Aircraft Repair Station Security, 2119-2143 [2014-00415]

Download as PDF Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations existing transportation facility, transit power substations, transit venting structures, and transit maintenance facilities. Portions of the right-of-way that have not been disturbed or that are not maintained for transportation purposes are not in the existing operational right-of-way. (13) Federally-funded projects: (i) That receive less than $5,000,000 of Federal funds; or (ii) With a total estimated cost of not more than $30,000,000 and Federal funds comprising less than 15 percent of the total estimated project cost. * * * * * (d) * * * (5) [Reserved] * * * * * Title 49—Transportation PART 622—ENVIRONMENTAL IMPACT AND RELATED PROCEDURES 4. The authority citation for part 622 is revised to read as follows: ■ Authority: 42 U.S.C. 4321 et seq.; 49 U.S.C. 303 and 5323(q); 23 U.S.C. 139 and 326; Pub. L. 109–59, 119 Stat. 1144, sections 6002 and 6010; 40 CFR parts 1500–1508; 49 CFR 1.81; and Pub. L. 112–141, 126 Stat. 405, sections 1315, 1316 and 1317. Gregory G. Nadeau, Deputy Administrator, Federal Highway Administration. Peter Rogoff, Administrator, Federal Transit Administration. Availability of Rulemaking Document [FR Doc. 2014–00370 Filed 1–10–14; 8:45 am] BILLING CODE 4910–22–P DEPARTMENT OF HOMELAND SECURITY Transportation Security Administration 49 CFR Part 1554 [Docket No. TSA–2004–17131 RIN 1652–AA38 Aircraft Repair Station Security Transportation Security Administration (TSA), Department of Homeland Security (DHS). ACTION: Final rule. AGENCY: The Transportation Security Administration (TSA) is issuing regulations to improve the security of domestic and foreign aircraft repair stations as required by the Vision 100— Century of Aviation Reauthorization Act. The regulations codify the scope of TSA’s existing inspection authority and require repair stations certificated by the ehiers on DSK2VPTVN1PROD with RULES SUMMARY: VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 Federal Aviation Administration (FAA) under 14 CFR part 145 to allow TSA and Department of Homeland Security (DHS) officials to enter, conduct inspections, and view and copy records as needed to carry out TSA’s securityrelated statutory and regulatory responsibilities. The regulations also require these repair stations to comply with security directives when issued by TSA. The regulations also require certain repair stations to implement a limited number of security measures. The regulations establish procedures for TSA to notify repair stations of any deficiencies with their security measures and to determine whether a particular repair station presents an immediate risk to security. The regulations include a process whereby a repair station may seek review of a determination by TSA that the station has not adequately addressed security deficiencies or that the repair station poses an immediate risk to security. DATES: Effective February 27, 2014. FOR FURTHER INFORMATION CONTACT: Shawn Gallagher, Office of Security Operations, TSA–29, Transportation Security Administration, 601 South 12th Street, Arlington, VA 20598–6029; telephone (571) 227–3378; facsimile (571) 603–4344; email ARS@tsa.dhs.gov. SUPPLEMENTARY INFORMATION: You can get an electronic copy using the Internet by— (1) Searching the electronic Federal Docket Management System (FDMS) Web page at http://www.regulations.gov; (2) Accessing the Government Printing Office’s Web page at http:// www.gpo.gov/fdsys/browse/ collection.action?collectionCode=FR to view the daily published Federal Register edition; or accessing the ‘‘Search the Federal Register by Citation’’ in the ‘‘Related Resources’’ column on the left, if you need to do a Simple or Advanced search for information, such as a type of document that crosses multiple agencies or dates; or (3) Visiting TSA’s Security Regulations Web page at http:// www.tsa.gov and accessing the link for ‘‘Research Center’’ at the top of the page. In addition, copies are available by writing or calling the individual in the FOR FURTHER INFORMATION CONTACT section. Make sure to identify the docket number of this rulemaking. Small Entity Inquiries The Small Business Regulatory Enforcement Fairness Act (SBREFA) of 1996 requires TSA to comply with small PO 00000 Frm 00045 Fmt 4700 Sfmt 4700 2119 entity requests for information and advice about compliance with statutes and regulations within TSA’s jurisdiction. Any small entity that has a question regarding this document may contact the person listed in FOR FURTHER INFORMATION CONTACT. Persons can obtain further information regarding SBREFA on the U.S. Small Business Administration’s (SBA) Web page at http://www.sba.gov/advo/laws/law_ lib.html. Abbreviations and Terms Used in This Document AOA Air Operations Area CFR Code of Federal Regulations DHS Department of Homeland Security EA Emergency Amendment E.O. Executive Order EPCA Energy Policy and Conservation Act EU European Union FAA Federal Aviation Administration FR Federal Register FRFA Final Regulatory Flexibility Analysis GA General Aviation ICAO International Civil Aviation Organization IRFA Initial Regulatory Flexibility Analysis MTOW Maximum Certificated Take-off Weight NAICS North American Industry Classification System NEPA National Environmental Policy Act of 1969 NPRM Notice of Proposed Rulemaking NTSB National Transportation Safety Board OMB Office of Management and Budget PRA Paperwork Reduction Act of 1995 RFA Regulatory Flexibility Act of 1980 SBA United States Small Business Administration SBREFA Small Business Regulatory Enforcement Fairness Act of 1996 SD Security Directive SIDA Security Identification Display Area SSI Sensitive Security Information TSA Transportation Security Administration U.S. United States of America U.S.C. United States Code Table of Contents I. Background A. Summary of the Rule B. Purpose of the Rule C. Costs and Benefits D. Changes From the NPRM II. Public Comments on the NPRM and TSA Responses A. Summary B. Need for Security Regulations C. Relationship to FAA Regulations D. ‘‘One Size Fits All’’ Approach to Security E. Relationship to Foreign Laws and Standards F. Application to Domestic Repair Stations G. Exemptions for Certain Types of Repair Stations H. Protection of Sensitive Security Information I. Scope of the Final Rule J. Terms Used in the Final Rule E:\FR\FM\13JAR1.SGM 13JAR1 2120 Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations K. TSA Inspection Authority L. Security Program Adoption and Implementation M. Security Directives N. Suspension and Revocation of Certificates O. Nondisclosure of Certain Information P. Other Comments on the Rulemaking Q. Implementation Issues R. Comments From the Small Business Administration S. Comments on the Regulatory Impact Assessment III. Rulemaking Analyses and Notices A. International Compatibility B. Economic Impact Analyses 1. Regulatory Impact Analysis Summary 2. Executive Orders 12866 and 13563 Assessments 3. Regulatory Flexibility Act Assessment 4. International Trade Impact Assessment 5. Unfunded Mandates Reform Act Assessment C. Paperwork Reduction Act D. Executive Order 13132, Federalism E. Environmental Analysis F. Energy Impact Analysis ehiers on DSK2VPTVN1PROD with RULES I. Background A. Summary of the Rule TSA is issuing regulations to improve security at repair stations located within and outside the United States as required by Vision 100-Century of Aviation Reauthorization Act, Public Law 108–176 (117 Stat. 2489, December 12, 2003), codified at 49 U.S.C. 44924 (Vision 100).1 The statutory requirements of Vision 100 are discussed in the preamble of the Notice of Proposed Rulemaking (NPRM) published in the Federal Register on November 18, 2009. See 74 FR 59874, 59875. There are approximately a total of 4,067 repair stations located in the United States and 707 located outside the United States certificated by FAA under part 145 as of August 2013.2 The final rule contains the following requirements: • Application. The regulations apply to repair stations certificated by the FAA under 14 CFR part 145, except repair stations located on a U.S. or foreign government military base. All repair stations are subject to inspection as provided in the rule and to Security Directives should there be a security need. However, the rule text requires only certain repair stations, discussed below, to carry out security measures on a regular basis. • TSA Inspection Authority. Repair stations must allow TSA and other authorized DHS officials to enter, conduct inspections, and view and copy records as needed to carry out TSA’s 1 While Vision 100 refers to foreign and domestic repair stations, TSA is adopting FAA terminology to refer to repair stations located ‘‘within’’ or ‘‘outside’’ the United States. VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 security-related statutory and regulatory responsibilities. For repair stations not required to carry out security measures on a regular basis (i.e., those repair stations not located on or adjacent to an airport, as further defined below), TSA does not intend to inspect such facilities, except (1) for compliance with security directives issued by TSA and with airport security programs required by TSA (for those repair stations that are included in an airport security program), and (2) to respond to security information provided to TSA by U.S. or foreign government entities. • Implementation of Security Measures. The security measures in this rule cover repair stations that are on or adjacent to certain airports. TSA will consider a repair station to be ‘‘on airport’’ if it is on an air operations area (AOA) or security identification display area (SIDA) of an airport covered by an airport security program under 49 CFR part 1542 in the United States, or on the security restricted area any commensurate airport outside the United States regulated by a government entity. TSA will consider a repair station to be adjacent to an airport if there is an access point between the repair station and the airport of sufficient size to allow the movement of large aircraft between the repair station and the area described as ‘‘on airport.’’ 3 • Security Measures. Certain repair stations, as described above, are required to (1) designate a point of contact(s) to carry out specified responsibilities; (2) prevent the unauthorized operation of large aircraft capable of flight that are left unattended; and (3) verify background information of those individuals who are designated as the TSA point(s) of contact and those who have access to any keys or other means used to prevent the unauthorized operation of large aircraft capable of flight that are left unattended. See section 1554.101. • Security Directives. Repair stations are required to comply with Security Directives (SDs) issued by TSA. See section 1554.103. • Notification of Deficiencies; Suspension of Certificate and Review Process. The regulations describe the process whereby TSA will notify the repair station and the FAA of a security deficiency identified by TSA and provide an opportunity for the repair station to obtain review of a determination by TSA to suspend its operating certification. • Immediate Risk to Security; Revocation of Certificate and Review Process. The regulations specify that when TSA determines a repair station poses an immediate risk to security, TSA will notify the repair station and the FAA that the certificate must be revoked. The regulations also provide the process for the repair station to obtain review of such a determination. 2 Data taken from the FAA Safety Performance Analysis System (SPAS) database, August 2013. 3 Large aircraft are defined as aircraft with a maximum certificated take-off weight of more than 12,500 pounds. PO 00000 Frm 00046 Fmt 4700 Sfmt 4700 B. Purpose of the Rule While the FAA has implemented extensive safety requirements for repair stations located within and outside the United States, supplementing those safety provisions with the security requirements contained in the final rule will further reduce the likelihood that terrorists would be able to use large aircraft as a weapon. As terrorist organizations continue to target civil aviation, TSA believes it is important for aircraft repair stations that are located on or adjacent to an airport to have specific security measures in place to prevent terrorists from commandeering large aircraft that are capable of flight and are not attended. Enhancement of security at repair stations that have access to runways will mitigate the potential threat that a large aircraft could be used as a weapon. In developing this rule, TSA consulted with the FAA and built upon the certification and safety requirements FAA has instituted requiring repair stations to establish and maintain a quality control system. See 14 CFR 145.211. While these quality control measures provide a significant layer of protection and oversight of articles and aircraft under repair, this final rule supplements those measures by requiring repair stations that are located on or adjacent to an airport, as defined in the final rule, to implement security measures to prevent the unauthorized operation of large aircraft capable of flight left unattended. C. Costs and Benefits In accordance with Executive Orders (E.O.) 12866 and 13563, TSA includes in this preamble a summary of the costs and benefits associated with the Aircraft Repair Station Security final rule. The table below summarizes the costs and benefits of the final rule to U.S. and foreign entities. A detailed estimate of these costs and benefits can be found in the regulatory impact analysis accompanying this final rule; the E:\FR\FM\13JAR1.SGM 13JAR1 2121 Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations regulatory impact analysis is available in the docket. Estimates Category Primary estimate Units Low estimate High estimate Discount rate (percent) Year dollar Period covered Notes Benefits Annualized Monetized ($millions/year) ............ Annualized Quantified ...................................... Qualitative ........................................................ None None None None ........ ........ ........ ........ None None None None ........ ........ ........ ........ None None None None ....... ....... ....... ....... NA NA NA NA ........... ........... ........... ........... 7 3 7 3 ............... .............. .............. .............. NA ........... NA. NA ........... NA. Not Quantified. Not Quantified. This final rule satisfies the Congressional mandate in Vision 100 for TSA to promulgate regulations to better ensure the security of aircraft repair stations. The security measures required by this final rule will better secure the aircraft on repair stations located on or adjacent to an airport and working on aircraft with a MTOW of more than 12,500 lbs. and mitigate the risk of a terrorist attack originating at these aircraft repair stations Costs Annualized Monetized ($/year) ........................ Annualized Quantified ...................................... $2,314,614 $2,318,596 None ........ None ........ N/A ........... N/A .......... None ........ None ........ N/A .......... N/A .......... None ....... None ....... 2012 2012 2012 2012 ........ ........ ........ ........ 7 3 7 3 ............... .............. .............. .............. 10 10 10 10 Years Years. Years Years. None. None. Qualitative ........................................................ Transfers Federal Annualized Monetized ($year) ........... None ........ None ........ From/To From: Other Annualized Monetized ($year) ............... None ........ None ........ From/To None ........ None ........ None ....... None ....... From: NA ........... NA ........... 7 ............... 3 .............. NA ........... NA. None. 7 ............... 3 .............. NA ........... NA. None. N/A .......... NA ........... NA ........... None. NA ........... NA ........... NA ........... None. To: None ........ None ........ None ....... None ....... NA ........... NA ........... To: Effects State, Local, and/or Tribal Government .......... None ........ None ........ None ....... Small Business ................................................ Prepared FRFA Wages .............................................................. None. Growth ............................................................. Not Measured. D. Changes From the NPRM 2. Scope and Purpose 3. Terms TSA adopts as final the proposed rule with changes based primarily on the public comments received. This section summarizes the regulatory text changes that TSA has made to the NPRM in this final rule. A detailed description of the responses to the public comments is included in Section II. TSA modified the language in § 1554.1 to eliminate the reference to ‘‘U.S. government’’ and inserted ‘‘a U.S. or foreign government military installation’’ in its place to respond to questions raised in some comments. This change will eliminate from the scope of the final rule FAA part 145certificated repair stations located on a military base, whether within or outside the United States. The change clarifies TSA’s intention not to exclude from the scope of the final rule those repair stations that are subject to government regulation. Commenting parties noted that TSA used different terms than the FAA to describe repair stations and repair work and found that the different terms were confusing. TSA eliminated the terms section to avoid confusion. TSA also eliminated the terms ‘‘foreign repair station’’ and ‘‘domestic repair station’’ from the final rule and uses the terms ‘‘repair station located within the United States’’ and ‘‘repair station located outside the United States’’ to be consistent with FAA part 145 regulations. ehiers on DSK2VPTVN1PROD with RULES 1. Part 1520 TSA eliminated the amendments to part 1520 of its rules because it has eliminated the proposed requirement to adopt and implement a security program. VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 PO 00000 Frm 00047 Fmt 4700 Sfmt 4700 E:\FR\FM\13JAR1.SGM 13JAR1 2122 Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations 4. Security Program Adoption and Implementation II. Public Comments on the NPRM and TSA Responses In response to commenters who requested exemptions from the proposed requirement to adopt and carry out a security program, TSA has eliminated the requirement to adopt and implement a security program. As will be explained below, TSA will only require certain repair stations located on or adjacent to an airport to adopt and carry out security measures to prevent the unauthorized operation of large aircraft capable of flight that are left unattended. TSA has conducted a security risk assessment and determined that other repair stations represent a minimal risk to aviation security. TSA has eliminated all security measures regarding preventing access to repair stations. This change will reduce the regulatory requirements and the costs of implementation. While TSA has retained the requirement to verify employee background information, it has reduced the application of that requirement to those individuals who are designated as the TSA point of contact and those who have access to the keys or other means used to prevent the unauthorized operation of large aircraft capable of flight that are left unattended. TSA has clarified that it will accept employment history checks or background checks conducted on individuals who have obtained a FAA airman certificate or a SIDA badge. All proposed regulations regarding the content, format and availability of a security program have been eliminated in the final rule. A. Summary TSA received 177 public submissions. Sixty-seven submissions were from repair station owner/operators. Other commenters included private individuals, industry associations, labor unions, foreign governments, airport owner/operators, domestic and foreign aircraft operators, State agencies, and the Small Business Administration (SBA). The discussion below groups the comments by the primary issues raised in the public submissions. 5. Profile Information TSA has eliminated the requirement proposed in § 1554.101(b) for repair stations to submit profile information to TSA. TSA will use information available from the FAA. 6. Security Directives TSA has added language to permit repair stations to comment upon a security directive issued by TSA. This language is consistent with the regulatory language used for airport operators and aircraft operators under 49 CFR 1542.303(e) and 1544.305(e). ehiers on DSK2VPTVN1PROD with RULES 7. Compliance and Enforcement In response to comments, TSA has clarified the process in part 1554, subpart C, which a repair station may use to seek review of a TSA determination that a certificate must be suspended or revoked. VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 B. Need for Security Regulations Comments: Thirty-three commenters said the proposed rule is unnecessary because repair stations already have adequate security or are already sufficiently regulated. Ten of these commenters cited procedures and controls already in place to safeguard security, such as quality controls, employee background checks, access controls, and general safety procedures already approved by the FAA. Seven commenters said the proposed regulations added a duplicate layer of security already provided by other TSA requirements described in current TSA security programs or SDs. A few commenters said that TSA should not regulate repair stations if they are part of an airline that already has an air carrier security program. TSA response: Vision 100 requires TSA to issue regulations ‘‘to ensure the security of foreign and domestic repair stations.’’ 49 U.S.C. 44924(f). TSA believes that the security regulations described in the final rule will reduce the likelihood that a terrorist could commandeer a large aircraft capable of flight and use it as a weapon. The final rule supplements the safety requirements imposed by the FAA, but does not duplicate FAA regulations. TSA disagrees with those comments that claim the final rule will duplicate other TSA security requirements. TSA does not currently regulate aircraft repair stations and the requirements referenced by the commenters do not apply to aircraft repair stations. TSA has eliminated the proposed requirement to adopt and implement a security program, thus there will not be duplication with airport security programs. Air carrier-owned and -operated maintenance repair and overhaul facilities conducting maintenance under the authority of a certificate issued under 14 CFR parts 121 or 135 are not subject to the requirements of this rule, since the statute and this rule PO 00000 Frm 00048 Fmt 4700 Sfmt 4700 specifically requires regulation of repair stations certificated under part 145 of the FAA regulations. Comments: Several commenters asked TSA to consider a repair station to be in full compliance with the rule if it is already incorporated within an airport’s security program and uses the airport’s access control measures. TSA Response: TSA is aware that some repair stations may be incorporated within an existing airport security program and has eliminated the proposed requirement that repair stations adopt and implement a security program to avoid unnecessary duplication. Comments: Eight commenters stated that repair stations in general do not pose a risk to security, especially compared to other facilities or operations in the aviation system. Ten commenters claimed that TSA did not conduct any type of risk analysis that quantified the security risks at repair stations or the benefits of the proposed rule. An association said TSA had correctly used a risk-based approach to determine the security measures that repair stations would be required to carry out under the proposed rule and concluded that this approach is the most effective way to advance repair station security. TSA Response: TSA agrees that the security risks posed by repair stations vary and that the most effective way to advance repair station security is to use a risk-based approach to address security matters. In developing this rule, TSA conducted a security risk analysis, including visits to repair stations located within the United States and outside the United States, interviews with industry and FAA experts, and a review of intelligence concerning a repair station’s susceptibility to a terrorist attack. The NPRM described the site visits TSA made to repair stations between June 2005 and May 2008. See 74 FR 59877. Since that time, TSA has visited 47 repair stations located outside the United States and 928 repair station facilities within the United States to observe and discuss repair station security practices. The site visits provided valuable insight into the different types of facilities certificated by the FAA, the different types of repair work performed at those facilities, and the different security measures that are deployed. In addition, TSA considered whether certain factors could increase the security risks of a repair station. The risk factors TSA considered were: (1) The size and type of aircraft to which employees had access; (2) the type of E:\FR\FM\13JAR1.SGM 13JAR1 Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations repair work permitted by the FAA certificate; (3) whether the repair station was located on an airport and the type of airport; and (4) the number of employees at the repair station. Comments: An industry association stated that aircraft operators that use repair stations should not be responsible for ensuring that repair stations comply with the regulation. TSA Response: TSA agrees that aircraft operators that use repair stations will not be responsible for ensuring that the FAA part 145-certificated repair stations comply with the final rule. ehiers on DSK2VPTVN1PROD with RULES C. Relationship to FAA Regulations Comments: Some commenters asked the FAA and TSA to coordinate their efforts to avoid placing any unnecessary burdens on repair station owners or operators. For example, one commenter pointed out that TSA could obtain repair station profile information from the FAA. Several commenters expressed concern regarding TSA’s authority to request the FAA to suspend or revoke the operating certificate of a repair station. A few of these commenters said that because the FAA issues the repair station certificate and is the Federal agency responsible for the oversight and regulation of repair stations, the FAA should be the one Federal entity that is able to suspend or revoke the certificate. Other commenters questioned whether TSA, the FAA, or the National Transportation Safety Board (NTSB) has jurisdiction over the appeals process for certificate suspensions and revocations. Eight commenters said the rule would compromise aircraft safety. Three of these commenters claimed the FAA would lose oversight of repair stations and would no longer conduct mandatory inspections and surveillance. One commenter said the cost of the rule would cause repair facilities to divert operating funds away from aircraft safety. Two commenters noted the possibility that repair station operators would turn in their repair station rating and would instead operate using mechanics holding Airframe & Powerplant certification, resulting in a decrease in safety. TSA response: TSA has coordinated its efforts with the FAA throughout the rulemaking process and the final rule does not duplicate FAA’s authority to regulate repair station safety matters or interfere in any way with the FAA certification process. In response to the comments requesting that TSA reduce the burden on repair stations by using FAA profile information, TSA eliminated the requirement for repair stations to provide profile information VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 from the final rule. TSA will obtain the profile information from the FAA. The final rule is consistent with the statutory provisions regarding the processes for suspension and revocation of a repair station certificate. Under 49 U.S.C. 44924(c), TSA must notify the FAA Administrator when a repair station poses an immediate security risk or is found to have security deficiencies. The statute requires the FAA Administrator to act upon the TSA determination to suspend or revoke a repair station’s certificate. Since the suspension or revocation is based on a determination that involves security, neither the FAA nor the NTSB has jurisdiction over the appeals process. The final rule includes a process whereby repair stations may request review of a TSA determination that the repair station certificate must be suspended or revoked. The procedure is consistent with the procedure now in place for TSA to withdraw approval of the security program of an airport operator, aircraft operator, foreign air carrier, indirect air carrier, or certified cargo screening facility, as provided in 49 CFR part 1540, subpart D. TSA disagrees with the comments that claim the rule would compromise aircraft safety, and that FAA would lose oversight of repair stations. FAA authority over repair station safety is not affected by this rule and repair stations must continue to comply with FAA safety regulations. This rule will supplement existing FAA safety requirements with security measures to ensure that unattended, large aircraft capable of flight cannot be commandeered. The costs of the rule are summarized in Section III.C below and described in detail in the regulatory impact analysis accompanying this final rule. As explained therein, TSA has minimized the cost burden of compliance, particularly to small businesses, by using a risk-based approach and eliminating the requirement for repair stations to implement a security program. In addition, if a repair station operator turned in the repair station rating and instead used mechanics holding Airframe & Powerplant certifications, the repair station operator would not be permitted to perform maintenance on passenger aircraft unless hired by an aircraft operator, in which case the maintenance work would be subject to the safety requirements of parts 121 or 135 of the FAA rules. D. ‘‘One Size Fits All’’ Approach to Security Comments: Twenty-seven commenters indicated the proposed rule PO 00000 Frm 00049 Fmt 4700 Sfmt 4700 2123 did not adequately accommodate or account for the diversity of repair stations to which it would apply. A commenter noted that TSA recognized that a ‘‘one size fits all approach’’ would not appropriately address the diversity in repair station characteristics. Other commenters asked TSA for more information on how the security program would accommodate the different levels of risk posed by different types of repair stations. TSA response: TSA recognizes that just as aircraft repair stations vary widely in size, type of repairs, and numbers of employees, existing security measures also vary widely. As stated in the NPRM, TSA agrees that a ‘‘one size fits all’’ approach will not adequately address the diversity of certificated repair stations. As will be discussed below in Section G, repair stations that are not on or adjacent to an airport as defined in the final rule, are not required to implement security measures. E. Relationship to Foreign Laws and Standards Comments: Several commenters, including representatives of foreign governments, addressed the relationship of the proposed rule to other countries’ security laws and standards. Commenters said TSA should recognize the equivalency of the security requirements of other countries and the European Union (EU). They also questioned the legal basis for application of the final rule without consultation and agreement as laid out in international and bilateral aviation agreements such as the EU-U.S. Air Transport Agreement. Other commenters noted the potential conflict of the proposed rule’s requirements with national or EU laws or regulations in areas such as unannounced inspections and background checks of repair station employees. TSA response: TSA acknowledges the concerns of foreign governments regarding TSA authority to apply security requirements to part 145certificated repair stations located outside the United States. TSA is aware of and has complied with its obligations under the EU–U.S. Air Transport Agreement, as well as other bilateral and multilateral instruments. TSA has discussed and will continue to discuss current and proposed security requirements with its international partners in order to enhance the compatibility of security regulations and standards, including the possibility of developing protocols for reciprocity and mutual recognition of repair station security regulations. TSA will address E:\FR\FM\13JAR1.SGM 13JAR1 ehiers on DSK2VPTVN1PROD with RULES 2124 Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations any specific conflicts between the final rule and any national or EU laws or regulations that may arise. TSA has established procedures for conducting inspections outside the United States through its Foreign Airport and Foreign Air Carrier Assessment Programs and intends to use those same procedures when conducting inspections of FAAcertificated repair stations located outside the United States. These established procedures require coordination with the U.S. Department of State and the appropriate foreign government authorities. With regard to background checks, TSA will require repair stations that are on or adjacent to an airport, as defined in this rule, to verify background information of those individuals who are designated as the TSA point(s) of contact and those who have access to any keys or other means used to prevent the operation of large aircraft. The repair station may either verify the individual’s employment history, confirm that the individual holds a FAA airman certificate, or (for a repair station located in the United States) confirm that the individual has obtained a security threat assessment, such as by holding a SIDA badge. TSA will not require any other specific type of background check since the laws regarding the ability to conduct certain background checks vary widely. However, repair stations may conduct other background checks consistent with applicable laws. Comments: Two commenters were concerned the proposed rule did not cover FAA-certificated repair stations in Canada. One of these commenters said Canadian facilities could pose the same security risks as FAA part 145 certificated facilities and contended that they should be subject to the regulation. TSA Response: TSA is aware that the final rule will not cover repair stations located in Canada and agrees that these repair stations could pose the same security risk as other repair stations. Canadian repair stations are covered under part 43 of the FAA regulations and operate under a bilateral agreement between the FAA and the Transport Canada Civil Aviation Authority. Since they are not certificated under Part 145 of the FAA regulations, they are not within the scope of this rule. Comments: One commenter said some foreign repair stations are already under regulatory oversight by established government authorities and should be exempt from the rule. TSA Response: A repair station that is regulated by a governmental authority is not exempt from the final rule. While a VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 repair station may be regulated by a government agency for safety or other purposes, as is the case with the FAA, TSA cannot be assured that such regulation would encompass the security requirements in the final rule. F. Application of the Final Rule to Domestic Repair Stations Comments: Eight commenters said Congress omitted the word ‘‘domestic’’ from the statute and concluded that TSA does not have authority to impose regulations on domestic repair stations. One repair station owner/operator acknowledged that 49 U.S.C. 44924(f) requires TSA to issue regulations to ensure the security of both domestic and foreign repair stations. However, the commenter noted the remainder of the statute refers only to foreign repair stations and concluded that Vision 100 does not give TSA authority to suspend the certificates of domestic repair stations. Several commenters stated that the rule should apply only to foreign repair stations, that domestic repair stations pose a lower security threat than foreign repair stations, and that TSA is overstepping its authority to regulate both domestic and foreign repair stations. TSA response: TSA disagrees with the comments that claim the regulation should apply only to repair stations located outside the United States, that repair stations located within the United States necessarily pose a lower security threat than those located outside the United States, and that TSA is overstepping its authority to regulate aircraft repair stations. TSA is required to issue regulations to ‘‘ensure the security of foreign and domestic aircraft repair stations.’’ See 49 U.S.C. 44924(f). Therefore, the final rule applies to repair stations that are certificated by the FAA under part 145 of its regulations. By including all FAA part 145-certificated repair stations in the scope of the rule, TSA will be able to verify that repair stations certificated by the U.S. government are in compliance with the final rule. TSA will not suspend a repair station certificate. The statute provides that the FAA must suspend a certificate upon notification by TSA until such time as TSA determines the repair station maintains and carries out effective security measures. See 49 U.S.C. 44924(c). While the final rule is consistent with the statutory language, TSA has ample statutory authority to address all domestic transportation security matters. For example, 49 U.S.C. 114(f) gives TSA the authority to: Assess threats to transportation; develop policies, strategies, and plans for PO 00000 Frm 00050 Fmt 4700 Sfmt 4700 dealing with threats to transportation security; enforce security-related regulations and requirements; inspect, maintain, and test security facilities, equipment, and systems; and work in conjunction with the Administrator of the FAA with respect to any actions or activities that may affect aviation safety or air carrier operations. Section 611 of Vision 100 discusses the need to ‘‘strengthen oversight of domestic and foreign repair stations’’ and to ‘‘ensure that foreign repair stations that are certified by the Administrator under part 145 of title 14, Code of Federal Regulations, are subject to an equivalent level of safety, oversight, and quality control as those located in the United States.’’ 4 Exempting repair stations within the United States from the enforcement provisions of the final rule would not permit TSA to effectively oversee the security of repair stations located within the United States or ensure that repair stations located outside the United States are subject to an equivalent level of safety, oversight, or quality control. Regulating only repair stations outside the United States would not help TSA meet the statutory objective to ensure the security of foreign and domestic aircraft repair stations. In fact, the majority of FAA part 145certificated repair stations are located in the United States and U.S. aircraft continue to be a prime target of terrorist threats. Exempting U.S. repair stations from the final rule would create a significant gap in TSA’s efforts to secure U.S. aircraft and the traveling public. Repair stations located in the United States present an immediate opportunity for terrorists to attempt to harm U.S. aviation interests. For that reason, and consistent with statutory language, the final rule applies to FAA part 145-certificated repair stations. G. Exemptions for Certain Types of Repair Stations Many commenters requested TSA to exempt particular types of repair stations from the rule. Nineteen commenters stated that off-airport repair stations do not pose a security threat and contended the final rule should apply only to repair stations located on airport grounds. Another commenter agreed off-airport repair stations are less desirable targets than on-airport repair stations because they do not have access to operational aircraft. However, one commenter observed there are offairport repair stations that repair complete aircraft. 4 H.R. E:\FR\FM\13JAR1.SGM Conf. Rep. No. 108–334, at 83 (2003). 13JAR1 ehiers on DSK2VPTVN1PROD with RULES Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations A number of commenters requested additional types of repair stations be exempted from the regulation, including: Stations with a small number of employees, stations servicing hot-air balloons, and stations servicing aircraft with a MTOW below 12,500 pounds. In contrast, a labor union urged TSA not to exempt any repair stations from the rule. Eighteen commenters stated repair stations servicing aircraft with a MTOW below 12,500 pounds should be exempt from the rule. Several other commenters said any weight threshold used for this rule should be consistent with the threshold adopted in the General Aviation Security final rule. A few others suggested weight thresholds ranging as high as 100,000 pounds. Eleven commenters requested TSA to exempt repair stations that work only on aircraft components and do not have access to complete aircraft. Commenters stated these repair stations do not pose a security threat because existing FAA rules require testing of the airworthiness of the repaired components prior to installation. TSA response: TSA agrees with commenters that repair stations located on or adjacent to an airport could pose a higher security risk than other repair stations. As the commenters point out and as discussed in the NPRM, TSA found that repair station employees at off-airport locations had little, if any, access to operational aircraft or runways and are not the last individuals with access to aircraft prior to the reintroduction of the aircraft into service. TSA concluded that it may be more difficult for potential terrorists to attempt to attack aviation interests from an off-airport repair station location. TSA also agrees with commenters that it would be difficult for a terrorist to damage an aircraft at a repair station that is rated to repair only aircraft component parts. FAA safety regulations require inspection of the repair work and the component part prior to installation in an aircraft and before the aircraft is determined to be airworthy. TSA agrees with the commenters who believe that it is less likely that a terrorist would attempt to target an aircraft by attempting to sabotage or tamper with a component part at an off-airport location. In addition, TSA agrees with those commenters that repair stations that do not work on large aircraft pose less of a security risk. TSA has long recognized that aircraft with a MTOW of more than 12,500 pounds may be a greater security risk because the aircraft are of sufficient size and weight to inflict significant damage and loss of lives. See Security VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 Programs for Aircraft 12,500 Pounds or More, 67 FR 8295 (Feb. 22, 2002). Smaller aircraft may be a less attractive target for terrorists. TSA believes that it must maintain its authority to conduct security inspections to ensure that repair stations do not pose a risk to transportation security and to make clear that repair stations must comply with security directives issued by TSA to respond to a specific threat. However, TSA has determined that only higher risk repair stations will be required to adopt security measures. Repair stations considered to be higher risk include those located on or adjacent to an airport. TSA will consider a repair station to be ‘‘on airport’’ if it is located on an AOA or SIDA of an airport covered by an airport security program under 49 CFR part 1542 in the United States, or on the security restricted area of any commensurate airport outside the United States regulated by a government entity. TSA will consider a repair station to be adjacent to an airport if there is an access point between the repair station and the airport of sufficient size to allow the movement of large aircraft between the repair station and the area described as ‘‘on airport.’’ These repair stations present the highest risk to security due to their proximity to an airport and a runway and the presence of operational aircraft of a size and weight that could inflict significant damage and loss of lives. These repair stations must implement security measures described in the final rule. TSA has retained the current definition of large aircraft used in its regulations, and will change that definition throughout the regulations should another definition be adopted in the General Aviation Security rulemaking proceeding. Other repair stations, in general, represent a minimal risk to aviation security because they are not located on or adjacent to an airport and do not have access to aircraft of sufficient size and weight to inflict significant damage or loss of lives. All FAA part 145 certificated repair stations are subject to other requirements in the rule, such as submission to TSA inspection and compliance with security directives. H. Protection of Sensitive Security Information (SSI) Comments: Two repair station owners/operators and an industry association supported the proposed SSI regulations. Another repair station owner/operator said the proposed SSI requirements may be redundant, because some corporations already have controls for business purposes to protect PO 00000 Frm 00051 Fmt 4700 Sfmt 4700 2125 information from public disclosure. Another commenter warned the SSI requirements could adversely affect corporate operations and the availability of an operator’s procedural documentation to its employees. An airport owner/operator expressed concern that the proposed rule would impose SSI responsibilities on repair stations even if they pose a low security risk. A repair station owner/operator and an industry association suggested the SSI provisions should apply to repair station owners but not to operators. Three commenters, including the European Commission, expressed concern about the applicability of the SSI provisions to foreign nationals who own and operate aircraft repair stations. They also said the proposed SSI provisions might be incompatible with the data protection directives of other nations or the EU. TSA response: TSA has eliminated the proposed requirement to adopt and implement a security program and has, therefore, eliminated the proposed changes to part 1520. TSA’s SSI regulations already require security directives (SDs) to be treated as SSI. 49 CFR 1520.5. Part 1520 applies to entities that receive a TSA SD, including U.S. and foreign air carriers for their operations both within and outside the United States. While businesses may have procedures in place to protect certain types of information, they may not include specific SSI protections. Repair stations will be responsible for developing procedures to safeguard against unauthorized disclosure of a SD. When an individual is not in physical possession of SSI, that individual must store the SSI in a secure container, such as a locked desk, office, or file cabinet. TSA disagrees with the comments that the SSI regulations could make it difficult to share security information with repair station employees. The SSI regulations permit disclosure to persons with a need to know. 49 CFR 1520.9. TSA appreciates the concerns of the European Commission regarding the applicability of SSI requirements to foreign repair stations; however, TSA does not believe that this will cause difficulties with regard to EU legislation and data protection policies. TSA already applies SSI requirements to foreign air carriers operating under a TSA-accepted Model Security Program or who receive a TSA-issued emergency amendment. The EU has not objected to or raised concerns regarding conflicts with EU data protection laws and regulations in those instances. TSA will continue to discuss with the EU any specific conflicting regulatory requirements that may arise. E:\FR\FM\13JAR1.SGM 13JAR1 2126 Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations I. Scope of the Final Rule Comments: A repair station owner/ operator supported the scope of the rule as proposed. Another repair station owner/operator suggested the words ‘‘or excluded from this part by TSA’’ be added to account for situations in which a repair station is already incorporated within an airport’s security program or in which the repair station does not constitute a security threat. An industry association suggested the addition of ‘‘or host government’’ after ‘‘U.S. Government’’ in recognition of the fact that many other governments already have standards that meet or exceed those in the proposed rule. TSA response: TSA has modified the language in the final rule. The final rule does not apply to FAA part 145certificated repair stations located on a U.S. or foreign government military installation. However, certificated repair stations that are regulated or under the oversight of a governmental entity are not exempt from the final rule. As explained previously, only higher risk repair stations will be required to implement security measures. ehiers on DSK2VPTVN1PROD with RULES J. Terms Used in the Final Rule Comments: Four commenters addressed the proposed definition of ‘‘repair station.’’ One industry association suggested narrowing the definition to include only repair stations that convey aircraft directly into commercial flight operations under parts 121 or 135 of the FAA’s regulations. Another industry association suggested narrowing the definition to include only those repair stations authorized to perform maintenance or alteration of civil aviation aircraft located on a commercial airport. A third industry association objected to the proposed definition because it does not recognize mixed maintenance operations, in which a repair station is co-located at a larger facility that is not otherwise covered by TSA security requirements. A repair station owner/operator asked whether the scope and boundaries of a repair station for purposes of the TSA rule would differ from the scope and boundaries of the repair station for FAA purposes. TSA response: In response to the comments, TSA has eliminated the terms to avoid confusion with FAA terminology. TSA is aware of the existence of mixed-use facilities, for example those that combine maintenance and manufacturing stations. It will be the repair station operator’s responsibility to delineate the parts of the station used VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 for activities subject to this final rule and those that are not. If a repair station determines it is not possible to make such a delineation then the entire station would need to meet the requirements of this final rule. K. TSA Inspection Authority Comments: Several commenters suggested that TSA’s authority to enter a repair station should be limited to normal business hours or after business hours with an escort upon reasonable notice, unless there is a known specific threat. These comments point out that, with prior notification, a repair station could make certain that the correct personnel are available to answer questions and provide documentation. Two labor unions supported unannounced inspections, saying repair stations must constantly ensure that they are complying with security requirements, and that advance notice would nullify the benefit of a security inspection. Four commenters supported the proposed language authorizing TSA to conduct unannounced inspections. However, they expressed concern that TSA indicated it would follow existing protocols for inspection of repair stations located outside the United States and provide advance notice to the facility being inspected and the host government. The commenters asserted that giving advance notice would nullify the benefit of the security inspection. Eight commenters, including a foreign government and the European Commission, said TSA could not legally inspect repair stations located outside the United States without prior notification and the approval of the authorities of the country in which the repair station is located. TSA response: TSA will follow current agency practices regarding inspections of repair station facilities outside the United States. TSA will always coordinate any inspections with the host government prior to starting an inspection. With regard to repair stations within the United States, TSA acknowledges the concerns expressed regarding such government inspections. While TSA anticipates that in some cases it will notify these repair stations of scheduled inspections, this regulation allows TSA to conduct an inspection without advance notice at any time and in a reasonable manner. In those instances where notice is given, TSA will give the repair station the opportunity to gather evidence of compliance and to arrange to have the appropriate personnel available to assist TSA. However, TSA anticipates that unannounced inspections will be conducted in the United States, PO 00000 Frm 00052 Fmt 4700 Sfmt 4700 particularly if warranted by a security incident at a repair station. Some inspections can be effective only if they are unannounced in order to determine whether the regulated party is in compliance when it is unaware that TSA may be inspecting. Terrorists will seek to take advantage of vulnerabilities whenever they occur. TSA must have the ability to respond to information, operations, and specific circumstances whenever they develop and to assess the security of regulated entities at any time, including weekends or holidays. Comments: Several commenters said the rule should clearly define the scope of TSA audits and should specify that the repair station property, facility, and records to be inspected are only those relevant to repair station security. In addition, a repair station owner/ operator and an industry association stated that business records, corporate correspondence, and aircraft maintenance records should be offlimits without a search warrant. They said the proposed rule language was too broad and should be narrowed in the final rule. TSA response: TSA disagrees that the inspection authority is overly broad and has not modified the language in the final rule. The statute authorizes TSA to ‘‘complete a security review and audit.’’ See 49 U.S.C. 44924(a). In addition, TSA has authority to ‘‘inspect, maintain, and test security facilities, equipment, and systems.’’ See 49 U.S.C. 114(f)(9). The regulatory text states specifically that the purpose of the inspection is to ‘‘carry out TSA’s security-related or regulatory authorities.’’ Thus, TSA will seek access to records relevant only to security. The inspection authority section in new § 1554.5 includes audits, assessments, or inspections and is consistent with existing TSA rules, such as in § 1542.5 (airport operators) and § 1580.5 (railroad operators). Also in connection with scope, TSA notes that consistent with its statutory authority (which currently allows inspections for security reasons irrespective of this final rule), inspections will be for compliance with this final rule’s requirements and for security reasons only. For repair stations not subject to security measures under this rule (that is, those repair stations not located on or adjacent to an airport, as defined in this rule), TSA does not intend to inspect such facilities except as necessary to comply with the requirement in 49 U.S.C. 44924 to conduct a security audit of all part 145 certificated repair stations located outside the United States, to evaluate security risks as conditions warrant, and, in the event that TSA issues a E:\FR\FM\13JAR1.SGM 13JAR1 Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations ehiers on DSK2VPTVN1PROD with RULES security directive to such a repair station, for compliance with the security directive. Comments: Some commenters said repair station security policy may require anyone inside the repair station to have an identification badge, and suggested that TSA and DHS officials comply with established security programs at the site. A few commenters asked how repair station personnel would know if TSA or DHS credentials are valid. One of them asked if repair station personnel could record the names and badge numbers of TSA and DHS inspectors. TSA response: The final rule allows repair stations to request inspectors to present their credentials for examination. Repair stations may not photocopy or otherwise reproduce the credential to prevent unauthorized individuals from using fake credentials to access a repair station. Repair stations may issue access or identification media to inspectors for their use while conducting inspections of the facilities. However, they may not prevent an inspector from conducting an inspection because the inspector was not issued identification media by the repair station. TSA will assist repair stations to develop training to identify TSA and DHS credentials. Comments: A repair station owner/ operator observed that TSA and DHS officials would need an escort for their own safety. Several other commenters were concerned that untrained TSA personnel could damage aircraft parts during their inspections or cause a disruption of work. TSA response: TSA appreciates that it must properly train its inspectors so that they avoid dangers to themselves, to employees, and other individuals at the repair station, and to property. TSA intends to use only properly trained and credentialed personnel to conduct inspections. L. Security Program Adoption and Implementation Comments: A repair station owner/ operator supported the proposed requirement to submit a profile because it would prevent use of a ‘‘one size fits all’’ approach to repair station security. One commenter asked TSA to accept the company profile used for FAA repair station approvals. Another repair station owner/operator said that TSA should eliminate this requirement or provide more information on what would constitute an adequate profile. Several commenters said that the proposed rule provided no guidance on how repair stations would report changes in profile information or how they would know VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 which changes were significant enough to require reporting. TSA response: TSA concurs with the majority of comments regarding the submission of a profile and has not included the requirement in the final rule. TSA will use existing repair station profile information from the FAA. Comments: Several commenters questioned how TSA could achieve its stated objective of appropriately addressing the diversity in repair station characteristics while requiring repair stations to use a standard security program, unless otherwise authorized by TSA. They expressed concern about having to adopt a ‘‘canned’’ or ‘‘cookiecutter’’ security program. In contrast, two labor unions said that there needs to be a baseline security standard applied to all repair stations and that allowing for any variation presents an opportunity for disparities in security from station to station. TSA response: TSA has eliminated the requirement to adopt and carry out a security program in the final rule. Comments: Some commenters expressed the belief that a 30-day deadline for a repair station to submit a profile was insufficient, particularly for small entities, those located overseas, and large corporations with many subsidiaries or joint ventures. Three of them suggested that 90 days would be more realistic. TSA response: TSA has eliminated the requirement for repair stations to submit a profile so there is no longer a 30-day deadline requirement. Comments: Two repair station owners/operators objected to the fact that the proposed rule does not define specific minimum performance standards, and entities may be subject to inconsistent compliance expectations. Another commenter asked that the detail provided in the preamble regarding the security program be included in the regulatory language. TSA response: TSA has eliminated the language in the NPRM regarding the security program requirements. The final rule describes security measures that repair stations on an airport or adjacent to an airport, as defined in the final rule, must adopt. In order to reduce the potential regulatory burden and implementation costs of the proposed rule, TSA has removed all security measures that restrict access to a repair station in the final rule. Instead, repair stations will be required to prevent unauthorized operation of large, unattended aircraft that are capable of flight. Large aircraft are defined as aircraft with a maximum certificated take-off weight of more than 12,500 pounds and attended aircraft means PO 00000 Frm 00053 Fmt 4700 Sfmt 4700 2127 aircraft to which access is limited to authorized individuals and property. The final rule explains that preventing unauthorized operation may be accomplished in several ways and a repair station may even develop its own measure so long as it obtains approval from TSA. The final rule states that a repair station may block the path of the aircraft so that it cannot be moved and control the key to a vehicle used for that purpose, park the aircraft in a locked hangar and control the key to the hangar, or move stairs away from the aircraft and shut and lock, if feasible, all cabin and cargo doors and control the key. Controlling the key, if used, is described as making sure that keys are only available to an authorized individual who has undergone an employment history check or a security threat assessment. Comments: Ten commenters addressed the provision of the proposed rule requiring the security programs to include measures to identify all individuals authorized to enter the repair station. Three of the commenters said the actual language of the provision was not detailed enough to establish TSA’s intent. A repair station owner/ operator expressed support for TSA’s statement in the NPRM that TSA will deem repair stations with established personnel identification media systems as compliant with the requirement. The commenter asked TSA to incorporate that language into the final rule. Three of the commenters also questioned TSA’s intent with regard to compliance by small repair stations. They said small repair stations should be able to rely on simple identification measures such as personal recognition. TSA Response: In response to the comments, TSA has eliminated this requirement in the final rule. Comments: A repair station owner/ operator said it is already in compliance with many elements of the proposed standard security program, including use of an employee identification system. Another repair station owner/ operator said TSA should not require repair stations with established and existing escort policies and programs to replicate ‘‘redundant’’ government escort procedures, because it would cause confusion among employees and would impose excessive labor costs. With regard to the proposed training requirements, three commenters said existing International Civil Aviation Organization (ICAO) and EU requirements should be sufficient to meet the requirements, and a repair station owner/operator said security training already is part of its operations. E:\FR\FM\13JAR1.SGM 13JAR1 ehiers on DSK2VPTVN1PROD with RULES 2128 Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations TSA response: TSA has eliminated these security requirements in the final rule. TSA acknowledges that many repair stations may already have existing measures that meet or exceed the requirements described in the final rule. Comments: Twenty-one commenters expressed divergent views regarding the requirement for employee background checks. Three commenters supported the proposed rule and said it should be imposed on repair station employees to the same degree it is imposed on FAAcertificated mechanics. Five commenters said the requirement to check previous employment might not be possible under EU Directive 95/46/ EC and national legislation. A repair station owner/operator said TSA failed to recognize the limits imposed by Federal and State labor laws, as well as union contracts. One industry association said other laws and FAA regulations already require confirmation of citizenship and other information related to employment history. Another industry association also stated this requirement would be redundant for airport-based facilities. Seven commenters said the requirement was too vague and lacked details, such as screening criteria and adjudication procedures. One industry association said the phrase ‘‘any other means as appropriate to validate employee information’’ is unclear and said the final rule should have specific requirements such as the number of years or number of employers to include. Another industry association said it was unclear whether TSA intended employers to conduct a criminal history or a security threat assessment, but that neither should be required. Another commenter said the rule should include language that prevents operators from having to repeat background checks they have already conducted. TSA response: TSA has retained the requirement to verify employee background information, but has limited the number of repair stations that must implement security measures and has reduced the number of individuals whose background information must be verified. TSA recognizes that many countries have different laws and regulations regarding this matter, and not all repair stations have a need or the ability to conduct certain types of background checks. The final rule requires that only the individual or individuals responsible for compliance with the final rule and recordkeeping, designated as TSA point(s) of contact, and authorized access to keys used to secure large aircraft must undergo a VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 background check. The final rule does not mandate the number of individuals who must undergo a background check, but the number must be sufficient to ensure that a point of contact is available on a 24-hour-a-day basis and all large aircraft capable of flight are secured when not attended. The final rule includes four examples of background checks that are acceptable and allows a repair station to use another means if approved by TSA. (1) Verification of employment history for the most recent five year period or the time since the employee’s 18th birthday, whichever is shorter. Verification may be accomplished via telephone, email, or in writing. If the verification is performed by telephone, the repair station must record the date and the name of person who verified the employment. If there is a gap in employment of six months or more that is not satisfactorily explained, employment history is not verified for purposes of this rule. Employment history verification records must be maintained for at least 180 days after the employment ends. (2) Confirmation that the employee holds an airman certificate issued by the FAA is sufficient since TSA vets all such certificate holders. (3) For a repair station located within the United States confirmation that an employee has successfully completed a security threat assessment pursuant to part 1540 of TSA’s regulations, such as by holding a SIDA badge. (4) For a repair station located outside the United States, confirmation that an employee has obtained a security threat assessment commensurate to a security threat assessment described in part 1540 of TSA’s regulations. TSA is aware that many repair stations already conduct security threat assessments or other background checks on their employees. If the background check is commensurate with the requirement of the final rule, TSA will not require duplicative or redundant measures. Comment: A few commenters urged TSA to require drug and alcohol testing of personnel at foreign repair stations, just as the FAA requires such testing under its authority over domestic repair stations. The European Commission commented that such testing in EU member nations is a matter for the law enforcement services in those nations. TSA response: As stated in the NPRM, drug and alcohol testing is a safety issue that is under the purview of the FAA and is not included as a requirement in the final rule. Comments: A repair station owner/ operator said the NPRM provided no PO 00000 Frm 00054 Fmt 4700 Sfmt 4700 training criteria or scope of incident management for the security coordinator. An industry association recommended TSA specify all training requirements in one place and requested that the expectations for the training of security coordinators be defined. One repair station owner/operator indicated that 24-hour contact would not be feasible for a small component repair station located outside of an airport. A second owner/operator said the requirement should be imposed at the airport level, not at the facility level. A third owner-operator suggested TSA allow repair stations to designate an alternate security coordinator. TSA response: TSA has eliminated the requirement to train a security coordinator in the final rule. The repair station must designate one or more individuals, as necessary, to serve as TSA point(s) of contact and to be responsible for compliance with the final rule and recordkeeping. Training is not required to perform these responsibilities. TSA does not agree that an airport Security Coordinator would be sufficient to serve as the primary and immediate contact for repair station security-related activities and communications with TSA, unless TSA determines the repair station is incorporated within the airport security program and the airport is responsible for the security of the repair station itself. Comments: A commenter stated that requiring a repair station to make its security program available for review by TSA is insufficient. The commenter said TSA should review and approve each security program. A repair station owner/operator asked to whom the security program must be accessible. One industry association asked if airport operators would be able to access and review a repair station’s security program to verify that the airport operator is contacted for all security related issues or incidents. The European Commission and a repair station owner/operator opposed the proposed English language requirement, noting that it would be burdensome for foreign repair stations. The European Commission pointed out that English is the official language of only three of the 27 EU member states and said the requirements for oral and written communications to be in English would be impossible to implement. TSA response: The proposed requirement to adopt and implement a security program has been eliminated in the final rule. With regard to the proposed English language requirements, while TSA has E:\FR\FM\13JAR1.SGM 13JAR1 Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations ehiers on DSK2VPTVN1PROD with RULES eliminated the security program requirement, it retains the requirement in the inspection provision to request documents in English. TSA notes that this requirement is consistent with FAA regulations, such as 14 CFR 145.219, which requires a certificated repair station to retain records of compliance in English. M. Security Directives (SDs) Comments: Several commenters objected to the requirement to comply with SDs and asserted TSA has used SDs to issue requirements without notice and the opportunity for public comment, thus circumventing the rulemaking process. Several industry associations expressed concern that TSA will require repair stations to comply with SDs that are not applicable to their circumstances. A commenter suggested TSA allow electronic acknowledgement of receipt of an SD so that a record of compliance is maintained. Other commenters thought verbal acknowledgement would be impractical and burdensome to TSA and to repair stations, particularly small facilities. Two repair station owners/ operators said TSA should specify the method of compliance in the SD. A repair station owner/operator requested TSA identify the process for obtaining approval for alternative measures of complying with an SD. An industry association asserted that foreign repair stations are not under TSA jurisdiction, and a repair station owner/operator said the requirement to comply with SDs might be incompatible with foreign security requirements. One commenter requested TSA avoid using common aviation-related abbreviations for TSA-related items. As an example, the commenter said Security Directives should be called ‘‘TSA Directives.’’ TSA response: The term ‘‘Security Directive’’ is a standard term used throughout TSA’s regulations to describe the regulatory document issued by TSA when TSA determines that additional security measures are necessary to respond to a threat assessment or to a specific threat against civil aviation. See 49 CFR 1542.303, 1544.305, 1548.19, and 1549.109. TSA declines to rename these documents. TSA intends to maintain its current practice and issue SDs to repair stations when necessary to respond to a threat assessment or a specific threat against aviation. TSA has added language to the final rule to clarify that repair stations may comment on SDs issued by TSA in § 1554.103(d). TSA may amend an SD based on those comments. TSA will include in an SD the procedures to VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 acknowledge receipt, to implement the requirements, and to request alternative measures if a particular measure is incompatible with a security requirement imposed by a foreign government or cannot reasonably be implemented. N. Suspension and Revocation of Certificates Comments: A few commenters asserted the statutory provisions regarding the suspension and revocation of certificates apply only to repair stations located outside the United States and thus the final rule should not apply to repair stations within the United States. Commenters claimed the proposed rule includes procedures for appealing the revocation of certification, but not for appealing the suspension of certification. Some recommended following the FAA process in 14 CFR part 13. Several commenters said the rule should include the criteria TSA would use when initiating a suspension or reinstating a certification. Another industry association added TSA is as likely to err in its judgment, as the industry is likely to err in compliance. Several commenters also expressed concern about the consequences of suspension and the resulting economic burden, especially on small businesses. Several commenters objected to the appeal process because it did not provide for appeal of TSA’s decision to an impartial third party. One repair station owner/operator stated the proposal violates the current rules of discovery and does not reflect current judicial process, and other commenters urged that final certification authority be left to the FAA or NTSB. Other commenters warned that even though the suspension and review may be temporary, either action would jeopardize a repair station’s ability to remain viable and the rule should include specific timelines that TSA must meet. Commenters expressed concern because the proposed rule provided no guidelines for TSA’s determination of revocation and there are no effective checks on TSA’s power to revoke. They also objected that under the proposed rule, a certificate remains revoked during the review process. One industry association requested TSA follow the procedures already in place for the revocation of an FAA airman certificate, including appeal to an administrative law judge and then to the NTSB. Another industry association observed that in some TSA actions against individual airmen, certificates were revoked while the documentation supporting TSA’s actions were PO 00000 Frm 00055 Fmt 4700 Sfmt 4700 2129 withheld. A repair station owner/ operator requested harmonization with FAA’s enforcement process, which includes voluntary self-disclosure, administrative corrections, processes to handle repeat offenders, and published guidelines for legal enforcement, including suspending or revoking domestic repair station certificates. An industry association expressed the belief that review of a revocation must be reconciled with existing FAA and TSA regulations. An anonymous commenter pointed out that the statute requires consulting with the Administrator to establish procedures to appeal a revocation of a certificate. Nineteen commenters said that the proposed rule did not provide enough detail or left too much to interpretation by those who would enforce it. A few commenters expressed concern about a lack of key definitions such as ‘‘immediate risk to security’’ and procedural protections such as other tools to achieve compliance objectives, and time limits for review, which could lead to inconsistencies and certificate revocation without due process. TSA response: TSA has clarified the regulatory language that provides for judicial review of a final agency order. TSA has also modified the language in the final rule to specify that repair stations have the opportunity to petition for reconsideration of a TSA determination that a repair station certificate must be suspended or revoked. The certificate enforcement actions in the final rule are consistent with TSA’s procedures governing the withdrawal of approval of a security program. 49 CFR 1540.301. TSA agrees with commenters that the FAA has the authority to issue, suspend, or revoke certificates and the statute requires the FAA to suspend or revoke a certificate if notified by TSA to do so. 49 U.S.C. 44924(c). Since any certificate action initiated by TSA will involve compliance with TSA’s security regulations, the basis for the certificate action must remain with TSA and not the FAA or the NTSB. Further, TSA has general authority to enforce securityrelated regulations and requirements. 49 U.S.C. 114(f)(7). TSA has consulted with the FAA in the development of the final rule. TSA appreciates the concerns expressed regarding the impact of a suspension or revocation of a certificate on a repair station business. TSA intends to follow current enforcement practices and anticipates that most instances of non-compliance will not result in certificate action. When appropriate, TSA will use a progressive enforcement process whereby instances E:\FR\FM\13JAR1.SGM 13JAR1 2130 Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations of non-compliance can be resolved with non-certificate action, including counseling, administrative actions, and civil penalties. See 49 CFR part 1503. ehiers on DSK2VPTVN1PROD with RULES O. Nondisclosure of Certain Information Comment: Two repair station owners/ operators expressed concern that the proposed regulations would preclude them from obtaining information needed to appeal TSA determinations. TSA response: TSA has retained the language from the NPRM in § 1554.205 in the final rule. In accordance with E.O. 12968, TSA does not disclose classified information. In accordance with 49 CFR 1520, TSA also does not disclose SSI to individuals without a ‘‘need to know.’’ However, consistent with current enforcement practice, TSA will provide the repair station with the information it collected and upon which the enforcement action is based. P. Other Comments on the Rulemaking Comment: One commenter suggested repair station operators be required to amend their FAA repair station manuals to make all personnel aware of TSA security concerns. TSA response: The FAA repair station manual is outside the scope of this rulemaking and TSA authority. TSA, however, has shared this comment with FAA. Comment: Several industry associations said that TSA should allow them and repair station owner/operators to review the standard security program prior to implementation of the rule. TSA response: TSA held briefing sessions with industry representatives in the United States and overseas. During the sessions, TSA provided a draft security program template for review and received comments. TSA notes that the requirement to adopt and implement a security program has been eliminated in the final rule. Comment: A commenter asserted that a substantial number of maintenance workers at repair stations are not certified and that some may not be legally working in the United States. TSA response: TSA notes that all employees hired after November 1, 1986, must complete Form I–9, Employment Eligibility Verification, issued by U.S. Citizenship and Immigration Services of the Department of Homeland Security to document that they are authorized to work in the United States. Comment: Ten commenters requested a more collaborative rulemaking process. Another commenter recommended consulting with four specific industry associations and other industry organizations during revision VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 of the proposed rule. One industry association also suggested the creation of a Repair Station Sector Coordinating Council as a formal means of obtaining industry input for the rulemaking process. An association requested TSA to issue a Supplemental NPRM to make certain that the concerns raised in the public comments are addressed. Two commenters stated the lack of ability to review details of the Standard Security Program as part of the proposed regulations, specifically the associated information deemed by TSA to be SSI, render this rulemaking non-compliant with the requirements of the Administrative Procedure Act and applicable case law defining adequate rulemaking notice and opportunity to comment. TSA response: The NPRM containing the proposed regulations was published in the Federal Register for public comment. 74 FR 59874 (Nov. 18, 2009). TSA has reviewed all of the comments it received during the public comment periods in 2004 and 2009, as well as those received during the public listening session conducted in 2004, and has adjusted the final rule to address the comments as necessary. TSA has met all requirements of the Administrative Procedure Act. As noted above, TSA met with the repair station industry to receive comment on the security program template format. TSA held briefing sessions with industry representatives in the United States and overseas. During the sessions, TSA provided a draft security program template for review and received comments, although it ultimately determined not to include the security program requirement in the final rule. TSA will continue to consult with its stakeholders and sees no need for a coordinating council at this time. Q. Implementation Issues Comments: Five commenters said TSA lacks the budget and staffing levels needed to implement the security programs and provide oversight of repair stations as detailed in the rule. Two commenters said TSA is understaffed and suggested this rulemaking would serve only to divert necessary resources from the agency’s other security programs. Two other commenters requested TSA secure the necessary resources to make certain the proposed program is implemented efficiently and immediately. Several commenters said TSA would likely need to hire new inspectors to implement the rule, and two commenters requested any new TSA inspectors be required to complete mandatory training to ensure all PO 00000 Frm 00056 Fmt 4700 Sfmt 4700 inspectors understand the safety measures and precautions that must be taken when performing security audits at repair stations. TSA response: The costs to the government to enforce the final rule are included in the regulatory impact analysis. TSA is aware of the complexity of work performed at repair stations. TSA has developed the appropriate inspection guidance documents and relevant training for its inspectors. Comments: Two commenters questioned the statutory requirement that TSA complete a security review and audit of all foreign repair stations certificated by the FAA no later than six months after the final rule is issued. Both said that the six-month period is too short. One requested that the period be extended to 12 months, while the other requested that the compliance period be extended to 18 months, the time specified in Vision 100. One commenter warned that if TSA does not extend the timeframe, the ability of new repair stations to be certified could be impeded, which would negatively affect the aircraft repair industry. TSA response: In the Implementing Recommendations of the 9/11 Commission Act of 2007 (Pub. L. 110– 53, 121 Stat. 266, Aug. 3, 2007), the original 18-month deadline for completing security audits of repair stations located outside the United States was reduced to six months. TSA is committed to meeting the statutory deadline. TSA has hired inspectors and developed a database that will serve as an inspection scheduling and tracking tool. TSA has also developed an implementation plan for inspecting repair stations located outside the United States. Comment: An industry association suggested TSA collaborate with foreign authorities to help implement the proposed program in their respective countries. According to the association, this approach would allow TSA to use its resources more efficiently. TSA response: TSA will continue to meet and work with its international partners to discuss implementation of the final rule. Comments: Ten commenters said the proposed rule did not include a compliance date or adequate details on TSA’s implementation plans, such as whether some repair stations would have to come into compliance before others. An aircraft manufacturer recommended adding a long-term compliance date for including measures to control access to a repair station because a business plan would need to be modified in order to accommodate E:\FR\FM\13JAR1.SGM 13JAR1 Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations ehiers on DSK2VPTVN1PROD with RULES increased capital expenses. The commenter also suggested providing a more flexible ‘‘phase-in period’’ for repair stations that recognizes current industry business models in order to enable repair stations to adequately and appropriately address any identified security lapses. The commenter further recommended adopting a compliance schedule similar to that of 14 CFR parts 1, 21, 43, and 45, which focus on addressing potential industry constraints with meeting new compliance requirements. One commenter recommended an 18-month period, to allow adequate time to prepare for necessary costs and ensure that repair stations have an adequate understanding of what is required of them. One industry association suggested using a compliance date of 180 days from the publication of the final rule. TSA response: The final rule will be effective 45 days after the date of publication in the Federal Register. TSA will conduct appropriate outreach and communication to industry representatives and the aircraft repair station community to discuss specific implementation timeframes and issues. TSA notes that it has eliminated the requirement to adopt and carry out a security program in the final rule. In addition, TSA anticipates that many of these repair stations already have security measures in place that may meet or exceed the measures contained in the final rule. Comment: One commenter requested more information on the fees charged for TSA repair station audits, noting that the initial audit will require an additional charge for repair stations if the FAA is conducting the audits. TSA response: TSA is not charging a fee to conduct security audits or inspections. Comment: One industry association suggested TSA establish a 24-hour point of contact to answer compliance-related questions. TSA response: TSA has established a dedicated email address, ARS@tsa.dhs.gov, where repair stations can send questions. In addition, repair stations will be provided with the name and contact information for inspectors who will be available to respond to questions. R. Comments From the Small Business Administration Comment: The Small Business Administration Office of Advocacy (SBA) recommended that TSA limit the scope of the rule. SBA offered the following three alternatives to meet the objectives of Vision 100 while VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 minimizing significant economic impacts on small repair stations: (1) Exempt all repair stations that are not located at a commercial airport or that do not have access to aircraft; (2) adopt a risk-based, tiered approach based on size of aircraft and access to aircraft; and (3) align the final rule with the threshold level TSA ultimately adopts in the proposed General Aviation Security rule. TSA response: TSA has reduced the scope of the final rule and has eliminated the proposed requirement to adopt and implement a security program. TSA has analyzed the possible security risk associated with repair stations and agrees that those not located on or adjacent to an airport, as defined in the final rule pose a lower risk to transportation security. This riskbased approach will minimize the economic impact on small repair stations consistent with SBA’s recommendation. The aircraft size threshold in this final rule is consistent with TSA’s current regulatory threshold. TSA agrees that its regulations should be consistent and will evaluate all of its regulations to determine whether changes are needed to enhance consistent regulatory treatment once the General Aviation Security rule is final. Comment: SBA recommended that TSA provide clear guidance to small business regarding the implementation of the security program. TSA response: TSA has eliminated the requirement to implement a security program. TSA will work with all stakeholders to provide guidance on the final rule. Comment: SBA was concerned that the costs of the regulation were understated, explaining that TSA either failed to estimate or underestimated costs of inspections, correcting security deficiencies, complying with security directives, implementing access control measures, implementing the security program, appealing suspension and revocation determinations, and implementing identification media systems. SBA recommended that TSA reassess its cost estimates. TSA response: TSA has added estimates or updated its previous estimates in the regulatory impact analysis to reflect the requirements in the final rule. TSA notes that the requirement to implement a security program has been eliminated and the application of security measure requirements has been reduced significantly. The costs of complying with future SDs cannot be estimated. SDs are issued on a limited basis to respond to a specific threat. The measures required to respond to the PO 00000 Frm 00057 Fmt 4700 Sfmt 4700 2131 threat and the frequency of such threats cannot be reasonably predicted. TSA does permit regulated entities to comment on a SD and propose alternate measures if the measures cannot be reasonably implemented. Comment: SBA recommended that TSA address the concerns of small businesses regarding SSI and develop procedures to assist small businesses to control SSI. TSA response: The requirements for the protection of SSI are described in part 1520 of TSA’s regulations. TSA will provide assistance and will answer specific questions regarding the protection of SSI. The SSI regulations explain that SDs are SSI. Those repair stations that receive a SD will be required to safeguard it to prevent access by individuals who are not authorized to possess SSI. Repair station employees must have access to the SD to ensure that security measures are implemented. To protect SSI, TSA only requires that SSI be stored in a locked cabinet or desk drawer, or electronically as a password-protected file. Therefore, TSA believes that the costs of protecting SSI will be minimal and will only be incurred if the repair station receives a SD. Comment: SBA recommended that TSA address concerns expressed by small businesses regarding the appeals process if TSA determines that a repair station certificate must be suspended or revoked. It also recommended that intermediate processes such as warnings, or requests for information be used since small businesses may go out of business if closed pending appeal of a suspension. TSA response: Since TSA has eliminated the proposed requirement to adopt and carry out a security program; we do not expect that there will be many instances that would require suspension or revocation of a certificate. This expectation is based on the repair station visits TSA conducted that demonstrated the vast majority of repair stations already have reasonable and sufficient security measures in place. While some aspects of the appeals process are specified in the statute, TSA has clarified the regulatory language that provides for judicial review of a final agency order. TSA has also modified the language in the final rule to specify that repair stations have the opportunity to petition for reconsideration of a TSA determination that a certificate must be suspended or revoked. The final rule is consistent with TSA’s current regulations regarding withdrawal of a security program. 49 CFR 1540.301. TSA agrees that intermediate processes will be E:\FR\FM\13JAR1.SGM 13JAR1 2132 Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations ehiers on DSK2VPTVN1PROD with RULES used. This is consistent with TSA’s current inspection protocols used to inspect airports and air carrier or aircraft operator operations. TSA anticipates that in most instances repair stations will be able to implement immediate measures to correct security deficiencies without the need for any formal enforcement mechanism. When necessary, TSA will use a progressive process whereby instances of noncompliance can be resolved with noncertificate action, including counseling, administrative action, and civil penalties. See 49 CFR part 1503. Comment: SBA recommended that TSA consider how its proposed rule would affect non-typical and ‘‘hybrid’’ repair station facilities. For example, some repair stations are tenants in large facilities in which the landlord is not a regulated entity, some only occupy a workbench within a large building, and some work on the ‘‘air side’’ of an airport where pilots and other visitors frequently walk up to an open hangar to ask questions. TSA response: TSA understands that there is a wide variety of certificated repair stations that differ in size, type of repairs, and number of employees. TSA has eliminated the proposed requirement to implement a security program and has reduced the number of repair stations that will be required to implement the security measures described in the final rule. TSA is aware of the existence of ‘‘hybrid’’ or mixed-use facilities, for example, those that combine maintenance and manufacturing stations. It will be the part 145 certificated repair station’s responsibility to delineate the parts of the station that are subject to the final rule and those that are not. If a repair station determines it is not possible to make such a delineation, the entire repair station must be in compliance with the final rule. S. Comments on the Regulatory Impact Assessment Comment: One association addressed the cost of complying with the proposed amendments to part 1520, which would designate repair station security programs as SSI and would include repair station owners and operators as entities subject to SSI requirements. The association said that it was not possible to estimate and comment on the cost of controlling SSI, because TSA had failed to indicate what it would consider an adequate and secure information management system. TSA response: TSA has eliminated the requirement to carry out a security program and the proposed amendment VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 to part 1520 to treat the security program as SSI. However, part 1520 requires that SDs be treated as SSI. If a repair station receives a SD, a system for securely managing and controlling SSI could be storing that information or material in a secure container (e.g., locked desk or filing cabinet) that prevents the unauthorized disclosure of this information or material. SSI materials may also be stored electronically as password-protected files. Considering these options are compliant with part 1520, TSA does not believe that there will be any additional cost burden on repair stations to control access to SDs. Comment: Several commenters questioned the attack scenarios found in the economic analysis and stated that the probability of these attack scenarios actually occurring is remote. One stated that the basic premise of the scenarios is off because the break even analysis assumes that the majority of repair stations have access to airports and aircraft. TSA Response: TSA has analyzed the security risks of the repair station population and has revised the implementation plan to only require repair stations located on or adjacent to an airport, as defined in the final rule, to adopt and implement security measures. Comments: Seventeen commenters stated that TSA had significantly underestimated the cost of compliance. Two commenters stated that the costs estimated are too low and that TSA should redo the cost analysis and the Initial Regulatory Flexibility Analysis (IRFA). Commenters provided lists of items that they claim TSA failed to address adequately, including the costs of creating and implementing a security program, facility access control measures, personnel identification media systems, security coordinators, and security awareness training. One repair station owner/operator said that the estimate that an off-airport repair station would require only four hours to complete and implement a security program seemed extraordinarily low, as did other estimates of average compliance costs in the NPRM. Another operator stated that rule familiarization had taken 10 hours. It estimated that writing a program would cost $12,000 and the actual implementation cost could exceed $80,000. An industry association and a repair station owner/operator said that the analysis failed to consider the cost of fencing, guards, cameras, badges, and access control systems, which they said that small repair stations and general aviation airports may not already have. PO 00000 Frm 00058 Fmt 4700 Sfmt 4700 The industry association said that the cost to establish access control would not be feasible for a small repair station at a general aviation airport. One commenter said that it had priced three ‘‘off-the-shelf’’ non-biometric photo ID badge systems at an average cost of $2,346; similarly, the commenter said it priced a 750-foot perimeter fence with access gates at $14,905. The commenter noted that the sum of these two estimates far exceeds TSA’s estimate of total compliance costs of $4,216 for a business with 45 employees. Various commenters estimated the cost of background checks and a badge system as $4,600 to $6,000, and a security system as $17,250. An industry association stated that the rule would require repair stations to add at least one full time position, which would create a financial burden for small repair stations and make it harder for them to remain competitive. Another association stated that TSA was asking repair stations to prove their approach was sufficient; while stations with professional security staff could do this, it was unreasonable to expect small GA repair stations to do this. A third commenter estimated salary for security staff as $70,350. One industry association also stated that TSA had underestimated training costs and should double them. Another commenter estimated training costs at up to $2,000 per employee. One industry association stated that the analysis failed to consider that small entities do not physically separate work areas, which the NPRM would require. The contingency plan requirement for identifying unauthorized persons is not defined. It noted that small stations do not routinely escort visitors and do not have staff who can be assigned to do this without losing productive work. The escort requirement will disproportionately affect small stations. An operator stated that TSA had based its analysis on small repair stations, which calls into question whether the agency has met the requirements of E.O. 12866, the Regulatory Flexibility Act (RFA), and the Trade Agreement Act. TSA response: In order to address the concerns of the commenters and better estimate the costs of compliance associated with the security measures described in the final rule, TSA has revised its cost estimates. TSA has eliminated the requirement to adopt and implement a security program. Specifically, TSA has eliminated all security measures regarding preventing access to repair stations and will only require certain repair stations to prevent the unauthorized operation of large E:\FR\FM\13JAR1.SGM 13JAR1 ehiers on DSK2VPTVN1PROD with RULES Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations aircraft that are unattended. This change will reduce the regulatory requirement and the costs of implementation. While TSA has retained the requirement to verify employee background information, it has reduced the application of that requirement only to those individuals who are designated as the TSA point of contact and those who have access to the keys or other means used to prevent the unauthorized operation of large aircraft. TSA has clarified that it will accept the background check obtained by individuals who have obtained a FAA airman certificate or a SIDA badge. All proposed regulations regarding the content, format and availability of a security program have been eliminated in the final rule. The cost estimates for both the NPRM and the final rule are listed in Chapter 4 of the regulatory impact analysis accompanying this final rule. That chapter also describes the reasons for the differences in the cost estimates. In conjunction with the NPRM, TSA published a regulatory impact analysis that addressed the requirements of EO 12866, the RFA, the Unfunded Mandates Reform Act, and the Trade Agreement Act. The cost estimates in that regulatory impact analysis were not based on small repair stations. However, the IRFA considered the cost impact of the proposed regulations on repair stations classified under SBA standards as ‘‘small’’ businesses. In the final rule, TSA has updated these analyses, considering all costs incurred by TSA and any repair stations notified to adopt security measures under the final rule. Comments: Forty-eight commenters argued that complying with the proposed requirements in part 1554 would be too costly, and some said that the compliance costs would force repair stations out of business. Six commenters stated that taxpayers and the flying public would also feel the financial burden. Twelve commenters said that the proposed rule would likely result in small GA repair stations either closing their businesses or surrendering their repair station certificates in favor of becoming maintenance repair shops that would not be required to comply with the proposed rule. Fifty commenters said that small aircraft repair stations in particular would suffer significant economic and staffing losses because of the proposed rule. Many of these commenters said that because small repair stations each employ a small number of people, the compliance cost per employee would be significant. TSA response: With respect to the comments about station closings, TSA recognizes that some aircraft repair VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 stations will incur costs associated with the implementation of security measures, but TSA has reduced the requirements of this final rule and therefore, the costs of implementation. TSA has eliminated the requirement of all security measures regarding preventing access to repair stations and will only require repair stations to prevent the unauthorized operation of large aircraft. All proposed regulations regarding the content, format and availability of a security program have been eliminated in the final rule. Additionally, the requirement to adopt security measures was revised to include only repair stations located on or adjacent to an airport, as defined in the final rule. TSA has prepared a Final Regulatory Flexibility Analysis (FRFA) as part of the economic analysis of the final rule. This analysis can be found in the regulatory impact analysis, and presents the estimated compliance costs small businesses would incur as a percentage of annual revenues. TSA has kept the costs of implementation of this rule on small businesses to a minimum by eliminating the security program requirement for all repair stations. Further, the security measures in this final rule allow flexibility in implementation. III. Rulemaking Analyses and Notices A. International Compatibility In keeping with U.S. obligations under the Convention on International Civil Aviation, it is TSA policy to comply with International Civil Aviation Organization (ICAO) Standards and Recommended Practices where possible. TSA has determined that these regulations are consistent with ICAO Standards and Recommended Practices for security of airports and facilities contained in Annex 17 of the Convention, the ICAO Security Manual and the ICAO Security Audit Reference Manual. B. Economic Impact Analyses 1. Regulatory Impact Analysis Summary Changes to Federal regulations must undergo several economic analyses. First, E.O. 12866, Regulatory Planning and Review (58 FR 51735, October 4, 1993), as supplemented by E.O. 13563, Improving Regulation and Regulatory Review (76 FR 3821, January 21, 2011), directs each Federal agency to propose or adopt a regulation only if the agency makes a reasoned determination that the benefits of the intended regulation justify its costs. Second, the Regulatory Flexibility Act (5 U.S.C. 601 et seq.), as amended by the Small Business PO 00000 Frm 00059 Fmt 4700 Sfmt 4700 2133 Regulatory Enforcement Fairness Act (SBREFA) of 1996, requires agencies to consider the economic impact of regulatory changes on small entities when an agency is required to issue a NPRM. Third, the Trade Agreements Act (19 U.S.C. 2531–2533) prohibits agencies from setting standards that create unnecessary obstacles to the foreign commerce of the United States. In developing U.S. standards, the Trade Act requires agencies to consider international standards, where appropriate, as the basis of U.S. standards. Fourth, the Unfunded Mandates Reform Act of 1995 (2 U.S.C. 1531–1538) requires agencies to prepare a written assessment of the costs, benefits, and other effects of proposed or final rules that include a Federal mandate likely to result in the expenditure by State, local, or tribal governments, in the aggregate, or by the private sector, of $100 million or more annually (adjusted for inflation). In conducting the following four analyses, TSA has determined: 1. This final rule is a ‘‘significant regulatory action,’’ although not an economically significant regulatory action, under section 3(f)(1) of E.O. 12866. Accordingly, the Office of Management and Budget has reviewed this regulation. 2. This final rule imposes no significant barriers to international trade. 3. This final rule does not impose an unfunded mandate on State, local, or tribal governments, or on the private sector in excess of $100 million (adjusted for inflation) in any one year. These analyses, as well as the Final Regulatory Flexibility Analysis, are summarized below and are detailed in the regulatory impact analysis accompanying the final rule. 2. Executive Orders 12866 and 13563 Assessments Executive Orders 12866 and 13563 direct agencies to assess the costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. Costs TSA issued an NPRM on November 18, 2009 (74 FR 68774). This final rule makes the following major changes to E:\FR\FM\13JAR1.SGM 13JAR1 2134 Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations the NPRM. The first major change is the elimination of the requirement for a repair station to submit a security profile to TSA. TSA will obtain data from the FAA and conduct field visits to acquire other data and information. TSA has also eliminated the requirement to adopt and implement a security program and all security measures preventing access to repair stations. While TSA has retained the requirement to verify employee background information, it has reduced the application of that requirement to those individuals who are designated as the TSA point of contact and those who have access to the keys or other means used to prevent the unauthorized operation of large aircraft capable of flight that are left unattended. TSA has clarified that it will accept employment history checks or background checks conducted on individuals who have obtained a FAA airman certificate or a SIDA badge. TSA assessed the risk profile of the repair station population and determined that not all repair stations present sufficient risk to warrant security program requirements. Therefore, TSA is only requiring those repair stations located on or adjacent to certain airports, as defined in this final rule, to adopt security measures. As noted above, TSA will consider a repair station to be ‘‘on airport’’ if it is on an AOA or SIDA of an airport covered by an airport security program under 49 CFR part 1542 in the United States, or on the security restricted area of any commensurate airport outside the United States regulated by a government entity. TSA will consider a repair station to be adjacent to an airport if there is an access point between the repair station and the airport of sufficient size to allow the movement of large aircraft between the repair station and the area described as ‘‘on airport.’’ Under the NPRM, approximately 4,800 repair stations certificated under part 145 would have been affected by the rulemaking’s affirmative requirements, while under this final rule, that number has been reduced to an estimated 678 repair stations. In response to public comments and changes in final rule implementation, TSA has adjusted the estimated costs for the final rule. The regulatory impact analysis accompanying this final rule summarizes the revised cost estimates of the regulation. Total In summary, over the 10-year period of the analysis, TSA estimates the aggregate costs of the Aircraft Repair Station Security Final Rule to total approximately $23.22 million, undiscounted. This total is distributed among repair stations located within the United States, which would incur total costs of $8.7 million; repair stations located outside the United States, which would incur costs of $14.18 million; and TSA, which would incur costs of $0.34 million. Chapter 2 of the regulatory impact analysis, available in the public docket, provides detailed estimates of these costs. The following table presents the annual costs of the rule over the 10year period of analysis, broken out into costs incurred by TSA, repair stations located within the United States, and repair stations located outside the United States, respectively. TABLE 1—TOTAL COST OF THE AIRCRAFT REPAIR STATION SECURITY FINAL RULE [$ millions] Year Repair stations within the United States TSA Costs 1 ..................................... 2 ..................................... 3 ..................................... 4 ..................................... 5 ..................................... 6 ..................................... 7 ..................................... 8 ..................................... 9 ..................................... 10 ................................... $0.06 0.03 0.02 0.04 0.04 0.02 0.04 0.03 0.02 0.04 Total ........................ 0.34 Changes in Cost Estimates From Notice of Proposed Rulemaking The cost estimates for this final rule differ from those reported in the NPRM Repair stations outside the United States $0.9 0.9 0.9 0.9 0.9 0.9 0.9 0.9 0.8 0.8 8.70 Total (undiscounted) Discounted, 3 percent Discounted, 7 percent $1.37 1.31 1.34 1.37 1.40 1.42 1.46 1.48 1.51 1.54 $2.34 2.24 2.25 2.29 2.31 2.30 2.36 2.36 2.37 2.41 $2.27 2.11 2.06 2.03 1.99 1.93 1.92 1.86 1.81 1.79 $2.19 1.96 1.83 1.75 1.65 1.53 1.47 1.37 1.29 1.22 14.18 23.22 19.78 16.26 due to the elimination of security program, facility access control and other requirements as described above. TSA also uses more recently available data from its outreach efforts and from FAA databases to update population projections and program costs. The following tables present the cost estimates of the final rule compared to those presented in the NPRM. TABLE 2—CHANGES IN COSTS FROM THE NPRM TO THE FINAL RULE 10-Year total rule costs ($ millions) Estimate ehiers on DSK2VPTVN1PROD with RULES NPRM Total (undiscounted) ........................................................................................................ 3% Discount ..................................................................................................................... 7% Discount ..................................................................................................................... VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 PO 00000 Frm 00060 Fmt 4700 Sfmt 4700 Final rule $344.4 $293.3 $241.0 E:\FR\FM\13JAR1.SGM 13JAR1 $23.22 $19.78 $16.26 Difference ($321.18) ($273.52) ($224.74) Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations 2135 TABLE 3—CHANGES IN COSTS INCURRED BY REPAIR STATIONS LOCATED WITHIN THE UNITED STATES 10-Year total costs ($ millions) Cost segment Major cost driving changes NPRM Final rule Difference Security Programs .............. $1.6 $0 ($1.6) Point of Contact .................. 113.2 5.8 (107.4) ID Media System ................ Aircraft Access Control ....... 0.5 0.0 0 2.7 (0.5) 2.7 Training ............................... Inspections .......................... 53.2 0.0 0 0.16 (53.2) 0.16 Revocation Appeals ............ 0.0 0.004 0.004 Total (undiscounted) .... 168.5 8.7 (159.8) 3% Discounted Total ... 143.9 7.4 (136.5) 7% Discounted Total ... 118.6 6.1 All proposed regulations regarding the content, format and availability of a security program have been eliminated in the final rule. TSA is requiring only a point of contact on a 24-hour a day basis. TSA eliminated ID Media System requirements. This is a new cost in the final rule for on-airport and adjacent repair stations. TSA has eliminated all training requirements. This is a new cost in the final rule for on-airport and adjacent repair stations. TSA now includes a cost estimate for the fraction of repair stations estimated to require an appeal due to suspension or revocation. This fraction is based on historical data from FAA. (112.5) TABLE 4—CHANGES IN COSTS INCURRED BY REPAIR STATIONS LOCATED OUTSIDE THE UNITED STATES 10-Year total costs ($ millions) Cost segment Major cost driving changes NPRM Final rule Difference $0.7 $0 ($0.7) Point of Contact ....................................................................... 18.5 3.8 (14.7) Personnel ID System .............................................................. 0.1 0 (0.1) Aircraft Access Control ............................................................ 0.0 10.2 10.2 Training .................................................................................... 78.4 0 (78.4) Inspection ................................................................................ 0.0 0.10 0.10 Revocation Appeals ................................................................ 0.0 0.05 0.05 Employment History Checks ................................................... 0.0 .08 .08 Total (undiscounted) ........................................................ 97.7 14.2 (83.5) 3% Discounted Total ........................................................ ehiers on DSK2VPTVN1PROD with RULES Security Programs ................................................................... 83.4 12.0 (71.4) 7% Discounted Total ........................................................ 68.7 9.9 (58.8) VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 PO 00000 Frm 00061 Fmt 4700 Sfmt 4700 E:\FR\FM\13JAR1.SGM 13JAR1 All proposed regulations regarding the content, format and availability of a security program have been eliminated in the final rule. TSA is requiring only a point of contact on a 24-hour a day basis. TSA eliminated Personnel ID System requirements. This is a new cost in the final rule for on-airport repair stations. TSA has eliminated all training requirements. This is a new cost in the final rule for on-airport repair stations. TSA now includes a cost estimate for the fraction of repair stations estimated to require an appeal due to suspension or revocation. This fraction is based on historical data from FAA. This is a new cost in the final rule for on-airport repair stations. 2136 Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations TABLE 5—CHANGES TO TSA COSTS 10-Year total costs ($ millions) Estimate Major cost driving changes NPRM Final rule Difference Total (undiscounted) ........... $78.2 $0.3 ($77.9) 3% Discounted Total ... 66.1 0.3 (65.8) 7% Discounted Total ... 53.7 0.2 (53.5) ehiers on DSK2VPTVN1PROD with RULES Benefits TSA is issuing regulations to provide for the security of maintenance, preventive maintenance, or alterations on aircraft or articles of aircraft performed at repair stations located both within and outside the United States, of the aircraft and articles located at these repair stations, and of the repair station facilities as required by Vision 100. As terrorist organizations continue to target civil aviation, Congress has indicated the importance of aircraft repair station security. TSA opted to require only those repair stations located on or adjacent to certain airports, as defined in this final rule, to adopt security measures. These facilities represent potential risks due to both their location on or adjacent to an airport and airport runways and their ability to perform maintenance on and have access to aircraft with a MTOW of more than 12,500 lbs. Therefore, the opportunity exists for a terrorist to commandeer an operational aircraft and use it as a weapon against a populated target. TSA uses a break-even analysis to frame the relationship between the potential benefits of the rulemaking and the costs of implementing the rule. When it is not possible to quantify or monetize the important incremental benefits of a regulation, OMB recommends conducting a threshold, or ‘‘break-even’’ analysis. According to OMB Circular No. A–4, ‘‘Regulatory Analysis,’’ such an analysis answers the question, ‘‘How small could the value of the non-quantified benefits be (or how large would the value of the nonquantified costs need to be) before the rule would yield zero net benefits?’’ 5 Consequently, to better inform the comparison of the costs of implementing the rule with the benefits to homeland security of the Aircraft Repair Station Security final rule, TSA performed a break-even analysis. In the break-even analysis, TSA compared the annualized cost of the rule’s 5 Http://www.whitehouse.gov/sites/default/files/ omb/assets/regulatory_matters_pdf/a-4.pdf. VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 TSA has reduced the requirements of this final rule resulting in a reduction of inspection time and resources. requirements to the expected benefits of preventing a potential terrorist attack. The type of terrorist attack addressed by this final rule is an aircraft as weapon scenario against a populated target such as an office building. This attack would result from the infiltration of an on-airport repair station and subsequent commandeering of an aircraft. To assess the potential impact of an attack originating at a repair station, TSA considers a representative attack scenario and estimates the monetary value of the losses associated with this scenario. This attack scenario is taken from the second iteration of TSA’s Transportation Sector Security Risk Assessment (TSSRA 2.0). TSSRA 2.0 is a SSI report that was produced in response to DHS Appropriations legislation (Pub. L. 110–396/Division D and Pub. L. 111–83), which requires DHS through TSA to conduct a comprehensive risk assessment. In order to compare the losses in the scenario with the cost of the final rule, TSA assigns a statistical monetary value to potential passenger, crew casualties and bystander, and also takes into account property damage associated with the aircraft and infrastructure involved in the attack scenario. TSA uses a Customs and Border Protection (CBP) Value of a Statistical Life (VSL) estimate of $6.3 million 6 to represent the amount an individual is willing to pay to achieve a small reduction in mortality risk. In order to estimate the value of injuries, TSA used the Department of Transportation (DOT) published guidance 7 for values of moderate injuries at 4.7 percent of VSL and severe injuries at 26.6 percent of VSL. Consequently, for a severe injury, TSA estimates a value of $1,675,800 ($6,300,000 VSL × 0.266) and for a 6 U.S. Customs and Border Protection, Report, ‘‘Valuing Mortality Risk Reductions in Homeland Security Regulatory Analyses.’’ Final Report, CBP, June 2008. 7 U.S. Department of Transportation memorandum, ‘‘Revised Departmental Guidance: Treatment of the Value of Preventing Fatalities and Injuries in Preparing Economic Analyses—2011 Revision,’’ July 29, 2011. Http://ostpxweb.dot.gov/ policy/reports/vsl_guidance_072911.pdf. PO 00000 Frm 00062 Fmt 4700 Sfmt 4700 moderate injury, TSA estimates a value of $296,100 ($6,300,000 VSL × 0.047). The following paragraphs describe a scenario for which TSA believes this final rule will help reduce the likelihood of occurrence and their corresponding estimated monetary consequences. This analysis does not consider the indirect, macroeconomic consequences these terrorist attacks could cause. Consequently, the economic impacts of this terrorist attack estimated for this break-even analysis is a lower-bound estimate. This attack scenario describes the impact of a situation where a commercial aircraft is stolen from a repair station (with no passengers on board) and used as a missile to attack an office building. The scenario results in loss of life, severe and moderate injuries, destruction of the aircraft, and damage to the building. Again, TSSRA 2.0 uses the average building size and capacity of a number of office buildings to estimate an average building size of 49 stories with an average of 176 people per story. TSSRA 2.0 estimates 2,992 fatalities for this scenario. TSSRA 2.0 assumes the attacker(s) will hit the office building approximately a third of the way down the building and due to the size of the aircraft, it is assumed that anyone above the impact site will die due to the inability to escape the building (17 stories × 176 people). Using the CBP VSL of $6.3 million, the monetary estimate associated with the loss of life is $18,849.6 million (2,992 × $6.3 million). TSSRA 2.0 also estimates 880 severe injuries, which is equal to the number of occupants of 5-stories of the representative office building. TSSRA 2.0 assumes that several floors directly below the impact site would be affected by the force of the impact and the resultant fires. In addition, people exiting the building from these floors would be more likely to have injuries requiring hospital treatment. Again using the DOT guidance on the valuation of injuries, the monetary estimate associated with severe injuries is $1,474.7 million (880 severe injuries E:\FR\FM\13JAR1.SGM 13JAR1 Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations × $1,675,800). TSSRA 2.0 estimates 2,376 moderate injuries, which is equal to one-half of the remaining population of the representative office building (0.5 × (8,624 ¥ 2,992 ¥ 880). TSSRA 2.0 assumes that at least half of the remaining occupants not killed or severely injured would be moderately injured due to smoke, falling debris, or the action of evacuating the building. The monetary estimate associated with the moderate injuries is $703.5 million (2,376 moderate injuries × $296,100). TSSRA 2.0 assumes this type of attack requires replacement of the entire building. TSSRA 2.0 estimates the cost of replacement using an average construction cost of $846.8 million for recently built large buildings in the United States. To estimate the value of the lost aircraft, TSA uses $22.6 million, which is the 2009 weighted average market value of all two-engine narrow-body and two-engine wide-body air carrier aircraft.8 The total monetary valuation of the losses of life, aircraft and buildings, and injuries represented in this scenario is $21,897.2 million ($18,849.6 million for fatalities + $1,474.7 million for severe injuries + $703.5 million for moderate injuries + $22.6 million for loss of aircraft + $846.8 million for replacement of the building). In this analysis, the comparison is made between the estimated monetary consequence of this scenario and the annualized cost of the Aircraft Repair Station Security final rule, discounted at seven percent ($2.3 million).9 The ‘‘required risk reduction in attack frequency’’ to break even is estimated by dividing the total consequences of a specific attack scenario by the annualized cost of the regulation, discounted at seven percent. In order to break even, the rule will need to reduce the existing or baseline frequency of terrorist attack by one attack every 9,460 years for attacks of a similar magnitude. These results are presented in table form in both the Executive Summary and Chapter 5 of the regulatory impact analysis. 2137 ehiers on DSK2VPTVN1PROD with RULES Alternatives As alternatives to the preferred regulatory regime presented in the final rule, TSA examined four other options. For most regulatory alternatives, TSA considered categorizing repair stations into three risk tiers based on a station’s location with respect to an airport and the size of aircraft on which a repair station performs work. Tier 1, in general, would include all repair stations located on or adjacent to a part 1542 regulated airport (or commensurate foreign airport) and those repair stations located on or adjacent to a GA airport (or commensurate foreign airport) that conduct maintenance, preventive maintenance, or alterations on aircraft or articles for aircraft with a MTOW of more than 12,500 pounds. In Alternative 1 TSA would notify only Tier 1 repair stations to adopt and implement a security program. Tier 2, in general, would include repair stations located off-airport that conducts maintenance, preventive maintenance, or alterations on articles for aircraft with a MTOW of more than 12,500 pounds. Tier 3, in general, would include all remaining repair stations. Under Alternative 2, TSA would notify both Tier 1 and Tier 2 repair stations to adopt and implement a security program, since these repair stations work on aircraft or articles for aircraft with a MTOW of more than 12,500 lbs. Tier 2 repair stations would incur most of the requirements in the security program with which Tier 1 repair stations must comply; however, Tier 2 would not be required to comply with certain of the security program requirements. The third and fourth alternatives require Security Threat Assessments (STAs) for different subsets of repair station employees. Alternative 2A includes an STA requirement for employees of on-airport repair stations located within the United States in addition to the other security requirements and associated costs of the final rule. Alternative 2B includes STAs for employees of both Tier 1 and Tier 2 repair stations located within the United States as defined in Alternative 2, in addition to the security requirements and associated costs of Alternative 2. TSA would not require STAs for employees of repair stations located outside the United States. This decision was based upon a consideration of privacy laws in foreign countries and TSA’s determination that ICAO standards already address employee background checks. TSA rejects Alternative 1 and opted to remove any security program requirements for all repair stations and only require repair stations on or adjacent to an airport that have access to runways and operational aircraft to implement security measures. TSA rejects the regulatory regimes in Alternatives 2 and Alternative 2B because repair stations in Tier 2 in these alternatives do not have access to operational aircraft and runways. TSA is unable to identify credible attack scenarios that could originate at offairport repair stations. Alternative 2A, while offering a regulatory framework that covers onairport repair stations with access to runways and operational aircraft, was rejected by TSA in favor of the final rule because TSA does not believe that the STA requirement provides enough risk reduction to justify the additional costs. Since TSA is unable to perform STAs on employees at repair stations located outside the United States, all the risk reduction yielded by this requirement would be in domestic aviation. Therefore, Alternative 2A provides lower marginal risk reduction per dollar of cost than the final rule. Further, the additional costs of the STA requirement would put an undue burden on repair stations located in the United States and disadvantage them against foreign competitors. For these reasons, TSA decided to withhold the STA requirement from the final rule. While TSA has retained the requirement to verify employee background information in this final rule, it has reduced the application of that requirement to those individuals who are designated as the TSA point of contact and those who have access to the keys or other means used to prevent the unauthorized operation of large aircraft capable of flight that are left unattended. TSA has clarified that it will accept employment history checks or background checks conducted on individuals who have obtained a FAA airman certificate or a SIDA badge. The following table presents the 10-year costs of the alternatives compared to the costs of the final rule. The alternatives costs are discussed in detail in Chapter 3 of the regulatory impact analysis accompanying the final rule. 8 Federal Aviation Administration, 2007, ‘‘Economic Values for FAA Investment and Regulatory Decisions, a Guide.’’ Prepared by GRA, Inc. December 31, 2004 (updated). Table 5–2. TSA calculates a weighted average value for aircraft in rows 1 and 2. TSA converted this weighted average aircraft value from a 2003 estimate to the 2009 equivalent weighted average value of $22.6 million using the FAA recommended method described in the document in Section 9.6 (page 9–9), which relies on the BLS producer price index series for civil aircraft available in the producer price index values (2003–2009 annual values), a factor of 1.31, for commodities at http://stats.bls.gov/ppi/ home.htm. 9 See the OMB No. A–4, ‘‘Regulatory Analysis,’’ Accounting Statement in the Executive Summary in the regulatory impact analysis. This amount is the annual payment that, if invested each year at a 7 percent interest rate, would accrue to the cost of the rule after a 10-year period. VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 PO 00000 Frm 00063 Fmt 4700 Sfmt 4700 E:\FR\FM\13JAR1.SGM 13JAR1 2138 Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations TABLE 6—COMPARISON OF ALTERNATIVES TO THE PROPOSED FINAL RULE COSTS [$ millions] 10-Year total costs by alternative ehiers on DSK2VPTVN1PROD with RULES Final Rule (preferred) ...................................................................................................... Alternative 1 (Tier 1 only) ................................................................................................ Alternative 2 (Tier 1 and Tier 2) ...................................................................................... Alternative 2A (STAs—on-airport only) ........................................................................... Alternative 2B (STAs—Tier 1 and Tier 2) ....................................................................... 3. Regulatory Flexibility Act Assessment The Regulatory Flexibility Act (RFA) of 1980 establishes ‘‘as a principle of regulatory issuance that agencies shall endeavor, consistent with the objective of the rule and of applicable statutes, to fit regulatory and informational requirements to the scale of the business, organizations, and governmental jurisdictions subject to regulation.’’ To achieve that principle, the RFA requires agencies to solicit and consider flexible regulatory proposals and to explain the rationale for their actions. Sections 603(a) and 604(a) of the Regulatory Flexibility Act require that, when an agency issues an interim final rule or promulgates a final rule ‘‘after being required to publish a general notice of proposed rulemaking,’’ the agency must consider the economic impact of the rule on small entities. The term ‘‘small entities’’ comprises small businesses, not-for-profit organizations that are independently owned and operated and are not dominant in their fields, and governmental jurisdictions with populations of less than 50,000. A Final Regulatory Flexibility Analysis discussing the impact of this final rule on small entities is available in the docket. Based on available data, we estimate that about 44 percent of entities directly regulated by the final rule requirements are small under the Regulatory Flexibility Act and the SBA size standards (compared to the 96 percent of entities affected by the NPRM provisions). This is due to the changes in the applicability and security requirements (detailed explanation of applicability changes on section I. Background, of this final rule). In this final rule TSA allows flexibility in which security measures repair stations may select in order to prevent commandeering of an aircraft. In addition, this flexibility allows repair stations to choose cost-effective security measures thus mitigating concerns regarding cost burdens for small repair stations. As long as the security requirements are met, the repair station may implement the measures that best VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 suit its business model and physical layout. TSA estimates that approximately 85 percent of small repair stations will incur compliance costs that represent less than represent 1 percent of annual revenues and approximately 97 percent of small repair stations will incur compliance costs that represent less than 2 percent of annual revenues. 4. International Trade Impact Assessment The Trade Agreement Act of 1979 prohibits Federal agencies from establishing any standards or engaging in any related activities that create unnecessary obstacles to the foreign commerce of the United States. Legitimate domestic objectives, such as security, are not considered unnecessary obstacles. The statute also requires consideration of international standards and, where appropriate, that they be the basis for U.S. standards. This final rule does not implicate Executive Order 13609 because neither the economic impact of the final rule nor that imposed on repair stations located outside the United States is ‘‘significant’’ as defined in EO 12866. Further, TSA is imposing the same security requirements on repair stations located outside the United States as it is imposing on those located within the United States and is subjecting those repair stations located outside the United States to the same standard inspection practices as are already in place for other foreign entities regulated by TSA. TSA considered the economic role of repair stations located outside the United States, as well as U.S. obligations under numerous treaties. Although some public comments suggested that TSA should focus only on repair stations located outside the United States, treaty obligations and the statutory language made it clear that the regulations could not target only those repair stations. The final rule simply requires entities located outside the United States to comply with the same regulatory requirements applied to repair stations located within the United States and does not create non-tariff PO 00000 Frm 00064 Discounted, 3 percent Undiscounted Fmt 4700 Sfmt 4700 $23.2 240.6 350.6 261.5 381.0 $19.8 207.1 301.6 225.3 328.2 Discounted, 7 percent $16.3 172.6 251.3 188.1 273.9 barriers to international trade. Because the requirements for repair stations located outside the United States will be the same as those imposed on repair stations located within the United States, TSA does not anticipate trade retaliation or unnecessary obstacles to foreign trade. Any differences that may occur can be attributed to the legitimate domestic objective of security, which under the Trade Agreement Act of 1979 is not considered an unnecessary obstacle. 5. Unfunded Mandates Assessment The Unfunded Mandates Reform Act of 1995 (UMRA), Public Law 104–4, is intended, among other things, to curb the practice of imposing unfunded Federal mandates on State, local, and tribal governments. Title II of the UMRA establishes requirements for Federal Agencies to assess the effects of their regulatory actions on State, local, and tribal governments and the private sector. Under section 202 of the UMRA, TSA generally must prepare a written statement, including a cost-benefit analysis, for proposed and final rules with ‘‘Federal mandates’’ that may result in expenditures by State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million (adjusted for inflation) or more in any one year. TSA has determined that this rule does not impose a Federal mandate that may exceed $100 million in expenditures of State, local, or tribal governments in the aggregate, nor does the final rule impose a $100 million mandate on the private sector. Therefore, the final rule does not contain such a mandate and the requirements of Title II do not apply. C. Paperwork Reduction Act The Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq.) requires that TSA consider the impact of paperwork and other information collection burdens imposed on the public and, under the provisions of PRA section 3507(d), obtain approval from the Office of Management and Budget (OMB) for each collection of information it conducts, sponsors, or E:\FR\FM\13JAR1.SGM 13JAR1 2139 Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations requires through regulations. This rule contains the following new information collection requirements. Accordingly, TSA submitted a copy of these sections to OMB for its review. OMB approved the collection of this information and assigned OMB Control Number 1652– 0060. The regulations apply to repair stations certificated by the FAA under 14 CFR part 145, except repair stations located on a U.S. or foreign government military base. All such repair stations must allow TSA and other authorized DHS officials to enter, conduct inspections, and view and copy records as needed to carry out TSA’s securityrelated statutory and regulatory responsibilities. All such repair stations must comply with Security Directives if issued by TSA which could include requirements to maintain records or provide information to TSA. The security measures in this rule cover repair stations that are on or adjacent to certain airports. TSA will consider a repair station to be ‘‘on airport’’ if it is on an air operations area or security identification display area of an airport covered by an airport security program under 49 CFR part 1542 in the United States, or on the security restricted area of any commensurate airport outside the United States regulated by a government entity. TSA will consider a repair station to be adjacent to an airport if there is an access point between the repair station and the airport of sufficient size to allow the movement of large aircraft between the repair station and the area described as ‘‘on airport.’’ 10 The repair stations, as described above, are required to designate a point of contact(s) to carry out specified responsibilities; and verify background information of those individuals who are designated as the TSA point(s) of contact and those who have access to any keys or other means used to prevent the unauthorized operation of large aircraft capable of flight that are left unattended. The regulations also describe the process whereby TSA will notify the repair station and the FAA of a security deficiency identified by TSA and provide an opportunity for the repair station to obtain review of a determination by TSA to suspend its operating certification. The regulations specify that when TSA determines a repair station poses an immediate risk to security, TSA will notify the repair station and the FAA that the certificate must be revoked. The regulations also provide the process for the repair station to obtain review of such a determination. In order to comply with the regulations, repair stations outside of the United States, will be responsible for maintaining updated employment history records to demonstrate compliance with this final rule. These records must be made available to TSA upon request. Repair stations located within the United States will be able to use security threat assessments that have been obtained for other reasons to comply with this rule. TSA is required to conduct a security review and audit of the repair stations located outside the United States See 49 U.S.C. 44924(a). TSA will conduct a paper audit of all 707 repair stations that are located outside the United States. The paper audit will consist of a letter describing the rule and the repair station will be required to respond to four questions to verify whether the repair station is required to implement security measures. Based upon subject matter expert (SME) best estimates, the paper audit is expected to take one hour for a repair station employee, assumed to be the point of contact, to complete. Seventy-eight repair stations located outside the United States meet the definition of on or adjacent to an airport and will undergo an annual desk audit in which the repair station will be asked to describe how it is complying with the rule. Each desk audit is estimated to require one hour for the repair station to read the letter sent by TSA and respond. The likely respondents to this information collection are the owners and/or operators of repair stations certificated by the FAA under 14 CFR part 145, which is estimated to number approximately 1,158 unique respondents over the next three years (451 repair stations located within the United States and 707 repair stations located outside the United States). The average yearly burden for recordkeeping is estimated to be 2 hours for repair stations located outside the United States. The average yearly burden for suspension and revocation appeals is estimated to be 10 hours for repair stations located within the United States and 100 hours for repair stations located outside the United States. The average yearly burden for paper audits is estimated to be 236 hours for repair stations located outside the United States. The average yearly burden for desk audits is estimated to be 80 hours for repair stations located outside the United States. Therefore, the total average annual time burden estimate is approximately 428 hours. The following table shows the information collections and corresponding hour burdens for entities falling under the requirements of the final rule. TABLE 7—COLLECTION AND HOUR BURDENS FOR ENTITIES WITHIN AND OUTSIDE THE UNITED STATES Number of responses Time per response Collection Year 1 Year 2 Recordkeeping 0.025 hours .. 227 Suspension/Revocation Appeals 5 5 6.0 2.0 1 9 30 300 10 100 0 707 236 As needed On-Airport RS within the United States ... On-Airport RS outside the United States ehiers on DSK2VPTVN1PROD with RULES Year 3 Average annual time burden Continuous as needed On-Airport RS outside the United States 10 hours ....... 12 hours ....... 1 8 Paper Audits 1 8 One-Time On-Airport RS outside the United States 1 hour ........... 707 0 10 Large aircraft are defined as aircraft with a maximum certificated take-off weight of more than 12,500 pounds. VerDate Mar<15>2010 3-Year time burden 13:45 Jan 10, 2014 Jkt 232001 PO 00000 Frm 00065 Fmt 4700 Sfmt 4700 E:\FR\FM\13JAR1.SGM 13JAR1 2140 Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations TABLE 7—COLLECTION AND HOUR BURDENS FOR ENTITIES WITHIN AND OUTSIDE THE UNITED STATES—Continued Number of responses Time per response Collection Year 1 Year 2 Desk Audits 3-Year time burden Year 3 Average annual time burden Annual On-Airport RS outside the United States 1 hour ........... 78 80 82 240 80 Total Burden (responses) ................. ...................... ........................ ........................ ........................ 1,212 404 Total Burden (hours) ......................... ...................... ........................ ........................ ........................ 1,283 428 While comments were received on the issues discussed above in Section II, there were no comments received on the information collection burden estimates contained in the NPRM. As protection provided by the PRA, as amended, an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number. ehiers on DSK2VPTVN1PROD with RULES D. Executive Order 13132 on Federalism TSA has analyzed this final rule under the principles and criteria of E.O. 13132 on Federalism. We determined that this action will not have a substantial direct effect on the States, or the relationship between the National Government and the States, or on the distribution of power and responsibilities among the various levels of government, and, therefore, does not have federalism implications. E. Environmental Analysis TSA has reviewed this action under DHS Management Directive 5100.1, Environmental Planning Program (effective April 19, 2006), which guides TSA compliance with the National Environmental Policy Act of 1969 (NEPA) (42 U.S.C. 4321–4347). TSA has determined that this proposal is covered by the following categorical exclusions (CATEX) listed in the DHS directive: Number A3(a) (administrative and regulatory activities involving the promulgation of rules and the development of policies); paragraph A4 (information gathering and data analysis); paragraph A7(d) (conducting audits, surveys, and data collection of a minimally intrusive nature, to include vulnerability, risk, and structural integrity assessments of infrastructures); paragraph B3 (proposed activities and operations to be conducted in existing structures that are compatible with ongoing functions); paragraph B11 (routine monitoring and surveillance activities that support homeland security, such as patrols, investigations, and intelligence gathering), and H1 VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 (approval or disapproval of security plans required under legislative mandates where such plans do not have a significant effect on the environment). In addition, TSA has determined that this proposal meets the three conditions required for a CATEX to apply, as described in paragraph 3.2, (Conditions and Extraordinary Circumstances). F. Energy Impact Analysis The energy impact of the action has been assessed in accordance with the Energy Policy and Conservation Act (EPCA), Public Law 94–163, as amended (42 U.S.C. 6362). We have determined that this rulemaking is not a major regulatory action under the provisions of the EPCA. List of Subjects in 49 CFR Part 1554 Aircraft, Aviation safety, Repair stations, Reporting and recordkeeping requirements, Security measures. The Amendments In consideration of the foregoing, the Transportation Security Administration amends Chapter XII of Title 49, Code of Federal Regulations, by adding a new part 1554 to subchapter C to read as follows: PART 1554—AIRCRAFT REPAIR STATION SECURITY Subpart A—General Sec. 1554.1 Scope. 1554.3 TSA inspection authority. Subpart B—Security Measures 1554.101 Security Measures. 1554.103 Security Directives. Subpart C—Compliance and Enforcement 1554.201 Notification of security deficiencies; suspension of certificate and review process. 1554.203 Immediate risk to security; revocation of certificate and review process. 1554.205 Nondisclosure of certain information. Authority: 49 U.S.C. 114, 40113, 44903, 44924. PO 00000 Frm 00066 Fmt 4700 Sfmt 4700 Subpart A—General § 1554.1 Scope. (a) This part applies to repair stations that are certificated by the Federal Aviation Administration (FAA) pursuant to 14 CFR part 145, except for a part 145 certificated repair station located on a U.S. or foreign government military installation. (b) In addition to the terms in 49 CFR 1500.3 and 1540.5, for purposes of this part, ‘‘large aircraft’’ means any aircraft with a maximum certificated takeoff weight of more than 12,500 pounds and ‘‘attended’’ aircraft means an aircraft to which access is limited to authorized individuals and property. § 1554.3 TSA inspection authority. (a) General. Each repair station must allow TSA and other authorized DHS officials, at any time and in a reasonable manner, without advance notice, to enter, conduct any audits, assessments, or inspections of any property, facilities, equipment, and operations; and to view, inspect, and copy records as necessary to carry out TSA’s security-related statutory or regulatory authorities, including its authority to— (1) Assess threats to transportation security; (2) Enforce security-related regulations, directives, and requirements; (3) Inspect, assess, and audit security facilities, equipment, and systems (4) Ensure the adequacy of security measures; (5) Verify the implementation of security measures; (6) Review security plans; and (7) Carry out such other duties, and exercise such other powers, relating to transportation security as the TSA Administrator considers appropriate, to the extent authorized by law. (b) Evidence of compliance. At the request of TSA, each repair station must provide evidence of compliance with this part, including copies of records required by this part. E:\FR\FM\13JAR1.SGM 13JAR1 Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations (1) All records required under this part must be provided in English upon TSA’s request. (2) All responses and submissions provided to TSA or its designee, pursuant to this part, must be in English, unless otherwise requested by TSA. (c) Access to repair station. (1) TSA and DHS officials working with TSA may enter, and be present within any area without access media or identification media issued or approved by the repair station in order to inspect, assess, or perform any other such duties as TSA may direct. (2) Repair stations may request TSA inspectors and DHS officials working with TSA to present their credentials for examination, but the credentials may not be photocopied or otherwise reproduced. Subpart B—Security Measures ehiers on DSK2VPTVN1PROD with RULES § 1554.101 Security Measures. (a) Applicability of this section. This section applies to part 145 certificated repair stations located— (1) On airport. On an air operations area or security identification display area of an airport covered by an airport security program under 49 CFR part 1542 in the United States, or on the security restricted area of any commensurate airport outside the United States regulated by a government entity; or (2) Adjacent to an airport. Adjacent to an area of the airport described in paragraph (a)(1) of this section if there is an access point between the repair station and the airport of sufficient size to allow the movement of large aircraft between the repair station and the area described in paragraph (a)(1) of this section. (b) Security Measures. Each repair station described in paragraph (a) of this section must carry out the following measures: (1) Provide TSA with the name and means of contact on a 24-hour basis of a person or persons designated by the repair station with responsibility for— (i) Compliance with the regulations in this part; (ii) Serving as the primary point(s) of contact for security-related activities and communications with TSA; (iii) Maintaining a record of all employees responsible for controlling keys or other means used to control access to aircraft described in paragraph (b)(2) of this section; and (iv) Maintaining all records necessary to comply with paragraph (b)(3) of this section. (2) When not attended, prevent the unauthorized operation of all large VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 aircraft capable of flight, by using one or more of the means listed in paragraphs (b)(2)(i) through (iv) of this section. In these examples, a key, if used, must only be available to an individual authorized by the repair station who has successfully undergone a check as described in paragraph (b)(3) of this section. (i) Block the path of the aircraft such that it cannot be moved, and control the vehicle key if a vehicle is used to block the path. (ii) Park the aircraft in a locked hangar and control the key to the hangar. (iii) Move stairs away from the aircraft and shut and, if feasible, lock all cabin and/or cargo doors, and control the key. (iv) Other means approved in writing by TSA. (3) Verify background information of those individuals who are designated as the TSA point(s) of contact and those who have access to any keys or other means used to prevent the operation of large aircraft described in paragraph (b)(2) of this section by one or more of the following means: (i) Verify an employee’s employment history. The repair station obtains the employee’s employment history for the most recent five year period or the time period since the employee’s 18th birthday, whichever period is shorter. The repair station verifies the employee’s employment history for the most recent 5-year period via telephone, email, or in writing. If the information is verified telephonically, the repair station must record the date of the communication and with whom the information was verified. If there is a gap in employment of six months or longer, without a satisfactory explanation of the gap, employment history is not verified. The repair station must retain employment history verification records for at least 180 days after the individual’s employment ends. The repair station must maintain these records electronically or in hardcopy, and provide them to TSA upon request. (ii) Confirm an employee holds an airman certificate issued by the Federal Aviation Administration. (iii) Confirm an employee of a repair station located within the United States has obtained a security threat assessment or comparable security threat assessment pursuant to part 1540, subpart C of this chapter, such as by holding a SIDA identification media issued by an airport operator that holds a complete program under 49 CFR part 1542. (iv) Confirm an employee of a repair station located outside the United States has successfully completed a security threat assessment commensurate to a PO 00000 Frm 00067 Fmt 4700 Sfmt 4700 2141 security threat assessment described in part 1540, subpart C of this chapter. (v) Other means approved in writing by TSA. § 1554.103 Security Directives. (a) General. When TSA determines that additional security measures are necessary to respond to a threat assessment or to a specific threat against civil aviation, TSA issues a Security Directive setting forth mandatory measures. (b) Compliance. Each repair station must comply with each Security Directive TSA issues to the repair station within the time prescribed. Each repair station that receives a Security Directive must— (1) Acknowledge receipt of the Security Directive as directed by TSA; (2) Specify the method by which security measures have been or will be implemented to meet the effective date; and (3) Notify TSA to obtain approval of alternative measures if the repair station is unable to implement the measures in the Security Directive. (c) Availability. Each repair station that receives a Security Directive and each person who receives information from a Security Directive must— (1) Restrict the availability of the Security Directive and the information contained in the document to persons who have an operational need to know; and (2) Refuse to release the Security Directive or the information contained in the document to persons other than those who have an operational need to know without the prior written consent of TSA. (d) Comments. Each repair station that receives a Security Directive may comment on the Security Directive by submitting data, views, or arguments in writing to TSA. TSA may amend the Security Directive based on comments received. Submission of a comment does not delay the effective date of the Security Directive. Subpart C—Compliance and Enforcement § 1554.201 Notification of security deficiencies; suspension of certificate and review process. (a) General. A repair station may be subject to suspension of its FAA certificate, if security deficiencies are identified and are not corrected. (b) Notice of security deficiencies. TSA provides written notification to a repair station and to the FAA of any security deficiency identified by TSA. (c) Response. A repair station must provide TSA with a written explanation E:\FR\FM\13JAR1.SGM 13JAR1 ehiers on DSK2VPTVN1PROD with RULES 2142 Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations in English of all efforts, methods, and procedures used to correct the security deficiencies identified by TSA within 45 calendar days of receipt of the written notification described in paragraph (b) of this section. (d) Suspension of certificate. If the repair station does not correct security deficiencies within 90 calendar days of the repair station’s receipt of the written notice of security deficiencies, or if TSA determines that the security deficiencies have not been addressed sufficiently to comply with this section, the TSA designated official will provide written notification to the repair station and to the FAA that the repair station’s certificate must be suspended. The notification will include an explanation of the basis for the suspension. The suspension remains in effect until TSA determines that the security deficiencies have been corrected. (e) Petition for reconsideration. The repair station may petition TSA to reconsider its determination under paragraph (d) of this section by serving a petition for reconsideration no later than 20 calendar days after the repair station receives the notification. The repair station must serve the petition on the TSA designated official. Submission of a petition for reconsideration will not automatically stay the suspension. The repair station may request TSA to notify the FAA to stay the suspension pending review of and decision on the petition. The petition must be in writing, in English, signed by the repair station operator or owner, and include— (1) A statement that reconsideration is requested; and (2) A response to the suspension, including any information TSA should consider in reviewing the suspension. (f) Review by the TSA designated official. The TSA designated official will consider all relevant material and information and will act on the petition no later than 15 calendar days after TSA receives the petition. The TSA designated official will either notify the repair station and the FAA that the suspension be withdrawn or affirm the suspension. The decision of the TSA designated official constitutes a final agency order subject to judicial review in accordance with 49 U.S.C. 46110. (g) Service of documents. Service may be accomplished by personal delivery, certified mail, or express courier. Documents served on a repair station will be served at its official place of business. Documents served on TSA must be served at the address contained in the written notice of suspension. (1) A certificate of service may be attached to a document tendered for filing. A certificate of service must VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 consist of a statement, dated and signed by the person filing the document, that the document was personally delivered, served by certified mail on a specific date, or served by express courier on a specific date. (2) The date of service is— (i) The date of personal delivery; (ii) If served by certified mail, the mailing date shown on the certificate of service, the date shown on the postmark if there is no certificate of service, or other mailing date shown by other evidence if there is no certificate of service or postmark; or (iii) If served by express courier, the service date shown on the certificate of service, or by other evidence if there is no certificate of service. (h) Extension of time. TSA may grant an extension of time to the limits set forth in this section for good cause shown. A repair station must request an extension of time in writing, and TSA must receive it at least two days before the due date in order to be considered. TSA may grant itself an extension of time for good cause. § 1554.203 Immediate risk to security; revocation of certificate and review process. (a) Notice. The TSA designated official will determine whether any repair station poses an immediate risk to security. If such a determination is made, TSA will provide written notification of its determination to the repair station and to the FAA that the certificate must be revoked. The notification will include an explanation of the basis for the revocation. TSA does not include classified information or other information described in § 1554.205. (b) Petition for reconsideration. The repair station may petition TSA to reconsider its determination by serving a petition for reconsideration no later than 20 calendar days after the repair station receives the notification. The repair station must serve the petition on the TSA designated official. Submission of a petition for reconsideration will not automatically stay the revocation. The repair station may request TSA to notify FAA to stay the revocation pending review of and decision on the petition. The petition must be in writing, in English, signed by the repair station operator or owner, and include— (1) A statement that a review is requested; and (2) A response to the determination of immediate risk to security, including any information TSA should consider in reviewing the basis for the determination. PO 00000 Frm 00068 Fmt 4700 Sfmt 4700 (c) Review by the Administrator. The TSA designated official transmits the petition together with all relevant information to the Administrator for reconsideration. The Administrator will act on the petition within 15 calendar days of receipt by either directing the TSA designated official to notify FAA and the repair station that the determination is rescinded and the certificate may be reinstated or by affirming the determination. The decision by the Administrator constitutes a final agency order subject to judicial review in accordance with 49 U.S.C. 46110. (d) Service of documents. Service may be accomplished by personal delivery, certified mail, or express courier. Documents served on a repair station will be served at its official place of business. Documents served on TSA must be served at the address contained in the written notice of revocation. (1) A certificate of service may be attached to a document tendered for filing. A certificate of service must consist of a statement, dated and signed by the person filing the document, that the document was personally delivered, served by certified mail on a specific date, or served by express courier on a specific date. (2) The date of service is— (i) The date of personal delivery; (ii) If served by certified mail, the mailing date shown on the certificate of service, the date shown on the postmark if there is no certificate of service, or other mailing date shown by other evidence if there is no certificate of service or postmark; or (iii) If served by express courier, the service date shown on the certificate of service, or by other evidence if there is no certificate of service. (e) Extension of time. TSA may grant an extension of time to the limits set forth in this section for good cause shown. A repair station must request an extension of time in writing, and TSA must receive it at least two days before the due date in order to be considered. TSA may grant itself an extension of time for good cause. § 1554.205 Nondisclosure of certain information. In connection with the procedures under this subpart, TSA does not disclose classified information, as defined in Executive Order 12968, section 1.1(d), or any successor order, and TSA reserves the right not to disclose any other information or material not warranting disclosure or protected from disclosure under law or regulation. E:\FR\FM\13JAR1.SGM 13JAR1 Federal Register / Vol. 79, No. 8 / Monday, January 13, 2014 / Rules and Regulations Dated: January 7, 2014. John S. Pistole, Administrator. [FR Doc. 2014–00415 Filed 1–10–14; 8:45 am] ehiers on DSK2VPTVN1PROD with RULES BILLING CODE 9110–05–P VerDate Mar<15>2010 13:45 Jan 10, 2014 Jkt 232001 PO 00000 Frm 00069 Fmt 4700 Sfmt 9990 E:\FR\FM\13JAR1.SGM 13JAR1 2143

Agencies

[Federal Register Volume 79, Number 8 (Monday, January 13, 2014)]
[Rules and Regulations]
[Pages 2119-2143]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2014-00415]

-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Transportation Security Administration

49 CFR Part 1554

[Docket No. TSA-2004-17131
RIN 1652-AA38

Aircraft Repair Station Security

AGENCY: Transportation Security Administration (TSA), Department of
Homeland Security (DHS).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Transportation Security Administration (TSA) is issuing
regulations to improve the security of domestic and foreign aircraft
repair stations as required by the Vision 100--Century of Aviation
Reauthorization Act. The regulations codify the scope of TSA's existing
inspection authority and require repair stations certificated by the
Federal Aviation Administration (FAA) under 14 CFR part 145 to allow
TSA and Department of Homeland Security (DHS) officials to enter,
conduct inspections, and view and copy records as needed to carry out
TSA's security-related statutory and regulatory responsibilities. The
regulations also require these repair stations to comply with security
directives when issued by TSA. The regulations also require certain
repair stations to implement a limited number of security measures. The
regulations establish procedures for TSA to notify repair stations of
any deficiencies with their security measures and to determine whether
a particular repair station presents an immediate risk to security. The
regulations include a process whereby a repair station may seek review
of a determination by TSA that the station has not adequately addressed
security deficiencies or that the repair station poses an immediate
risk to security.

DATES: Effective February 27, 2014.

FOR FURTHER INFORMATION CONTACT: Shawn Gallagher, Office of Security
Operations, TSA-29, Transportation Security Administration, 601 South
12th Street, Arlington, VA 20598-6029; telephone (571) 227-3378;
facsimile (571) 603-4344; email ARS@tsa.dhs.gov.

SUPPLEMENTARY INFORMATION:

Availability of Rulemaking Document

You can get an electronic copy using the Internet by--
(1) Searching the electronic Federal Docket Management System
(FDMS) Web page at http://www.regulations.gov;
(2) Accessing the Government Printing Office's Web page at http://www.gpo.gov/fdsys/browse/collection.action?collectionCode=FR to view
the daily published Federal Register edition; or accessing the ``Search
the Federal Register by Citation'' in the ``Related Resources'' column
on the left, if you need to do a Simple or Advanced search for
information, such as a type of document that crosses multiple agencies
or dates; or
(3) Visiting TSA's Security Regulations Web page at http://www.tsa.gov and accessing the link for ``Research Center'' at the top
of the page.
In addition, copies are available by writing or calling the
individual in the FOR FURTHER INFORMATION CONTACT section. Make sure to
identify the docket number of this rulemaking.

Small Entity Inquiries

The Small Business Regulatory Enforcement Fairness Act (SBREFA) of
1996 requires TSA to comply with small entity requests for information
and advice about compliance with statutes and regulations within TSA's
jurisdiction. Any small entity that has a question regarding this
document may contact the person listed in FOR FURTHER INFORMATION
CONTACT. Persons can obtain further information regarding SBREFA on the
U.S. Small Business Administration's (SBA) Web page at http://www.sba.gov/advo/laws/law_lib.html.

Abbreviations and Terms Used in This Document

AOA Air Operations Area
CFR Code of Federal Regulations
DHS Department of Homeland Security
EA Emergency Amendment
E.O. Executive Order
EPCA Energy Policy and Conservation Act
EU European Union
FAA Federal Aviation Administration
FR Federal Register
FRFA Final Regulatory Flexibility Analysis
GA General Aviation
ICAO International Civil Aviation Organization
IRFA Initial Regulatory Flexibility Analysis
MTOW Maximum Certificated Take-off Weight
NAICS North American Industry Classification System
NEPA National Environmental Policy Act of 1969
NPRM Notice of Proposed Rulemaking
NTSB National Transportation Safety Board
OMB Office of Management and Budget
PRA Paperwork Reduction Act of 1995
RFA Regulatory Flexibility Act of 1980
SBA United States Small Business Administration
SBREFA Small Business Regulatory Enforcement Fairness Act of 1996
SD Security Directive
SIDA Security Identification Display Area
SSI Sensitive Security Information
TSA Transportation Security Administration
U.S. United States of America
U.S.C. United States Code

Table of Contents

I. Background
A. Summary of the Rule
B. Purpose of the Rule
C. Costs and Benefits
D. Changes From the NPRM
II. Public Comments on the NPRM and TSA Responses
A. Summary
B. Need for Security Regulations
C. Relationship to FAA Regulations
D. ``One Size Fits All'' Approach to Security
E. Relationship to Foreign Laws and Standards
F. Application to Domestic Repair Stations
G. Exemptions for Certain Types of Repair Stations
H. Protection of Sensitive Security Information
I. Scope of the Final Rule
J. Terms Used in the Final Rule

[[Page 2120]]

K. TSA Inspection Authority
L. Security Program Adoption and Implementation
M. Security Directives
N. Suspension and Revocation of Certificates
O. Nondisclosure of Certain Information
P. Other Comments on the Rulemaking
Q. Implementation Issues
R. Comments From the Small Business Administration
S. Comments on the Regulatory Impact Assessment
III. Rulemaking Analyses and Notices
A. International Compatibility
B. Economic Impact Analyses
1. Regulatory Impact Analysis Summary
2. Executive Orders 12866 and 13563 Assessments
3. Regulatory Flexibility Act Assessment
4. International Trade Impact Assessment
5. Unfunded Mandates Reform Act Assessment
C. Paperwork Reduction Act
D. Executive Order 13132, Federalism
E. Environmental Analysis
F. Energy Impact Analysis

I. Background

A. Summary of the Rule

TSA is issuing regulations to improve security at repair stations
located within and outside the United States as required by Vision 100-
Century of Aviation Reauthorization Act, Public Law 108-176 (117 Stat.
2489, December 12, 2003), codified at 49 U.S.C. 44924 (Vision 100).\1\
The statutory requirements of Vision 100 are discussed in the preamble
of the Notice of Proposed Rulemaking (NPRM) published in the Federal
Register on November 18, 2009. See 74 FR 59874, 59875. There are
approximately a total of 4,067 repair stations located in the United
States and 707 located outside the United States certificated by FAA
under part 145 as of August 2013.\2\ The final rule contains the
following requirements:
---------------------------------------------------------------------------

\1\ While Vision 100 refers to foreign and domestic repair
stations, TSA is adopting FAA terminology to refer to repair
stations located ``within'' or ``outside'' the United States.
\2\ Data taken from the FAA Safety Performance Analysis System
(SPAS) database, August 2013.
---------------------------------------------------------------------------

Application. The regulations apply to repair stations
certificated by the FAA under 14 CFR part 145, except repair stations
located on a U.S. or foreign government military base. All repair
stations are subject to inspection as provided in the rule and to
Security Directives should there be a security need. However, the rule
text requires only certain repair stations, discussed below, to carry
out security measures on a regular basis.
TSA Inspection Authority. Repair stations must allow TSA
and other authorized DHS officials to enter, conduct inspections, and
view and copy records as needed to carry out TSA's security-related
statutory and regulatory responsibilities. For repair stations not
required to carry out security measures on a regular basis (i.e., those
repair stations not located on or adjacent to an airport, as further
defined below), TSA does not intend to inspect such facilities, except
(1) for compliance with security directives issued by TSA and with
airport security programs required by TSA (for those repair stations
that are included in an airport security program), and (2) to respond
to security information provided to TSA by U.S. or foreign government
entities.
Implementation of Security Measures. The security measures
in this rule cover repair stations that are on or adjacent to certain
airports. TSA will consider a repair station to be ``on airport'' if it
is on an air operations area (AOA) or security identification display
area (SIDA) of an airport covered by an airport security program under
49 CFR part 1542 in the United States, or on the security restricted
area any commensurate airport outside the United States regulated by a
government entity. TSA will consider a repair station to be adjacent to
an airport if there is an access point between the repair station and
the airport of sufficient size to allow the movement of large aircraft
between the repair station and the area described as ``on airport.''
\3\
---------------------------------------------------------------------------

\3\ Large aircraft are defined as aircraft with a maximum
certificated take-off weight of more than 12,500 pounds.
---------------------------------------------------------------------------

Security Measures. Certain repair stations, as described
above, are required to (1) designate a point of contact(s) to carry out
specified responsibilities; (2) prevent the unauthorized operation of
large aircraft capable of flight that are left unattended; and (3)
verify background information of those individuals who are designated
as the TSA point(s) of contact and those who have access to any keys or
other means used to prevent the unauthorized operation of large
aircraft capable of flight that are left unattended. See section
1554.101.
Security Directives. Repair stations are required to
comply with Security Directives (SDs) issued by TSA. See section
1554.103.
Notification of Deficiencies; Suspension of Certificate
and Review Process. The regulations describe the process whereby TSA
will notify the repair station and the FAA of a security deficiency
identified by TSA and provide an opportunity for the repair station to
obtain review of a determination by TSA to suspend its operating
certification.
Immediate Risk to Security; Revocation of Certificate and
Review Process. The regulations specify that when TSA determines a
repair station poses an immediate risk to security, TSA will notify the
repair station and the FAA that the certificate must be revoked. The
regulations also provide the process for the repair station to obtain
review of such a determination.

B. Purpose of the Rule

While the FAA has implemented extensive safety requirements for
repair stations located within and outside the United States,
supplementing those safety provisions with the security requirements
contained in the final rule will further reduce the likelihood that
terrorists would be able to use large aircraft as a weapon. As
terrorist organizations continue to target civil aviation, TSA believes
it is important for aircraft repair stations that are located on or
adjacent to an airport to have specific security measures in place to
prevent terrorists from commandeering large aircraft that are capable
of flight and are not attended. Enhancement of security at repair
stations that have access to runways will mitigate the potential threat
that a large aircraft could be used as a weapon.
In developing this rule, TSA consulted with the FAA and built upon
the certification and safety requirements FAA has instituted requiring
repair stations to establish and maintain a quality control system. See
14 CFR 145.211. While these quality control measures provide a
significant layer of protection and oversight of articles and aircraft
under repair, this final rule supplements those measures by requiring
repair stations that are located on or adjacent to an airport, as
defined in the final rule, to implement security measures to prevent
the unauthorized operation of large aircraft capable of flight left
unattended.

C. Costs and Benefits

In accordance with Executive Orders (E.O.) 12866 and 13563, TSA
includes in this preamble a summary of the costs and benefits
associated with the Aircraft Repair Station Security final rule. The
table below summarizes the costs and benefits of the final rule to U.S.
and foreign entities. A detailed estimate of these costs and benefits
can be found in the regulatory impact analysis accompanying this final
rule; the

[[Page 2121]]

regulatory impact analysis is available in the docket.

--------------------------------------------------------------------------------------------------------------------------------------------------------
Estimates Units
---------------------------------------------------------------------------------------------------
Category Primary Discount rate Notes
estimate Low estimate High estimate Year dollar (percent) Period covered
--------------------------------------------------------------------------------------------------------------------------------------------------------
Benefits
--------------------------------------------------------------------------------------------------------------------------------------------------------
Annualized Monetized None........... None........... None.......... NA............ 7.............. NA............ Not Quantified.
($millions/year).
None........... None........... None.......... NA............ 3.............. NA............
Annualized Quantified......... None........... None........... None.......... NA............ 7.............. NA............ Not Quantified.
None........... None........... None.......... NA............ 3.............. NA............
---------------------------------------------------------------------------------------------------
Qualitative................... This final rule satisfies the Congressional mandate in Vision 100 for TSA to promulgate
regulations to better ensure the security of aircraft repair stations. The security measures
required by this final rule will better secure the aircraft on repair stations located on or
adjacent to an airport and working on aircraft with a MTOW of more than 12,500 lbs. and mitigate
the risk of a terrorist attack originating at these aircraft repair stations
--------------------------------------------------------------------------------------------------------------------------------------------------------
Costs
--------------------------------------------------------------------------------------------------------------------------------------------------------
Annualized Monetized ($/year). $2,314,614..... N/A............ N/A........... 2012.......... 7.............. 10 Years...... None.
$2,318,596..... N/A............ N/A........... 2012.......... 3.............. 10 Years......
Annualized Quantified......... None........... None........... None.......... 2012.......... 7.............. 10 Years...... None.
None........... None........... None.......... 2012.......... 3.............. 10 Years......
---------------------------------------------------------------------------------------------------
Qualitative...................
--------------------------------------------------------------------------------------------------------------------------------------------------------
Transfers
--------------------------------------------------------------------------------------------------------------------------------------------------------
Federal Annualized Monetized None........... None........... None.......... NA............ 7.............. NA............ None.
($year).
None........... None........... None.......... NA............ 3.............. NA............
--------------------------------------------------------------------------------------------------------------------------------------------------------
From/To From: To:
--------------------------------------------------------------------------------------------------------------------------------------------------------
Other Annualized Monetized None........... None........... None.......... NA............ 7.............. NA............ None.
($year).
None........... None........... None.......... NA............ 3.............. NA............
--------------------------------------------------------------------------------------------------------------------------------------------------------
From/To From: To:
--------------------------------------------------------------------------------------------------------------------------------------------------------
Effects
--------------------------------------------------------------------------------------------------------------------------------------------------------
State, Local, and/or Tribal None........... None........... None.......... N/A........... NA............. NA............ None.
Government.
--------------------------------------------------
Small Business................ Prepared FRFA NA............ NA............. NA............ None.
--------------------------------------------------
Wages......................... None.
--------------------------------------------------
Growth........................ Not Measured.
--------------------------------------------------------------------------------------------------------------------------------------------------------

D. Changes From the NPRM

TSA adopts as final the proposed rule with changes based primarily
on the public comments received. This section summarizes the regulatory
text changes that TSA has made to the NPRM in this final rule. A
detailed description of the responses to the public comments is
included in Section II.
1. Part 1520
TSA eliminated the amendments to part 1520 of its rules because it
has eliminated the proposed requirement to adopt and implement a
security program.
2. Scope and Purpose
TSA modified the language in Sec. 1554.1 to eliminate the
reference to ``U.S. government'' and inserted ``a U.S. or foreign
government military installation'' in its place to respond to questions
raised in some comments. This change will eliminate from the scope of
the final rule FAA part 145-certificated repair stations located on a
military base, whether within or outside the United States. The change
clarifies TSA's intention not to exclude from the scope of the final
rule those repair stations that are subject to government regulation.
3. Terms
Commenting parties noted that TSA used different terms than the FAA
to describe repair stations and repair work and found that the
different terms were confusing. TSA eliminated the terms section to
avoid confusion. TSA also eliminated the terms ``foreign repair
station'' and ``domestic repair station'' from the final rule and uses
the terms ``repair station located within the United States'' and
``repair station located outside the United States'' to be consistent
with FAA part 145 regulations.

[[Page 2122]]

4. Security Program Adoption and Implementation
In response to commenters who requested exemptions from the
proposed requirement to adopt and carry out a security program, TSA has
eliminated the requirement to adopt and implement a security program.
As will be explained below, TSA will only require certain repair
stations located on or adjacent to an airport to adopt and carry out
security measures to prevent the unauthorized operation of large
aircraft capable of flight that are left unattended. TSA has conducted
a security risk assessment and determined that other repair stations
represent a minimal risk to aviation security. TSA has eliminated all
security measures regarding preventing access to repair stations. This
change will reduce the regulatory requirements and the costs of
implementation. While TSA has retained the requirement to verify
employee background information, it has reduced the application of that
requirement to those individuals who are designated as the TSA point of
contact and those who have access to the keys or other means used to
prevent the unauthorized operation of large aircraft capable of flight
that are left unattended. TSA has clarified that it will accept
employment history checks or background checks conducted on individuals
who have obtained a FAA airman certificate or a SIDA badge. All
proposed regulations regarding the content, format and availability of
a security program have been eliminated in the final rule.
5. Profile Information
TSA has eliminated the requirement proposed in Sec. 1554.101(b)
for repair stations to submit profile information to TSA. TSA will use
information available from the FAA.
6. Security Directives
TSA has added language to permit repair stations to comment upon a
security directive issued by TSA. This language is consistent with the
regulatory language used for airport operators and aircraft operators
under 49 CFR 1542.303(e) and 1544.305(e).
7. Compliance and Enforcement
In response to comments, TSA has clarified the process in part
1554, subpart C, which a repair station may use to seek review of a TSA
determination that a certificate must be suspended or revoked.

II. Public Comments on the NPRM and TSA Responses

A. Summary

TSA received 177 public submissions. Sixty-seven submissions were
from repair station owner/operators. Other commenters included private
individuals, industry associations, labor unions, foreign governments,
airport owner/operators, domestic and foreign aircraft operators, State
agencies, and the Small Business Administration (SBA). The discussion
below groups the comments by the primary issues raised in the public
submissions.

B. Need for Security Regulations

Comments: Thirty-three commenters said the proposed rule is
unnecessary because repair stations already have adequate security or
are already sufficiently regulated. Ten of these commenters cited
procedures and controls already in place to safeguard security, such as
quality controls, employee background checks, access controls, and
general safety procedures already approved by the FAA. Seven commenters
said the proposed regulations added a duplicate layer of security
already provided by other TSA requirements described in current TSA
security programs or SDs. A few commenters said that TSA should not
regulate repair stations if they are part of an airline that already
has an air carrier security program.
TSA response: Vision 100 requires TSA to issue regulations ``to
ensure the security of foreign and domestic repair stations.'' 49
U.S.C. 44924(f). TSA believes that the security regulations described
in the final rule will reduce the likelihood that a terrorist could
commandeer a large aircraft capable of flight and use it as a weapon.
The final rule supplements the safety requirements imposed by the
FAA, but does not duplicate FAA regulations. TSA disagrees with those
comments that claim the final rule will duplicate other TSA security
requirements. TSA does not currently regulate aircraft repair stations
and the requirements referenced by the commenters do not apply to
aircraft repair stations. TSA has eliminated the proposed requirement
to adopt and implement a security program, thus there will not be
duplication with airport security programs.
Air carrier-owned and -operated maintenance repair and overhaul
facilities conducting maintenance under the authority of a certificate
issued under 14 CFR parts 121 or 135 are not subject to the
requirements of this rule, since the statute and this rule specifically
requires regulation of repair stations certificated under part 145 of
the FAA regulations.
Comments: Several commenters asked TSA to consider a repair station
to be in full compliance with the rule if it is already incorporated
within an airport's security program and uses the airport's access
control measures.
TSA Response: TSA is aware that some repair stations may be
incorporated within an existing airport security program and has
eliminated the proposed requirement that repair stations adopt and
implement a security program to avoid unnecessary duplication.
Comments: Eight commenters stated that repair stations in general
do not pose a risk to security, especially compared to other facilities
or operations in the aviation system. Ten commenters claimed that TSA
did not conduct any type of risk analysis that quantified the security
risks at repair stations or the benefits of the proposed rule. An
association said TSA had correctly used a risk-based approach to
determine the security measures that repair stations would be required
to carry out under the proposed rule and concluded that this approach
is the most effective way to advance repair station security.
TSA Response: TSA agrees that the security risks posed by repair
stations vary and that the most effective way to advance repair station
security is to use a risk-based approach to address security matters.
In developing this rule, TSA conducted a security risk analysis,
including visits to repair stations located within the United States
and outside the United States, interviews with industry and FAA
experts, and a review of intelligence concerning a repair station's
susceptibility to a terrorist attack.
The NPRM described the site visits TSA made to repair stations
between June 2005 and May 2008. See 74 FR 59877. Since that time, TSA
has visited 47 repair stations located outside the United States and
928 repair station facilities within the United States to observe and
discuss repair station security practices. The site visits provided
valuable insight into the different types of facilities certificated by
the FAA, the different types of repair work performed at those
facilities, and the different security measures that are deployed.
In addition, TSA considered whether certain factors could increase
the security risks of a repair station. The risk factors TSA considered
were: (1) The size and type of aircraft to which employees had access;
(2) the type of

[[Page 2123]]

repair work permitted by the FAA certificate; (3) whether the repair
station was located on an airport and the type of airport; and (4) the
number of employees at the repair station.
Comments: An industry association stated that aircraft operators
that use repair stations should not be responsible for ensuring that
repair stations comply with the regulation.
TSA Response: TSA agrees that aircraft operators that use repair
stations will not be responsible for ensuring that the FAA part 145-
certificated repair stations comply with the final rule.

C. Relationship to FAA Regulations

Comments: Some commenters asked the FAA and TSA to coordinate their
efforts to avoid placing any unnecessary burdens on repair station
owners or operators. For example, one commenter pointed out that TSA
could obtain repair station profile information from the FAA. Several
commenters expressed concern regarding TSA's authority to request the
FAA to suspend or revoke the operating certificate of a repair station.
A few of these commenters said that because the FAA issues the repair
station certificate and is the Federal agency responsible for the
oversight and regulation of repair stations, the FAA should be the one
Federal entity that is able to suspend or revoke the certificate. Other
commenters questioned whether TSA, the FAA, or the National
Transportation Safety Board (NTSB) has jurisdiction over the appeals
process for certificate suspensions and revocations. Eight commenters
said the rule would compromise aircraft safety. Three of these
commenters claimed the FAA would lose oversight of repair stations and
would no longer conduct mandatory inspections and surveillance. One
commenter said the cost of the rule would cause repair facilities to
divert operating funds away from aircraft safety. Two commenters noted
the possibility that repair station operators would turn in their
repair station rating and would instead operate using mechanics holding
Airframe & Powerplant certification, resulting in a decrease in safety.
TSA response: TSA has coordinated its efforts with the FAA
throughout the rulemaking process and the final rule does not duplicate
FAA's authority to regulate repair station safety matters or interfere
in any way with the FAA certification process. In response to the
comments requesting that TSA reduce the burden on repair stations by
using FAA profile information, TSA eliminated the requirement for
repair stations to provide profile information from the final rule. TSA
will obtain the profile information from the FAA.
The final rule is consistent with the statutory provisions
regarding the processes for suspension and revocation of a repair
station certificate. Under 49 U.S.C. 44924(c), TSA must notify the FAA
Administrator when a repair station poses an immediate security risk or
is found to have security deficiencies. The statute requires the FAA
Administrator to act upon the TSA determination to suspend or revoke a
repair station's certificate. Since the suspension or revocation is
based on a determination that involves security, neither the FAA nor
the NTSB has jurisdiction over the appeals process. The final rule
includes a process whereby repair stations may request review of a TSA
determination that the repair station certificate must be suspended or
revoked. The procedure is consistent with the procedure now in place
for TSA to withdraw approval of the security program of an airport
operator, aircraft operator, foreign air carrier, indirect air carrier,
or certified cargo screening facility, as provided in 49 CFR part 1540,
subpart D.
TSA disagrees with the comments that claim the rule would
compromise aircraft safety, and that FAA would lose oversight of repair
stations. FAA authority over repair station safety is not affected by
this rule and repair stations must continue to comply with FAA safety
regulations. This rule will supplement existing FAA safety requirements
with security measures to ensure that unattended, large aircraft
capable of flight cannot be commandeered. The costs of the rule are
summarized in Section III.C below and described in detail in the
regulatory impact analysis accompanying this final rule. As explained
therein, TSA has minimized the cost burden of compliance, particularly
to small businesses, by using a risk-based approach and eliminating the
requirement for repair stations to implement a security program. In
addition, if a repair station operator turned in the repair station
rating and instead used mechanics holding Airframe & Powerplant
certifications, the repair station operator would not be permitted to
perform maintenance on passenger aircraft unless hired by an aircraft
operator, in which case the maintenance work would be subject to the
safety requirements of parts 121 or 135 of the FAA rules.

D. ``One Size Fits All'' Approach to Security

Comments: Twenty-seven commenters indicated the proposed rule did
not adequately accommodate or account for the diversity of repair
stations to which it would apply. A commenter noted that TSA recognized
that a ``one size fits all approach'' would not appropriately address
the diversity in repair station characteristics. Other commenters asked
TSA for more information on how the security program would accommodate
the different levels of risk posed by different types of repair
stations.
TSA response: TSA recognizes that just as aircraft repair stations
vary widely in size, type of repairs, and numbers of employees,
existing security measures also vary widely. As stated in the NPRM, TSA
agrees that a ``one size fits all'' approach will not adequately
address the diversity of certificated repair stations. As will be
discussed below in Section G, repair stations that are not on or
adjacent to an airport as defined in the final rule, are not required
to implement security measures.

E. Relationship to Foreign Laws and Standards

Comments: Several commenters, including representatives of foreign
governments, addressed the relationship of the proposed rule to other
countries' security laws and standards. Commenters said TSA should
recognize the equivalency of the security requirements of other
countries and the European Union (EU). They also questioned the legal
basis for application of the final rule without consultation and
agreement as laid out in international and bilateral aviation
agreements such as the EU-U.S. Air Transport Agreement. Other
commenters noted the potential conflict of the proposed rule's
requirements with national or EU laws or regulations in areas such as
unannounced inspections and background checks of repair station
employees.
TSA response: TSA acknowledges the concerns of foreign governments
regarding TSA authority to apply security requirements to part 145-
certificated repair stations located outside the United States. TSA is
aware of and has complied with its obligations under the EU-U.S. Air
Transport Agreement, as well as other bilateral and multilateral
instruments. TSA has discussed and will continue to discuss current and
proposed security requirements with its international partners in order
to enhance the compatibility of security regulations and standards,
including the possibility of developing protocols for reciprocity and
mutual recognition of repair station security regulations. TSA will
address

[[Page 2124]]

any specific conflicts between the final rule and any national or EU
laws or regulations that may arise.
TSA has established procedures for conducting inspections outside
the United States through its Foreign Airport and Foreign Air Carrier
Assessment Programs and intends to use those same procedures when
conducting inspections of FAA-certificated repair stations located
outside the United States. These established procedures require
coordination with the U.S. Department of State and the appropriate
foreign government authorities.
With regard to background checks, TSA will require repair stations
that are on or adjacent to an airport, as defined in this rule, to
verify background information of those individuals who are designated
as the TSA point(s) of contact and those who have access to any keys or
other means used to prevent the operation of large aircraft. The repair
station may either verify the individual's employment history, confirm
that the individual holds a FAA airman certificate, or (for a repair
station located in the United States) confirm that the individual has
obtained a security threat assessment, such as by holding a SIDA badge.
TSA will not require any other specific type of background check since
the laws regarding the ability to conduct certain background checks
vary widely. However, repair stations may conduct other background
checks consistent with applicable laws.
Comments: Two commenters were concerned the proposed rule did not
cover FAA-certificated repair stations in Canada. One of these
commenters said Canadian facilities could pose the same security risks
as FAA part 145 certificated facilities and contended that they should
be subject to the regulation.
TSA Response: TSA is aware that the final rule will not cover
repair stations located in Canada and agrees that these repair stations
could pose the same security risk as other repair stations. Canadian
repair stations are covered under part 43 of the FAA regulations and
operate under a bilateral agreement between the FAA and the Transport
Canada Civil Aviation Authority. Since they are not certificated under
Part 145 of the FAA regulations, they are not within the scope of this
rule.
Comments: One commenter said some foreign repair stations are
already under regulatory oversight by established government
authorities and should be exempt from the rule.
TSA Response: A repair station that is regulated by a governmental
authority is not exempt from the final rule. While a repair station may
be regulated by a government agency for safety or other purposes, as is
the case with the FAA, TSA cannot be assured that such regulation would
encompass the security requirements in the final rule.

F. Application of the Final Rule to Domestic Repair Stations

Comments: Eight commenters said Congress omitted the word
``domestic'' from the statute and concluded that TSA does not have
authority to impose regulations on domestic repair stations. One repair
station owner/operator acknowledged that 49 U.S.C. 44924(f) requires
TSA to issue regulations to ensure the security of both domestic and
foreign repair stations. However, the commenter noted the remainder of
the statute refers only to foreign repair stations and concluded that
Vision 100 does not give TSA authority to suspend the certificates of
domestic repair stations. Several commenters stated that the rule
should apply only to foreign repair stations, that domestic repair
stations pose a lower security threat than foreign repair stations, and
that TSA is overstepping its authority to regulate both domestic and
foreign repair stations.
TSA response: TSA disagrees with the comments that claim the
regulation should apply only to repair stations located outside the
United States, that repair stations located within the United States
necessarily pose a lower security threat than those located outside the
United States, and that TSA is overstepping its authority to regulate
aircraft repair stations. TSA is required to issue regulations to
``ensure the security of foreign and domestic aircraft repair
stations.'' See 49 U.S.C. 44924(f). Therefore, the final rule applies
to repair stations that are certificated by the FAA under part 145 of
its regulations. By including all FAA part 145-certificated repair
stations in the scope of the rule, TSA will be able to verify that
repair stations certificated by the U.S. government are in compliance
with the final rule. TSA will not suspend a repair station certificate.
The statute provides that the FAA must suspend a certificate upon
notification by TSA until such time as TSA determines the repair
station maintains and carries out effective security measures. See 49
U.S.C. 44924(c).
While the final rule is consistent with the statutory language, TSA
has ample statutory authority to address all domestic transportation
security matters. For example, 49 U.S.C. 114(f) gives TSA the authority
to: Assess threats to transportation; develop policies, strategies, and
plans for dealing with threats to transportation security; enforce
security-related regulations and requirements; inspect, maintain, and
test security facilities, equipment, and systems; and work in
conjunction with the Administrator of the FAA with respect to any
actions or activities that may affect aviation safety or air carrier
operations. Section 611 of Vision 100 discusses the need to
``strengthen oversight of domestic and foreign repair stations'' and to
``ensure that foreign repair stations that are certified by the
Administrator under part 145 of title 14, Code of Federal Regulations,
are subject to an equivalent level of safety, oversight, and quality
control as those located in the United States.'' \4\ Exempting repair
stations within the United States from the enforcement provisions of
the final rule would not permit TSA to effectively oversee the security
of repair stations located within the United States or ensure that
repair stations located outside the United States are subject to an
equivalent level of safety, oversight, or quality control.
---------------------------------------------------------------------------

\4\ H.R. Conf. Rep. No. 108-334, at 83 (2003).
---------------------------------------------------------------------------

Regulating only repair stations outside the United States would not
help TSA meet the statutory objective to ensure the security of foreign
and domestic aircraft repair stations. In fact, the majority of FAA
part 145-certificated repair stations are located in the United States
and U.S. aircraft continue to be a prime target of terrorist threats.
Exempting U.S. repair stations from the final rule would create a
significant gap in TSA's efforts to secure U.S. aircraft and the
traveling public. Repair stations located in the United States present
an immediate opportunity for terrorists to attempt to harm U.S.
aviation interests. For that reason, and consistent with statutory
language, the final rule applies to FAA part 145-certificated repair
stations.

G. Exemptions for Certain Types of Repair Stations

Many commenters requested TSA to exempt particular types of repair
stations from the rule. Nineteen commenters stated that off-airport
repair stations do not pose a security threat and contended the final
rule should apply only to repair stations located on airport grounds.
Another commenter agreed off-airport repair stations are less desirable
targets than on-airport repair stations because they do not have access
to operational aircraft. However, one commenter observed there are off-
airport repair stations that repair complete aircraft.

[[Page 2125]]

A number of commenters requested additional types of repair
stations be exempted from the regulation, including: Stations with a
small number of employees, stations servicing hot-air balloons, and
stations servicing aircraft with a MTOW below 12,500 pounds. In
contrast, a labor union urged TSA not to exempt any repair stations
from the rule.
Eighteen commenters stated repair stations servicing aircraft with
a MTOW below 12,500 pounds should be exempt from the rule. Several
other commenters said any weight threshold used for this rule should be
consistent with the threshold adopted in the General Aviation Security
final rule. A few others suggested weight thresholds ranging as high as
100,000 pounds.
Eleven commenters requested TSA to exempt repair stations that work
only on aircraft components and do not have access to complete
aircraft. Commenters stated these repair stations do not pose a
security threat because existing FAA rules require testing of the
airworthiness of the repaired components prior to installation.
TSA response: TSA agrees with commenters that repair stations
located on or adjacent to an airport could pose a higher security risk
than other repair stations. As the commenters point out and as
discussed in the NPRM, TSA found that repair station employees at off-
airport locations had little, if any, access to operational aircraft or
runways and are not the last individuals with access to aircraft prior
to the reintroduction of the aircraft into service. TSA concluded that
it may be more difficult for potential terrorists to attempt to attack
aviation interests from an off-airport repair station location.
TSA also agrees with commenters that it would be difficult for a
terrorist to damage an aircraft at a repair station that is rated to
repair only aircraft component parts. FAA safety regulations require
inspection of the repair work and the component part prior to
installation in an aircraft and before the aircraft is determined to be
airworthy. TSA agrees with the commenters who believe that it is less
likely that a terrorist would attempt to target an aircraft by
attempting to sabotage or tamper with a component part at an off-
airport location.
In addition, TSA agrees with those commenters that repair stations
that do not work on large aircraft pose less of a security risk. TSA
has long recognized that aircraft with a MTOW of more than 12,500
pounds may be a greater security risk because the aircraft are of
sufficient size and weight to inflict significant damage and loss of
lives. See Security Programs for Aircraft 12,500 Pounds or More, 67 FR
8295 (Feb. 22, 2002). Smaller aircraft may be a less attractive target
for terrorists.
TSA believes that it must maintain its authority to conduct
security inspections to ensure that repair stations do not pose a risk
to transportation security and to make clear that repair stations must
comply with security directives issued by TSA to respond to a specific
threat. However, TSA has determined that only higher risk repair
stations will be required to adopt security measures. Repair stations
considered to be higher risk include those located on or adjacent to an
airport. TSA will consider a repair station to be ``on airport'' if it
is located on an AOA or SIDA of an airport covered by an airport
security program under 49 CFR part 1542 in the United States, or on the
security restricted area of any commensurate airport outside the United
States regulated by a government entity. TSA will consider a repair
station to be adjacent to an airport if there is an access point
between the repair station and the airport of sufficient size to allow
the movement of large aircraft between the repair station and the area
described as ``on airport.'' These repair stations present the highest
risk to security due to their proximity to an airport and a runway and
the presence of operational aircraft of a size and weight that could
inflict significant damage and loss of lives. These repair stations
must implement security measures described in the final rule. TSA has
retained the current definition of large aircraft used in its
regulations, and will change that definition throughout the regulations
should another definition be adopted in the General Aviation Security
rulemaking proceeding.
Other repair stations, in general, represent a minimal risk to
aviation security because they are not located on or adjacent to an
airport and do not have access to aircraft of sufficient size and
weight to inflict significant damage or loss of lives. All FAA part 145
certificated repair stations are subject to other requirements in the
rule, such as submission to TSA inspection and compliance with security
directives.

H. Protection of Sensitive Security Information (SSI)

Comments: Two repair station owners/operators and an industry
association supported the proposed SSI regulations. Another repair
station owner/operator said the proposed SSI requirements may be
redundant, because some corporations already have controls for business
purposes to protect information from public disclosure. Another
commenter warned the SSI requirements could adversely affect corporate
operations and the availability of an operator's procedural
documentation to its employees. An airport owner/operator expressed
concern that the proposed rule would impose SSI responsibilities on
repair stations even if they pose a low security risk. A repair station
owner/operator and an industry association suggested the SSI provisions
should apply to repair station owners but not to operators. Three
commenters, including the European Commission, expressed concern about
the applicability of the SSI provisions to foreign nationals who own
and operate aircraft repair stations. They also said the proposed SSI
provisions might be incompatible with the data protection directives of
other nations or the EU.
TSA response: TSA has eliminated the proposed requirement to adopt
and implement a security program and has, therefore, eliminated the
proposed changes to part 1520. TSA's SSI regulations already require
security directives (SDs) to be treated as SSI. 49 CFR 1520.5. Part
1520 applies to entities that receive a TSA SD, including U.S. and
foreign air carriers for their operations both within and outside the
United States. While businesses may have procedures in place to protect
certain types of information, they may not include specific SSI
protections.
Repair stations will be responsible for developing procedures to
safeguard against unauthorized disclosure of a SD. When an individual
is not in physical possession of SSI, that individual must store the
SSI in a secure container, such as a locked desk, office, or file
cabinet. TSA disagrees with the comments that the SSI regulations could
make it difficult to share security information with repair station
employees. The SSI regulations permit disclosure to persons with a need
to know. 49 CFR 1520.9.
TSA appreciates the concerns of the European Commission regarding
the applicability of SSI requirements to foreign repair stations;
however, TSA does not believe that this will cause difficulties with
regard to EU legislation and data protection policies. TSA already
applies SSI requirements to foreign air carriers operating under a TSA-
accepted Model Security Program or who receive a TSA-issued emergency
amendment. The EU has not objected to or raised concerns regarding
conflicts with EU data protection laws and regulations in those
instances. TSA will continue to discuss with the EU any specific
conflicting regulatory requirements that may arise.

[[Page 2126]]

I. Scope of the Final Rule

Comments: A repair station owner/operator supported the scope of
the rule as proposed. Another repair station owner/operator suggested
the words ``or excluded from this part by TSA'' be added to account for
situations in which a repair station is already incorporated within an
airport's security program or in which the repair station does not
constitute a security threat. An industry association suggested the
addition of ``or host government'' after ``U.S. Government'' in
recognition of the fact that many other governments already have
standards that meet or exceed those in the proposed rule.
TSA response: TSA has modified the language in the final rule. The
final rule does not apply to FAA part 145-certificated repair stations
located on a U.S. or foreign government military installation. However,
certificated repair stations that are regulated or under the oversight
of a governmental entity are not exempt from the final rule. As
explained previously, only higher risk repair stations will be required
to implement security measures.

J. Terms Used in the Final Rule

Comments: Four commenters addressed the proposed definition of
``repair station.'' One industry association suggested narrowing the
definition to include only repair stations that convey aircraft
directly into commercial flight operations under parts 121 or 135 of
the FAA's regulations. Another industry association suggested narrowing
the definition to include only those repair stations authorized to
perform maintenance or alteration of civil aviation aircraft located on
a commercial airport. A third industry association objected to the
proposed definition because it does not recognize mixed maintenance
operations, in which a repair station is co-located at a larger
facility that is not otherwise covered by TSA security requirements. A
repair station owner/operator asked whether the scope and boundaries of
a repair station for purposes of the TSA rule would differ from the
scope and boundaries of the repair station for FAA purposes.
TSA response: In response to the comments, TSA has eliminated the
terms to avoid confusion with FAA terminology.
TSA is aware of the existence of mixed-use facilities, for example
those that combine maintenance and manufacturing stations. It will be
the repair station operator's responsibility to delineate the parts of
the station used for activities subject to this final rule and those
that are not. If a repair station determines it is not possible to make
such a delineation then the entire station would need to meet the
requirements of this final rule.

K. TSA Inspection Authority

Comments: Several commenters suggested that TSA's authority to
enter a repair station should be limited to normal business hours or
after business hours with an escort upon reasonable notice, unless
there is a known specific threat. These comments point out that, with
prior notification, a repair station could make certain that the
correct personnel are available to answer questions and provide
documentation. Two labor unions supported unannounced inspections,
saying repair stations must constantly ensure that they are complying
with security requirements, and that advance notice would nullify the
benefit of a security inspection. Four commenters supported the
proposed language authorizing TSA to conduct unannounced inspections.
However, they expressed concern that TSA indicated it would follow
existing protocols for inspection of repair stations located outside
the United States and provide advance notice to the facility being
inspected and the host government. The commenters asserted that giving
advance notice would nullify the benefit of the security inspection.
Eight commenters, including a foreign government and the European
Commission, said TSA could not legally inspect repair stations located
outside the United States without prior notification and the approval
of the authorities of the country in which the repair station is
located.
TSA response: TSA will follow current agency practices regarding
inspections of repair station facilities outside the United States. TSA
will always coordinate any inspections with the host government prior
to starting an inspection. With regard to repair stations within the
United States, TSA acknowledges the concerns expressed regarding such
government inspections. While TSA anticipates that in some cases it
will notify these repair stations of scheduled inspections, this
regulation allows TSA to conduct an inspection without advance notice
at any time and in a reasonable manner. In those instances where notice
is given, TSA will give the repair station the opportunity to gather
evidence of compliance and to arrange to have the appropriate personnel
available to assist TSA. However, TSA anticipates that unannounced
inspections will be conducted in the United States, particularly if
warranted by a security incident at a repair station. Some inspections
can be effective only if they are unannounced in order to determine
whether the regulated party is in compliance when it is unaware that
TSA may be inspecting. Terrorists will seek to take advantage of
vulnerabilities whenever they occur. TSA must have the ability to
respond to information, operations, and specific circumstances whenever
they develop and to assess the security of regulated entities at any
time, including weekends or holidays.
Comments: Several commenters said the rule should clearly define
the scope of TSA audits and should specify that the repair station
property, facility, and records to be inspected are only those relevant
to repair station security. In addition, a repair station owner/
operator and an industry association stated that business records,
corporate correspondence, and aircraft maintenance records should be
off-limits without a search warrant. They said the proposed rule
language was too broad and should be narrowed in the final rule.
TSA response: TSA disagrees that the inspection authority is overly
broad and has not modified the language in the final rule. The statute
authorizes TSA to ``complete a security review and audit.'' See 49
U.S.C. 44924(a). In addition, TSA has authority to ``inspect, maintain,
and test security facilities, equipment, and systems.'' See 49 U.S.C.
114(f)(9). The regulatory text states specifically that the purpose of
the inspection is to ``carry out TSA's security-related or regulatory
authorities.'' Thus, TSA will seek access to records relevant only to
security. The inspection authority section in new Sec. 1554.5 includes
audits, assessments, or inspections and is consistent with existing TSA
rules, such as in Sec. 1542.5 (airport operators) and Sec. 1580.5
(railroad operators).
Also in connection with scope, TSA notes that consistent with its
statutory authority (which currently allows inspections for security
reasons irrespective of this final rule), inspections will be for
compliance with this final rule's requirements and for security reasons
only. For repair stations not subject to security measures under this
rule (that is, those repair stations not located on or adjacent to an
airport, as defined in this rule), TSA does not intend to inspect such
facilities except as necessary to comply with the requirement in 49
U.S.C. 44924 to conduct a security audit of all part 145 certificated
repair stations located outside the United States, to evaluate security
risks as conditions warrant, and, in the event that TSA issues a

[[Page 2127]]

security directive to such a repair station, for compliance with the
security directive.
Comments: Some commenters said repair station security policy may
require anyone inside the repair station to have an identification
badge, and suggested that TSA and DHS officials comply with established
security programs at the site. A few commenters asked how repair
station personnel would know if TSA or DHS credentials are valid. One
of them asked if repair station personnel could record the names and
badge numbers of TSA and DHS inspectors.
TSA response: The final rule allows repair stations to request
inspectors to present their credentials for examination. Repair
stations may not photocopy or otherwise reproduce the credential to
prevent unauthorized individuals from using fake credentials to access
a repair station. Repair stations may issue access or identification
media to inspectors for their use while conducting inspections of the
facilities. However, they may not prevent an inspector from conducting
an inspection because the inspector was not issued identification media
by the repair station. TSA will assist repair stations to develop
training to identify TSA and DHS credentials.
Comments: A repair station owner/operator observed that TSA and DHS
officials would need an escort for their own safety. Several other
commenters were concerned that untrained TSA personnel could damage
aircraft parts during their inspections or cause a disruption of work.
TSA response: TSA appreciates that it must properly train its
inspectors so that they avoid dangers to themselves, to employees, and
other individuals at the repair station, and to property. TSA intends
to use only properly trained and credentialed personnel to conduct
inspections.

L. Security Program Adoption and Implementation

Comments: A repair station owner/operator supported the proposed
requirement to submit a profile because it would prevent use of a ``one
size fits all'' approach to repair station security. One commenter
asked TSA to accept the company profile used for FAA repair station
approvals. Another repair station owner/operator said that TSA should
eliminate this requirement or provide more information on what would
constitute an adequate profile. Several commenters said that the
proposed rule provided no guidance on how repair stations would report
changes in profile information or how they would know which changes
were significant enough to require reporting.
TSA response: TSA concurs with the majority of comments regarding
the submission of a profile and has not included the requirement in the
final rule. TSA will use existing repair station profile information
from the FAA.
Comments: Several commenters questioned how TSA could achieve its
stated objective of appropriately addressing the diversity in repair
station characteristics while requiring repair stations to use a
standard security program, unless otherwise authorized by TSA. They
expressed concern about having to adopt a ``canned'' or ``cookie-
cutter'' security program. In contrast, two labor unions said that
there needs to be a baseline security standard applied to all repair
stations and that allowing for any variation presents an opportunity
for disparities in security from station to station.
TSA response: TSA has eliminated the requirement to adopt and carry
out a security program in the final rule.
Comments: Some commenters expressed the belief that a 30-day
deadline for a repair station to submit a profile was insufficient,
particularly for small entities, those located overseas, and large
corporations with many subsidiaries or joint ventures. Three of them
suggested that 90 days would be more realistic.
TSA response: TSA has eliminated the requirement for repair
stations to submit a profile so there is no longer a 30-day deadline
requirement.
Comments: Two repair station owners/operators objected to the fact
that the proposed rule does not define specific minimum performance
standards, and entities may be subject to inconsistent compliance
expectations. Another commenter asked that the detail provided in the
preamble regarding the security program be included in the regulatory
language.
TSA response: TSA has eliminated the language in the NPRM regarding
the security program requirements. The final rule describes security
measures that repair stations on an airport or adjacent to an airport,
as defined in the final rule, must adopt. In order to reduce the
potential regulatory burden and implementation costs of the proposed
rule, TSA has removed all security measures that restrict access to a
repair station in the final rule. Instead, repair stations will be
required to prevent unauthorized operation of large, unattended
aircraft that are capable of flight. Large aircraft are defined as
aircraft with a maximum certificated take-off weight of more than
12,500 pounds and attended aircraft means aircraft to which access is
limited to authorized individuals and property.
The final rule explains that preventing unauthorized operation may
be accomplished in several ways and a repair station may even develop
its own measure so long as it obtains approval from TSA. The final rule
states that a repair station may block the path of the aircraft so that
it cannot be moved and control the key to a vehicle used for that
purpose, park the aircraft in a locked hangar and control the key to
the hangar, or move stairs away from the aircraft and shut and lock, if
feasible, all cabin and cargo doors and control the key. Controlling
the key, if used, is described as making sure that keys are only
available to an authorized individual who has undergone an employment
history check or a security threat assessment.
Comments: Ten commenters addressed the provision of the proposed
rule requiring the security programs to include measures to identify
all individuals authorized to enter the repair station. Three of the
commenters said the actual language of the provision was not detailed
enough to establish TSA's intent. A repair station owner/operator
expressed support for TSA's statement in the NPRM that TSA will deem
repair stations with established personnel identification media systems
as compliant with the requirement. The commenter asked TSA to
incorporate that language into the final rule. Three of the commenters
also questioned TSA's intent with regard to compliance by small repair
stations. They said small repair stations should be able to rely on
simple identification measures such as personal recognition.
TSA Response: In response to the comments, TSA has eliminated this
requirement in the final rule.
Comments: A repair station owner/operator said it is already in
compliance with many elements of the proposed standard security
program, including use of an employee identification system. Another
repair station owner/operator said TSA should not require repair
stations with established and existing escort policies and programs to
replicate ``redundant'' government escort procedures, because it would
cause confusion among employees and would impose excessive labor costs.
With regard to the proposed training requirements, three commenters
said existing International Civil Aviation Organization (ICAO) and EU
requirements should be sufficient to meet the requirements, and a
repair station owner/operator said security training already is part of
its operations.

[[Page 2128]]

TSA response: TSA has eliminated these security requirements in the
final rule. TSA acknowledges that many repair stations may already have
existing measures that meet or exceed the requirements described in the
final rule.
Comments: Twenty-one commenters expressed divergent views regarding
the requirement for employee background checks. Three commenters
supported the proposed rule and said it should be imposed on repair
station employees to the same degree it is imposed on FAA-certificated
mechanics. Five commenters said the requirement to check previous
employment might not be possible under EU Directive 95/46/EC and
national legislation. A repair station owner/operator said TSA failed
to recognize the limits imposed by Federal and State labor laws, as
well as union contracts. One industry association said other laws and
FAA regulations already require confirmation of citizenship and other
information related to employment history. Another industry association
also stated this requirement would be redundant for airport-based
facilities.
Seven commenters said the requirement was too vague and lacked
details, such as screening criteria and adjudication procedures. One
industry association said the phrase ``any other means as appropriate
to validate employee information'' is unclear and said the final rule
should have specific requirements such as the number of years or number
of employers to include. Another industry association said it was
unclear whether TSA intended employers to conduct a criminal history or
a security threat assessment, but that neither should be required.
Another commenter said the rule should include language that prevents
operators from having to repeat background checks they have already
conducted.
TSA response: TSA has retained the requirement to verify employee
background information, but has limited the number of repair stations
that must implement security measures and has reduced the number of
individuals whose background information must be verified. TSA
recognizes that many countries have different laws and regulations
regarding this matter, and not all repair stations have a need or the
ability to conduct certain types of background checks. The final rule
requires that only the individual or individuals responsible for
compliance with the final rule and recordkeeping, designated as TSA
point(s) of contact, and authorized access to keys used to secure large
aircraft must undergo a background check. The final rule does not
mandate the number of individuals who must undergo a background check,
but the number must be sufficient to ensure that a point of contact is
available on a 24-hour-a-day basis and all large aircraft capable of
flight are secured when not attended.
The final rule includes four examples of background checks that are
acceptable and allows a repair station to use another means if approved
by TSA.
(1) Verification of employment history for the most recent five
year period or the time since the employee's 18th birthday, whichever
is shorter. Verification may be accomplished via telephone, email, or
in writing. If the verification is performed by telephone, the repair
station must record the date and the name of person who verified the
employment. If there is a gap in employment of six months or more that
is not satisfactorily explained, employment history is not verified for
purposes of this rule. Employment history verification records must be
maintained for at least 180 days after the employment ends.
(2) Confirmation that the employee holds an airman certificate
issued by the FAA is sufficient since TSA vets all such certificate
holders.
(3) For a repair station located within the United States
confirmation that an employee has successfully completed a security
threat assessment pursuant to part 1540 of TSA's regulations, such as
by holding a SIDA badge.
(4) For a repair station located outside the United States,
confirmation that an employee has obtained a security threat assessment
commensurate to a security threat assessment described in part 1540 of
TSA's regulations.
TSA is aware that many repair stations already conduct security
threat assessments or other background checks on their employees. If
the background check is commensurate with the requirement of the final
rule, TSA will not require duplicative or redundant measures.
Comment: A few commenters urged TSA to require drug and alcohol
testing of personnel at foreign repair stations, just as the FAA
requires such testing under its authority over domestic repair
stations. The European Commission commented that such testing in EU
member nations is a matter for the law enforcement services in those
nations.
TSA response: As stated in the NPRM, drug and alcohol testing is a
safety issue that is under the purview of the FAA and is not included
as a requirement in the final rule.
Comments: A repair station owner/operator said the NPRM provided no
training criteria or scope of incident management for the security
coordinator. An industry association recommended TSA specify all
training requirements in one place and requested that the expectations
for the training of security coordinators be defined. One repair
station owner/operator indicated that 24-hour contact would not be
feasible for a small component repair station located outside of an
airport. A second owner/operator said the requirement should be imposed
at the airport level, not at the facility level. A third owner-operator
suggested TSA allow repair stations to designate an alternate security
coordinator.
TSA response: TSA has eliminated the requirement to train a
security coordinator in the final rule. The repair station must
designate one or more individuals, as necessary, to serve as TSA
point(s) of contact and to be responsible for compliance with the final
rule and recordkeeping. Training is not required to perform these
responsibilities. TSA does not agree that an airport Security
Coordinator would be sufficient to serve as the primary and immediate
contact for repair station security-related activities and
communications with TSA, unless TSA determines the repair station is
incorporated within the airport security program and the airport is
responsible for the security of the repair station itself.
Comments: A commenter stated that requiring a repair station to
make its security program available for review by TSA is insufficient.
The commenter said TSA should review and approve each security program.
A repair station owner/operator asked to whom the security program must
be accessible. One industry association asked if airport operators
would be able to access and review a repair station's security program
to verify that the airport operator is contacted for all security
related issues or incidents.
The European Commission and a repair station owner/operator opposed
the proposed English language requirement, noting that it would be
burdensome for foreign repair stations. The European Commission pointed
out that English is the official language of only three of the 27 EU
member states and said the requirements for oral and written
communications to be in English would be impossible to implement.
TSA response: The proposed requirement to adopt and implement a
security program has been eliminated in the final rule.
With regard to the proposed English language requirements, while
TSA has

[[Page 2129]]

eliminated the security program requirement, it retains the requirement
in the inspection provision to request documents in English. TSA notes
that this requirement is consistent with FAA regulations, such as 14
CFR 145.219, which requires a certificated repair station to retain
records of compliance in English.

M. Security Directives (SDs)

Comments: Several commenters objected to the requirement to comply
with SDs and asserted TSA has used SDs to issue requirements without
notice and the opportunity for public comment, thus circumventing the
rulemaking process. Several industry associations expressed concern
that TSA will require repair stations to comply with SDs that are not
applicable to their circumstances.
A commenter suggested TSA allow electronic acknowledgement of
receipt of an SD so that a record of compliance is maintained. Other
commenters thought verbal acknowledgement would be impractical and
burdensome to TSA and to repair stations, particularly small
facilities. Two repair station owners/operators said TSA should specify
the method of compliance in the SD. A repair station owner/operator
requested TSA identify the process for obtaining approval for
alternative measures of complying with an SD.
An industry association asserted that foreign repair stations are
not under TSA jurisdiction, and a repair station owner/operator said
the requirement to comply with SDs might be incompatible with foreign
security requirements.
One commenter requested TSA avoid using common aviation-related
abbreviations for TSA-related items. As an example, the commenter said
Security Directives should be called ``TSA Directives.''
TSA response: The term ``Security Directive'' is a standard term
used throughout TSA's regulations to describe the regulatory document
issued by TSA when TSA determines that additional security measures are
necessary to respond to a threat assessment or to a specific threat
against civil aviation. See 49 CFR 1542.303, 1544.305, 1548.19, and
1549.109. TSA declines to rename these documents. TSA intends to
maintain its current practice and issue SDs to repair stations when
necessary to respond to a threat assessment or a specific threat
against aviation. TSA has added language to the final rule to clarify
that repair stations may comment on SDs issued by TSA in Sec.
1554.103(d). TSA may amend an SD based on those comments. TSA will
include in an SD the procedures to acknowledge receipt, to implement
the requirements, and to request alternative measures if a particular
measure is incompatible with a security requirement imposed by a
foreign government or cannot reasonably be implemented.

N. Suspension and Revocation of Certificates

Comments: A few commenters asserted the statutory provisions
regarding the suspension and revocation of certificates apply only to
repair stations located outside the United States and thus the final
rule should not apply to repair stations within the United States.
Commenters claimed the proposed rule includes procedures for appealing
the revocation of certification, but not for appealing the suspension
of certification. Some recommended following the FAA process in 14 CFR
part 13. Several commenters said the rule should include the criteria
TSA would use when initiating a suspension or reinstating a
certification. Another industry association added TSA is as likely to
err in its judgment, as the industry is likely to err in compliance.
Several commenters also expressed concern about the consequences of
suspension and the resulting economic burden, especially on small
businesses. Several commenters objected to the appeal process because
it did not provide for appeal of TSA's decision to an impartial third
party. One repair station owner/operator stated the proposal violates
the current rules of discovery and does not reflect current judicial
process, and other commenters urged that final certification authority
be left to the FAA or NTSB. Other commenters warned that even though
the suspension and review may be temporary, either action would
jeopardize a repair station's ability to remain viable and the rule
should include specific timelines that TSA must meet.
Commenters expressed concern because the proposed rule provided no
guidelines for TSA's determination of revocation and there are no
effective checks on TSA's power to revoke. They also objected that
under the proposed rule, a certificate remains revoked during the
review process. One industry association requested TSA follow the
procedures already in place for the revocation of an FAA airman
certificate, including appeal to an administrative law judge and then
to the NTSB. Another industry association observed that in some TSA
actions against individual airmen, certificates were revoked while the
documentation supporting TSA's actions were withheld. A repair station
owner/operator requested harmonization with FAA's enforcement process,
which includes voluntary self-disclosure, administrative corrections,
processes to handle repeat offenders, and published guidelines for
legal enforcement, including suspending or revoking domestic repair
station certificates. An industry association expressed the belief that
review of a revocation must be reconciled with existing FAA and TSA
regulations. An anonymous commenter pointed out that the statute
requires consulting with the Administrator to establish procedures to
appeal a revocation of a certificate.
Nineteen commenters said that the proposed rule did not provide
enough detail or left too much to interpretation by those who would
enforce it. A few commenters expressed concern about a lack of key
definitions such as ``immediate risk to security'' and procedural
protections such as other tools to achieve compliance objectives, and
time limits for review, which could lead to inconsistencies and
certificate revocation without due process.
TSA response: TSA has clarified the regulatory language that
provides for judicial review of a final agency order. TSA has also
modified the language in the final rule to specify that repair stations
have the opportunity to petition for reconsideration of a TSA
determination that a repair station certificate must be suspended or
revoked. The certificate enforcement actions in the final rule are
consistent with TSA's procedures governing the withdrawal of approval
of a security program. 49 CFR 1540.301. TSA agrees with commenters that
the FAA has the authority to issue, suspend, or revoke certificates and
the statute requires the FAA to suspend or revoke a certificate if
notified by TSA to do so. 49 U.S.C. 44924(c). Since any certificate
action initiated by TSA will involve compliance with TSA's security
regulations, the basis for the certificate action must remain with TSA
and not the FAA or the NTSB. Further, TSA has general authority to
enforce security-related regulations and requirements. 49 U.S.C.
114(f)(7). TSA has consulted with the FAA in the development of the
final rule.
TSA appreciates the concerns expressed regarding the impact of a
suspension or revocation of a certificate on a repair station business.
TSA intends to follow current enforcement practices and anticipates
that most instances of non-compliance will not result in certificate
action. When appropriate, TSA will use a progressive enforcement
process whereby instances

[[Page 2130]]

of non-compliance can be resolved with non-certificate action,
including counseling, administrative actions, and civil penalties. See
49 CFR part 1503.

O. Nondisclosure of Certain Information

Comment: Two repair station owners/operators expressed concern that
the proposed regulations would preclude them from obtaining information
needed to appeal TSA determinations.
TSA response: TSA has retained the language from the NPRM in Sec.
1554.205 in the final rule. In accordance with E.O. 12968, TSA does not
disclose classified information. In accordance with 49 CFR 1520, TSA
also does not disclose SSI to individuals without a ``need to know.''
However, consistent with current enforcement practice, TSA will provide
the repair station with the information it collected and upon which the
enforcement action is based.

P. Other Comments on the Rulemaking

Comment: One commenter suggested repair station operators be
required to amend their FAA repair station manuals to make all
personnel aware of TSA security concerns.
TSA response: The FAA repair station manual is outside the scope of
this rulemaking and TSA authority. TSA, however, has shared this
comment with FAA.
Comment: Several industry associations said that TSA should allow
them and repair station owner/operators to review the standard security
program prior to implementation of the rule.
TSA response: TSA held briefing sessions with industry
representatives in the United States and overseas. During the sessions,
TSA provided a draft security program template for review and received
comments. TSA notes that the requirement to adopt and implement a
security program has been eliminated in the final rule.
Comment: A commenter asserted that a substantial number of
maintenance workers at repair stations are not certified and that some
may not be legally working in the United States.
TSA response: TSA notes that all employees hired after November 1,
1986, must complete Form I-9, Employment Eligibility Verification,
issued by U.S. Citizenship and Immigration Services of the Department
of Homeland Security to document that they are authorized to work in
the United States.
Comment: Ten commenters requested a more collaborative rulemaking
process. Another commenter recommended consulting with four specific
industry associations and other industry organizations during revision
of the proposed rule. One industry association also suggested the
creation of a Repair Station Sector Coordinating Council as a formal
means of obtaining industry input for the rulemaking process. An
association requested TSA to issue a Supplemental NPRM to make certain
that the concerns raised in the public comments are addressed. Two
commenters stated the lack of ability to review details of the Standard
Security Program as part of the proposed regulations, specifically the
associated information deemed by TSA to be SSI, render this rulemaking
non-compliant with the requirements of the Administrative Procedure Act
and applicable case law defining adequate rulemaking notice and
opportunity to comment.
TSA response: The NPRM containing the proposed regulations was
published in the Federal Register for public comment. 74 FR 59874 (Nov.
18, 2009). TSA has reviewed all of the comments it received during the
public comment periods in 2004 and 2009, as well as those received
during the public listening session conducted in 2004, and has adjusted
the final rule to address the comments as necessary. TSA has met all
requirements of the Administrative Procedure Act. As noted above, TSA
met with the repair station industry to receive comment on the security
program template format. TSA held briefing sessions with industry
representatives in the United States and overseas. During the sessions,
TSA provided a draft security program template for review and received
comments, although it ultimately determined not to include the security
program requirement in the final rule. TSA will continue to consult
with its stakeholders and sees no need for a coordinating council at
this time.

Q. Implementation Issues

Comments: Five commenters said TSA lacks the budget and staffing
levels needed to implement the security programs and provide oversight
of repair stations as detailed in the rule. Two commenters said TSA is
understaffed and suggested this rulemaking would serve only to divert
necessary resources from the agency's other security programs. Two
other commenters requested TSA secure the necessary resources to make
certain the proposed program is implemented efficiently and
immediately.
Several commenters said TSA would likely need to hire new
inspectors to implement the rule, and two commenters requested any new
TSA inspectors be required to complete mandatory training to ensure all
inspectors understand the safety measures and precautions that must be
taken when performing security audits at repair stations.
TSA response: The costs to the government to enforce the final rule
are included in the regulatory impact analysis. TSA is aware of the
complexity of work performed at repair stations. TSA has developed the
appropriate inspection guidance documents and relevant training for its
inspectors.
Comments: Two commenters questioned the statutory requirement that
TSA complete a security review and audit of all foreign repair stations
certificated by the FAA no later than six months after the final rule
is issued. Both said that the six-month period is too short. One
requested that the period be extended to 12 months, while the other
requested that the compliance period be extended to 18 months, the time
specified in Vision 100. One commenter warned that if TSA does not
extend the timeframe, the ability of new repair stations to be
certified could be impeded, which would negatively affect the aircraft
repair industry.
TSA response: In the Implementing Recommendations of the 9/11
Commission Act of 2007 (Pub. L. 110-53, 121 Stat. 266, Aug. 3, 2007),
the original 18-month deadline for completing security audits of repair
stations located outside the United States was reduced to six months.
TSA is committed to meeting the statutory deadline. TSA has hired
inspectors and developed a database that will serve as an inspection
scheduling and tracking tool. TSA has also developed an implementation
plan for inspecting repair stations located outside the United States.
Comment: An industry association suggested TSA collaborate with
foreign authorities to help implement the proposed program in their
respective countries. According to the association, this approach would
allow TSA to use its resources more efficiently.
TSA response: TSA will continue to meet and work with its
international partners to discuss implementation of the final rule.
Comments: Ten commenters said the proposed rule did not include a
compliance date or adequate details on TSA's implementation plans, such
as whether some repair stations would have to come into compliance
before others. An aircraft manufacturer recommended adding a long-term
compliance date for including measures to control access to a repair
station because a business plan would need to be modified in order to
accommodate

[[Page 2131]]

increased capital expenses. The commenter also suggested providing a
more flexible ``phase-in period'' for repair stations that recognizes
current industry business models in order to enable repair stations to
adequately and appropriately address any identified security lapses.
The commenter further recommended adopting a compliance schedule
similar to that of 14 CFR parts 1, 21, 43, and 45, which focus on
addressing potential industry constraints with meeting new compliance
requirements. One commenter recommended an 18-month period, to allow
adequate time to prepare for necessary costs and ensure that repair
stations have an adequate understanding of what is required of them.
One industry association suggested using a compliance date of 180 days
from the publication of the final rule.
TSA response: The final rule will be effective 45 days after the
date of publication in the Federal Register. TSA will conduct
appropriate outreach and communication to industry representatives and
the aircraft repair station community to discuss specific
implementation timeframes and issues. TSA notes that it has eliminated
the requirement to adopt and carry out a security program in the final
rule. In addition, TSA anticipates that many of these repair stations
already have security measures in place that may meet or exceed the
measures contained in the final rule.
Comment: One commenter requested more information on the fees
charged for TSA repair station audits, noting that the initial audit
will require an additional charge for repair stations if the FAA is
conducting the audits.
TSA response: TSA is not charging a fee to conduct security audits
or inspections.
Comment: One industry association suggested TSA establish a 24-hour
point of contact to answer compliance-related questions.
TSA response: TSA has established a dedicated email address,
ARS@tsa.dhs.gov, where repair stations can send questions. In addition,
repair stations will be provided with the name and contact information
for inspectors who will be available to respond to questions.

R. Comments From the Small Business Administration

Comment: The Small Business Administration Office of Advocacy (SBA)
recommended that TSA limit the scope of the rule. SBA offered the
following three alternatives to meet the objectives of Vision 100 while
minimizing significant economic impacts on small repair stations: (1)
Exempt all repair stations that are not located at a commercial airport
or that do not have access to aircraft; (2) adopt a risk-based, tiered
approach based on size of aircraft and access to aircraft; and (3)
align the final rule with the threshold level TSA ultimately adopts in
the proposed General Aviation Security rule.
TSA response: TSA has reduced the scope of the final rule and has
eliminated the proposed requirement to adopt and implement a security
program. TSA has analyzed the possible security risk associated with
repair stations and agrees that those not located on or adjacent to an
airport, as defined in the final rule pose a lower risk to
transportation security. This risk-based approach will minimize the
economic impact on small repair stations consistent with SBA's
recommendation. The aircraft size threshold in this final rule is
consistent with TSA's current regulatory threshold. TSA agrees that its
regulations should be consistent and will evaluate all of its
regulations to determine whether changes are needed to enhance
consistent regulatory treatment once the General Aviation Security rule
is final.
Comment: SBA recommended that TSA provide clear guidance to small
business regarding the implementation of the security program.
TSA response: TSA has eliminated the requirement to implement a
security program. TSA will work with all stakeholders to provide
guidance on the final rule.
Comment: SBA was concerned that the costs of the regulation were
understated, explaining that TSA either failed to estimate or
underestimated costs of inspections, correcting security deficiencies,
complying with security directives, implementing access control
measures, implementing the security program, appealing suspension and
revocation determinations, and implementing identification media
systems. SBA recommended that TSA reassess its cost estimates.
TSA response: TSA has added estimates or updated its previous
estimates in the regulatory impact analysis to reflect the requirements
in the final rule. TSA notes that the requirement to implement a
security program has been eliminated and the application of security
measure requirements has been reduced significantly. The costs of
complying with future SDs cannot be estimated. SDs are issued on a
limited basis to respond to a specific threat. The measures required to
respond to the threat and the frequency of such threats cannot be
reasonably predicted. TSA does permit regulated entities to comment on
a SD and propose alternate measures if the measures cannot be
reasonably implemented.
Comment: SBA recommended that TSA address the concerns of small
businesses regarding SSI and develop procedures to assist small
businesses to control SSI.
TSA response: The requirements for the protection of SSI are
described in part 1520 of TSA's regulations. TSA will provide
assistance and will answer specific questions regarding the protection
of SSI. The SSI regulations explain that SDs are SSI. Those repair
stations that receive a SD will be required to safeguard it to prevent
access by individuals who are not authorized to possess SSI. Repair
station employees must have access to the SD to ensure that security
measures are implemented. To protect SSI, TSA only requires that SSI be
stored in a locked cabinet or desk drawer, or electronically as a
password-protected file. Therefore, TSA believes that the costs of
protecting SSI will be minimal and will only be incurred if the repair
station receives a SD.
Comment: SBA recommended that TSA address concerns expressed by
small businesses regarding the appeals process if TSA determines that a
repair station certificate must be suspended or revoked. It also
recommended that intermediate processes such as warnings, or requests
for information be used since small businesses may go out of business
if closed pending appeal of a suspension.
TSA response: Since TSA has eliminated the proposed requirement to
adopt and carry out a security program; we do not expect that there
will be many instances that would require suspension or revocation of a
certificate. This expectation is based on the repair station visits TSA
conducted that demonstrated the vast majority of repair stations
already have reasonable and sufficient security measures in place.
While some aspects of the appeals process are specified in the statute,
TSA has clarified the regulatory language that provides for judicial
review of a final agency order. TSA has also modified the language in
the final rule to specify that repair stations have the opportunity to
petition for reconsideration of a TSA determination that a certificate
must be suspended or revoked. The final rule is consistent with TSA's
current regulations regarding withdrawal of a security program. 49 CFR
1540.301. TSA agrees that intermediate processes will be

[[Page 2132]]

used. This is consistent with TSA's current inspection protocols used
to inspect airports and air carrier or aircraft operator operations.
TSA anticipates that in most instances repair stations will be able to
implement immediate measures to correct security deficiencies without
the need for any formal enforcement mechanism. When necessary, TSA will
use a progressive process whereby instances of non-compliance can be
resolved with non-certificate action, including counseling,
administrative action, and civil penalties. See 49 CFR part 1503.
Comment: SBA recommended that TSA consider how its proposed rule
would affect non-typical and ``hybrid'' repair station facilities. For
example, some repair stations are tenants in large facilities in which
the landlord is not a regulated entity, some only occupy a workbench
within a large building, and some work on the ``air side'' of an
airport where pilots and other visitors frequently walk up to an open
hangar to ask questions.
TSA response: TSA understands that there is a wide variety of
certificated repair stations that differ in size, type of repairs, and
number of employees. TSA has eliminated the proposed requirement to
implement a security program and has reduced the number of repair
stations that will be required to implement the security measures
described in the final rule.
TSA is aware of the existence of ``hybrid'' or mixed-use
facilities, for example, those that combine maintenance and
manufacturing stations. It will be the part 145 certificated repair
station's responsibility to delineate the parts of the station that are
subject to the final rule and those that are not. If a repair station
determines it is not possible to make such a delineation, the entire
repair station must be in compliance with the final rule.

S. Comments on the Regulatory Impact Assessment

Comment: One association addressed the cost of complying with the
proposed amendments to part 1520, which would designate repair station
security programs as SSI and would include repair station owners and
operators as entities subject to SSI requirements. The association said
that it was not possible to estimate and comment on the cost of
controlling SSI, because TSA had failed to indicate what it would
consider an adequate and secure information management system.
TSA response: TSA has eliminated the requirement to carry out a
security program and the proposed amendment to part 1520 to treat the
security program as SSI. However, part 1520 requires that SDs be
treated as SSI. If a repair station receives a SD, a system for
securely managing and controlling SSI could be storing that information
or material in a secure container (e.g., locked desk or filing cabinet)
that prevents the unauthorized disclosure of this information or
material. SSI materials may also be stored electronically as password-
protected files. Considering these options are compliant with part
1520, TSA does not believe that there will be any additional cost
burden on repair stations to control access to SDs.
Comment: Several commenters questioned the attack scenarios found
in the economic analysis and stated that the probability of these
attack scenarios actually occurring is remote. One stated that the
basic premise of the scenarios is off because the break even analysis
assumes that the majority of repair stations have access to airports
and aircraft.
TSA Response: TSA has analyzed the security risks of the repair
station population and has revised the implementation plan to only
require repair stations located on or adjacent to an airport, as
defined in the final rule, to adopt and implement security measures.
Comments: Seventeen commenters stated that TSA had significantly
underestimated the cost of compliance. Two commenters stated that the
costs estimated are too low and that TSA should redo the cost analysis
and the Initial Regulatory Flexibility Analysis (IRFA). Commenters
provided lists of items that they claim TSA failed to address
adequately, including the costs of creating and implementing a security
program, facility access control measures, personnel identification
media systems, security coordinators, and security awareness training.
One repair station owner/operator said that the estimate that an
off-airport repair station would require only four hours to complete
and implement a security program seemed extraordinarily low, as did
other estimates of average compliance costs in the NPRM. Another
operator stated that rule familiarization had taken 10 hours. It
estimated that writing a program would cost $12,000 and the actual
implementation cost could exceed $80,000.
An industry association and a repair station owner/operator said
that the analysis failed to consider the cost of fencing, guards,
cameras, badges, and access control systems, which they said that small
repair stations and general aviation airports may not already have. The
industry association said that the cost to establish access control
would not be feasible for a small repair station at a general aviation
airport. One commenter said that it had priced three ``off-the-shelf''
non-biometric photo ID badge systems at an average cost of $2,346;
similarly, the commenter said it priced a 750-foot perimeter fence with
access gates at $14,905. The commenter noted that the sum of these two
estimates far exceeds TSA's estimate of total compliance costs of
$4,216 for a business with 45 employees. Various commenters estimated
the cost of background checks and a badge system as $4,600 to $6,000,
and a security system as $17,250.
An industry association stated that the rule would require repair
stations to add at least one full time position, which would create a
financial burden for small repair stations and make it harder for them
to remain competitive. Another association stated that TSA was asking
repair stations to prove their approach was sufficient; while stations
with professional security staff could do this, it was unreasonable to
expect small GA repair stations to do this. A third commenter estimated
salary for security staff as $70,350.
One industry association also stated that TSA had underestimated
training costs and should double them. Another commenter estimated
training costs at up to $2,000 per employee.
One industry association stated that the analysis failed to
consider that small entities do not physically separate work areas,
which the NPRM would require. The contingency plan requirement for
identifying unauthorized persons is not defined. It noted that small
stations do not routinely escort visitors and do not have staff who can
be assigned to do this without losing productive work. The escort
requirement will disproportionately affect small stations.
An operator stated that TSA had based its analysis on small repair
stations, which calls into question whether the agency has met the
requirements of E.O. 12866, the Regulatory Flexibility Act (RFA), and
the Trade Agreement Act.
TSA response: In order to address the concerns of the commenters
and better estimate the costs of compliance associated with the
security measures described in the final rule, TSA has revised its cost
estimates. TSA has eliminated the requirement to adopt and implement a
security program. Specifically, TSA has eliminated all security
measures regarding preventing access to repair stations and will only
require certain repair stations to prevent the unauthorized operation
of large

[[Page 2133]]

aircraft that are unattended. This change will reduce the regulatory
requirement and the costs of implementation. While TSA has retained the
requirement to verify employee background information, it has reduced
the application of that requirement only to those individuals who are
designated as the TSA point of contact and those who have access to the
keys or other means used to prevent the unauthorized operation of large
aircraft. TSA has clarified that it will accept the background check
obtained by individuals who have obtained a FAA airman certificate or a
SIDA badge. All proposed regulations regarding the content, format and
availability of a security program have been eliminated in the final
rule. The cost estimates for both the NPRM and the final rule are
listed in Chapter 4 of the regulatory impact analysis accompanying this
final rule. That chapter also describes the reasons for the differences
in the cost estimates.
In conjunction with the NPRM, TSA published a regulatory impact
analysis that addressed the requirements of EO 12866, the RFA, the
Unfunded Mandates Reform Act, and the Trade Agreement Act. The cost
estimates in that regulatory impact analysis were not based on small
repair stations. However, the IRFA considered the cost impact of the
proposed regulations on repair stations classified under SBA standards
as ``small'' businesses. In the final rule, TSA has updated these
analyses, considering all costs incurred by TSA and any repair stations
notified to adopt security measures under the final rule.
Comments: Forty-eight commenters argued that complying with the
proposed requirements in part 1554 would be too costly, and some said
that the compliance costs would force repair stations out of business.
Six commenters stated that taxpayers and the flying public would also
feel the financial burden. Twelve commenters said that the proposed
rule would likely result in small GA repair stations either closing
their businesses or surrendering their repair station certificates in
favor of becoming maintenance repair shops that would not be required
to comply with the proposed rule. Fifty commenters said that small
aircraft repair stations in particular would suffer significant
economic and staffing losses because of the proposed rule. Many of
these commenters said that because small repair stations each employ a
small number of people, the compliance cost per employee would be
significant.
TSA response: With respect to the comments about station closings,
TSA recognizes that some aircraft repair stations will incur costs
associated with the implementation of security measures, but TSA has
reduced the requirements of this final rule and therefore, the costs of
implementation. TSA has eliminated the requirement of all security
measures regarding preventing access to repair stations and will only
require repair stations to prevent the unauthorized operation of large
aircraft. All proposed regulations regarding the content, format and
availability of a security program have been eliminated in the final
rule. Additionally, the requirement to adopt security measures was
revised to include only repair stations located on or adjacent to an
airport, as defined in the final rule.
TSA has prepared a Final Regulatory Flexibility Analysis (FRFA) as
part of the economic analysis of the final rule. This analysis can be
found in the regulatory impact analysis, and presents the estimated
compliance costs small businesses would incur as a percentage of annual
revenues.
TSA has kept the costs of implementation of this rule on small
businesses to a minimum by eliminating the security program requirement
for all repair stations. Further, the security measures in this final
rule allow flexibility in implementation.

III. Rulemaking Analyses and Notices

A. International Compatibility

In keeping with U.S. obligations under the Convention on
International Civil Aviation, it is TSA policy to comply with
International Civil Aviation Organization (ICAO) Standards and
Recommended Practices where possible. TSA has determined that these
regulations are consistent with ICAO Standards and Recommended
Practices for security of airports and facilities contained in Annex 17
of the Convention, the ICAO Security Manual and the ICAO Security Audit
Reference Manual.

B. Economic Impact Analyses

1. Regulatory Impact Analysis Summary
Changes to Federal regulations must undergo several economic
analyses. First, E.O. 12866, Regulatory Planning and Review (58 FR
51735, October 4, 1993), as supplemented by E.O. 13563, Improving
Regulation and Regulatory Review (76 FR 3821, January 21, 2011),
directs each Federal agency to propose or adopt a regulation only if
the agency makes a reasoned determination that the benefits of the
intended regulation justify its costs. Second, the Regulatory
Flexibility Act (5 U.S.C. 601 et seq.), as amended by the Small
Business Regulatory Enforcement Fairness Act (SBREFA) of 1996, requires
agencies to consider the economic impact of regulatory changes on small
entities when an agency is required to issue a NPRM. Third, the Trade
Agreements Act (19 U.S.C. 2531-2533) prohibits agencies from setting
standards that create unnecessary obstacles to the foreign commerce of
the United States. In developing U.S. standards, the Trade Act requires
agencies to consider international standards, where appropriate, as the
basis of U.S. standards. Fourth, the Unfunded Mandates Reform Act of
1995 (2 U.S.C. 1531-1538) requires agencies to prepare a written
assessment of the costs, benefits, and other effects of proposed or
final rules that include a Federal mandate likely to result in the
expenditure by State, local, or tribal governments, in the aggregate,
or by the private sector, of $100 million or more annually (adjusted
for inflation).
In conducting the following four analyses, TSA has determined:
1. This final rule is a ``significant regulatory action,'' although
not an economically significant regulatory action, under section
3(f)(1) of E.O. 12866. Accordingly, the Office of Management and Budget
has reviewed this regulation.
2. This final rule imposes no significant barriers to international
trade.
3. This final rule does not impose an unfunded mandate on State,
local, or tribal governments, or on the private sector in excess of
$100 million (adjusted for inflation) in any one year.
These analyses, as well as the Final Regulatory Flexibility
Analysis, are summarized below and are detailed in the regulatory
impact analysis accompanying the final rule.
2. Executive Orders 12866 and 13563 Assessments
Executive Orders 12866 and 13563 direct agencies to assess the
costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). Executive
Order 13563 emphasizes the importance of quantifying both costs and
benefits, of reducing costs, of harmonizing rules, and of promoting
flexibility.
Costs
TSA issued an NPRM on November 18, 2009 (74 FR 68774). This final
rule makes the following major changes to

[[Page 2134]]

the NPRM. The first major change is the elimination of the requirement
for a repair station to submit a security profile to TSA. TSA will
obtain data from the FAA and conduct field visits to acquire other data
and information. TSA has also eliminated the requirement to adopt and
implement a security program and all security measures preventing
access to repair stations. While TSA has retained the requirement to
verify employee background information, it has reduced the application
of that requirement to those individuals who are designated as the TSA
point of contact and those who have access to the keys or other means
used to prevent the unauthorized operation of large aircraft capable of
flight that are left unattended. TSA has clarified that it will accept
employment history checks or background checks conducted on individuals
who have obtained a FAA airman certificate or a SIDA badge.
TSA assessed the risk profile of the repair station population and
determined that not all repair stations present sufficient risk to
warrant security program requirements. Therefore, TSA is only requiring
those repair stations located on or adjacent to certain airports, as
defined in this final rule, to adopt security measures. As noted above,
TSA will consider a repair station to be ``on airport'' if it is on an
AOA or SIDA of an airport covered by an airport security program under
49 CFR part 1542 in the United States, or on the security restricted
area of any commensurate airport outside the United States regulated by
a government entity. TSA will consider a repair station to be adjacent
to an airport if there is an access point between the repair station
and the airport of sufficient size to allow the movement of large
aircraft between the repair station and the area described as ``on
airport.'' Under the NPRM, approximately 4,800 repair stations
certificated under part 145 would have been affected by the
rulemaking's affirmative requirements, while under this final rule,
that number has been reduced to an estimated 678 repair stations.
In response to public comments and changes in final rule
implementation, TSA has adjusted the estimated costs for the final
rule. The regulatory impact analysis accompanying this final rule
summarizes the revised cost estimates of the regulation.
Total
In summary, over the 10-year period of the analysis, TSA estimates
the aggregate costs of the Aircraft Repair Station Security Final Rule
to total approximately $23.22 million, undiscounted. This total is
distributed among repair stations located within the United States,
which would incur total costs of $8.7 million; repair stations located
outside the United States, which would incur costs of $14.18 million;
and TSA, which would incur costs of $0.34 million. Chapter 2 of the
regulatory impact analysis, available in the public docket, provides
detailed estimates of these costs. The following table presents the
annual costs of the rule over the 10-year period of analysis, broken
out into costs incurred by TSA, repair stations located within the
United States, and repair stations located outside the United States,
respectively.

Table 1--Total Cost of the Aircraft Repair Station Security Final Rule
[$ millions]
--------------------------------------------------------------------------------------------------------------------------------------------------------
Repair stations Repair stations
Year TSA Costs within the United outside the Total Discounted, 3 Discounted, 7
States United States (undiscounted) percent percent
--------------------------------------------------------------------------------------------------------------------------------------------------------
1.......................................... $0.06 $0.9 $1.37 $2.34 $2.27 $2.19
2.......................................... 0.03 0.9 1.31 2.24 2.11 1.96
3.......................................... 0.02 0.9 1.34 2.25 2.06 1.83
4.......................................... 0.04 0.9 1.37 2.29 2.03 1.75
5.......................................... 0.04 0.9 1.40 2.31 1.99 1.65
6.......................................... 0.02 0.9 1.42 2.30 1.93 1.53
7.......................................... 0.04 0.9 1.46 2.36 1.92 1.47
8.......................................... 0.03 0.9 1.48 2.36 1.86 1.37
9.......................................... 0.02 0.8 1.51 2.37 1.81 1.29
10......................................... 0.04 0.8 1.54 2.41 1.79 1.22
------------------------------------------------------------------------------------------------------------
Total.................................. 0.34 8.70 14.18 23.22 19.78 16.26
--------------------------------------------------------------------------------------------------------------------------------------------------------

Changes in Cost Estimates From Notice of Proposed Rulemaking
The cost estimates for this final rule differ from those reported
in the NPRM due to the elimination of security program, facility access
control and other requirements as described above. TSA also uses more
recently available data from its outreach efforts and from FAA
databases to update population projections and program costs. The
following tables present the cost estimates of the final rule compared
to those presented in the NPRM.

Table 2--Changes in Costs From the NPRM to the Final Rule
----------------------------------------------------------------------------------------------------------------
10-Year total rule costs ($ millions)
Estimate -----------------------------------------------------
NPRM Final rule Difference
----------------------------------------------------------------------------------------------------------------
Total (undiscounted)...................................... $344.4 $23.22 ($321.18)
3% Discount............................................... $293.3 $19.78 ($273.52)
7% Discount............................................... $241.0 $16.26 ($224.74)
----------------------------------------------------------------------------------------------------------------

[[Page 2135]]

Table 3--Changes in Costs Incurred by Repair Stations Located Within the United States
----------------------------------------------------------------------------------------------------------------
10-Year total costs ($ millions)
Cost segment ------------------------------------------------ Major cost driving
NPRM Final rule Difference changes
----------------------------------------------------------------------------------------------------------------
Security Programs....................... $1.6 $0 ($1.6) All proposed
regulations regarding
the content, format
and availability of a
security program have
been eliminated in
the final rule.
Point of Contact........................ 113.2 5.8 (107.4) TSA is requiring only
a point of contact on
a 24-hour a day
basis.
ID Media System......................... 0.5 0 (0.5) TSA eliminated ID
Media System
requirements.
Aircraft Access Control................. 0.0 2.7 2.7 This is a new cost in
the final rule for on-
airport and adjacent
repair stations.
Training................................ 53.2 0 (53.2) TSA has eliminated all
training
requirements.
Inspections............................. 0.0 0.16 0.16 This is a new cost in
the final rule for on-
airport and adjacent
repair stations.
Revocation Appeals...................... 0.0 0.004 0.004 TSA now includes a
cost estimate for the
fraction of repair
stations estimated to
require an appeal due
to suspension or
revocation. This
fraction is based on
historical data from
FAA.
------------------------------------------------
Total (undiscounted)................ 168.5 8.7 (159.8)
------------------------------------------------
3% Discounted Total................. 143.9 7.4 (136.5)
------------------------------------------------
7% Discounted Total................. 118.6 6.1 (112.5)
----------------------------------------------------------------------------------------------------------------

Table 4--Changes in Costs Incurred by Repair Stations Located Outside the United States
----------------------------------------------------------------------------------------------------------------
10-Year total costs ($ millions)
Cost segment ------------------------------------------------ Major cost driving
NPRM Final rule Difference changes
----------------------------------------------------------------------------------------------------------------
Security Programs..................... $0.7 $0 ($0.7) All proposed regulations
regarding the content,
format and availability
of a security program
have been eliminated in
the final rule.
Point of Contact...................... 18.5 3.8 (14.7) TSA is requiring only a
point of contact on a
24-hour a day basis.
Personnel ID System................... 0.1 0 (0.1) TSA eliminated Personnel
ID System requirements.
Aircraft Access Control............... 0.0 10.2 10.2 This is a new cost in
the final rule for on-
airport repair
stations.
Training.............................. 78.4 0 (78.4) TSA has eliminated all
training requirements.
Inspection............................ 0.0 0.10 0.10 This is a new cost in
the final rule for on-
airport repair
stations.
Revocation Appeals.................... 0.0 0.05 0.05 TSA now includes a cost
estimate for the
fraction of repair
stations estimated to
require an appeal due
to suspension or
revocation. This
fraction is based on
historical data from
FAA.
Employment History Checks............. 0.0 .08 .08 This is a new cost in
the final rule for on-
airport repair
stations.
------------------------------------------------
Total (undiscounted).............. 97.7 14.2 (83.5)
------------------------------------------------
3% Discounted Total............... 83.4 12.0 (71.4)
------------------------------------------------
7% Discounted Total............... 68.7 9.9 (58.8)
----------------------------------------------------------------------------------------------------------------

[[Page 2136]]

Table 5--Changes to TSA Costs
----------------------------------------------------------------------------------------------------------------
10-Year total costs ($ millions)
Estimate ------------------------------------------------ Major cost driving
NPRM Final rule Difference changes
----------------------------------------------------------------------------------------------------------------
Total (undiscounted).................... $78.2 $0.3 ($77.9) TSA has reduced the
requirements of this
final rule resulting
in a reduction of
inspection time and
resources.
------------------------------------------------
3% Discounted Total................. 66.1 0.3 (65.8)
------------------------------------------------
7% Discounted Total................. 53.7 0.2 (53.5)
----------------------------------------------------------------------------------------------------------------

Benefits
TSA is issuing regulations to provide for the security of
maintenance, preventive maintenance, or alterations on aircraft or
articles of aircraft performed at repair stations located both within
and outside the United States, of the aircraft and articles located at
these repair stations, and of the repair station facilities as required
by Vision 100. As terrorist organizations continue to target civil
aviation, Congress has indicated the importance of aircraft repair
station security. TSA opted to require only those repair stations
located on or adjacent to certain airports, as defined in this final
rule, to adopt security measures. These facilities represent potential
risks due to both their location on or adjacent to an airport and
airport runways and their ability to perform maintenance on and have
access to aircraft with a MTOW of more than 12,500 lbs. Therefore, the
opportunity exists for a terrorist to commandeer an operational
aircraft and use it as a weapon against a populated target.
TSA uses a break-even analysis to frame the relationship between
the potential benefits of the rulemaking and the costs of implementing
the rule. When it is not possible to quantify or monetize the important
incremental benefits of a regulation, OMB recommends conducting a
threshold, or ``break-even'' analysis. According to OMB Circular No. A-
4, ``Regulatory Analysis,'' such an analysis answers the question,
``How small could the value of the non-quantified benefits be (or how
large would the value of the non-quantified costs need to be) before
the rule would yield zero net benefits?'' \5\ Consequently, to better
inform the comparison of the costs of implementing the rule with the
benefits to homeland security of the Aircraft Repair Station Security
final rule, TSA performed a break-even analysis. In the break-even
analysis, TSA compared the annualized cost of the rule's requirements
to the expected benefits of preventing a potential terrorist attack.
---------------------------------------------------------------------------

\5\ Http://www.whitehouse.gov/sites/default/files/omb/assets/regulatory_matters_pdf/a-4.pdf.
---------------------------------------------------------------------------

The type of terrorist attack addressed by this final rule is an
aircraft as weapon scenario against a populated target such as an
office building. This attack would result from the infiltration of an
on-airport repair station and subsequent commandeering of an aircraft.
To assess the potential impact of an attack originating at a repair
station, TSA considers a representative attack scenario and estimates
the monetary value of the losses associated with this scenario. This
attack scenario is taken from the second iteration of TSA's
Transportation Sector Security Risk Assessment (TSSRA 2.0). TSSRA 2.0
is a SSI report that was produced in response to DHS Appropriations
legislation (Pub. L. 110-396/Division D and Pub. L. 111-83), which
requires DHS through TSA to conduct a comprehensive risk assessment.
In order to compare the losses in the scenario with the cost of the
final rule, TSA assigns a statistical monetary value to potential
passenger, crew casualties and bystander, and also takes into account
property damage associated with the aircraft and infrastructure
involved in the attack scenario. TSA uses a Customs and Border
Protection (CBP) Value of a Statistical Life (VSL) estimate of $6.3
million \6\ to represent the amount an individual is willing to pay to
achieve a small reduction in mortality risk. In order to estimate the
value of injuries, TSA used the Department of Transportation (DOT)
published guidance \7\ for values of moderate injuries at 4.7 percent
of VSL and severe injuries at 26.6 percent of VSL. Consequently, for a
severe injury, TSA estimates a value of $1,675,800 ($6,300,000 VSL x
0.266) and for a moderate injury, TSA estimates a value of $296,100
($6,300,000 VSL x 0.047).
---------------------------------------------------------------------------

\6\ U.S. Customs and Border Protection, Report, ``Valuing
Mortality Risk Reductions in Homeland Security Regulatory
Analyses.'' Final Report, CBP, June 2008.
\7\ U.S. Department of Transportation memorandum, ``Revised
Departmental Guidance: Treatment of the Value of Preventing
Fatalities and Injuries in Preparing Economic Analyses--2011
Revision,'' July 29, 2011. Http://ostpxweb.dot.gov/policy/reports/vsl_guidance_072911.pdf.
---------------------------------------------------------------------------

The following paragraphs describe a scenario for which TSA believes
this final rule will help reduce the likelihood of occurrence and their
corresponding estimated monetary consequences. This analysis does not
consider the indirect, macroeconomic consequences these terrorist
attacks could cause. Consequently, the economic impacts of this
terrorist attack estimated for this break-even analysis is a lower-
bound estimate.
This attack scenario describes the impact of a situation where a
commercial aircraft is stolen from a repair station (with no passengers
on board) and used as a missile to attack an office building. The
scenario results in loss of life, severe and moderate injuries,
destruction of the aircraft, and damage to the building. Again, TSSRA
2.0 uses the average building size and capacity of a number of office
buildings to estimate an average building size of 49 stories with an
average of 176 people per story. TSSRA 2.0 estimates 2,992 fatalities
for this scenario. TSSRA 2.0 assumes the attacker(s) will hit the
office building approximately a third of the way down the building and
due to the size of the aircraft, it is assumed that anyone above the
impact site will die due to the inability to escape the building (17
stories x 176 people). Using the CBP VSL of $6.3 million, the monetary
estimate associated with the loss of life is $18,849.6 million (2,992 x
$6.3 million).
TSSRA 2.0 also estimates 880 severe injuries, which is equal to the
number of occupants of 5-stories of the representative office building.
TSSRA 2.0 assumes that several floors directly below the impact site
would be affected by the force of the impact and the resultant fires.
In addition, people exiting the building from these floors would be
more likely to have injuries requiring hospital treatment. Again using
the DOT guidance on the valuation of injuries, the monetary estimate
associated with severe injuries is $1,474.7 million (880 severe
injuries

[[Page 2137]]

x $1,675,800). TSSRA 2.0 estimates 2,376 moderate injuries, which is
equal to one-half of the remaining population of the representative
office building (0.5 x (8,624 - 2,992 - 880). TSSRA 2.0 assumes that at
least half of the remaining occupants not killed or severely injured
would be moderately injured due to smoke, falling debris, or the action
of evacuating the building. The monetary estimate associated with the
moderate injuries is $703.5 million (2,376 moderate injuries x
$296,100).
TSSRA 2.0 assumes this type of attack requires replacement of the
entire building. TSSRA 2.0 estimates the cost of replacement using an
average construction cost of $846.8 million for recently built large
buildings in the United States.
To estimate the value of the lost aircraft, TSA uses $22.6 million,
which is the 2009 weighted average market value of all two-engine
narrow-body and two-engine wide-body air carrier aircraft.\8\
---------------------------------------------------------------------------

\8\ Federal Aviation Administration, 2007, ``Economic Values for
FAA Investment and Regulatory Decisions, a Guide.'' Prepared by GRA,
Inc. December 31, 2004 (updated). Table 5-2. TSA calculates a
weighted average value for aircraft in rows 1 and 2. TSA converted
this weighted average aircraft value from a 2003 estimate to the
2009 equivalent weighted average value of $22.6 million using the
FAA recommended method described in the document in Section 9.6
(page 9-9), which relies on the BLS producer price index series for
civil aircraft available in the producer price index values (2003-
2009 annual values), a factor of 1.31, for commodities at http://stats.bls.gov/ppi/home.htm.
---------------------------------------------------------------------------

The total monetary valuation of the losses of life, aircraft and
buildings, and injuries represented in this scenario is $21,897.2
million ($18,849.6 million for fatalities + $1,474.7 million for severe
injuries + $703.5 million for moderate injuries + $22.6 million for
loss of aircraft + $846.8 million for replacement of the building).
In this analysis, the comparison is made between the estimated
monetary consequence of this scenario and the annualized cost of the
Aircraft Repair Station Security final rule, discounted at seven
percent ($2.3 million).\9\ The ``required risk reduction in attack
frequency'' to break even is estimated by dividing the total
consequences of a specific attack scenario by the annualized cost of
the regulation, discounted at seven percent. In order to break even,
the rule will need to reduce the existing or baseline frequency of
terrorist attack by one attack every 9,460 years for attacks of a
similar magnitude. These results are presented in table form in both
the Executive Summary and Chapter 5 of the regulatory impact analysis.
---------------------------------------------------------------------------

\9\ See the OMB No. A-4, ``Regulatory Analysis,'' Accounting
Statement in the Executive Summary in the regulatory impact
analysis. This amount is the annual payment that, if invested each
year at a 7 percent interest rate, would accrue to the cost of the
rule after a 10-year period.
---------------------------------------------------------------------------

Alternatives
As alternatives to the preferred regulatory regime presented in the
final rule, TSA examined four other options. For most regulatory
alternatives, TSA considered categorizing repair stations into three
risk tiers based on a station's location with respect to an airport and
the size of aircraft on which a repair station performs work. Tier 1,
in general, would include all repair stations located on or adjacent to
a part 1542 regulated airport (or commensurate foreign airport) and
those repair stations located on or adjacent to a GA airport (or
commensurate foreign airport) that conduct maintenance, preventive
maintenance, or alterations on aircraft or articles for aircraft with a
MTOW of more than 12,500 pounds. In Alternative 1 TSA would notify only
Tier 1 repair stations to adopt and implement a security program.
Tier 2, in general, would include repair stations located off-
airport that conducts maintenance, preventive maintenance, or
alterations on articles for aircraft with a MTOW of more than 12,500
pounds. Tier 3, in general, would include all remaining repair
stations. Under Alternative 2, TSA would notify both Tier 1 and Tier 2
repair stations to adopt and implement a security program, since these
repair stations work on aircraft or articles for aircraft with a MTOW
of more than 12,500 lbs. Tier 2 repair stations would incur most of the
requirements in the security program with which Tier 1 repair stations
must comply; however, Tier 2 would not be required to comply with
certain of the security program requirements.
The third and fourth alternatives require Security Threat
Assessments (STAs) for different subsets of repair station employees.
Alternative 2A includes an STA requirement for employees of on-airport
repair stations located within the United States in addition to the
other security requirements and associated costs of the final rule.
Alternative 2B includes STAs for employees of both Tier 1 and Tier 2
repair stations located within the United States as defined in
Alternative 2, in addition to the security requirements and associated
costs of Alternative 2. TSA would not require STAs for employees of
repair stations located outside the United States. This decision was
based upon a consideration of privacy laws in foreign countries and
TSA's determination that ICAO standards already address employee
background checks.
TSA rejects Alternative 1 and opted to remove any security program
requirements for all repair stations and only require repair stations
on or adjacent to an airport that have access to runways and
operational aircraft to implement security measures.
TSA rejects the regulatory regimes in Alternatives 2 and
Alternative 2B because repair stations in Tier 2 in these alternatives
do not have access to operational aircraft and runways. TSA is unable
to identify credible attack scenarios that could originate at off-
airport repair stations.
Alternative 2A, while offering a regulatory framework that covers
on-airport repair stations with access to runways and operational
aircraft, was rejected by TSA in favor of the final rule because TSA
does not believe that the STA requirement provides enough risk
reduction to justify the additional costs. Since TSA is unable to
perform STAs on employees at repair stations located outside the United
States, all the risk reduction yielded by this requirement would be in
domestic aviation. Therefore, Alternative 2A provides lower marginal
risk reduction per dollar of cost than the final rule. Further, the
additional costs of the STA requirement would put an undue burden on
repair stations located in the United States and disadvantage them
against foreign competitors. For these reasons, TSA decided to withhold
the STA requirement from the final rule. While TSA has retained the
requirement to verify employee background information in this final
rule, it has reduced the application of that requirement to those
individuals who are designated as the TSA point of contact and those
who have access to the keys or other means used to prevent the
unauthorized operation of large aircraft capable of flight that are
left unattended. TSA has clarified that it will accept employment
history checks or background checks conducted on individuals who have
obtained a FAA airman certificate or a SIDA badge. The following table
presents the 10-year costs of the alternatives compared to the costs of
the final rule. The alternatives costs are discussed in detail in
Chapter 3 of the regulatory impact analysis accompanying the final
rule.

[[Page 2138]]

Table 6--Comparison of Alternatives to the Proposed Final Rule Costs
[$ millions]
----------------------------------------------------------------------------------------------------------------
Discounted, 3 Discounted, 7
10-Year total costs by alternative Undiscounted percent percent
----------------------------------------------------------------------------------------------------------------
Final Rule (preferred).................................... $23.2 $19.8 $16.3
Alternative 1 (Tier 1 only)............................... 240.6 207.1 172.6
Alternative 2 (Tier 1 and Tier 2)......................... 350.6 301.6 251.3
Alternative 2A (STAs--on-airport only).................... 261.5 225.3 188.1
Alternative 2B (STAs--Tier 1 and Tier 2).................. 381.0 328.2 273.9
----------------------------------------------------------------------------------------------------------------

3. Regulatory Flexibility Act Assessment
The Regulatory Flexibility Act (RFA) of 1980 establishes ``as a
principle of regulatory issuance that agencies shall endeavor,
consistent with the objective of the rule and of applicable statutes,
to fit regulatory and informational requirements to the scale of the
business, organizations, and governmental jurisdictions subject to
regulation.'' To achieve that principle, the RFA requires agencies to
solicit and consider flexible regulatory proposals and to explain the
rationale for their actions.
Sections 603(a) and 604(a) of the Regulatory Flexibility Act
require that, when an agency issues an interim final rule or
promulgates a final rule ``after being required to publish a general
notice of proposed rulemaking,'' the agency must consider the economic
impact of the rule on small entities. The term ``small entities''
comprises small businesses, not-for-profit organizations that are
independently owned and operated and are not dominant in their fields,
and governmental jurisdictions with populations of less than 50,000.
A Final Regulatory Flexibility Analysis discussing the impact of
this final rule on small entities is available in the docket.
Based on available data, we estimate that about 44 percent of
entities directly regulated by the final rule requirements are small
under the Regulatory Flexibility Act and the SBA size standards
(compared to the 96 percent of entities affected by the NPRM
provisions). This is due to the changes in the applicability and
security requirements (detailed explanation of applicability changes on
section I. Background, of this final rule). In this final rule TSA
allows flexibility in which security measures repair stations may
select in order to prevent commandeering of an aircraft. In addition,
this flexibility allows repair stations to choose cost-effective
security measures thus mitigating concerns regarding cost burdens for
small repair stations. As long as the security requirements are met,
the repair station may implement the measures that best suit its
business model and physical layout.
TSA estimates that approximately 85 percent of small repair
stations will incur compliance costs that represent less than represent
1 percent of annual revenues and approximately 97 percent of small
repair stations will incur compliance costs that represent less than 2
percent of annual revenues.
4. International Trade Impact Assessment
The Trade Agreement Act of 1979 prohibits Federal agencies from
establishing any standards or engaging in any related activities that
create unnecessary obstacles to the foreign commerce of the United
States. Legitimate domestic objectives, such as security, are not
considered unnecessary obstacles. The statute also requires
consideration of international standards and, where appropriate, that
they be the basis for U.S. standards. This final rule does not
implicate Executive Order 13609 because neither the economic impact of
the final rule nor that imposed on repair stations located outside the
United States is ``significant'' as defined in EO 12866. Further, TSA
is imposing the same security requirements on repair stations located
outside the United States as it is imposing on those located within the
United States and is subjecting those repair stations located outside
the United States to the same standard inspection practices as are
already in place for other foreign entities regulated by TSA.
TSA considered the economic role of repair stations located outside
the United States, as well as U.S. obligations under numerous treaties.
Although some public comments suggested that TSA should focus only on
repair stations located outside the United States, treaty obligations
and the statutory language made it clear that the regulations could not
target only those repair stations. The final rule simply requires
entities located outside the United States to comply with the same
regulatory requirements applied to repair stations located within the
United States and does not create non-tariff barriers to international
trade. Because the requirements for repair stations located outside the
United States will be the same as those imposed on repair stations
located within the United States, TSA does not anticipate trade
retaliation or unnecessary obstacles to foreign trade. Any differences
that may occur can be attributed to the legitimate domestic objective
of security, which under the Trade Agreement Act of 1979 is not
considered an unnecessary obstacle.
5. Unfunded Mandates Assessment
The Unfunded Mandates Reform Act of 1995 (UMRA), Public Law 104-4,
is intended, among other things, to curb the practice of imposing
unfunded Federal mandates on State, local, and tribal governments.
Title II of the UMRA establishes requirements for Federal Agencies to
assess the effects of their regulatory actions on State, local, and
tribal governments and the private sector. Under section 202 of the
UMRA, TSA generally must prepare a written statement, including a cost-
benefit analysis, for proposed and final rules with ``Federal
mandates'' that may result in expenditures by State, local, and tribal
governments, in the aggregate, or by the private sector, of $100
million (adjusted for inflation) or more in any one year. TSA has
determined that this rule does not impose a Federal mandate that may
exceed $100 million in expenditures of State, local, or tribal
governments in the aggregate, nor does the final rule impose a $100
million mandate on the private sector. Therefore, the final rule does
not contain such a mandate and the requirements of Title II do not
apply.

C. Paperwork Reduction Act

The Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq.)
requires that TSA consider the impact of paperwork and other
information collection burdens imposed on the public and, under the
provisions of PRA section 3507(d), obtain approval from the Office of
Management and Budget (OMB) for each collection of information it
conducts, sponsors, or

[[Page 2139]]

requires through regulations. This rule contains the following new
information collection requirements. Accordingly, TSA submitted a copy
of these sections to OMB for its review. OMB approved the collection of
this information and assigned OMB Control Number 1652-0060.
The regulations apply to repair stations certificated by the FAA
under 14 CFR part 145, except repair stations located on a U.S. or
foreign government military base. All such repair stations must allow
TSA and other authorized DHS officials to enter, conduct inspections,
and view and copy records as needed to carry out TSA's security-related
statutory and regulatory responsibilities. All such repair stations
must comply with Security Directives if issued by TSA which could
include requirements to maintain records or provide information to TSA.
The security measures in this rule cover repair stations that are
on or adjacent to certain airports. TSA will consider a repair station
to be ``on airport'' if it is on an air operations area or security
identification display area of an airport covered by an airport
security program under 49 CFR part 1542 in the United States, or on the
security restricted area of any commensurate airport outside the United
States regulated by a government entity. TSA will consider a repair
station to be adjacent to an airport if there is an access point
between the repair station and the airport of sufficient size to allow
the movement of large aircraft between the repair station and the area
described as ``on airport.'' \10\ The repair stations, as described
above, are required to designate a point of contact(s) to carry out
specified responsibilities; and verify background information of those
individuals who are designated as the TSA point(s) of contact and those
who have access to any keys or other means used to prevent the
unauthorized operation of large aircraft capable of flight that are
left unattended.
---------------------------------------------------------------------------

\10\ Large aircraft are defined as aircraft with a maximum
certificated take-off weight of more than 12,500 pounds.
---------------------------------------------------------------------------

The regulations also describe the process whereby TSA will notify
the repair station and the FAA of a security deficiency identified by
TSA and provide an opportunity for the repair station to obtain review
of a determination by TSA to suspend its operating certification. The
regulations specify that when TSA determines a repair station poses an
immediate risk to security, TSA will notify the repair station and the
FAA that the certificate must be revoked. The regulations also provide
the process for the repair station to obtain review of such a
determination.
In order to comply with the regulations, repair stations outside of
the United States, will be responsible for maintaining updated
employment history records to demonstrate compliance with this final
rule. These records must be made available to TSA upon request. Repair
stations located within the United States will be able to use security
threat assessments that have been obtained for other reasons to comply
with this rule.
TSA is required to conduct a security review and audit of the
repair stations located outside the United States See 49 U.S.C.
44924(a). TSA will conduct a paper audit of all 707 repair stations
that are located outside the United States. The paper audit will
consist of a letter describing the rule and the repair station will be
required to respond to four questions to verify whether the repair
station is required to implement security measures. Based upon subject
matter expert (SME) best estimates, the paper audit is expected to take
one hour for a repair station employee, assumed to be the point of
contact, to complete. Seventy-eight repair stations located outside the
United States meet the definition of on or adjacent to an airport and
will undergo an annual desk audit in which the repair station will be
asked to describe how it is complying with the rule. Each desk audit is
estimated to require one hour for the repair station to read the letter
sent by TSA and respond.
The likely respondents to this information collection are the
owners and/or operators of repair stations certificated by the FAA
under 14 CFR part 145, which is estimated to number approximately 1,158
unique respondents over the next three years (451 repair stations
located within the United States and 707 repair stations located
outside the United States).
The average yearly burden for recordkeeping is estimated to be 2
hours for repair stations located outside the United States. The
average yearly burden for suspension and revocation appeals is
estimated to be 10 hours for repair stations located within the United
States and 100 hours for repair stations located outside the United
States. The average yearly burden for paper audits is estimated to be
236 hours for repair stations located outside the United States. The
average yearly burden for desk audits is estimated to be 80 hours for
repair stations located outside the United States. Therefore, the total
average annual time burden estimate is approximately 428 hours. The
following table shows the information collections and corresponding
hour burdens for entities falling under the requirements of the final
rule.

Table 7--Collection and Hour Burdens for Entities Within and Outside the United States
--------------------------------------------------------------------------------------------------------------------------------------------------------
Number of responses Average
------------------------------------------------ 3-Year time annual
Collection Time per response burden time
Year 1 Year 2 Year 3 burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
Recordkeeping Continuous as needed
------------------------------------------------------------------------------------------------------------
On-Airport RS outside the United States 0.025 hours.................... 227 5 5 6.0 2.0
------------------------------------------------------------------------------------------------------------
Suspension/Revocation Appeals As needed
------------------------------------------------------------------------------------------------------------
On-Airport RS within the United States. 10 hours....................... 1 1 1 30 10
On-Airport RS outside the United States 12 hours....................... 8 8 9 300 100
------------------------------------------------------------------------------------------------------------
Paper Audits One-Time
------------------------------------------------------------------------------------------------------------
On-Airport RS outside the United States 1 hour......................... 707 0 0 707 236
------------------------------------------------------------------------------------------------------------

[[Page 2140]]

Desk Audits Annual
------------------------------------------------------------------------------------------------------------
On-Airport RS outside the United States 1 hour......................... 78 80 82 240 80
---------------------------------------------------------------------------
Total Burden (responses)........... ............................... .............. .............. .............. 1,212 404
---------------------------------------------------------------------------
Total Burden (hours)............... ............................... .............. .............. .............. 1,283 428
--------------------------------------------------------------------------------------------------------------------------------------------------------

While comments were received on the issues discussed above in
Section II, there were no comments received on the information
collection burden estimates contained in the NPRM.
As protection provided by the PRA, as amended, an agency may not
conduct or sponsor, and a person is not required to respond to, a
collection of information unless it displays a currently valid OMB
control number.

D. Executive Order 13132 on Federalism

TSA has analyzed this final rule under the principles and criteria
of E.O. 13132 on Federalism. We determined that this action will not
have a substantial direct effect on the States, or the relationship
between the National Government and the States, or on the distribution
of power and responsibilities among the various levels of government,
and, therefore, does not have federalism implications.

E. Environmental Analysis

TSA has reviewed this action under DHS Management Directive 5100.1,
Environmental Planning Program (effective April 19, 2006), which guides
TSA compliance with the National Environmental Policy Act of 1969
(NEPA) (42 U.S.C. 4321-4347). TSA has determined that this proposal is
covered by the following categorical exclusions (CATEX) listed in the
DHS directive: Number A3(a) (administrative and regulatory activities
involving the promulgation of rules and the development of policies);
paragraph A4 (information gathering and data analysis); paragraph A7(d)
(conducting audits, surveys, and data collection of a minimally
intrusive nature, to include vulnerability, risk, and structural
integrity assessments of infrastructures); paragraph B3 (proposed
activities and operations to be conducted in existing structures that
are compatible with ongoing functions); paragraph B11 (routine
monitoring and surveillance activities that support homeland security,
such as patrols, investigations, and intelligence gathering), and H1
(approval or disapproval of security plans required under legislative
mandates where such plans do not have a significant effect on the
environment). In addition, TSA has determined that this proposal meets
the three conditions required for a CATEX to apply, as described in
paragraph 3.2, (Conditions and Extraordinary Circumstances).

F. Energy Impact Analysis

The energy impact of the action has been assessed in accordance
with the Energy Policy and Conservation Act (EPCA), Public Law 94-163,
as amended (42 U.S.C. 6362). We have determined that this rulemaking is
not a major regulatory action under the provisions of the EPCA.

List of Subjects in 49 CFR Part 1554

Aircraft, Aviation safety, Repair stations, Reporting and
recordkeeping requirements, Security measures.

The Amendments

In consideration of the foregoing, the Transportation Security
Administration amends Chapter XII of Title 49, Code of Federal
Regulations, by adding a new part 1554 to subchapter C to read as
follows:

PART 1554--AIRCRAFT REPAIR STATION SECURITY

Subpart A--General
Sec.
1554.1 Scope.
1554.3 TSA inspection authority.
Subpart B--Security Measures
1554.101 Security Measures.
1554.103 Security Directives.
Subpart C--Compliance and Enforcement
1554.201 Notification of security deficiencies; suspension of
certificate and review process.
1554.203 Immediate risk to security; revocation of certificate and
review process.
1554.205 Nondisclosure of certain information.

Authority: 49 U.S.C. 114, 40113, 44903, 44924.

Subpart A--General

Sec. 1554.1 Scope.

(a) This part applies to repair stations that are certificated by
the Federal Aviation Administration (FAA) pursuant to 14 CFR part 145,
except for a part 145 certificated repair station located on a U.S. or
foreign government military installation.
(b) In addition to the terms in 49 CFR 1500.3 and 1540.5, for
purposes of this part, ``large aircraft'' means any aircraft with a
maximum certificated takeoff weight of more than 12,500 pounds and
``attended'' aircraft means an aircraft to which access is limited to
authorized individuals and property.

Sec. 1554.3 TSA inspection authority.

(a) General. Each repair station must allow TSA and other
authorized DHS officials, at any time and in a reasonable manner,
without advance notice, to enter, conduct any audits, assessments, or
inspections of any property, facilities, equipment, and operations; and
to view, inspect, and copy records as necessary to carry out TSA's
security-related statutory or regulatory authorities, including its
authority to--
(1) Assess threats to transportation security;
(2) Enforce security-related regulations, directives, and
requirements;
(3) Inspect, assess, and audit security facilities, equipment, and
systems
(4) Ensure the adequacy of security measures;
(5) Verify the implementation of security measures;
(6) Review security plans; and
(7) Carry out such other duties, and exercise such other powers,
relating to transportation security as the TSA Administrator considers
appropriate, to the extent authorized by law.
(b) Evidence of compliance. At the request of TSA, each repair
station must provide evidence of compliance with this part, including
copies of records required by this part.

[[Page 2141]]

(1) All records required under this part must be provided in
English upon TSA's request.
(2) All responses and submissions provided to TSA or its designee,
pursuant to this part, must be in English, unless otherwise requested
by TSA.
(c) Access to repair station. (1) TSA and DHS officials working
with TSA may enter, and be present within any area without access media
or identification media issued or approved by the repair station in
order to inspect, assess, or perform any other such duties as TSA may
direct.
(2) Repair stations may request TSA inspectors and DHS officials
working with TSA to present their credentials for examination, but the
credentials may not be photocopied or otherwise reproduced.

Subpart B--Security Measures

Sec. 1554.101 Security Measures.

(a) Applicability of this section. This section applies to part 145
certificated repair stations located--
(1) On airport. On an air operations area or security
identification display area of an airport covered by an airport
security program under 49 CFR part 1542 in the United States, or on the
security restricted area of any commensurate airport outside the United
States regulated by a government entity; or
(2) Adjacent to an airport. Adjacent to an area of the airport
described in paragraph (a)(1) of this section if there is an access
point between the repair station and the airport of sufficient size to
allow the movement of large aircraft between the repair station and the
area described in paragraph (a)(1) of this section.
(b) Security Measures. Each repair station described in paragraph
(a) of this section must carry out the following measures:
(1) Provide TSA with the name and means of contact on a 24-hour
basis of a person or persons designated by the repair station with
responsibility for--
(i) Compliance with the regulations in this part;
(ii) Serving as the primary point(s) of contact for security-
related activities and communications with TSA;
(iii) Maintaining a record of all employees responsible for
controlling keys or other means used to control access to aircraft
described in paragraph (b)(2) of this section; and
(iv) Maintaining all records necessary to comply with paragraph
(b)(3) of this section.
(2) When not attended, prevent the unauthorized operation of all
large aircraft capable of flight, by using one or more of the means
listed in paragraphs (b)(2)(i) through (iv) of this section. In these
examples, a key, if used, must only be available to an individual
authorized by the repair station who has successfully undergone a check
as described in paragraph (b)(3) of this section.
(i) Block the path of the aircraft such that it cannot be moved,
and control the vehicle key if a vehicle is used to block the path.
(ii) Park the aircraft in a locked hangar and control the key to
the hangar.
(iii) Move stairs away from the aircraft and shut and, if feasible,
lock all cabin and/or cargo doors, and control the key.
(iv) Other means approved in writing by TSA.
(3) Verify background information of those individuals who are
designated as the TSA point(s) of contact and those who have access to
any keys or other means used to prevent the operation of large aircraft
described in paragraph (b)(2) of this section by one or more of the
following means:
(i) Verify an employee's employment history. The repair station
obtains the employee's employment history for the most recent five year
period or the time period since the employee's 18th birthday, whichever
period is shorter. The repair station verifies the employee's
employment history for the most recent 5-year period via telephone,
email, or in writing. If the information is verified telephonically,
the repair station must record the date of the communication and with
whom the information was verified. If there is a gap in employment of
six months or longer, without a satisfactory explanation of the gap,
employment history is not verified. The repair station must retain
employment history verification records for at least 180 days after the
individual's employment ends. The repair station must maintain these
records electronically or in hardcopy, and provide them to TSA upon
request.
(ii) Confirm an employee holds an airman certificate issued by the
Federal Aviation Administration.
(iii) Confirm an employee of a repair station located within the
United States has obtained a security threat assessment or comparable
security threat assessment pursuant to part 1540, subpart C of this
chapter, such as by holding a SIDA identification media issued by an
airport operator that holds a complete program under 49 CFR part 1542.
(iv) Confirm an employee of a repair station located outside the
United States has successfully completed a security threat assessment
commensurate to a security threat assessment described in part 1540,
subpart C of this chapter.
(v) Other means approved in writing by TSA.

Sec. 1554.103 Security Directives.

(a) General. When TSA determines that additional security measures
are necessary to respond to a threat assessment or to a specific threat
against civil aviation, TSA issues a Security Directive setting forth
mandatory measures.
(b) Compliance. Each repair station must comply with each Security
Directive TSA issues to the repair station within the time prescribed.
Each repair station that receives a Security Directive must--
(1) Acknowledge receipt of the Security Directive as directed by
TSA;
(2) Specify the method by which security measures have been or will
be implemented to meet the effective date; and
(3) Notify TSA to obtain approval of alternative measures if the
repair station is unable to implement the measures in the Security
Directive.
(c) Availability. Each repair station that receives a Security
Directive and each person who receives information from a Security
Directive must--
(1) Restrict the availability of the Security Directive and the
information contained in the document to persons who have an
operational need to know; and
(2) Refuse to release the Security Directive or the information
contained in the document to persons other than those who have an
operational need to know without the prior written consent of TSA.
(d) Comments. Each repair station that receives a Security
Directive may comment on the Security Directive by submitting data,
views, or arguments in writing to TSA. TSA may amend the Security
Directive based on comments received. Submission of a comment does not
delay the effective date of the Security Directive.

Subpart C--Compliance and Enforcement

Sec. 1554.201 Notification of security deficiencies; suspension of
certificate and review process.

(a) General. A repair station may be subject to suspension of its
FAA certificate, if security deficiencies are identified and are not
corrected.
(b) Notice of security deficiencies. TSA provides written
notification to a repair station and to the FAA of any security
deficiency identified by TSA.
(c) Response. A repair station must provide TSA with a written
explanation

[[Page 2142]]

in English of all efforts, methods, and procedures used to correct the
security deficiencies identified by TSA within 45 calendar days of
receipt of the written notification described in paragraph (b) of this
section.
(d) Suspension of certificate. If the repair station does not
correct security deficiencies within 90 calendar days of the repair
station's receipt of the written notice of security deficiencies, or if
TSA determines that the security deficiencies have not been addressed
sufficiently to comply with this section, the TSA designated official
will provide written notification to the repair station and to the FAA
that the repair station's certificate must be suspended. The
notification will include an explanation of the basis for the
suspension. The suspension remains in effect until TSA determines that
the security deficiencies have been corrected.
(e) Petition for reconsideration. The repair station may petition
TSA to reconsider its determination under paragraph (d) of this section
by serving a petition for reconsideration no later than 20 calendar
days after the repair station receives the notification. The repair
station must serve the petition on the TSA designated official.
Submission of a petition for reconsideration will not automatically
stay the suspension. The repair station may request TSA to notify the
FAA to stay the suspension pending review of and decision on the
petition. The petition must be in writing, in English, signed by the
repair station operator or owner, and include--
(1) A statement that reconsideration is requested; and
(2) A response to the suspension, including any information TSA
should consider in reviewing the suspension.
(f) Review by the TSA designated official. The TSA designated
official will consider all relevant material and information and will
act on the petition no later than 15 calendar days after TSA receives
the petition. The TSA designated official will either notify the repair
station and the FAA that the suspension be withdrawn or affirm the
suspension. The decision of the TSA designated official constitutes a
final agency order subject to judicial review in accordance with 49
U.S.C. 46110.
(g) Service of documents. Service may be accomplished by personal
delivery, certified mail, or express courier. Documents served on a
repair station will be served at its official place of business.
Documents served on TSA must be served at the address contained in the
written notice of suspension.
(1) A certificate of service may be attached to a document tendered
for filing. A certificate of service must consist of a statement, dated
and signed by the person filing the document, that the document was
personally delivered, served by certified mail on a specific date, or
served by express courier on a specific date.
(2) The date of service is--
(i) The date of personal delivery;
(ii) If served by certified mail, the mailing date shown on the
certificate of service, the date shown on the postmark if there is no
certificate of service, or other mailing date shown by other evidence
if there is no certificate of service or postmark; or
(iii) If served by express courier, the service date shown on the
certificate of service, or by other evidence if there is no certificate
of service.
(h) Extension of time. TSA may grant an extension of time to the
limits set forth in this section for good cause shown. A repair station
must request an extension of time in writing, and TSA must receive it
at least two days before the due date in order to be considered. TSA
may grant itself an extension of time for good cause.

Sec. 1554.203 Immediate risk to security; revocation of certificate
and review process.

(a) Notice. The TSA designated official will determine whether any
repair station poses an immediate risk to security. If such a
determination is made, TSA will provide written notification of its
determination to the repair station and to the FAA that the certificate
must be revoked. The notification will include an explanation of the
basis for the revocation. TSA does not include classified information
or other information described in Sec. 1554.205.
(b) Petition for reconsideration. The repair station may petition
TSA to reconsider its determination by serving a petition for
reconsideration no later than 20 calendar days after the repair station
receives the notification. The repair station must serve the petition
on the TSA designated official. Submission of a petition for
reconsideration will not automatically stay the revocation. The repair
station may request TSA to notify FAA to stay the revocation pending
review of and decision on the petition. The petition must be in
writing, in English, signed by the repair station operator or owner,
and include--
(1) A statement that a review is requested; and
(2) A response to the determination of immediate risk to security,
including any information TSA should consider in reviewing the basis
for the determination.
(c) Review by the Administrator. The TSA designated official
transmits the petition together with all relevant information to the
Administrator for reconsideration. The Administrator will act on the
petition within 15 calendar days of receipt by either directing the TSA
designated official to notify FAA and the repair station that the
determination is rescinded and the certificate may be reinstated or by
affirming the determination. The decision by the Administrator
constitutes a final agency order subject to judicial review in
accordance with 49 U.S.C. 46110.
(d) Service of documents. Service may be accomplished by personal
delivery, certified mail, or express courier. Documents served on a
repair station will be served at its official place of business.
Documents served on TSA must be served at the address contained in the
written notice of revocation.
(1) A certificate of service may be attached to a document tendered
for filing. A certificate of service must consist of a statement, dated
and signed by the person filing the document, that the document was
personally delivered, served by certified mail on a specific date, or
served by express courier on a specific date.
(2) The date of service is--
(i) The date of personal delivery;
(ii) If served by certified mail, the mailing date shown on the
certificate of service, the date shown on the postmark if there is no
certificate of service, or other mailing date shown by other evidence
if there is no certificate of service or postmark; or
(iii) If served by express courier, the service date shown on the
certificate of service, or by other evidence if there is no certificate
of service.
(e) Extension of time. TSA may grant an extension of time to the
limits set forth in this section for good cause shown. A repair station
must request an extension of time in writing, and TSA must receive it
at least two days before the due date in order to be considered. TSA
may grant itself an extension of time for good cause.

Sec. 1554.205 Nondisclosure of certain information.

In connection with the procedures under this subpart, TSA does not
disclose classified information, as defined in Executive Order 12968,
section 1.1(d), or any successor order, and TSA reserves the right not
to disclose any other information or material not warranting disclosure
or protected from disclosure under law or regulation.

[[Page 2143]]

Dated: January 7, 2014.
John S. Pistole,
Administrator.
[FR Doc. 2014-00415 Filed 1-10-14; 8:45 am]
BILLING CODE 9110-05-P