Aircraft Repair Station Security, 2119-2143 [2014-00415]
Download as PDFAgencies
[Federal Register Volume 79, Number 8 (Monday, January 13, 2014)] [Rules and Regulations] [Pages 2119-2143] From the Federal Register Online via the Government Printing Office [www.gpo.gov] [FR Doc No: 2014-00415] ----------------------------------------------------------------------- DEPARTMENT OF HOMELAND SECURITY Transportation Security Administration 49 CFR Part 1554 [Docket No. TSA-2004-17131 RIN 1652-AA38 Aircraft Repair Station Security AGENCY: Transportation Security Administration (TSA), Department of Homeland Security (DHS). ACTION: Final rule. ----------------------------------------------------------------------- SUMMARY: The Transportation Security Administration (TSA) is issuing regulations to improve the security of domestic and foreign aircraft repair stations as required by the Vision 100--Century of Aviation Reauthorization Act. The regulations codify the scope of TSA's existing inspection authority and require repair stations certificated by the Federal Aviation Administration (FAA) under 14 CFR part 145 to allow TSA and Department of Homeland Security (DHS) officials to enter, conduct inspections, and view and copy records as needed to carry out TSA's security-related statutory and regulatory responsibilities. The regulations also require these repair stations to comply with security directives when issued by TSA. The regulations also require certain repair stations to implement a limited number of security measures. The regulations establish procedures for TSA to notify repair stations of any deficiencies with their security measures and to determine whether a particular repair station presents an immediate risk to security. The regulations include a process whereby a repair station may seek review of a determination by TSA that the station has not adequately addressed security deficiencies or that the repair station poses an immediate risk to security. DATES: Effective February 27, 2014. FOR FURTHER INFORMATION CONTACT: Shawn Gallagher, Office of Security Operations, TSA-29, Transportation Security Administration, 601 South 12th Street, Arlington, VA 20598-6029; telephone (571) 227-3378; facsimile (571) 603-4344; email ARS@tsa.dhs.gov. SUPPLEMENTARY INFORMATION: Availability of Rulemaking Document You can get an electronic copy using the Internet by-- (1) Searching the electronic Federal Docket Management System (FDMS) Web page at https://www.regulations.gov; (2) Accessing the Government Printing Office's Web page at https://www.gpo.gov/fdsys/browse/collection.action?collectionCode=FR to view the daily published Federal Register edition; or accessing the ``Search the Federal Register by Citation'' in the ``Related Resources'' column on the left, if you need to do a Simple or Advanced search for information, such as a type of document that crosses multiple agencies or dates; or (3) Visiting TSA's Security Regulations Web page at https://www.tsa.gov and accessing the link for ``Research Center'' at the top of the page. In addition, copies are available by writing or calling the individual in the FOR FURTHER INFORMATION CONTACT section. Make sure to identify the docket number of this rulemaking. Small Entity Inquiries The Small Business Regulatory Enforcement Fairness Act (SBREFA) of 1996 requires TSA to comply with small entity requests for information and advice about compliance with statutes and regulations within TSA's jurisdiction. Any small entity that has a question regarding this document may contact the person listed in FOR FURTHER INFORMATION CONTACT. Persons can obtain further information regarding SBREFA on the U.S. Small Business Administration's (SBA) Web page at https://www.sba.gov/advo/laws/law_lib.html. Abbreviations and Terms Used in This Document AOA Air Operations Area CFR Code of Federal Regulations DHS Department of Homeland Security EA Emergency Amendment E.O. Executive Order EPCA Energy Policy and Conservation Act EU European Union FAA Federal Aviation Administration FR Federal Register FRFA Final Regulatory Flexibility Analysis GA General Aviation ICAO International Civil Aviation Organization IRFA Initial Regulatory Flexibility Analysis MTOW Maximum Certificated Take-off Weight NAICS North American Industry Classification System NEPA National Environmental Policy Act of 1969 NPRM Notice of Proposed Rulemaking NTSB National Transportation Safety Board OMB Office of Management and Budget PRA Paperwork Reduction Act of 1995 RFA Regulatory Flexibility Act of 1980 SBA United States Small Business Administration SBREFA Small Business Regulatory Enforcement Fairness Act of 1996 SD Security Directive SIDA Security Identification Display Area SSI Sensitive Security Information TSA Transportation Security Administration U.S. United States of America U.S.C. United States Code Table of Contents I. Background A. Summary of the Rule B. Purpose of the Rule C. Costs and Benefits D. Changes From the NPRM II. Public Comments on the NPRM and TSA Responses A. Summary B. Need for Security Regulations C. Relationship to FAA Regulations D. ``One Size Fits All'' Approach to Security E. Relationship to Foreign Laws and Standards F. Application to Domestic Repair Stations G. Exemptions for Certain Types of Repair Stations H. Protection of Sensitive Security Information I. Scope of the Final Rule J. Terms Used in the Final Rule [[Page 2120]] K. TSA Inspection Authority L. Security Program Adoption and Implementation M. Security Directives N. Suspension and Revocation of Certificates O. Nondisclosure of Certain Information P. Other Comments on the Rulemaking Q. Implementation Issues R. Comments From the Small Business Administration S. Comments on the Regulatory Impact Assessment III. Rulemaking Analyses and Notices A. International Compatibility B. Economic Impact Analyses 1. Regulatory Impact Analysis Summary 2. Executive Orders 12866 and 13563 Assessments 3. Regulatory Flexibility Act Assessment 4. International Trade Impact Assessment 5. Unfunded Mandates Reform Act Assessment C. Paperwork Reduction Act D. Executive Order 13132, Federalism E. Environmental Analysis F. Energy Impact Analysis I. Background A. Summary of the Rule TSA is issuing regulations to improve security at repair stations located within and outside the United States as required by Vision 100- Century of Aviation Reauthorization Act, Public Law 108-176 (117 Stat. 2489, December 12, 2003), codified at 49 U.S.C. 44924 (Vision 100).\1\ The statutory requirements of Vision 100 are discussed in the preamble of the Notice of Proposed Rulemaking (NPRM) published in the Federal Register on November 18, 2009. See 74 FR 59874, 59875. There are approximately a total of 4,067 repair stations located in the United States and 707 located outside the United States certificated by FAA under part 145 as of August 2013.\2\ The final rule contains the following requirements: --------------------------------------------------------------------------- \1\ While Vision 100 refers to foreign and domestic repair stations, TSA is adopting FAA terminology to refer to repair stations located ``within'' or ``outside'' the United States. \2\ Data taken from the FAA Safety Performance Analysis System (SPAS) database, August 2013. ---------------------------------------------------------------------------Application. The regulations apply to repair stations certificated by the FAA under 14 CFR part 145, except repair stations located on a U.S. or foreign government military base. All repair stations are subject to inspection as provided in the rule and to Security Directives should there be a security need. However, the rule text requires only certain repair stations, discussed below, to carry out security measures on a regular basis. TSA Inspection Authority. Repair stations must allow TSA and other authorized DHS officials to enter, conduct inspections, and view and copy records as needed to carry out TSA's security-related statutory and regulatory responsibilities. For repair stations not required to carry out security measures on a regular basis (i.e., those repair stations not located on or adjacent to an airport, as further defined below), TSA does not intend to inspect such facilities, except (1) for compliance with security directives issued by TSA and with airport security programs required by TSA (for those repair stations that are included in an airport security program), and (2) to respond to security information provided to TSA by U.S. or foreign government entities. Implementation of Security Measures. The security measures in this rule cover repair stations that are on or adjacent to certain airports. TSA will consider a repair station to be ``on airport'' if it is on an air operations area (AOA) or security identification display area (SIDA) of an airport covered by an airport security program under 49 CFR part 1542 in the United States, or on the security restricted area any commensurate airport outside the United States regulated by a government entity. TSA will consider a repair station to be adjacent to an airport if there is an access point between the repair station and the airport of sufficient size to allow the movement of large aircraft between the repair station and the area described as ``on airport.'' \3\ --------------------------------------------------------------------------- \3\ Large aircraft are defined as aircraft with a maximum certificated take-off weight of more than 12,500 pounds. --------------------------------------------------------------------------- Security Measures. Certain repair stations, as described above, are required to (1) designate a point of contact(s) to carry out specified responsibilities; (2) prevent the unauthorized operation of large aircraft capable of flight that are left unattended; and (3) verify background information of those individuals who are designated as the TSA point(s) of contact and those who have access to any keys or other means used to prevent the unauthorized operation of large aircraft capable of flight that are left unattended. See section 1554.101. Security Directives. Repair stations are required to comply with Security Directives (SDs) issued by TSA. See section 1554.103. Notification of Deficiencies; Suspension of Certificate and Review Process. The regulations describe the process whereby TSA will notify the repair station and the FAA of a security deficiency identified by TSA and provide an opportunity for the repair station to obtain review of a determination by TSA to suspend its operating certification. Immediate Risk to Security; Revocation of Certificate and Review Process. The regulations specify that when TSA determines a repair station poses an immediate risk to security, TSA will notify the repair station and the FAA that the certificate must be revoked. The regulations also provide the process for the repair station to obtain review of such a determination. B. Purpose of the Rule While the FAA has implemented extensive safety requirements for repair stations located within and outside the United States, supplementing those safety provisions with the security requirements contained in the final rule will further reduce the likelihood that terrorists would be able to use large aircraft as a weapon. As terrorist organizations continue to target civil aviation, TSA believes it is important for aircraft repair stations that are located on or adjacent to an airport to have specific security measures in place to prevent terrorists from commandeering large aircraft that are capable of flight and are not attended. Enhancement of security at repair stations that have access to runways will mitigate the potential threat that a large aircraft could be used as a weapon. In developing this rule, TSA consulted with the FAA and built upon the certification and safety requirements FAA has instituted requiring repair stations to establish and maintain a quality control system. See 14 CFR 145.211. While these quality control measures provide a significant layer of protection and oversight of articles and aircraft under repair, this final rule supplements those measures by requiring repair stations that are located on or adjacent to an airport, as defined in the final rule, to implement security measures to prevent the unauthorized operation of large aircraft capable of flight left unattended. C. Costs and Benefits In accordance with Executive Orders (E.O.) 12866 and 13563, TSA includes in this preamble a summary of the costs and benefits associated with the Aircraft Repair Station Security final rule. The table below summarizes the costs and benefits of the final rule to U.S. and foreign entities. A detailed estimate of these costs and benefits can be found in the regulatory impact analysis accompanying this final rule; the [[Page 2121]] regulatory impact analysis is available in the docket. -------------------------------------------------------------------------------------------------------------------------------------------------------- Estimates Units --------------------------------------------------------------------------------------------------- Category Primary Discount rate Notes estimate Low estimate High estimate Year dollar (percent) Period covered -------------------------------------------------------------------------------------------------------------------------------------------------------- Benefits -------------------------------------------------------------------------------------------------------------------------------------------------------- Annualized Monetized None........... None........... None.......... NA............ 7.............. NA............ Not Quantified. ($millions/year). None........... None........... None.......... NA............ 3.............. NA............ Annualized Quantified......... None........... None........... None.......... NA............ 7.............. NA............ Not Quantified. None........... None........... None.......... NA............ 3.............. NA............ --------------------------------------------------------------------------------------------------- Qualitative................... This final rule satisfies the Congressional mandate in Vision 100 for TSA to promulgate regulations to better ensure the security of aircraft repair stations. The security measures required by this final rule will better secure the aircraft on repair stations located on or adjacent to an airport and working on aircraft with a MTOW of more than 12,500 lbs. and mitigate the risk of a terrorist attack originating at these aircraft repair stations -------------------------------------------------------------------------------------------------------------------------------------------------------- Costs -------------------------------------------------------------------------------------------------------------------------------------------------------- Annualized Monetized ($/year). $2,314,614..... N/A............ N/A........... 2012.......... 7.............. 10 Years...... None. $2,318,596..... N/A............ N/A........... 2012.......... 3.............. 10 Years...... Annualized Quantified......... None........... None........... None.......... 2012.......... 7.............. 10 Years...... None. None........... None........... None.......... 2012.......... 3.............. 10 Years...... --------------------------------------------------------------------------------------------------- Qualitative................... -------------------------------------------------------------------------------------------------------------------------------------------------------- Transfers -------------------------------------------------------------------------------------------------------------------------------------------------------- Federal Annualized Monetized None........... None........... None.......... NA............ 7.............. NA............ None. ($year). None........... None........... None.......... NA............ 3.............. NA............ -------------------------------------------------------------------------------------------------------------------------------------------------------- From/To From: To: -------------------------------------------------------------------------------------------------------------------------------------------------------- Other Annualized Monetized None........... None........... None.......... NA............ 7.............. NA............ None. ($year). None........... None........... None.......... NA............ 3.............. NA............ -------------------------------------------------------------------------------------------------------------------------------------------------------- From/To From: To: -------------------------------------------------------------------------------------------------------------------------------------------------------- Effects -------------------------------------------------------------------------------------------------------------------------------------------------------- State, Local, and/or Tribal None........... None........... None.......... N/A........... NA............. NA............ None. Government. -------------------------------------------------- Small Business................ Prepared FRFA NA............ NA............. NA............ None. -------------------------------------------------- Wages......................... None. -------------------------------------------------- Growth........................ Not Measured. -------------------------------------------------------------------------------------------------------------------------------------------------------- D. Changes From the NPRM TSA adopts as final the proposed rule with changes based primarily on the public comments received. This section summarizes the regulatory text changes that TSA has made to the NPRM in this final rule. A detailed description of the responses to the public comments is included in Section II. 1. Part 1520 TSA eliminated the amendments to part 1520 of its rules because it has eliminated the proposed requirement to adopt and implement a security program. 2. Scope and Purpose TSA modified the language in Sec. 1554.1 to eliminate the reference to ``U.S. government'' and inserted ``a U.S. or foreign government military installation'' in its place to respond to questions raised in some comments. This change will eliminate from the scope of the final rule FAA part 145-certificated repair stations located on a military base, whether within or outside the United States. The change clarifies TSA's intention not to exclude from the scope of the final rule those repair stations that are subject to government regulation. 3. Terms Commenting parties noted that TSA used different terms than the FAA to describe repair stations and repair work and found that the different terms were confusing. TSA eliminated the terms section to avoid confusion. TSA also eliminated the terms ``foreign repair station'' and ``domestic repair station'' from the final rule and uses the terms ``repair station located within the United States'' and ``repair station located outside the United States'' to be consistent with FAA part 145 regulations. [[Page 2122]] 4. Security Program Adoption and Implementation In response to commenters who requested exemptions from the proposed requirement to adopt and carry out a security program, TSA has eliminated the requirement to adopt and implement a security program. As will be explained below, TSA will only require certain repair stations located on or adjacent to an airport to adopt and carry out security measures to prevent the unauthorized operation of large aircraft capable of flight that are left unattended. TSA has conducted a security risk assessment and determined that other repair stations represent a minimal risk to aviation security. TSA has eliminated all security measures regarding preventing access to repair stations. This change will reduce the regulatory requirements and the costs of implementation. While TSA has retained the requirement to verify employee background information, it has reduced the application of that requirement to those individuals who are designated as the TSA point of contact and those who have access to the keys or other means used to prevent the unauthorized operation of large aircraft capable of flight that are left unattended. TSA has clarified that it will accept employment history checks or background checks conducted on individuals who have obtained a FAA airman certificate or a SIDA badge. All proposed regulations regarding the content, format and availability of a security program have been eliminated in the final rule. 5. Profile Information TSA has eliminated the requirement proposed in Sec. 1554.101(b) for repair stations to submit profile information to TSA. TSA will use information available from the FAA. 6. Security Directives TSA has added language to permit repair stations to comment upon a security directive issued by TSA. This language is consistent with the regulatory language used for airport operators and aircraft operators under 49 CFR 1542.303(e) and 1544.305(e). 7. Compliance and Enforcement In response to comments, TSA has clarified the process in part 1554, subpart C, which a repair station may use to seek review of a TSA determination that a certificate must be suspended or revoked. II. Public Comments on the NPRM and TSA Responses A. Summary TSA received 177 public submissions. Sixty-seven submissions were from repair station owner/operators. Other commenters included private individuals, industry associations, labor unions, foreign governments, airport owner/operators, domestic and foreign aircraft operators, State agencies, and the Small Business Administration (SBA). The discussion below groups the comments by the primary issues raised in the public submissions. B. Need for Security Regulations Comments: Thirty-three commenters said the proposed rule is unnecessary because repair stations already have adequate security or are already sufficiently regulated. Ten of these commenters cited procedures and controls already in place to safeguard security, such as quality controls, employee background checks, access controls, and general safety procedures already approved by the FAA. Seven commenters said the proposed regulations added a duplicate layer of security already provided by other TSA requirements described in current TSA security programs or SDs. A few commenters said that TSA should not regulate repair stations if they are part of an airline that already has an air carrier security program. TSA response: Vision 100 requires TSA to issue regulations ``to ensure the security of foreign and domestic repair stations.'' 49 U.S.C. 44924(f). TSA believes that the security regulations described in the final rule will reduce the likelihood that a terrorist could commandeer a large aircraft capable of flight and use it as a weapon. The final rule supplements the safety requirements imposed by the FAA, but does not duplicate FAA regulations. TSA disagrees with those comments that claim the final rule will duplicate other TSA security requirements. TSA does not currently regulate aircraft repair stations and the requirements referenced by the commenters do not apply to aircraft repair stations. TSA has eliminated the proposed requirement to adopt and implement a security program, thus there will not be duplication with airport security programs. Air carrier-owned and -operated maintenance repair and overhaul facilities conducting maintenance under the authority of a certificate issued under 14 CFR parts 121 or 135 are not subject to the requirements of this rule, since the statute and this rule specifically requires regulation of repair stations certificated under part 145 of the FAA regulations. Comments: Several commenters asked TSA to consider a repair station to be in full compliance with the rule if it is already incorporated within an airport's security program and uses the airport's access control measures. TSA Response: TSA is aware that some repair stations may be incorporated within an existing airport security program and has eliminated the proposed requirement that repair stations adopt and implement a security program to avoid unnecessary duplication. Comments: Eight commenters stated that repair stations in general do not pose a risk to security, especially compared to other facilities or operations in the aviation system. Ten commenters claimed that TSA did not conduct any type of risk analysis that quantified the security risks at repair stations or the benefits of the proposed rule. An association said TSA had correctly used a risk-based approach to determine the security measures that repair stations would be required to carry out under the proposed rule and concluded that this approach is the most effective way to advance repair station security. TSA Response: TSA agrees that the security risks posed by repair stations vary and that the most effective way to advance repair station security is to use a risk-based approach to address security matters. In developing this rule, TSA conducted a security risk analysis, including visits to repair stations located within the United States and outside the United States, interviews with industry and FAA experts, and a review of intelligence concerning a repair station's susceptibility to a terrorist attack. The NPRM described the site visits TSA made to repair stations between June 2005 and May 2008. See 74 FR 59877. Since that time, TSA has visited 47 repair stations located outside the United States and 928 repair station facilities within the United States to observe and discuss repair station security practices. The site visits provided valuable insight into the different types of facilities certificated by the FAA, the different types of repair work performed at those facilities, and the different security measures that are deployed. In addition, TSA considered whether certain factors could increase the security risks of a repair station. The risk factors TSA considered were: (1) The size and type of aircraft to which employees had access; (2) the type of [[Page 2123]] repair work permitted by the FAA certificate; (3) whether the repair station was located on an airport and the type of airport; and (4) the number of employees at the repair station. Comments: An industry association stated that aircraft operators that use repair stations should not be responsible for ensuring that repair stations comply with the regulation. TSA Response: TSA agrees that aircraft operators that use repair stations will not be responsible for ensuring that the FAA part 145- certificated repair stations comply with the final rule. C. Relationship to FAA Regulations Comments: Some commenters asked the FAA and TSA to coordinate their efforts to avoid placing any unnecessary burdens on repair station owners or operators. For example, one commenter pointed out that TSA could obtain repair station profile information from the FAA. Several commenters expressed concern regarding TSA's authority to request the FAA to suspend or revoke the operating certificate of a repair station. A few of these commenters said that because the FAA issues the repair station certificate and is the Federal agency responsible for the oversight and regulation of repair stations, the FAA should be the one Federal entity that is able to suspend or revoke the certificate. Other commenters questioned whether TSA, the FAA, or the National Transportation Safety Board (NTSB) has jurisdiction over the appeals process for certificate suspensions and revocations. Eight commenters said the rule would compromise aircraft safety. Three of these commenters claimed the FAA would lose oversight of repair stations and would no longer conduct mandatory inspections and surveillance. One commenter said the cost of the rule would cause repair facilities to divert operating funds away from aircraft safety. Two commenters noted the possibility that repair station operators would turn in their repair station rating and would instead operate using mechanics holding Airframe & Powerplant certification, resulting in a decrease in safety. TSA response: TSA has coordinated its efforts with the FAA throughout the rulemaking process and the final rule does not duplicate FAA's authority to regulate repair station safety matters or interfere in any way with the FAA certification process. In response to the comments requesting that TSA reduce the burden on repair stations by using FAA profile information, TSA eliminated the requirement for repair stations to provide profile information from the final rule. TSA will obtain the profile information from the FAA. The final rule is consistent with the statutory provisions regarding the processes for suspension and revocation of a repair station certificate. Under 49 U.S.C. 44924(c), TSA must notify the FAA Administrator when a repair station poses an immediate security risk or is found to have security deficiencies. The statute requires the FAA Administrator to act upon the TSA determination to suspend or revoke a repair station's certificate. Since the suspension or revocation is based on a determination that involves security, neither the FAA nor the NTSB has jurisdiction over the appeals process. The final rule includes a process whereby repair stations may request review of a TSA determination that the repair station certificate must be suspended or revoked. The procedure is consistent with the procedure now in place for TSA to withdraw approval of the security program of an airport operator, aircraft operator, foreign air carrier, indirect air carrier, or certified cargo screening facility, as provided in 49 CFR part 1540, subpart D. TSA disagrees with the comments that claim the rule would compromise aircraft safety, and that FAA would lose oversight of repair stations. FAA authority over repair station safety is not affected by this rule and repair stations must continue to comply with FAA safety regulations. This rule will supplement existing FAA safety requirements with security measures to ensure that unattended, large aircraft capable of flight cannot be commandeered. The costs of the rule are summarized in Section III.C below and described in detail in the regulatory impact analysis accompanying this final rule. As explained therein, TSA has minimized the cost burden of compliance, particularly to small businesses, by using a risk-based approach and eliminating the requirement for repair stations to implement a security program. In addition, if a repair station operator turned in the repair station rating and instead used mechanics holding Airframe & Powerplant certifications, the repair station operator would not be permitted to perform maintenance on passenger aircraft unless hired by an aircraft operator, in which case the maintenance work would be subject to the safety requirements of parts 121 or 135 of the FAA rules. D. ``One Size Fits All'' Approach to Security Comments: Twenty-seven commenters indicated the proposed rule did not adequately accommodate or account for the diversity of repair stations to which it would apply. A commenter noted that TSA recognized that a ``one size fits all approach'' would not appropriately address the diversity in repair station characteristics. Other commenters asked TSA for more information on how the security program would accommodate the different levels of risk posed by different types of repair stations. TSA response: TSA recognizes that just as aircraft repair stations vary widely in size, type of repairs, and numbers of employees, existing security measures also vary widely. As stated in the NPRM, TSA agrees that a ``one size fits all'' approach will not adequately address the diversity of certificated repair stations. As will be discussed below in Section G, repair stations that are not on or adjacent to an airport as defined in the final rule, are not required to implement security measures. E. Relationship to Foreign Laws and Standards Comments: Several commenters, including representatives of foreign governments, addressed the relationship of the proposed rule to other countries' security laws and standards. Commenters said TSA should recognize the equivalency of the security requirements of other countries and the European Union (EU). They also questioned the legal basis for application of the final rule without consultation and agreement as laid out in international and bilateral aviation agreements such as the EU-U.S. Air Transport Agreement. Other commenters noted the potential conflict of the proposed rule's requirements with national or EU laws or regulations in areas such as unannounced inspections and background checks of repair station employees. TSA response: TSA acknowledges the concerns of foreign governments regarding TSA authority to apply security requirements to part 145- certificated repair stations located outside the United States. TSA is aware of and has complied with its obligations under the EU-U.S. Air Transport Agreement, as well as other bilateral and multilateral instruments. TSA has discussed and will continue to discuss current and proposed security requirements with its international partners in order to enhance the compatibility of security regulations and standards, including the possibility of developing protocols for reciprocity and mutual recognition of repair station security regulations. TSA will address [[Page 2124]] any specific conflicts between the final rule and any national or EU laws or regulations that may arise. TSA has established procedures for conducting inspections outside the United States through its Foreign Airport and Foreign Air Carrier Assessment Programs and intends to use those same procedures when conducting inspections of FAA-certificated repair stations located outside the United States. These established procedures require coordination with the U.S. Department of State and the appropriate foreign government authorities. With regard to background checks, TSA will require repair stations that are on or adjacent to an airport, as defined in this rule, to verify background information of those individuals who are designated as the TSA point(s) of contact and those who have access to any keys or other means used to prevent the operation of large aircraft. The repair station may either verify the individual's employment history, confirm that the individual holds a FAA airman certificate, or (for a repair station located in the United States) confirm that the individual has obtained a security threat assessment, such as by holding a SIDA badge. TSA will not require any other specific type of background check since the laws regarding the ability to conduct certain background checks vary widely. However, repair stations may conduct other background checks consistent with applicable laws. Comments: Two commenters were concerned the proposed rule did not cover FAA-certificated repair stations in Canada. One of these commenters said Canadian facilities could pose the same security risks as FAA part 145 certificated facilities and contended that they should be subject to the regulation. TSA Response: TSA is aware that the final rule will not cover repair stations located in Canada and agrees that these repair stations could pose the same security risk as other repair stations. Canadian repair stations are covered under part 43 of the FAA regulations and operate under a bilateral agreement between the FAA and the Transport Canada Civil Aviation Authority. Since they are not certificated under Part 145 of the FAA regulations, they are not within the scope of this rule. Comments: One commenter said some foreign repair stations are already under regulatory oversight by established government authorities and should be exempt from the rule. TSA Response: A repair station that is regulated by a governmental authority is not exempt from the final rule. While a repair station may be regulated by a government agency for safety or other purposes, as is the case with the FAA, TSA cannot be assured that such regulation would encompass the security requirements in the final rule. F. Application of the Final Rule to Domestic Repair Stations Comments: Eight commenters said Congress omitted the word ``domestic'' from the statute and concluded that TSA does not have authority to impose regulations on domestic repair stations. One repair station owner/operator acknowledged that 49 U.S.C. 44924(f) requires TSA to issue regulations to ensure the security of both domestic and foreign repair stations. However, the commenter noted the remainder of the statute refers only to foreign repair stations and concluded that Vision 100 does not give TSA authority to suspend the certificates of domestic repair stations. Several commenters stated that the rule should apply only to foreign repair stations, that domestic repair stations pose a lower security threat than foreign repair stations, and that TSA is overstepping its authority to regulate both domestic and foreign repair stations. TSA response: TSA disagrees with the comments that claim the regulation should apply only to repair stations located outside the United States, that repair stations located within the United States necessarily pose a lower security threat than those located outside the United States, and that TSA is overstepping its authority to regulate aircraft repair stations. TSA is required to issue regulations to ``ensure the security of foreign and domestic aircraft repair stations.'' See 49 U.S.C. 44924(f). Therefore, the final rule applies to repair stations that are certificated by the FAA under part 145 of its regulations. By including all FAA part 145-certificated repair stations in the scope of the rule, TSA will be able to verify that repair stations certificated by the U.S. government are in compliance with the final rule. TSA will not suspend a repair station certificate. The statute provides that the FAA must suspend a certificate upon notification by TSA until such time as TSA determines the repair station maintains and carries out effective security measures. See 49 U.S.C. 44924(c). While the final rule is consistent with the statutory language, TSA has ample statutory authority to address all domestic transportation security matters. For example, 49 U.S.C. 114(f) gives TSA the authority to: Assess threats to transportation; develop policies, strategies, and plans for dealing with threats to transportation security; enforce security-related regulations and requirements; inspect, maintain, and test security facilities, equipment, and systems; and work in conjunction with the Administrator of the FAA with respect to any actions or activities that may affect aviation safety or air carrier operations. Section 611 of Vision 100 discusses the need to ``strengthen oversight of domestic and foreign repair stations'' and to ``ensure that foreign repair stations that are certified by the Administrator under part 145 of title 14, Code of Federal Regulations, are subject to an equivalent level of safety, oversight, and quality control as those located in the United States.'' \4\ Exempting repair stations within the United States from the enforcement provisions of the final rule would not permit TSA to effectively oversee the security of repair stations located within the United States or ensure that repair stations located outside the United States are subject to an equivalent level of safety, oversight, or quality control. --------------------------------------------------------------------------- \4\ H.R. Conf. Rep. No. 108-334, at 83 (2003). --------------------------------------------------------------------------- Regulating only repair stations outside the United States would not help TSA meet the statutory objective to ensure the security of foreign and domestic aircraft repair stations. In fact, the majority of FAA part 145-certificated repair stations are located in the United States and U.S. aircraft continue to be a prime target of terrorist threats. Exempting U.S. repair stations from the final rule would create a significant gap in TSA's efforts to secure U.S. aircraft and the traveling public. Repair stations located in the United States present an immediate opportunity for terrorists to attempt to harm U.S. aviation interests. For that reason, and consistent with statutory language, the final rule applies to FAA part 145-certificated repair stations. G. Exemptions for Certain Types of Repair Stations Many commenters requested TSA to exempt particular types of repair stations from the rule. Nineteen commenters stated that off-airport repair stations do not pose a security threat and contended the final rule should apply only to repair stations located on airport grounds. Another commenter agreed off-airport repair stations are less desirable targets than on-airport repair stations because they do not have access to operational aircraft. However, one commenter observed there are off- airport repair stations that repair complete aircraft. [[Page 2125]] A number of commenters requested additional types of repair stations be exempted from the regulation, including: Stations with a small number of employees, stations servicing hot-air balloons, and stations servicing aircraft with a MTOW below 12,500 pounds. In contrast, a labor union urged TSA not to exempt any repair stations from the rule. Eighteen commenters stated repair stations servicing aircraft with a MTOW below 12,500 pounds should be exempt from the rule. Several other commenters said any weight threshold used for this rule should be consistent with the threshold adopted in the General Aviation Security final rule. A few others suggested weight thresholds ranging as high as 100,000 pounds. Eleven commenters requested TSA to exempt repair stations that work only on aircraft components and do not have access to complete aircraft. Commenters stated these repair stations do not pose a security threat because existing FAA rules require testing of the airworthiness of the repaired components prior to installation. TSA response: TSA agrees with commenters that repair stations located on or adjacent to an airport could pose a higher security risk than other repair stations. As the commenters point out and as discussed in the NPRM, TSA found that repair station employees at off- airport locations had little, if any, access to operational aircraft or runways and are not the last individuals with access to aircraft prior to the reintroduction of the aircraft into service. TSA concluded that it may be more difficult for potential terrorists to attempt to attack aviation interests from an off-airport repair station location. TSA also agrees with commenters that it would be difficult for a terrorist to damage an aircraft at a repair station that is rated to repair only aircraft component parts. FAA safety regulations require inspection of the repair work and the component part prior to installation in an aircraft and before the aircraft is determined to be airworthy. TSA agrees with the commenters who believe that it is less likely that a terrorist would attempt to target an aircraft by attempting to sabotage or tamper with a component part at an off- airport location. In addition, TSA agrees with those commenters that repair stations that do not work on large aircraft pose less of a security risk. TSA has long recognized that aircraft with a MTOW of more than 12,500 pounds may be a greater security risk because the aircraft are of sufficient size and weight to inflict significant damage and loss of lives. See Security Programs for Aircraft 12,500 Pounds or More, 67 FR 8295 (Feb. 22, 2002). Smaller aircraft may be a less attractive target for terrorists. TSA believes that it must maintain its authority to conduct security inspections to ensure that repair stations do not pose a risk to transportation security and to make clear that repair stations must comply with security directives issued by TSA to respond to a specific threat. However, TSA has determined that only higher risk repair stations will be required to adopt security measures. Repair stations considered to be higher risk include those located on or adjacent to an airport. TSA will consider a repair station to be ``on airport'' if it is located on an AOA or SIDA of an airport covered by an airport security program under 49 CFR part 1542 in the United States, or on the security restricted area of any commensurate airport outside the United States regulated by a government entity. TSA will consider a repair station to be adjacent to an airport if there is an access point between the repair station and the airport of sufficient size to allow the movement of large aircraft between the repair station and the area described as ``on airport.'' These repair stations present the highest risk to security due to their proximity to an airport and a runway and the presence of operational aircraft of a size and weight that could inflict significant damage and loss of lives. These repair stations must implement security measures described in the final rule. TSA has retained the current definition of large aircraft used in its regulations, and will change that definition throughout the regulations should another definition be adopted in the General Aviation Security rulemaking proceeding. Other repair stations, in general, represent a minimal risk to aviation security because they are not located on or adjacent to an airport and do not have access to aircraft of sufficient size and weight to inflict significant damage or loss of lives. All FAA part 145 certificated repair stations are subject to other requirements in the rule, such as submission to TSA inspection and compliance with security directives. H. Protection of Sensitive Security Information (SSI) Comments: Two repair station owners/operators and an industry association supported the proposed SSI regulations. Another repair station owner/operator said the proposed SSI requirements may be redundant, because some corporations already have controls for business purposes to protect information from public disclosure. Another commenter warned the SSI requirements could adversely affect corporate operations and the availability of an operator's procedural documentation to its employees. An airport owner/operator expressed concern that the proposed rule would impose SSI responsibilities on repair stations even if they pose a low security risk. A repair station owner/operator and an industry association suggested the SSI provisions should apply to repair station owners but not to operators. Three commenters, including the European Commission, expressed concern about the applicability of the SSI provisions to foreign nationals who own and operate aircraft repair stations. They also said the proposed SSI provisions might be incompatible with the data protection directives of other nations or the EU. TSA response: TSA has eliminated the proposed requirement to adopt and implement a security program and has, therefore, eliminated the proposed changes to part 1520. TSA's SSI regulations already require security directives (SDs) to be treated as SSI. 49 CFR 1520.5. Part 1520 applies to entities that receive a TSA SD, including U.S. and foreign air carriers for their operations both within and outside the United States. While businesses may have procedures in place to protect certain types of information, they may not include specific SSI protections. Repair stations will be responsible for developing procedures to safeguard against unauthorized disclosure of a SD. When an individual is not in physical possession of SSI, that individual must store the SSI in a secure container, such as a locked desk, office, or file cabinet. TSA disagrees with the comments that the SSI regulations could make it difficult to share security information with repair station employees. The SSI regulations permit disclosure to persons with a need to know. 49 CFR 1520.9. TSA appreciates the concerns of the European Commission regarding the applicability of SSI requirements to foreign repair stations; however, TSA does not believe that this will cause difficulties with regard to EU legislation and data protection policies. TSA already applies SSI requirements to foreign air carriers operating under a TSA- accepted Model Security Program or who receive a TSA-issued emergency amendment. The EU has not objected to or raised concerns regarding conflicts with EU data protection laws and regulations in those instances. TSA will continue to discuss with the EU any specific conflicting regulatory requirements that may arise. [[Page 2126]] I. Scope of the Final Rule Comments: A repair station owner/operator supported the scope of the rule as proposed. Another repair station owner/operator suggested the words ``or excluded from this part by TSA'' be added to account for situations in which a repair station is already incorporated within an airport's security program or in which the repair station does not constitute a security threat. An industry association suggested the addition of ``or host government'' after ``U.S. Government'' in recognition of the fact that many other governments already have standards that meet or exceed those in the proposed rule. TSA response: TSA has modified the language in the final rule. The final rule does not apply to FAA part 145-certificated repair stations located on a U.S. or foreign government military installation. However, certificated repair stations that are regulated or under the oversight of a governmental entity are not exempt from the final rule. As explained previously, only higher risk repair stations will be required to implement security measures. J. Terms Used in the Final Rule Comments: Four commenters addressed the proposed definition of ``repair station.'' One industry association suggested narrowing the definition to include only repair stations that convey aircraft directly into commercial flight operations under parts 121 or 135 of the FAA's regulations. Another industry association suggested narrowing the definition to include only those repair stations authorized to perform maintenance or alteration of civil aviation aircraft located on a commercial airport. A third industry association objected to the proposed definition because it does not recognize mixed maintenance operations, in which a repair station is co-located at a larger facility that is not otherwise covered by TSA security requirements. A repair station owner/operator asked whether the scope and boundaries of a repair station for purposes of the TSA rule would differ from the scope and boundaries of the repair station for FAA purposes. TSA response: In response to the comments, TSA has eliminated the terms to avoid confusion with FAA terminology. TSA is aware of the existence of mixed-use facilities, for example those that combine maintenance and manufacturing stations. It will be the repair station operator's responsibility to delineate the parts of the station used for activities subject to this final rule and those that are not. If a repair station determines it is not possible to make such a delineation then the entire station would need to meet the requirements of this final rule. K. TSA Inspection Authority Comments: Several commenters suggested that TSA's authority to enter a repair station should be limited to normal business hours or after business hours with an escort upon reasonable notice, unless there is a known specific threat. These comments point out that, with prior notification, a repair station could make certain that the correct personnel are available to answer questions and provide documentation. Two labor unions supported unannounced inspections, saying repair stations must constantly ensure that they are complying with security requirements, and that advance notice would nullify the benefit of a security inspection. Four commenters supported the proposed language authorizing TSA to conduct unannounced inspections. However, they expressed concern that TSA indicated it would follow existing protocols for inspection of repair stations located outside the United States and provide advance notice to the facility being inspected and the host government. The commenters asserted that giving advance notice would nullify the benefit of the security inspection. Eight commenters, including a foreign government and the European Commission, said TSA could not legally inspect repair stations located outside the United States without prior notification and the approval of the authorities of the country in which the repair station is located. TSA response: TSA will follow current agency practices regarding inspections of repair station facilities outside the United States. TSA will always coordinate any inspections with the host government prior to starting an inspection. With regard to repair stations within the United States, TSA acknowledges the concerns expressed regarding such government inspections. While TSA anticipates that in some cases it will notify these repair stations of scheduled inspections, this regulation allows TSA to conduct an inspection without advance notice at any time and in a reasonable manner. In those instances where notice is given, TSA will give the repair station the opportunity to gather evidence of compliance and to arrange to have the appropriate personnel available to assist TSA. However, TSA anticipates that unannounced inspections will be conducted in the United States, particularly if warranted by a security incident at a repair station. Some inspections can be effective only if they are unannounced in order to determine whether the regulated party is in compliance when it is unaware that TSA may be inspecting. Terrorists will seek to take advantage of vulnerabilities whenever they occur. TSA must have the ability to respond to information, operations, and specific circumstances whenever they develop and to assess the security of regulated entities at any time, including weekends or holidays. Comments: Several commenters said the rule should clearly define the scope of TSA audits and should specify that the repair station property, facility, and records to be inspected are only those relevant to repair station security. In addition, a repair station owner/ operator and an industry association stated that business records, corporate correspondence, and aircraft maintenance records should be off-limits without a search warrant. They said the proposed rule language was too broad and should be narrowed in the final rule. TSA response: TSA disagrees that the inspection authority is overly broad and has not modified the language in the final rule. The statute authorizes TSA to ``complete a security review and audit.'' See 49 U.S.C. 44924(a). In addition, TSA has authority to ``inspect, maintain, and test security facilities, equipment, and systems.'' See 49 U.S.C. 114(f)(9). The regulatory text states specifically that the purpose of the inspection is to ``carry out TSA's security-related or regulatory authorities.'' Thus, TSA will seek access to records relevant only to security. The inspection authority section in new Sec. 1554.5 includes audits, assessments, or inspections and is consistent with existing TSA rules, such as in Sec. 1542.5 (airport operators) and Sec. 1580.5 (railroad operators). Also in connection with scope, TSA notes that consistent with its statutory authority (which currently allows inspections for security reasons irrespective of this final rule), inspections will be for compliance with this final rule's requirements and for security reasons only. For repair stations not subject to security measures under this rule (that is, those repair stations not located on or adjacent to an airport, as defined in this rule), TSA does not intend to inspect such facilities except as necessary to comply with the requirement in 49 U.S.C. 44924 to conduct a security audit of all part 145 certificated repair stations located outside the United States, to evaluate security risks as conditions warrant, and, in the event that TSA issues a [[Page 2127]] security directive to such a repair station, for compliance with the security directive. Comments: Some commenters said repair station security policy may require anyone inside the repair station to have an identification badge, and suggested that TSA and DHS officials comply with established security programs at the site. A few commenters asked how repair station personnel would know if TSA or DHS credentials are valid. One of them asked if repair station personnel could record the names and badge numbers of TSA and DHS inspectors. TSA response: The final rule allows repair stations to request inspectors to present their credentials for examination. Repair stations may not photocopy or otherwise reproduce the credential to prevent unauthorized individuals from using fake credentials to access a repair station. Repair stations may issue access or identification media to inspectors for their use while conducting inspections of the facilities. However, they may not prevent an inspector from conducting an inspection because the inspector was not issued identification media by the repair station. TSA will assist repair stations to develop training to identify TSA and DHS credentials. Comments: A repair station owner/operator observed that TSA and DHS officials would need an escort for their own safety. Several other commenters were concerned that untrained TSA personnel could damage aircraft parts during their inspections or cause a disruption of work. TSA response: TSA appreciates that it must properly train its inspectors so that they avoid dangers to themselves, to employees, and other individuals at the repair station, and to property. TSA intends to use only properly trained and credentialed personnel to conduct inspections. L. Security Program Adoption and Implementation Comments: A repair station owner/operator supported the proposed requirement to submit a profile because it would prevent use of a ``one size fits all'' approach to repair station security. One commenter asked TSA to accept the company profile used for FAA repair station approvals. Another repair station owner/operator said that TSA should eliminate this requirement or provide more information on what would constitute an adequate profile. Several commenters said that the proposed rule provided no guidance on how repair stations would report changes in profile information or how they would know which changes were significant enough to require reporting. TSA response: TSA concurs with the majority of comments regarding the submission of a profile and has not included the requirement in the final rule. TSA will use existing repair station profile information from the FAA. Comments: Several commenters questioned how TSA could achieve its stated objective of appropriately addressing the diversity in repair station characteristics while requiring repair stations to use a standard security program, unless otherwise authorized by TSA. They expressed concern about having to adopt a ``canned'' or ``cookie- cutter'' security program. In contrast, two labor unions said that there needs to be a baseline security standard applied to all repair stations and that allowing for any variation presents an opportunity for disparities in security from station to station. TSA response: TSA has eliminated the requirement to adopt and carry out a security program in the final rule. Comments: Some commenters expressed the belief that a 30-day deadline for a repair station to submit a profile was insufficient, particularly for small entities, those located overseas, and large corporations with many subsidiaries or joint ventures. Three of them suggested that 90 days would be more realistic. TSA response: TSA has eliminated the requirement for repair stations to submit a profile so there is no longer a 30-day deadline requirement. Comments: Two repair station owners/operators objected to the fact that the proposed rule does not define specific minimum performance standards, and entities may be subject to inconsistent compliance expectations. Another commenter asked that the detail provided in the preamble regarding the security program be included in the regulatory language. TSA response: TSA has eliminated the language in the NPRM regarding the security program requirements. The final rule describes security measures that repair stations on an airport or adjacent to an airport, as defined in the final rule, must adopt. In order to reduce the potential regulatory burden and implementation costs of the proposed rule, TSA has removed all security measures that restrict access to a repair station in the final rule. Instead, repair stations will be required to prevent unauthorized operation of large, unattended aircraft that are capable of flight. Large aircraft are defined as aircraft with a maximum certificated take-off weight of more than 12,500 pounds and attended aircraft means aircraft to which access is limited to authorized individuals and property. The final rule explains that preventing unauthorized operation may be accomplished in several ways and a repair station may even develop its own measure so long as it obtains approval from TSA. The final rule states that a repair station may block the path of the aircraft so that it cannot be moved and control the key to a vehicle used for that purpose, park the aircraft in a locked hangar and control the key to the hangar, or move stairs away from the aircraft and shut and lock, if feasible, all cabin and cargo doors and control the key. Controlling the key, if used, is described as making sure that keys are only available to an authorized individual who has undergone an employment history check or a security threat assessment. Comments: Ten commenters addressed the provision of the proposed rule requiring the security programs to include measures to identify all individuals authorized to enter the repair station. Three of the commenters said the actual language of the provision was not detailed enough to establish TSA's intent. A repair station owner/operator expressed support for TSA's statement in the NPRM that TSA will deem repair stations with established personnel identification media systems as compliant with the requirement. The commenter asked TSA to incorporate that language into the final rule. Three of the commenters also questioned TSA's intent with regard to compliance by small repair stations. They said small repair stations should be able to rely on simple identification measures such as personal recognition. TSA Response: In response to the comments, TSA has eliminated this requirement in the final rule. Comments: A repair station owner/operator said it is already in compliance with many elements of the proposed standard security program, including use of an employee identification system. Another repair station owner/operator said TSA should not require repair stations with established and existing escort policies and programs to replicate ``redundant'' government escort procedures, because it would cause confusion among employees and would impose excessive labor costs. With regard to the proposed training requirements, three commenters said existing International Civil Aviation Organization (ICAO) and EU requirements should be sufficient to meet the requirements, and a repair station owner/operator said security training already is part of its operations. [[Page 2128]] TSA response: TSA has eliminated these security requirements in the final rule. TSA acknowledges that many repair stations may already have existing measures that meet or exceed the requirements described in the final rule. Comments: Twenty-one commenters expressed divergent views regarding the requirement for employee background checks. Three commenters supported the proposed rule and said it should be imposed on repair station employees to the same degree it is imposed on FAA-certificated mechanics. Five commenters said the requirement to check previous employment might not be possible under EU Directive 95/46/EC and national legislation. A repair station owner/operator said TSA failed to recognize the limits imposed by Federal and State labor laws, as well as union contracts. One industry association said other laws and FAA regulations already require confirmation of citizenship and other information related to employment history. Another industry association also stated this requirement would be redundant for airport-based facilities. Seven commenters said the requirement was too vague and lacked details, such as screening criteria and adjudication procedures. One industry association said the phrase ``any other means as appropriate to validate employee information'' is unclear and said the final rule should have specific requirements such as the number of years or number of employers to include. Another industry association said it was unclear whether TSA intended employers to conduct a criminal history or a security threat assessment, but that neither should be required. Another commenter said the rule should include language that prevents operators from having to repeat background checks they have already conducted. TSA response: TSA has retained the requirement to verify employee background information, but has limited the number of repair stations that must implement security measures and has reduced the number of individuals whose background information must be verified. TSA recognizes that many countries have different laws and regulations regarding this matter, and not all repair stations have a need or the ability to conduct certain types of background checks. The final rule requires that only the individual or individuals responsible for compliance with the final rule and recordkeeping, designated as TSA point(s) of contact, and authorized access to keys used to secure large aircraft must undergo a background check. The final rule does not mandate the number of individuals who must undergo a background check, but the number must be sufficient to ensure that a point of contact is available on a 24-hour-a-day basis and all large aircraft capable of flight are secured when not attended. The final rule includes four examples of background checks that are acceptable and allows a repair station to use another means if approved by TSA. (1) Verification of employment history for the most recent five year period or the time since the employee's 18th birthday, whichever is shorter. Verification may be accomplished via telephone, email, or in writing. If the verification is performed by telephone, the repair station must record the date and the name of person who verified the employment. If there is a gap in employment of six months or more that is not satisfactorily explained, employment history is not verified for purposes of this rule. Employment history verification records must be maintained for at least 180 days after the employment ends. (2) Confirmation that the employee holds an airman certificate issued by the FAA is sufficient since TSA vets all such certificate holders. (3) For a repair station located within the United States confirmation that an employee has successfully completed a security threat assessment pursuant to part 1540 of TSA's regulations, such as by holding a SIDA badge. (4) For a repair station located outside the United States, confirmation that an employee has obtained a security threat assessment commensurate to a security threat assessment described in part 1540 of TSA's regulations. TSA is aware that many repair stations already conduct security threat assessments or other background checks on their employees. If the background check is commensurate with the requirement of the final rule, TSA will not require duplicative or redundant measures. Comment: A few commenters urged TSA to require drug and alcohol testing of personnel at foreign repair stations, just as the FAA requires such testing under its authority over domestic repair stations. The European Commission commented that such testing in EU member nations is a matter for the law enforcement services in those nations. TSA response: As stated in the NPRM, drug and alcohol testing is a safety issue that is under the purview of the FAA and is not included as a requirement in the final rule. Comments: A repair station owner/operator said the NPRM provided no training criteria or scope of incident management for the security coordinator. An industry association recommended TSA specify all training requirements in one place and requested that the expectations for the training of security coordinators be defined. One repair station owner/operator indicated that 24-hour contact would not be feasible for a small component repair station located outside of an airport. A second owner/operator said the requirement should be imposed at the airport level, not at the facility level. A third owner-operator suggested TSA allow repair stations to designate an alternate security coordinator. TSA response: TSA has eliminated the requirement to train a security coordinator in the final rule. The repair station must designate one or more individuals, as necessary, to serve as TSA point(s) of contact and to be responsible for compliance with the final rule and recordkeeping. Training is not required to perform these responsibilities. TSA does not agree that an airport Security Coordinator would be sufficient to serve as the primary and immediate contact for repair station security-related activities and communications with TSA, unless TSA determines the repair station is incorporated within the airport security program and the airport is responsible for the security of the repair station itself. Comments: A commenter stated that requiring a repair station to make its security program available for review by TSA is insufficient. The commenter said TSA should review and approve each security program. A repair station owner/operator asked to whom the security program must be accessible. One industry association asked if airport operators would be able to access and review a repair station's security program to verify that the airport operator is contacted for all security related issues or incidents. The European Commission and a repair station owner/operator opposed the proposed English language requirement, noting that it would be burdensome for foreign repair stations. The European Commission pointed out that English is the official language of only three of the 27 EU member states and said the requirements for oral and written communications to be in English would be impossible to implement. TSA response: The proposed requirement to adopt and implement a security program has been eliminated in the final rule. With regard to the proposed English language requirements, while TSA has [[Page 2129]] eliminated the security program requirement, it retains the requirement in the inspection provision to request documents in English. TSA notes that this requirement is consistent with FAA regulations, such as 14 CFR 145.219, which requires a certificated repair station to retain records of compliance in English. M. Security Directives (SDs) Comments: Several commenters objected to the requirement to comply with SDs and asserted TSA has used SDs to issue requirements without notice and the opportunity for public comment, thus circumventing the rulemaking process. Several industry associations expressed concern that TSA will require repair stations to comply with SDs that are not applicable to their circumstances. A commenter suggested TSA allow electronic acknowledgement of receipt of an SD so that a record of compliance is maintained. Other commenters thought verbal acknowledgement would be impractical and burdensome to TSA and to repair stations, particularly small facilities. Two repair station owners/operators said TSA should specify the method of compliance in the SD. A repair station owner/operator requested TSA identify the process for obtaining approval for alternative measures of complying with an SD. An industry association asserted that foreign repair stations are not under TSA jurisdiction, and a repair station owner/operator said the requirement to comply with SDs might be incompatible with foreign security requirements. One commenter requested TSA avoid using common aviation-related abbreviations for TSA-related items. As an example, the commenter said Security Directives should be called ``TSA Directives.'' TSA response: The term ``Security Directive'' is a standard term used throughout TSA's regulations to describe the regulatory document issued by TSA when TSA determines that additional security measures are necessary to respond to a threat assessment or to a specific threat against civil aviation. See 49 CFR 1542.303, 1544.305, 1548.19, and 1549.109. TSA declines to rename these documents. TSA intends to maintain its current practice and issue SDs to repair stations when necessary to respond to a threat assessment or a specific threat against aviation. TSA has added language to the final rule to clarify that repair stations may comment on SDs issued by TSA in Sec. 1554.103(d). TSA may amend an SD based on those comments. TSA will include in an SD the procedures to acknowledge receipt, to implement the requirements, and to request alternative measures if a particular measure is incompatible with a security requirement imposed by a foreign government or cannot reasonably be implemented. N. Suspension and Revocation of Certificates Comments: A few commenters asserted the statutory provisions regarding the suspension and revocation of certificates apply only to repair stations located outside the United States and thus the final rule should not apply to repair stations within the United States. Commenters claimed the proposed rule includes procedures for appealing the revocation of certification, but not for appealing the suspension of certification. Some recommended following the FAA process in 14 CFR part 13. Several commenters said the rule should include the criteria TSA would use when initiating a suspension or reinstating a certification. Another industry association added TSA is as likely to err in its judgment, as the industry is likely to err in compliance. Several commenters also expressed concern about the consequences of suspension and the resulting economic burden, especially on small businesses. Several commenters objected to the appeal process because it did not provide for appeal of TSA's decision to an impartial third party. One repair station owner/operator stated the proposal violates the current rules of discovery and does not reflect current judicial process, and other commenters urged that final certification authority be left to the FAA or NTSB. Other commenters warned that even though the suspension and review may be temporary, either action would jeopardize a repair station's ability to remain viable and the rule should include specific timelines that TSA must meet. Commenters expressed concern because the proposed rule provided no guidelines for TSA's determination of revocation and there are no effective checks on TSA's power to revoke. They also objected that under the proposed rule, a certificate remains revoked during the review process. One industry association requested TSA follow the procedures already in place for the revocation of an FAA airman certificate, including appeal to an administrative law judge and then to the NTSB. Another industry association observed that in some TSA actions against individual airmen, certificates were revoked while the documentation supporting TSA's actions were withheld. A repair station owner/operator requested harmonization with FAA's enforcement process, which includes voluntary self-disclosure, administrative corrections, processes to handle repeat offenders, and published guidelines for legal enforcement, including suspending or revoking domestic repair station certificates. An industry association expressed the belief that review of a revocation must be reconciled with existing FAA and TSA regulations. An anonymous commenter pointed out that the statute requires consulting with the Administrator to establish procedures to appeal a revocation of a certificate. Nineteen commenters said that the proposed rule did not provide enough detail or left too much to interpretation by those who would enforce it. A few commenters expressed concern about a lack of key definitions such as ``immediate risk to security'' and procedural protections such as other tools to achieve compliance objectives, and time limits for review, which could lead to inconsistencies and certificate revocation without due process. TSA response: TSA has clarified the regulatory language that provides for judicial review of a final agency order. TSA has also modified the language in the final rule to specify that repair stations have the opportunity to petition for reconsideration of a TSA determination that a repair station certificate must be suspended or revoked. The certificate enforcement actions in the final rule are consistent with TSA's procedures governing the withdrawal of approval of a security program. 49 CFR 1540.301. TSA agrees with commenters that the FAA has the authority to issue, suspend, or revoke certificates and the statute requires the FAA to suspend or revoke a certificate if notified by TSA to do so. 49 U.S.C. 44924(c). Since any certificate action initiated by TSA will involve compliance with TSA's security regulations, the basis for the certificate action must remain with TSA and not the FAA or the NTSB. Further, TSA has general authority to enforce security-related regulations and requirements. 49 U.S.C. 114(f)(7). TSA has consulted with the FAA in the development of the final rule. TSA appreciates the concerns expressed regarding the impact of a suspension or revocation of a certificate on a repair station business. TSA intends to follow current enforcement practices and anticipates that most instances of non-compliance will not result in certificate action. When appropriate, TSA will use a progressive enforcement process whereby instances [[Page 2130]] of non-compliance can be resolved with non-certificate action, including counseling, administrative actions, and civil penalties. See 49 CFR part 1503. O. Nondisclosure of Certain Information Comment: Two repair station owners/operators expressed concern that the proposed regulations would preclude them from obtaining information needed to appeal TSA determinations. TSA response: TSA has retained the language from the NPRM in Sec. 1554.205 in the final rule. In accordance with E.O. 12968, TSA does not disclose classified information. In accordance with 49 CFR 1520, TSA also does not disclose SSI to individuals without a ``need to know.'' However, consistent with current enforcement practice, TSA will provide the repair station with the information it collected and upon which the enforcement action is based. P. Other Comments on the Rulemaking Comment: One commenter suggested repair station operators be required to amend their FAA repair station manuals to make all personnel aware of TSA security concerns. TSA response: The FAA repair station manual is outside the scope of this rulemaking and TSA authority. TSA, however, has shared this comment with FAA. Comment: Several industry associations said that TSA should allow them and repair station owner/operators to review the standard security program prior to implementation of the rule. TSA response: TSA held briefing sessions with industry representatives in the United States and overseas. During the sessions, TSA provided a draft security program template for review and received comments. TSA notes that the requirement to adopt and implement a security program has been eliminated in the final rule. Comment: A commenter asserted that a substantial number of maintenance workers at repair stations are not certified and that some may not be legally working in the United States. TSA response: TSA notes that all employees hired after November 1, 1986, must complete Form I-9, Employment Eligibility Verification, issued by U.S. Citizenship and Immigration Services of the Department of Homeland Security to document that they are authorized to work in the United States. Comment: Ten commenters requested a more collaborative rulemaking process. Another commenter recommended consulting with four specific industry associations and other industry organizations during revision of the proposed rule. One industry association also suggested the creation of a Repair Station Sector Coordinating Council as a formal means of obtaining industry input for the rulemaking process. An association requested TSA to issue a Supplemental NPRM to make certain that the concerns raised in the public comments are addressed. Two commenters stated the lack of ability to review details of the Standard Security Program as part of the proposed regulations, specifically the associated information deemed by TSA to be SSI, render this rulemaking non-compliant with the requirements of the Administrative Procedure Act and applicable case law defining adequate rulemaking notice and opportunity to comment. TSA response: The NPRM containing the proposed regulations was published in the Federal Register for public comment. 74 FR 59874 (Nov. 18, 2009). TSA has reviewed all of the comments it received during the public comment periods in 2004 and 2009, as well as those received during the public listening session conducted in 2004, and has adjusted the final rule to address the comments as necessary. TSA has met all requirements of the Administrative Procedure Act. As noted above, TSA met with the repair station industry to receive comment on the security program template format. TSA held briefing sessions with industry representatives in the United States and overseas. During the sessions, TSA provided a draft security program template for review and received comments, although it ultimately determined not to include the security program requirement in the final rule. TSA will continue to consult with its stakeholders and sees no need for a coordinating council at this time. Q. Implementation Issues Comments: Five commenters said TSA lacks the budget and staffing levels needed to implement the security programs and provide oversight of repair stations as detailed in the rule. Two commenters said TSA is understaffed and suggested this rulemaking would serve only to divert necessary resources from the agency's other security programs. Two other commenters requested TSA secure the necessary resources to make certain the proposed program is implemented efficiently and immediately. Several commenters said TSA would likely need to hire new inspectors to implement the rule, and two commenters requested any new TSA inspectors be required to complete mandatory training to ensure all inspectors understand the safety measures and precautions that must be taken when performing security audits at repair stations. TSA response: The costs to the government to enforce the final rule are included in the regulatory impact analysis. TSA is aware of the complexity of work performed at repair stations. TSA has developed the appropriate inspection guidance documents and relevant training for its inspectors. Comments: Two commenters questioned the statutory requirement that TSA complete a security review and audit of all foreign repair stations certificated by the FAA no later than six months after the final rule is issued. Both said that the six-month period is too short. One requested that the period be extended to 12 months, while the other requested that the compliance period be extended to 18 months, the time specified in Vision 100. One commenter warned that if TSA does not extend the timeframe, the ability of new repair stations to be certified could be impeded, which would negatively affect the aircraft repair industry. TSA response: In the Implementing Recommendations of the 9/11 Commission Act of 2007 (Pub. L. 110-53, 121 Stat. 266, Aug. 3, 2007), the original 18-month deadline for completing security audits of repair stations located outside the United States was reduced to six months. TSA is committed to meeting the statutory deadline. TSA has hired inspectors and developed a database that will serve as an inspection scheduling and tracking tool. TSA has also developed an implementation plan for inspecting repair stations located outside the United States. Comment: An industry association suggested TSA collaborate with foreign authorities to help implement the proposed program in their respective countries. According to the association, this approach would allow TSA to use its resources more efficiently. TSA response: TSA will continue to meet and work with its international partners to discuss implementation of the final rule. Comments: Ten commenters said the proposed rule did not include a compliance date or adequate details on TSA's implementation plans, such as whether some repair stations would have to come into compliance before others. An aircraft manufacturer recommended adding a long-term compliance date for including measures to control access to a repair station because a business plan would need to be modified in order to accommodate [[Page 2131]] increased capital expenses. The commenter also suggested providing a more flexible ``phase-in period'' for repair stations that recognizes current industry business models in order to enable repair stations to adequately and appropriately address any identified security lapses. The commenter further recommended adopting a compliance schedule similar to that of 14 CFR parts 1, 21, 43, and 45, which focus on addressing potential industry constraints with meeting new compliance requirements. One commenter recommended an 18-month period, to allow adequate time to prepare for necessary costs and ensure that repair stations have an adequate understanding of what is required of them. One industry association suggested using a compliance date of 180 days from the publication of the final rule. TSA response: The final rule will be effective 45 days after the date of publication in the Federal Register. TSA will conduct appropriate outreach and communication to industry representatives and the aircraft repair station community to discuss specific implementation timeframes and issues. TSA notes that it has eliminated the requirement to adopt and carry out a security program in the final rule. In addition, TSA anticipates that many of these repair stations already have security measures in place that may meet or exceed the measures contained in the final rule. Comment: One commenter requested more information on the fees charged for TSA repair station audits, noting that the initial audit will require an additional charge for repair stations if the FAA is conducting the audits. TSA response: TSA is not charging a fee to conduct security audits or inspections. Comment: One industry association suggested TSA establish a 24-hour point of contact to answer compliance-related questions. TSA response: TSA has established a dedicated email address, ARS@tsa.dhs.gov, where repair stations can send questions. In addition, repair stations will be provided with the name and contact information for inspectors who will be available to respond to questions. R. Comments From the Small Business Administration Comment: The Small Business Administration Office of Advocacy (SBA) recommended that TSA limit the scope of the rule. SBA offered the following three alternatives to meet the objectives of Vision 100 while minimizing significant economic impacts on small repair stations: (1) Exempt all repair stations that are not located at a commercial airport or that do not have access to aircraft; (2) adopt a risk-based, tiered approach based on size of aircraft and access to aircraft; and (3) align the final rule with the threshold level TSA ultimately adopts in the proposed General Aviation Security rule. TSA response: TSA has reduced the scope of the final rule and has eliminated the proposed requirement to adopt and implement a security program. TSA has analyzed the possible security risk associated with repair stations and agrees that those not located on or adjacent to an airport, as defined in the final rule pose a lower risk to transportation security. This risk-based approach will minimize the economic impact on small repair stations consistent with SBA's recommendation. The aircraft size threshold in this final rule is consistent with TSA's current regulatory threshold. TSA agrees that its regulations should be consistent and will evaluate all of its regulations to determine whether changes are needed to enhance consistent regulatory treatment once the General Aviation Security rule is final. Comment: SBA recommended that TSA provide clear guidance to small business regarding the implementation of the security program. TSA response: TSA has eliminated the requirement to implement a security program. TSA will work with all stakeholders to provide guidance on the final rule. Comment: SBA was concerned that the costs of the regulation were understated, explaining that TSA either failed to estimate or underestimated costs of inspections, correcting security deficiencies, complying with security directives, implementing access control measures, implementing the security program, appealing suspension and revocation determinations, and implementing identification media systems. SBA recommended that TSA reassess its cost estimates. TSA response: TSA has added estimates or updated its previous estimates in the regulatory impact analysis to reflect the requirements in the final rule. TSA notes that the requirement to implement a security program has been eliminated and the application of security measure requirements has been reduced significantly. The costs of complying with future SDs cannot be estimated. SDs are issued on a limited basis to respond to a specific threat. The measures required to respond to the threat and the frequency of such threats cannot be reasonably predicted. TSA does permit regulated entities to comment on a SD and propose alternate measures if the measures cannot be reasonably implemented. Comment: SBA recommended that TSA address the concerns of small businesses regarding SSI and develop procedures to assist small businesses to control SSI. TSA response: The requirements for the protection of SSI are described in part 1520 of TSA's regulations. TSA will provide assistance and will answer specific questions regarding the protection of SSI. The SSI regulations explain that SDs are SSI. Those repair stations that receive a SD will be required to safeguard it to prevent access by individuals who are not authorized to possess SSI. Repair station employees must have access to the SD to ensure that security measures are implemented. To protect SSI, TSA only requires that SSI be stored in a locked cabinet or desk drawer, or electronically as a password-protected file. Therefore, TSA believes that the costs of protecting SSI will be minimal and will only be incurred if the repair station receives a SD. Comment: SBA recommended that TSA address concerns expressed by small businesses regarding the appeals process if TSA determines that a repair station certificate must be suspended or revoked. It also recommended that intermediate processes such as warnings, or requests for information be used since small businesses may go out of business if closed pending appeal of a suspension. TSA response: Since TSA has eliminated the proposed requirement to adopt and carry out a security program; we do not expect that there will be many instances that would require suspension or revocation of a certificate. This expectation is based on the repair station visits TSA conducted that demonstrated the vast majority of repair stations already have reasonable and sufficient security measures in place. While some aspects of the appeals process are specified in the statute, TSA has clarified the regulatory language that provides for judicial review of a final agency order. TSA has also modified the language in the final rule to specify that repair stations have the opportunity to petition for reconsideration of a TSA determination that a certificate must be suspended or revoked. The final rule is consistent with TSA's current regulations regarding withdrawal of a security program. 49 CFR 1540.301. TSA agrees that intermediate processes will be [[Page 2132]] used. This is consistent with TSA's current inspection protocols used to inspect airports and air carrier or aircraft operator operations. TSA anticipates that in most instances repair stations will be able to implement immediate measures to correct security deficiencies without the need for any formal enforcement mechanism. When necessary, TSA will use a progressive process whereby instances of non-compliance can be resolved with non-certificate action, including counseling, administrative action, and civil penalties. See 49 CFR part 1503. Comment: SBA recommended that TSA consider how its proposed rule would affect non-typical and ``hybrid'' repair station facilities. For example, some repair stations are tenants in large facilities in which the landlord is not a regulated entity, some only occupy a workbench within a large building, and some work on the ``air side'' of an airport where pilots and other visitors frequently walk up to an open hangar to ask questions. TSA response: TSA understands that there is a wide variety of certificated repair stations that differ in size, type of repairs, and number of employees. TSA has eliminated the proposed requirement to implement a security program and has reduced the number of repair stations that will be required to implement the security measures described in the final rule. TSA is aware of the existence of ``hybrid'' or mixed-use facilities, for example, those that combine maintenance and manufacturing stations. It will be the part 145 certificated repair station's responsibility to delineate the parts of the station that are subject to the final rule and those that are not. If a repair station determines it is not possible to make such a delineation, the entire repair station must be in compliance with the final rule. S. Comments on the Regulatory Impact Assessment Comment: One association addressed the cost of complying with the proposed amendments to part 1520, which would designate repair station security programs as SSI and would include repair station owners and operators as entities subject to SSI requirements. The association said that it was not possible to estimate and comment on the cost of controlling SSI, because TSA had failed to indicate what it would consider an adequate and secure information management system. TSA response: TSA has eliminated the requirement to carry out a security program and the proposed amendment to part 1520 to treat the security program as SSI. However, part 1520 requires that SDs be treated as SSI. If a repair station receives a SD, a system for securely managing and controlling SSI could be storing that information or material in a secure container (e.g., locked desk or filing cabinet) that prevents the unauthorized disclosure of this information or material. SSI materials may also be stored electronically as password- protected files. Considering these options are compliant with part 1520, TSA does not believe that there will be any additional cost burden on repair stations to control access to SDs. Comment: Several commenters questioned the attack scenarios found in the economic analysis and stated that the probability of these attack scenarios actually occurring is remote. One stated that the basic premise of the scenarios is off because the break even analysis assumes that the majority of repair stations have access to airports and aircraft. TSA Response: TSA has analyzed the security risks of the repair station population and has revised the implementation plan to only require repair stations located on or adjacent to an airport, as defined in the final rule, to adopt and implement security measures. Comments: Seventeen commenters stated that TSA had significantly underestimated the cost of compliance. Two commenters stated that the costs estimated are too low and that TSA should redo the cost analysis and the Initial Regulatory Flexibility Analysis (IRFA). Commenters provided lists of items that they claim TSA failed to address adequately, including the costs of creating and implementing a security program, facility access control measures, personnel identification media systems, security coordinators, and security awareness training. One repair station owner/operator said that the estimate that an off-airport repair station would require only four hours to complete and implement a security program seemed extraordinarily low, as did other estimates of average compliance costs in the NPRM. Another operator stated that rule familiarization had taken 10 hours. It estimated that writing a program would cost $12,000 and the actual implementation cost could exceed $80,000. An industry association and a repair station owner/operator said that the analysis failed to consider the cost of fencing, guards, cameras, badges, and access control systems, which they said that small repair stations and general aviation airports may not already have. The industry association said that the cost to establish access control would not be feasible for a small repair station at a general aviation airport. One commenter said that it had priced three ``off-the-shelf'' non-biometric photo ID badge systems at an average cost of $2,346; similarly, the commenter said it priced a 750-foot perimeter fence with access gates at $14,905. The commenter noted that the sum of these two estimates far exceeds TSA's estimate of total compliance costs of $4,216 for a business with 45 employees. Various commenters estimated the cost of background checks and a badge system as $4,600 to $6,000, and a security system as $17,250. An industry association stated that the rule would require repair stations to add at least one full time position, which would create a financial burden for small repair stations and make it harder for them to remain competitive. Another association stated that TSA was asking repair stations to prove their approach was sufficient; while stations with professional security staff could do this, it was unreasonable to expect small GA repair stations to do this. A third commenter estimated salary for security staff as $70,350. One industry association also stated that TSA had underestimated training costs and should double them. Another commenter estimated training costs at up to $2,000 per employee. One industry association stated that the analysis failed to consider that small entities do not physically separate work areas, which the NPRM would require. The contingency plan requirement for identifying unauthorized persons is not defined. It noted that small stations do not routinely escort visitors and do not have staff who can be assigned to do this without losing productive work. The escort requirement will disproportionately affect small stations. An operator stated that TSA had based its analysis on small repair stations, which calls into question whether the agency has met the requirements of E.O. 12866, the Regulatory Flexibility Act (RFA), and the Trade Agreement Act. TSA response: In order to address the concerns of the commenters and better estimate the costs of compliance associated with the security measures described in the final rule, TSA has revised its cost estimates. TSA has eliminated the requirement to adopt and implement a security program. Specifically, TSA has eliminated all security measures regarding preventing access to repair stations and will only require certain repair stations to prevent the unauthorized operation of large [[Page 2133]] aircraft that are unattended. This change will reduce the regulatory requirement and the costs of implementation. While TSA has retained the requirement to verify employee background information, it has reduced the application of that requirement only to those individuals who are designated as the TSA point of contact and those who have access to the keys or other means used to prevent the unauthorized operation of large aircraft. TSA has clarified that it will accept the background check obtained by individuals who have obtained a FAA airman certificate or a SIDA badge. All proposed regulations regarding the content, format and availability of a security program have been eliminated in the final rule. The cost estimates for both the NPRM and the final rule are listed in Chapter 4 of the regulatory impact analysis accompanying this final rule. That chapter also describes the reasons for the differences in the cost estimates. In conjunction with the NPRM, TSA published a regulatory impact analysis that addressed the requirements of EO 12866, the RFA, the Unfunded Mandates Reform Act, and the Trade Agreement Act. The cost estimates in that regulatory impact analysis were not based on small repair stations. However, the IRFA considered the cost impact of the proposed regulations on repair stations classified under SBA standards as ``small'' businesses. In the final rule, TSA has updated these analyses, considering all costs incurred by TSA and any repair stations notified to adopt security measures under the final rule. Comments: Forty-eight commenters argued that complying with the proposed requirements in part 1554 would be too costly, and some said that the compliance costs would force repair stations out of business. Six commenters stated that taxpayers and the flying public would also feel the financial burden. Twelve commenters said that the proposed rule would likely result in small GA repair stations either closing their businesses or surrendering their repair station certificates in favor of becoming maintenance repair shops that would not be required to comply with the proposed rule. Fifty commenters said that small aircraft repair stations in particular would suffer significant economic and staffing losses because of the proposed rule. Many of these commenters said that because small repair stations each employ a small number of people, the compliance cost per employee would be significant. TSA response: With respect to the comments about station closings, TSA recognizes that some aircraft repair stations will incur costs associated with the implementation of security measures, but TSA has reduced the requirements of this final rule and therefore, the costs of implementation. TSA has eliminated the requirement of all security measures regarding preventing access to repair stations and will only require repair stations to prevent the unauthorized operation of large aircraft. All proposed regulations regarding the content, format and availability of a security program have been eliminated in the final rule. Additionally, the requirement to adopt security measures was revised to include only repair stations located on or adjacent to an airport, as defined in the final rule. TSA has prepared a Final Regulatory Flexibility Analysis (FRFA) as part of the economic analysis of the final rule. This analysis can be found in the regulatory impact analysis, and presents the estimated compliance costs small businesses would incur as a percentage of annual revenues. TSA has kept the costs of implementation of this rule on small businesses to a minimum by eliminating the security program requirement for all repair stations. Further, the security measures in this final rule allow flexibility in implementation. III. Rulemaking Analyses and Notices A. International Compatibility In keeping with U.S. obligations under the Convention on International Civil Aviation, it is TSA policy to comply with International Civil Aviation Organization (ICAO) Standards and Recommended Practices where possible. TSA has determined that these regulations are consistent with ICAO Standards and Recommended Practices for security of airports and facilities contained in Annex 17 of the Convention, the ICAO Security Manual and the ICAO Security Audit Reference Manual. B. Economic Impact Analyses 1. Regulatory Impact Analysis Summary Changes to Federal regulations must undergo several economic analyses. First, E.O. 12866, Regulatory Planning and Review (58 FR 51735, October 4, 1993), as supplemented by E.O. 13563, Improving Regulation and Regulatory Review (76 FR 3821, January 21, 2011), directs each Federal agency to propose or adopt a regulation only if the agency makes a reasoned determination that the benefits of the intended regulation justify its costs. Second, the Regulatory Flexibility Act (5 U.S.C. 601 et seq.), as amended by the Small Business Regulatory Enforcement Fairness Act (SBREFA) of 1996, requires agencies to consider the economic impact of regulatory changes on small entities when an agency is required to issue a NPRM. Third, the Trade Agreements Act (19 U.S.C. 2531-2533) prohibits agencies from setting standards that create unnecessary obstacles to the foreign commerce of the United States. In developing U.S. standards, the Trade Act requires agencies to consider international standards, where appropriate, as the basis of U.S. standards. Fourth, the Unfunded Mandates Reform Act of 1995 (2 U.S.C. 1531-1538) requires agencies to prepare a written assessment of the costs, benefits, and other effects of proposed or final rules that include a Federal mandate likely to result in the expenditure by State, local, or tribal governments, in the aggregate, or by the private sector, of $100 million or more annually (adjusted for inflation). In conducting the following four analyses, TSA has determined: 1. This final rule is a ``significant regulatory action,'' although not an economically significant regulatory action, under section 3(f)(1) of E.O. 12866. Accordingly, the Office of Management and Budget has reviewed this regulation. 2. This final rule imposes no significant barriers to international trade. 3. This final rule does not impose an unfunded mandate on State, local, or tribal governments, or on the private sector in excess of $100 million (adjusted for inflation) in any one year. These analyses, as well as the Final Regulatory Flexibility Analysis, are summarized below and are detailed in the regulatory impact analysis accompanying the final rule. 2. Executive Orders 12866 and 13563 Assessments Executive Orders 12866 and 13563 direct agencies to assess the costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. Costs TSA issued an NPRM on November 18, 2009 (74 FR 68774). This final rule makes the following major changes to [[Page 2134]] the NPRM. The first major change is the elimination of the requirement for a repair station to submit a security profile to TSA. TSA will obtain data from the FAA and conduct field visits to acquire other data and information. TSA has also eliminated the requirement to adopt and implement a security program and all security measures preventing access to repair stations. While TSA has retained the requirement to verify employee background information, it has reduced the application of that requirement to those individuals who are designated as the TSA point of contact and those who have access to the keys or other means used to prevent the unauthorized operation of large aircraft capable of flight that are left unattended. TSA has clarified that it will accept employment history checks or background checks conducted on individuals who have obtained a FAA airman certificate or a SIDA badge. TSA assessed the risk profile of the repair station population and determined that not all repair stations present sufficient risk to warrant security program requirements. Therefore, TSA is only requiring those repair stations located on or adjacent to certain airports, as defined in this final rule, to adopt security measures. As noted above, TSA will consider a repair station to be ``on airport'' if it is on an AOA or SIDA of an airport covered by an airport security program under 49 CFR part 1542 in the United States, or on the security restricted area of any commensurate airport outside the United States regulated by a government entity. TSA will consider a repair station to be adjacent to an airport if there is an access point between the repair station and the airport of sufficient size to allow the movement of large aircraft between the repair station and the area described as ``on airport.'' Under the NPRM, approximately 4,800 repair stations certificated under part 145 would have been affected by the rulemaking's affirmative requirements, while under this final rule, that number has been reduced to an estimated 678 repair stations. In response to public comments and changes in final rule implementation, TSA has adjusted the estimated costs for the final rule. The regulatory impact analysis accompanying this final rule summarizes the revised cost estimates of the regulation. Total In summary, over the 10-year period of the analysis, TSA estimates the aggregate costs of the Aircraft Repair Station Security Final Rule to total approximately $23.22 million, undiscounted. This total is distributed among repair stations located within the United States, which would incur total costs of $8.7 million; repair stations located outside the United States, which would incur costs of $14.18 million; and TSA, which would incur costs of $0.34 million. Chapter 2 of the regulatory impact analysis, available in the public docket, provides detailed estimates of these costs. The following table presents the annual costs of the rule over the 10-year period of analysis, broken out into costs incurred by TSA, repair stations located within the United States, and repair stations located outside the United States, respectively. Table 1--Total Cost of the Aircraft Repair Station Security Final Rule [$ millions] -------------------------------------------------------------------------------------------------------------------------------------------------------- Repair stations Repair stations Year TSA Costs within the United outside the Total Discounted, 3 Discounted, 7 States United States (undiscounted) percent percent -------------------------------------------------------------------------------------------------------------------------------------------------------- 1.......................................... $0.06 $0.9 $1.37 $2.34 $2.27 $2.19 2.......................................... 0.03 0.9 1.31 2.24 2.11 1.96 3.......................................... 0.02 0.9 1.34 2.25 2.06 1.83 4.......................................... 0.04 0.9 1.37 2.29 2.03 1.75 5.......................................... 0.04 0.9 1.40 2.31 1.99 1.65 6.......................................... 0.02 0.9 1.42 2.30 1.93 1.53 7.......................................... 0.04 0.9 1.46 2.36 1.92 1.47 8.......................................... 0.03 0.9 1.48 2.36 1.86 1.37 9.......................................... 0.02 0.8 1.51 2.37 1.81 1.29 10......................................... 0.04 0.8 1.54 2.41 1.79 1.22 ------------------------------------------------------------------------------------------------------------ Total.................................. 0.34 8.70 14.18 23.22 19.78 16.26 -------------------------------------------------------------------------------------------------------------------------------------------------------- Changes in Cost Estimates From Notice of Proposed Rulemaking The cost estimates for this final rule differ from those reported in the NPRM due to the elimination of security program, facility access control and other requirements as described above. TSA also uses more recently available data from its outreach efforts and from FAA databases to update population projections and program costs. The following tables present the cost estimates of the final rule compared to those presented in the NPRM. Table 2--Changes in Costs From the NPRM to the Final Rule ---------------------------------------------------------------------------------------------------------------- 10-Year total rule costs ($ millions) Estimate ----------------------------------------------------- NPRM Final rule Difference ---------------------------------------------------------------------------------------------------------------- Total (undiscounted)...................................... $344.4 $23.22 ($321.18) 3% Discount............................................... $293.3 $19.78 ($273.52) 7% Discount............................................... $241.0 $16.26 ($224.74) ---------------------------------------------------------------------------------------------------------------- [[Page 2135]] Table 3--Changes in Costs Incurred by Repair Stations Located Within the United States ---------------------------------------------------------------------------------------------------------------- 10-Year total costs ($ millions) Cost segment ------------------------------------------------ Major cost driving NPRM Final rule Difference changes ---------------------------------------------------------------------------------------------------------------- Security Programs....................... $1.6 $0 ($1.6) All proposed regulations regarding the content, format and availability of a security program have been eliminated in the final rule. Point of Contact........................ 113.2 5.8 (107.4) TSA is requiring only a point of contact on a 24-hour a day basis. ID Media System......................... 0.5 0 (0.5) TSA eliminated ID Media System requirements. Aircraft Access Control................. 0.0 2.7 2.7 This is a new cost in the final rule for on- airport and adjacent repair stations. Training................................ 53.2 0 (53.2) TSA has eliminated all training requirements. Inspections............................. 0.0 0.16 0.16 This is a new cost in the final rule for on- airport and adjacent repair stations. Revocation Appeals...................... 0.0 0.004 0.004 TSA now includes a cost estimate for the fraction of repair stations estimated to require an appeal due to suspension or revocation. This fraction is based on historical data from FAA. ------------------------------------------------ Total (undiscounted)................ 168.5 8.7 (159.8) ------------------------------------------------ 3% Discounted Total................. 143.9 7.4 (136.5) ------------------------------------------------ 7% Discounted Total................. 118.6 6.1 (112.5) ---------------------------------------------------------------------------------------------------------------- Table 4--Changes in Costs Incurred by Repair Stations Located Outside the United States ---------------------------------------------------------------------------------------------------------------- 10-Year total costs ($ millions) Cost segment ------------------------------------------------ Major cost driving NPRM Final rule Difference changes ---------------------------------------------------------------------------------------------------------------- Security Programs..................... $0.7 $0 ($0.7) All proposed regulations regarding the content, format and availability of a security program have been eliminated in the final rule. Point of Contact...................... 18.5 3.8 (14.7) TSA is requiring only a point of contact on a 24-hour a day basis. Personnel ID System................... 0.1 0 (0.1) TSA eliminated Personnel ID System requirements. Aircraft Access Control............... 0.0 10.2 10.2 This is a new cost in the final rule for on- airport repair stations. Training.............................. 78.4 0 (78.4) TSA has eliminated all training requirements. Inspection............................ 0.0 0.10 0.10 This is a new cost in the final rule for on- airport repair stations. Revocation Appeals.................... 0.0 0.05 0.05 TSA now includes a cost estimate for the fraction of repair stations estimated to require an appeal due to suspension or revocation. This fraction is based on historical data from FAA. Employment History Checks............. 0.0 .08 .08 This is a new cost in the final rule for on- airport repair stations. ------------------------------------------------ Total (undiscounted).............. 97.7 14.2 (83.5) ------------------------------------------------ 3% Discounted Total............... 83.4 12.0 (71.4) ------------------------------------------------ 7% Discounted Total............... 68.7 9.9 (58.8) ---------------------------------------------------------------------------------------------------------------- [[Page 2136]] Table 5--Changes to TSA Costs ---------------------------------------------------------------------------------------------------------------- 10-Year total costs ($ millions) Estimate ------------------------------------------------ Major cost driving NPRM Final rule Difference changes ---------------------------------------------------------------------------------------------------------------- Total (undiscounted).................... $78.2 $0.3 ($77.9) TSA has reduced the requirements of this final rule resulting in a reduction of inspection time and resources. ------------------------------------------------ 3% Discounted Total................. 66.1 0.3 (65.8) ------------------------------------------------ 7% Discounted Total................. 53.7 0.2 (53.5) ---------------------------------------------------------------------------------------------------------------- Benefits TSA is issuing regulations to provide for the security of maintenance, preventive maintenance, or alterations on aircraft or articles of aircraft performed at repair stations located both within and outside the United States, of the aircraft and articles located at these repair stations, and of the repair station facilities as required by Vision 100. As terrorist organizations continue to target civil aviation, Congress has indicated the importance of aircraft repair station security. TSA opted to require only those repair stations located on or adjacent to certain airports, as defined in this final rule, to adopt security measures. These facilities represent potential risks due to both their location on or adjacent to an airport and airport runways and their ability to perform maintenance on and have access to aircraft with a MTOW of more than 12,500 lbs. Therefore, the opportunity exists for a terrorist to commandeer an operational aircraft and use it as a weapon against a populated target. TSA uses a break-even analysis to frame the relationship between the potential benefits of the rulemaking and the costs of implementing the rule. When it is not possible to quantify or monetize the important incremental benefits of a regulation, OMB recommends conducting a threshold, or ``break-even'' analysis. According to OMB Circular No. A- 4, ``Regulatory Analysis,'' such an analysis answers the question, ``How small could the value of the non-quantified benefits be (or how large would the value of the non-quantified costs need to be) before the rule would yield zero net benefits?'' \5\ Consequently, to better inform the comparison of the costs of implementing the rule with the benefits to homeland security of the Aircraft Repair Station Security final rule, TSA performed a break-even analysis. In the break-even analysis, TSA compared the annualized cost of the rule's requirements to the expected benefits of preventing a potential terrorist attack. --------------------------------------------------------------------------- \5\ https://www.whitehouse.gov/sites/default/files/omb/assets/regulatory_matters_pdf/a-4.pdf. --------------------------------------------------------------------------- The type of terrorist attack addressed by this final rule is an aircraft as weapon scenario against a populated target such as an office building. This attack would result from the infiltration of an on-airport repair station and subsequent commandeering of an aircraft. To assess the potential impact of an attack originating at a repair station, TSA considers a representative attack scenario and estimates the monetary value of the losses associated with this scenario. This attack scenario is taken from the second iteration of TSA's Transportation Sector Security Risk Assessment (TSSRA 2.0). TSSRA 2.0 is a SSI report that was produced in response to DHS Appropriations legislation (Pub. L. 110-396/Division D and Pub. L. 111-83), which requires DHS through TSA to conduct a comprehensive risk assessment. In order to compare the losses in the scenario with the cost of the final rule, TSA assigns a statistical monetary value to potential passenger, crew casualties and bystander, and also takes into account property damage associated with the aircraft and infrastructure involved in the attack scenario. TSA uses a Customs and Border Protection (CBP) Value of a Statistical Life (VSL) estimate of $6.3 million \6\ to represent the amount an individual is willing to pay to achieve a small reduction in mortality risk. In order to estimate the value of injuries, TSA used the Department of Transportation (DOT) published guidance \7\ for values of moderate injuries at 4.7 percent of VSL and severe injuries at 26.6 percent of VSL. Consequently, for a severe injury, TSA estimates a value of $1,675,800 ($6,300,000 VSL x 0.266) and for a moderate injury, TSA estimates a value of $296,100 ($6,300,000 VSL x 0.047). --------------------------------------------------------------------------- \6\ U.S. Customs and Border Protection, Report, ``Valuing Mortality Risk Reductions in Homeland Security Regulatory Analyses.'' Final Report, CBP, June 2008. \7\ U.S. Department of Transportation memorandum, ``Revised Departmental Guidance: Treatment of the Value of Preventing Fatalities and Injuries in Preparing Economic Analyses--2011 Revision,'' July 29, 2011. https://ostpxweb.dot.gov/policy/reports/vsl_guidance_072911.pdf. --------------------------------------------------------------------------- The following paragraphs describe a scenario for which TSA believes this final rule will help reduce the likelihood of occurrence and their corresponding estimated monetary consequences. This analysis does not consider the indirect, macroeconomic consequences these terrorist attacks could cause. Consequently, the economic impacts of this terrorist attack estimated for this break-even analysis is a lower- bound estimate. This attack scenario describes the impact of a situation where a commercial aircraft is stolen from a repair station (with no passengers on board) and used as a missile to attack an office building. The scenario results in loss of life, severe and moderate injuries, destruction of the aircraft, and damage to the building. Again, TSSRA 2.0 uses the average building size and capacity of a number of office buildings to estimate an average building size of 49 stories with an average of 176 people per story. TSSRA 2.0 estimates 2,992 fatalities for this scenario. TSSRA 2.0 assumes the attacker(s) will hit the office building approximately a third of the way down the building and due to the size of the aircraft, it is assumed that anyone above the impact site will die due to the inability to escape the building (17 stories x 176 people). Using the CBP VSL of $6.3 million, the monetary estimate associated with the loss of life is $18,849.6 million (2,992 x $6.3 million). TSSRA 2.0 also estimates 880 severe injuries, which is equal to the number of occupants of 5-stories of the representative office building. TSSRA 2.0 assumes that several floors directly below the impact site would be affected by the force of the impact and the resultant fires. In addition, people exiting the building from these floors would be more likely to have injuries requiring hospital treatment. Again using the DOT guidance on the valuation of injuries, the monetary estimate associated with severe injuries is $1,474.7 million (880 severe injuries [[Page 2137]] x $1,675,800). TSSRA 2.0 estimates 2,376 moderate injuries, which is equal to one-half of the remaining population of the representative office building (0.5 x (8,624 - 2,992 - 880). TSSRA 2.0 assumes that at least half of the remaining occupants not killed or severely injured would be moderately injured due to smoke, falling debris, or the action of evacuating the building. The monetary estimate associated with the moderate injuries is $703.5 million (2,376 moderate injuries x $296,100). TSSRA 2.0 assumes this type of attack requires replacement of the entire building. TSSRA 2.0 estimates the cost of replacement using an average construction cost of $846.8 million for recently built large buildings in the United States. To estimate the value of the lost aircraft, TSA uses $22.6 million, which is the 2009 weighted average market value of all two-engine narrow-body and two-engine wide-body air carrier aircraft.\8\ --------------------------------------------------------------------------- \8\ Federal Aviation Administration, 2007, ``Economic Values for FAA Investment and Regulatory Decisions, a Guide.'' Prepared by GRA, Inc. December 31, 2004 (updated). Table 5-2. TSA calculates a weighted average value for aircraft in rows 1 and 2. TSA converted this weighted average aircraft value from a 2003 estimate to the 2009 equivalent weighted average value of $22.6 million using the FAA recommended method described in the document in Section 9.6 (page 9-9), which relies on the BLS producer price index series for civil aircraft available in the producer price index values (2003- 2009 annual values), a factor of 1.31, for commodities at https://stats.bls.gov/ppi/home.htm. --------------------------------------------------------------------------- The total monetary valuation of the losses of life, aircraft and buildings, and injuries represented in this scenario is $21,897.2 million ($18,849.6 million for fatalities + $1,474.7 million for severe injuries + $703.5 million for moderate injuries + $22.6 million for loss of aircraft + $846.8 million for replacement of the building). In this analysis, the comparison is made between the estimated monetary consequence of this scenario and the annualized cost of the Aircraft Repair Station Security final rule, discounted at seven percent ($2.3 million).\9\ The ``required risk reduction in attack frequency'' to break even is estimated by dividing the total consequences of a specific attack scenario by the annualized cost of the regulation, discounted at seven percent. In order to break even, the rule will need to reduce the existing or baseline frequency of terrorist attack by one attack every 9,460 years for attacks of a similar magnitude. These results are presented in table form in both the Executive Summary and Chapter 5 of the regulatory impact analysis. --------------------------------------------------------------------------- \9\ See the OMB No. A-4, ``Regulatory Analysis,'' Accounting Statement in the Executive Summary in the regulatory impact analysis. This amount is the annual payment that, if invested each year at a 7 percent interest rate, would accrue to the cost of the rule after a 10-year period. --------------------------------------------------------------------------- Alternatives As alternatives to the preferred regulatory regime presented in the final rule, TSA examined four other options. For most regulatory alternatives, TSA considered categorizing repair stations into three risk tiers based on a station's location with respect to an airport and the size of aircraft on which a repair station performs work. Tier 1, in general, would include all repair stations located on or adjacent to a part 1542 regulated airport (or commensurate foreign airport) and those repair stations located on or adjacent to a GA airport (or commensurate foreign airport) that conduct maintenance, preventive maintenance, or alterations on aircraft or articles for aircraft with a MTOW of more than 12,500 pounds. In Alternative 1 TSA would notify only Tier 1 repair stations to adopt and implement a security program. Tier 2, in general, would include repair stations located off- airport that conducts maintenance, preventive maintenance, or alterations on articles for aircraft with a MTOW of more than 12,500 pounds. Tier 3, in general, would include all remaining repair stations. Under Alternative 2, TSA would notify both Tier 1 and Tier 2 repair stations to adopt and implement a security program, since these repair stations work on aircraft or articles for aircraft with a MTOW of more than 12,500 lbs. Tier 2 repair stations would incur most of the requirements in the security program with which Tier 1 repair stations must comply; however, Tier 2 would not be required to comply with certain of the security program requirements. The third and fourth alternatives require Security Threat Assessments (STAs) for different subsets of repair station employees. Alternative 2A includes an STA requirement for employees of on-airport repair stations located within the United States in addition to the other security requirements and associated costs of the final rule. Alternative 2B includes STAs for employees of both Tier 1 and Tier 2 repair stations located within the United States as defined in Alternative 2, in addition to the security requirements and associated costs of Alternative 2. TSA would not require STAs for employees of repair stations located outside the United States. This decision was based upon a consideration of privacy laws in foreign countries and TSA's determination that ICAO standards already address employee background checks. TSA rejects Alternative 1 and opted to remove any security program requirements for all repair stations and only require repair stations on or adjacent to an airport that have access to runways and operational aircraft to implement security measures. TSA rejects the regulatory regimes in Alternatives 2 and Alternative 2B because repair stations in Tier 2 in these alternatives do not have access to operational aircraft and runways. TSA is unable to identify credible attack scenarios that could originate at off- airport repair stations. Alternative 2A, while offering a regulatory framework that covers on-airport repair stations with access to runways and operational aircraft, was rejected by TSA in favor of the final rule because TSA does not believe that the STA requirement provides enough risk reduction to justify the additional costs. Since TSA is unable to perform STAs on employees at repair stations located outside the United States, all the risk reduction yielded by this requirement would be in domestic aviation. Therefore, Alternative 2A provides lower marginal risk reduction per dollar of cost than the final rule. Further, the additional costs of the STA requirement would put an undue burden on repair stations located in the United States and disadvantage them against foreign competitors. For these reasons, TSA decided to withhold the STA requirement from the final rule. While TSA has retained the requirement to verify employee background information in this final rule, it has reduced the application of that requirement to those individuals who are designated as the TSA point of contact and those who have access to the keys or other means used to prevent the unauthorized operation of large aircraft capable of flight that are left unattended. TSA has clarified that it will accept employment history checks or background checks conducted on individuals who have obtained a FAA airman certificate or a SIDA badge. The following table presents the 10-year costs of the alternatives compared to the costs of the final rule. The alternatives costs are discussed in detail in Chapter 3 of the regulatory impact analysis accompanying the final rule. [[Page 2138]] Table 6--Comparison of Alternatives to the Proposed Final Rule Costs [$ millions] ---------------------------------------------------------------------------------------------------------------- Discounted, 3 Discounted, 7 10-Year total costs by alternative Undiscounted percent percent ---------------------------------------------------------------------------------------------------------------- Final Rule (preferred).................................... $23.2 $19.8 $16.3 Alternative 1 (Tier 1 only)............................... 240.6 207.1 172.6 Alternative 2 (Tier 1 and Tier 2)......................... 350.6 301.6 251.3 Alternative 2A (STAs--on-airport only).................... 261.5 225.3 188.1 Alternative 2B (STAs--Tier 1 and Tier 2).................. 381.0 328.2 273.9 ---------------------------------------------------------------------------------------------------------------- 3. Regulatory Flexibility Act Assessment The Regulatory Flexibility Act (RFA) of 1980 establishes ``as a principle of regulatory issuance that agencies shall endeavor, consistent with the objective of the rule and of applicable statutes, to fit regulatory and informational requirements to the scale of the business, organizations, and governmental jurisdictions subject to regulation.'' To achieve that principle, the RFA requires agencies to solicit and consider flexible regulatory proposals and to explain the rationale for their actions. Sections 603(a) and 604(a) of the Regulatory Flexibility Act require that, when an agency issues an interim final rule or promulgates a final rule ``after being required to publish a general notice of proposed rulemaking,'' the agency must consider the economic impact of the rule on small entities. The term ``small entities'' comprises small businesses, not-for-profit organizations that are independently owned and operated and are not dominant in their fields, and governmental jurisdictions with populations of less than 50,000. A Final Regulatory Flexibility Analysis discussing the impact of this final rule on small entities is available in the docket. Based on available data, we estimate that about 44 percent of entities directly regulated by the final rule requirements are small under the Regulatory Flexibility Act and the SBA size standards (compared to the 96 percent of entities affected by the NPRM provisions). This is due to the changes in the applicability and security requirements (detailed explanation of applicability changes on section I. Background, of this final rule). In this final rule TSA allows flexibility in which security measures repair stations may select in order to prevent commandeering of an aircraft. In addition, this flexibility allows repair stations to choose cost-effective security measures thus mitigating concerns regarding cost burdens for small repair stations. As long as the security requirements are met, the repair station may implement the measures that best suit its business model and physical layout. TSA estimates that approximately 85 percent of small repair stations will incur compliance costs that represent less than represent 1 percent of annual revenues and approximately 97 percent of small repair stations will incur compliance costs that represent less than 2 percent of annual revenues. 4. International Trade Impact Assessment The Trade Agreement Act of 1979 prohibits Federal agencies from establishing any standards or engaging in any related activities that create unnecessary obstacles to the foreign commerce of the United States. Legitimate domestic objectives, such as security, are not considered unnecessary obstacles. The statute also requires consideration of international standards and, where appropriate, that they be the basis for U.S. standards. This final rule does not implicate Executive Order 13609 because neither the economic impact of the final rule nor that imposed on repair stations located outside the United States is ``significant'' as defined in EO 12866. Further, TSA is imposing the same security requirements on repair stations located outside the United States as it is imposing on those located within the United States and is subjecting those repair stations located outside the United States to the same standard inspection practices as are already in place for other foreign entities regulated by TSA. TSA considered the economic role of repair stations located outside the United States, as well as U.S. obligations under numerous treaties. Although some public comments suggested that TSA should focus only on repair stations located outside the United States, treaty obligations and the statutory language made it clear that the regulations could not target only those repair stations. The final rule simply requires entities located outside the United States to comply with the same regulatory requirements applied to repair stations located within the United States and does not create non-tariff barriers to international trade. Because the requirements for repair stations located outside the United States will be the same as those imposed on repair stations located within the United States, TSA does not anticipate trade retaliation or unnecessary obstacles to foreign trade. Any differences that may occur can be attributed to the legitimate domestic objective of security, which under the Trade Agreement Act of 1979 is not considered an unnecessary obstacle. 5. Unfunded Mandates Assessment The Unfunded Mandates Reform Act of 1995 (UMRA), Public Law 104-4, is intended, among other things, to curb the practice of imposing unfunded Federal mandates on State, local, and tribal governments. Title II of the UMRA establishes requirements for Federal Agencies to assess the effects of their regulatory actions on State, local, and tribal governments and the private sector. Under section 202 of the UMRA, TSA generally must prepare a written statement, including a cost- benefit analysis, for proposed and final rules with ``Federal mandates'' that may result in expenditures by State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million (adjusted for inflation) or more in any one year. TSA has determined that this rule does not impose a Federal mandate that may exceed $100 million in expenditures of State, local, or tribal governments in the aggregate, nor does the final rule impose a $100 million mandate on the private sector. Therefore, the final rule does not contain such a mandate and the requirements of Title II do not apply. C. Paperwork Reduction Act The Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq.) requires that TSA consider the impact of paperwork and other information collection burdens imposed on the public and, under the provisions of PRA section 3507(d), obtain approval from the Office of Management and Budget (OMB) for each collection of information it conducts, sponsors, or [[Page 2139]] requires through regulations. This rule contains the following new information collection requirements. Accordingly, TSA submitted a copy of these sections to OMB for its review. OMB approved the collection of this information and assigned OMB Control Number 1652-0060. The regulations apply to repair stations certificated by the FAA under 14 CFR part 145, except repair stations located on a U.S. or foreign government military base. All such repair stations must allow TSA and other authorized DHS officials to enter, conduct inspections, and view and copy records as needed to carry out TSA's security-related statutory and regulatory responsibilities. All such repair stations must comply with Security Directives if issued by TSA which could include requirements to maintain records or provide information to TSA. The security measures in this rule cover repair stations that are on or adjacent to certain airports. TSA will consider a repair station to be ``on airport'' if it is on an air operations area or security identification display area of an airport covered by an airport security program under 49 CFR part 1542 in the United States, or on the security restricted area of any commensurate airport outside the United States regulated by a government entity. TSA will consider a repair station to be adjacent to an airport if there is an access point between the repair station and the airport of sufficient size to allow the movement of large aircraft between the repair station and the area described as ``on airport.'' \10\ The repair stations, as described above, are required to designate a point of contact(s) to carry out specified responsibilities; and verify background information of those individuals who are designated as the TSA point(s) of contact and those who have access to any keys or other means used to prevent the unauthorized operation of large aircraft capable of flight that are left unattended. --------------------------------------------------------------------------- \10\ Large aircraft are defined as aircraft with a maximum certificated take-off weight of more than 12,500 pounds. --------------------------------------------------------------------------- The regulations also describe the process whereby TSA will notify the repair station and the FAA of a security deficiency identified by TSA and provide an opportunity for the repair station to obtain review of a determination by TSA to suspend its operating certification. The regulations specify that when TSA determines a repair station poses an immediate risk to security, TSA will notify the repair station and the FAA that the certificate must be revoked. The regulations also provide the process for the repair station to obtain review of such a determination. In order to comply with the regulations, repair stations outside of the United States, will be responsible for maintaining updated employment history records to demonstrate compliance with this final rule. These records must be made available to TSA upon request. Repair stations located within the United States will be able to use security threat assessments that have been obtained for other reasons to comply with this rule. TSA is required to conduct a security review and audit of the repair stations located outside the United States See 49 U.S.C. 44924(a). TSA will conduct a paper audit of all 707 repair stations that are located outside the United States. The paper audit will consist of a letter describing the rule and the repair station will be required to respond to four questions to verify whether the repair station is required to implement security measures. Based upon subject matter expert (SME) best estimates, the paper audit is expected to take one hour for a repair station employee, assumed to be the point of contact, to complete. Seventy-eight repair stations located outside the United States meet the definition of on or adjacent to an airport and will undergo an annual desk audit in which the repair station will be asked to describe how it is complying with the rule. Each desk audit is estimated to require one hour for the repair station to read the letter sent by TSA and respond. The likely respondents to this information collection are the owners and/or operators of repair stations certificated by the FAA under 14 CFR part 145, which is estimated to number approximately 1,158 unique respondents over the next three years (451 repair stations located within the United States and 707 repair stations located outside the United States). The average yearly burden for recordkeeping is estimated to be 2 hours for repair stations located outside the United States. The average yearly burden for suspension and revocation appeals is estimated to be 10 hours for repair stations located within the United States and 100 hours for repair stations located outside the United States. The average yearly burden for paper audits is estimated to be 236 hours for repair stations located outside the United States. The average yearly burden for desk audits is estimated to be 80 hours for repair stations located outside the United States. Therefore, the total average annual time burden estimate is approximately 428 hours. The following table shows the information collections and corresponding hour burdens for entities falling under the requirements of the final rule. Table 7--Collection and Hour Burdens for Entities Within and Outside the United States -------------------------------------------------------------------------------------------------------------------------------------------------------- Number of responses Average ------------------------------------------------ 3-Year time annual Collection Time per response burden time Year 1 Year 2 Year 3 burden -------------------------------------------------------------------------------------------------------------------------------------------------------- Recordkeeping Continuous as needed ------------------------------------------------------------------------------------------------------------ On-Airport RS outside the United States 0.025 hours.................... 227 5 5 6.0 2.0 ------------------------------------------------------------------------------------------------------------ Suspension/Revocation Appeals As needed ------------------------------------------------------------------------------------------------------------ On-Airport RS within the United States. 10 hours....................... 1 1 1 30 10 On-Airport RS outside the United States 12 hours....................... 8 8 9 300 100 ------------------------------------------------------------------------------------------------------------ Paper Audits One-Time ------------------------------------------------------------------------------------------------------------ On-Airport RS outside the United States 1 hour......................... 707 0 0 707 236 ------------------------------------------------------------------------------------------------------------ [[Page 2140]] Desk Audits Annual ------------------------------------------------------------------------------------------------------------ On-Airport RS outside the United States 1 hour......................... 78 80 82 240 80 --------------------------------------------------------------------------- Total Burden (responses)........... ............................... .............. .............. .............. 1,212 404 --------------------------------------------------------------------------- Total Burden (hours)............... ............................... .............. .............. .............. 1,283 428 -------------------------------------------------------------------------------------------------------------------------------------------------------- While comments were received on the issues discussed above in Section II, there were no comments received on the information collection burden estimates contained in the NPRM. As protection provided by the PRA, as amended, an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number. D. Executive Order 13132 on Federalism TSA has analyzed this final rule under the principles and criteria of E.O. 13132 on Federalism. We determined that this action will not have a substantial direct effect on the States, or the relationship between the National Government and the States, or on the distribution of power and responsibilities among the various levels of government, and, therefore, does not have federalism implications. E. Environmental Analysis TSA has reviewed this action under DHS Management Directive 5100.1, Environmental Planning Program (effective April 19, 2006), which guides TSA compliance with the National Environmental Policy Act of 1969 (NEPA) (42 U.S.C. 4321-4347). TSA has determined that this proposal is covered by the following categorical exclusions (CATEX) listed in the DHS directive: Number A3(a) (administrative and regulatory activities involving the promulgation of rules and the development of policies); paragraph A4 (information gathering and data analysis); paragraph A7(d) (conducting audits, surveys, and data collection of a minimally intrusive nature, to include vulnerability, risk, and structural integrity assessments of infrastructures); paragraph B3 (proposed activities and operations to be conducted in existing structures that are compatible with ongoing functions); paragraph B11 (routine monitoring and surveillance activities that support homeland security, such as patrols, investigations, and intelligence gathering), and H1 (approval or disapproval of security plans required under legislative mandates where such plans do not have a significant effect on the environment). In addition, TSA has determined that this proposal meets the three conditions required for a CATEX to apply, as described in paragraph 3.2, (Conditions and Extraordinary Circumstances). F. Energy Impact Analysis The energy impact of the action has been assessed in accordance with the Energy Policy and Conservation Act (EPCA), Public Law 94-163, as amended (42 U.S.C. 6362). We have determined that this rulemaking is not a major regulatory action under the provisions of the EPCA. List of Subjects in 49 CFR Part 1554 Aircraft, Aviation safety, Repair stations, Reporting and recordkeeping requirements, Security measures. The Amendments In consideration of the foregoing, the Transportation Security Administration amends Chapter XII of Title 49, Code of Federal Regulations, by adding a new part 1554 to subchapter C to read as follows: PART 1554--AIRCRAFT REPAIR STATION SECURITY Subpart A--General Sec. 1554.1 Scope. 1554.3 TSA inspection authority. Subpart B--Security Measures 1554.101 Security Measures. 1554.103 Security Directives. Subpart C--Compliance and Enforcement 1554.201 Notification of security deficiencies; suspension of certificate and review process. 1554.203 Immediate risk to security; revocation of certificate and review process. 1554.205 Nondisclosure of certain information. Authority: 49 U.S.C. 114, 40113, 44903, 44924. Subpart A--General Sec. 1554.1 Scope. (a) This part applies to repair stations that are certificated by the Federal Aviation Administration (FAA) pursuant to 14 CFR part 145, except for a part 145 certificated repair station located on a U.S. or foreign government military installation. (b) In addition to the terms in 49 CFR 1500.3 and 1540.5, for purposes of this part, ``large aircraft'' means any aircraft with a maximum certificated takeoff weight of more than 12,500 pounds and ``attended'' aircraft means an aircraft to which access is limited to authorized individuals and property. Sec. 1554.3 TSA inspection authority. (a) General. Each repair station must allow TSA and other authorized DHS officials, at any time and in a reasonable manner, without advance notice, to enter, conduct any audits, assessments, or inspections of any property, facilities, equipment, and operations; and to view, inspect, and copy records as necessary to carry out TSA's security-related statutory or regulatory authorities, including its authority to-- (1) Assess threats to transportation security; (2) Enforce security-related regulations, directives, and requirements; (3) Inspect, assess, and audit security facilities, equipment, and systems (4) Ensure the adequacy of security measures; (5) Verify the implementation of security measures; (6) Review security plans; and (7) Carry out such other duties, and exercise such other powers, relating to transportation security as the TSA Administrator considers appropriate, to the extent authorized by law. (b) Evidence of compliance. At the request of TSA, each repair station must provide evidence of compliance with this part, including copies of records required by this part. [[Page 2141]] (1) All records required under this part must be provided in English upon TSA's request. (2) All responses and submissions provided to TSA or its designee, pursuant to this part, must be in English, unless otherwise requested by TSA. (c) Access to repair station. (1) TSA and DHS officials working with TSA may enter, and be present within any area without access media or identification media issued or approved by the repair station in order to inspect, assess, or perform any other such duties as TSA may direct. (2) Repair stations may request TSA inspectors and DHS officials working with TSA to present their credentials for examination, but the credentials may not be photocopied or otherwise reproduced. Subpart B--Security Measures Sec. 1554.101 Security Measures. (a) Applicability of this section. This section applies to part 145 certificated repair stations located-- (1) On airport. On an air operations area or security identification display area of an airport covered by an airport security program under 49 CFR part 1542 in the United States, or on the security restricted area of any commensurate airport outside the United States regulated by a government entity; or (2) Adjacent to an airport. Adjacent to an area of the airport described in paragraph (a)(1) of this section if there is an access point between the repair station and the airport of sufficient size to allow the movement of large aircraft between the repair station and the area described in paragraph (a)(1) of this section. (b) Security Measures. Each repair station described in paragraph (a) of this section must carry out the following measures: (1) Provide TSA with the name and means of contact on a 24-hour basis of a person or persons designated by the repair station with responsibility for-- (i) Compliance with the regulations in this part; (ii) Serving as the primary point(s) of contact for security- related activities and communications with TSA; (iii) Maintaining a record of all employees responsible for controlling keys or other means used to control access to aircraft described in paragraph (b)(2) of this section; and (iv) Maintaining all records necessary to comply with paragraph (b)(3) of this section. (2) When not attended, prevent the unauthorized operation of all large aircraft capable of flight, by using one or more of the means listed in paragraphs (b)(2)(i) through (iv) of this section. In these examples, a key, if used, must only be available to an individual authorized by the repair station who has successfully undergone a check as described in paragraph (b)(3) of this section. (i) Block the path of the aircraft such that it cannot be moved, and control the vehicle key if a vehicle is used to block the path. (ii) Park the aircraft in a locked hangar and control the key to the hangar. (iii) Move stairs away from the aircraft and shut and, if feasible, lock all cabin and/or cargo doors, and control the key. (iv) Other means approved in writing by TSA. (3) Verify background information of those individuals who are designated as the TSA point(s) of contact and those who have access to any keys or other means used to prevent the operation of large aircraft described in paragraph (b)(2) of this section by one or more of the following means: (i) Verify an employee's employment history. The repair station obtains the employee's employment history for the most recent five year period or the time period since the employee's 18th birthday, whichever period is shorter. The repair station verifies the employee's employment history for the most recent 5-year period via telephone, email, or in writing. If the information is verified telephonically, the repair station must record the date of the communication and with whom the information was verified. If there is a gap in employment of six months or longer, without a satisfactory explanation of the gap, employment history is not verified. The repair station must retain employment history verification records for at least 180 days after the individual's employment ends. The repair station must maintain these records electronically or in hardcopy, and provide them to TSA upon request. (ii) Confirm an employee holds an airman certificate issued by the Federal Aviation Administration. (iii) Confirm an employee of a repair station located within the United States has obtained a security threat assessment or comparable security threat assessment pursuant to part 1540, subpart C of this chapter, such as by holding a SIDA identification media issued by an airport operator that holds a complete program under 49 CFR part 1542. (iv) Confirm an employee of a repair station located outside the United States has successfully completed a security threat assessment commensurate to a security threat assessment described in part 1540, subpart C of this chapter. (v) Other means approved in writing by TSA. Sec. 1554.103 Security Directives. (a) General. When TSA determines that additional security measures are necessary to respond to a threat assessment or to a specific threat against civil aviation, TSA issues a Security Directive setting forth mandatory measures. (b) Compliance. Each repair station must comply with each Security Directive TSA issues to the repair station within the time prescribed. Each repair station that receives a Security Directive must-- (1) Acknowledge receipt of the Security Directive as directed by TSA; (2) Specify the method by which security measures have been or will be implemented to meet the effective date; and (3) Notify TSA to obtain approval of alternative measures if the repair station is unable to implement the measures in the Security Directive. (c) Availability. Each repair station that receives a Security Directive and each person who receives information from a Security Directive must-- (1) Restrict the availability of the Security Directive and the information contained in the document to persons who have an operational need to know; and (2) Refuse to release the Security Directive or the information contained in the document to persons other than those who have an operational need to know without the prior written consent of TSA. (d) Comments. Each repair station that receives a Security Directive may comment on the Security Directive by submitting data, views, or arguments in writing to TSA. TSA may amend the Security Directive based on comments received. Submission of a comment does not delay the effective date of the Security Directive. Subpart C--Compliance and Enforcement Sec. 1554.201 Notification of security deficiencies; suspension of certificate and review process. (a) General. A repair station may be subject to suspension of its FAA certificate, if security deficiencies are identified and are not corrected. (b) Notice of security deficiencies. TSA provides written notification to a repair station and to the FAA of any security deficiency identified by TSA. (c) Response. A repair station must provide TSA with a written explanation [[Page 2142]] in English of all efforts, methods, and procedures used to correct the security deficiencies identified by TSA within 45 calendar days of receipt of the written notification described in paragraph (b) of this section. (d) Suspension of certificate. If the repair station does not correct security deficiencies within 90 calendar days of the repair station's receipt of the written notice of security deficiencies, or if TSA determines that the security deficiencies have not been addressed sufficiently to comply with this section, the TSA designated official will provide written notification to the repair station and to the FAA that the repair station's certificate must be suspended. The notification will include an explanation of the basis for the suspension. The suspension remains in effect until TSA determines that the security deficiencies have been corrected. (e) Petition for reconsideration. The repair station may petition TSA to reconsider its determination under paragraph (d) of this section by serving a petition for reconsideration no later than 20 calendar days after the repair station receives the notification. The repair station must serve the petition on the TSA designated official. Submission of a petition for reconsideration will not automatically stay the suspension. The repair station may request TSA to notify the FAA to stay the suspension pending review of and decision on the petition. The petition must be in writing, in English, signed by the repair station operator or owner, and include-- (1) A statement that reconsideration is requested; and (2) A response to the suspension, including any information TSA should consider in reviewing the suspension. (f) Review by the TSA designated official. The TSA designated official will consider all relevant material and information and will act on the petition no later than 15 calendar days after TSA receives the petition. The TSA designated official will either notify the repair station and the FAA that the suspension be withdrawn or affirm the suspension. The decision of the TSA designated official constitutes a final agency order subject to judicial review in accordance with 49 U.S.C. 46110. (g) Service of documents. Service may be accomplished by personal delivery, certified mail, or express courier. Documents served on a repair station will be served at its official place of business. Documents served on TSA must be served at the address contained in the written notice of suspension. (1) A certificate of service may be attached to a document tendered for filing. A certificate of service must consist of a statement, dated and signed by the person filing the document, that the document was personally delivered, served by certified mail on a specific date, or served by express courier on a specific date. (2) The date of service is-- (i) The date of personal delivery; (ii) If served by certified mail, the mailing date shown on the certificate of service, the date shown on the postmark if there is no certificate of service, or other mailing date shown by other evidence if there is no certificate of service or postmark; or (iii) If served by express courier, the service date shown on the certificate of service, or by other evidence if there is no certificate of service. (h) Extension of time. TSA may grant an extension of time to the limits set forth in this section for good cause shown. A repair station must request an extension of time in writing, and TSA must receive it at least two days before the due date in order to be considered. TSA may grant itself an extension of time for good cause. Sec. 1554.203 Immediate risk to security; revocation of certificate and review process. (a) Notice. The TSA designated official will determine whether any repair station poses an immediate risk to security. If such a determination is made, TSA will provide written notification of its determination to the repair station and to the FAA that the certificate must be revoked. The notification will include an explanation of the basis for the revocation. TSA does not include classified information or other information described in Sec. 1554.205. (b) Petition for reconsideration. The repair station may petition TSA to reconsider its determination by serving a petition for reconsideration no later than 20 calendar days after the repair station receives the notification. The repair station must serve the petition on the TSA designated official. Submission of a petition for reconsideration will not automatically stay the revocation. The repair station may request TSA to notify FAA to stay the revocation pending review of and decision on the petition. The petition must be in writing, in English, signed by the repair station operator or owner, and include-- (1) A statement that a review is requested; and (2) A response to the determination of immediate risk to security, including any information TSA should consider in reviewing the basis for the determination. (c) Review by the Administrator. The TSA designated official transmits the petition together with all relevant information to the Administrator for reconsideration. The Administrator will act on the petition within 15 calendar days of receipt by either directing the TSA designated official to notify FAA and the repair station that the determination is rescinded and the certificate may be reinstated or by affirming the determination. The decision by the Administrator constitutes a final agency order subject to judicial review in accordance with 49 U.S.C. 46110. (d) Service of documents. Service may be accomplished by personal delivery, certified mail, or express courier. Documents served on a repair station will be served at its official place of business. Documents served on TSA must be served at the address contained in the written notice of revocation. (1) A certificate of service may be attached to a document tendered for filing. A certificate of service must consist of a statement, dated and signed by the person filing the document, that the document was personally delivered, served by certified mail on a specific date, or served by express courier on a specific date. (2) The date of service is-- (i) The date of personal delivery; (ii) If served by certified mail, the mailing date shown on the certificate of service, the date shown on the postmark if there is no certificate of service, or other mailing date shown by other evidence if there is no certificate of service or postmark; or (iii) If served by express courier, the service date shown on the certificate of service, or by other evidence if there is no certificate of service. (e) Extension of time. TSA may grant an extension of time to the limits set forth in this section for good cause shown. A repair station must request an extension of time in writing, and TSA must receive it at least two days before the due date in order to be considered. TSA may grant itself an extension of time for good cause. Sec. 1554.205 Nondisclosure of certain information. In connection with the procedures under this subpart, TSA does not disclose classified information, as defined in Executive Order 12968, section 1.1(d), or any successor order, and TSA reserves the right not to disclose any other information or material not warranting disclosure or protected from disclosure under law or regulation. [[Page 2143]] Dated: January 7, 2014. John S. Pistole, Administrator. [FR Doc. 2014-00415 Filed 1-10-14; 8:45 am] BILLING CODE 9110-05-P
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.