Aircraft Repair Station Security
The Transportation Security Administration (TSA) is issuing regulations to improve the security of domestic and foreign aircraft repair stations as required by the Vision 100—Century of Aviation Reauthorization Act. The regulations codify the scope of TSA's existing inspection authority and require repair stations certificated by the Federal Aviation Administration (FAA) under 14 CFR part 145 to allow TSA and Department of Homeland Security (DHS) officials to enter, conduct inspections, and view and copy records as needed to carry out TSA's security-related statutory and regulatory responsibilities. The regulations also require these repair stations to comply with security directives when issued by TSA. The regulations also require certain repair stations to implement a limited number of security measures. The regulations establish procedures for TSA to notify repair stations of any deficiencies with their security measures and to determine whether a particular repair station presents an immediate risk to security. The regulations include a process whereby a repair station may seek review of a determination by TSA that the station has not adequately addressed security deficiencies or that the repair station poses an immediate risk to security.
7 actions from February 24th, 2004 to July 2013
February 24th, 2004
- Notice--Public Meeting; Request for Comments
August 24th, 2004
- Report to Congress
November 18th, 2009
January 19th, 2010
- NPRM Comment Period End
December 29th, 2009
- NPRM Comment Period Extended
February 19th, 2010
- NPRM Extended Comment Period End
- Final Rule
Table of Contents Back to Top
- FOR FURTHER INFORMATION CONTACT:
- SUPPLEMENTARY INFORMATION:
- Availability of Rulemaking Document
- Small Entity Inquiries
- Abbreviations and Terms Used in This Document
- Table of Contents
- I. Background
- A. Summary of the Rule
- B. Purpose of the Rule
- C. Costs and Benefits
- D. Changes From the NPRM
- 1. Part 1520
- 2. Scope and Purpose
- 3. Terms
- 4. Security Program Adoption and Implementation
- 5. Profile Information
- 6. Security Directives
- 7. Compliance and Enforcement
- II. Public Comments on the NPRM and TSA Responses
- A. Summary
- B. Need for Security Regulations
- C. Relationship to FAA Regulations
- D. “One Size Fits All” Approach to Security
- E. Relationship to Foreign Laws and Standards
- F. Application of the Final Rule to Domestic Repair Stations
- G. Exemptions for Certain Types of Repair Stations
- H. Protection of Sensitive Security Information (SSI)
- I. Scope of the Final Rule
- J. Terms Used in the Final Rule
- K. TSA Inspection Authority
- L. Security Program Adoption and Implementation
- M. Security Directives (SDs)
- N. Suspension and Revocation of Certificates
- O. Nondisclosure of Certain Information
- P. Other Comments on the Rulemaking
- Q. Implementation Issues
- R. Comments From the Small Business Administration
- S. Comments on the Regulatory Impact Assessment
- III. Rulemaking Analyses and Notices
- A. International Compatibility
- B. Economic Impact Analyses
- 1. Regulatory Impact Analysis Summary
- 2. Executive Orders 12866 and 13563 Assessments
- Changes in Cost Estimates From Notice of Proposed Rulemaking
- 3. Regulatory Flexibility Act Assessment
- 4. International Trade Impact Assessment
- 5. Unfunded Mandates Assessment
- C. Paperwork Reduction Act
- D. Executive Order 13132 on Federalism
- E. Environmental Analysis
- F. Energy Impact Analysis
- List of Subjects in 49 CFR Part 1554
- The Amendments
- PART 1554—AIRCRAFT REPAIR STATION SECURITY
- Subpart A—General
- Subpart B—Security Measures
- Subpart C—Compliance and Enforcement
- Subpart A—General
- Subpart B—Security Measures
- Subpart C—Compliance and Enforcement
Tables Back to Top
- Table 1—Total Cost of the Aircraft Repair Station Security Final Rule
- Table 2—Changes in Costs From the NPRM to the Final Rule
- Table 3—Changes in Costs Incurred by Repair Stations Located Within the United States
- Table 4—Changes in Costs Incurred by Repair Stations Located Outside the United States
- Table 5—Changes to TSA Costs
- Table 6—Comparison of Alternatives to the Proposed Final Rule Costs
- Table 7—Collection and Hour Burdens for Entities Within and Outside the United States
DATES: Back to Top
Effective February 27, 2014.
FOR FURTHER INFORMATION CONTACT: Back to Top
Shawn Gallagher, Office of Security Operations, TSA-29, Transportation Security Administration, 601 South 12th Street, Arlington, VA 20598-6029; telephone (571) 227-3378; facsimile (571) 603-4344; email ARS@tsa.dhs.gov.
SUPPLEMENTARY INFORMATION: Back to Top
Availability of Rulemaking Document Back to Top
You can get an electronic copy using the Internet by—
(1) Searching the electronic Federal Docket Management System (FDMS) Web page at http://www.regulations.gov;
(2) Accessing the Government Printing Office's Web page at http://www.gpo.gov/fdsys/browse/collection.action?collectionCode=FR to view the daily published Federal Register edition; or accessing the “Search the Federal Register by Citation” in the “Related Resources” column on the left, if you need to do a Simple or Advanced search for information, such as a type of document that crosses multiple agencies or dates; or
(3) Visiting TSA's Security Regulations Web page at http://www.tsa.gov and accessing the link for “Research Center” at the top of the page.
In addition, copies are available by writing or calling the individual in the FOR FURTHER INFORMATION CONTACT section. Make sure to identify the docket number of this rulemaking.
Small Entity Inquiries Back to Top
The Small Business Regulatory Enforcement Fairness Act (SBREFA) of 1996 requires TSA to comply with small entity requests for information and advice about compliance with statutes and regulations within TSA's jurisdiction. Any small entity that has a question regarding this document may contact the person listed in FOR FURTHER INFORMATION CONTACT. Persons can obtain further information regarding SBREFA on the U.S. Small Business Administration's (SBA) Web page at http://www.sba.gov/advo/laws/law_lib.html.
Abbreviations and Terms Used in This Document Back to Top
AOAAir Operations Area
CFRCode of Federal Regulations
DHSDepartment of Homeland Security
EPCAEnergy Policy and Conservation Act
FAAFederal Aviation Administration
FR Federal Register
FRFAFinal Regulatory Flexibility Analysis
ICAOInternational Civil Aviation Organization
IRFAInitial Regulatory Flexibility Analysis
MTOWMaximum Certificated Take-off Weight
NAICSNorth American Industry Classification System
NEPANational Environmental Policy Act of 1969
NPRMNotice of Proposed Rulemaking
NTSBNational Transportation Safety Board
OMBOffice of Management and Budget
PRAPaperwork Reduction Act of 1995
RFARegulatory Flexibility Act of 1980
SBAUnited States Small Business Administration
SBREFASmall Business Regulatory Enforcement Fairness Act of 1996
SIDASecurity Identification Display Area
SSISensitive Security Information
TSATransportation Security Administration
U.S.United States of America
U.S.C.United States Code
Table of Contents Back to Top
A. Summary of the Rule
B. Purpose of the Rule
C. Costs and Benefits
D. Changes From the NPRM
II. Public Comments on the NPRM and TSA Responses
B. Need for Security Regulations
C. Relationship to FAA Regulations
D. “One Size Fits All” Approach to Security
E. Relationship to Foreign Laws and Standards
F. Application to Domestic Repair Stations
G. Exemptions for Certain Types of Repair Stations
H. Protection of Sensitive Security Information
I. Scope of the Final Rule
J. Terms Used in the Final Rule
K. TSA Inspection Authority
L. Security Program Adoption and Implementation
M. Security Directives
N. Suspension and Revocation of Certificates
O. Nondisclosure of Certain Information
P. Other Comments on the Rulemaking
Q. Implementation Issues
R. Comments From the Small Business Administration
S. Comments on the Regulatory Impact Assessment
III. Rulemaking Analyses and Notices
A. International Compatibility
B. Economic Impact Analyses
1. Regulatory Impact Analysis Summary
2. Executive Orders 12866 and 13563 Assessments
3. Regulatory Flexibility Act Assessment
4. International Trade Impact Assessment
5. Unfunded Mandates Reform Act Assessment
C. Paperwork Reduction Act
D. Executive Order 13132, Federalism
E. Environmental Analysis
F. Energy Impact Analysis
I. Background Back to Top
A. Summary of the Rule
TSA is issuing regulations to improve security at repair stations located within and outside the United States as required by Vision 100-Century of Aviation Reauthorization Act, Public Law 108-176 (117 Stat. 2489, December 12, 2003), codified at 49 U.S.C. 44924 (Vision 100).  The statutory requirements of Vision 100 are discussed in the preamble of the Notice of Proposed Rulemaking (NPRM) published in the Federal Register on November 18, 2009. See 74 FR 59874, 59875. There are approximately a total of 4,067 repair stations located in the United States and 707 located outside the United States certificated by FAA under part 145 as of August 2013.  The final rule contains the following requirements:
- Application. The regulations apply to repair stations certificated by the FAA under 14 CFR part 145, except repair stations located on a U.S. or foreign government military base. All repair stations are subject to inspection as provided in the rule and to Security Directives should there be a security need. However, the rule text requires only certain repair stations, discussed below, to carry out security measures on a regular basis.
- TSA Inspection Authority. Repair stations must allow TSA and other authorized DHS officials to enter, conduct inspections, and view and copy records as needed to carry out TSA's security-related statutory and regulatory responsibilities. For repair stations not required to carry out security measures on a regular basis (i.e., those repair stations not located on or adjacent to an airport, as further defined below), TSA does not intend to inspect such facilities, except (1) for compliance with security directives issued by TSA and with airport security programs required by TSA (for those repair stations that are included in an airport security program), and (2) to respond to security information provided to TSA by U.S. or foreign government entities.
- Implementation of Security Measures. The security measures in this rule cover repair stations that are on or adjacent to certain airports. TSA will consider a repair station to be “on airport” if it is on an air operations area (AOA) or security identification display area (SIDA) of an airport covered by an airport security program under 49 CFR part 1542 in the United States, or on the security restricted area any commensurate airport outside the United States regulated by a government entity. TSA will consider a repair station to be adjacent to an airport if there is an access point between the repair station and the airport of sufficient size to allow the movement of large aircraft between the repair station and the area described as “on airport.” 
- Security Measures. Certain repair stations, as described above, are required to (1) designate a point of contact(s) to carry out specified responsibilities; (2) prevent the unauthorized operation of large aircraft capable of flight that are left unattended; and (3) verify background information of those individuals who are designated as the TSA point(s) of contact and those who have access to any keys or other means used to prevent the unauthorized operation of large aircraft capable of flight that are left unattended. See section 1554.101.
- Security Directives. Repair stations are required to comply with Security Directives (SDs) issued by TSA. See section 1554.103.
- Notification of Deficiencies; Suspension of Certificate and Review Process. The regulations describe the process whereby TSA will notify the repair station and the FAA of a security deficiency identified by TSA and provide an opportunity for the repair station to obtain review of a determination by TSA to suspend its operating certification.
- Immediate Risk to Security; Revocation of Certificate and Review Process. The regulations specify that when TSA determines a repair station poses an immediate risk to security, TSA will notify the repair station and the FAA that the certificate must be revoked. The regulations also provide the process for the repair station to obtain review of such a determination.
B. Purpose of the Rule
While the FAA has implemented extensive safety requirements for repair stations located within and outside the United States, supplementing those safety provisions with the security requirements contained in the final rule will further reduce the likelihood that terrorists would be able to use large aircraft as a weapon. As terrorist organizations continue to target civil aviation, TSA believes it is important for aircraft repair stations that are located on or adjacent to an airport to have specific security measures in place to prevent terrorists from commandeering large aircraft that are capable of flight and are not attended. Enhancement of security at repair stations that have access to runways will mitigate the potential threat that a large aircraft could be used as a weapon.
In developing this rule, TSA consulted with the FAA and built upon the certification and safety requirements FAA has instituted requiring repair stations to establish and maintain a quality control system. See 14 CFR 145.211. While these quality control measures provide a significant layer of protection and oversight of articles and aircraft under repair, this final rule supplements those measures by requiring repair stations that are located on or adjacent to an airport, as defined in the final rule, to implement security measures to prevent the unauthorized operation of large aircraft capable of flight left unattended.
C. Costs and Benefits
In accordance with Executive Orders (E.O.) 12866 and 13563, TSA includes in this preamble a summary of the costs and benefits associated with the Aircraft Repair Station Security final rule. The table below summarizes the costs and benefits of the final rule to U.S. and foreign entities. A detailed estimate of these costs and benefits can be found in the regulatory impact analysis accompanying this final rule; the regulatory impact analysis is available in the docket.
|Primary estimate||Low estimate||High estimate||Year dollar||Discount rate (percent)||Period covered|
|Annualized Monetized ($millions/year)||None||None||None||NA||7||NA||Not Quantified.|
|Annualized Quantified||None||None||None||NA||7||NA||Not Quantified.|
|Qualitative||This final rule satisfies the Congressional mandate in Vision 100 for TSA to promulgate regulations to better ensure the security of aircraft repair stations. The security measures required by this final rule will better secure the aircraft on repair stations located on or adjacent to an airport and working on aircraft with a MTOW of more than 12,500 lbs. and mitigate the risk of a terrorist attack originating at these aircraft repair stations|
|Annualized Monetized ($/year)||$2,314,614||N/A||N/A||2012||7||10 Years||None.|
|Annualized Quantified||None||None||None||2012||7||10 Years||None.|
|Federal Annualized Monetized ($year)||None||None||None||NA||7||NA||None.|
|Other Annualized Monetized ($year)||None||None||None||NA||7||NA||None.|
|State, Local, and/or Tribal Government||None||None||None||N/A||NA||NA||None.|
|Small Business||Prepared FRFA||NA||NA||NA||None.|
D. Changes From the NPRM
TSA adopts as final the proposed rule with changes based primarily on the public comments received. This section summarizes the regulatory text changes that TSA has made to the NPRM in this final rule. A detailed description of the responses to the public comments is included in Section II.
1. Part 1520
TSA eliminated the amendments to part 1520 of its rules because it has eliminated the proposed requirement to adopt and implement a security program.
2. Scope and Purpose
TSA modified the language in § 1554.1 to eliminate the reference to “U.S. government” and inserted “a U.S. or foreign government military installation” in its place to respond to questions raised in some comments. This change will eliminate from the scope of the final rule FAA part 145-certificated repair stations located on a military base, whether within or outside the United States. The change clarifies TSA's intention not to exclude from the scope of the final rule those repair stations that are subject to government regulation.
Commenting parties noted that TSA used different terms than the FAA to describe repair stations and repair work and found that the different terms were confusing. TSA eliminated the terms section to avoid confusion. TSA also eliminated the terms “foreign repair station” and “domestic repair station” from the final rule and uses the terms “repair station located within the United States” and “repair station located outside the United States” to be consistent with FAA part 145 regulations.
4. Security Program Adoption and Implementation
In response to commenters who requested exemptions from the proposed requirement to adopt and carry out a security program, TSA has eliminated the requirement to adopt and implement a security program. As will be explained below, TSA will only require certain repair stations located on or adjacent to an airport to adopt and carry out security measures to prevent the unauthorized operation of large aircraft capable of flight that are left unattended. TSA has conducted a security risk assessment and determined that other repair stations represent a minimal risk to aviation security. TSA has eliminated all security measures regarding preventing access to repair stations. This change will reduce the regulatory requirements and the costs of implementation. While TSA has retained the requirement to verify employee background information, it has reduced the application of that requirement to those individuals who are designated as the TSA point of contact and those who have access to the keys or other means used to prevent the unauthorized operation of large aircraft capable of flight that are left unattended. TSA has clarified that it will accept employment history checks or background checks conducted on individuals who have obtained a FAA airman certificate or a SIDA badge. All proposed regulations regarding the content, format and availability of a security program have been eliminated in the final rule.
5. Profile Information
TSA has eliminated the requirement proposed in § 1554.101(b) for repair stations to submit profile information to TSA. TSA will use information available from the FAA.
6. Security Directives
TSA has added language to permit repair stations to comment upon a security directive issued by TSA. This language is consistent with the regulatory language used for airport operators and aircraft operators under 49 CFR 1542.303(e) and 1544.305(e).
7. Compliance and Enforcement
In response to comments, TSA has clarified the process in part 1554, subpart C, which a repair station may use to seek review of a TSA determination that a certificate must be suspended or revoked.
II. Public Comments on the NPRM and TSA Responses Back to Top
TSA received 177 public submissions. Sixty-seven submissions were from repair station owner/operators. Other commenters included private individuals, industry associations, labor unions, foreign governments, airport owner/operators, domestic and foreign aircraft operators, State agencies, and the Small Business Administration (SBA). The discussion below groups the comments by the primary issues raised in the public submissions.
B. Need for Security Regulations
Comments: Thirty-three commenters said the proposed rule is unnecessary because repair stations already have adequate security or are already sufficiently regulated. Ten of these commenters cited procedures and controls already in place to safeguard security, such as quality controls, employee background checks, access controls, and general safety procedures already approved by the FAA. Seven commenters said the proposed regulations added a duplicate layer of security already provided by other TSA requirements described in current TSA security programs or SDs. A few commenters said that TSA should not regulate repair stations if they are part of an airline that already has an air carrier security program.
TSA response: Vision 100 requires TSA to issue regulations “to ensure the security of foreign and domestic repair stations.” 49 U.S.C. 44924(f). TSA believes that the security regulations described in the final rule will reduce the likelihood that a terrorist could commandeer a large aircraft capable of flight and use it as a weapon.
The final rule supplements the safety requirements imposed by the FAA, but does not duplicate FAA regulations. TSA disagrees with those comments that claim the final rule will duplicate other TSA security requirements. TSA does not currently regulate aircraft repair stations and the requirements referenced by the commenters do not apply to aircraft repair stations. TSA has eliminated the proposed requirement to adopt and implement a security program, thus there will not be duplication with airport security programs.
Air carrier-owned and -operated maintenance repair and overhaul facilities conducting maintenance under the authority of a certificate issued under 14 CFR parts 121 or 135 are not subject to the requirements of this rule, since the statute and this rule specifically requires regulation of repair stations certificated under part 145 of the FAA regulations.
Comments: Several commenters asked TSA to consider a repair station to be in full compliance with the rule if it is already incorporated within an airport's security program and uses the airport's access control measures.
TSA Response: TSA is aware that some repair stations may be incorporated within an existing airport security program and has eliminated the proposed requirement that repair stations adopt and implement a security program to avoid unnecessary duplication.
Comments: Eight commenters stated that repair stations in general do not pose a risk to security, especially compared to other facilities or operations in the aviation system. Ten commenters claimed that TSA did not conduct any type of risk analysis that quantified the security risks at repair stations or the benefits of the proposed rule. An association said TSA had correctly used a risk-based approach to determine the security measures that repair stations would be required to carry out under the proposed rule and concluded that this approach is the most effective way to advance repair station security.
TSA Response: TSA agrees that the security risks posed by repair stations vary and that the most effective way to advance repair station security is to use a risk-based approach to address security matters. In developing this rule, TSA conducted a security risk analysis, including visits to repair stations located within the United States and outside the United States, interviews with industry and FAA experts, and a review of intelligence concerning a repair station's susceptibility to a terrorist attack.
The NPRM described the site visits TSA made to repair stations between June 2005 and May 2008. See 74 FR 59877. Since that time, TSA has visited 47 repair stations located outside the United States and 928 repair station facilities within the United States to observe and discuss repair station security practices. The site visits provided valuable insight into the different types of facilities certificated by the FAA, the different types of repair work performed at those facilities, and the different security measures that are deployed.
In addition, TSA considered whether certain factors could increase the security risks of a repair station. The risk factors TSA considered were: (1) The size and type of aircraft to which employees had access; (2) the type of repair work permitted by the FAA certificate; (3) whether the repair station was located on an airport and the type of airport; and (4) the number of employees at the repair station.
Comments: An industry association stated that aircraft operators that use repair stations should not be responsible for ensuring that repair stations comply with the regulation.
TSA Response: TSA agrees that aircraft operators that use repair stations will not be responsible for ensuring that the FAA part 145-certificated repair stations comply with the final rule.
C. Relationship to FAA Regulations
Comments: Some commenters asked the FAA and TSA to coordinate their efforts to avoid placing any unnecessary burdens on repair station owners or operators. For example, one commenter pointed out that TSA could obtain repair station profile information from the FAA. Several commenters expressed concern regarding TSA's authority to request the FAA to suspend or revoke the operating certificate of a repair station. A few of these commenters said that because the FAA issues the repair station certificate and is the Federal agency responsible for the oversight and regulation of repair stations, the FAA should be the one Federal entity that is able to suspend or revoke the certificate. Other commenters questioned whether TSA, the FAA, or the National Transportation Safety Board (NTSB) has jurisdiction over the appeals process for certificate suspensions and revocations. Eight commenters said the rule would compromise aircraft safety. Three of these commenters claimed the FAA would lose oversight of repair stations and would no longer conduct mandatory inspections and surveillance. One commenter said the cost of the rule would cause repair facilities to divert operating funds away from aircraft safety. Two commenters noted the possibility that repair station operators would turn in their repair station rating and would instead operate using mechanics holding Airframe & Powerplant certification, resulting in a decrease in safety.
TSA response: TSA has coordinated its efforts with the FAA throughout the rulemaking process and the final rule does not duplicate FAA's authority to regulate repair station safety matters or interfere in any way with the FAA certification process. In response to the comments requesting that TSA reduce the burden on repair stations by using FAA profile information, TSA eliminated the requirement for repair stations to provide profile information from the final rule. TSA will obtain the profile information from the FAA.
The final rule is consistent with the statutory provisions regarding the processes for suspension and revocation of a repair station certificate. Under 49 U.S.C. 44924(c), TSA must notify the FAA Administrator when a repair station poses an immediate security risk or is found to have security deficiencies. The statute requires the FAA Administrator to act upon the TSA determination to suspend or revoke a repair station's certificate. Since the suspension or revocation is based on a determination that involves security, neither the FAA nor the NTSB has jurisdiction over the appeals process. The final rule includes a process whereby repair stations may request review of a TSA determination that the repair station certificate must be suspended or revoked. The procedure is consistent with the procedure now in place for TSA to withdraw approval of the security program of an airport operator, aircraft operator, foreign air carrier, indirect air carrier, or certified cargo screening facility, as provided in 49 CFR part 1540, subpart D.
TSA disagrees with the comments that claim the rule would compromise aircraft safety, and that FAA would lose oversight of repair stations. FAA authority over repair station safety is not affected by this rule and repair stations must continue to comply with FAA safety regulations. This rule will supplement existing FAA safety requirements with security measures to ensure that unattended, large aircraft capable of flight cannot be commandeered. The costs of the rule are summarized in Section III.C below and described in detail in the regulatory impact analysis accompanying this final rule. As explained therein, TSA has minimized the cost burden of compliance, particularly to small businesses, by using a risk-based approach and eliminating the requirement for repair stations to implement a security program. In addition, if a repair station operator turned in the repair station rating and instead used mechanics holding Airframe & Powerplant certifications, the repair station operator would not be permitted to perform maintenance on passenger aircraft unless hired by an aircraft operator, in which case the maintenance work would be subject to the safety requirements of parts 121 or 135 of the FAA rules.
D. “One Size Fits All” Approach to Security
Comments: Twenty-seven commenters indicated the proposed rule did not adequately accommodate or account for the diversity of repair stations to which it would apply. A commenter noted that TSA recognized that a “one size fits all approach” would not appropriately address the diversity in repair station characteristics. Other commenters asked TSA for more information on how the security program would accommodate the different levels of risk posed by different types of repair stations.
TSA response: TSA recognizes that just as aircraft repair stations vary widely in size, type of repairs, and numbers of employees, existing security measures also vary widely. As stated in the NPRM, TSA agrees that a “one size fits all” approach will not adequately address the diversity of certificated repair stations. As will be discussed below in Section G, repair stations that are not on or adjacent to an airport as defined in the final rule, are not required to implement security measures.
E. Relationship to Foreign Laws and Standards
Comments: Several commenters, including representatives of foreign governments, addressed the relationship of the proposed rule to other countries' security laws and standards. Commenters said TSA should recognize the equivalency of the security requirements of other countries and the European Union (EU). They also questioned the legal basis for application of the final rule without consultation and agreement as laid out in international and bilateral aviation agreements such as the EU-U.S. Air Transport Agreement. Other commenters noted the potential conflict of the proposed rule's requirements with national or EU laws or regulations in areas such as unannounced inspections and background checks of repair station employees.
TSA response: TSA acknowledges the concerns of foreign governments regarding TSA authority to apply security requirements to part 145-certificated repair stations located outside the United States. TSA is aware of and has complied with its obligations under the EU-U.S. Air Transport Agreement, as well as other bilateral and multilateral instruments. TSA has discussed and will continue to discuss current and proposed security requirements with its international partners in order to enhance the compatibility of security regulations and standards, including the possibility of developing protocols for reciprocity and mutual recognition of repair station security regulations. TSA will address any specific conflicts between the final rule and any national or EU laws or regulations that may arise.
TSA has established procedures for conducting inspections outside the United States through its Foreign Airport and Foreign Air Carrier Assessment Programs and intends to use those same procedures when conducting inspections of FAA-certificated repair stations located outside the United States. These established procedures require coordination with the U.S. Department of State and the appropriate foreign government authorities.
With regard to background checks, TSA will require repair stations that are on or adjacent to an airport, as defined in this rule, to verify background information of those individuals who are designated as the TSA point(s) of contact and those who have access to any keys or other means used to prevent the operation of large aircraft. The repair station may either verify the individual's employment history, confirm that the individual holds a FAA airman certificate, or (for a repair station located in the United States) confirm that the individual has obtained a security threat assessment, such as by holding a SIDA badge. TSA will not require any other specific type of background check since the laws regarding the ability to conduct certain background checks vary widely. However, repair stations may conduct other background checks consistent with applicable laws.
Comments: Two commenters were concerned the proposed rule did not cover FAA-certificated repair stations in Canada. One of these commenters said Canadian facilities could pose the same security risks as FAA part 145 certificated facilities and contended that they should be subject to the regulation.
TSA Response: TSA is aware that the final rule will not cover repair stations located in Canada and agrees that these repair stations could pose the same security risk as other repair stations. Canadian repair stations are covered under part 43 of the FAA regulations and operate under a bilateral agreement between the FAA and the Transport Canada Civil Aviation Authority. Since they are not certificated under Part 145 of the FAA regulations, they are not within the scope of this rule.
Comments: One commenter said some foreign repair stations are already under regulatory oversight by established government authorities and should be exempt from the rule.
TSA Response: A repair station that is regulated by a governmental authority is not exempt from the final rule. While a repair station may be regulated by a government agency for safety or other purposes, as is the case with the FAA, TSA cannot be assured that such regulation would encompass the security requirements in the final rule.
F. Application of the Final Rule to Domestic Repair Stations
Comments: Eight commenters said Congress omitted the word “domestic” from the statute and concluded that TSA does not have authority to impose regulations on domestic repair stations. One repair station owner/operator acknowledged that 49 U.S.C. 44924(f) requires TSA to issue regulations to ensure the security of both domestic and foreign repair stations. However, the commenter noted the remainder of the statute refers only to foreign repair stations and concluded that Vision 100 does not give TSA authority to suspend the certificates of domestic repair stations. Several commenters stated that the rule should apply only to foreign repair stations, that domestic repair stations pose a lower security threat than foreign repair stations, and that TSA is overstepping its authority to regulate both domestic and foreign repair stations.
TSA response: TSA disagrees with the comments that claim the regulation should apply only to repair stations located outside the United States, that repair stations located within the United States necessarily pose a lower security threat than those located outside the United States, and that TSA is overstepping its authority to regulate aircraft repair stations. TSA is required to issue regulations to “ensure the security of foreign and domestic aircraft repair stations.” See 49 U.S.C. 44924(f). Therefore, the final rule applies to repair stations that are certificated by the FAA under part 145 of its regulations. By including all FAA part 145-certificated repair stations in the scope of the rule, TSA will be able to verify that repair stations certificated by the U.S. government are in compliance with the final rule. TSA will not suspend a repair station certificate. The statute provides that the FAA must suspend a certificate upon notification by TSA until such time as TSA determines the repair station maintains and carries out effective security measures. See 49 U.S.C. 44924(c).
While the final rule is consistent with the statutory language, TSA has ample statutory authority to address all domestic transportation security matters. For example, 49 U.S.C. 114(f) gives TSA the authority to: Assess threats to transportation; develop policies, strategies, and plans for dealing with threats to transportation security; enforce security-related regulations and requirements; inspect, maintain, and test security facilities, equipment, and systems; and work in conjunction with the Administrator of the FAA with respect to any actions or activities that may affect aviation safety or air carrier operations. Section 611 of Vision 100 discusses the need to “strengthen oversight of domestic and foreign repair stations” and to “ensure that foreign repair stations that are certified by the Administrator under part 145 of title 14, Code of Federal Regulations, are subject to an equivalent level of safety, oversight, and quality control as those located in the United States.”  Exempting repair stations within the United States from the enforcement provisions of the final rule would not permit TSA to effectively oversee the security of repair stations located within the United States or ensure that repair stations located outside the United States are subject to an equivalent level of safety, oversight, or quality control.
Regulating only repair stations outside the United States would not help TSA meet the statutory objective to ensure the security of foreign and domestic aircraft repair stations. In fact, the majority of FAA part 145-certificated repair stations are located in the United States and U.S. aircraft continue to be a prime target of terrorist threats. Exempting U.S. repair stations from the final rule would create a significant gap in TSA's efforts to secure U.S. aircraft and the traveling public. Repair stations located in the United States present an immediate opportunity for terrorists to attempt to harm U.S. aviation interests. For that reason, and consistent with statutory language, the final rule applies to FAA part 145-certificated repair stations.
G. Exemptions for Certain Types of Repair Stations
Many commenters requested TSA to exempt particular types of repair stations from the rule. Nineteen commenters stated that off-airport repair stations do not pose a security threat and contended the final rule should apply only to repair stations located on airport grounds. Another commenter agreed off-airport repair stations are less desirable targets than on-airport repair stations because they do not have access to operational aircraft. However, one commenter observed there are off-airport repair stations that repair complete aircraft.
A number of commenters requested additional types of repair stations be exempted from the regulation, including: Stations with a small number of employees, stations servicing hot-air balloons, and stations servicing aircraft with a MTOW below 12,500 pounds. In contrast, a labor union urged TSA not to exempt any repair stations from the rule.
Eighteen commenters stated repair stations servicing aircraft with a MTOW below 12,500 pounds should be exempt from the rule. Several other commenters said any weight threshold used for this rule should be consistent with the threshold adopted in the General Aviation Security final rule. A few others suggested weight thresholds ranging as high as 100,000 pounds.
Eleven commenters requested TSA to exempt repair stations that work only on aircraft components and do not have access to complete aircraft. Commenters stated these repair stations do not pose a security threat because existing FAA rules require testing of the airworthiness of the repaired components prior to installation.
TSA response: TSA agrees with commenters that repair stations located on or adjacent to an airport could pose a higher security risk than other repair stations. As the commenters point out and as discussed in the NPRM, TSA found that repair station employees at off-airport locations had little, if any, access to operational aircraft or runways and are not the last individuals with access to aircraft prior to the reintroduction of the aircraft into service. TSA concluded that it may be more difficult for potential terrorists to attempt to attack aviation interests from an off-airport repair station location.
TSA also agrees with commenters that it would be difficult for a terrorist to damage an aircraft at a repair station that is rated to repair only aircraft component parts. FAA safety regulations require inspection of the repair work and the component part prior to installation in an aircraft and before the aircraft is determined to be airworthy. TSA agrees with the commenters who believe that it is less likely that a terrorist would attempt to target an aircraft by attempting to sabotage or tamper with a component part at an off-airport location.
In addition, TSA agrees with those commenters that repair stations that do not work on large aircraft pose less of a security risk. TSA has long recognized that aircraft with a MTOW of more than 12,500 pounds may be a greater security risk because the aircraft are of sufficient size and weight to inflict significant damage and loss of lives. See Security Programs for Aircraft 12,500 Pounds or More, 67 FR 8295 (Feb. 22, 2002). Smaller aircraft may be a less attractive target for terrorists.
TSA believes that it must maintain its authority to conduct security inspections to ensure that repair stations do not pose a risk to transportation security and to make clear that repair stations must comply with security directives issued by TSA to respond to a specific threat. However, TSA has determined that only higher risk repair stations will be required to adopt security measures. Repair stations considered to be higher risk include those located on or adjacent to an airport. TSA will consider a repair station to be “on airport” if it is located on an AOA or SIDA of an airport covered by an airport security program under 49 CFR part 1542 in the United States, or on the security restricted area of any commensurate airport outside the United States regulated by a government entity. TSA will consider a repair station to be adjacent to an airport if there is an access point between the repair station and the airport of sufficient size to allow the movement of large aircraft between the repair station and the area described as “on airport.” These repair stations present the highest risk to security due to their proximity to an airport and a runway and the presence of operational aircraft of a size and weight that could inflict significant damage and loss of lives. These repair stations must implement security measures described in the final rule. TSA has retained the current definition of large aircraft used in its regulations, and will change that definition throughout the regulations should another definition be adopted in the General Aviation Security rulemaking proceeding.
Other repair stations, in general, represent a minimal risk to aviation security because they are not located on or adjacent to an airport and do not have access to aircraft of sufficient size and weight to inflict significant damage or loss of lives. All FAA part 145 certificated repair stations are subject to other requirements in the rule, such as submission to TSA inspection and compliance with security directives.
H. Protection of Sensitive Security Information (SSI)
Comments: Two repair station owners/operators and an industry association supported the proposed SSI regulations. Another repair station owner/operator said the proposed SSI requirements may be redundant, because some corporations already have controls for business purposes to protect information from public disclosure. Another commenter warned the SSI requirements could adversely affect corporate operations and the availability of an operator's procedural documentation to its employees. An airport owner/operator expressed concern that the proposed rule would impose SSI responsibilities on repair stations even if they pose a low security risk. A repair station owner/operator and an industry association suggested the SSI provisions should apply to repair station owners but not to operators. Three commenters, including the European Commission, expressed concern about the applicability of the SSI provisions to foreign nationals who own and operate aircraft repair stations. They also said the proposed SSI provisions might be incompatible with the data protection directives of other nations or the EU.
TSA response: TSA has eliminated the proposed requirement to adopt and implement a security program and has, therefore, eliminated the proposed changes to part 1520. TSA's SSI regulations already require security directives (SDs) to be treated as SSI. 49 CFR 1520.5. Part 1520 applies to entities that receive a TSA SD, including U.S. and foreign air carriers for their operations both within and outside the United States. While businesses may have procedures in place to protect certain types of information, they may not include specific SSI protections.
Repair stations will be responsible for developing procedures to safeguard against unauthorized disclosure of a SD. When an individual is not in physical possession of SSI, that individual must store the SSI in a secure container, such as a locked desk, office, or file cabinet. TSA disagrees with the comments that the SSI regulations could make it difficult to share security information with repair station employees. The SSI regulations permit disclosure to persons with a need to know. 49 CFR 1520.9.
TSA appreciates the concerns of the European Commission regarding the applicability of SSI requirements to foreign repair stations; however, TSA does not believe that this will cause difficulties with regard to EU legislation and data protection policies. TSA already applies SSI requirements to foreign air carriers operating under a TSA-accepted Model Security Program or who receive a TSA-issued emergency amendment. The EU has not objected to or raised concerns regarding conflicts with EU data protection laws and regulations in those instances. TSA will continue to discuss with the EU any specific conflicting regulatory requirements that may arise.
I. Scope of the Final Rule
Comments: A repair station owner/operator supported the scope of the rule as proposed. Another repair station owner/operator suggested the words “or excluded from this part by TSA” be added to account for situations in which a repair station is already incorporated within an airport's security program or in which the repair station does not constitute a security threat. An industry association suggested the addition of “or host government” after “U.S. Government” in recognition of the fact that many other governments already have standards that meet or exceed those in the proposed rule.
TSA response: TSA has modified the language in the final rule. The final rule does not apply to FAA part 145-certificated repair stations located on a U.S. or foreign government military installation. However, certificated repair stations that are regulated or under the oversight of a governmental entity are not exempt from the final rule. As explained previously, only higher risk repair stations will be required to implement security measures.
J. Terms Used in the Final Rule
Comments: Four commenters addressed the proposed definition of “repair station.” One industry association suggested narrowing the definition to include only repair stations that convey aircraft directly into commercial flight operations under parts 121 or 135 of the FAA's regulations. Another industry association suggested narrowing the definition to include only those repair stations authorized to perform maintenance or alteration of civil aviation aircraft located on a commercial airport. A third industry association objected to the proposed definition because it does not recognize mixed maintenance operations, in which a repair station is co-located at a larger facility that is not otherwise covered by TSA security requirements. A repair station owner/operator asked whether the scope and boundaries of a repair station for purposes of the TSA rule would differ from the scope and boundaries of the repair station for FAA purposes.
TSA response: In response to the comments, TSA has eliminated the terms to avoid confusion with FAA terminology.
TSA is aware of the existence of mixed-use facilities, for example those that combine maintenance and manufacturing stations. It will be the repair station operator's responsibility to delineate the parts of the station used for activities subject to this final rule and those that are not. If a repair station determines it is not possible to make such a delineation then the entire station would need to meet the requirements of this final rule.
K. TSA Inspection Authority
Comments: Several commenters suggested that TSA's authority to enter a repair station should be limited to normal business hours or after business hours with an escort upon reasonable notice, unless there is a known specific threat. These comments point out that, with prior notification, a repair station could make certain that the correct personnel are available to answer questions and provide documentation. Two labor unions supported unannounced inspections, saying repair stations must constantly ensure that they are complying with security requirements, and that advance notice would nullify the benefit of a security inspection. Four commenters supported the proposed language authorizing TSA to conduct unannounced inspections. However, they expressed concern that TSA indicated it would follow existing protocols for inspection of repair stations located outside the United States and provide advance notice to the facility being inspected and the host government. The commenters asserted that giving advance notice would nullify the benefit of the security inspection. Eight commenters, including a foreign government and the European Commission, said TSA could not legally inspect repair stations located outside the United States without prior notification and the approval of the authorities of the country in which the repair station is located.
TSA response: TSA will follow current agency practices regarding inspections of repair station facilities outside the United States. TSA will always coordinate any inspections with the host government prior to starting an inspection. With regard to repair stations within the United States, TSA acknowledges the concerns expressed regarding such government inspections. While TSA anticipates that in some cases it will notify these repair stations of scheduled inspections, this regulation allows TSA to conduct an inspection without advance notice at any time and in a reasonable manner. In those instances where notice is given, TSA will give the repair station the opportunity to gather evidence of compliance and to arrange to have the appropriate personnel available to assist TSA. However, TSA anticipates that unannounced inspections will be conducted in the United States, particularly if warranted by a security incident at a repair station. Some inspections can be effective only if they are unannounced in order to determine whether the regulated party is in compliance when it is unaware that TSA may be inspecting. Terrorists will seek to take advantage of vulnerabilities whenever they occur. TSA must have the ability to respond to information, operations, and specific circumstances whenever they develop and to assess the security of regulated entities at any time, including weekends or holidays.
Comments: Several commenters said the rule should clearly define the scope of TSA audits and should specify that the repair station property, facility, and records to be inspected are only those relevant to repair station security. In addition, a repair station owner/operator and an industry association stated that business records, corporate correspondence, and aircraft maintenance records should be off-limits without a search warrant. They said the proposed rule language was too broad and should be narrowed in the final rule.
TSA response: TSA disagrees that the inspection authority is overly broad and has not modified the language in the final rule. The statute authorizes TSA to “complete a security review and audit.” See 49 U.S.C. 44924(a). In addition, TSA has authority to “inspect, maintain, and test security facilities, equipment, and systems.” See 49 U.S.C. 114(f)(9). The regulatory text states specifically that the purpose of the inspection is to “carry out TSA's security-related or regulatory authorities.” Thus, TSA will seek access to records relevant only to security. The inspection authority section in new § 1554.5 includes audits, assessments, or inspections and is consistent with existing TSA rules, such as in § 1542.5 (airport operators) and § 1580.5 (railroad operators).
Also in connection with scope, TSA notes that consistent with its statutory authority (which currently allows inspections for security reasons irrespective of this final rule), inspections will be for compliance with this final rule's requirements and for security reasons only. For repair stations not subject to security measures under this rule (that is, those repair stations not located on or adjacent to an airport, as defined in this rule), TSA does not intend to inspect such facilities except as necessary to comply with the requirement in 49 U.S.C. 44924 to conduct a security audit of all part 145 certificated repair stations located outside the United States, to evaluate security risks as conditions warrant, and, in the event that TSA issues a security directive to such a repair station, for compliance with the security directive.
Comments: Some commenters said repair station security policy may require anyone inside the repair station to have an identification badge, and suggested that TSA and DHS officials comply with established security programs at the site. A few commenters asked how repair station personnel would know if TSA or DHS credentials are valid. One of them asked if repair station personnel could record the names and badge numbers of TSA and DHS inspectors.
TSA response: The final rule allows repair stations to request inspectors to present their credentials for examination. Repair stations may not photocopy or otherwise reproduce the credential to prevent unauthorized individuals from using fake credentials to access a repair station. Repair stations may issue access or identification media to inspectors for their use while conducting inspections of the facilities. However, they may not prevent an inspector from conducting an inspection because the inspector was not issued identification media by the repair station. TSA will assist repair stations to develop training to identify TSA and DHS credentials.
Comments: A repair station owner/operator observed that TSA and DHS officials would need an escort for their own safety. Several other commenters were concerned that untrained TSA personnel could damage aircraft parts during their inspections or cause a disruption of work.
TSA response: TSA appreciates that it must properly train its inspectors so that they avoid dangers to themselves, to employees, and other individuals at the repair station, and to property. TSA intends to use only properly trained and credentialed personnel to conduct inspections.
L. Security Program Adoption and Implementation
Comments: A repair station owner/operator supported the proposed requirement to submit a profile because it would prevent use of a “one size fits all” approach to repair station security. One commenter asked TSA to accept the company profile used for FAA repair station approvals. Another repair station owner/operator said that TSA should eliminate this requirement or provide more information on what would constitute an adequate profile. Several commenters said that the proposed rule provided no guidance on how repair stations would report changes in profile information or how they would know which changes were significant enough to require reporting.
TSA response: TSA concurs with the majority of comments regarding the submission of a profile and has not included the requirement in the final rule. TSA will use existing repair station profile information from the FAA.
Comments: Several commenters questioned how TSA could achieve its stated objective of appropriately addressing the diversity in repair station characteristics while requiring repair stations to use a standard security program, unless otherwise authorized by TSA. They expressed concern about having to adopt a “canned” or “cookie-cutter” security program. In contrast, two labor unions said that there needs to be a baseline security standard applied to all repair stations and that allowing for any variation presents an opportunity for disparities in security from station to station.
TSA response: TSA has eliminated the requirement to adopt and carry out a security program in the final rule.
Comments: Some commenters expressed the belief that a 30-day deadline for a repair station to submit a profile was insufficient, particularly for small entities, those located overseas, and large corporations with many subsidiaries or joint ventures. Three of them suggested that 90 days would be more realistic.
TSA response: TSA has eliminated the requirement for repair stations to submit a profile so there is no longer a 30-day deadline requirement.
Comments: Two repair station owners/operators objected to the fact that the proposed rule does not define specific minimum performance standards, and entities may be subject to inconsistent compliance expectations. Another commenter asked that the detail provided in the preamble regarding the security program be included in the regulatory language.
TSA response: TSA has eliminated the language in the NPRM regarding the security program requirements. The final rule describes security measures that repair stations on an airport or adjacent to an airport, as defined in the final rule, must adopt. In order to reduce the potential regulatory burden and implementation costs of the proposed rule, TSA has removed all security measures that restrict access to a repair station in the final rule. Instead, repair stations will be required to prevent unauthorized operation of large, unattended aircraft that are capable of flight. Large aircraft are defined as aircraft with a maximum certificated take-off weight of more than 12,500 pounds and attended aircraft means aircraft to which access is limited to authorized individuals and property.
The final rule explains that preventing unauthorized operation may be accomplished in several ways and a repair station may even develop its own measure so long as it obtains approval from TSA. The final rule states that a repair station may block the path of the aircraft so that it cannot be moved and control the key to a vehicle used for that purpose, park the aircraft in a locked hangar and control the key to the hangar, or move stairs away from the aircraft and shut and lock, if feasible, all cabin and cargo doors and control the key. Controlling the key, if used, is described as making sure that keys are only available to an authorized individual who has undergone an employment history check or a security threat assessment.
Comments: Ten commenters addressed the provision of the proposed rule requiring the security programs to include measures to identify all individuals authorized to enter the repair station. Three of the commenters said the actual language of the provision was not detailed enough to establish TSA's intent. A repair station owner/operator expressed support for TSA's statement in the NPRM that TSA will deem repair stations with established personnel identification media systems as compliant with the requirement. The commenter asked TSA to incorporate that language into the final rule. Three of the commenters also questioned TSA's intent with regard to compliance by small repair stations. They said small repair stations should be able to rely on simple identification measures such as personal recognition.
TSA Response: In response to the comments, TSA has eliminated this requirement in the final rule.
Comments: A repair station owner/operator said it is already in compliance with many elements of the proposed standard security program, including use of an employee identification system. Another repair station owner/operator said TSA should not require repair stations with established and existing escort policies and programs to replicate “redundant” government escort procedures, because it would cause confusion among employees and would impose excessive labor costs. With regard to the proposed training requirements, three commenters said existing International Civil Aviation Organization (ICAO) and EU requirements should be sufficient to meet the requirements, and a repair station owner/operator said security training already is part of its operations.
TSA response: TSA has eliminated these security requirements in the final rule. TSA acknowledges that many repair stations may already have existing measures that meet or exceed the requirements described in the final rule.
Comments: Twenty-one commenters expressed divergent views regarding the requirement for employee background checks. Three commenters supported the proposed rule and said it should be imposed on repair station employees to the same degree it is imposed on FAA-certificated mechanics. Five commenters said the requirement to check previous employment might not be possible under EU Directive 95/46/EC and national legislation. A repair station owner/operator said TSA failed to recognize the limits imposed by Federal and State labor laws, as well as union contracts. One industry association said other laws and FAA regulations already require confirmation of citizenship and other information related to employment history. Another industry association also stated this requirement would be redundant for airport-based facilities.
Seven commenters said the requirement was too vague and lacked details, such as screening criteria and adjudication procedures. One industry association said the phrase “any other means as appropriate to validate employee information” is unclear and said the final rule should have specific requirements such as the number of years or number of employers to include. Another industry association said it was unclear whether TSA intended employers to conduct a criminal history or a security threat assessment, but that neither should be required. Another commenter said the rule should include language that prevents operators from having to repeat background checks they have already conducted.
TSA response: TSA has retained the requirement to verify employee background information, but has limited the number of repair stations that must implement security measures and has reduced the number of individuals whose background information must be verified. TSA recognizes that many countries have different laws and regulations regarding this matter, and not all repair stations have a need or the ability to conduct certain types of background checks. The final rule requires that only the individual or individuals responsible for compliance with the final rule and recordkeeping, designated as TSA point(s) of contact, and authorized access to keys used to secure large aircraft must undergo a background check. The final rule does not mandate the number of individuals who must undergo a background check, but the number must be sufficient to ensure that a point of contact is available on a 24-hour-a-day basis and all large aircraft capable of flight are secured when not attended.
The final rule includes four examples of background checks that are acceptable and allows a repair station to use another means if approved by TSA.
(1) Verification of employment history for the most recent five year period or the time since the employee's 18th birthday, whichever is shorter. Verification may be accomplished via telephone, email, or in writing. If the verification is performed by telephone, the repair station must record the date and the name of person who verified the employment. If there is a gap in employment of six months or more that is not satisfactorily explained, employment history is not verified for purposes of this rule. Employment history verification records must be maintained for at least 180 days after the employment ends.
(2) Confirmation that the employee holds an airman certificate issued by the FAA is sufficient since TSA vets all such certificate holders.
(3) For a repair station located within the United States confirmation that an employee has successfully completed a security threat assessment pursuant to part 1540 of TSA's regulations, such as by holding a SIDA badge.
(4) For a repair station located outside the United States, confirmation that an employee has obtained a security threat assessment commensurate to a security threat assessment described in part 1540 of TSA's regulations.
TSA is aware that many repair stations already conduct security threat assessments or other background checks on their employees. If the background check is commensurate with the requirement of the final rule, TSA will not require duplicative or redundant measures.
Comment: A few commenters urged TSA to require drug and alcohol testing of personnel at foreign repair stations, just as the FAA requires such testing under its authority over domestic repair stations. The European Commission commented that such testing in EU member nations is a matter for the law enforcement services in those nations.
TSA response: As stated in the NPRM, drug and alcohol testing is a safety issue that is under the purview of the FAA and is not included as a requirement in the final rule.
Comments: A repair station owner/operator said the NPRM provided no training criteria or scope of incident management for the security coordinator. An industry association recommended TSA specify all training requirements in one place and requested that the expectations for the training of security coordinators be defined. One repair station owner/operator indicated that 24-hour contact would not be feasible for a small component repair station located outside of an airport. A second owner/operator said the requirement should be imposed at the airport level, not at the facility level. A third owner-operator suggested TSA allow repair stations to designate an alternate security coordinator.
TSA response: TSA has eliminated the requirement to train a security coordinator in the final rule. The repair station must designate one or more individuals, as necessary, to serve as TSA point(s) of contact and to be responsible for compliance with the final rule and recordkeeping. Training is not required to perform these responsibilities. TSA does not agree that an airport Security Coordinator would be sufficient to serve as the primary and immediate contact for repair station security-related activities and communications with TSA, unless TSA determines the repair station is incorporated within the airport security program and the airport is responsible for the security of the repair station itself.
Comments: A commenter stated that requiring a repair station to make its security program available for review by TSA is insufficient. The commenter said TSA should review and approve each security program. A repair station owner/operator asked to whom the security program must be accessible. One industry association asked if airport operators would be able to access and review a repair station's security program to verify that the airport operator is contacted for all security related issues or incidents.
The European Commission and a repair station owner/operator opposed the proposed English language requirement, noting that it would be burdensome for foreign repair stations. The European Commission pointed out that English is the official language of only three of the 27 EU member states and said the requirements for oral and written communications to be in English would be impossible to implement.
TSA response: The proposed requirement to adopt and implement a security program has been eliminated in the final rule.
With regard to the proposed English language requirements, while TSA has eliminated the security program requirement, it retains the requirement in the inspection provision to request documents in English. TSA notes that this requirement is consistent with FAA regulations, such as 14 CFR 145.219, which requires a certificated repair station to retain records of compliance in English.
M. Security Directives (SDs)
Comments: Several commenters objected to the requirement to comply with SDs and asserted TSA has used SDs to issue requirements without notice and the opportunity for public comment, thus circumventing the rulemaking process. Several industry associations expressed concern that TSA will require repair stations to comply with SDs that are not applicable to their circumstances.
A commenter suggested TSA allow electronic acknowledgement of receipt of an SD so that a record of compliance is maintained. Other commenters thought verbal acknowledgement would be impractical and burdensome to TSA and to repair stations, particularly small facilities. Two repair station owners/operators said TSA should specify the method of compliance in the SD. A repair station owner/operator requested TSA identify the process for obtaining approval for alternative measures of complying with an SD.
An industry association asserted that foreign repair stations are not under TSA jurisdiction, and a repair station owner/operator said the requirement to comply with SDs might be incompatible with foreign security requirements.
One commenter requested TSA avoid using common aviation-related abbreviations for TSA-related items. As an example, the commenter said Security Directives should be called “TSA Directives.”
TSA response: The term “Security Directive” is a standard term used throughout TSA's regulations to describe the regulatory document issued by TSA when TSA determines that additional security measures are necessary to respond to a threat assessment or to a specific threat against civil aviation. See 49 CFR 1542.303, 1544.305, 1548.19, and 1549.109. TSA declines to rename these documents. TSA intends to maintain its current practice and issue SDs to repair stations when necessary to respond to a threat assessment or a specific threat against aviation. TSA has added language to the final rule to clarify that repair stations may comment on SDs issued by TSA in § 1554.103(d). TSA may amend an SD based on those comments. TSA will include in an SD the procedures to acknowledge receipt, to implement the requirements, and to request alternative measures if a particular measure is incompatible with a security requirement imposed by a foreign government or cannot reasonably be implemented.
N. Suspension and Revocation of Certificates
Comments: A few commenters asserted the statutory provisions regarding the suspension and revocation of certificates apply only to repair stations located outside the United States and thus the final rule should not apply to repair stations within the United States. Commenters claimed the proposed rule includes procedures for appealing the revocation of certification, but not for appealing the suspension of certification. Some recommended following the FAA process in 14 CFR part 13. Several commenters said the rule should include the criteria TSA would use when initiating a suspension or reinstating a certification. Another industry association added TSA is as likely to err in its judgment, as the industry is likely to err in compliance. Several commenters also expressed concern about the consequences of suspension and the resulting economic burden, especially on small businesses. Several commenters objected to the appeal process because it did not provide for appeal of TSA's decision to an impartial third party. One repair station owner/operator stated the proposal violates the current rules of discovery and does not reflect current judicial process, and other commenters urged that final certification authority be left to the FAA or NTSB. Other commenters warned that even though the suspension and review may be temporary, either action would jeopardize a repair station's ability to remain viable and the rule should include specific timelines that TSA must meet.
Commenters expressed concern because the proposed rule provided no guidelines for TSA's determination of revocation and there are no effective checks on TSA's power to revoke. They also objected that under the proposed rule, a certificate remains revoked during the review process. One industry association requested TSA follow the procedures already in place for the revocation of an FAA airman certificate, including appeal to an administrative law judge and then to the NTSB. Another industry association observed that in some TSA actions against individual airmen, certificates were revoked while the documentation supporting TSA's actions were withheld. A repair station owner/operator requested harmonization with FAA's enforcement process, which includes voluntary self-disclosure, administrative corrections, processes to handle repeat offenders, and published guidelines for legal enforcement, including suspending or revoking domestic repair station certificates. An industry association expressed the belief that review of a revocation must be reconciled with existing FAA and TSA regulations. An anonymous commenter pointed out that the statute requires consulting with the Administrator to establish procedures to appeal a revocation of a certificate.
Nineteen commenters said that the proposed rule did not provide enough detail or left too much to interpretation by those who would enforce it. A few commenters expressed concern about a lack of key definitions such as “immediate risk to security” and procedural protections such as other tools to achieve compliance objectives, and time limits for review, which could lead to inconsistencies and certificate revocation without due process.
TSA response: TSA has clarified the regulatory language that provides for judicial review of a final agency order. TSA has also modified the language in the final rule to specify that repair stations have the opportunity to petition for reconsideration of a TSA determination that a repair station certificate must be suspended or revoked. The certificate enforcement actions in the final rule are consistent with TSA's procedures governing the withdrawal of approval of a security program. 49 CFR 1540.301. TSA agrees with commenters that the FAA has the authority to issue, suspend, or revoke certificates and the statute requires the FAA to suspend or revoke a certificate if notified by TSA to do so. 49 U.S.C. 44924(c). Since any certificate action initiated by TSA will involve compliance with TSA's security regulations, the basis for the certificate action must remain with TSA and not the FAA or the NTSB. Further, TSA has general authority to enforce security-related regulations and requirements. 49 U.S.C. 114(f)(7). TSA has consulted with the FAA in the development of the final rule.
TSA appreciates the concerns expressed regarding the impact of a suspension or revocation of a certificate on a repair station business. TSA intends to follow current enforcement practices and anticipates that most instances of non-compliance will not result in certificate action. When appropriate, TSA will use a progressive enforcement process whereby instances of non-compliance can be resolved with non-certificate action, including counseling, administrative actions, and civil penalties. See 49 CFR part 1503.
O. Nondisclosure of Certain Information
Comment: Two repair station owners/operators expressed concern that the proposed regulations would preclude them from obtaining information needed to appeal TSA determinations.
TSA response: TSA has retained the language from the NPRM in § 1554.205 in the final rule. In accordance with E.O. 12968, TSA does not disclose classified information. In accordance with 49 CFR 1520, TSA also does not disclose SSI to individuals without a “need to know.” However, consistent with current enforcement practice, TSA will provide the repair station with the information it collected and upon which the enforcement action is based.
P. Other Comments on the Rulemaking
Comment: One commenter suggested repair station operators be required to amend their FAA repair station manuals to make all personnel aware of TSA security concerns.
TSA response: The FAA repair station manual is outside the scope of this rulemaking and TSA authority. TSA, however, has shared this comment with FAA.
Comment: Several industry associations said that TSA should allow them and repair station owner/operators to review the standard security program prior to implementation of the rule.
TSA response: TSA held briefing sessions with industry representatives in the United States and overseas. During the sessions, TSA provided a draft security program template for review and received comments. TSA notes that the requirement to adopt and implement a security program has been eliminated in the final rule.
Comment: A commenter asserted that a substantial number of maintenance workers at repair stations are not certified and that some may not be legally working in the United States.
TSA response: TSA notes that all employees hired after November 1, 1986, must complete Form I-9, Employment Eligibility Verification, issued by U.S. Citizenship and Immigration Services of the Department of Homeland Security to document that they are authorized to work in the United States.
Comment: Ten commenters requested a more collaborative rulemaking process. Another commenter recommended consulting with four specific industry associations and other industry organizations during revision of the proposed rule. One industry association also suggested the creation of a Repair Station Sector Coordinating Council as a formal means of obtaining industry input for the rulemaking process. An association requested TSA to issue a Supplemental NPRM to make certain that the concerns raised in the public comments are addressed. Two commenters stated the lack of ability to review details of the Standard Security Program as part of the proposed regulations, specifically the associated information deemed by TSA to be SSI, render this rulemaking non-compliant with the requirements of the Administrative Procedure Act and applicable case law defining adequate rulemaking notice and opportunity to comment.
TSA response: The NPRM containing the proposed regulations was published in the Federal Register for public comment. 74 FR 59874 (Nov. 18, 2009). TSA has reviewed all of the comments it received during the public comment periods in 2004 and 2009, as well as those received during the public listening session conducted in 2004, and has adjusted the final rule to address the comments as necessary. TSA has met all requirements of the Administrative Procedure Act. As noted above, TSA met with the repair station industry to receive comment on the security program template format. TSA held briefing sessions with industry representatives in the United States and overseas. During the sessions, TSA provided a draft security program template for review and received comments, although it ultimately determined not to include the security program requirement in the final rule. TSA will continue to consult with its stakeholders and sees no need for a coordinating council at this time.
Q. Implementation Issues
Comments: Five commenters said TSA lacks the budget and staffing levels needed to implement the security programs and provide oversight of repair stations as detailed in the rule. Two commenters said TSA is understaffed and suggested this rulemaking would serve only to divert necessary resources from the agency's other security programs. Two other commenters requested TSA secure the necessary resources to make certain the proposed program is implemented efficiently and immediately.
Several commenters said TSA would likely need to hire new inspectors to implement the rule, and two commenters requested any new TSA inspectors be required to complete mandatory training to ensure all inspectors understand the safety measures and precautions that must be taken when performing security audits at repair stations.
TSA response: The costs to the government to enforce the final rule are included in the regulatory impact analysis. TSA is aware of the complexity of work performed at repair stations. TSA has developed the appropriate inspection guidance documents and relevant training for its inspectors.
Comments: Two commenters questioned the statutory requirement that TSA complete a security review and audit of all foreign repair stations certificated by the FAA no later than six months after the final rule is issued. Both said that the six-month period is too short. One requested that the period be extended to 12 months, while the other requested that the compliance period be extended to 18 months, the time specified in Vision 100. One commenter warned that if TSA does not extend the timeframe, the ability of new repair stations to be certified could be impeded, which would negatively affect the aircraft repair industry.
TSA response: In the Implementing Recommendations of the 9/11 Commission Act of 2007 (Pub. L. 110-53, 121 Stat. 266, Aug. 3, 2007), the original 18-month deadline for completing security audits of repair stations located outside the United States was reduced to six months. TSA is committed to meeting the statutory deadline. TSA has hired inspectors and developed a database that will serve as an inspection scheduling and tracking tool. TSA has also developed an implementation plan for inspecting repair stations located outside the United States.
Comment: An industry association suggested TSA collaborate with foreign authorities to help implement the proposed program in their respective countries. According to the association, this approach would allow TSA to use its resources more efficiently.
TSA response: TSA will continue to meet and work with its international partners to discuss implementation of the final rule.
Comments: Ten commenters said the proposed rule did not include a compliance date or adequate details on TSA's implementation plans, such as whether some repair stations would have to come into compliance before others. An aircraft manufacturer recommended adding a long-term compliance date for including measures to control access to a repair station because a business plan would need to be modified in order to accommodate increased capital expenses. The commenter also suggested providing a more flexible “phase-in period” for repair stations that recognizes current industry business models in order to enable repair stations to adequately and appropriately address any identified security lapses. The commenter further recommended adopting a compliance schedule similar to that of 14 CFR parts 1, 21, 43, and 45, which focus on addressing potential industry constraints with meeting new compliance requirements. One commenter recommended an 18-month period, to allow adequate time to prepare for necessary costs and ensure that repair stations have an adequate understanding of what is required of them. One industry association suggested using a compliance date of 180 days from the publication of the final rule.
TSA response: The final rule will be effective 45 days after the date of publication in the Federal Register. TSA will conduct appropriate outreach and communication to industry representatives and the aircraft repair station community to discuss specific implementation timeframes and issues. TSA notes that it has eliminated the requirement to adopt and carry out a security program in the final rule. In addition, TSA anticipates that many of these repair stations already have security measures in place that may meet or exceed the measures contained in the final rule.
Comment: One commenter requested more information on the fees charged for TSA repair station audits, noting that the initial audit will require an additional charge for repair stations if the FAA is conducting the audits.
TSA response: TSA is not charging a fee to conduct security audits or inspections.
Comment: One industry association suggested TSA establish a 24-hour point of contact to answer compliance-related questions.
TSA response: TSA has established a dedicated email address, ARS@tsa.dhs.gov, where repair stations can send questions. In addition, repair stations will be provided with the name and contact information for inspectors who will be available to respond to questions.
R. Comments From the Small Business Administration
Comment: The Small Business Administration Office of Advocacy (SBA) recommended that TSA limit the scope of the rule. SBA offered the following three alternatives to meet the objectives of Vision 100 while minimizing significant economic impacts on small repair stations: (1) Exempt all repair stations that are not located at a commercial airport or that do not have access to aircraft; (2) adopt a risk-based, tiered approach based on size of aircraft and access to aircraft; and (3) align the final rule with the threshold level TSA ultimately adopts in the proposed General Aviation Security rule.
TSA response: TSA has reduced the scope of the final rule and has eliminated the proposed requirement to adopt and implement a security program. TSA has analyzed the possible security risk associated with repair stations and agrees that those not located on or adjacent to an airport, as defined in the final rule pose a lower risk to transportation security. This risk-based approach will minimize the economic impact on small repair stations consistent with SBA's recommendation. The aircraft size threshold in this final rule is consistent with TSA's current regulatory threshold. TSA agrees that its regulations should be consistent and will evaluate all of its regulations to determine whether changes are needed to enhance consistent regulatory treatment once the General Aviation Security rule is final.
Comment: SBA recommended that TSA provide clear guidance to small business regarding the implementation of the security program.
TSA response: TSA has eliminated the requirement to implement a security program. TSA will work with all stakeholders to provide guidance on the final rule.
Comment: SBA was concerned that the costs of the regulation were understated, explaining that TSA either failed to estimate or underestimated costs of inspections, correcting security deficiencies, complying with security directives, implementing access control measures, implementing the security program, appealing suspension and revocation determinations, and implementing identification media systems. SBA recommended that TSA reassess its cost estimates.
TSA response: TSA has added estimates or updated its previous estimates in the regulatory impact analysis to reflect the requirements in the final rule. TSA notes that the requirement to implement a security program has been eliminated and the application of security measure requirements has been reduced significantly. The costs of complying with future SDs cannot be estimated. SDs are issued on a limited basis to respond to a specific threat. The measures required to respond to the threat and the frequency of such threats cannot be reasonably predicted. TSA does permit regulated entities to comment on a SD and propose alternate measures if the measures cannot be reasonably implemented.
Comment: SBA recommended that TSA address the concerns of small businesses regarding SSI and develop procedures to assist small businesses to control SSI.
TSA response: The requirements for the protection of SSI are described in part 1520 of TSA's regulations. TSA will provide assistance and will answer specific questions regarding the protection of SSI. The SSI regulations explain that SDs are SSI. Those repair stations that receive a SD will be required to safeguard it to prevent access by individuals who are not authorized to possess SSI. Repair station employees must have access to the SD to ensure that security measures are implemented. To protect SSI, TSA only requires that SSI be stored in a locked cabinet or desk drawer, or electronically as a password-protected file. Therefore, TSA believes that the costs of protecting SSI will be minimal and will only be incurred if the repair station receives a SD.
Comment: SBA recommended that TSA address concerns expressed by small businesses regarding the appeals process if TSA determines that a repair station certificate must be suspended or revoked. It also recommended that intermediate processes such as warnings, or requests for information be used since small businesses may go out of business if closed pending appeal of a suspension.
TSA response: Since TSA has eliminated the proposed requirement to adopt and carry out a security program; we do not expect that there will be many instances that would require suspension or revocation of a certificate. This expectation is based on the repair station visits TSA conducted that demonstrated the vast majority of repair stations already have reasonable and sufficient security measures in place. While some aspects of the appeals process are specified in the statute, TSA has clarified the regulatory language that provides for judicial review of a final agency order. TSA has also modified the language in the final rule to specify that repair stations have the opportunity to petition for reconsideration of a TSA determination that a certificate must be suspended or revoked. The final rule is consistent with TSA's current regulations regarding withdrawal of a security program. 49 CFR 1540.301. TSA agrees that intermediate processes will be used. This is consistent with TSA's current inspection protocols used to inspect airports and air carrier or aircraft operator operations. TSA anticipates that in most instances repair stations will be able to implement immediate measures to correct security deficiencies without the need for any formal enforcement mechanism. When necessary, TSA will use a progressive process whereby instances of non-compliance can be resolved with non-certificate action, including counseling, administrative action, and civil penalties. See 49 CFR part 1503.
Comment: SBA recommended that TSA consider how its proposed rule would affect non-typical and “hybrid” repair station facilities. For example, some repair stations are tenants in large facilities in which the landlord is not a regulated entity, some only occupy a workbench within a large building, and some work on the “air side” of an airport where pilots and other visitors frequently walk up to an open hangar to ask questions.
TSA response: TSA understands that there is a wide variety of certificated repair stations that differ in size, type of repairs, and number of employees. TSA has eliminated the proposed requirement to implement a security program and has reduced the number of repair stations that will be required to implement the security measures described in the final rule.
TSA is aware of the existence of “hybrid” or mixed-use facilities, for example, those that combine maintenance and manufacturing stations. It will be the part 145 certificated repair station's responsibility to delineate the parts of the station that are subject to the final rule and those that are not. If a repair station determines it is not possible to make such a delineation, the entire repair station must be in compliance with the final rule.
S. Comments on the Regulatory Impact Assessment
Comment: One association addressed the cost of complying with the proposed amendments to part 1520, which would designate repair station security programs as SSI and would include repair station owners and operators as entities subject to SSI requirements. The association said that it was not possible to estimate and comment on the cost of controlling SSI, because TSA had failed to indicate what it would consider an adequate and secure information management system.
TSA response: TSA has eliminated the requirement to carry out a security program and the proposed amendment to part 1520 to treat the security program as SSI. However, part 1520 requires that SDs be treated as SSI. If a repair station receives a SD, a system for securely managing and controlling SSI could be storing that information or material in a secure container (e.g., locked desk or filing cabinet) that prevents the unauthorized disclosure of this information or material. SSI materials may also be stored electronically as password-protected files. Considering these options are compliant with part 1520, TSA does not believe that there will be any additional cost burden on repair stations to control access to SDs.
Comment: Several commenters questioned the attack scenarios found in the economic analysis and stated that the probability of these attack scenarios actually occurring is remote. One stated that the basic premise of the scenarios is off because the break even analysis assumes that the majority of repair stations have access to airports and aircraft.
TSA Response: TSA has analyzed the security risks of the repair station population and has revised the implementation plan to only require repair stations located on or adjacent to an airport, as defined in the final rule, to adopt and implement security measures.
Comments: Seventeen commenters stated that TSA had significantly underestimated the cost of compliance. Two commenters stated that the costs estimated are too low and that TSA should redo the cost analysis and the Initial Regulatory Flexibility Analysis (IRFA). Commenters provided lists of items that they claim TSA failed to address adequately, including the costs of creating and implementing a security program, facility access control measures, personnel identification media systems, security coordinators, and security awareness training.
One repair station owner/operator said that the estimate that an off-airport repair station would require only four hours to complete and implement a security program seemed extraordinarily low, as did other estimates of average compliance costs in the NPRM. Another operator stated that rule familiarization had taken 10 hours. It estimated that writing a program would cost $12,000 and the actual implementation cost could exceed $80,000.
An industry association and a repair station owner/operator said that the analysis failed to consider the cost of fencing, guards, cameras, badges, and access control systems, which they said that small repair stations and general aviation airports may not already have. The industry association said that the cost to establish access control would not be feasible for a small repair station at a general aviation airport. One commenter said that it had priced three “off-the-shelf” non-biometric photo ID badge systems at an average cost of $2,346; similarly, the commenter said it priced a 750-foot perimeter fence with access gates at $14,905. The commenter noted that the sum of these two estimates far exceeds TSA's estimate of total compliance costs of $4,216 for a business with 45 employees. Various commenters estimated the cost of background checks and a badge system as $4,600 to $6,000, and a security system as $17,250.
An industry association stated that the rule would require repair stations to add at least one full time position, which would create a financial burden for small repair stations and make it harder for them to remain competitive. Another association stated that TSA was asking repair stations to prove their approach was sufficient; while stations with professional security staff could do this, it was unreasonable to expect small GA repair stations to do this. A third commenter estimated salary for security staff as $70,350.
One industry association also stated that TSA had underestimated training costs and should double them. Another commenter estimated training costs at up to $2,000 per employee.
One industry association stated that the analysis failed to consider that small entities do not physically separate work areas, which the NPRM would require. The contingency plan requirement for identifying unauthorized persons is not defined. It noted that small stations do not routinely escort visitors and do not have staff who can be assigned to do this without losing productive work. The escort requirement will disproportionately affect small stations.
An operator stated that TSA had based its analysis on small repair stations, which calls into question whether the agency has met the requirements of E.O. 12866, the Regulatory Flexibility Act (RFA), and the Trade Agreement Act.
TSA response: In order to address the concerns of the commenters and better estimate the costs of compliance associated with the security measures described in the final rule, TSA has revised its cost estimates. TSA has eliminated the requirement to adopt and implement a security program. Specifically, TSA has eliminated all security measures regarding preventing access to repair stations and will only require certain repair stations to prevent the unauthorized operation of large aircraft that are unattended. This change will reduce the regulatory requirement and the costs of implementation. While TSA has retained the requirement to verify employee background information, it has reduced the application of that requirement only to those individuals who are designated as the TSA point of contact and those who have access to the keys or other means used to prevent the unauthorized operation of large aircraft. TSA has clarified that it will accept the background check obtained by individuals who have obtained a FAA airman certificate or a SIDA badge. All proposed regulations regarding the content, format and availability of a security program have been eliminated in the final rule. The cost estimates for both the NPRM and the final rule are listed in Chapter 4 of the regulatory impact analysis accompanying this final rule. That chapter also describes the reasons for the differences in the cost estimates.
In conjunction with the NPRM, TSA published a regulatory impact analysis that addressed the requirements of EO 12866, the RFA, the Unfunded Mandates Reform Act, and the Trade Agreement Act. The cost estimates in that regulatory impact analysis were not based on small repair stations. However, the IRFA considered the cost impact of the proposed regulations on repair stations classified under SBA standards as “small” businesses. In the final rule, TSA has updated these analyses, considering all costs incurred by TSA and any repair stations notified to adopt security measures under the final rule.
Comments: Forty-eight commenters argued that complying with the proposed requirements in part 1554 would be too costly, and some said that the compliance costs would force repair stations out of business. Six commenters stated that taxpayers and the flying public would also feel the financial burden. Twelve commenters said that the proposed rule would likely result in small GA repair stations either closing their businesses or surrendering their repair station certificates in favor of becoming maintenance repair shops that would not be required to comply with the proposed rule. Fifty commenters said that small aircraft repair stations in particular would suffer significant economic and staffing losses because of the proposed rule. Many of these commenters said that because small repair stations each employ a small number of people, the compliance cost per employee would be significant.
TSA response: With respect to the comments about station closings, TSA recognizes that some aircraft repair stations will incur costs associated with the implementation of security measures, but TSA has reduced the requirements of this final rule and therefore, the costs of implementation. TSA has eliminated the requirement of all security measures regarding preventing access to repair stations and will only require repair stations to prevent the unauthorized operation of large aircraft. All proposed regulations regarding the content, format and availability of a security program have been eliminated in the final rule. Additionally, the requirement to adopt security measures was revised to include only repair stations located on or adjacent to an airport, as defined in the final rule.
TSA has prepared a Final Regulatory Flexibility Analysis (FRFA) as part of the economic analysis of the final rule. This analysis can be found in the regulatory impact analysis, and presents the estimated compliance costs small businesses would incur as a percentage of annual revenues.
TSA has kept the costs of implementation of this rule on small businesses to a minimum by eliminating the security program requirement for all repair stations. Further, the security measures in this final rule allow flexibility in implementation.
III. Rulemaking Analyses and Notices Back to Top
A. International Compatibility
In keeping with U.S. obligations under the Convention on International Civil Aviation, it is TSA policy to comply with International Civil Aviation Organization (ICAO) Standards and Recommended Practices where possible. TSA has determined that these regulations are consistent with ICAO Standards and Recommended Practices for security of airports and facilities contained in Annex 17 of the Convention, the ICAO Security Manual and the ICAO Security Audit Reference Manual.
B. Economic Impact Analyses
1. Regulatory Impact Analysis Summary
Changes to Federal regulations must undergo several economic analyses. First, E.O. 12866, Regulatory Planning and Review (58 FR 51735, October 4, 1993), as supplemented by E.O. 13563, Improving Regulation and Regulatory Review (76 FR 3821, January 21, 2011), directs each Federal agency to propose or adopt a regulation only if the agency makes a reasoned determination that the benefits of the intended regulation justify its costs. Second, the Regulatory Flexibility Act (5 U.S.C. 601 et seq.), as amended by the Small Business Regulatory Enforcement Fairness Act (SBREFA) of 1996, requires agencies to consider the economic impact of regulatory changes on small entities when an agency is required to issue a NPRM. Third, the Trade Agreements Act (19 U.S.C. 2531-2533) prohibits agencies from setting standards that create unnecessary obstacles to the foreign commerce of the United States. In developing U.S. standards, the Trade Act requires agencies to consider international standards, where appropriate, as the basis of U.S. standards. Fourth, the Unfunded Mandates Reform Act of 1995 (2 U.S.C. 1531-1538) requires agencies to prepare a written assessment of the costs, benefits, and other effects of proposed or final rules that include a Federal mandate likely to result in the expenditure by State, local, or tribal governments, in the aggregate, or by the private sector, of $100 million or more annually (adjusted for inflation).
In conducting the following four analyses, TSA has determined:
1. This final rule is a “significant regulatory action,” although not an economically significant regulatory action, under section 3(f)(1) of E.O. 12866. Accordingly, the Office of Management and Budget has reviewed this regulation.
2. This final rule imposes no significant barriers to international trade.
3. This final rule does not impose an unfunded mandate on State, local, or tribal governments, or on the private sector in excess of $100 million (adjusted for inflation) in any one year.
These analyses, as well as the Final Regulatory Flexibility Analysis, are summarized below and are detailed in the regulatory impact analysis accompanying the final rule.
2. Executive Orders 12866 and 13563 Assessments
Executive Orders 12866 and 13563 direct agencies to assess the costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility.
TSA issued an NPRM on November 18, 2009 (74 FR 68774). This final rule makes the following major changes to the NPRM. The first major change is the elimination of the requirement for a repair station to submit a security profile to TSA. TSA will obtain data from the FAA and conduct field visits to acquire other data and information. TSA has also eliminated the requirement to adopt and implement a security program and all security measures preventing access to repair stations. While TSA has retained the requirement to verify employee background information, it has reduced the application of that requirement to those individuals who are designated as the TSA point of contact and those who have access to the keys or other means used to prevent the unauthorized operation of large aircraft capable of flight that are left unattended. TSA has clarified that it will accept employment history checks or background checks conducted on individuals who have obtained a FAA airman certificate or a SIDA badge.
TSA assessed the risk profile of the repair station population and determined that not all repair stations present sufficient risk to warrant security program requirements. Therefore, TSA is only requiring those repair stations located on or adjacent to certain airports, as defined in this final rule, to adopt security measures. As noted above, TSA will consider a repair station to be “on airport” if it is on an AOA or SIDA of an airport covered by an airport security program under 49 CFR part 1542 in the United States, or on the security restricted area of any commensurate airport outside the United States regulated by a government entity. TSA will consider a repair station to be adjacent to an airport if there is an access point between the repair station and the airport of sufficient size to allow the movement of large aircraft between the repair station and the area described as “on airport.” Under the NPRM, approximately 4,800 repair stations certificated under part 145 would have been affected by the rulemaking's affirmative requirements, while under this final rule, that number has been reduced to an estimated 678 repair stations.
In response to public comments and changes in final rule implementation, TSA has adjusted the estimated costs for the final rule. The regulatory impact analysis accompanying this final rule summarizes the revised cost estimates of the regulation.
In summary, over the 10-year period of the analysis, TSA estimates the aggregate costs of the Aircraft Repair Station Security Final Rule to total approximately $23.22 million, undiscounted. This total is distributed among repair stations located within the United States, which would incur total costs of $8.7 million; repair stations located outside the United States, which would incur costs of $14.18 million; and TSA, which would incur costs of $0.34 million. Chapter 2 of the regulatory impact analysis, available in the public docket, provides detailed estimates of these costs. The following table presents the annual costs of the rule over the 10-year period of analysis, broken out into costs incurred by TSA, repair stations located within the United States, and repair stations located outside the United States, respectively.
|Year||TSA Costs||Repair stations within the United States||Repair stations outside the United States||Total (undiscounted)||Discounted, 3 percent||Discounted, 7 percent|
Changes in Cost Estimates From Notice of Proposed Rulemaking
The cost estimates for this final rule differ from those reported in the NPRM due to the elimination of security program, facility access control and other requirements as described above. TSA also uses more recently available data from its outreach efforts and from FAA databases to update population projections and program costs. The following tables present the cost estimates of the final rule compared to those presented in the NPRM.
|Estimate||10-Year total rule costs ($ millions)|
|Cost segment||10-Year total costs ($ millions)||Major cost driving changes|
|Security Programs||$1.6||$0||($1.6)||All proposed regulations regarding the content, format and availability of a security program have been eliminated in the final rule.|
|Point of Contact||113.2||5.8||(107.4)||TSA is requiring only a point of contact on a 24-hour a day basis.|
|ID Media System||0.5||0||(0.5)||TSA eliminated ID Media System requirements.|
|Aircraft Access Control||0.0||2.7||2.7||This is a new cost in the final rule for on-airport and adjacent repair stations.|
|Training||53.2||0||(53.2)||TSA has eliminated all training requirements.|
|Inspections||0.0||0.16||0.16||This is a new cost in the final rule for on-airport and adjacent repair stations.|
|Revocation Appeals||0.0||0.004||0.004||TSA now includes a cost estimate for the fraction of repair stations estimated to require an appeal due to suspension or revocation. This fraction is based on historical data from FAA.|
|3% Discounted Total||143.9||7.4||(136.5)|
|7% Discounted Total||118.6||6.1||(112.5)|
|Cost segment||10-Year total costs ($ millions)||Major cost driving changes|
|Security Programs||$0.7||$0||($0.7)||All proposed regulations regarding the content, format and availability of a security program have been eliminated in the final rule.|
|Point of Contact||18.5||3.8||(14.7)||TSA is requiring only a point of contact on a 24-hour a day basis.|
|Personnel ID System||0.1||0||(0.1)||TSA eliminated Personnel ID System requirements.|
|Aircraft Access Control||0.0||10.2||10.2||This is a new cost in the final rule for on-airport repair stations.|
|Training||78.4||0||(78.4)||TSA has eliminated all training requirements.|
|Inspection||0.0||0.10||0.10||This is a new cost in the final rule for on-airport repair stations.|
|Revocation Appeals||0.0||0.05||0.05||TSA now includes a cost estimate for the fraction of repair stations estimated to require an appeal due to suspension or revocation. This fraction is based on historical data from FAA.|
|Employment History Checks||0.0||.08||.08||This is a new cost in the final rule for on-airport repair stations.|
|3% Discounted Total||83.4||12.0||(71.4)|
|7% Discounted Total||68.7||9.9||(58.8)|
|Estimate||10-Year total costs ($ millions)||Major cost driving changes|
|Total (undiscounted)||$78.2||$0.3||($77.9)||TSA has reduced the requirements of this final rule resulting in a reduction of inspection time and resources.|
|3% Discounted Total||66.1||0.3||(65.8)|
|7% Discounted Total||53.7||0.2||(53.5)|
TSA is issuing regulations to provide for the security of maintenance, preventive maintenance, or alterations on aircraft or articles of aircraft performed at repair stations located both within and outside the United States, of the aircraft and articles located at these repair stations, and of the repair station facilities as required by Vision 100. As terrorist organizations continue to target civil aviation, Congress has indicated the importance of aircraft repair station security. TSA opted to require only those repair stations located on or adjacent to certain airports, as defined in this final rule, to adopt security measures. These facilities represent potential risks due to both their location on or adjacent to an airport and airport runways and their ability to perform maintenance on and have access to aircraft with a MTOW of more than 12,500 lbs. Therefore, the opportunity exists for a terrorist to commandeer an operational aircraft and use it as a weapon against a populated target.
TSA uses a break-even analysis to frame the relationship between the potential benefits of the rulemaking and the costs of implementing the rule. When it is not possible to quantify or monetize the important incremental benefits of a regulation, OMB recommends conducting a threshold, or “break-even” analysis. According to OMB Circular No. A-4, “Regulatory Analysis,” such an analysis answers the question, “How small could the value of the non-quantified benefits be (or how large would the value of the non-quantified costs need to be) before the rule would yield zero net benefits?”  Consequently, to better inform the comparison of the costs of implementing the rule with the benefits to homeland security of the Aircraft Repair Station Security final rule, TSA performed a break-even analysis. In the break-even analysis, TSA compared the annualized cost of the rule's requirements to the expected benefits of preventing a potential terrorist attack.
The type of terrorist attack addressed by this final rule is an aircraft as weapon scenario against a populated target such as an office building. This attack would result from the infiltration of an on-airport repair station and subsequent commandeering of an aircraft. To assess the potential impact of an attack originating at a repair station, TSA considers a representative attack scenario and estimates the monetary value of the losses associated with this scenario. This attack scenario is taken from the second iteration of TSA's Transportation Sector Security Risk Assessment (TSSRA 2.0). TSSRA 2.0 is a SSI report that was produced in response to DHS Appropriations legislation (Pub. L. 110-396/Division D and Pub. L. 111-83), which requires DHS through TSA to conduct a comprehensive risk assessment.
In order to compare the losses in the scenario with the cost of the final rule, TSA assigns a statistical monetary value to potential passenger, crew casualties and bystander, and also takes into account property damage associated with the aircraft and infrastructure involved in the attack scenario. TSA uses a Customs and Border Protection (CBP) Value of a Statistical Life (VSL) estimate of $6.3million  to represent the amount an individual is willing to pay to achieve a small reduction in mortality risk. In order to estimate the value of injuries, TSA used the Department of Transportation (DOT) published guidance  for values of moderate injuries at 4.7 percent of VSL and severe injuries at 26.6 percent of VSL. Consequently, for a severe injury, TSA estimates a value of $1,675,800 ($6,300,000 VSL × 0.266) and for a moderate injury, TSA estimates a value of $296,100 ($6,300,000 VSL × 0.047).
The following paragraphs describe a scenario for which TSA believes this final rule will help reduce the likelihood of occurrence and their corresponding estimated monetary consequences. This analysis does not consider the indirect, macroeconomic consequences these terrorist attacks could cause. Consequently, the economic impacts of this terrorist attack estimated for this break-even analysis is a lower-bound estimate.
This attack scenario describes the impact of a situation where a commercial aircraft is stolen from a repair station (with no passengers on board) and used as a missile to attack an office building. The scenario results in loss of life, severe and moderate injuries, destruction of the aircraft, and damage to the building. Again, TSSRA 2.0 uses the average building size and capacity of a number of office buildings to estimate an average building size of 49 stories with an average of 176 people per story. TSSRA 2.0 estimates 2,992 fatalities for this scenario. TSSRA 2.0 assumes the attacker(s) will hit the office building approximately a third of the way down the building and due to the size of the aircraft, it is assumed that anyone above the impact site will die due to the inability to escape the building (17 stories × 176 people). Using the CBP VSL of $6.3 million, the monetary estimate associated with the loss of life is $18,849.6 million (2,992 × $6.3 million).
TSSRA 2.0 also estimates 880 severe injuries, which is equal to the number of occupants of 5-stories of the representative office building. TSSRA 2.0 assumes that several floors directly below the impact site would be affected by the force of the impact and the resultant fires. In addition, people exiting the building from these floors would be more likely to have injuries requiring hospital treatment. Again using the DOT guidance on the valuation of injuries, the monetary estimate associated with severe injuries is $1,474.7 million (880 severe injuries × $1,675,800). TSSRA 2.0 estimates 2,376 moderate injuries, which is equal to one-half of the remaining population of the representative office building (0.5 × (8,624 − 2,992 − 880). TSSRA 2.0 assumes that at least half of the remaining occupants not killed or severely injured would be moderately injured due to smoke, falling debris, or the action of evacuating the building. The monetary estimate associated with the moderate injuries is $703.5 million (2,376 moderate injuries × $296,100).
TSSRA 2.0 assumes this type of attack requires replacement of the entire building. TSSRA 2.0 estimates the cost of replacement using an average construction cost of $846.8 million for recently built large buildings in the United States.
To estimate the value of the lost aircraft, TSA uses $22.6 million, which is the 2009 weighted average market value of all two-engine narrow-body and two-engine wide-body air carrier aircraft. 
The total monetary valuation of the losses of life, aircraft and buildings, and injuries represented in this scenario is $21,897.2 million ($18,849.6 million for fatalities + $1,474.7 million for severe injuries + $703.5 million for moderate injuries + $22.6 million for loss of aircraft + $846.8 million for replacement of the building).
In this analysis, the comparison is made between the estimated monetary consequence of this scenario and the annualized cost of the Aircraft Repair Station Security final rule, discounted at seven percent ($2.3 million).  The “required risk reduction in attack frequency” to break even is estimated by dividing the total consequences of a specific attack scenario by the annualized cost of the regulation, discounted at seven percent. In order to break even, the rule will need to reduce the existing or baseline frequency of terrorist attack by one attack every 9,460 years for attacks of a similar magnitude. These results are presented in table form in both the Executive Summary and Chapter 5 of the regulatory impact analysis.
As alternatives to the preferred regulatory regime presented in the final rule, TSA examined four other options. For most regulatory alternatives, TSA considered categorizing repair stations into three risk tiers based on a station's location with respect to an airport and the size of aircraft on which a repair station performs work. Tier 1, in general, woul