51735, October 4, 1993), directs each Federal agency to propose or adopt a regulation only upon a reasoned determination that the benefits of the intended regulation justify its costs. Second, the Regulatory Flexibility Act of 1980 (5 U.S.C. 601 et seq., as amended by the Small Business Regulatory Enforcement Fairness Act (SBREFA) of 1996) requires agencies to analyze the economic impact of regulatory changes on small PO 00000 Frm 00011 Fmt 4701 Sfmt 4702 59883 entities. Third, the Trade Agreements Act (19 U.S.C. 2531–2533) prohibits agencies from setting standards that create unnecessary obstacles to the foreign commerce of the United States. In developing U.S. standards, the Trade Act requires agencies to consider international standards, where appropriate, as the basis of U.S. standards. Fourth, the Unfunded Mandates Reform Act of 1995 (2 U.S.C. 1531–1538) requires agencies to prepare a written assessment of the costs, benefits, and other effects of proposed or final rules that include a Federal mandate likely to result in the expenditure by State, local, or tribal governments, in the aggregate, or by the private sector, of $100 million or more annually (adjusted for inflation). TSA has prepared a separate detailed analysis document, which is available to the public in the docket.24 With respect to these four analyses, TSA provides the following conclusions, supported by additional summary information. a. This proposed rule is not an economically ‘‘significant regulatory action’’ as defined in the Executive Order. However, this rulemaking may be considered significant because of Congressional and stakeholder interest in security since the events of September 11, 2001. b. The Initial Regulatory Flexibility Analysis (IRFA) shows that there may be a significant impact on a substantial number of small entities. c. This proposed rule imposes no significant barriers to international trade. d. This proposed rule does not impose an unfunded mandate on State, local, or tribal governments, or on the private sector in excess of $100 million (adjusted for inflation) in any one year. 2. Executive Order 12866 Assessment This summary highlights the costs and benefits of the proposed rule to amend the transportation security regulations to further enhance and improve the security of repair stations. TSA has determined that this is not a major rule within the definition of Executive Order (EO) 12866, as annual costs to all parties do not pass the $100 million threshold in any year. The Initial Regulatory Flexibility Analysis (IRFA) shows that there may be a significant impact on a substantial number of small entities. There are no significant economic impacts for the required analyses of international trade 24 See information on viewing the Docket under ‘‘Reviewing Comments in the Docket’’ above. The Regulatory Evaluation is categorized as ‘‘Supporting and Related Materials.’’ E:\FR\FM\18NOP2.SGM 18NOP2 59884 Federal Register / Vol. 74, No. 221 / Wednesday, November 18, 2009 / Proposed Rules or unfunded mandates. Both in this summary and the economic evaluation, descriptive language is used to try to relate the consequences of the regulation. The tables are numbered as they appear in the economic evaluation. Although the regulatory evaluation attempts to mirror the terms and wording of the regulation, no attempt is made to precisely replicate the regulatory language and readers are cautioned that the actual regulatory text, not the text of the evaluation, is binding. Comparison of Costs and Hypothetical Benefits Comparison of the total undiscounted domestic costs of the proposed rule with potential benefits from the proposed aircraft repair station security program relies on a breakeven comparison based on the extent to which the program must reduce the underlying baseline risk of specific attack impact scenarios in order for the program benefits to be greater than the expected costs. Such a comparison is presented in Table 2 following the ‘‘Benefits’’ section below. This comparison is discussed briefly above and in greater depth in the body of the analysis. Benefits A major line of defense against an aviation-related terrorist act is the prevention of explosives, weapons, and/ or incendiary devices from getting on board a plane. To date, efforts have been primarily related to inspection of baggage, passengers, and cargo, and security measures at airports that serve air carriers. With this rule, attention is given to aircraft that are located at repair stations, and to aircraft parts that are at repair stations, themselves to reduce the likelihood of an attack against aviation and the country. Since repair station personnel have direct access to all parts of an aircraft, the potential exists for a terrorist to seek to commandeer or compromise an aircraft when the aircraft is at one of these facilities. Moreover, as TSA tightens security in other areas of aviation, repair stations increasingly may become attractive targets for terrorist organizations attempting to evade aviation security protections currently in place. To better inform the comparison of the costs of the repair station security program in the proposed rule with the benefits to homeland security it might afford due to reduced risk of successful terror attack involving an aircraft, a breakeven analysis was performed. In this analysis, the annualized costs of the program, discounted at seven percent, are compared to the expected benefits of avoiding or preventing three attack scenarios of varying consequence. For each scenario, the required extent of annual risk reduction due to the proposed program, expressed as the frequency with which attacks must be averted, is reported in the final column of the break-even analysis (Table 2) below. TABLE 2—FREQUENCY OF ATTACKS AVERTED FOR AIRCRAFT REPAIR STATION SECURITY COSTS TO EQUAL EXPECTED BENEFITS, BY ATTACK SCENARIO [Annualized at 7 percent] 1 2 3 Minimal ............. Aircraft Target .. Moderate .......... Value of a statistical life (VSL) at $5.8M ($ million) Moderate injuries Valuation of moderate injuries at 1.55% of VSL ($ million) Severe injuries Valuation of serious injuries at 18.75% of VSL ($ million) Estimated aircraft market value ($ million) Total impact ($ million) Attacks averted by repair station security required to break even A Attack scenario Lives lost B = A × 5.8 C D = C × .0899 E F = E × 1.0875 G H = B+D+F+G = H ÷ $24.5M * 3 132 250 $17.4 765.6 1,450.0 10 $0.9 0.0 0.0 $0.0 0.0 815.6 750 $9.3 21.8 9.3 $27.6 787.4 2,274.9 one every 1.1 years. one every 32.1 years. one every 92.7 years. * The total cost of the rule annualized at 7 percent. Costs analyzed. Table 31 that follows provides the 10-year cost of the preferred alternative and two other alternatives, As required, alternatives to the primary rule requirements were undiscounted and at three and seven percent discount rates. TABLE 31—TOTAL 10-YEAR COSTS BY SCENARIO AND DISCOUNT RATE [2006$ millions] Total by scenario Undiscounted 3% Discount sroberts on DSKD5P82C1PROD with PROPOSALS Primary Scenario ............................................................................................................. Security Threat Assessments .......................................................................................... Vulnerability Assessments ............................................................................................... $344.4 347.0 347.1 Using a seven percent discount rate, TSA estimated the 10-year cost impacts for the primary scenario of this proposed rule would total $241.0 million. This total is distributed among domestic repair stations, which would incur total costs of $118.6 million; foreign repair stations, which would incur costs of $68.7 million; and TSAprojected Federal Government costs, which would be $53.7 million. regulation.’’ To achieve that principle, the RFA requires agencies to solicit and consider flexible regulatory proposals and to explain the rationale for their actions. The RFA covers a wide range of small entities, including small businesses, not-for-profit organizations, and small governmental jurisdictions. Agencies must perform a review to determine whether a proposed or final rule will have a significant economic VerDate Nov<24>2008 16:58 Nov 17, 2009 Jkt 220001 3. Initial Regulatory Flexibility Analysis (IRFA) The Regulatory Flexibility Act of 1980 (RFA) establishes ‘‘as a principle of regulatory issuance that agencies shall endeavor, consistent with the objective of the rule and of applicable statutes, to fit regulatory and informational requirements to the scale of the business, organizations, and governmental jurisdictions subject to PO 00000 Frm 00012 Fmt 4701 Sfmt 4702 E:\FR\FM\18NOP2.SGM $293.3 295.7 295.8 7% Discount 18NOP2 $241.0 243.1 243.3 Federal Register / Vol. 74, No. 221 / Wednesday, November 18, 2009 / Proposed Rules impact on a substantial number of small entities. If the determination is that it will, the agency must prepare a regulatory flexibility analysis as described in the RFA. However, if an agency determines that a proposed or final rule is not expected to have a significant economic impact on a substantial number of small entities, section 605(b) of the 1980 RFA, as amended, provides that the head of the agency may so certify and a regulatory flexibility analysis is not required. The certification must include a statement providing the factual basis for this determination, and the reasoning should be clear. As part of implementing this NPRM, TSA expects security to be integrated into actions the same way safety has and to become an integral component of doing business rather than adding layers or extra program costs. The primary cost to repair stations resulting from this NPRM would be additional hours for personnel to perform the duties of the repair station security coordinator. For many stations this may constitute an insignificant impact, while for others the costs to comply with the proposed rule may prove significant. TSA has conducted an initial regulatory flexibility analysis and believes the proposed requirements may result in a significant economic impact on a substantial number of small entities. TSA requests comments, particularly those supported by data, on this preliminary conclusion. Reason for the Proposed Rule In 2003, Congress enacted Vision 100—Century of Aviation Reauthorization Act (Vision 100), Public Law 108–176, (117 Stat. 2490, December 12, 2003). Vision 100, which was signed into law by President George W. Bush on December 12, 2003, expands TSA’s authority to address the security of the civil aviation system by requiring TSA to issue final regulations to ensure the security of both domestic and foreign aircraft repair stations. sroberts on DSKD5P82C1PROD with PROPOSALS Objectives of the Proposed Rule The requirements proposed in this NPRM are designed to increase overall civil aviation security by bolstering the level of security at domestic and foreign aircraft repair stations. Descriptions and Estimates of the Number of Small Entities Aircraft repair stations are classified by the U.S. Census Bureau as falling primarily within the North American Industry Classification System (NAICS), code 488190 Other Support Activities for Air Transportation. In its account of VerDate Nov<24>2008 16:58 Nov 17, 2009 Jkt 220001 the industry, the U.S. Census Bureau describes firms in this market as ‘‘providing specialized services for air transportation (except air traffic control and other airport operations).’’ 25 The Small Business Administration defines a small business within this NAICS code as one having annual revenues of $7.0 million or less.26 More details about the industry can be obtained by reading the ‘‘Discussion of the Industry and Status Quo’’ section of the Regulatory Evaluation. To estimate the number of small businesses in the aircraft repair station industry affected by this NPRM, TSA accessed information maintained by Dun & Bradstreet, a provider of international and U.S. business data. The data obtained for this effort did not identify the type of maintenance the repair stations are certificated to perform or their location. This made it difficult for TSA to determine compliance costs for the identified small businesses (this is discussed more below). Through its research, TSA obtained Dun & Bradstreet revenue and employment records for 2,276 domestic aircraft repair stations. Of this total, 2,123 reflected small businesses, as defined by SBA, and 153 did not. TSA was unable to find data on the remaining domestic repair stations. For the purposes of this analysis, and to remain conservative in its estimates, TSA assumed that the remaining domestic repair stations are also small. TSA thus estimated that 4,115 of 4,268 domestic aircraft repair stations are small businesses, as defined by SBA. Description and Estimate of Compliance Requirements In order to address the need for security measures at aircraft repair stations and to fulfill the obligations set forth by Congress, TSA is proposing to add a new part 1554 to its regulations, entitled ‘‘Aircraft Repair Station Security.’’ The new part would require all aircraft repair stations that are certificated by the FAA under 14 CFR part 145, both domestic and foreign, to adopt and carry out a security program that includes specific security requirements. The regulations would require repair stations to safeguard aircraft and components located at the 25 U.S. Census Bureau, ‘‘2002 NAICS Definitions.’’ Retrieved from http:// www.census.gov/epcd/naics02/def/ ND488190.HTM#N488190 on January 31, 2007. 26 U.S. Small Business Administration, ‘‘Table of Small Business Size Standards Matched to North American Industry Classification System Codes.’’ http://www.sba.gov/idc/groups/public/documents/ sba_homepage/serv_sstd_tablepdf.pdf. PO 00000 Frm 00013 Fmt 4701 Sfmt 4702 59885 station, the maintenance and repair work conducted there, as well as the repair station’s facilities, as required by 49 U.S.C. 44924. TSA is also proposing changes to its regulations regarding the protection of sensitive security information (SSI) to specify that a repair station security program is categorized as SSI and that the repair station operator or owner is subject to the SSI requirements. The proposed rule would require repair stations to establish security programs. TSA would provide a standard security program that would include the following: Access controls, a personnel identification system, security awareness training, the designation of a security coordinator, employee background verification, and a contingency plan. While repair stations would have some flexibility regarding the particular equipment, facilities, and measures used to comply with the general security requirements, their security methods would need to address each of these requirements in a manner commensurate with the station’s security risk. For example, small repair stations may meet the requirement for a personal identification system through employee recognition and challenge procedures, while TSA would require stations located on or adjacent to an airport and having 50 or more employees to implement a formal badging system. The proposed rule would require each repair station to complete and return to TSA a brief profile form. The profile would identify information, such as whether the repair station is located at an airport,27 the total number of employees, and the number of employees with unescorted access to aircraft with a maximum certificated takeoff weight (MTOW) exceeding 12,500 pounds. These indicators would assist TSA in conducting a risk-based analysis of the repair station in order to determine what measures would be needed to meet the security requirements proposed in the regulations. The proposed regulations also would establish TSA’s authority to conduct security audits, assessments, and inspections in order to ascertain the adequacy of the measures employed by the repair stations to implement and maintain the security requirements. The proposed inspections and appeals processes are described in detail in the NPRM. 27 If located on an airport, whether the repair station participates in the airport security program will impact the repair station’s compliance with the proposed security regulations. E:\FR\FM\18NOP2.SGM 18NOP2 59886 Federal Register / Vol. 74, No. 221 / Wednesday, November 18, 2009 / Proposed Rules In its effort to fulfill the requirements of the RFA, TSA attempted to estimate all costs of complying with the above described requirements for each firm for which it had Dun & Bradstreet data and to calculate those costs as a percent of the repair station’s reported revenues. TSA determined that this methodology would best conclude whether the proposed rule would represent a considerable economic burden to a large number of small businesses. After completing this preliminary analysis (described below), TSA has tentatively concluded that the proposed rule may impose a significant economic impact on a substantial number of small entities. The agency seeks comment on this preliminary conclusion. Compliance costs for the proposed rule would vary across firms. A small business with one employee who only services one component of a particular aircraft may incur very low compliance costs. Such a business is likely to be operated from a small shop or even a private residence. Conversely, a larger repair station that works on more complex systems or even entire aircraft may incur higher costs as a result of this NPRM. These types of facilities may be located at an airport, in an industrial park, or may be part of an aircraft manufacturing facility. For example, in the ‘‘Cost of Compliance’’ section above, TSA estimated repair stations located on or adjacent to an airport would require 8 hours on average to complete their security programs whereas repair stations located off-airport would require only 4. Unfortunately, TSA was unable to pair the data from Dun & Bradstreet with repair station data provided by the FAA. As a result, TSA could not estimate compliance costs particular to repair station characteristics such as whether it is located on an airport or performs substantial maintenance on commercial aircraft. Therefore, in order to characterize compliance costs as a percentage of repair station revenues, TSA estimated unit compliance costs based on weighted averages so as not to underestimate the costs of the rule. As a result, these estimates likely overstate the costs to some small businesses while understating them for others. TSA welcomes comments that will assist it in more accurately estimating compliance costs for small businesses. Using the assumptions and methods described above, TSA estimated the average compliance costs to be about $3,013 for a business with one employee to $4,216 for a business with 45 employees. Of this total, $2,733 represents costs for security coordinators, and $253 represents costs for development and implementation of security programs. The remainder is comprised of employee training costs. These totals exclude costs for repair stations located on or adjacent to an airport and having 50 or more employees to implement a badging system. TSA assumed that firms with 100 or more employees likely already have a badging system. Based on the Dun and Bradstreet data, TSA estimated the average compliance cost for firms reported as having between 50 and 99 employees would be approximately $4,728 before adding costs to implement a badging system. These firms employ an average of 64 individuals. Using the estimate of $25 per badge cited in the Regulatory Evaluation, badges would add an average of nearly $1,600 to these repair stations’ compliance costs, resulting in a total cost of $6,328. Firms having between 50 and 99 employees in the Dun and Bradstreet sample reported average revenue of nearly $6 million. The estimated compliance costs would therefore constitute less than one percent of their annual revenues. Since the proposed ID requirement would affect a subset of these repair stations— only those which are located on or adjacent to an airport—TSA does not believe the proposed ID requirement would result in a significant impact on affected repair stations. Table 32 below shows the distribution of compliance costs, excluding ID costs, as a percent of repair station revenues. TABLE 32—SMALL REPAIR STATION BUSINESS DISTRIBUTION OF COMPLIANCE COST-REVENUE RATIOS Compliance costs as a percentage of revenue Number of small businesses Cumulative percentage of small businesses 692 1,015 1,527 1,712 1,759 2,100 32.6 47.8 71.9 80.6 82.9 98.9 Total .............................................................................................................. sroberts on DSKD5P82C1PROD with PROPOSALS ≤1.0 ...................................................................................................................... ≤2.0 ...................................................................................................................... ≤3.0 ...................................................................................................................... ≤4.0 ...................................................................................................................... ≤5.0 ...................................................................................................................... ≤10.0 .................................................................................................................... 2,123 100.0 The table uses rounded percentages to show that TSA’s initial assessment is that the NPRM may have a significant impact on a substantial number of small businesses. TSA believes that for 47.8 percent of the small businesses, the compliance costs will result in an economic impact of two percent of annual revenue or less, and for 71.9 percent of the small businesses, the compliance costs will be less than three percent of annual revenue. TSA requests comment on these estimates. Significant Alternatives Considered During the course of drafting this NPRM, TSA considered regulatory VerDate Nov<24>2008 16:58 Nov 17, 2009 Jkt 220001 alternatives. These alternatives included requiring security threat assessments for certain repair station employees and requiring each repair station to complete a vulnerability self-assessment. Both of these alternatives would have increased the burden on repair stations and thus on small entities. A description of these alternatives and the reasons they were not adopted can be found in the section of the Regulatory Evaluation titled, ‘‘Alternatives Considered.’’ Additionally, as noted above, TSA requests comment on whether it should exempt certain repair stations after it conducts security reviews and audits. For instance, TSA may consider PO 00000 Frm 00014 Fmt 4701 Sfmt 4702 whether to exempt repair stations that only perform maintenance on small aircraft (aircraft having a maximum certificated takeoff weight of 12,500 pounds or less). To help the agency evaluate the impact of this alternative, TSA requests comments, supported by data, on the number of repair stations that work exclusively on such aircraft and their compliance costs under the proposed rule. Identification of Duplication, Overlap and Conflict With Other Federal Rules TSA has no knowledge of any duplicative, overlapping, or conflicting Federal rules. E:\FR\FM\18NOP2.SGM 18NOP2 Federal Register / Vol. 74, No. 221 / Wednesday, November 18, 2009 / Proposed Rules Preliminary Conclusion Based on this preliminary analysis, TSA believes the proposed requirements may result in a significant economic impact on a substantial number of small entities. However, TSA holds a final assessment in abeyance until such time as information becomes available to facilitate the development of a Final Regulatory Flexibility Analysis (FRFA). TSA requests comments, particularly those supported by data, to inform this process. 4. International Trade Impact Assessment The Trade Agreement Act of 1979 prohibits Federal agencies from engaging in any standards or related activities that create unnecessary obstacles to the foreign commerce of the United States. Legitimate domestic objectives, such as security, are not considered unnecessary obstacles. The statute also requires consideration of international standards and, where appropriate, that they be the basis for U.S. standards. In addition, it is the policy of TSA to remove or diminish, to the extent feasible, barriers to international trade, including both barriers affecting the export of American goods and services to foreign countries and barriers affecting the import of foreign goods and services into the U.S. In keeping with U.S. obligations under the Convention on International Civil Aviation, it is TSA’s policy to comply with International Civil Aviation Organization (ICAO) Standards and Recommended Practices where possible. TSA has determined that there are no ICAO Standards and Recommended Practices that correspond to the regulatory standards established by this notice of proposed rulemaking (NPRM). TSA has assessed the potential effect of this NPRM and has determined that it is unlikely it would create barriers to international trade. The full evaluation provides an analysis of a number of issues directly related to international trade that were considered with this proposed rule. sroberts on DSKD5P82C1PROD with PROPOSALS 5. Unfunded Mandates Reform Act Assessment The Unfunded Mandates Reform Act of 1995 is intended, among other things, to curb the practice of imposing unfunded Federal mandates on State, local, and tribal governments. Title II of the Act requires each Federal agency to prepare a written statement assessing the effects of any Federal mandate in a proposed or final agency rule that may result in a $100 million or more expenditure (adjusted annually for VerDate Nov<24>2008 16:58 Nov 17, 2009 Jkt 220001 59887 inflation) in any one year by State, local, and tribal governments, in the aggregate, or by the private sector; such a mandate is deemed to be a ‘‘significant regulatory action.’’ This rulemaking does not contain such a mandate. The requirements of Title II of the Act, therefore, do not apply. of the EPCA. TSA has also analyzed this proposed rule under E.O. 13211, ‘‘Actions Concerning Regulations That Significantly Affect Energy Supply, Distribution, or Use,’’ 66 FR 28355 (May 18, 2001). TSA has determined that this is not a ‘‘significant energy action’’ under that order. D. Executive Order 13132, Federalism TSA has analyzed this proposed rule under the principles and criteria of Executive Order 13132, Federalism. We have determined that this action will not have a substantial direct effect on the States, on the relationship between the National Government and the States, or on the distribution of power and responsibilities among the various levels of government, and therefore will not have federalism implications. List of Subjects E. Environmental Analysis TSA has reviewed this action under DHS Management Directive 5100.1, Environmental Planning Program (effective April 19, 2006) which guides TSA compliance with the National Environmental Policy Act of 1969 (NEPA) (42 U.S.C. 4321–4347). TSA has determined that this proposal is covered by the following categorical exclusions (CATEX) listed in the DHS directive: Number A3(a) (administrative and regulatory activities involving the promulgation of rules and the development of policies); paragraph A4 (information gathering and data analysis); paragraph A7(d) (conducting audits, surveys, and data collection of a minimally intrusive nature, to include vulnerability, risk, and structural integrity assessments of infrastructures); paragraph B3 (proposed activities and operations to be conducted in existing structures that are compatible with ongoing functions); paragraph B11 (routine monitoring and surveillance activities that support homeland security, such as patrols, investigations, and intelligence gathering), and H1 (approval or disapproval of security plans required under legislative mandates where such plans do not have a significant effect on the environment). In addition, TSA has determined that this proposal meets the three conditions required for a CATEX to apply, as described in paragraph 3.2, (Conditions and Extraordinary Circumstances). F. Energy Impact Analysis The energy impact of this NPRM has been assessed in accordance with the Energy Policy and Conservation Act (EPCA) Public Law 94–163, as amended (42 U.S.C. 6362). TSA has determined that this rulemaking is not a major regulatory action under the provisions PO 00000 Frm 00015 Fmt 4701 Sfmt 4702 49 CFR Part 1520 Air carriers, Aircraft, Aircraft repair stations, Airports, Maritime carriers, Rail hazardous materials receivers, Rail hazardous materials shippers, Rail transit systems, Railroad carriers, Railroad safety, Railroads, Reporting and recordkeeping requirements, Security measures, Vessels. 49 CFR Part 1554 Aircraft, Aircraft repair stations, Aviation safety, Reporting and recordkeeping requirements, Security measures. The Proposed Amendment In consideration of the foregoing, the Transportation Security Administration proposes to amend Chapter XII of Title 49, Code of Federal Regulations, to read as follows: Subchapter B—Security Rules for All Modes of Transportation PART 1520—PROTECTION OF SENSITIVE SECURITY INFORMATION 1. The authority citation for part 1520 continues to read as follows: Authority: 46 U.S.C. 70102–70106, 70117; 49 U.S.C. 114, 40113, 44901–44907, 44913– 44914, 44916–44918, 44935–44936, 44942, 46105. 2. In § 1520.5, revise paragraph (b)(1)(i) to read as follows: § 1520.5 Sensitive security information. * * * * * (b) * * *; (1) * * *; (i) Any aircraft operator, airport operator, fixed base operator, repair station, or air cargo security program, or security contingency plan under this chapter; * * * * * 3. In § 1520.7, add paragraph (o) to read as follows: § 1520.7 Covered persons. * * * * * (o) Each operator or owner of an aircraft repair station required to have a security program under part 1554 of this chapter. E:\FR\FM\18NOP2.SGM 18NOP2 59888 Federal Register / Vol. 74, No. 221 / Wednesday, November 18, 2009 / Proposed Rules Subchapter C—Civil Aviation Security § 1554.5 PART 1554—AIRCRAFT REPAIR STATION SECURITY Subpart A—General Sec. 1554.1 Scope and purpose. 1554.3 Terms used in this part. 1554.5 TSA inspection authority. Subpart B—Security Program 1554.101 Adoption and implementation. 1554.103 Security Program content, availability, and amendment. 1554.105 Security Directives. Subpart C—Compliance and Enforcement 1554.201 Notification of security deficiencies; suspension of certificate. 1554.203 Immediate risk to security; revocation of certificate and review process. 1554.205 Nondisclosure of certain information. Authority: 49 U.S.C. 114, 40113, 44903, 44924. Subpart A—General § 1554.1 Scope and purpose. This part applies to domestic and foreign repair stations that are certificated by the Federal Aviation Administration pursuant to 14 CFR part 145 except for a repair station certificated by the Federal Aviation Administration at which the U.S. Government has assumed responsibility for security. The purpose of this part is to provide for the security of maintenance and repair work conducted on aircraft and aircraft components at domestic and foreign repair stations, of the aircraft and aircraft components located at the repair stations, and of the repair station facilities, as required in 49 U.S.C. 44924. sroberts on DSKD5P82C1PROD with PROPOSALS § 1554.3 Terms used in this part. In addition to the terms in §§ 1500.3 and 1540.5 of this chapter, the following terms apply in this part: Repair station means a domestic or foreign facility certificated by the Federal Aviation Administration pursuant to 14 CFR part 145 that is authorized to perform maintenance, preventive maintenance, or alterations of an aircraft, airframe, aircraft engine, propeller, appliance, or component part. (1) Domestic repair station means a repair station located within the fifty States, the District of Columbia, or the territories and possessions of the United States. (2) Foreign repair station means a repair station located outside the fifty States, the District of Columbia, or the territories and possessions of the United States. VerDate Nov<24>2008 16:58 Nov 17, 2009 Jkt 220001 TSA inspection authority. (a) General. Each repair station must allow TSA and other authorized DHS officials, at any time and in a reasonable manner, without advance notice, to enter, conduct any audits, assessments, tests, or inspections of any property, facilities, equipment, and operations; and to view, inspect, and copy records as necessary to carry out TSA’s securityrelated statutory or regulatory authorities, including its authority to— (1) Assess threats to transportation security; (2) Enforce security-related regulations, directives, and requirements; (3) Inspect, maintain, and test security facilities, equipment, and systems; (4) Ensure the adequacy of security measures; (5) Verify the implementation of security measures; (6) Review security programs; and, (7) Carry out such other duties, and exercise such other powers, relating to transportation security as the Assistant Secretary of Homeland Security for the TSA considers appropriate, to the extent authorized by law. (b) Evidence of compliance. At the request of TSA, each repair station operator must provide evidence of compliance with its security program and with this part, including copies of records. (1) All records required under this part must be available in English. (2) All responses and submissions provided to TSA or its designee, pursuant to this part, must be in English, unless otherwise requested by TSA. (c) Access to repair station. (1) TSA and DHS officials working with TSA may enter, without advance notice, and be present within any area without access media or identification media issued or approved by the repair station in order to inspect, test, or perform any other such duties as TSA may direct. (2) Repair stations may request TSA inspectors and DHS officials working with TSA to present their credentials for examination, but the credentials may not be photocopied or otherwise reproduced. Subpart B—Security Program § 1554.101 Adoption and implementation. (a) General. Each repair station must adopt and carry out a security program to safeguard aircraft and aircraft components located within the repair station and its facilities, the repair and maintenance work conducted at the repair station, and the repair station facility itself. PO 00000 Frm 00016 Fmt 4701 Sfmt 4702 (b) Repair station profile. No later than 30 calendar days after final rules are published in the Federal Register or no later than 30 calendar days after FAA certification, each repair station must submit a profile in a manner prescribed by TSA. Each repair station must report changes in profile information as specified by TSA within 30 calendar days of the date of the change. (c) Repair station security program. Unless otherwise authorized by TSA, each repair station must use the TSA standard repair station security program. § 1554.103 Security program content, availability, and amendment. (a) Content of security program. Each security program must— (1) Include measures to identify all individuals who are authorized to enter the repair station to prevent unauthorized individuals from entering the repair station. (2) Include measures to control access to the repair station. Such measures must be designed to prevent, detect and resolve any unauthorized entry, presence, and movement of individuals and vehicles into or within the repair station. (3) Include measures to control access to the aircraft and aircraft components to allow only authorized individuals to have access to the aircraft and aircraft components within the repair station. (4) Include measures to challenge any individual entering the repair station or who is present in the repair station to ascertain the authority of that individual to enter or be present in the area and measures to escort an unauthorized individual while within the repair station. (5) Include measures to conduct initial and recurrent security training of all individuals with authorized access to aircraft and components on the provisions of this part and the security program and to maintain a record of training completed by each employee. (6) Include measures to verify employee background information through confirmation of prior employment and any other means as appropriate to validate employee information. (7) Include the name, means of contact on a 24 hour basis, duties, and training requirements of the security coordinator(s) who will serve as the primary and immediate contact for security-related activities and communications with TSA. (8) Include a contingency plan. (9) Include a diagram with dimensions detailing boundaries and physical features of the repair station. E:\FR\FM\18NOP2.SGM 18NOP2 Federal Register / Vol. 74, No. 221 / Wednesday, November 18, 2009 / Proposed Rules (10) Include a list and description of all repair station entry points. (11) Include an emergency response contact list. (12) Be in writing and signed by the operator, owner, or any person delegated authority in this matter. (b) Availability. (1) The repair station security program must— (i) Be written both in English and in the official language of the repair station’s country. (ii) Be accessible at each facility. (2) Each repair station must restrict the distribution, disclosure, and availability of sensitive security information (SSI) as defined in part 1520 of this chapter to persons with a need to know and refer all requests for SSI by other persons to TSA. (c) Amendment. (1) A repair station must notify TSA of any amendment to the standard security program. (2) If TSA finds that there is a situation requiring immediate action to respond to a security threat, TSA may issue an emergency amendment to the standard security program. TSA will provide an explanation of the reason for the amendment. Each repair station must acknowledge receipt and adopt the emergency amendment within the time prescribed. If a repair station is unable to implement the emergency amendment, the repair station immediately must notify TSA to obtain approval of alternative measures. sroberts on DSKD5P82C1PROD with PROPOSALS § 1554.105 Security Directives. (a) General. When TSA determines that additional security measures are necessary to respond to a threat assessment or to a specific threat against civil aviation, TSA issues a Security Directive setting forth mandatory measures. (b) Compliance. Each repair station required to have a security program must comply with each Security Directive TSA issues to the repair station within the time prescribed. Each repair station that receives a Security Directive must— (1) Verbally acknowledge receipt of the Security Directive. (2) Specify the method by which security measures have been or will be implemented to meet the effective date. (3) Notify TSA to obtain approval of alternative measures, if the repair station is unable to implement the measures in the Security Directive. (c) Availability. Each repair station that receives a Security Directive and each person who receives information from a Security Directive must— (1) Restrict the availability of the Security Directive and the information contained in the document to persons who have an operational need to know. VerDate Nov<24>2008 16:58 Nov 17, 2009 Jkt 220001 (2) Refuse to release the Security Directive or the information contained in the document to persons other than those who have an operational need to know without the prior written consent of TSA. Subpart C—Compliance and Enforcement § 1554.201 Notification of security deficiencies; suspension of certificate. (a) General. Each repair station that does not establish and carry out a security program, as specified in this part, may be subject to suspension of its FAA certificate, as provided by 49 U.S.C. 44924(c)(1). (b) Notice of security deficiencies. TSA provides written notification to a repair station and to the FAA of any security deficiency identified by TSA. (c) Response. A repair station must provide TSA with a written explanation in English of all efforts, methods, and procedures used to correct the security deficiencies identified by TSA within 45 days of receipt of the written notification described in paragraph (b) of this section. (d) Suspension of certificate. If the repair station does not correct security deficiencies within 90 days of the repair station’s receipt of the written notice of security deficiencies, or if TSA determines that the security deficiencies have not been addressed sufficiently to comply with this section, TSA provides written notification to the repair station and to the FAA that the station’s certificate shall be suspended. The notification includes an explanation of the basis for the suspension. The suspension remains in place until such time as TSA determines that the security deficiencies have been corrected. (e) Reply. No later than 20 calendar days after the date of receipt of the notification of suspension, the repair station may serve upon TSA a written request for review of the basis for the determination that the security deficiencies have not been addressed sufficiently. The request must be in English and may include any information that the repair station believes TSA should consider regarding its determination. The suspension remains in effect until the review is complete. (f) TSA Review. Not later than 30 calendar days, or such longer period as TSA may determine for good cause, after TSA receives the repair station’s request for review, TSA reviews its initial determination and issue a Final Determination on the repair station and PO 00000 Frm 00017 Fmt 4701 Sfmt 4702 59889 the FAA in accordance with this paragraph. (1) TSA considers the initial notification, the repair station’s reply, and any other relevant materials before issuing the Final Determination. (2) If TSA determines that security deficiencies exist and have not been addressed, TSA serves upon the repair station and the FAA a Final Determination. The Final Determination shall include a statement that TSA has reviewed all of the relevant information available and has determined that the repair station is not in compliance with this section. (3) If TSA determines that security deficiencies do not exist or have been corrected in a manner consistent with the requirements of this part, TSA notifies the repair station and the FAA that the repair station’s certification may be reinstated. § 1554.203 Immediate risk to security; revocation of certificate and review process. (a) Notice. TSA determines whether any repair station poses an immediate risk to security. If such a determination is made, TSA provides written notification of its determination to the repair station and to the FAA that the certificate must be revoked. The notification includes an explanation of the basis for the revocation. TSA does not include classified information or other information described in paragraph (e) of this section. (b) Request for review. Not later than 30 days after receipt of the notice, a repair station may file a request for review of the determination that the repair station poses an immediate risk to security. The revocation remains in effect until the review is complete. The request must be made in writing, in English, signed by the repair station operator or owner, and include— (1) A statement that a review is requested; and (2) A response to the determination of immediate risk to security, including any information TSA should consider in reviewing the basis for the determination. (c) TSA Review. Not later than 30 calendar days, or such longer period as TSA may determine for good cause, after TSA receives the repair station’s request for review, TSA examines the basis for the determination that the repair station poses an immediate risk to security, the repair station’s response, and any other relevant materials. (d) Final determination. If TSA determines that the repair station poses an immediate risk to security, the TSA Assistant Secretary or his or her E:\FR\FM\18NOP2.SGM 18NOP2 59890 Federal Register / Vol. 74, No. 221 / Wednesday, November 18, 2009 / Proposed Rules sroberts on DSKD5P82C1PROD with PROPOSALS designee reviews the notification, the materials upon which the notification was based, the repair station’s response and any other available information. If the TSA Assistant Secretary or his or her designee determines that the repair station continues to pose an immediate risk to security, the TSA Assistant Secretary or his or her designee submits to the repair station and to the FAA a Final Determination. The Final Determination includes a statement that the TSA Assistant Secretary or his or her designee personally has reviewed all VerDate Nov<24>2008 16:58 Nov 17, 2009 Jkt 220001 of the relevant information available and has determined that the repair station poses an immediate risk to security. If TSA determines that the repair station does not pose an immediate risk to security, TSA notifies the repair station and the FAA. A Final Determination constitutes a final agency action for purposes of 49 U.S.C. 46111. § 1554.205 Nondisclosure of certain information. In connection with the procedures under this subpart, TSA does not PO 00000 Frm 00018 Fmt 4701 Sfmt 4702 disclose classified information, as defined in Executive Order 12968 section 1.1(d), and TSA reserves the right not to disclose any other information or material not warranting disclosure or protected from disclosure under law or regulation. Issued in Arlington, Virginia, on November 12, 2009. Gale Rossides, Acting Administrator. [FR Doc. E9–27624 Filed 11–17–09; 8:45 am] BILLING CODE 9110–05–P E:\FR\FM\18NOP2.SGM 18NOP2

Agencies

[Federal Register Volume 74, Number 221 (Wednesday, November 18, 2009)]
[Proposed Rules]
[Pages 59874-59890]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E9-27624]



[[Page 59873]]

-----------------------------------------------------------------------

Part V





Department of Homeland Security





-----------------------------------------------------------------------



Transportation Security Administration



-----------------------------------------------------------------------



49 CFR Parts 1520 and 1554



Aircraft Repair Station Security; Proposed Rule

Federal Register / Vol. 74 , No. 221 / Wednesday, November 18, 2009 / 
Proposed Rules

[[Page 59874]]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Transportation Security Administration

49 CFR Parts 1520 and 1554

[Docket No. TSA-2004-17131]
RIN 1652-AA38


Aircraft Repair Station Security

AGENCY: Transportation Security Administration (TSA), DHS.

ACTION: Notice of proposed rulemaking (NPRM).

-----------------------------------------------------------------------

SUMMARY: TSA is proposing to issue regulations to improve the security 
of domestic and foreign aircraft repair stations as required by the 
Vision 100-Century of Aviation Reauthorization Act. The proposed 
regulations establish requirements for repair stations that are 
certificated by the Federal Aviation Administration (FAA) under 14 CFR 
part 145 to adopt and implement a standard security program and to 
comply with security directives issued by TSA. This rule proposes to 
codify the scope of TSA's existing inspection program and to require 
regulated parties to allow TSA and Department of Homeland Security 
(DHS) officials to enter, inspect, and test property, facilities, and 
records relevant to repair stations. The proposed regulations also 
provide procedures for TSA to notify repair stations of any 
deficiencies in their security programs, and to determine whether a 
particular repair station presents an immediate risk to security. The 
proposal includes a process whereby a repair station may seek review of 
a determination by TSA that the station has not adequately addressed 
security deficiencies or that the repair station poses an immediate 
risk to security.

DATES: Submit comments by January 19, 2010.

ADDRESSES: You may submit comments, identified by Docket No. TSA-2004-
17131, to the Federal Docket Management System (FDMS), a government-
wide, electronic docket management system, using any one of the 
following methods:
    Electronically: You may submit comments through the Federal 
eRulemaking portal at http://www.regulations.gov. Follow the online 
instructions for submitting comments.
    Mail, Fax, or In Person: Address, hand-deliver, or fax your written 
comments to the Docket Management System, U.S. Department of 
Transportation, 1200 New Jersey Avenue SE., West Building Ground Floor, 
Room W12-140, Washington, DC 20590-0001; Fax: 202-493-2251. The 
Department of Transportation (DOT), which maintains and processes TSA's 
official regulatory dockets, will scan the submission and post it to 
FDMS.
    See SUPPLEMENTARY INFORMATION for format and other information 
about comment submissions.

FOR FURTHER INFORMATION CONTACT: Celio Young, Office of Security 
Operations, TSA-29, Transportation Security Administration, 601 South 
12th Street, Arlington, VA 20598-6029; telephone (571) 227-3580; 
facsimile (571) 227-1905; e-mail celio.young@dhs.gov.

SUPPLEMENTARY INFORMATION:

Comments Invited

    TSA invites interested persons to participate in this rulemaking by 
submitting written comments, data, or views. We also invite comments 
relating to the economic, environmental, energy, recordkeeping, or 
federalism impacts that might result from adopting the proposals in 
this document. See ADDRESSES above for information on where to submit 
comments.
    With each comment, please identify the docket number at the 
beginning of your comments. TSA encourages commenters to provide their 
names and addresses. The most helpful comments reference a specific 
portion of the rulemaking, explain the reason for any recommended 
change, and include supporting data. You may submit comments and 
material electronically, in person, or by mail as provided under 
ADDRESSES, but please submit your comments and material by only one 
means. If you submit comments by mail or delivery, submit them in two 
copies, in an unbound format, no larger than 8.5 by 11 inches, suitable 
for copying and electronic filing.
    If you want TSA to acknowledge receipt of your comments submitted 
by mail, include with your comments a self-addressed, stamped postcard 
on which the docket number appears. We will stamp the date on the 
postcard and mail it to you.
    TSA will file in the public docket address, as well as items sent 
to the address or email under FOR FURTHER INFORMATION CONTACT, in the 
public docket, except for comments containing confidential information 
and sensitive security information (SSI).\1\ Should you wish your 
personally identifiable information redacted prior to filing in the 
docket, please so state. TSA will consider all comments that are in the 
docket on or before the closing date for comments and will consider 
comments filed late to the extent practicable. The docket is available 
for public inspection before and after the closing date.
---------------------------------------------------------------------------

    \1\ ``Sensitive Security Information'' or ``SSI'' is information 
obtained or developed in the conduct of security activities, the 
disclosure of which would constitute an unwarranted invasion of 
privacy, reveal trade secrets or privileged or confidential 
information, or be detrimental to the security of transportation. 
The protection of SSI is governed by 49 CFR part 1520.
---------------------------------------------------------------------------

Handling of Confidential or Proprietary Information and Sensitive 
Security Information (SSI) Submitted in Public Comments

    Do not submit comments that include trade secrets, confidential 
commercial or financial information, or SSI to the public regulatory 
docket. Please submit such comments separately from other comments on 
the rulemaking. Comments containing this type of information should be 
appropriately marked as containing such information and submitted by 
mail to the address listed in FOR FURTHER INFORMATION CONTACT section.
    TSA will not place comments containing SSI in the public docket and 
will handle them in accordance with applicable safeguards and 
restrictions on access. TSA will hold documents containing SSI, 
confidential business information, or trade secrets in a separate file 
to which the public does not have access, and place a note in the 
public docket explaining that commenters have submitted such documents. 
TSA may include a redacted version of the comment in the public docket. 
If an individual requests to examine or copy information that is not in 
the public docket, TSA will treat it as any other request under the 
Freedom of Information Act (FOIA) (5 U.S.C. 552) and the Department of 
Homeland Security's (DHS') FOIA regulation found in 6 CFR part 5.

Reviewing Comments in the Docket

    Please be aware that anyone is able to search the electronic form 
of all comments received into any of our dockets by the name of the 
individual submitting the comment (or signing the comments, if 
submitted on behalf of an association, business, labor union, etc.). 
You may review the applicable Privacy Act statement published in the 
Federal Register on April 11, 2000 (65 FR 19477) and modified on 
January 17, 2008 (73 FR 3316).
    You may review TSA's electronic public docket on the Internet at 
http://www.regulations.gov. In addition, DOT's Docket Management 
Facility provides a physical facility, staff, equipment, and

[[Page 59875]]

assistance to the public. To obtain assistance or to review comments in 
TSA's public docket, you may visit this facility between 9 a.m. to 5 
p.m., Monday through Friday, excluding legal holidays, or call (202) 
366-9826. This docket operations facility is located in the West 
Building Ground Floor, Room W12-140 at 1200 New Jersey Avenue, SE., 
Washington, DC 20590.

Availability of Rulemaking Document

    You may obtain an electronic copy using the Internet by
    (1) Searching the Federal Docket Management System (FDMS) Web page 
at http://www.regulations.gov;
    (2) Accessing the Government Printing Office's Web page at http://www.gpoaccess.gov/fr/index.html; or
    (3) Visiting TSA's Security Regulations Web page at http://www.tsa.gov and accessing the link for ``Research Center'' at the top 
of the page.
    In addition, copies of the rulemaking document are available by 
writing or calling the individual in the FOR FURTHER INFORMATION 
CONTACT section. Make sure to identify the docket number of this 
rulemaking.

Outline of the Notice of Proposed Rulemaking

I. Background
    A. Introduction
    B. Statutory Requirements
    C. Summary of Proposed Rule
    D. FAA Safety Regulations
    E. Public Listening Session and Comments
    F. Repair Station Site Visits
II. Summary of the Proposed Rule
    A. Repair Station Standard Security Program
    B. Repair Station Profile
    C. Security Inspections
    D. Immediate Risk to Security
III. Section-by-Section Analysis
IV. Rulemaking Analyses and Notices
    A. Paperwork Reduction Act
    B. International Compatibility
    C. Regulatory Impact Analyses
    1. Regulatory Evaluation Summary
    2. Executive Order 12866 Assessment
    3. Initial Regulatory Flexibility Analysis (IRFA)
    4. International Trade Impact Assessment
    5. Unfunded Mandates Reform Act Assessment
    D. Executive Order 13132, Federalism
    E. Environmental Analysis
    F. Energy Impact Analysis

I. Background

A. Introduction

    Civil aviation remains a target of terrorist activity worldwide. 
Terrorists continue to seek opportunities to destroy public confidence 
in the safety and security of travel, deny the ability of the public to 
move and travel freely, and damage international economic security.
    TSA is proposing to issue regulations to provide for the security 
of maintenance and repair work conducted on aircraft and aircraft 
components at domestic and foreign repair stations, of the aircraft and 
aircraft components located at these repair stations, and of the repair 
station facilities as required by Vision 100--Century of Aviation 
Reauthorization Act, codified at 49 U.S.C. 44924 (Vision 100).
    For purposes of this rulemaking, ``repair stations'' are those 
facilities certificated by the FAA to perform maintenance, repair, 
overhaul, or alterations on U.S. aircraft or aircraft components, 
including engines, hydraulics, avionics, safety equipment, airframes, 
and interiors. According to the FAA, there are 4,227 domestic repair 
stations located in the United States and 694 foreign repair stations 
located outside the United States that have an FAA certificate under 
part 145 of the FAA's rules.\2\
---------------------------------------------------------------------------

    \2\ FAA Fact Sheet, ``FAA Oversight of Repair Stations,'' March 
29, 2007. See ``FAA Certificated Repair Stations Directory,'' 
Advisory Circular (AC) 140-7R, for a list of FAA certificated repair 
stations.
---------------------------------------------------------------------------

    In addition, for purposes of this rulemaking, the term 
``component'' includes any article, airframe, aircraft engine, 
propeller, appliance, or part that is under repair. The term is used 
broadly to encompass both articles and appliances as defined by the 
FAA.\3\
---------------------------------------------------------------------------

    \3\ See 14 CFR 1.1 and 145.3(b).
---------------------------------------------------------------------------

    Aircraft repair stations vary widely in size, type of repair work 
performed, number of employees, and proximity to an airport. The FAA 
issues ratings to certificated repair stations for the work that can be 
performed at the repair station.\4\ These include airframe ratings, 
power plant ratings, propeller ratings, radio ratings, instrument 
ratings, and accessory ratings. Within each rating there are different 
classes for particular aircraft and equipment. The FAA also issues 
limited ratings for certificated repair stations that only work on a 
particular type of airframe or equipment or performs only specialized 
maintenance operations.\5\ The FAA certificates repair stations with 
few employees located in industrial parks and in residences that may 
work on small components, such as aircraft radios or seat cushions, as 
well as repair stations with many employees that perform major aircraft 
overhauls located in close proximity to an airport runway.\6\ Because 
repair station characteristics vary widely, TSA believes that existing 
security measures, as well as the corresponding security threat, also 
vary widely.
---------------------------------------------------------------------------

    \4\ 14 CFR 145.59.
    \5\ 14 CFR 145.61.
    \6\ Approximately 2,803 domestic repair stations have fifteen or 
fewer employees and 1,407 have five or fewer employees. 
Approximately 3,000 certificated domestic repair stations are not 
located on an airport.
---------------------------------------------------------------------------

    Repair stations are closely regulated and monitored by the FAA and 
both the FAA and the air carriers inspect work done at repair stations. 
FAA performance standards for foreign and domestic repair stations are 
the same. While the FAA has implemented extensive safety requirements 
for both foreign and domestic repair stations, supplementing those 
requirements with specific security measures for both foreign and 
domestic repair stations would further reduce the likelihood that 
terrorists would be able to gain access to aircraft under repair at a 
repair station. As terrorist organizations continue to seek new and 
creative means of using aircraft to undermine the security and safety 
of the traveling public, the importance of requiring all aircraft 
repair stations to have measures in place to prevent persons from 
commandeering, tampering, or sabotaging aircraft has increased as well. 
Enhancement of repair station security will mitigate the potential 
threat that an aircraft could be used as a weapon or that an aircraft 
could be destroyed.
    This rulemaking sets forth proposed regulations to require all FAA 
certificated repair stations to adopt and carry out a standard security 
program. The proposed regulations list performance standards for 
security measures that would be included in the standard security 
program. The proposed regulations also would require repair stations to 
carry out Security Directives issued by TSA in the event of a specific 
threat.
    In addition, the proposed regulations codify the scope of TSA's 
authority to conduct inspections of both domestic and foreign repair 
stations. The proposed regulations also provide procedures for TSA to 
notify repair stations of deficiencies in their security program and to 
determine whether a particular repair station represents an immediate 
risk to security. Finally, the proposal contains a process whereby a 
repair station may seek review of a determination by TSA that security 
deficiencies have not been addressed or that the repair station poses 
an immediate risk to security.

B. Statutory Requirements

    Vision 100 requires DHS to promulgate security regulations for 
domestic and foreign aircraft repair

[[Page 59876]]

stations.\7\ The statute includes the following additional requirements 
regarding security audits of foreign repair stations:
---------------------------------------------------------------------------

    \7\ This section of Vision 100 is codified at 49 U.S.C. 44924. 
The requirement to promulgate regulations is described in 49 U.S.C. 
44924(f). The statute also requires that the Under Secretary for 
Border and Transportation Security issue the final regulations. The 
Under Secretary delegated authority for issuing such regulations to 
TSA on September 16, 2005. TSA sent a Report to Congress on August 
24, 2004, as required at 49 U.S.C. 44924(g).
---------------------------------------------------------------------------

     TSA must complete a security review and audit of foreign 
repair stations certificated by the FAA no later than six months after 
regulations are issued.\8\ When conducting the audit, TSA must give 
priority to those repair stations that pose a significant risk to 
security. If security audits are not completed within six months from 
the date regulations are issued, the FAA is barred from certificating 
any new foreign repair stations until the security audits are completed 
for existing repair stations.
---------------------------------------------------------------------------

    \8\ In the Implementing Recommendations of the 9/11 Commission 
Act of 2007 (Pub. L. 110-53, 121 Stat. 266, Aug. 3, 2007), the 
original 18-month deadline for completing security inspections of 
foreign repair stations was reduced to 6 months.
---------------------------------------------------------------------------

     TSA must notify the FAA of any security issues or 
vulnerabilities identified during the audit and require foreign repair 
stations to address any such issues or vulnerabilities within 90 days. 
If, after 90 days, TSA determines that the foreign repair station does 
not maintain and carry out effective security measures, TSA must notify 
the FAA and the FAA must suspend the repair station's certificate until 
such time as TSA determines that the repair station does maintain and 
carry out effective security measures.
     TSA must notify the FAA if TSA determines that a foreign 
repair station poses an immediate risk to security and the FAA must 
revoke the repair station's certificate. TSA must establish an appeal 
procedure to be used when a certificate is revoked.

C. Summary of Proposed Rule

    TSA is proposing regulations to:
     Codify TSA's inspection authority.
     Require foreign and domestic repair stations certificated 
by the FAA under part 145 of the FAA's rules to allow TSA and DHS 
officials to enter, inspect, audit, and test property, facilities, and 
records relevant to repair stations.
     Require foreign and domestic repair stations certificated 
by the FAA to adopt and carry out a standard security program issued by 
TSA to safeguard the security of the repair station, the repair work 
conducted at the repair station, and all aircraft and aircraft 
components at the repair station.
     Require each security program to describe the specific 
measures the repair station has implemented to identify individuals 
authorized access to the repair station, aircraft, and aircraft 
components; control access to the repair station, aircraft, and 
aircraft components; challenge individuals who are not authorized 
access and use escort measures for authorized visitors; provide 
security awareness training to all employees; verify employee 
background information; designate a security coordinator; and establish 
a contingency plan.
     Require each repair station to comply with Security 
Directives issued by TSA.
     Establish a process to notify the FAA to suspend a 
certificate upon written notification by TSA that a repair station has 
not corrected security deficiencies identified during a security audit 
within 90 days and to permit appeal of a certificate suspension.
     Establish a process to notify the FAA to revoke a 
certificate upon written notification by TSA that a repair station is 
an immediate risk to security and to permit appeal of a certificate 
revocation.
    In developing these proposals, TSA has consulted with FAA officials 
responsible for repair station safety matters.

D. FAA Safety Regulations

    The security regulations proposed in this NPRM are designed to 
build upon the extensive certification and safety requirements for 
repair stations instituted by the FAA. The FAA certificates repair 
stations, as well as repairmen who work in repair stations.\9\ The FAA 
requires that in order to receive certification, repair stations must 
establish and maintain a quality control system acceptable to the FAA 
that ensures the airworthiness of the articles on which the repair 
station or any of its contractors performs maintenance, preventive 
maintenance, or alterations.\10\ The quality control system must 
describe the procedures the repair station uses to inspect incoming raw 
materials, perform preliminary inspection of all articles that are 
maintained at the repair station, qualify and monitor noncertificated 
persons who perform maintenance, preventive maintenance, or alterations 
for repair stations, and conduct final inspections of maintained 
articles. In addition, the FAA requires that a certificated repair 
station inspect each article upon which it has performed maintenance, 
preventive maintenance, or alterations before approving that article 
for return to service.\11\ The FAA conducts safety inspections of both 
foreign and domestic repair stations.
---------------------------------------------------------------------------

    \9\ See 14 CFR part 145 and 14 CFR part 65. While the FAA only 
certificates certain repair station personnel who work in the United 
States, it does require that those repair station personnel located 
outside the United States have practical experience or training in 
the work being performed. Supervisors in repair stations located 
outside the United States must understand, read, and write English. 
14 CFR 145.153.
    \10\ 14 CFR 145.211.
    \11\ 14 CFR 145.211.
---------------------------------------------------------------------------

    While these quality control measures provide a significant layer of 
protection and oversight of the components and aircraft under repair, 
the proposed regulations would supplement those measures by requiring 
that FAA certificated repair stations also adopt and carry out a 
security program that would include procedures to control access to the 
repair station itself, the components and aircraft under repair, and 
the work being performed; verify the identity of repair station 
employees; and establish a security coordinator to serve as the point 
of contact for security-related matters.

E. Public Listening Session and Comments

    On February 27, 2004, TSA held a public listening session to 
receive input from stakeholders and other interested parties on repair 
station security issues. TSA also invited written comments to be 
submitted by March 29, 2004.\12\ TSA requested specific comments on the 
following issues:
---------------------------------------------------------------------------

    \12\ 69 FR 8357 (Feb. 24, 2004).
---------------------------------------------------------------------------

     Security measures that are currently deployed.
     Existing security vulnerabilities.
     Standards that should be in place to prevent unauthorized 
access, tampering, and any other security breaches.
     Current security system costs.
     Whether security requirements should be tailored to the 
type of authorization the repair station holds, number of employees, 
proximity to an airport, number of repairs completed, or other 
characteristics.
     Whether aircraft operators should play a role in ensuring 
that repair stations maintain a secure workplace.
     Whether any repair station operator has experienced a 
breach in security.
    Twelve parties, representing air carriers, repair station operators 
and employees, manufacturers, and unions, spoke during the public 
meeting.\13\ While several parties questioned the need for security 
regulations, most

[[Page 59877]]

recognized the importance of protecting the security of the aircraft, 
the maintenance work that repair stations perform on aircraft and 
aircraft components, and the facility itself, noting that TSA is 
required by statute to develop such regulations. Most parties also 
agreed that the regulations should be tailored to reflect security 
measures that may already be in place, as well as other factors, such 
as those listed by TSA in its request for comments. Concerns were 
expressed regarding the expedited timing of the regulations and the 
security audits, the potential financial burdens resulting from the 
imposition of new regulations, particularly on small repair stations, 
and the appeal process. Several parties recommended that the 
regulations define what constitutes an ``immediate risk to security,'' 
as well as ``existing repair stations.'' Other parties discussed 
security initiatives that had been employed at their facilities since 
September 11, 2001.
---------------------------------------------------------------------------

    \13\ A transcript of the public meeting and copies of all filed 
comments are available in docket number TSA-2004-17131 at http://regulations.gov/search.
---------------------------------------------------------------------------

    TSA also received 21 written comments, representing the views of 
repair station operators and employees, unions, air carriers, aircraft 
owners, and manufacturers regarding potential security regulations. The 
majority of those submitting written comments also supported the need 
for security regulations, and agreed that the regulations should be 
tailored to reflect the particular characteristics of a repair station. 
Some commenters suggested that TSA include general security criteria 
for domestic and foreign repair stations and others offered 
recommendations regarding specific provisions that should be included 
in the regulations, such as access controls, personnel identification, 
employee background checks, and security awareness training. The 
comments provide valuable input as to how repair station security 
issues should be addressed and the proposal reflects many of the 
issues, as well as the recommendations, contained in these initial 
comments. TSA looks forward to receiving further comments on the 
proposed regulations.

F. Repair Station Site Visits

    In addition to the information gathered during the public listening 
session and through written comments, TSA visited repair stations to 
conduct research on the physical characteristics of repair stations, 
the type of repair work performed, and the extent of security measures 
that had been implemented. The following site visits were conducted:
     June 2005--1 repair station in Hamburg, Germany, and 1 
repair station in Amsterdam, the Netherlands.
     August 2005--5 repair stations in Singapore.
     November 2006--9 repair stations in the state of Arizona.
     December 2006--3 repair stations in Naples, Italy.
     January 2007--3 repair stations in the state of Georgia.
     May 2007--1 repair station in Singapore and 1 repair 
station in Guangzhou, China.
     July 2007--1 repair station in Teterboro, New Jersey.
     May 2008--3 repair stations in Bogota, Colombia.
    These repair station site visits provided valuable insight into the 
different types of facilities certificated by the FAA, the different 
types of repair work conducted at the facilities, and the different 
types of security measures deployed by the various facilities. All of 
the stations visited had some security measures in place. For example, 
one foreign repair station had over 10,000 employees with many 
buildings and its own airport. This facility had perimeter fencing, 
security guards, and surveillance cameras to control access to the 
facility. Its employees were required to display identification media. 
Another foreign repair station had only seven employees and was located 
at an industrial park. That facility was planning to install 
surveillance cameras to be monitored by a private security company. In 
two countries the government had mandated security requirements for 
certain repair stations.
    In the United States, one domestic repair station facility with 40 
employees relied on personal recognition to identify individuals 
authorized entry into the facility, while another domestic repair 
station with fifteen employees used identification media and 
surveillance cameras. By conducting these site visits, TSA was able to 
study security measures already deployed and develop a proposal that 
reflects repair station diversity.

II. Summary of the Proposed Rule

    TSA proposes to add a new part 1554 to its regulations, entitled 
``Aircraft Repair Station Security.'' The new part would require 
aircraft repair stations that are certificated by the FAA under 14 CFR 
part 145, both domestic and foreign, to adopt and carry out a standard 
security program. The regulations would require repair stations to 
safeguard the security of the aircraft and components located at the 
station, the maintenance and repair work performed there, as well as 
the repair station's facilities as required by 49 U.S.C. 44924. For a 
more detailed discussion of the proposed regulations, see the Section-
by-Section Analysis portion of this preamble.
    TSA is also proposing changes to its regulations regarding the 
protection of sensitive security information (SSI) to specify that a 
repair station security program is categorized as SSI and that the 
repair station operator or owner is subject to the SSI requirements 
described in 49 CFR part 1520.\14\
---------------------------------------------------------------------------

    \14\ ``Sensitive Security Information'' or ``SSI'' is 
information obtained or developed in the conduct of security 
activities, the disclosure of which would constitute an unwarranted 
invasion of privacy, reveal trade secrets or privileged or 
confidential information, or be detrimental to the security of 
transportation. The protection of SSI is governed by 49 CFR part 
1520.
---------------------------------------------------------------------------

A. Repair Station Standard Security Program

    FAA certificated repair stations, whether located at airports that 
have a TSA security program,\15\ at general aviation airports, or at 
off airport properties, could be a target of terrorist activity and TSA 
is proposing that each FAA certificated repair station implement and 
carry out a standard security program issued by TSA to mitigate that 
risk. If the repair station is already incorporated within an airport's 
security program and uses the airport's access control measures, TSA 
will consider the repair station to be in compliance with the security 
measures proposed in these regulations.
---------------------------------------------------------------------------

    \15\ See 49 CFR part 1542 for a description of airport security 
program requirements. Aircraft repair stations located at a 
commercial airport may be included within the airport security 
program.
---------------------------------------------------------------------------

    The proposed regulations list the general security requirements 
that each repair station would be required to carry out in the standard 
security program. The standard security program would require each 
repair station to include (1) a description of access controls for the 
facility as well as for the aircraft and/or aircraft components; (2) a 
description of the measures used to identify employees and others who 
are authorized to access aircraft and/or aircraft components; (3) a 
description of the procedures to challenge unauthorized individuals; 
(4) a description of security awareness training for employees; (5) the 
name of the designated security coordinator; (6) a contingency plan; 
and (7) a description of the means used to verify employee background 
information. The complete security program contents are discussed in 
the Section by Section analysis.
    These requirements are consistent with the recommendations included 
in the written comments received by TSA,

[[Page 59878]]

as well as with established security procedures for aircraft operators, 
air carriers, and airports.\16\
---------------------------------------------------------------------------

    \16\ See, generally, TSA security regulations at 49 CFR parts 
1540, 1542, 1544, and 1546.
---------------------------------------------------------------------------

    Recognizing that a ``one size fits all'' approach would not 
appropriately address the diversity in repair station characteristics, 
TSA believes that repair stations should have some flexibility 
regarding the particular equipment, facilities, and measures that would 
be listed in the standard security program and used to comply with the 
proposed regulations. While TSA would provide a standard security 
program which would contain the majority of security measures that a 
repair station must adopt to comply with the proposed regulations, 
certain measures in the standard security program that the repair 
station must adopt may differ depending upon risk factors considered by 
TSA.
    TSA would not require repair stations that are not located on or 
adjacent to an airport to implement the same physical security measures 
in the standard security program as those repair stations that are 
located on or adjacent to an airport. In adopting this approach, TSA 
considered the security risks of repair station operations to determine 
whether there were any factors that could increase the security risks 
of a repair station. The factors TSA considered were (1) size and type 
of aircraft to which employees had access; (2) the type of repair work 
permitted by the FAA certificate; (3) whether the repair station was 
located on an airport and the type of airport; and (4) the number of 
employees at the repair station.
    Based on the information acquired during the repair stations site 
visits, an examination of FAA safety requirements, and discussions with 
FAA safety inspectors, TSA determined that while all of the 
characteristics examined had some effect on security risks, repair 
stations that are located on or adjacent to an airport could pose a 
higher security risk. TSA found that at airport locations, there was 
greater accessibility to aircraft and proximity to a runway, thereby 
increasing the possibility that an aircraft could be commandeered and 
used as a weapon or sabotaged. At off-airport locations, TSA found that 
repair station employees had little, if any, access to operational 
aircraft or runways. Repair station employees at off airport locations 
typically are not the last individuals with access to aircraft prior to 
the reintroduction of the aircraft into service. TSA believes that it 
would be difficult for an individual to damage an aircraft at a repair 
station location that is only rated to repair aircraft components if 
the individual does not have access to aircraft. FAA safety regulations 
require inspection of the repair work and the component before it is 
installed in an aircraft and before the aircraft is deemed to be 
airworthy. Thus, TSA believes it is less likely that a terrorist would 
attempt to target an aircraft by sabotaging a component at an off 
airport location.
    This assessment of the greater risk posed by repair stations 
located on or adjacent to an airport was also supported by several 
commenters. One commenter noted that repair stations located within an 
airport posed the greatest risk to security because of the larger 
number of entry points in such a location. Another explained that 
repair facilities located off airport generally only work on aircraft 
components and that the multiple layers of testing and oversight 
already conducted by the FAA serves as an important security function 
as well. Another commenter agreed, stating that repair stations that do 
not have access to aircraft do not pose a security risk because the 
airworthiness of the components are tested before they are released 
into service.
    Based on this risk assessment, TSA would specify particular 
security measures in the standard security program that would apply to 
repair stations on or adjacent to an airport, but that would not be 
required for other repair stations. TSA believes that this approach 
would be consistent with its efforts to strengthen security measures at 
the non public areas of the airport.
    In addition, TSA would not require repair stations on or adjacent 
to airports that only serve aircraft with a maximum certificated take-
off weight (MTOW) of 12,500 pounds or less to include the same security 
measures in the standard security program as repair stations located on 
or adjacent to airports that serve larger aircraft. TSA has long 
recognized that aircraft with a MTOW over 12,500 pounds pose a greater 
risk to security because such aircraft are of sufficient size and 
weight to inflict significant damage and loss of lives.\17\ Smaller 
aircraft may be a less attractive target for terrorists. Therefore, the 
security program would not include the same requirements for repair 
stations that are located on or adjacent to an airport that serves 
small aircraft. While the proposed regulations apply to all FAA 
certificated repair stations, TSA requests comment on whether it should 
exempt certain repair stations after it conducts security reviews and 
audits. For instance, TSA may consider whether to exempt repair 
stations that only perform maintenance on aircraft that are 12,500 MTOW 
or less. TSA also requests comments on whether there are other 
considerations that could be used to determine potential exemptions.
---------------------------------------------------------------------------

    \17\ See 49 CFR 1544.101(d) and 1550.7.
---------------------------------------------------------------------------

    TSA is aware that the FAA may certificate repair stations operating 
on a Federal government facility, such as a U.S. military base. TSA 
believes that the security at such a facility would likely meet and 
exceed the security requirements proposed herein. Therefore, TSA would 
not apply its requirements to any FAA certificated repair station at 
which the Federal government has assumed responsibility for security 
measures.
    The issue of requiring drug and alcohol testing of repair station 
employees was raised during the public listening session. TSA is not 
proposing to include drug and alcohol testing as part of its security 
program requirements. TSA notes that the FAA has instituted alcohol and 
drug testing as part of its safety regulations.\18\ TSA believes that 
such testing should remain under the purview of the FAA.
---------------------------------------------------------------------------

    \18\ See 14 CFR part 121 at Appendix I and Appendix J. The FAA 
requires part 145 certificate holders and non-certificated repair 
stations that perform safety sensitive functions for air carriers 
and commercial operators under 14 CFR parts 121 and 135 to implement 
an FAA Antidrug Program.
---------------------------------------------------------------------------

    TSA believes that the standard security program would be useful to 
repair stations that have not developed or implemented a security 
program, particularly small repair stations that may lack the resources 
to create their own security program. Further, the standard security 
program would provide consistency in format and content for the 
thousands of security programs that would be implemented under this 
proposal. TSA anticipates requesting comment from repair stations on 
the standard security program before a final rule is adopted and will 
make a draft of the standard security program available for review and 
comment by the repair stations subject to the regulations either 
electronically, through meetings, or both.\19\
---------------------------------------------------------------------------

    \19\ Security programs will be sensitive security information 
and will not be available to the general public. See Section-by-
Section analysis for Sec.  1520.3 in this preamble.
---------------------------------------------------------------------------

B. Repair Station Profile

    To assess the security risks of a repair station and to establish 
the priority by which repair stations must be inspected, TSA would 
require each repair station to provide a brief profile, to include 
general information as to location, such as whether the repair station 
is located

[[Page 59879]]

on or adjacent to an airport,\20\ the total number of employees, and 
the number of employees with access to large aircraft. The type of 
information is discussed in the Section by Section analysis. We note 
that while the FAA holds some of this information, it does not have all 
of it. We invite comments on the burdens associated with TSA collecting 
this profile. As explained above, TSA has determined that repair 
stations located on or adjacent to an airport pose a higher security 
risk than those that are not located on or adjacent to an airport. In 
addition, TSA has determined that repair stations on airports that 
perform work on aircraft over 12,500 MTOW pose a higher security risk. 
Identifying these higher risk repair stations will enable TSA to make 
certain that they are given a higher priority when scheduling 
inspections.
---------------------------------------------------------------------------

    \20\ If located on an airport, whether the repair station 
participates in the airport security program will impact the need 
for the repair station to comply with the proposed security 
regulations.
---------------------------------------------------------------------------

    Further, the profile will assist TSA in determining which measures 
included in the standard security program must be implemented to 
address the higher risk posture of repair stations that are located on 
or adjacent to an airport.

C. Security Inspections

    The proposed regulations would codify TSA's inspection authority 
and would require repair stations to permit TSA and DHS officials to 
enter, inspect, and test property, facilities, and records relevant to 
repair stations. The purpose of the inspection would be to assess 
threats to aviation security, enforce TSA security regulations, 
directives, and requirements, evaluate all aspects of the repair 
station security program, verify whether the security program is being 
implemented and whether it is effective, as well as to identify and 
correct security deficiencies. Such oversight is also necessary to 
monitor continuing compliance with the security requirements. Since the 
inspection program is critical to the enforcement of the security 
program requirement, TSA's inspection authority would extend to all 
repair stations. TSA would initiate foreign repair station inspections 
by giving priority to those foreign repair stations that pose the 
greatest risk to aviation security as required by Vision 100, and that 
have identified themselves through the profile as being located on or 
adjacent to an airport and as performing repair work on large aircraft.
    Pursuant to the inspection process and consistent with Vision 100, 
TSA is proposing to notify the repair station and the FAA of any 
deficiencies in a security program and to permit the repair station 90 
days to correct such deficiencies. If the deficiencies are not 
corrected within 90 days, TSA would notify the FAA that it must suspend 
the repair station's certificate until such time as TSA determines that 
the deficiencies are resolved. The proposed regulations also contain a 
process whereby a repair station may request further review of TSA's 
determination regarding security deficiencies.

D. Immediate Risk to Security

    The proposed regulation contains a specific process whereby a 
repair station that poses an immediate risk to security is identified 
and the FAA is notified of such a determination. The FAA must revoke 
the certificate of a station that TSA determines poses an immediate 
risk to security. Whether the threat is immediate would be evaluated on 
a case by case basis considering existing and potential circumstances 
as information is received and analyzed. The proposal provides a repair 
station with the opportunity to obtain the releasable materials upon 
which the determination was made and to seek review of such a 
determination.

III. Section-by-Section Analysis

Part 1520--Protection of Sensitive Security Information

Section 1520.5--Sensitive Security Information

    Protection of Sensitive Security Information (SSI), as codified at 
49 CFR part 1520, would apply to each repair station required to adopt 
and carry out a security program. Airport and aircraft operator 
security programs and plans, amendments, security directives and 
information circulars, technical specifications of security screening 
and detection systems and devices, among other types of information, 
all constitute SSI under current Sec.  1520.5 and are prohibited from 
public disclosure. TSA is proposing to amend its part 1520 rules to 
include a repair station security program as SSI. This change would 
prevent the public disclosure of the security measures implemented and 
utilized by a repair station covered under the new rules because such 
disclosure would pose a threat to transportation security. It would 
also ensure that the repair station standard security program is 
protected just as other TSA required security programs are protected.

Section 1520.7--Covered Persons

    TSA proposes to amend Sec.  1520.7 to include repair station 
operators as covered persons subject to its SSI requirements. This 
change would require that repair station operators adhere to the SSI 
rules and protect SSI from public dissemination. Access to SSI is 
strictly limited to those persons with a need to know, as defined in 49 
CFR 1520.11. In general, a person has a need to know specific SSI when 
he or she requires access to the information in order to carry out 
transportation security activities that are government-approved, -
accepted, -funded, -recommended, or -directed, including for purposes 
of training on, and supervision of, such activities or to provide legal 
or technical advice regarding security-related requirements. 
Accordingly, the protection of SSI would apply to each repair station 
standard security program pursuant to part 1554.

Part 1554--Aircraft Repair Station Security (New)

Section 1554.1--Scope and Purpose

    Section 1554.1 of the proposed regulation sets forth the scope and 
purpose of new part 1554. The proposed regulations would apply to all 
repair stations, both domestic and foreign, that are certificated by 
the FAA pursuant to 14 CFR part 145. The purpose of the proposed 
regulations would be to safeguard the security of domestic and foreign 
aircraft repair stations as required by 49 U.S.C. 44924. The 
requirements would not apply to any FAA certificated repair station at 
which the U.S. government has assumed responsibility for security 
measures.

Section 1554.3--Terms Used in This Part

    Section 1554.3 of the proposed rule sets forth the definitions of 
certain terms used in this part. The term ``repair station'' is defined 
as any maintenance facility that is certificated by FAA pursuant to 14 
CFR part 145 to perform maintenance, preventive maintenance, repair, 
overhaul, or alterations of an aircraft, airframe, aircraft engine, 
propeller, appliance, or component part.\21\ Since the proposed 
regulations apply to both foreign and domestic repair stations, the 
section defines ``domestic repair station'' as any FAA-certificated 
repair station located within the fifty States, the District of 
Columbia, or the territories and possessions of the United States. A 
``foreign repair station'' is defined as any FAA-certificated repair 
station located outside of the fifty States, the District of Columbia, 
or the

[[Page 59880]]

territories and possessions of the United States.
---------------------------------------------------------------------------

    \21\ The proposed definition is consistent with the description 
of the applicability of the FAA's repair station regulations at 14 
CFR 145.1.
---------------------------------------------------------------------------

Section 1554.5--TSA Inspection Authority

    Section 1554.5 would codify TSA's authority to inspect repair 
stations and would require repair stations to permit TSA and DHS 
officials to enter, inspect, and test property, facilities, and records 
relevant to repair stations. This section would allow TSA to assess 
threats, enforce regulations, security directives, and requirements, 
inspect all facilities and equipment, test the adequacy of security 
measures, verify the implementation of security measures, review 
security programs and other records, and perform such other duties as 
appropriate. This section also would allow TSA to request evidence of 
compliance, including copies of records in English.
    The proposed regulatory language is consistent with the inspection 
authority currently codified at 49 CFR 1542.5 and 1546.3, which apply 
to certain U.S. airports and foreign air carriers. TSA has established 
protocols and procedures on conducting inspections outside the United 
States through its Foreign Airport and Foreign Air Carrier Assessment 
Programs. These established procedures require advance notice to the 
facility to be inspected and coordination with the U.S. Department of 
State and the appropriate foreign government authorities. TSA 
inspectors are required to have TSA identification media and 
credentials with them when inspecting facilities and must display them 
when requested to do so. TSA will use these established procedures when 
conducting inspections of foreign repair stations.
    TSA is also amenable to working with the U.S. Department of State 
and foreign government authorities to facilitate inspections of U.S. 
repair stations that are certificated by a foreign government 
authority. TSA currently permits such inspections of U.S. airports and 
air carriers by foreign government authorities consistent with ICAO 
Annex 17, Section 2.1.
    TSA has kept ICAO apprised of the rulemaking and will continue its 
efforts to harmonize its regulations with those of other countries 
through its participation in ICAO.

Section 1554.101--Adoption and Implementation

    Section 1554.101 would require each repair station to adopt and 
carry out a security program designed to safeguard aircraft and 
aircraft components located within the repair station, the maintenance 
and repair work performed there, and the facility itself. Repair 
stations would be required to use the TSA standard security program 
unless otherwise authorized by TSA.
    This section would also require a repair station to submit a 
profile. The purpose of the profile would be to provide basic 
information regarding repair station operations to assist TSA in 
determining what measures the repair station must include in its 
security program to meet the security requirements. The profile would 
also assist TSA in prioritizing repair stations for purposes of 
conducting inspections. TSA would make the profile template available 
to all repair stations either through the TSA web site, by mail, or 
both. The profile would request the following types of information:
     Identification of the repair stations, such as FAA 
certificate number, repair station name as it appears on the FAA 
certificate, and repair station address.
     Description of location (on or adjacent to an airport, off 
airport in a business location, off airport private residence).
     Security coordinator who will serve as the TSA point of 
contact.
     If on an airport, the name and three letter designator of 
the airport.
     Total number of employees.
     Number of employees authorized unescorted access to 
aircraft over 12,500 MTOW.
    The name and location of each repair station would assist TSA in 
identifying the repair station and determining its proximity to an 
airport since, as explained above, TSA would consider such repair 
stations to be a higher risk than those that are not located on or 
adjacent to an airport. The profile information would also help TSA to 
prioritize its inspections. Repair stations would also be required to 
update their profile information within 30 calendar days if a change in 
the information submitted occurs. This requirement would enable TSA to 
maintain current information on each regulated repair station and make 
certain that it is appraised of changes that could impact the security 
posture of a repair station. Repair stations would not be required to 
alert TSA to changes in total number of employees or number of 
employees who work on large aircraft to prevent the submission of a new 
profile every time an employee is hired or terminated.

Section 1554.103--Security Program Content, Availability, and Amendment

    Section 1554.103 would describe the general requirements describing 
the measures that each repair station must adopt in the standard 
security program. The standard security program must include:
    (1) A description of the measures used to identify individuals who 
are authorized to enter the repair station to prevent unauthorized 
individuals from entering the repair station;
    (2) a description of the measures used to control access to the 
repair station and to detect and prevent the entry, presence, and 
movement of unauthorized individuals and vehicles into or within the 
repair station;
    (3) a description of the measures used to control access to the 
aircraft and/or aircraft components to allow only authorized 
individuals to have such access;
    (4) a description of the measures used to challenge any individual 
entering the repair station to ascertain the authority of the 
individual to enter or be present in the repair station and measures to 
escort an individual who does not have unescorted authority while 
within the repair station;
    (5) a description of the measures to train all individuals with 
authorized access to aircraft and components on the provisions of this 
part and the security program;
    (6) a description of the measures used to verify employee 
background information through confirmation of prior employment and any 
other means as appropriate to validate employee information;
    (7) the name, 24-hour contact information, duties, and training 
requirements of the designated security coordinator who will serve as 
the primary and immediate contact for security-related activities and 
communications with TSA;
    (8) a contingency plan;
    (9) a diagram with dimensions detailing boundaries and pertinent 
physical features of the repair station;
    (10) a list and description of all entry points; and
    (11) an emergency response contact list.
    The regulations also would require that the security program be in 
writing, and signed by the repair station operator, owner, or other 
authorized person. Each repair station would not have to submit the 
security program to TSA, but would have to make it available to TSA 
upon request or during an inspection.
    The individual standard security program requirements are discussed 
below.
(1) Identification of Authorized Individuals
    The proposed regulations would require the repair station to adopt 
and

[[Page 59881]]

describe measures to identify individuals to prevent unauthorized 
individuals from entering the repair station. The specific requirements 
for a personnel identification media system would be included in the 
standard security program. Personal recognition may be sufficient at 
certain repair station locations. During the inspection process, TSA 
would use the following factors to evaluate whether the personnel 
identification media system must be implemented and what type of 
features the system must use:
     Number of employees and number of shifts.
     Physical size of the repair station.
     Number of visitors.
     Proximity of other businesses or operations.
     Type of work, size of aircraft, and length of runway.
     Number of entry points into the repair station.
     Airport security features.
     Other factors that increase ability of unauthorized 
individuals or vehicles to access the repair station.
    For example, a repair station with 50 employees who work multiple 
shifts at a repair station, located adjacent to an airport with many 
access points, might be required to adopt and carry out the personnel 
identification media system. Such a repair station would be considered 
to be a higher risk because of its proximity to an airport. Further, 
the large number of employees working multiple shifts would make it 
difficult for employees to rely solely on personal recognition as 
workers from different shifts may not be able to recognize each other. 
A repair station located in a residence with a single employee would 
not be required to adopt the personnel identification media system in 
the security program. TSA would not anticipate requiring a repair 
station located at an airport to adopt a personnel identification media 
system if employees were required to obtain and display airport 
identification media.
(2) Repair Station Access Control Measures
    The standard security program would specify the access control 
security requirements for all repair stations. Such requirements would 
include measures to control access to the facility and to the aircraft 
and components within the repair station, to challenge any individuals 
to determine if they are authorized to enter or be present in the 
facility, and to respond if unauthorized individuals or vehicles are 
discovered.
    Acceptable access control measures would be specified in the 
security program. Such measures would cover a broad spectrum, including 
standard locks with key control, card swipe access locks, cipher locks, 
locks with coded keys, biometric access cards, fencing, security 
guards, surveillance cameras, and motion detectors.
    As part of the standard security program, the repair station would 
be required to describe all of the entry points to the facility and the 
specific access control measures used for each. During the inspection 
process, TSA would determine whether the access control measures 
deployed at the entry point are appropriate. A repair station located 
on or adjacent to an airport that performs substantial maintenance on 
large aircraft would be required to have more stringent access 
controls. Such controls could include such measures as card swipe 
access locks, security guards, electronically monitored access or 
motion detectors, fencing or a combination of such controls. A repair 
station located in a private residence or in a small component shop in 
an industrial park would be required to have less sophisticated 
controls, such as standard locks with key control and an inventory 
system to track the number of keys. A repair station would be able to 
select the above or other measures that would provide a appropriate 
level of security.
    Access controls would also be required to restrict unauthorized 
access to components located within the facility, such as locked 
storage containers and inventory control of keys.
(3) Aircraft Access Control Measures
    In addition, the security program would include measures to control 
access to aircraft, such as requiring repair stations located on or 
adjacent to an airport to secure large aircraft by locking or disabling 
the aircraft, keeping the aircraft in a secure hangar during non-
operational hours, fencing, surveillance cameras, lighting, and 
security guards.
(4) Challenge Procedures
    The security program would describe the procedures to be followed 
when challenging individuals who cannot be readily identified. Only 
those individuals who are designated and trained in escort procedures 
would be permitted to escort visitors to the repair station. The 
responsibilities of the escort would be specified in the security 
program. At a small facility with few employees, the ability to observe 
individuals present within the facility may be sufficient to ensure 
that access to repair work and/or components is controlled. At large 
repair station facilities, such as those that use a personnel 
identification media system, employees may have to escort individuals 
as part of their responsibilities.
(5) Security Training Measures
    The security program would include measures to conduct initial and 
recurrent security training programs, such as providing guidance to 
repair station personnel on how to implement and maintain the security 
measures included in the security program. The security program would 
also specify that the training curriculum be updated to reflect current 
security requirements. The repair station would be required to maintain 
records of initial and recurrent security training for each employee. 
The standard security program would include a model curriculum that the 
repair station could modify based on the specific security requirements 
applicable to that repair station.
(6) Employee Background Verification
    The security program would include the measures by which the repair 
station verifies the employment history of its employees and conducts 
background checks, to the extent permitted by the laws of the country 
in which the repair station is located. The employment history, length 
of employment, and measures used to verify the individual's employment 
would be listed in the security program.
(7) Security Coordinator
    Each repair station would be required to designate a security 
coordinator who would serve as the immediate and primary point of 
contact for security-related activities and communications with TSA. 
Each repair station would include the name, responsibilities, and 
contact information of the security coordinator in the security program 
and would also specify the training curriculum required for the 
security coordinator. The security coordinator would not necessarily 
need to be on-site at the repair station, but they must be able to 
coordinate incident management at any time.
(8) Contingency Plan
    The security program would include a contingency plan to include 
the specific measures that would be taken to address security-related 
incidents. The security program would include such items as the names 
of the repair station employees designated to perform specific tasks, 
the name and contact information for any contingency response 
organizations that would assist the repair station, a description of 
the

[[Page 59882]]

DHS threat advisory levels and the additional security measures that 
would be implemented based on the threat level, and set forth the 
responsibilities of all personnel involved. The plan would also provide 
for training and regular practices, if appropriate.
Other Security Program Requirements
    The proposed regulations would also require that each security 
program include a diagram of the repair station detailing the 
boundaries and describing the physical features of the repair station. 
The security program would also include a list and description of all 
entry points into the repair station that would be supplied by the 
repair station operator. These requirements would assist TSA in 
assessing the security vulnerability of the repair station and 
determining whether security measures are appropriate. The security 
program would also include emergency response contact information.
    Section 1554.103(b) would require that the security program be in 
writing, and hand-signed by the repair station operator, owner, or 
other authorized person. The security program would be required to be 
accessible to employees at the repair station facility and be written 
in English and in the official language of the repair station's 
country. The security program could be accessible electronically so 
long as it meets all of the requirements. This section would also 
include a requirement that repair stations must restrict the 
distribution, disclosure, and availability of sensitive security 
information as described in 49 CFR par