[Federal Register Volume 62, Number 55 (Friday, March 21, 1997)] [Rules and Regulations] [Pages 13736-13745] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 97-6948] [[Page 13735]] _______________________________________________________________________ Part II Department of Transportation _______________________________________________________________________ Federal Aviation Administration _______________________________________________________________________ 14 CFR Part 107, et al. Sensitive Security Information; Final Rule Federal Register / Vol. 62, No. 55 / Friday, March 21, 1997 / Rules and Regulations [[Page 13736]] DEPARTMENT OF TRANSPORTATION Federal Aviation Administration 14 CFR Parts 107, 108, 109, 129, 191 [Docket No. 27965; Amendment Nos. 107-10, 108-15, 109-3, 129-26, and 191-4] RIN 2120-AF49 Sensitive Security Information AGENCY: Federal Aviation Administration (FAA), DOT. ACTION: Final rule. ----------------------------------------------------------------------- SUMMARY: This final rule strengthens the existing rules protecting sensitive security information from unauthorized disclosure. Part 191 is expanded to apply to air carriers, airport operators, indirect air carriers, foreign air carriers, and individuals, and specifies in more detail what sensitive security information they must protect. Part 191 continues to describe what information is protected from disclosure by the FAA, and describes in more detail that information. This final rule also changes part 107, 108, 109, and 129 to correspond with changes it makes to part 1991. This action is necessary to counter the increased sophistication of those who pose a threat to civil aviation and their ability to develop techniques to subvert current security measures. The intended effect of this action is to prevent undue disclosure of information that could compromise public safety if it falls into the wrong hands, while being mindful of the public's legitimate right to know and interest in aviation information. DATES: This rule is effective April 21, 1997. FAA will comply with the provisions of this rule on March 21, 1997. FOR FURTHER INFORMATION CONTACT: Robert S. Cammardto, Office of Civil Aviation Security Division, ACP- 100, Office of Civil Aviation Security Policy and Planning, Federal Aviation Administration, 800 Independence Avenue, SW., Washington, DC 20591; telephone (202) 267-7723. SUPPLEMENTARY INFORMATION: Background The Security Regulatory Scheme The FAA is required to prescribe rules, as needed, to protect persons and property on aircraft against acts of criminal violence and aircraft piracy, and to prescribe rules for screening passengers and property for dangerous weapons, explosives, and destructive substances. See, 49 U.S.C. 44901 through 44904. To carry out the provisions of the statute, the FAA has adopted rules requiring airport operators, air carriers, indirect air carriers, and foreign air carriers to carry out various duties for civil aviation security. Title 14, Code of Federal Regulations, part 107 (14 CFR part 107) applies to certain airport operators. Part 108 (14 CFR part 108) governs certain air carriers. Part 109 (14 CFR part 109) applies to indirect air carriers such as freight forwarders, who engage indirectly in air transportation of property. Part 129 (14 CFR part 129) applies to the operation of foreign air carriers within the United States. Parts 107, 108, 109, and 129 contain general requirements for promoting civil aviation security. Each airport operator, air carrier, indirect air carrier, and foreign air carrier covered by these parts also has a security program that is approved or accepted by the Administrator, containing information that specifies how airport operators and air carriers perform their regulatory and statutory responsibilities. These security programs are available only to persons with the need-to-know, as described more fully below. Each air carrier's security program is a comprehensive document that details the full range of security procedures and countermeasures that air carriers are required to perform under 14 CFR 108.5. This program includes procedures for: (1) Screening of passengers, carry-on baggage, checked baggage, and cargo; (2) using screening devices (such as X-ray systems and metal detectors); (3) controlling access to aircraft and air carrier facilities; (4) reporting and responding to bomb threats, hijackings, and weapons discovered during screening; (5) reporting and protecting bomb threat information; (6) identifying special procedures required at airports with special security needs; and (7) training and testing standards for crewmembers and security personnel. The airport security program is a comprehensive document that details the full range of security procedures and countermeasures that airport operators are required to perform under 14 CFR 107.3. Most programs include: (1) Descriptions of the air operations area (AOA), each area on or adjacent to the airport that affect the security of the AOA, and air carriers exclusive areas; (2) procedures to control access to the AOA; (3) alternate security procedures for use in emergency and other unusual conditions; and (4) law enforcement support training and record maintenance programs in furtherance of part 107. Programs for some airports include a description of the law enforcement support training program and the system for maintaining records. The indirect air carrier security program covers security procedures for cargo that is accepted for transport on air carrier aircraft. In general, indirect air carriers are required to carry out security procedures for handling cargo that will be carried on air carrier aircraft. Foreign air carriers' security programs provide security procedures for foreign air carriers while operating to and from the United States, which is a counterpart to the procedures required under part 108. Security programs of individual companies are based largely on standard security programs and amendments developed by the FAA and industry. As new threats are identified and improved countermeasures developed, the FAA develops standard means to respond to the threats and improve security. Other sources of information and countermeasures are contained in the Security Directives and Information Circulars, described in Sec. 108.18. These sources address threats to civil aviation security as well as responsive countermeasures to those threats. Additionally, these sources provide sensitive information concerning various security devices, such as metal detectors and X-ray machines. The Need to Protect Security Information The notice of proposed rulemaking contained a history of how the threat to civil aviation has increased over the years. The FAA monitors potential threats to civil aviation. Terrorist pose an increasingly sophisticated threat to civil aviation. This has led the FAA to reevaluate the release of security information to the public, particularly in response to requests under the FOIA. This information has been termed sensitive security information (SSI). It is important to keep details of security measures and FAA evaluations of security out of the public domain where terrorists could read them. If the information identified in this rule were publicly available, it could reveal potential weaknesses in the current security system. The FAA is mindful of the public's legitimate interest in how the FAA operates and how it regulates the aviation industry, as well as how the industry is carrying out its duties. The FAA has a corresponding responsibility to prevent undue disclosure of information that could compromise public safety if it falls into the wrong hands. The rule has been carefully considered and covers only information [[Page 13737]] that could reasonably be anticipated to be damaging to the security of the traveling public if given to unauthorized persons. Security programs are absolutely essential mechanisms through which the FAA regulates the air carriers' and airports' detailed obligations with respect to ensuring civil aviation security. Much of the effectiveness of the programs depends on strictly limiting access to such information to those persons who have a need-to-know. Unauthorized disclosure of the specific provisions of the air carrier and airport security programs or other aviation security information would allow potential attackers of civil aviation to devise methods to circumvent or otherwise defeat the security provisions. It would also discount the deterrent effect inherently provided in prohibiting disclosure of security measures that may or may not be in place. There are sophisticated criminal elements who actively seek information on what seemingly are minor security points, with a view to accumulating a larger picture of the entire security program. Therefore, it is imperative that the entire security program be protected. Similarly, it is critical to protect the information contained in Security Directives and Information Circulars. These documents contain detailed information on threats that the FAA has identified, and the measures to counter those threats. The unauthorized release of that information could compromise those countermeasures. In addition, particular information regarding FAA approved security devices, such as metal detectors, should also be protected to the extent possible. Current Protection of Security Information Currently, the FAA, airport operators, air carriers, indirect air carriers, and foreign air carriers are required to restrict the availability of information contained in security programs to those with a need-to-know, and to refer requests for such information by other persons to the FAA. These requirements are in Secs. 107.3(e), 108.7(c) (4) and (5), 109.3(c), and foreign air carrier security programs. In addition, Sec. 108.18(d) specifically requires both air carriers and individuals to restrict the availability of Security Directives and Information Circulars, and the information contained therein, to persons with a need-to-know. However, individuals who work for or perform activities in support of the air carriers are not required to protect other security information. Part 191 states when the FAA will withhold certain requested information from public disclosure, such as when requested under the Freedom of Information Act (FOIA) (5 U.S.C. 552), in litigation, or in rulemaking. Part 191 currently applies only to the FAA, and does not specify all of the sources of SSI that should be covered. Civil aviation security information protected under the Federal Aviation Regulations is different from Classified National Security Information governed by Executive Order 12598 and related orders, statutes, and rules. The Executive Order provides for classifying information as Top Secret, Secret, and Confidential, and covers a wide range of information affecting the national security. All persons with access to such information must have an appropriate security clearance, and there may be a criminal penalty for misuse of the information. While there is some ``classified'' civil aviation security information, part 191 is not directed to the handling of classified information. Indeed, part 191 is needed because the SSI is not National Security Information and therefore is not subject to the controls that apply to such information. This final rule improves the protection of SSI by amending parts 107, 108, 109, 129, and 191 as described more fully later in the document. Discussion of Comments The FAA published Notice of Proposed Rulemaking No. 94-32 on December 6, 1994 (59 FR 62956). In response to Notice No. 94-32, 17 comments were received from a total of 18 commenters, 2 commenters having jointly submitted 1 comment. Five commenters state that the proposed language in proposed Sec. 191.5(a) on the release of SSI is too broad. Of these, two commenters ask the FAA to limit this language by linking the enforcement of SSI unauthorized releases to significant compromises of security or those that result in an actual security incident. The FAA believes the suggested language would weaken the rule. The FAA should not have to wait to see if the improperly released or compromised information is actually misused before taking action against the person(s) who released it. On the contrary, one purpose of the rule is to have more clear and consistent guidance as to what must be protected. In every case in which the FAA considers what enforcement action to take in response to a violation, however, the FAA considers all factors, including the potential or actual adverse impact on safety or security. The same two commenters also share the view that the FAA should limit the geographic scope of airport security programs solely to that area where scheduled carriers operate. These commenters argue that this geographic limitation would remove general aviation operations from the Air Operations Area (AOA), reducing the number of individuals with a ``need-to-know'' and thereby reducing the potential for the release of SSI. The FAA finds that the scope of the airport security program would be more appropriately addressed in Part 107. If needed, airport operators may contact their cognizant FAA security office for a re- evaluation of the geographic areas in which security measures are applied. Six commenters request the addition of language to proposed Sec. 191.5 (a) or (d) to make clear that, if an air carrier or airport operator has established a reasonable procedure for the control of sensitive information and has not been negligent in monitoring compliance with this procedure, the air carrier or airport operator would not be held to a standard of strict liability for disclosures made by individuals. Currently Sec. 108.7(c)(4) requires each air carrier to ``restrict the availability of information contained in the security program to those persons with an operational need-to-know * * *'' Current Sec. 107.3(e) requires in part that each airport operator ``restrict the distribution, disclosure, and availability of information contained in the security program to those persons with an operational need-to- know * * *'' Proposed Sec. 191.5(a) would impose similar duties on airport operators and air carriers, stating that they must ``restrict disclosure of and access to sensitive security information to persons with a need-to-know, * * *'' The FAA is not aware that any instance in which an air carrier or airport operator allegedly has been held to an unduly strict standard for compliance with the current rules. Accordingly, no change is needed to the proposal. Two commenters indicate that, when the FAA releases a Security Directive to the air carriers, the air carriers' principal means of dissemination to the affected locations throughout the world are via facsimile, teletype, and electronic mail messages. The commenters indicate that remote facsimile machines, high speed printers, and computers often are not located in secured areas and operate on a 24- hour schedule due to differences in time zones. The commenters state that, unlike certain government agencies that routinely handle SSI, there are very few air carrier employees, and even fewer contract workers, who hold a [[Page 13738]] Department of Defense (DOD)-approved SECRET clearance. Nonetheless, the commenters say they do support the premise that individuals should be penalized if they have acted imprudently or knowingly disregarded the instructions of their employers. The commenters state that even with the clearest of instructions regarding the protection of the information, it is unreasonable to expect air carriers to be totally responsible for the actions of a large number of individuals. As noted earlier in this document, the air carriers' responsibility under the rule will be similar to their responsibilities under the current rule, and air carriers that are in compliance now need not change their procedures. SSI is not Classified National Security Information, and no Secret clearance issued by the Federal government is required to gain access to it. The FAA realizes that certain employees will have access to SSI simply because they must retrieve the information from facsimile machines and the like, although they do not have responsibility to carry out the security program. All such employees, however, are responsible for protecting the information from unauthorized disclosure. Three commenters ask how agencies or persons, included within the scope of the proposed regulation, should respond to Freedom of Information Act (FOIA) or Open Records Act (ORA) requests for unclassified security information, in the event the proposed regulation is promulgated as written. The requirement to make records available under the FOIA does not apply to matters that are specifically exempted from disclosure by statute (5 U.S.C. 552(b)(3)). Under 49 U.S.C. 40119, the information described in the rule is exempt by statute from disclosure. When the FAA receives requests under FOIA for SSI, the FAA will deny the information in accordance with Sec. 191.3. As to requests for information under state and local freedom of information acts or open records acts, Sec. 191.5(a) provides that requests for SSI be referred to the Administrator. The FAA works with the airports and air carriers to determine what records or portions of records should remain undisclosed, and what may be released. Ten commenters state that the proposed regulation restricts, too severely, the disclosure of SSI. Three of these commenters object that the proposed language may prohibit disclosure of security information to a carrier president, outside counsel, consultant, or management personnel who do not personally perform or directly supervise security activities. Five commenters indicate that the carriers may be required to inform parties other than those with a need-to-know of certain security requirements or procedures. Such parties may include travel agents, passengers, contractors, and internal personnel who develop procedures to ensure effective passenger, cargo, and baggage processing for the air carrier. The FAA believes that the definition of ``need-to-know'' as proposed would have provided for dissemination of information to travel agents, passengers, contractors, and internal personnel, when such dissemination is necessary to carry out security duties. The FAA agrees, however, that the proposed definition could have been read as more limiting than intended, as to some persons. Various high level officials must be apprised of the information, even though they may not personally carry out the security requirements. Further, persons who represent the air carriers and airport operators, such as attorneys and industry associations, may have a need-to-know, in order to be able to represent their clients. In order to avoid misunderstanding, the FAA is clarifying the definition of need-to-know in Sec. 191.5(b) to read as follows: A person has a need-to-know sensitive security information when the information is necessary to carry out FAA-approved or directed aviation security duties; when the information is necessary to supervise or otherwise manage the individuals carrying out such duties; to advise the airport operator, air carrier, indirect air carrier, or foreign air carrier regarding the specific requirements of any FAA security related requirements; or to represent the airport operator, air carrier, indirect air carrier, or foreign air carrier, or person receiving information under Sec. 191.3(d) in connection with any judicial or administrative proceeding regarding those requirements. For some specific information, the Administrator may specify which persons, or classes of persons, have a need-to-know. Three commenters indicate that contractors who are bidding on a job inside the security identification display area (SIDA) need to know that the procedures are for ID applications and employment history checks in order to price their bids correctly. One of these commenters states that ``each person issued an airport identification badge has a need to know certain details of the Airport Security Program.'' The definition of ``need-to-know'' in Sec. 191.5(b) includes the need for the information to carry out FAA approved or directed aviation security duties. When a contractor needs the procedures for ID applications and employment checks in order to comply with FAA rules and the airport security program, the contractor has a ``need-to-know'' within the meaning of the rule. Such releases of information must be limited only to the information needed to comply. One commenter states that, in most international locations, air carriers do not provide their own security. According to this commenter, the security at international locations comes in the form of assistance provided by the host government. This commenter states that, in order to carry out some of the FAA-mandated security directives, some portion of those directives must be disclosed to the host government. In this commenter's opinion, the proposed draft acknowledges that the foreign government has a need-to-know in the case of a foreign air carrier, but not necessarily in connection with the overseas operation of a U.S. air carrier. The FAA finds that the foreign government would also meet the need- to-know requirement in connection with the overseas operations of a U.S. air carrier. Procedures have already been established through FAA liaison personnel and the State Department to communicate necessary security information. Two commenters state that many airport operators must supply monthly confiscated weapons reports or incident reports to other official bodies, sometimes for the purpose of prosecution at the local level. Another commenter notes that, local law enforcement or legislative requirements may require disclosure of certain security information to persons otherwise without a ``need-to-know'' as part of normal reporting requirements. This commenter requests coordination among industry and FAA personnel before the FAA designates information as ``sensitive.'' It appears that most confiscated weapons reports would not be SSI, if the airport operator is releasing the report. Section 191.7(h) makes such information SSI only as to release by the FAA. As to the release of other information to law enforcement officials, or in response to other legislative requirements, the airport operator should contact the FAA to discuss specific needs. Some of the information the commenter is concerned about may not be SSI under the rule. As to information that is SSI, the FAA may approve release to specific states and local officials with appropriate safeguards to prevent its dissemination to unauthorized persons. [[Page 13739]] One commenter indicates that, if sensitive information concerns a specific airport, persons having a need-to-know should include, at a minimum, the designated Airport Security Coordinator(s). This commenter also states that Coordinators should have the authority to disseminate such information themselves on a need-to-know basis among parties at the airport or within the same airport authority. The FAA agrees with the commenter to the extent that the need-to- know requirements apply. One commenter states that the proposed disclosure limitations may preclude carriers from seeking assistance form government agencies or other law enforcement authorities when faced with unusual security situations or threats. It appears that, if the air carrier is seeking assistance to respond to security situations or threats, there is a need-to-know within the meaning of the rule. Of course, the agency or authority should be informed of the nature of the information and the need to not release it to unauthorized persons. One commenter asks that proposed Sec. 191.5(c) be modified to include whistle-blower protection for the entity that advises the FAA that a breach of security has occurred. This commenter observes that, ``without a safeguard, there will be a tendency for parties * * * not to advise the FAA (that a breach of security has occurred) in the hope that they would not be caught * * *.'' The primary purpose of Sec. 191.5(c) is to permit the FAA to evaluate the release of information and determine whether there is a need to act to mitigate any vulnerability the release might have caused. The fact that a person self-discloses a failure to comply with the rule is given significant weight in determining what, if any, action should be taken as to that person. In the end, the choice of action involves the exercise of prosecutorial discretion, and will be considered in the context of policies involving enforcement in general. Four commenters ask for modification of proposed Sec. 191.5(d) to specify the FAA's criteria for adequate restriction of access to, or disclosure of, sensitive information; to clarify what changes might be recommended by the FAA to security procedures; and to state the actions that may be included in the phrase ``other enforcement or corrective action,'' including potential criminal prosecution. As noted previously, the air carriers' and airport operators' responsibilities under the new rule are similar to their responsibilities under the current rules. Procedures that are appropriate under the current rules should be continued. and a similar level of protection should be used for other SSI. It is not possible to list changes to security procedures that might be required after an unauthorized release of those procedures. It would depend on what information was released, the apparent security risk resulting from the release, and what other measures might be considered appropriate alternatives to those that were compromised. In addition, the FAA might consider requiring changes to the way SSI was handled or disseminated, if it was discovered that the air carrier or airport operator had inadequate procedures. The types of possible action the FAA might take in response to a violation are set forth in the statute and FAA Order 2150.3A, compliance and Enforcement Program. These include such actions as counseling, corrective action, civil penalties. and certificate action (such as suspension or revocation of a certificate). In appropriate cases, the FAA may refer a matter to proper authorities for criminal prosecution. Two commenters request modification of proposed Sec. 191.7 to list, as completely as possible, the specific categories of information which fall within the meaning of the phrase SSI. These commenters state that such a list should include training programs and records of practice exercise as a category. The entire training program of an air carrier is not normally SSI. However, the program contains SSI, such as specifications of test objects and security devices, and sensitive procedures. Under Sec. 191.7, the portions of the training programs containing SSI must be protected, but the rest is not subject to this rule. Similarly, training records are not normally considered SSI in themselves, because they normally do not contain SSI. They may simply indicate the dates that the screeners completed their training, for instance. Such records are a general means by which the FAA monitors industry compliance with specific requirements, and therefore would not require protection in accordance with Sec. 191.7. However, there are occasions when information related to ``sensitive activities,'' such as practical exercise, which falls under the purview of )191.7(d), is included in training records. Under these circumstances, these particular training records would be subject to part 191 controls. These two commenters also ask whether the airport boundary descriptions found in airport security plans are SSI, whether information that is readily available elsewhere become SSI by being included in an airport security plan, whether partial disclosures of information contained in an airport security plan might violate the proposed regulation, and if so, what the threshold of violation by partial disclosure might be. Informaiton that is not in the security plan or otherwise listed in Sec. 191.7 is not SSI under this rule. Because the airport boundary descriptions are readily available elsewhere, they can be released in the form that is available elsewhere without violating the new rule. These commenters also suggest that the FAA reconsider the necessity of designating all threat information as sensitive. According to these commenters, it would be more efficient to draw a distinction between information regarding general trends in terrorist technology and possible responses, which is largely in the public domain and should not be subjected to extensive disclosure protection, and known, specific threats. It is not clear to which portion of the rule the commenters are objecting. New Sec. 191.7(i) (proposed as Sec. 191.7(h)(1)) makes threat information SSI only as to release by the FAA, which means that the FAA may decline to release the information. That section does not require the airport operator or air carrier to protect the information. Airport operators and air carriers are required to protect threat information that may be a part of security program amendments, Security Directives, and Information Circulars, because they are protected under Sec. 191.7 (a) and (b). It should also be noted that general trends in terrorist technology and possible responses often is non-public, and may even be Classified National Security Information. Two commenters state that the FAA cost/benefit analysis is not correct. Of these, one commenter states that evidence does not exist to support the FAA's portrayal of the terrorist threat to civil aviation, as found in the section of the NPRM titled ``The Need To Protect Security Information.'' The FAA disagrees with this commenter. The information reflected in the ``Need To Protect Security Information'' section of the NPRM is based on a complete analysis of the best threat information available. The other commenter in this group states that, if the proposed regulation is adopted, the air carriers will have to inform their employees of the new regulations and will also have to design [[Page 13740]] a more sophisticated tracking system in order to trace the dissemination of security information. Dollars will have to be spent to secure information in safes, locked rooms, and to purchase shredders and conduct audits. The commenters state that there is the potential cost to the carriers to investigate and respond to FAA allegations of noncompliance, which more often than not results in a civil penalty. Again, the air carriers' and airport operators' responsibilities under the new rules are similar to their responsibilities under the current rules. Procedures that are appropriate under the current rules should be continued, and a similar level of protection should be used for all designated SSI. One commenter indicates that the FAA has underestimated the proposed regulation's constitutional implications for restriction of freedom of speech. The commenter does not provide an analysis as to how the Constitution protections of freedom of speech are violated. The FAA considers that restricting dissemination of the information described in the rule is necessary to protect the traveling public from persons who would seek to commit acts of criminal violence or aircraft piracy. The FAA has attempted to include as little information as is reasonably necessary to adequately protect the public. The Rule As Adopted Part 191 Part 191 sets forth the rules that allow the FAA to withhold information from public disclosure. This final rule amends and reorganizes part 191 as follows: Section 191.1 is expanded to apply not only to the FAA, but also to air carriers, airport operators, indirect air carriers, foreign air carriers, and individuals. As discussed later in this document, parts 107, 108, 109, and 129 still would contain some requirements regarding the protection of information, but part 191 would be the primary rule for withholding information from unauthorized disclosure. Section 191.1(a) is amended to conform to the current statute. In 1976, the FAA promulgated part 191 to implement the Air Transportation Act of 1974, Public Law 93-366. Section 316(d)(2) of the Federal Aviation Act of 1958, as amended, provided, in part, that the Administrator shall prescribe regulations to ``prohibit disclosure of any information obtained or developed in the conduct of research and development activities'' if the disclosure meets certain conditions. This section is a major basis for the current rules in part 191 on withholding information from unauthorized disclosure. In 1990, section 316(d)(2) was amended to provide that the Administrator shall adopt rules to prohibit disclosure of ``any information obtained in the conduct of security or research and development activities. * * *'' Section 9121 of the Aviation Safety and Capacity Expansion Act of 1990 (Pub. L. 101-508) (emphasis added). In 1994 this section was recodified, and now appears at 49 U.S.C. 40119. This final rule amends Sec. 191.1(a), to protect information obtained during the course of specified security activities. This final rule also removes from the title of part 191 reference to the 1974 Act, to avoid any implication that it is the only source of statutory authority for the part. Section 191.1(b) now defines ``record,'' in part, as ``documentary'' material. This final rule removes the word ``documentary.'' It addresses all methods of preserving information, including computer records. This would avoid any misunderstanding over whether such records were ``documentary.'' Part 191 now refers to the ``Director of Civil Aviation Security'' as the official who makes the determination on behalf of the Administrator to withhold information. Under internal FAA reorganization, the current title of this position is Associate Administrator for Civil Aviation Security, however, 49 U.S.C. 44932 refers to this official as Assistant Administrator for Civil Aviation Security. Therefore, part 191, as adopted, used the title ``Assistant Administrator for Civil Aviation Security.'' In addition, the Deputy Assistant Administrator for Civil Aviation Security (currently called the Deputy Associate Administrator for Civil Aviation Security) and any individual formally designated to act in the capacity of the Assistant Administrator or the Deputy, now has the authority to make such determinations. For decisions involving information and records described in Sec. 191.7 (a) through (g), and related documents in (l), Sec. 191.1(c) permits delegation below the Assistant Administrator level. The information that is described in Sec. 191.7 (a) through (g) is well- defined, and decisions on release or withholding of the information involves relatively objective judgments. Section 191.7 (h), (i), (j), (k), and related documents described in (l), require more subjective judgments. A decision to release or withhold information under these paragraphs requires a careful evaluation of the need to provide the highest level of security to the traveling public by preventing SSI from falling into the wrong hands, balanced by an awareness of the public's strong interest in obtaining information about security in air transportation. These decisions require a careful evaluation of security threats as well as important policies of the agency. Therefore, this rule requires that such decisions be made by high policy-level officials, and not below the Assistant Administrator and Deputy Assistant Administrator level. The Assistant Administrator is responsible for carrying out the agency's civil aviation security program, and reports directly to the Administrator. Section 191.3 continues to state generally that the FAA withholds certain information, but has been clarified to state that part 191 applies, notwithstanding FOIA and other disclosure statutes. For example, the FAA may adopt certain security rules affecting air carriers and airports without disclosing the rules to unauthorized persons. Additionally, this rule will move the provisions that describe the circumstances under which the FAA prohibits disclosure of information from Sec. 191.5 to Sec. 191.3(b). New Sec. 191.3(d) is added to clarify how SSI is handled during enforcement actions. When the FAA initiates legal enforcement action in a matter involving security, if the alleged violator or his designated representative so requests, the Chief Counsel, or designee, may provide copies of portions of the enforcement investigative report (EIR), including SSI. This information may be released only to the alleged violator or designated representative for the sole purpose of providing the information necessary to prepare a response to the allegations contained in the legal enforcement action document. Such information is not released under the FOIA. Whenever such documents are provided to an alleged violator or designated representative, the Chief Counsel or designee advises the alleged violator or designated representative that: (a) The documents are provided for the sole purpose of providing the information necessary to respond to the allegations contained in the legal enforcement action document; and (b) SSI contained in the documents provided must be maintained in a confidential manner to prevent compromising civil aviation security. Section 191.5, as adopted, contains the requirements that apply to persons other than the FAA. Such persons [[Page 13741]] include air carriers, airport operators, indirect air carriers, foreign air carriers, and persons who receive SSI in connection with enforcement actions, and individuals employed by, or contracted by, air carriers, airport operators, indirect air carriers, foreign air carriers, and persons who receive SSI in enforcement actions. This section is intended to be very inclusive. A difficult aspect of protecting SSI is that a large number of persons must be aware of at least portions of the information in order to carry out their duties including pilots, flight attendants, ticket agents, screeners, baggage handlers, and law enforcement officers. Frequently, some of these people are not direct employees of the air carrier or airport operator, but they do carry out duties for, or on behalf of, the air carrier or airport operator. For example, in many cases, screeners and law enforcement officers are not directly employed by air carriers or airport operators, but do have important security responsibilities to carry out. This section is intended to cover all such persons who have access to SSI. It should be emphasized, however, that airports and air carriers will continue to have the responsibility they now have to protect SSI. If SSI is released to unauthorized persons, depending upon the circumstances, the FAA may hold the airport or air carrier, as well as the individual accountable. Section 191.5(a) states the general requirement that disclosure of, and access to, SSI shall be restricted to persons with a need-to-know. Section 191.5(b) defines need-to-know as when the information is necessary to carry out FAA-approved or directed aviation security duties; when the information is necessary to supervise or otherwise manage the individuals directly carrying out such duties; to advise the airport operator, air carrier, indirect air carrier, or foreign air carrier regarding the specific requirements of any FAA security related requirements; or to represent the airport operator, air carrier, indirect air carrier, or foreign air carrier, or person receiving information under Sec. 191.3(d) in connection with any judicial or administrative proceeding regarding those requirements. In most cases, the air carrier or airport operator has the discretion to decide who in its organization has a need to know SSI. There are times, however, when information is so sensitive that extra measures should be taken to protect that information from release to those without a need-to-know. The rule would, therefore, provide that for some specific information the Administrator may make a finding that only specific persons, or classes of persons, have a need-to-know. Section 191.5(c) requires that, if sensitive security information is released to unauthorized persons, the FAA must be notified. This will permit the FAA to evaluate the risk presented by the release of the information, and to take whatever action may be needed to mitigate that risk. Section 191.5(d) alerts persons that violations may result in a civil penalty or other action by the FAA. The FAA may take a broad range of enforcement action for violation of the regulations. The FAA anticipates that civil penalty action will be considered for a violation of part 191, as it is for violations of parts 107 and 108. However, the FAA may seek enforcement action deemed appropriate based on individual circumstances of the case. Further, the FAA may take action to mitigate or correct the risk posed by the violation. Such actions may include requiring air carriers or airport operators to change their procedures for protecting security information, or change the security procedures in place that may have been compromised by unauthorized release of the information. New Sec. 191.7 describes information that is protected from public disclosure. Some of this information is now specifically described in current Sec. 191.3, and the rest the FAA now withholds based on findings under current Sec. 191.5, in that disclosure of this information would be detrimental to the safety of persons traveling in air transportation or intrastate air transportation. These findings are set forth in written denials of FOIA requests for such information, and in declarations submitted to judges to seek protection of information in litigation cases. To better inform the public of the information prohibited from unauthorized release, this rule adds this information to new Sec. 191.7. The introductory text of Sec. 191.7 provides that the specified information is SSI, ``except as otherwise provided in writing by the Administrator.'' This exception serves two functions. First, some SSI contains information that is released to the public, and the FAA may issue press releases and otherwise make this information available. Air carriers and others would not be expected to protect those details. Second, the Administrator may release some other SSI to help achieve compliance with the security requirements. In rare circumstances the FAA has released summary information regarding air carriers' failures to fully carry out their security duties, which assisted in bringing them into compliance. In such cases, the FAA must determine whether security will be better served by maintaining the confidentiality of the information, or to release some portions of it to help achieve compliance with the security standards. The introductory text of Sec. 191.7 also refers to ``records containing such information'' as being SSI. This would include, for instance, interpretations that contain information on the contents of security programs and other SSI. Section 191.7(a) retains the current requirements to protect any approved or standard security program for an air carrier, indirect air carrier, airport operator, or foreign air carrier. It also is clarified to protect any security program that relates to United States mail to be transported by air (including that of the United States Postal Service and of the Department of Defense). This rule expands this provision to include any comments, instructions, or implementing guidance pertaining to these security programs. Generally, these materials reveal some or all of the sensitive information and must be protected the same as the security programs themselves. Section 191.7(b) is revised to include any comments, instructions, or implementing guidance pertaining to Security Directives and Information Circulars. New Sec. 191.7(c) lists any profile used in any security screening process, including persons, baggage, or cargo. Hijacker and baggage screening profiles were previously addressed in current Sec. 191.3(b) (1) and (2). This rule now makes those profiles general to cover screening persons, because there are systems in place to protect against terrorists and others who might seek to commit criminal violence, not just hijackers. This rule addresses cargo profiles because, like baggage, cargo is a potential tool for criminal violence that the security rules cover. Section 191.7(d) includes any security contingency plan or information and any comments, instructions, or implementing guidance pertaining thereto. These plans, when adopted, become part of the security program and are already covered by rules governing security programs; however, they are included in Sec. 191.7 for emphasis. This rule deletes the provisions currently in current Sec. 191.3(b)(6), pertaining to the technical specifications for devices for protection against, or detection of, cargo theft. Such devices are not directly used to meet the requirements for civil aviation security under the FAA regulations. Any devices that serve a dual function of protecting cargo and security are [[Page 13742]] protected under other provisions in this section. Section 191.7(e) covers the technical specifications of any device used for the detection of any ``deadly or dangerous weapon, explosive, incendiary, or destructive substance.'' It is essentially the same as the current Sec. 191.3(b)(5) which used the words ``explosive or incendiary device or weapon,'' with the addition of the phrase ``destructive substance.'' That phrase is used in 49 U.S.C. 44902 in reference to searching persons and property to be carried aboard aircraft. Section 191.7(f) addresses the descriptions of and technical specifications of objects used to test screening equipment and equipment parameters. Knowledge of this test equipment and parameters could lead to a plan to defeat those devices. Accordingly, details of such devices should be protected. Section 191.7(g) addresses the technical specifications of any security communications equipment and procedures. Knowledge of security communication equipment and procedures could lead to a plan to defeat those devices. Accordingly, details of such devices should be protected. Section 191.7(h) addresses release of certain information relating to violation of the security rules. Section 191.7(h) applies only to the release of information by the FAA. There is less risk of harm from casual disclosure of this information by individuals. The FAA, however, has information regarding the entire security system. Release of significant amounts of such information by the FAA could permit someone to attempt to identify weaknesses in the system that might be exploited. The notice proposed in Sec. 191.7(h)(2) to withhold the details of alleged violations of parts 107, 108, 109, or 129, including the airport name, the location of the gate or access point; the air carrier, indirect air carrier, or foreign air carrier, and any information that could reasonably lead to the disclosure of such details. After further consideration, the FAA has determined that this proposed policy was more restrictive than necessary. The rule as adopted makes a distinction between information based on the time since the incident occurred. In the first 12 months, there is the highest level of concern that information could be used to identify an apparent weakness that an unauthorized person may seek to exploit. After 12 months, there has been sufficient passage of time, including an opportunity to correct any deficiency in the system, to make that information less useful in identifying apparent weaknesses. Section 191.7(h) as adopted provides generally for withholding any information that the Administrator has determined may reveal a systemic vulnerability of the aviation system or a vulnerability of aviation facilities to attack. This is defined to include certain details of inspections, investigations, and alleged violations and findings of violations of 14 CFR parts 107, 108, or 109, or Secs. 129.25, 129.26, or 129.27, and any information that could lead to the disclosure of such details. For events that occurred less than 12 months before the date of the release of the information, the FAA will not release the name of an airport where a violation occurred, the regional identifier in the case number, a description of the violation, the regulation allegedly violated, and the identity of the air carrier in connection with specific locations or specific security procedures. The FAA may release summaries of an air carrier's total security violations in a specified time range without identifying specific violations. Summaries may include total enforcement actions, total proposed civil penalty amounts, total assessed civil penalty amounts, number of cases opened, number of cases referred by Civil Aviation Security to FAA counsel for legal enforcement action, and number of cases closed. For events that occurred 12 months or more before the date of the release of the information, FAA will not release the specific gate or other location on an airport where the event occurred. In addition, the FAA will not release the identity of the FAA special agent who conducted the investigation or inspection, or security information or data developed during FAA evaluations of the air carriers and airports and the implementation of the security programs, including air carrier and airport inspections and screening points tests or methods for evaluating such tests. Section 191.7(i) (proposed as Sec. 191.7(h)(1)) covers release by the FAA of information concerning threats against civil aviation. This paragraph specifically applies only to release of information by the FAA. However, threat information may also be contained in Security Directives, Information Circulars, or other documents that air carriers and others must protect under other provision of this section. Section 191.7(j) further clarifies that the FAA does not release, and others should not release, certain details of security measures not otherwise listed in this section, such as information regarding Federal Air Marshals. Release of such information to unauthorized persons could not only compromise security, it could place Federal Air Marshals in danger. Secton 191.7(k) includes any other information that the Administrator determines should not be disclosed under the criteria in Sec. 191.3(b). While we have attempted to anticipate all sources of information that should be protected from unauthorized disclosure, additional information may be discovered in the future. This section allows the Administrator to determine whether that additional information should or should not be considered as SSI. Section 191.7(1) includes any draft, proposed, or recommended changes to SSI or records. The FAA frequently issues proposed revisions for sensitive security documents to air carriers and airports operators and requests comments on the proposals. These proposals contain SSI that also should be protected. Parts 107, 108, 109 and 129 This rule change also affects those specific sections of parts 107, 108, 109, and 129 which require airport operators, air carriers, indirect air carriers, and foreign air carriers to protect security information and direct requests for such information to the administrator as required in part 191. All changes to parts 107, 108, 109, and 129 correspond to, and are redundant with, changes made to part 191 because airport operators, air carriers, and foreign air carriers refer to their specific parts of Title 14 CFR for security requirements. Including a cross-reference to part 191 in parts 107, 108, 109, and 129, alerts airport operators and air carriers to the new requirements, and makes it clear that part 191 is part of their security duties. Paperwork Reduction Act In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)), there are not requirements for information collection associated with this final rule. International Compatibility The FAA has reviewed corresponding International Civil Aviation Organization international standards and recommended practices and Joint Aviation Airworthiness Authorities requirements and has identified no differences in these amendments and the foreign regulations. [[Page 13743]] Regulatory Evaluation Summary Benefits and Costs Changes to Federal regulations must undergo several economic analyses. First, Executive Order 12866 directs that each Federal agency shall propose or adopt a regulation only upon a reasoned determination that the benefits of the intended regulation justify its costs. Second, the Regulatory Flexibility Act of 1980 requires agencies to analyze the economic effect of regulatory changes on small entities. Third, the Office of Management and Budget directs agencies to assess the effect of regulatory changes on international trade. In conducting these analyses, the FAA has determined that this rule is not ``a significant regulatory action'' as defined in the Executive Order and the Department of Transportation Regulatory Policies and Procedures. This rule will not have a significant impact on a substantial number of small entities and will not constitute a barrier to international trade. A detailed discussion of costs and benefits is contained in the full evaluation in the docket for this Final rule. The costs and benefits associated with this Final rule are summarized as follows. Air carriers and airports have security programs which are intended to protect the public from the threat of aircraft hijacking and other criminal activities affecting air transportation. The FAA proposes to strengthen the rules protecting security-related information from being released to unauthorized persons. The current rules fail to require individuals to protect sensitive security information that is in their control, and specify all sensitive security information that should be protected from public disclosure. The unauthorized disclosure of any of the information contained in these security programs can have a detrimental effect on the ability to thwart terrorist and other criminal activities. This final rule will amend parts 107, 108, 109, and 129 to restrict the distribution, disclosure, and availability of specific sensitive security information, which will be defined in part 191, to persons with a need- to-know. Because this fine rule will not be included in the airport or the air carrier security programs, and because there are no specific requirements for safes, locked files, or enhanced security equipment, affected entities will not incur any costs to implement these proposed requirements. Much of the air carrier and airport security program effectiveness depends on strictly limiting access to sensitive security information to those persons who have a need to know. Sophisticated criminal elements are actively seeking ways to obtain information regarding the methods and procedures used by the FAA, air carriers, and airports to guard against terrorist activities. The accumulation of seemingly minor security details can enable the criminal element to piece together a larger picture of the entire security program. Therefore, it is imperative that the entire security program be protected. The consequences of not protecting such information can be catastrophic. Between 1982 and 1991, terrorist bombings of U.S. air carriers have resulted in 275 deaths and 24 injuries, while hijackings incidents have resulted in 24 deaths and 127 injuries. Given the absence of cost and the potential benefits of avoided fatalities and injuries, this final rule is cost beneficial. Regulatory Flexibility Determination The Regulatory Flexibility Act of 1980 (RFA) was enacted by Congress to ensure that small entities are not unnecessarily burdened by government regulations. The RFA requires agencies to review rules that may have a ``significant economic impact on a substantial number of small entities.'' FAA Order 2100.14A, Regulatory Flexibility Criteria and Guidance, establishes threshold costs and small entity size standards for complying with RFA requirements. There is no cost associated with this rule; therefore, it does not have a significant economic impact on a substantial number of small entities. International Trade Impact Statement In accordance with the Office of Management and Budget memorandum dated March 1983, federal agencies engaged in rulemaking activities are required to assess the effects of regulatory changes on international trade. The FAA finds that this rule will not have an adverse impact on trade opportunities for either U.S. firms doing business overseas or foreign firms doing business in the United States. This rule will impose no costs on both domestic and foreign air carriers, so neither would have a trade advantage over the other. Federalism Implications This rule will not have a substantial direct effect on the states, on the relationship between the national government and the states, or on the distribution of power and responsibilities among the various levels of government. Therefore, in accordance with Executive Order 12612, it is determined that this rule does not have sufficient federalism implications to warrant preparation of a Federalism Assessment. Conclusion For the reasons discussed above, and based on the findings in the Regulatory Flexibility Determination and the International Trade Impact Statement, the FAA certifies that this regulation will not have a significant economic impact, positive or negative, on a substantial number of small entities under the criteria of the Regulatory Flexibility Act. This rule is not considered a ``significant regulatory action'' under Executive Order 12866 and is considered nonsignificant under Order DOT 2100.5, Policies and Procedures for Simplification, Analysis, and Review of Regulations. A regulatory evaluation of the rule, including a Regulatory Flexibility Determination and international Trade Impact Analysis, has been placed in the docket. A copy may be obtained by contracting the person identified under FOR FURTHER INFORMATION CONTACT. List of Subjects 14 CFR Part 107 Airports, Arms and munitions, Law enforcement officers, Reporting and recordkeeping requirements, Security measures. 14 CFR Part 108 Air carriers, Aircraft, Airmen, Airports, Arms and munitions, Explosives, Law enforcement officers, Reporting and recordkeeping requirements, Security measures, X-rays. 14 CFR Part 109 Air carriers, Aircraft, Freight forwarders, Security measures. 14 CFR Part 129 Air carriers, Aircraft, Aviation safety, Reporting and recordkeeping requirements, Security measures, Smoking. 14 CFR Part 191 Air transportation, Security measures. The Amendment Accordingly, the Federal Aviation Administration amends parts 107, 108, 109, 129, and 191 of Title 14, Code of Federal Regulations (14 CFR parts 107, 108, 109, 129, and 191) as follows: [[Page 13744]] PART 107--AIRPORT SECURITY 1. The authority citation for part 107 continues to read as follows: Authority: 49 U.S.C. 106(g), 5103, 40113, 40119, 44701-44702, 44706, 44901-44905, 44907, 44913-44914, 44932, 44935-44936, 46105. 2. Section 107.3 is amended by revising paragraph (e) to read as follows: Sec. 107.3 Security program. * * * * * (e) Each airport operator shall-- (1) Restrict the distribution, disclosure, and availability of sensitive security information, as defined in part 191 of this chapter, to persons with a need-to-know; and (2) Refer requests for security sensitive information by other persons to the Assistant Administrator for Civil Aviation Security. PART 108--AIRPLANE OPERATOR SECURITY 3. The authority citation for part 108 continues to read as follows: Authority: 49 U.S.C. 106(g), 5103, 40113, 40119, 44701-44702, 44705, 44901-44905, 44907, 44913-44914, 44932, 44935-44936, 46105. 4. Section 108.7 is amended by revising paragraphs (c)(4) and (c)(5) to read as follows: Sec. 108.7 Security program: Form, content, and availability. * * * * * (c) * * * (4) Restrict the distribution, disclosure, and availability of sensitive security information, as defined in part 191 of this chapter, to persons with a need-to-know; and (5) Refer requests for sensitive security information by other persons to the Assistant Administrator for Civil Aviation Security. PART 109--INDIRECT AIR CARRIER SECURITY 5. The authority citation for part 109 continues to read as follows: Authority: 49 U.S.C. 106(g), 5103, 40113, 40119, 44701-44702, 44705, 44901-44905, 44907, 44913-44914, 44932, 44935-44936, 46105. 6. Section 109.3 is amended by revising paragraph (c) to read as follows: Sec. 109.3 Security program. * * * * * (c) Each indirect air carrier shall-- (1) Restrict the distribution, disclosure, and availability of sensitive security information, as defined in part 191 of this chapter, to persons with a need-to-know; and (2) Refer requests for sensitive security information by other persons to the Assistant Administrator for Civil Aviation Security. PART 129--OPERATIONS: FOREIGN AIR CARRIERS AND FOREIGN OPERATORS OF U.S.-REGISTERED AIRCRAFT ENGAGED IN COMMON CARRIAGE 7. The authority citation for part 129 continues to read as follows: Authority: 49 U.S.C. 106(g), 40104-40105, 40113, 40119, 44701- 44702, 44712, 44716-44717, 44722, 44901-44904, and 44906. 8. Part 129 is amended by adding a new Sec. 129.31 to read as follows: Sec. 129.31 Airplane security. Each foreign air carrier required to adopt and use a security program under Sec. 129.25(b) shall-- (a) Restrict the distribution, disclosure, and availability of sensitive security information, as defined in part 191 of this chapter, to persons with a need-to-know; and (b) Refer requests for sensitive security information by other persons to the Assistant Administrator for Civil Aviation Security. 9. Part 191 is revised to read as follows: PART 191--PROTECTION OF SENSITIVE SECURITY INFORMATION Sec. 191.1 Application and definitions. 191.3 Records and information withheld by the Federal Aviation Administration. 191.5 Records and information protected by others. 191.7 Sensitive security information. Authority: 49 U.S.C. 106(g), 5103, 40113, 40119, 44701-44702, 44705-44706, 44901-44907, 44913-44914, 44932, 44935-44936, 46105. Sec. 191.1 Applicability and definitions. (a) This part governs the release, by the Federal Aviation Administration and by other persons, of records and information that has been obtained or developed during security activities or research and development activities. (b) For purposes of this part, record includes any writing, drawing, map, tape, film, photograph, or other means by which information is preserved. (c) The authority of the Administrator under this part is also exercised by the Assistant Administrator for Civil Aviation Security and the Deputy Assistant Administrator for Civil Aviation Security, and any other individual formally designated to act in their capacity. For matters involving the release or withholding of information and records containing information described in Sec. 191.7 (a) through (g), and related documents described in (l), the authority may be further delegated. For matters involving the release or withholding of information and records containing information described in Sec. 191.7 (h) through (k), and related documents described in (l), the authority may not be further delegated. Sec. 191.3 Records and information withheld by the Federal Aviation Administration. (a) Except as provided in Sec. 191.3 (c) and (d), and notwithstanding 5 U.S.C. 552 or other laws, the records and information described in Secs. 191.7 and 191.3(b) are not available for public inspection or copying, nor is information contained in those records released to the public. (b) The Administrator prohibits disclosure of information developed in the conduct of security or research and development activities under 49 U.S.C. 40119 if, in the opinion of the Administrator, the disclosure of such information would: (1) Constitute an unwarranted invasion of privacy (including, but not limited to, information contained in any personnel, medical, or similar file); (2) Reveal trade secrets or privileged or confidential information obtained from any person; or (3) Be detrimental to the safety of persons traveling in air transportation. (c) If a record contains information that the Administrator determines cannot be disclosed under this part, but also contains information that can be disclosed, the latter information, on proper Freedom of Information Act request, will be provided for public inspection and copying. However, if it is impractical to redact the requested information from the document, the entire document will be withheld from public disclosure. (d) After initiation of legal enforcement action, if the alleged violator or designated representative so requests, the Chief Counsel, or designee, may provide copies of portions of the enforcement investigative report (EIR), including sensitive security information. This information may be released only to the alleged violator or designated representative for the sole purpose of providing the information necessary to prepare a response to the allegations contained in the legal enforcement action document. Such information is not released under the Freedom of Information Act. Whenever such documents are provided to an alleged violator or designated representative, the Chief Counsel or designee advises the alleged violator or designed representative that-- [[Page 13745]] (1) The documents are provided for the sole purpose of providing the information necessary to respond to the allegations contained in the legal enforcement action document; and (2) Sensitive security information contained in the documents provided must be maintained in a confidential manner to prevent compromising civil aviation security, as provided in Sec. 191.5 of this part. Sec. 191.5 Records and information protected by others. (a) Each airport operator, air carrier, indirect air carrier, foreign air carrier, and person receiving information under Sec. 191.3(d) of this part; and each individual employed by, contracted to, or acting for an airport operator, air carrier, indirect air carrier, or foreign air carrier; and each person receiving information under Sec. 191.3(d) of this part, shall restrict disclosure of and access to sensitive security information described in Sec. 191.7 (a) through (g), (j), (k), and as applicable (l), to persons with a need- to-know, and shall refer requests by other persons for such information to the Administrator. (b) A person has a need-to-know sensitive security information when the information is necessary to carry out FAA-approved or directed aviation security duties; when the information is necessary to supervise or otherwise manage the individuals carrying out such duties; to advise the airport operator, air carrier, indirect air carrier, or foreign air carrier regarding the specific requirements of any FAA security related requirements; or to represent the airport operator, air carrier, indirect air carrier, foreign air carrier, or person receiving information under Sec. 191.3(d) of this part, in connection with any judicial or administrative proceeding regarding those requirements. For some specific information the Administrator may make a finding that only specific persons, or classes of persons, have a need-to-know. (c) When sensitive security information is released to unauthorized persons, any air carrier, airport operator, indirect air carrier, foreign air carrier, or individual with knowledge of the release shall inform the Administrator. (d) Violation of this section is grounds for a civil penalty and other enforcement or corrective action by the FAA. Sec. 191.7 Sensitive security information. Except as otherwise provided in writing by the Administrator as necessary in the interest of safety of persons traveling in air transportation, the following information and records containing such information constitute sensitive security information: (a) Any approved or standard security program for an air carrier, foreign air carrier, indirect air carrier, or airport operator, and any security program that relates to United States mail to be transported by air (including that of the United States Postal Service and of the Department of Defense); and any comments, instructions, or implementing guidance pertaining thereto. (b) Security Directives, Information Circulars, and any comments, instructions, or implementing guidance pertaining thereto. (c) Any profile used in any security screening process, including for persons, baggage, or cargo. (d) Any security contingency plan or information and any comments, instructions, or implementing guidance pertaining thereto. (e) Technical specifications of any device used for the detection of any deadly or dangerous weapon, explosive, incendiary, or destructive substance. (f) A description of, or technical specifications of, objects used to test screening equipment and equipment parameters. (g) Technical specifications of any security communications equipment and procedures. (h) As to release of information by the Administrator: Any information that the Administrator has determined may reveal a systemic vulnerability of the aviation system, or a vulnerability of aviation facilities, to attack. This includes, but is not limited to, details of inspections, investigations, and alleged violations and findings of violations parts 107, 108, or 109, or Sec. 129.25, 129.26, of Sec. 129.27 of this chapter, and any information that could lead the disclosure of such details, as follows: (1) As to events that occurred less than 12 months before the date of the release of the information, the following are not released: the name of an airport where a violation occurred, the regional identifier in the case number, a description of the violation, the regulation allegedly violated, and the identity of the air carrier in connection with specific locations or specific security procedures. The FAA may release summaries of an air carrier's total security violations in a specified time range without identifying specific violations. Summaries may include total enforcement actions, total proposed civil penalty amounts, total assessed civil penalty amounts, number of cases opened, number of cases referred by Civil Aviation Security to FAA counsel for legal enforcement action, and number of cases closed. (2) As to events that occurred 12 months or more before the date of the release of information, the specific gate or other location on an airport where an event occurred is not released. (3) The identity of the FAA special agent who conducted the investigation or inspection. (4) Security information or data developed during FAA evaluations of the air carriers and airports and the implementation of the security programs, including air carrier and airport inspections and screening point tests or methods for evaluating such tests. (i) As to release of information by the FAA: Information concerning threats against civil aviation. (j) Specific details of aviation security measures whether applied directly by the FAA or regulated parties. This includes, but is not limited to, information concerning specific numbers of Federal Air Marshals, deployments or missions, and the methods involved in such operations. (k) Any other information, the disclosure of which the Administrator has prohibited under the criteria of 49 U.S.C. 40119. (l) Any draft, proposed, or recommended change to the information and records identified in this paragraph. Issued in Washington, DC on March 13, 1997. Barry Valentine, Acting Administrator. [FR Doc. 97-6948 Filed 3-20-97; 8:45 am] BILLING CODE 4910-13-M