[Federal Register Volume 59, Number 233 (Tuesday, December 6, 1994)]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-27912]




_______________________________________________________________________

Part V





Department of Transportation





_______________________________________________________________________



Federal Aviation Administration



_______________________________________________________________________



14 CFR Part 107, et al.




Sensitive Security Information; Proposed Rule
DEPARTMENT OF TRANSPORTATION

Federal Aviation Administration

14 CFR Parts 107, 108, 109, 129, 191

[Docket No. 27965; Notice No. 94-32]
RIN 2120-AF49

 
Sensitive Security Information

AGENCY: Federal Aviation Administration (FAA), Department of 
Transportation (DOT).

ACTION: Notice of Proposed Rulemaking (NPRM).

-----------------------------------------------------------------------

SUMMARY: The FAA proposes to strengthen the rules protecting 
information from release to unauthorized persons. The current rules 
fail to: Require individuals to protect security sensitive information 
that is in their control; and specify all sensitive security 
information that should be protected from public disclosure. This 
proposed rule would specify all sensitive security information that 
must be protected and would require air carriers, airport operators, 
indirect air carriers, foreign air carriers, and individuals to be 
responsible for protecting it from disclosure to unauthorized persons.

DATES: Comments must be received on or before February 6, 1995.

ADDRESSES: Comments on this notice may be delivered or mailed, in 
triplicate, to the Federal Aviation Administration, Office of the Chief 
Counsel, Attention: Rules Docket (AGC-200), Docket No. 27965, 800 
Independence Avenue, SW., Room 915G, Washington, DC 20591. Comments 
submitted must be marked: ``Docket No. 27965.'' Comments may be 
inspected in Room 915G between 8:30 a.m. and 5 p.m. on weekdays, except 
Federal holidays.

FOR FURTHER INFORMATION CONTACT: Eugene Cunningham or Don Cotton, 
Office of Civil Aviation Security Policy and Planning, Federal Aviation 
Administration, 800 Independence Avenue, SW., Washington, DC 20591; 
telephone (202) 267-8701.

SUPPLEMENTARY INFORMATION:

Comments Invited

    Interested persons are invited to participate in the rulemaking by 
submitting such written data, views, or arguments as they may desire. 
Comments relating to environmental, energy, federalism, or 
international trade impacts that might result from adopting the 
proposals in this notice are also invited. Comments must include the 
regulatory docket or notice number and be submitted in triplicate to 
the address above. All comments received, as well as a report 
summarizing each substantive public contact with FAA personnel on this 
rulemaking, will be filed in the docket. The docket is available for 
public inspection both before and after the comment closing date.
    All comments received on or before the closing date will be 
considered by the Administrator before taking action on this proposed 
rulemaking. Late-filed comments will be considered to the extent 
practicable. The proposals contained in this notice may be changed in 
light of the comments received.
    Commenters wishing the FAA to acknowledge receipt of their comments 
submitted in response to this notice must submit a pre-addressed, 
stamped postcard with those comments on which the following statement 
is made: ``Comments to Docket No. 27965.'' The postcard will be date-
stamped by the FAA and returned to the commenter.

Availability of NPRM

    Any person may obtain a copy of this NPRM by submitting a request 
to the Federal Aviation Administration, Office of Public Affairs, 
Attention: Public Inquiry Center (APA-200), 800 Independence Avenue, 
SW., Washington, DC 20591, or by calling (202) 267-3484. Requests must 
include the notice or docket number.
    Persons interested in being placed on a mailing list for future 
rulemaking actions should request a copy of Advisory Circular 11-2A, 
Notice of Proposed Rulemaking Distribution System, which describes the 
application procedure.

Background

The Security Regulatory Scheme

    Sections 315 and 316 of the Federal Aviation Act of 1958, as 
amended (FAAct) (49 U.S.C. app. 1356, 1357), require the FAA to 
prescribe rules, as needed, to protect persons and property aboard 
aircraft against acts of criminal violence and aircraft piracy, and to 
prescribe rules for screening passengers for weapons. To carry out the 
provisions of the FAAct, the FAA has adopted rules requiring airport 
operators, air carriers, indirect air carriers, and foreign air 
carriers to carry out various duties for civil aviation security. Part 
107 of the Federal Aviation Regulations (FAR) (14 CFR part 107) applies 
to certain airport operators; part 108 (14 CFR part 108) governs 
certain air carriers. Part 109 (14 CFR part 109) applies to indirect 
air carriers, such as freight forwarders, who engage indirectly in air 
transportation of property. Part 129 (14 CFR part 129) applies to the 
operation of foreign air carriers within the United States.
    Parts 107, 108, 109, and 129 contain general requirements for 
promoting civil aviation security. Each airport operator, air carrier, 
indirect air carrier, and foreign air carrier covered by these parts 
also has a security program that is approved or accepted by the 
Administrator, containing information that specifies how airport 
operators and air carriers perform their regulatory and statutory 
responsibilities. The security programs are available only to persons 
with the need to know, as described more fully below.
    Each air carrier's security program is a comprehensive document 
that details the full range of security procedures and countermeasures 
that air carriers are required to perform under Sec. 108.5 of the FAR. 
This program includes procedures for: (1) screening of passengers, 
carry-on baggage, checked baggage, and cargo; (2) using screening 
devices (such as X-ray systems and metal detectors); (3) controlling 
access to aircraft and air carrier facilities; (4) reporting and 
responding to bomb threats, hijackings, and weapons discovered during 
screening; (5) reporting and protecting bomb threat information; (6) 
identifying special procedures required at airports with special 
security needs; and (7) training and testing standards for crewmembers 
and security personnel.
    The airport security program is a comprehensive document that 
details the full range of security procedures and countermeasures that 
airport operators are required to perform under Sec. 107.3. Most 
programs include the: (1) Description of the air operations area (AOA), 
each area on or adjacent to the airport that affects the security of 
the AOA, and air carrier exclusive areas; (2) procedures to control 
access to the AOA; (3) alternate security procedures for use in 
emergency and other unusual conditions; and (4) law enforcement support 
training and record maintenance programs in furtherance of part 107. 
Programs for some airports include a description of the law enforcement 
support training program and the system for maintaining records.
    The indirect air carrier security program covers security 
procedures for cargo that is accepted for transport on air carrier 
aircraft. In general, it requires indirect air carriers to carry out 
security procedures for handling cargo that will be carried on air 
carrier aircraft.
    Foreign air carriers' security programs provide security procedures 
for foreign air carriers while operating to and from the United States, 
which are a counterpart to the procedures required under part 108.
    Security programs of individual companies largely are based on 
standard security programs and amendments developed by the FAA and 
industry. As new threats are identified, and as improved 
countermeasures are developed, the FAA develops standard means to 
respond to the threats and improve security.
    Other sources of information and countermeasures are in Security 
Directives and Information Circulars, described in Sec. 108.18. They 
address threats to civil aviation security and countermeasures to 
respond to those threats. In addition, there is information concerning 
various security devices, such as metal detectors and X-ray machines, 
that is sensitive.

The Need to Protect Security Information

    The FAA has, over the years, adopted security procedures to respond 
to the growing threat to civil aviation. The trend has been towards a 
more sophisticated and dangerous threat.
    Until 1984, hijackings of U.S. air carriers primarily were 
conducted by single individuals who were asylum seekers, expatriates 
desiring to return to Cuba, mentally disturbed persons, or single 
individuals who were carrying out their criminal acts for personal 
motives. Beginning in 1985, however, there were a series of 
sophisticated hijackings and attempted hijackings of airliners of U.S. 
registry. These hijackings were conducted by relatively well-organized 
teams of trained individuals with political motives primarily connected 
to international affairs in the Middle East. The June 1985 hijacking of 
TWA 847 and intelligence reporting in subsequent years clearly 
indicated that U.S. air carriers were facing a higher level and type of 
threat. Similar incidents that occurred over the next few years 
routinely involved murder and extended hostage takings.
    The change in the hijacking threat faced by U.S. air carriers was 
accompanied by increasingly sophisticated and deadly sabotage attacks 
against civil aviation. These attacks also were perpetrated by well-
organized international terrorist groups with, in some cases, nation 
states also involved as supporters and facilitators, if not direct 
participants. These groups and countries repeatedly attempted to 
collect information concerning extant security countermeasures and to 
devise methods of attack to bypass or defeat those countermeasures.
    With the 1985 terrorist attacks on the airport terminals in Rome 
and Vienna and the December 1988 explosion and crash of Pan American 
World Airways [Pan Am] Flight 103 in Lockerbie, Scotland, the FAA, 
along with the world civil aviation community, recognized that an 
entirely new phase of terrorism had opened. In response, the FAA issued 
new, detailed, amendments to the air carrier standard security program 
to counter the threat to U.S. carriers at foreign airports. The FAA 
also developed new procedures to decrease the vulnerability of airports 
to terrorist attacks. These procedures, both foreign and domestic, went 
into both the air carrier and airport security programs.
    Because of the increasing sophistication of those who may pose a 
threat to civil aviation, it is increasingly important that information 
regarding the manner in which the FAA, the airport operators, and the 
air carriers may seek to guard against criminal threats be protected. 
The unauthorized disclosure of sensitive aviation security information 
could assist in the development of techniques to counter those 
measures.
    The FAA is mindful of the public's legitimate interest in how the 
FAA operates and how it regulates the aviation industry. The FAA has a 
corresponding responsibility to prevent undue disclosure of information 
that could compromise public safety if it falls into the wrong hands. 
The proposals in this notice have been carefully considered to cover 
only information that could reasonably be anticipated to be damaging to 
the security of the traveling public if given to unauthorized persons.
    Security programs are absolutely essential mechanisms through which 
the FAA regulates the air carriers' and airports' detailed obligations 
with respect to ensuring civil aviation security. Much of the 
effectiveness of the programs depends on strictly limiting access to 
such information to those persons who have a need to know. Unauthorized 
disclosure of the specific provisions of the air carrier and airport 
security programs or other aviation security information would allow 
potential attackers of civil aviation to devise methods to circumvent 
or otherwise defeat the security provisions. It would also discount the 
deterrent effect inherently provided in prohibiting disclosure of 
security measures that may or may not be in place.
    There are sophisticated criminal elements who actively seek 
information on what seemingly are minor security points, with a view to 
accumulating a larger picture of the entire security program. 
Therefore, it is imperative that the entire security program be 
protected. Similarly, it is critical to protect the information 
contained in Security Directives and Information Circulars. These 
documents contain detailed information on threats that the FAA has 
identified, and the measures to counter those threats. The unauthorized 
release of that information could compromise those countermeasures. In 
addition, particular information regarding FAA approved security 
devices, such as metal detectors, should also be protected to the 
extent possible.

Current Protection of Security Information

    Currently, the FAA, airport operators, air carriers, indirect air 
carriers, and foreign air carriers are required to restrict the 
availability of information contained in security programs to those 
with a need to know, and to refer requests for such information to the 
FAA. These requirements are in Secs. 107.3(e), 108.7(c) (4) and (5), 
109.3(c), and foreign air carrier security programs. In addition, 
Sec. 108.18(c)(1) specifically requires air carriers to restrict the 
availability of Security Directives and Information Circulars, and the 
information contained therein, to persons with a need to know. However, 
individuals who work for or perform activities in support of the air 
carriers are not required to protect the information, except for 
Security Directives and Information Circulars. Part 191 allows the FAA 
to withhold certain requested information, such as a request under the 
Freedom of Information Act (FOIA) (5 U.S.C. 552) or in litigation. Part 
191 currently applies only to the FAA. Section 191.3 identifies 
specific information, such as security programs and hijacker profiles, 
that the FAA withholds. Section 191.5 provides generally that the FAA 
prohibits disclosure of information when release would constitute an 
unwarranted invasion of privacy, reveal trade secrets or privileged or 
confidential information, or be detrimental to the safety of persons 
traveling in air transportation or in intrastate air transportation. 
However, it does not cover all of the potential sources of sensitive 
security information that should be covered.
    Civil aviation security information protected under the Federal 
Aviation Regulations is different from National Security Information 
governed by Executive Order 12356 and related orders, statutes, and 
rules. The Executive Order provides for classifying information as Top 
Secret, Secret, and Confidential, and covers a wide range of 
information affecting the national security. All persons with access to 
such information must have an appropriate security clearance, and there 
may be a criminal penalty for misuse of the information. While there is 
some ``classified'' civil aviation security information, these proposed 
rules are not directed to the handling of all classified information.
    The FAA proposes to improve the protection of sensitive security 
information by amending parts 107, 108, 129 and 191 as described more 
fully below.

Part By Part Discussion of the Proposed Rule

    The FAA currently is reformulating the authority citations of all 
parts in accordance with the recodification enacted in Public Law 103-
272 on July 5, 1994. This process is not complete. Accordingly, the 
authority citations in this proposed rule are those in the current 
rules.
Part 191
    Part 191 sets forth the rules that allow the FAA to withhold 
information from public disclosure. The FAA proposes to amend and 
reorganize part 191 as follows:
    Sec. 191.1. The FAA proposes to expand part 191 to apply not only 
to the FAA, but also to air carriers, airport operators, indirect air 
carriers, foreign air carriers, and individuals. As discussed below, 
parts 107, 108, 109, and 129 still would contain some requirements 
regarding the protection of information, but part 191 would be the 
primary rule for withholding information from unauthorized public 
disclosure.
    Section 191.1(a) would be amended to conform to the current 
statute. In 1976, the FAA promulgated part 191 to implement the Air 
Transportation Act of 1974, Pub. L. 93-366. Section 316(d)(2) of the 
FAAct provides, in part, that the Administrator shall prescribe 
regulations to ``prohibit disclosure of any information obtained or 
developed in the conduct of research and development activities'' if 
the disclosure meets certain conditions. This section is a major basis 
for the current rules in part 191 on withholding information from 
unauthorized disclosure.
    In 1990, section 316(d)(2) was amended to provide that the 
Administrator shall adopt rules to prohibit disclosure of ``any 
information obtained in the conduct of security or research and 
development activities * * *.'' Section 9121 of the Aviation Safety and 
Capacity Expansion Act of 1990 (Pub. L. 101-508) (emphasis added). The 
FAA proposes to amend Sec. 191.1(a), to protect information obtained 
during the course of specified security activities.
    The FAA also proposes to remove from the title of part 191 
reference to the 1974 Act, to avoid any implication that it is the only 
source of statutory authority for the part.
    Section 191.1(b) now defines ``record,'' in part, as 
``documentary'' material. The FAA proposes to delete the word 
``documentary.'' The FAA intends to address all methods of preserving 
information, including computer records. This would avoid any 
misunderstanding over whether such records were ``documentary.''
    Part 191 now refers to the ``Director of Civil Aviation Security'' 
as the official who makes the determination on behalf of the 
Administrator to withhold information. Following a reorganization, the 
FAA official who makes such determinations now is the Assistant 
Administrator for Civil Aviation Security. The FAA proposes to amend 
part 191 accordingly. In addition, the Deputy Assistant Administrator 
for Civil Aviation Security, and any individual formally designated to 
act in the capacity of the Assistant Administrator or the Deputy, would 
have authority to make such determinations.
    We also propose to state in more detail the extent to which the 
Assistant Administrator may further delegate the authority to make 
these decisions. For decisions involving information and records 
described in Sec. 191.7(a) through (i), we propose to permit delegation 
below the Assistant Administrator level. The information that is 
described in (a) through (i) is well-defined, and decisions on release 
or withholding of the information involve relatively objective 
judgments.
    Section 191.7(j) provides a ``catch all'' basis for determining 
that other information is sensitive security information. A decision to 
release or withhold information under Sec. 191.7(j) requires a careful 
evaluation of, on the one hand, the need to provide the highest level 
of security to the traveling public by preventing sensitive security 
information from falling into the wrong hands, and on the other hand, 
an awareness of the public's strong interest in obtaining information 
about security in air transportation. These decisions require a careful 
evaluation of security threats as well as important policies of the 
agency. Therefore, the FAA proposes that such decisions be made by high 
policy-level officials, and not below the Assistant Administrator and 
Deputy Assistant Administrator level. The Assistant Administrator is 
responsible for carrying out the agency's civil aviation security 
program, and reports directly to the Administrator.
    Sec. 191.3. Section 191.3 would continue to state generally that 
the FAA withholds certain information, but would be clarified to state 
that part 191 applies, notwithstanding FOIA and other disclosure 
statutes. For instance, the FAA may adopt certain security rules 
affecting air carriers and airports without disclosing the rules to 
unauthorized persons.
    The FAA proposes to move the provisions currently in Sec. 191.5 
that describe the circumstances under which the FAA prohibits 
disclosure of information to Sec. 191.3(b).
    Sec. 191.5. Section 191.5 would contain the requirements that apply 
to persons other than the FAA. Such persons include air carriers, 
airport operators, indirect air carriers, and foreign air carriers, and 
individuals employed by, or contracted by, air carriers, airport 
operators, indirect air carriers, and foreign air carriers. This 
section is intended to be very inclusive.
    A difficult aspect of protecting sensitive security information is 
that a large number of persons must be aware of at least portions of 
the information in order to carry out their duties. These include 
pilots, flight attendants, ticket agents, screeners, baggage handlers, 
and law enforcement officers. Frequently, some of these people are not 
direct employees of the air carrier or airport operator, but they do 
carry out duties for or on behalf of the air carrier or airport 
operator. For instance, in many cases, screeners and law enforcement 
officers are not directly employed by air carriers or airport 
operators, but do have important security responsibilities to carry 
out. This section is intended to cover all such persons who have access 
to sensitive security information. It should be emphasized, however, 
that airports and air carriers would continue to have the 
responsibility they now have to protect sensitive security information. 
If sensitive security information is released to unauthorized persons, 
depending upon the circumstances, the FAA may hold the airport or air 
carrier, as well as the individual, accountable.
    Section 191.5(a) would state the general requirement that 
disclosure of and access to sensitive security information shall be 
restricted to persons with a ``need to know.'' Section 191.5(b) would 
define ``need to know'' as the requirement to have knowledge of or 
access to the information to carry out FAA-approved or directed 
aviation security duties. Of course, in the case of foreign air 
carriers that are owned or operated, or closely regulated, by the 
foreign government, various officials in that government have a ``need 
to know.''
    In most cases, the air carrier or airport operator has the 
discretion to decide who in its organization has a need to know 
sensitive security information. There are times, however, when 
information is so sensitive that extra measures should be taken to 
protect it from release to those without a ``need to know.'' The rule 
would, therefore, provide that for some specific information the 
Assistant Administrator may make a finding that only specific persons, 
or classes of persons, have an operational need to know.
    Section 191.5(c) would require that, if sensitive security 
information is released to unauthorized persons, the FAA must be 
notified. This will permit the FAA to evaluate the risk presented by 
the release of the information, and to take whatever action may be 
needed to mitigate that risk.
    Section 191.5(d) alerts persons that violations may result in a 
civil penalty or other action by the FAA. Under the FAAct, the FAA may 
take a broad range of enforcement action for violation of the 
regulations. The FAA anticipates that civil penalty action will be 
considered for a violation of part 191, as it is for violations of 
parts 107 and 108. However, the FAA may seek any enforcement action 
deemed appropriate based on individual circumstances of the case. 
Further, the FAA may take action to mitigate or correct the risk posed 
by the violation. Such actions may include requiring air carriers or 
airport operators to change their procedures for protecting security 
information, or change the security procedures in place that may have 
been compromised by unauthorized release of the information.
    Sec. 191.7. Proposed 191.7 would incorporate and expand current 
Sec. 191.3, which describes information that is protected from public 
disclosure. There is information not specifically mentioned in 
Sec. 191.3 that should be protected. The FAA now withholds such 
information from public disclosure based on findings under Sec. 191.5 
that disclosure would be detrimental to the safety of persons traveling 
in air transportation or intrastate air transportation. Those findings 
are set forth in written denials of FOIA requests for such information, 
and in Declarations submitted to judges to seek protection of 
information in litigation cases. To better inform the public of the 
information prohibited from unauthorized release, the FAA proposes to 
add this information to Sec. 191.7, as described below:
    Section 191.7(a) would retain the current requirements to protect 
any approved or standard security program for an air carrier, indirect 
air carrier, airport operator, or foreign air carrier, and that portion 
of the security program of the United States Postal Service that 
relates to security of parcel mail to be transported by air. The FAA 
proposes to expand this provision to include any comments, 
instructions, or implementing guidance pertaining to these security 
programs. Generally, these materials reveal some or all of the 
sensitive information and must be protected the same as the security 
programs themselves.
    Paragraph (b) would be revised to include any comments, 
instructions, or implementing guidance pertaining to Security 
Directives and Information Circulars.
    Paragraph (c) would list any profile used in any security screening 
process, including persons, baggage, or cargo. Section 191.3(b) (1) and 
(2) currently cover any hijacker profile and profile used in baggage 
screening. This proposal makes that provision general to cover profiles 
for screening persons, because there are systems in place to protect 
against terrorists and others who might seek to commit criminal 
violence, not just hijackers. It would also cover profiles for cargo. 
Like baggage, cargo is a potential tool for criminal violence that the 
security rules cover.
    Paragraph (d) would include any security contingency plan and 
comments, instructions, or implementing guidance pertaining thereto. 
These plans, when adopted, become part of the security program and are 
already covered by rules governing security programs. They are included 
in Sec. 191.7 for emphasis.
    The FAA proposes to delete the provisions currently in 
Sec. 191.3(b)(6), pertaining to the technical specifications for 
devices for protection against, or detection of, cargo theft, from the 
rule. Such devices are not directly used to meet the requirements for 
civil aviation security under the FAA regulations. Any devices that 
serve a dual function of protecting cargo and security are protected 
under other provisions in this section.
    Paragraph (e) would cover the technical specifications of any 
device used for the detection of any explosive, incendiary, or deadly 
or dangerous weapon. It is essentially the same as current 
Sec. 191.3(b)(5), except that the current rule is worded ``explosive or 
incendiary device or weapon.'' The proposed rule would use the same 
wording that is in Sec. 108.9(a), which contains the requirements for 
air carriers to screen passengers and property for such items.
    Paragraph (f) would address the specifications for objects used to 
test screening equipment, and equipment parameters, and paragraph (g) 
would address any security communications equipment and procedures. 
Knowledge of the devices used to perform various security functions 
could lead to a plan to defeat those devices. Accordingly, details of 
such devices should be protected.
    Paragraph (h) would address any information pertaining to: (1) 
Threats of any criminal acts directed against air transportation; and 
(2) the details of an alleged violation of parts 107, 108, 109, or 129, 
and any information that could reasonably lead to the disclosure of 
such details, i.e., the airport name, the location of the gate or 
access point; the air carrier, indirect air carrier, or foreign air 
carrier. Paragraph (h) would apply only to the release of information 
by the FAA. There is less risk of harm from the casual disclosure of 
this information by individuals.
    Paragraph (i) would include any draft, proposed, or recommended 
change to sensitive security information or records. The FAA frequently 
issues proposed revisions for sensitive security documents to air 
carriers and airport operators and requests comments on the proposals. 
These proposals contain sensitive security information that also should 
be protected.
    Paragraph (j) would include any other information that the 
Administrator determines should not be disclosed under the criteria in 
Sec. 191.3(b). While we have attempted to anticipate all sources of 
information that should be protected from unauthorized disclosure, 
additional information may be discovered in the future. As with the 
current rule, this paragraph would allow the Administrator to determine 
whether other information should be considered to be sensitive security 
information.
Parts 107, 108, 109, and 129
    The FAA proposes to make changes to the specific parts that apply 
to airport operators, air carriers, indirect air carriers, and foreign 
air carriers, to correspond to the proposed changes to part 191. Parts 
107, 108, 109, and 129 require these organizations to protect security 
information as required in part 191, and would require them to direct 
requests for such information to the Administrator. These parts would 
be redundant with the proposed changes to part 191. These organizations 
currently refer to their specific parts of the FAR for security 
requirements. Including a cross-reference to part 191 in parts 107, 
108, 109, and 129, alerts organizations to the new requirements, and 
makes it clear that part 191 is part of their security duties.

Economic Evaluation

    This section summarizes the regulatory evaluation prepared by the 
FAA. The regulatory evaluation provides more detailed discussion of the 
potential economic consequences of this proposal.
    Executive Order 12866, dated September 30, 1993, directs Federal 
agencies to promulgate new regulations or modify existing regulations 
only if benefits to society for each regulatory change outweigh 
potential costs. The order also requires the preparation of an economic 
analysis of all ``significant regulatory actions'' except those 
responding to emergency situations or other narrowly-defined 
exigencies.
    The FAA has determined that this proposed rule is not a 
``significant regulatory action'' as defined by Executive Order 12866 
(Regulatory Planning and Review). The costs and benefits associated 
with this rule are summarized below. (A more detailed 
discussion is contained in the full regulatory evaluation placed in the 
docket for this proposed rule.)

Costs and Benefits

    This proposed rule would help protect persons and property at 
airports and aboard aircraft against terrorist and other criminal acts 
by strengthening the rules protecting sensitive security information 
from being released to unauthorized persons. It would require the 
affected entities to be responsible for safeguarding this security 
information from unauthorized disclosure. The accidental divulgence of 
such material could lead, directly or indirectly, to injuries, the loss 
of life, and/or the loss of an aircraft.
    These rules could be implemented at no cost. Given the lack of cost 
and given the potential benefits of avoided fatalities and injuries, 
the FAA finds this proposed rule to be cost beneficial.

International Trade Impact Statement

    In accordance with the Office of Management and Budget memorandum 
dated March 1983, federal agencies engaged in rulemaking activities are 
required to assess the effects of regulatory changes on international 
trade. The FAA finds that this proposed rule would not have an adverse 
impact on trade opportunities for either U.S. firms doing business 
overseas or foreign firms doing business in the United States. The 
proposed rule would impose no costs on either domestic or foreign air 
carriers, so neither would have a trade advantage over the other.

Initial Regulatory Flexibility Determination

    The Regulatory Flexibility Act of 1980 (RFA) was enacted by 
Congress to ensure that small entities are not unnecessarily burdened 
by government regulations. The RFA requires agencies to review rules 
that may have a ``significant economic impact on a substantial number 
of small entities.'' There is no cost associated with this proposed 
rule; therefore, this proposal does not have a significant economic 
impact on a substantial number of small entities.

Federalism Impact

    This proposal will not have a substantial direct effect on the 
States, on the relationship between the national government and the 
States, or on the distribution of power and responsibilities among the 
various levels of government. Therefore, in accordance with Executive 
Order 12612, it is determined that this proposal does not have 
sufficient federalism implications to warrant preparation of a 
Federalism Assessment.

Paperwork Reduction Act

    In accordance with the Paperwork Reduction Act of 1980 (Pub. L. 96-
511), there are no requirements for information collection associated 
with this proposed rule.

Conclusion

    For the reasons discussed above, and based on the findings in the 
initial Regulatory Flexibility Determination and the International 
Trade Impact Statement, the FAA certifies that this proposed regulation 
will not have a significant economic impact, positive or negative, on a 
substantial number of small entities under the criteria of the 
Regulatory Flexibility Act. This proposal is not considered a 
``significant regulatory action'' under Executive Order 12866 and is 
not considered significant under Department of Transportation 
Regulatory Policies and Procedures (44 FR 11034; February 26, 1979).

List of Subjects

14 CFR Part 107

    Airports, Arms and munitions, Federal Aviation Administration, Law 
enforcement officers, Reporting and recordkeeping requirements, 
Security measures.

14 CFR Part 108

    Air carriers, Aircraft, Airmen, Airports, Arms and munitions, 
Explosives, Federal Aviation Administration, Law enforcement officers, 
Reporting and recordkeeping requirements, Security measures.

14 CFR Part 109

    Air carriers, Aircraft, Federal Aviation Administration, Freight 
forwarders, Security measures.

14 CFR Part 129

    Air carriers, Aircraft, Aviation safety, Federal Aviation 
Administration, Reporting and recordkeeping requirements, Security 
measures, Smoking.

14 CFR Part 191

    Air transportation, Federal Aviation Administration, 
Telecommunications.

The Proposed Amendments

    Accordingly, the Federal Aviation Administration proposes to amend 
parts 107, 108, 109, 129, and 191 (14 CFR parts 107, 108, 109, 129, and 
191), as follows:

PART 107--AIRPORT SECURITY

    1. The authority citation for part 107 continues to read as 
follows:

    Authority: 49 U.S.C. App. 1354, 1356, 1357, 1358, and 1421; 49 
U.S.C. 106(g); Sec. 101, et seq., Pub. L. 101-604, 104 Stat. 3066.

    2. Section 107.3 is amended by revising paragraph (e) to read as 
follows:


Sec. 107.3  Security program.

* * * * *
    (e) Each airport operator shall--
    (1) Restrict the distribution, disclosure, and availability of 
sensitive security information, as defined in part 191 of this chapter, 
to persons with a need to know; and
    (2) Refer requests for security sensitive information by other 
persons to the Assistant Administrator for Civil Aviation Security.
* * * * *

PART 108--AIRPLANE OPERATOR SECURITY

    3. The authority citation for part 108 continues to read as 
follows:

    Authority: 49 U.S.C. App. 1354, 1356, 1357, 1421, 1424, and 
1511; 49 U.S.C. 106(g); Sec. 101 et seq., Pub. L. 101-604, 104 Stat. 
3066.

    4. Section 108.7 is amended by revising paragraphs (c)(4) and 
(c)(5) to read as follows:


Sec. 108.7  Security program: Form, content, and availability.

* * * * *
    (c) * * *
    (4) Restrict the distribution, disclosure, and availability of 
sensitive security information, as defined in part 191 of this chapter, 
to persons with a need to know; and
    (5) Refer requests for sensitive security information by other 
persons to the Assistant Administrator for Civil Aviation Security.

PART 109--INDIRECT AIR CARRIER SECURITY

    5. The authority citation for part 109 continues to read as 
follows:

    Authority: Secs. 313(a), 316, 601, 1005, Federal Aviation Act of 
1958 (49 U.S.C. 1354(a), 1357, 1421, and 1485); and sec. 6(c), 
Department of Transportation Act (49 U.S.C. 1655(c)).

    6. Section 109.3 is amended by revising paragraph (c) to read as 
follows:


Sec. 109.3  Security program.

* * * * *
    (c) Each indirect air carrier shall--
    (1) Restrict the distribution, disclosure, and availability of 
sensitive security information, as defined in part 191 of this chapter, 
to persons with a need to know; and
    (2) Refer requests for sensitive security information by other 
persons to the Assistant Administrator for Civil Aviation Security.

PART 129--OPERATIONS: FOREIGN AIR CARRIERS AND FOREIGN OPERATORS OF 
U.S.-REGISTERED AIRCRAFT ENGAGED IN COMMON CARRIAGE

    7. The authority citation for part 129 continues to read as 
follows:

    Authority: 49 U.S.C. app. 1346, 1354(a), 1356, 1357, 1421, 1502, 
1511 and 1522; 49 U.S.C. 106(g) (revised Pub. L. 97-449, January 12, 
1983).

    8. Part 129 is amended by adding a new Sec. 129.31 to read as 
follows:


Sec. 129.31  Airplane security.

    Each foreign air carrier required to adopt and use a security 
program pursuant to Sec. 129.25(b) shall--
    (a) Restrict the distribution, disclosure, and availability of 
sensitive security information, as defined in part 191 of this chapter, 
to persons with a need to know; and
    (b) Refer requests for sensitive security information by other 
persons to the Assistant Administrator for Civil Aviation Security.
    9. Part 191 is revised to read as follows:

PART 191--PROTECTION OF SENSITIVE SECURITY INFORMATION

Sec.
191.1  Applicability and definitions.
191.3  Records and information withheld by the Federal Aviation 
Administration.
191.5  Prohibition on release of sensitive security information.
191.7  Sensitive security information.

    Authority: Secs. 313(a), 316(d)(2), 601, Federal Aviation Act of 
1958 (49 U.S.C. 1354(a), 1357(d)(2), 1421); sec. 6(c), Department of 
Transportation Act (49 U.S.C. 1655(c)).


Sec. 191.1  Applicability and definitions.

    (a) This part governs the release, by the Federal Aviation 
Administration and by other persons, of records and information that 
has been obtained or developed during security activities or research 
and development activities.
    (b) For purposes of this part, ``record'' includes any writing, 
drawing, map, tape, film, photograph, or other means by which 
information is preserved.
    (c) The authority of the Administrator under this part is also 
exercised by the Assistant Administrator for Civil Aviation Security 
and the Deputy Assistant Administrator for Civil Aviation Security, and 
any individual formally designated to act in their capacity. For 
matters involving the release or withholding of information and records 
containing information described in Sec. 191.7(a) through (i), the 
authority may be further delegated. For matters involving the release 
or withholding of information and records containing information 
described in Sec. 191.7(j), the authority may not be further delegated.


Sec. 191.3  Records and information withheld by the Federal Aviation 
Administration.

    (a) Except as provided in paragraph (c) of this section, and 
notwithstanding 5 U.S.C. 552 or other laws, the records and information 
described in paragraph (b) of this section are not available for public 
inspection or copying, nor is information contained in those records 
released to the public.
    (b) The Administrator prohibits disclosure of information developed 
in the conduct of security or research and development activities under 
49 U.S.C. App. Chapter 20, Subchapter III, if, in the opinion of the 
Administrator, the disclosure of such information would:
    (1) Constitute an unwarranted invasion of privacy (including, but 
not limited to, information contained in any personnel, medical, or 
similar file);
    (2) Reveal trade secrets or privileged or confidential information 
obtained from any person; or
    (3) Be detrimental to the safety of persons traveling in air 
transportation.
    (c) If a record contains information that the Administrator 
determines cannot be disclosed under this part, but also contains 
information that can be disclosed, the latter information, on proper 
FOIA request, will be provided for public inspection and copying. 
However, if it is impractical to redact the requested information from 
the document, the entire document will be withheld from public 
disclosure.


Sec. 191.5  Prohibition on release of sensitive security information.

    (a) Each airport operator, air carrier, indirect air carrier, 
foreign air carrier, and each individual employed by, contracted to, or 
acting for an airport operator, air carrier, indirect air carrier, or 
foreign air carrier shall restrict disclosure of and access to 
sensitive security information to persons with a need to know, and 
shall refer requests from other persons for such information to the 
Administrator.
    (b) A person has a need to know sensitive security information when 
the information is necessary to carry out FAA-approved or directed 
aviation security duties. For some specific information, the 
Administrator may specify which persons, or classes of persons, have a 
need to know.
    (c) When sensitive security information is released to unauthorized 
persons, any air carrier, airport operator, indirect air carrier, 
foreign air carrier, or individual with knowledge of the release shall 
inform the Administrator.
    (d) Violation of this section is grounds for a civil penalty or 
other enforcement or corrective action by the FAA.


Sec. 191.7  Sensitive security information.

    Except as otherwise provided in writing by the Administrator, the 
following information and records containing such information 
constitute sensitive information:
    (a) Any approved or standard security program for an air carrier, 
foreign air carrier, indirect air carrier, or airport operator, and 
that portion of the security program of the United States Postal 
Service that relates to security of parcel mail to be transported by 
air; and any comments, instructions, or implementing guidance 
pertaining thereto.
    (b) Security Directives, Information Circulars, and any comments, 
instructions, or implementing guidance pertaining thereto.
    (c) Any profile used in any security screening process, including 
for persons, baggage, or cargo.
    (d) Any security contingency plan or information and any comments, 
instructions, or implementing guidance pertaining thereto.
    (e) Technical specifications of any device used for the detection 
of any explosive, incendiary, or deadly or dangerous weapon.
    (f) Technical specifications of objects used to test screening 
equipment and equipment parameters.
    (g) Technical specifications of any security communications 
equipment and procedures.
    (h) As to the release of information by the FAA only:
    (1) Any information pertaining to threats of any criminal acts 
directed against air transportation.
    (2) The details of an alleged violation of parts 107, 108, 109, or 
129 of this chapter, including the airport name, the location of the 
gate or access point; the air carrier, indirect air carrier, or foreign 
air carrier, and any information that could reasonably lead to the 
disclosure of such details.
    (i) Any draft, proposed, or recommended change to the information 
and records identified in this part.
    (j) Any other information, the disclosure of which the 
Administrator has prohibited under the criteria in Sec. 191.3(b).

    Issued in Washington, DC, November 4, 1994.
Bruce R. Butterworth,
Director, Office of Civil Aviation Security Policy and Planning.
[FR Doc. 94-27912 Filed 12-5-94; 8:45 am]
BILLING CODE 4910-13-M