[Federal Register Volume 62, Number 55 (Friday, March 21, 1997)]
[Rules and Regulations]
[Pages 13736-13745]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 97-6948]



[[Page 13735]]

_______________________________________________________________________

Part II





Department of Transportation





_______________________________________________________________________



Federal Aviation Administration



_______________________________________________________________________



14 CFR Part 107, et al.



Sensitive Security Information; Final Rule

  Federal Register / Vol. 62, No. 55 / Friday, March 21, 1997 / Rules 
and Regulations  

[[Page 13736]]



DEPARTMENT OF TRANSPORTATION

Federal Aviation Administration

14 CFR Parts 107, 108, 109, 129, 191

[Docket No. 27965; Amendment Nos. 107-10, 108-15, 109-3, 129-26, and 
191-4]
RIN 2120-AF49


Sensitive Security Information

AGENCY: Federal Aviation Administration (FAA), DOT.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule strengthens the existing rules protecting 
sensitive security information from unauthorized disclosure. Part 191 
is expanded to apply to air carriers, airport operators, indirect air 
carriers, foreign air carriers, and individuals, and specifies in more 
detail what sensitive security information they must protect. Part 191 
continues to describe what information is protected from disclosure by 
the FAA, and describes in more detail that information. This final rule 
also changes part 107, 108, 109, and 129 to correspond with changes it 
makes to part 1991. This action is necessary to counter the increased 
sophistication of those who pose a threat to civil aviation and their 
ability to develop techniques to subvert current security measures. The 
intended effect of this action is to prevent undue disclosure of 
information that could compromise public safety if it falls into the 
wrong hands, while being mindful of the public's legitimate right to 
know and interest in aviation information.

DATES: This rule is effective April 21, 1997. FAA will comply with the 
provisions of this rule on March 21, 1997.

FOR FURTHER INFORMATION CONTACT:
Robert S. Cammardto, Office of Civil Aviation Security Division, ACP-
100, Office of Civil Aviation Security Policy and Planning, Federal 
Aviation Administration, 800 Independence Avenue, SW., Washington, DC 
20591; telephone (202) 267-7723.

SUPPLEMENTARY INFORMATION:

Background

The Security Regulatory Scheme

    The FAA is required to prescribe rules, as needed, to protect 
persons and property on aircraft against acts of criminal violence and 
aircraft piracy, and to prescribe rules for screening passengers and 
property for dangerous weapons, explosives, and destructive substances. 
See, 49 U.S.C. 44901 through 44904. To carry out the provisions of the 
statute, the FAA has adopted rules requiring airport operators, air 
carriers, indirect air carriers, and foreign air carriers to carry out 
various duties for civil aviation security. Title 14, Code of Federal 
Regulations, part 107 (14 CFR part 107) applies to certain airport 
operators. Part 108 (14 CFR part 108) governs certain air carriers.
    Part 109 (14 CFR part 109) applies to indirect air carriers such as 
freight forwarders, who engage indirectly in air transportation of 
property. Part 129 (14 CFR part 129) applies to the operation of 
foreign air carriers within the United States.
    Parts 107, 108, 109, and 129 contain general requirements for 
promoting civil aviation security. Each airport operator, air carrier, 
indirect air carrier, and foreign air carrier covered by these parts 
also has a security program that is approved or accepted by the 
Administrator, containing information that specifies how airport 
operators and air carriers perform their regulatory and statutory 
responsibilities. These security programs are available only to persons 
with the need-to-know, as described more fully below.
    Each air carrier's security program is a comprehensive document 
that details the full range of security procedures and countermeasures 
that air carriers are required to perform under 14 CFR 108.5. This 
program includes procedures for: (1) Screening of passengers, carry-on 
baggage, checked baggage, and cargo; (2) using screening devices (such 
as X-ray systems and metal detectors); (3) controlling access to 
aircraft and air carrier facilities; (4) reporting and responding to 
bomb threats, hijackings, and weapons discovered during screening; (5) 
reporting and protecting bomb threat information; (6) identifying 
special procedures required at airports with special security needs; 
and (7) training and testing standards for crewmembers and security 
personnel.
    The airport security program is a comprehensive document that 
details the full range of security procedures and countermeasures that 
airport operators are required to perform under 14 CFR 107.3. Most 
programs include: (1) Descriptions of the air operations area (AOA), 
each area on or adjacent to the airport that affect the security of the 
AOA, and air carriers exclusive areas; (2) procedures to control access 
to the AOA; (3) alternate security procedures for use in emergency and 
other unusual conditions; and (4) law enforcement support training and 
record maintenance programs in furtherance of part 107. Programs for 
some airports include a description of the law enforcement support 
training program and the system for maintaining records.
    The indirect air carrier security program covers security 
procedures for cargo that is accepted for transport on air carrier 
aircraft. In general, indirect air carriers are required to carry out 
security procedures for handling cargo that will be carried on air 
carrier aircraft.
    Foreign air carriers' security programs provide security procedures 
for foreign air carriers while operating to and from the United States, 
which is a counterpart to the procedures required under part 108.
    Security programs of individual companies are based largely on 
standard security programs and amendments developed by the FAA and 
industry. As new threats are identified and improved countermeasures 
developed, the FAA develops standard means to respond to the threats 
and improve security.
    Other sources of information and countermeasures are contained in 
the Security Directives and Information Circulars, described in 
Sec. 108.18. These sources address threats to civil aviation security 
as well as responsive countermeasures to those threats. Additionally, 
these sources provide sensitive information concerning various security 
devices, such as metal detectors and X-ray machines.

The Need to Protect Security Information

    The notice of proposed rulemaking contained a history of how the 
threat to civil aviation has increased over the years. The FAA monitors 
potential threats to civil aviation. Terrorist pose an increasingly 
sophisticated threat to civil aviation. This has led the FAA to 
reevaluate the release of security information to the public, 
particularly in response to requests under the FOIA. This information 
has been termed sensitive security information (SSI).
    It is important to keep details of security measures and FAA 
evaluations of security out of the public domain where terrorists could 
read them. If the information identified in this rule were publicly 
available, it could reveal potential weaknesses in the current security 
system.
    The FAA is mindful of the public's legitimate interest in how the 
FAA operates and how it regulates the aviation industry, as well as how 
the industry is carrying out its duties. The FAA has a corresponding 
responsibility to prevent undue disclosure of information that could 
compromise public safety if it falls into the wrong hands. The rule has 
been carefully considered and covers only information

[[Page 13737]]

that could reasonably be anticipated to be damaging to the security of 
the traveling public if given to unauthorized persons.
    Security programs are absolutely essential mechanisms through which 
the FAA regulates the air carriers' and airports' detailed obligations 
with respect to ensuring civil aviation security. Much of the 
effectiveness of the programs depends on strictly limiting access to 
such information to those persons who have a need-to-know. Unauthorized 
disclosure of the specific provisions of the air carrier and airport 
security programs or other aviation security information would allow 
potential attackers of civil aviation to devise methods to circumvent 
or otherwise defeat the security provisions. It would also discount the 
deterrent effect inherently provided in prohibiting disclosure of 
security measures that may or may not be in place.
    There are sophisticated criminal elements who actively seek 
information on what seemingly are minor security points, with a view to 
accumulating a larger picture of the entire security program. 
Therefore, it is imperative that the entire security program be 
protected. Similarly, it is critical to protect the information 
contained in Security Directives and Information Circulars. These 
documents contain detailed information on threats that the FAA has 
identified, and the measures to counter those threats. The unauthorized 
release of that information could compromise those countermeasures. In 
addition, particular information regarding FAA approved security 
devices, such as metal detectors, should also be protected to the 
extent possible.

Current Protection of Security Information

    Currently, the FAA, airport operators, air carriers, indirect air 
carriers, and foreign air carriers are required to restrict the 
availability of information contained in security programs to those 
with a need-to-know, and to refer requests for such information by 
other persons to the FAA. These requirements are in Secs. 107.3(e), 
108.7(c) (4) and (5), 109.3(c), and foreign air carrier security 
programs. In addition, Sec. 108.18(d) specifically requires both air 
carriers and individuals to restrict the availability of Security 
Directives and Information Circulars, and the information contained 
therein, to persons with a need-to-know. However, individuals who work 
for or perform activities in support of the air carriers are not 
required to protect other security information.
    Part 191 states when the FAA will withhold certain requested 
information from public disclosure, such as when requested under the 
Freedom of Information Act (FOIA) (5 U.S.C. 552), in litigation, or in 
rulemaking. Part 191 currently applies only to the FAA, and does not 
specify all of the sources of SSI that should be covered.
    Civil aviation security information protected under the Federal 
Aviation Regulations is different from Classified National Security 
Information governed by Executive Order 12598 and related orders, 
statutes, and rules. The Executive Order provides for classifying 
information as Top Secret, Secret, and Confidential, and covers a wide 
range of information affecting the national security. All persons with 
access to such information must have an appropriate security clearance, 
and there may be a criminal penalty for misuse of the information. 
While there is some ``classified'' civil aviation security information, 
part 191 is not directed to the handling of classified information. 
Indeed, part 191 is needed because the SSI is not National Security 
Information and therefore is not subject to the controls that apply to 
such information.
    This final rule improves the protection of SSI by amending parts 
107, 108, 109, 129, and 191 as described more fully later in the 
document.

Discussion of Comments

    The FAA published Notice of Proposed Rulemaking No. 94-32 on 
December 6, 1994 (59 FR 62956). In response to Notice No. 94-32, 17 
comments were received from a total of 18 commenters, 2 commenters 
having jointly submitted 1 comment.
    Five commenters state that the proposed language in proposed 
Sec. 191.5(a) on the release of SSI is too broad. Of these, two 
commenters ask the FAA to limit this language by linking the 
enforcement of SSI unauthorized releases to significant compromises of 
security or those that result in an actual security incident.
    The FAA believes the suggested language would weaken the rule. The 
FAA should not have to wait to see if the improperly released or 
compromised information is actually misused before taking action 
against the person(s) who released it. On the contrary, one purpose of 
the rule is to have more clear and consistent guidance as to what must 
be protected. In every case in which the FAA considers what enforcement 
action to take in response to a violation, however, the FAA considers 
all factors, including the potential or actual adverse impact on safety 
or security.
    The same two commenters also share the view that the FAA should 
limit the geographic scope of airport security programs solely to that 
area where scheduled carriers operate. These commenters argue that this 
geographic limitation would remove general aviation operations from the 
Air Operations Area (AOA), reducing the number of individuals with a 
``need-to-know'' and thereby reducing the potential for the release of 
SSI.
    The FAA finds that the scope of the airport security program would 
be more appropriately addressed in Part 107. If needed, airport 
operators may contact their cognizant FAA security office for a re-
evaluation of the geographic areas in which security measures are 
applied.
    Six commenters request the addition of language to proposed 
Sec. 191.5 (a) or (d) to make clear that, if an air carrier or airport 
operator has established a reasonable procedure for the control of 
sensitive information and has not been negligent in monitoring 
compliance with this procedure, the air carrier or airport operator 
would not be held to a standard of strict liability for disclosures 
made by individuals.
    Currently Sec. 108.7(c)(4) requires each air carrier to ``restrict 
the availability of information contained in the security program to 
those persons with an operational need-to-know * * *'' Current 
Sec. 107.3(e) requires in part that each airport operator ``restrict 
the distribution, disclosure, and availability of information contained 
in the security program to those persons with an operational need-to-
know * * *'' Proposed Sec. 191.5(a) would impose similar duties on 
airport operators and air carriers, stating that they must ``restrict 
disclosure of and access to sensitive security information to persons 
with a need-to-know, * * *'' The FAA is not aware that any instance in 
which an air carrier or airport operator allegedly has been held to an 
unduly strict standard for compliance with the current rules. 
Accordingly, no change is needed to the proposal.
    Two commenters indicate that, when the FAA releases a Security 
Directive to the air carriers, the air carriers' principal means of 
dissemination to the affected locations throughout the world are via 
facsimile, teletype, and electronic mail messages. The commenters 
indicate that remote facsimile machines, high speed printers, and 
computers often are not located in secured areas and operate on a 24-
hour schedule due to differences in time zones. The commenters state 
that, unlike certain government agencies that routinely handle SSI, 
there are very few air carrier employees, and even fewer contract 
workers, who hold a

[[Page 13738]]

Department of Defense (DOD)-approved SECRET clearance. Nonetheless, the 
commenters say they do support the premise that individuals should be 
penalized if they have acted imprudently or knowingly disregarded the 
instructions of their employers. The commenters state that even with 
the clearest of instructions regarding the protection of the 
information, it is unreasonable to expect air carriers to be totally 
responsible for the actions of a large number of individuals.
    As noted earlier in this document, the air carriers' responsibility 
under the rule will be similar to their responsibilities under the 
current rule, and air carriers that are in compliance now need not 
change their procedures.
    SSI is not Classified National Security Information, and no Secret 
clearance issued by the Federal government is required to gain access 
to it. The FAA realizes that certain employees will have access to SSI 
simply because they must retrieve the information from facsimile 
machines and the like, although they do not have responsibility to 
carry out the security program. All such employees, however, are 
responsible for protecting the information from unauthorized 
disclosure.
    Three commenters ask how agencies or persons, included within the 
scope of the proposed regulation, should respond to Freedom of 
Information Act (FOIA) or Open Records Act (ORA) requests for 
unclassified security information, in the event the proposed regulation 
is promulgated as written.
    The requirement to make records available under the FOIA does not 
apply to matters that are specifically exempted from disclosure by 
statute (5 U.S.C. 552(b)(3)). Under 49 U.S.C. 40119, the information 
described in the rule is exempt by statute from disclosure. When the 
FAA receives requests under FOIA for SSI, the FAA will deny the 
information in accordance with Sec. 191.3. As to requests for 
information under state and local freedom of information acts or open 
records acts, Sec. 191.5(a) provides that requests for SSI be referred 
to the Administrator. The FAA works with the airports and air carriers 
to determine what records or portions of records should remain 
undisclosed, and what may be released.
    Ten commenters state that the proposed regulation restricts, too 
severely, the disclosure of SSI. Three of these commenters object that 
the proposed language may prohibit disclosure of security information 
to a carrier president, outside counsel, consultant, or management 
personnel who do not personally perform or directly supervise security 
activities. Five commenters indicate that the carriers may be required 
to inform parties other than those with a need-to-know of certain 
security requirements or procedures. Such parties may include travel 
agents, passengers, contractors, and internal personnel who develop 
procedures to ensure effective passenger, cargo, and baggage processing 
for the air carrier.
    The FAA believes that the definition of ``need-to-know'' as 
proposed would have provided for dissemination of information to travel 
agents, passengers, contractors, and internal personnel, when such 
dissemination is necessary to carry out security duties. The FAA 
agrees, however, that the proposed definition could have been read as 
more limiting than intended, as to some persons. Various high level 
officials must be apprised of the information, even though they may not 
personally carry out the security requirements. Further, persons who 
represent the air carriers and airport operators, such as attorneys and 
industry associations, may have a need-to-know, in order to be able to 
represent their clients. In order to avoid misunderstanding, the FAA is 
clarifying the definition of need-to-know in Sec. 191.5(b) to read as 
follows: A person has a need-to-know sensitive security information 
when the information is necessary to carry out FAA-approved or directed 
aviation security duties; when the information is necessary to 
supervise or otherwise manage the individuals carrying out such duties; 
to advise the airport operator, air carrier, indirect air carrier, or 
foreign air carrier regarding the specific requirements of any FAA 
security related requirements; or to represent the airport operator, 
air carrier, indirect air carrier, or foreign air carrier, or person 
receiving information under Sec. 191.3(d) in connection with any 
judicial or administrative proceeding regarding those requirements. For 
some specific information, the Administrator may specify which persons, 
or classes of persons, have a need-to-know.
    Three commenters indicate that contractors who are bidding on a job 
inside the security identification display area (SIDA) need to know 
that the procedures are for ID applications and employment history 
checks in order to price their bids correctly. One of these commenters 
states that ``each person issued an airport identification badge has a 
need to know certain details of the Airport Security Program.''
    The definition of ``need-to-know'' in Sec. 191.5(b) includes the 
need for the information to carry out FAA approved or directed aviation 
security duties. When a contractor needs the procedures for ID 
applications and employment checks in order to comply with FAA rules 
and the airport security program, the contractor has a ``need-to-know'' 
within the meaning of the rule. Such releases of information must be 
limited only to the information needed to comply.
    One commenter states that, in most international locations, air 
carriers do not provide their own security. According to this 
commenter, the security at international locations comes in the form of 
assistance provided by the host government. This commenter states that, 
in order to carry out some of the FAA-mandated security directives, 
some portion of those directives must be disclosed to the host 
government. In this commenter's opinion, the proposed draft 
acknowledges that the foreign government has a need-to-know in the case 
of a foreign air carrier, but not necessarily in connection with the 
overseas operation of a U.S. air carrier.
    The FAA finds that the foreign government would also meet the need-
to-know requirement in connection with the overseas operations of a 
U.S. air carrier. Procedures have already been established through FAA 
liaison personnel and the State Department to communicate necessary 
security information.
    Two commenters state that many airport operators must supply 
monthly confiscated weapons reports or incident reports to other 
official bodies, sometimes for the purpose of prosecution at the local 
level. Another commenter notes that, local law enforcement or 
legislative requirements may require disclosure of certain security 
information to persons otherwise without a ``need-to-know'' as part of 
normal reporting requirements. This commenter requests coordination 
among industry and FAA personnel before the FAA designates information 
as ``sensitive.''
    It appears that most confiscated weapons reports would not be SSI, 
if the airport operator is releasing the report. Section 191.7(h) makes 
such information SSI only as to release by the FAA. As to the release 
of other information to law enforcement officials, or in response to 
other legislative requirements, the airport operator should contact the 
FAA to discuss specific needs. Some of the information the commenter is 
concerned about may not be SSI under the rule. As to information that 
is SSI, the FAA may approve release to specific states and local 
officials with appropriate safeguards to prevent its dissemination to 
unauthorized persons.

[[Page 13739]]

    One commenter indicates that, if sensitive information concerns a 
specific airport, persons having a need-to-know should include, at a 
minimum, the designated Airport Security Coordinator(s). This commenter 
also states that Coordinators should have the authority to disseminate 
such information themselves on a need-to-know basis among parties at 
the airport or within the same airport authority.
    The FAA agrees with the commenter to the extent that the need-to-
know requirements apply.
    One commenter states that the proposed disclosure limitations may 
preclude carriers from seeking assistance form government agencies or 
other law enforcement authorities when faced with unusual security 
situations or threats.
    It appears that, if the air carrier is seeking assistance to 
respond to security situations or threats, there is a need-to-know 
within the meaning of the rule. Of course, the agency or authority 
should be informed of the nature of the information and the need to not 
release it to unauthorized persons.
    One commenter asks that proposed Sec. 191.5(c) be modified to 
include whistle-blower protection for the entity that advises the FAA 
that a breach of security has occurred. This commenter observes that, 
``without a safeguard, there will be a tendency for parties * * * not 
to advise the FAA (that a breach of security has occurred) in the hope 
that they would not be caught * * *.''
    The primary purpose of Sec. 191.5(c) is to permit the FAA to 
evaluate the release of information and determine whether there is a 
need to act to mitigate any vulnerability the release might have 
caused. The fact that a person self-discloses a failure to comply with 
the rule is given significant weight in determining what, if any, 
action should be taken as to that person. In the end, the choice of 
action involves the exercise of prosecutorial discretion, and will be 
considered in the context of policies involving enforcement in general.
    Four commenters ask for modification of proposed Sec. 191.5(d) to 
specify the FAA's criteria for adequate restriction of access to, or 
disclosure of, sensitive information; to clarify what changes might be 
recommended by the FAA to security procedures; and to state the actions 
that may be included in the phrase ``other enforcement or corrective 
action,'' including potential criminal prosecution.
    As noted previously, the air carriers' and airport operators' 
responsibilities under the new rule are similar to their 
responsibilities under the current rules. Procedures that are 
appropriate under the current rules should be continued. and a similar 
level of protection should be used for other SSI.
    It is not possible to list changes to security procedures that 
might be required after an unauthorized release of those procedures. It 
would depend on what information was released, the apparent security 
risk resulting from the release, and what other measures might be 
considered appropriate alternatives to those that were compromised. In 
addition, the FAA might consider requiring changes to the way SSI was 
handled or disseminated, if it was discovered that the air carrier or 
airport operator had inadequate procedures.
    The types of possible action the FAA might take in response to a 
violation are set forth in the statute and FAA Order 2150.3A, 
compliance and Enforcement Program. These include such actions as 
counseling, corrective action, civil penalties. and certificate action 
(such as suspension or revocation of a certificate). In appropriate 
cases, the FAA may refer a matter to proper authorities for criminal 
prosecution.
    Two commenters request modification of proposed Sec. 191.7 to list, 
as completely as possible, the specific categories of information which 
fall within the meaning of the phrase SSI. These commenters state that 
such a list should include training programs and records of practice 
exercise as a category.
    The entire training program of an air carrier is not normally SSI. 
However, the program contains SSI, such as specifications of test 
objects and security devices, and sensitive procedures. Under 
Sec. 191.7, the portions of the training programs containing SSI must 
be protected, but the rest is not subject to this rule.
    Similarly, training records are not normally considered SSI in 
themselves, because they normally do not contain SSI. They may simply 
indicate the dates that the screeners completed their training, for 
instance. Such records are a general means by which the FAA monitors 
industry compliance with specific requirements, and therefore would not 
require protection in accordance with Sec. 191.7. However, there are 
occasions when information related to ``sensitive activities,'' such as 
practical exercise, which falls under the purview of )191.7(d), is 
included in training records. Under these circumstances, these 
particular training records would be subject to part 191 controls.
    These two commenters also ask whether the airport boundary 
descriptions found in airport security plans are SSI, whether 
information that is readily available elsewhere become SSI by being 
included in an airport security plan, whether partial disclosures of 
information contained in an airport security plan might violate the 
proposed regulation, and if so, what the threshold of violation by 
partial disclosure might be.
    Informaiton that is not in the security plan or otherwise listed in 
Sec. 191.7 is not SSI under this rule. Because the airport boundary 
descriptions are readily available elsewhere, they can be released in 
the form that is available elsewhere without violating the new rule.
    These commenters also suggest that the FAA reconsider the necessity 
of designating all threat information as sensitive. According to these 
commenters, it would be more efficient to draw a distinction between 
information regarding general trends in terrorist technology and 
possible responses, which is largely in the public domain and should 
not be subjected to extensive disclosure protection, and known, 
specific threats.
    It is not clear to which portion of the rule the commenters are 
objecting. New Sec. 191.7(i) (proposed as Sec. 191.7(h)(1)) makes 
threat information SSI only as to release by the FAA, which means that 
the FAA may decline to release the information. That section does not 
require the airport operator or air carrier to protect the information. 
Airport operators and air carriers are required to protect threat 
information that may be a part of security program amendments, Security 
Directives, and Information Circulars, because they are protected under 
Sec. 191.7 (a) and (b). It should also be noted that general trends in 
terrorist technology and possible responses often is non-public, and 
may even be Classified National Security Information.
    Two commenters state that the FAA cost/benefit analysis is not 
correct. Of these, one commenter states that evidence does not exist to 
support the FAA's portrayal of the terrorist threat to civil aviation, 
as found in the section of the NPRM titled ``The Need To Protect 
Security Information.''
    The FAA disagrees with this commenter. The information reflected in 
the ``Need To Protect Security Information'' section of the NPRM is 
based on a complete analysis of the best threat information available.
    The other commenter in this group states that, if the proposed 
regulation is adopted, the air carriers will have to inform their 
employees of the new regulations and will also have to design

[[Page 13740]]

a more sophisticated tracking system in order to trace the 
dissemination of security information. Dollars will have to be spent to 
secure information in safes, locked rooms, and to purchase shredders 
and conduct audits. The commenters state that there is the potential 
cost to the carriers to investigate and respond to FAA allegations of 
noncompliance, which more often than not results in a civil penalty.
    Again, the air carriers' and airport operators' responsibilities 
under the new rules are similar to their responsibilities under the 
current rules. Procedures that are appropriate under the current rules 
should be continued, and a similar level of protection should be used 
for all designated SSI.
    One commenter indicates that the FAA has underestimated the 
proposed regulation's constitutional implications for restriction of 
freedom of speech.
    The commenter does not provide an analysis as to how the 
Constitution protections of freedom of speech are violated. The FAA 
considers that restricting dissemination of the information described 
in the rule is necessary to protect the traveling public from persons 
who would seek to commit acts of criminal violence or aircraft piracy. 
The FAA has attempted to include as little information as is reasonably 
necessary to adequately protect the public.

The Rule As Adopted

Part 191

    Part 191 sets forth the rules that allow the FAA to withhold 
information from public disclosure. This final rule amends and 
reorganizes part 191 as follows:
    Section 191.1 is expanded to apply not only to the FAA, but also to 
air carriers, airport operators, indirect air carriers, foreign air 
carriers, and individuals. As discussed later in this document, parts 
107, 108, 109, and 129 still would contain some requirements regarding 
the protection of information, but part 191 would be the primary rule 
for withholding information from unauthorized disclosure.
    Section 191.1(a) is amended to conform to the current statute. In 
1976, the FAA promulgated part 191 to implement the Air Transportation 
Act of 1974, Public Law 93-366. Section 316(d)(2) of the Federal 
Aviation Act of 1958, as amended, provided, in part, that the 
Administrator shall prescribe regulations to ``prohibit disclosure of 
any information obtained or developed in the conduct of research and 
development activities'' if the disclosure meets certain conditions. 
This section is a major basis for the current rules in part 191 on 
withholding information from unauthorized disclosure.
    In 1990, section 316(d)(2) was amended to provide that the 
Administrator shall adopt rules to prohibit disclosure of ``any 
information obtained in the conduct of security or research and 
development activities. * * *'' Section 9121 of the Aviation Safety and 
Capacity Expansion Act of 1990 (Pub. L. 101-508) (emphasis added). In 
1994 this section was recodified, and now appears at 49 U.S.C. 40119. 
This final rule amends Sec. 191.1(a), to protect information obtained 
during the course of specified security activities. This final rule 
also removes from the title of part 191 reference to the 1974 Act, to 
avoid any implication that it is the only source of statutory authority 
for the part.
    Section 191.1(b) now defines ``record,'' in part, as 
``documentary'' material. This final rule removes the word 
``documentary.'' It addresses all methods of preserving information, 
including computer records. This would avoid any misunderstanding over 
whether such records were ``documentary.''
    Part 191 now refers to the ``Director of Civil Aviation Security'' 
as the official who makes the determination on behalf of the 
Administrator to withhold information. Under internal FAA 
reorganization, the current title of this position is Associate 
Administrator for Civil Aviation Security, however, 49 U.S.C. 44932 
refers to this official as Assistant Administrator for Civil Aviation 
Security. Therefore, part 191, as adopted, used the title ``Assistant 
Administrator for Civil Aviation Security.'' In addition, the Deputy 
Assistant Administrator for Civil Aviation Security (currently called 
the Deputy Associate Administrator for Civil Aviation Security) and any 
individual formally designated to act in the capacity of the Assistant 
Administrator or the Deputy, now has the authority to make such 
determinations.
    For decisions involving information and records described in 
Sec. 191.7 (a) through (g), and related documents in (l), Sec. 191.1(c) 
permits delegation below the Assistant Administrator level. The 
information that is described in Sec. 191.7 (a) through (g) is well-
defined, and decisions on release or withholding of the information 
involves relatively objective judgments.
    Section 191.7 (h), (i), (j), (k), and related documents described 
in (l), require more subjective judgments. A decision to release or 
withhold information under these paragraphs requires a careful 
evaluation of the need to provide the highest level of security to the 
traveling public by preventing SSI from falling into the wrong hands, 
balanced by an awareness of the public's strong interest in obtaining 
information about security in air transportation. These decisions 
require a careful evaluation of security threats as well as important 
policies of the agency. Therefore, this rule requires that such 
decisions be made by high policy-level officials, and not below the 
Assistant Administrator and Deputy Assistant Administrator level. The 
Assistant Administrator is responsible for carrying out the agency's 
civil aviation security program, and reports directly to the 
Administrator.
    Section 191.3 continues to state generally that the FAA withholds 
certain information, but has been clarified to state that part 191 
applies, notwithstanding FOIA and other disclosure statutes. For 
example, the FAA may adopt certain security rules affecting air 
carriers and airports without disclosing the rules to unauthorized 
persons. Additionally, this rule will move the provisions that describe 
the circumstances under which the FAA prohibits disclosure of 
information from Sec. 191.5 to Sec. 191.3(b).
    New Sec. 191.3(d) is added to clarify how SSI is handled during 
enforcement actions. When the FAA initiates legal enforcement action in 
a matter involving security, if the alleged violator or his designated 
representative so requests, the Chief Counsel, or designee, may provide 
copies of portions of the enforcement investigative report (EIR), 
including SSI. This information may be released only to the alleged 
violator or designated representative for the sole purpose of providing 
the information necessary to prepare a response to the allegations 
contained in the legal enforcement action document. Such information is 
not released under the FOIA.
    Whenever such documents are provided to an alleged violator or 
designated representative, the Chief Counsel or designee advises the 
alleged violator or designated representative that: (a) The documents 
are provided for the sole purpose of providing the information 
necessary to respond to the allegations contained in the legal 
enforcement action document; and (b) SSI contained in the documents 
provided must be maintained in a confidential manner to prevent 
compromising civil aviation security.
    Section 191.5, as adopted, contains the requirements that apply to 
persons other than the FAA. Such persons

[[Page 13741]]

include air carriers, airport operators, indirect air carriers, foreign 
air carriers, and persons who receive SSI in connection with 
enforcement actions, and individuals employed by, or contracted by, air 
carriers, airport operators, indirect air carriers, foreign air 
carriers, and persons who receive SSI in enforcement actions. This 
section is intended to be very inclusive.
    A difficult aspect of protecting SSI is that a large number of 
persons must be aware of at least portions of the information in order 
to carry out their duties including pilots, flight attendants, ticket 
agents, screeners, baggage handlers, and law enforcement officers. 
Frequently, some of these people are not direct employees of the air 
carrier or airport operator, but they do carry out duties for, or on 
behalf of, the air carrier or airport operator. For example, in many 
cases, screeners and law enforcement officers are not directly employed 
by air carriers or airport operators, but do have important security 
responsibilities to carry out. This section is intended to cover all 
such persons who have access to SSI. It should be emphasized, however, 
that airports and air carriers will continue to have the responsibility 
they now have to protect SSI. If SSI is released to unauthorized 
persons, depending upon the circumstances, the FAA may hold the airport 
or air carrier, as well as the individual accountable.
    Section 191.5(a) states the general requirement that disclosure of, 
and access to, SSI shall be restricted to persons with a need-to-know. 
Section 191.5(b) defines need-to-know as when the information is 
necessary to carry out FAA-approved or directed aviation security 
duties; when the information is necessary to supervise or otherwise 
manage the individuals directly carrying out such duties; to advise the 
airport operator, air carrier, indirect air carrier, or foreign air 
carrier regarding the specific requirements of any FAA security related 
requirements; or to represent the airport operator, air carrier, 
indirect air carrier, or foreign air carrier, or person receiving 
information under Sec. 191.3(d) in connection with any judicial or 
administrative proceeding regarding those requirements.
    In most cases, the air carrier or airport operator has the 
discretion to decide who in its organization has a need to know SSI. 
There are times, however, when information is so sensitive that extra 
measures should be taken to protect that information from release to 
those without a need-to-know. The rule would, therefore, provide that 
for some specific information the Administrator may make a finding that 
only specific persons, or classes of persons, have a need-to-know.
    Section 191.5(c) requires that, if sensitive security information 
is released to unauthorized persons, the FAA must be notified. This 
will permit the FAA to evaluate the risk presented by the release of 
the information, and to take whatever action may be needed to mitigate 
that risk.
    Section 191.5(d) alerts persons that violations may result in a 
civil penalty or other action by the FAA. The FAA may take a broad 
range of enforcement action for violation of the regulations. The FAA 
anticipates that civil penalty action will be considered for a 
violation of part 191, as it is for violations of parts 107 and 108. 
However, the FAA may seek enforcement action deemed appropriate based 
on individual circumstances of the case. Further, the FAA may take 
action to mitigate or correct the risk posed by the violation. Such 
actions may include requiring air carriers or airport operators to 
change their procedures for protecting security information, or change 
the security procedures in place that may have been compromised by 
unauthorized release of the information.
    New Sec. 191.7 describes information that is protected from public 
disclosure. Some of this information is now specifically described in 
current Sec. 191.3, and the rest the FAA now withholds based on 
findings under current Sec. 191.5, in that disclosure of this 
information would be detrimental to the safety of persons traveling in 
air transportation or intrastate air transportation. These findings are 
set forth in written denials of FOIA requests for such information, and 
in declarations submitted to judges to seek protection of information 
in litigation cases. To better inform the public of the information 
prohibited from unauthorized release, this rule adds this information 
to new Sec. 191.7.
    The introductory text of Sec. 191.7 provides that the specified 
information is SSI, ``except as otherwise provided in writing by the 
Administrator.'' This exception serves two functions. First, some SSI 
contains information that is released to the public, and the FAA may 
issue press releases and otherwise make this information available. Air 
carriers and others would not be expected to protect those details.
    Second, the Administrator may release some other SSI to help 
achieve compliance with the security requirements. In rare 
circumstances the FAA has released summary information regarding air 
carriers' failures to fully carry out their security duties, which 
assisted in bringing them into compliance. In such cases, the FAA must 
determine whether security will be better served by maintaining the 
confidentiality of the information, or to release some portions of it 
to help achieve compliance with the security standards.
    The introductory text of Sec. 191.7 also refers to ``records 
containing such information'' as being SSI. This would include, for 
instance, interpretations that contain information on the contents of 
security programs and other SSI.
    Section 191.7(a) retains the current requirements to protect any 
approved or standard security program for an air carrier, indirect air 
carrier, airport operator, or foreign air carrier. It also is clarified 
to protect any security program that relates to United States mail to 
be transported by air (including that of the United States Postal 
Service and of the Department of Defense). This rule expands this 
provision to include any comments, instructions, or implementing 
guidance pertaining to these security programs. Generally, these 
materials reveal some or all of the sensitive information and must be 
protected the same as the security programs themselves.
    Section 191.7(b) is revised to include any comments, instructions, 
or implementing guidance pertaining to Security Directives and 
Information Circulars.
    New Sec. 191.7(c) lists any profile used in any security screening 
process, including persons, baggage, or cargo. Hijacker and baggage 
screening profiles were previously addressed in current Sec. 191.3(b) 
(1) and (2). This rule now makes those profiles general to cover 
screening persons, because there are systems in place to protect 
against terrorists and others who might seek to commit criminal 
violence, not just hijackers. This rule addresses cargo profiles 
because, like baggage, cargo is a potential tool for criminal violence 
that the security rules cover.
    Section 191.7(d) includes any security contingency plan or 
information and any comments, instructions, or implementing guidance 
pertaining thereto. These plans, when adopted, become part of the 
security program and are already covered by rules governing security 
programs; however, they are included in Sec. 191.7 for emphasis.
    This rule deletes the provisions currently in current 
Sec. 191.3(b)(6), pertaining to the technical specifications for 
devices for protection against, or detection of, cargo theft. Such 
devices are not directly used to meet the requirements for civil 
aviation security under the FAA regulations. Any devices that serve a 
dual function of protecting cargo and security are

[[Page 13742]]

protected under other provisions in this section.
    Section 191.7(e) covers the technical specifications of any device 
used for the detection of any ``deadly or dangerous weapon, explosive, 
incendiary, or destructive substance.'' It is essentially the same as 
the current Sec. 191.3(b)(5) which used the words ``explosive or 
incendiary device or weapon,'' with the addition of the phrase 
``destructive substance.'' That phrase is used in 49 U.S.C. 44902 in 
reference to searching persons and property to be carried aboard 
aircraft.
    Section 191.7(f) addresses the descriptions of and technical 
specifications of objects used to test screening equipment and 
equipment parameters. Knowledge of this test equipment and parameters 
could lead to a plan to defeat those devices. Accordingly, details of 
such devices should be protected.
    Section 191.7(g) addresses the technical specifications of any 
security communications equipment and procedures. Knowledge of security 
communication equipment and procedures could lead to a plan to defeat 
those devices. Accordingly, details of such devices should be 
protected.
    Section 191.7(h) addresses release of certain information relating 
to violation of the security rules. Section 191.7(h) applies only to 
the release of information by the FAA. There is less risk of harm from 
casual disclosure of this information by individuals. The FAA, however, 
has information regarding the entire security system. Release of 
significant amounts of such information by the FAA could permit someone 
to attempt to identify weaknesses in the system that might be 
exploited.
    The notice proposed in Sec. 191.7(h)(2) to withhold the details of 
alleged violations of parts 107, 108, 109, or 129, including the 
airport name, the location of the gate or access point; the air 
carrier, indirect air carrier, or foreign air carrier, and any 
information that could reasonably lead to the disclosure of such 
details. After further consideration, the FAA has determined that this 
proposed policy was more restrictive than necessary. The rule as 
adopted makes a distinction between information based on the time since 
the incident occurred. In the first 12 months, there is the highest 
level of concern that information could be used to identify an apparent 
weakness that an unauthorized person may seek to exploit. After 12 
months, there has been sufficient passage of time, including an 
opportunity to correct any deficiency in the system, to make that 
information less useful in identifying apparent weaknesses.
    Section 191.7(h) as adopted provides generally for withholding any 
information that the Administrator has determined may reveal a systemic 
vulnerability of the aviation system or a vulnerability of aviation 
facilities to attack. This is defined to include certain details of 
inspections, investigations, and alleged violations and findings of 
violations of 14 CFR parts 107, 108, or 109, or Secs. 129.25, 129.26, 
or 129.27, and any information that could lead to the disclosure of 
such details. For events that occurred less than 12 months before the 
date of the release of the information, the FAA will not release the 
name of an airport where a violation occurred, the regional identifier 
in the case number, a description of the violation, the regulation 
allegedly violated, and the identity of the air carrier in connection 
with specific locations or specific security procedures. The FAA may 
release summaries of an air carrier's total security violations in a 
specified time range without identifying specific violations. Summaries 
may include total enforcement actions, total proposed civil penalty 
amounts, total assessed civil penalty amounts, number of cases opened, 
number of cases referred by Civil Aviation Security to FAA counsel for 
legal enforcement action, and number of cases closed.
    For events that occurred 12 months or more before the date of the 
release of the information, FAA will not release the specific gate or 
other location on an airport where the event occurred.
    In addition, the FAA will not release the identity of the FAA 
special agent who conducted the investigation or inspection, or 
security information or data developed during FAA evaluations of the 
air carriers and airports and the implementation of the security 
programs, including air carrier and airport inspections and screening 
points tests or methods for evaluating such tests.
    Section 191.7(i) (proposed as Sec. 191.7(h)(1)) covers release by 
the FAA of information concerning threats against civil aviation. This 
paragraph specifically applies only to release of information by the 
FAA. However, threat information may also be contained in Security 
Directives, Information Circulars, or other documents that air carriers 
and others must protect under other provision of this section.
    Section 191.7(j) further clarifies that the FAA does not release, 
and others should not release, certain details of security measures not 
otherwise listed in this section, such as information regarding Federal 
Air Marshals. Release of such information to unauthorized persons could 
not only compromise security, it could place Federal Air Marshals in 
danger.
    Secton 191.7(k) includes any other information that the 
Administrator determines should not be disclosed under the criteria in 
Sec. 191.3(b). While we have attempted to anticipate all sources of 
information that should be protected from unauthorized disclosure, 
additional information may be discovered in the future. This section 
allows the Administrator to determine whether that additional 
information should or should not be considered as SSI.
    Section 191.7(1) includes any draft, proposed, or recommended 
changes to SSI or records. The FAA frequently issues proposed revisions 
for sensitive security documents to air carriers and airports operators 
and requests comments on the proposals. These proposals contain SSI 
that also should be protected.

Parts 107, 108, 109 and 129

    This rule change also affects those specific sections of parts 107, 
108, 109, and 129 which require airport operators, air carriers, 
indirect air carriers, and foreign air carriers to protect security 
information and direct requests for such information to the 
administrator as required in part 191.
    All changes to parts 107, 108, 109, and 129 correspond to, and are 
redundant with, changes made to part 191 because airport operators, air 
carriers, and foreign air carriers refer to their specific parts of 
Title 14 CFR for security requirements. Including a cross-reference to 
part 191 in parts 107, 108, 109, and 129, alerts airport operators and 
air carriers to the new requirements, and makes it clear that part 191 
is part of their security duties.

Paperwork Reduction Act

    In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 
3507(d)), there are not requirements for information collection 
associated with this final rule.

International Compatibility

    The FAA has reviewed corresponding International Civil Aviation 
Organization international standards and recommended practices and 
Joint Aviation Airworthiness Authorities requirements and has 
identified no differences in these amendments and the foreign 
regulations.

[[Page 13743]]

Regulatory Evaluation Summary

Benefits and Costs

    Changes to Federal regulations must undergo several economic 
analyses. First, Executive Order 12866 directs that each Federal agency 
shall propose or adopt a regulation only upon a reasoned determination 
that the benefits of the intended regulation justify its costs. Second, 
the Regulatory Flexibility Act of 1980 requires agencies to analyze the 
economic effect of regulatory changes on small entities. Third, the 
Office of Management and Budget directs agencies to assess the effect 
of regulatory changes on international trade. In conducting these 
analyses, the FAA has determined that this rule is not ``a significant 
regulatory action'' as defined in the Executive Order and the 
Department of Transportation Regulatory Policies and Procedures. This 
rule will not have a significant impact on a substantial number of 
small entities and will not constitute a barrier to international 
trade.
    A detailed discussion of costs and benefits is contained in the 
full evaluation in the docket for this Final rule. The costs and 
benefits associated with this Final rule are summarized as follows.
    Air carriers and airports have security programs which are intended 
to protect the public from the threat of aircraft hijacking and other 
criminal activities affecting air transportation. The FAA proposes to 
strengthen the rules protecting security-related information from being 
released to unauthorized persons. The current rules fail to require 
individuals to protect sensitive security information that is in their 
control, and specify all sensitive security information that should be 
protected from public disclosure.
    The unauthorized disclosure of any of the information contained in 
these security programs can have a detrimental effect on the ability to 
thwart terrorist and other criminal activities. This final rule will 
amend parts 107, 108, 109, and 129 to restrict the distribution, 
disclosure, and availability of specific sensitive security 
information, which will be defined in part 191, to persons with a need-
to-know.
    Because this fine rule will not be included in the airport or the 
air carrier security programs, and because there are no specific 
requirements for safes, locked files, or enhanced security equipment, 
affected entities will not incur any costs to implement these proposed 
requirements.
    Much of the air carrier and airport security program effectiveness 
depends on strictly limiting access to sensitive security information 
to those persons who have a need to know. Sophisticated criminal 
elements are actively seeking ways to obtain information regarding the 
methods and procedures used by the FAA, air carriers, and airports to 
guard against terrorist activities. The accumulation of seemingly minor 
security details can enable the criminal element to piece together a 
larger picture of the entire security program. Therefore, it is 
imperative that the entire security program be protected.
    The consequences of not protecting such information can be 
catastrophic. Between 1982 and 1991, terrorist bombings of U.S. air 
carriers have resulted in 275 deaths and 24 injuries, while hijackings 
incidents have resulted in 24 deaths and 127 injuries.
    Given the absence of cost and the potential benefits of avoided 
fatalities and injuries, this final rule is cost beneficial.

Regulatory Flexibility Determination

    The Regulatory Flexibility Act of 1980 (RFA) was enacted by 
Congress to ensure that small entities are not unnecessarily burdened 
by government regulations. The RFA requires agencies to review rules 
that may have a ``significant economic impact on a substantial number 
of small entities.'' FAA Order 2100.14A, Regulatory Flexibility 
Criteria and Guidance, establishes threshold costs and small entity 
size standards for complying with RFA requirements. There is no cost 
associated with this rule; therefore, it does not have a significant 
economic impact on a substantial number of small entities.

International Trade Impact Statement

    In accordance with the Office of Management and Budget memorandum 
dated March 1983, federal agencies engaged in rulemaking activities are 
required to assess the effects of regulatory changes on international 
trade. The FAA finds that this rule will not have an adverse impact on 
trade opportunities for either U.S. firms doing business overseas or 
foreign firms doing business in the United States. This rule will 
impose no costs on both domestic and foreign air carriers, so neither 
would have a trade advantage over the other.

Federalism Implications

    This rule will not have a substantial direct effect on the states, 
on the relationship between the national government and the states, or 
on the distribution of power and responsibilities among the various 
levels of government. Therefore, in accordance with Executive Order 
12612, it is determined that this rule does not have sufficient 
federalism implications to warrant preparation of a Federalism 
Assessment.

Conclusion

    For the reasons discussed above, and based on the findings in the 
Regulatory Flexibility Determination and the International Trade Impact 
Statement, the FAA certifies that this regulation will not have a 
significant economic impact, positive or negative, on a substantial 
number of small entities under the criteria of the Regulatory 
Flexibility Act. This rule is not considered a ``significant regulatory 
action'' under Executive Order 12866 and is considered nonsignificant 
under Order DOT 2100.5, Policies and Procedures for Simplification, 
Analysis, and Review of Regulations. A regulatory evaluation of the 
rule, including a Regulatory Flexibility Determination and 
international Trade Impact Analysis, has been placed in the docket. A 
copy may be obtained by contracting the person identified under FOR 
FURTHER INFORMATION CONTACT.

List of Subjects

14 CFR Part 107

    Airports, Arms and munitions, Law enforcement officers, Reporting 
and recordkeeping requirements, Security measures.

14 CFR Part 108

    Air carriers, Aircraft, Airmen, Airports, Arms and munitions, 
Explosives, Law enforcement officers, Reporting and recordkeeping 
requirements, Security measures, X-rays.

14 CFR Part 109

    Air carriers, Aircraft, Freight forwarders, Security measures.

14 CFR Part 129

    Air carriers, Aircraft, Aviation safety, Reporting and 
recordkeeping requirements, Security measures, Smoking.

14 CFR Part 191

    Air transportation, Security measures.

The Amendment

    Accordingly, the Federal Aviation Administration amends parts 107, 
108, 109, 129, and 191 of Title 14, Code of Federal Regulations (14 CFR 
parts 107, 108, 109, 129, and 191) as follows:

[[Page 13744]]

PART 107--AIRPORT SECURITY

    1. The authority citation for part 107 continues to read as 
follows:

    Authority: 49 U.S.C. 106(g), 5103, 40113, 40119, 44701-44702, 
44706, 44901-44905, 44907, 44913-44914, 44932, 44935-44936, 46105.

    2. Section 107.3 is amended by revising paragraph (e) to read as 
follows:


Sec. 107.3  Security program.

* * * * *
    (e) Each airport operator shall--
    (1) Restrict the distribution, disclosure, and availability of 
sensitive security information, as defined in part 191 of this chapter, 
to persons with a need-to-know; and
    (2) Refer requests for security sensitive information by other 
persons to the Assistant Administrator for Civil Aviation Security.

PART 108--AIRPLANE OPERATOR SECURITY

    3. The authority citation for part 108 continues to read as 
follows:

    Authority: 49 U.S.C. 106(g), 5103, 40113, 40119, 44701-44702, 
44705, 44901-44905, 44907, 44913-44914, 44932, 44935-44936, 46105.

    4. Section 108.7 is amended by revising paragraphs (c)(4) and 
(c)(5) to read as follows:


Sec. 108.7  Security program: Form, content, and availability.

* * * * *
    (c) * * *
    (4) Restrict the distribution, disclosure, and availability of 
sensitive security information, as defined in part 191 of this chapter, 
to persons with a need-to-know; and
    (5) Refer requests for sensitive security information by other 
persons to the Assistant Administrator for Civil Aviation Security.

PART 109--INDIRECT AIR CARRIER SECURITY

    5. The authority citation for part 109 continues to read as 
follows:

    Authority: 49 U.S.C. 106(g), 5103, 40113, 40119, 44701-44702, 
44705, 44901-44905, 44907, 44913-44914, 44932, 44935-44936, 46105.

    6. Section 109.3 is amended by revising paragraph (c) to read as 
follows:


Sec. 109.3  Security program.

* * * * *
    (c) Each indirect air carrier shall--
    (1) Restrict the distribution, disclosure, and availability of 
sensitive security information, as defined in part 191 of this chapter, 
to persons with a need-to-know; and
    (2) Refer requests for sensitive security information by other 
persons to the Assistant Administrator for Civil Aviation Security.

PART 129--OPERATIONS: FOREIGN AIR CARRIERS AND FOREIGN OPERATORS OF 
U.S.-REGISTERED AIRCRAFT ENGAGED IN COMMON CARRIAGE

    7. The authority citation for part 129 continues to read as 
follows:

    Authority: 49 U.S.C. 106(g), 40104-40105, 40113, 40119, 44701-
44702, 44712, 44716-44717, 44722, 44901-44904, and 44906.

    8. Part 129 is amended by adding a new Sec. 129.31 to read as 
follows:


Sec. 129.31  Airplane security.

    Each foreign air carrier required to adopt and use a security 
program under Sec. 129.25(b) shall--
    (a) Restrict the distribution, disclosure, and availability of 
sensitive security information, as defined in part 191 of this chapter, 
to persons with a need-to-know; and
    (b) Refer requests for sensitive security information by other 
persons to the Assistant Administrator for Civil Aviation Security.
    9. Part 191 is revised to read as follows:

PART 191--PROTECTION OF SENSITIVE SECURITY INFORMATION

Sec.
191.1  Application and definitions.
191.3  Records and information withheld by the Federal Aviation 
Administration.
191.5  Records and information protected by others.
191.7  Sensitive security information.

    Authority: 49 U.S.C. 106(g), 5103, 40113, 40119, 44701-44702, 
44705-44706, 44901-44907, 44913-44914, 44932, 44935-44936, 46105.


Sec. 191.1  Applicability and definitions.

    (a) This part governs the release, by the Federal Aviation 
Administration and by other persons, of records and information that 
has been obtained or developed during security activities or research 
and development activities.
    (b) For purposes of this part, record includes any writing, 
drawing, map, tape, film, photograph, or other means by which 
information is preserved.
    (c) The authority of the Administrator under this part is also 
exercised by the Assistant Administrator for Civil Aviation Security 
and the Deputy Assistant Administrator for Civil Aviation Security, and 
any other individual formally designated to act in their capacity. For 
matters involving the release or withholding of information and records 
containing information described in Sec. 191.7 (a) through (g), and 
related documents described in (l), the authority may be further 
delegated. For matters involving the release or withholding of 
information and records containing information described in Sec. 191.7 
(h) through (k), and related documents described in (l), the authority 
may not be further delegated.


Sec. 191.3  Records and information withheld by the Federal Aviation 
Administration.

    (a) Except as provided in Sec. 191.3 (c) and (d), and 
notwithstanding 5 U.S.C. 552 or other laws, the records and information 
described in Secs. 191.7 and 191.3(b) are not available for public 
inspection or copying, nor is information contained in those records 
released to the public.
    (b) The Administrator prohibits disclosure of information developed 
in the conduct of security or research and development activities under 
49 U.S.C. 40119 if, in the opinion of the Administrator, the disclosure 
of such information would:
    (1) Constitute an unwarranted invasion of privacy (including, but 
not limited to, information contained in any personnel, medical, or 
similar file);
    (2) Reveal trade secrets or privileged or confidential information 
obtained from any person; or
    (3) Be detrimental to the safety of persons traveling in air 
transportation.
    (c) If a record contains information that the Administrator 
determines cannot be disclosed under this part, but also contains 
information that can be disclosed, the latter information, on proper 
Freedom of Information Act request, will be provided for public 
inspection and copying.
    However, if it is impractical to redact the requested information 
from the document, the entire document will be withheld from public 
disclosure.
    (d) After initiation of legal enforcement action, if the alleged 
violator or designated representative so requests, the Chief Counsel, 
or designee, may provide copies of portions of the enforcement 
investigative report (EIR), including sensitive security information. 
This information may be released only to the alleged violator or 
designated representative for the sole purpose of providing the 
information necessary to prepare a response to the allegations 
contained in the legal enforcement action document. Such information is 
not released under the Freedom of Information Act. Whenever such 
documents are provided to an alleged violator or designated 
representative, the Chief Counsel or designee advises the alleged 
violator or designed representative that--

[[Page 13745]]

    (1) The documents are provided for the sole purpose of providing 
the information necessary to respond to the allegations contained in 
the legal enforcement action document; and
    (2) Sensitive security information contained in the documents 
provided must be maintained in a confidential manner to prevent 
compromising civil aviation security, as provided in Sec. 191.5 of this 
part.


Sec. 191.5  Records and information protected by others.

    (a) Each airport operator, air carrier, indirect air carrier, 
foreign air carrier, and person receiving information under 
Sec. 191.3(d) of this part; and each individual employed by, contracted 
to, or acting for an airport operator, air carrier, indirect air 
carrier, or foreign air carrier; and each person receiving information 
under Sec. 191.3(d) of this part, shall restrict disclosure of and 
access to sensitive security information described in Sec. 191.7 (a) 
through (g), (j), (k), and as applicable (l), to persons with a need-
to-know, and shall refer requests by other persons for such information 
to the Administrator.
    (b) A person has a need-to-know sensitive security information when 
the information is necessary to carry out FAA-approved or directed 
aviation security duties; when the information is necessary to 
supervise or otherwise manage the individuals carrying out such duties; 
to advise the airport operator, air carrier, indirect air carrier, or 
foreign air carrier regarding the specific requirements of any FAA 
security related requirements; or to represent the airport operator, 
air carrier, indirect air carrier, foreign air carrier, or person 
receiving information under Sec. 191.3(d) of this part, in connection 
with any judicial or administrative proceeding regarding those 
requirements. For some specific information the Administrator may make 
a finding that only specific persons, or classes of persons, have a 
need-to-know.
    (c) When sensitive security information is released to unauthorized 
persons, any air carrier, airport operator, indirect air carrier, 
foreign air carrier, or individual with knowledge of the release shall 
inform the Administrator.
    (d) Violation of this section is grounds for a civil penalty and 
other enforcement or corrective action by the FAA.


Sec. 191.7  Sensitive security information.

    Except as otherwise provided in writing by the Administrator as 
necessary in the interest of safety of persons traveling in air 
transportation, the following information and records containing such 
information constitute sensitive security information:
    (a) Any approved or standard security program for an air carrier, 
foreign air carrier, indirect air carrier, or airport operator, and any 
security program that relates to United States mail to be transported 
by air (including that of the United States Postal Service and of the 
Department of Defense); and any comments, instructions, or implementing 
guidance pertaining thereto.
    (b) Security Directives, Information Circulars, and any comments, 
instructions, or implementing guidance pertaining thereto.
    (c) Any profile used in any security screening process, including 
for persons, baggage, or cargo.
    (d) Any security contingency plan or information and any comments, 
instructions, or implementing guidance pertaining thereto.
    (e) Technical specifications of any device used for the detection 
of any deadly or dangerous weapon, explosive, incendiary, or 
destructive substance.
    (f) A description of, or technical specifications of, objects used 
to test screening equipment and equipment parameters.
    (g) Technical specifications of any security communications 
equipment and procedures.
    (h) As to release of information by the Administrator: Any 
information that the Administrator has determined may reveal a systemic 
vulnerability of the aviation system, or a vulnerability of aviation 
facilities, to attack. This includes, but is not limited to, details of 
inspections, investigations, and alleged violations and findings of 
violations parts 107, 108, or 109, or Sec. 129.25, 129.26, of 
Sec. 129.27 of this chapter, and any information that could lead the 
disclosure of such details, as follows:
    (1) As to events that occurred less than 12 months before the date 
of the release of the information, the following are not released: the 
name of an airport where a violation occurred, the regional identifier 
in the case number, a description of the violation, the regulation 
allegedly violated, and the identity of the air carrier in connection 
with specific locations or specific security procedures. The FAA may 
release summaries of an air carrier's total security violations in a 
specified time range without identifying specific violations. Summaries 
may include total enforcement actions, total proposed civil penalty 
amounts, total assessed civil penalty amounts, number of cases opened, 
number of cases referred by Civil Aviation Security to FAA counsel for 
legal enforcement action, and number of cases closed.
    (2) As to events that occurred 12 months or more before the date of 
the release of information, the specific gate or other location on an 
airport where an event occurred is not released.
    (3) The identity of the FAA special agent who conducted the 
investigation or inspection.
    (4) Security information or data developed during FAA evaluations 
of the air carriers and airports and the implementation of the security 
programs, including air carrier and airport inspections and screening 
point tests or methods for evaluating such tests.
    (i) As to release of information by the FAA: Information concerning 
threats against civil aviation.
    (j) Specific details of aviation security measures whether applied 
directly by the FAA or regulated parties. This includes, but is not 
limited to, information concerning specific numbers of Federal Air 
Marshals, deployments or missions, and the methods involved in such 
operations.
    (k) Any other information, the disclosure of which the 
Administrator has prohibited under the criteria of 49 U.S.C. 40119.
    (l) Any draft, proposed, or recommended change to the information 
and records identified in this paragraph.

    Issued in Washington, DC on March 13, 1997.
Barry Valentine,
Acting Administrator.
[FR Doc. 97-6948 Filed 3-20-97; 8:45 am]
BILLING CODE 4910-13-M