[Federal Register Volume 79, Number 8 (Monday, January 13, 2014)]
[Rules and Regulations]
[Pages 2119-2143]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-00415]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Transportation Security Administration

49 CFR Part 1554

[Docket No. TSA-2004-17131
RIN 1652-AA38


Aircraft Repair Station Security

AGENCY: Transportation Security Administration (TSA), Department of 
Homeland Security (DHS).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Transportation Security Administration (TSA) is issuing 
regulations to improve the security of domestic and foreign aircraft 
repair stations as required by the Vision 100--Century of Aviation 
Reauthorization Act. The regulations codify the scope of TSA's existing 
inspection authority and require repair stations certificated by the 
Federal Aviation Administration (FAA) under 14 CFR part 145 to allow 
TSA and Department of Homeland Security (DHS) officials to enter, 
conduct inspections, and view and copy records as needed to carry out 
TSA's security-related statutory and regulatory responsibilities. The 
regulations also require these repair stations to comply with security 
directives when issued by TSA. The regulations also require certain 
repair stations to implement a limited number of security measures. The 
regulations establish procedures for TSA to notify repair stations of 
any deficiencies with their security measures and to determine whether 
a particular repair station presents an immediate risk to security. The 
regulations include a process whereby a repair station may seek review 
of a determination by TSA that the station has not adequately addressed 
security deficiencies or that the repair station poses an immediate 
risk to security.

DATES: Effective February 27, 2014.

FOR FURTHER INFORMATION CONTACT: Shawn Gallagher, Office of Security 
Operations, TSA-29, Transportation Security Administration, 601 South 
12th Street, Arlington, VA 20598-6029; telephone (571) 227-3378; 
facsimile (571) 603-4344; email [email protected].

SUPPLEMENTARY INFORMATION: 

Availability of Rulemaking Document

    You can get an electronic copy using the Internet by--
    (1) Searching the electronic Federal Docket Management System 
(FDMS) Web page at http://www.regulations.gov;
    (2) Accessing the Government Printing Office's Web page at http://www.gpo.gov/fdsys/browse/collection.action?collectionCode=FR to view 
the daily published Federal Register edition; or accessing the ``Search 
the Federal Register by Citation'' in the ``Related Resources'' column 
on the left, if you need to do a Simple or Advanced search for 
information, such as a type of document that crosses multiple agencies 
or dates; or
    (3) Visiting TSA's Security Regulations Web page at http://www.tsa.gov and accessing the link for ``Research Center'' at the top 
of the page.
    In addition, copies are available by writing or calling the 
individual in the FOR FURTHER INFORMATION CONTACT section. Make sure to 
identify the docket number of this rulemaking.

Small Entity Inquiries

    The Small Business Regulatory Enforcement Fairness Act (SBREFA) of 
1996 requires TSA to comply with small entity requests for information 
and advice about compliance with statutes and regulations within TSA's 
jurisdiction. Any small entity that has a question regarding this 
document may contact the person listed in FOR FURTHER INFORMATION 
CONTACT. Persons can obtain further information regarding SBREFA on the 
U.S. Small Business Administration's (SBA) Web page at http://www.sba.gov/advo/laws/law_lib.html.

Abbreviations and Terms Used in This Document

AOA Air Operations Area
CFR Code of Federal Regulations
DHS Department of Homeland Security
EA Emergency Amendment
E.O. Executive Order
EPCA Energy Policy and Conservation Act
EU European Union
FAA Federal Aviation Administration
FR Federal Register
FRFA Final Regulatory Flexibility Analysis
GA General Aviation
ICAO International Civil Aviation Organization
IRFA Initial Regulatory Flexibility Analysis
MTOW Maximum Certificated Take-off Weight
NAICS North American Industry Classification System
NEPA National Environmental Policy Act of 1969
NPRM Notice of Proposed Rulemaking
NTSB National Transportation Safety Board
OMB Office of Management and Budget
PRA Paperwork Reduction Act of 1995
RFA Regulatory Flexibility Act of 1980
SBA United States Small Business Administration
SBREFA Small Business Regulatory Enforcement Fairness Act of 1996
SD Security Directive
SIDA Security Identification Display Area
SSI Sensitive Security Information
TSA Transportation Security Administration
U.S. United States of America
U.S.C. United States Code

Table of Contents

I. Background
    A. Summary of the Rule
    B. Purpose of the Rule
    C. Costs and Benefits
    D. Changes From the NPRM
II. Public Comments on the NPRM and TSA Responses
    A. Summary
    B. Need for Security Regulations
    C. Relationship to FAA Regulations
    D. ``One Size Fits All'' Approach to Security
    E. Relationship to Foreign Laws and Standards
    F. Application to Domestic Repair Stations
    G. Exemptions for Certain Types of Repair Stations
    H. Protection of Sensitive Security Information
    I. Scope of the Final Rule
    J. Terms Used in the Final Rule

[[Page 2120]]

    K. TSA Inspection Authority
    L. Security Program Adoption and Implementation
    M. Security Directives
    N. Suspension and Revocation of Certificates
    O. Nondisclosure of Certain Information
    P. Other Comments on the Rulemaking
    Q. Implementation Issues
    R. Comments From the Small Business Administration
    S. Comments on the Regulatory Impact Assessment
III. Rulemaking Analyses and Notices
    A. International Compatibility
    B. Economic Impact Analyses
    1. Regulatory Impact Analysis Summary
    2. Executive Orders 12866 and 13563 Assessments
    3. Regulatory Flexibility Act Assessment
    4. International Trade Impact Assessment
    5. Unfunded Mandates Reform Act Assessment
    C. Paperwork Reduction Act
    D. Executive Order 13132, Federalism
    E. Environmental Analysis
    F. Energy Impact Analysis

I. Background

A. Summary of the Rule

    TSA is issuing regulations to improve security at repair stations 
located within and outside the United States as required by Vision 100-
Century of Aviation Reauthorization Act, Public Law 108-176 (117 Stat. 
2489, December 12, 2003), codified at 49 U.S.C. 44924 (Vision 100).\1\ 
The statutory requirements of Vision 100 are discussed in the preamble 
of the Notice of Proposed Rulemaking (NPRM) published in the Federal 
Register on November 18, 2009. See 74 FR 59874, 59875. There are 
approximately a total of 4,067 repair stations located in the United 
States and 707 located outside the United States certificated by FAA 
under part 145 as of August 2013.\2\ The final rule contains the 
following requirements:
---------------------------------------------------------------------------

    \1\ While Vision 100 refers to foreign and domestic repair 
stations, TSA is adopting FAA terminology to refer to repair 
stations located ``within'' or ``outside'' the United States.
    \2\ Data taken from the FAA Safety Performance Analysis System 
(SPAS) database, August 2013.
---------------------------------------------------------------------------

     Application. The regulations apply to repair stations 
certificated by the FAA under 14 CFR part 145, except repair stations 
located on a U.S. or foreign government military base. All repair 
stations are subject to inspection as provided in the rule and to 
Security Directives should there be a security need. However, the rule 
text requires only certain repair stations, discussed below, to carry 
out security measures on a regular basis.
     TSA Inspection Authority. Repair stations must allow TSA 
and other authorized DHS officials to enter, conduct inspections, and 
view and copy records as needed to carry out TSA's security-related 
statutory and regulatory responsibilities. For repair stations not 
required to carry out security measures on a regular basis (i.e., those 
repair stations not located on or adjacent to an airport, as further 
defined below), TSA does not intend to inspect such facilities, except 
(1) for compliance with security directives issued by TSA and with 
airport security programs required by TSA (for those repair stations 
that are included in an airport security program), and (2) to respond 
to security information provided to TSA by U.S. or foreign government 
entities.
     Implementation of Security Measures. The security measures 
in this rule cover repair stations that are on or adjacent to certain 
airports. TSA will consider a repair station to be ``on airport'' if it 
is on an air operations area (AOA) or security identification display 
area (SIDA) of an airport covered by an airport security program under 
49 CFR part 1542 in the United States, or on the security restricted 
area any commensurate airport outside the United States regulated by a 
government entity. TSA will consider a repair station to be adjacent to 
an airport if there is an access point between the repair station and 
the airport of sufficient size to allow the movement of large aircraft 
between the repair station and the area described as ``on airport.'' 
\3\
---------------------------------------------------------------------------

    \3\ Large aircraft are defined as aircraft with a maximum 
certificated take-off weight of more than 12,500 pounds.
---------------------------------------------------------------------------

     Security Measures. Certain repair stations, as described 
above, are required to (1) designate a point of contact(s) to carry out 
specified responsibilities; (2) prevent the unauthorized operation of 
large aircraft capable of flight that are left unattended; and (3) 
verify background information of those individuals who are designated 
as the TSA point(s) of contact and those who have access to any keys or 
other means used to prevent the unauthorized operation of large 
aircraft capable of flight that are left unattended. See section 
1554.101.
     Security Directives. Repair stations are required to 
comply with Security Directives (SDs) issued by TSA. See section 
1554.103.
     Notification of Deficiencies; Suspension of Certificate 
and Review Process. The regulations describe the process whereby TSA 
will notify the repair station and the FAA of a security deficiency 
identified by TSA and provide an opportunity for the repair station to 
obtain review of a determination by TSA to suspend its operating 
certification.
     Immediate Risk to Security; Revocation of Certificate and 
Review Process. The regulations specify that when TSA determines a 
repair station poses an immediate risk to security, TSA will notify the 
repair station and the FAA that the certificate must be revoked. The 
regulations also provide the process for the repair station to obtain 
review of such a determination.

B. Purpose of the Rule

    While the FAA has implemented extensive safety requirements for 
repair stations located within and outside the United States, 
supplementing those safety provisions with the security requirements 
contained in the final rule will further reduce the likelihood that 
terrorists would be able to use large aircraft as a weapon. As 
terrorist organizations continue to target civil aviation, TSA believes 
it is important for aircraft repair stations that are located on or 
adjacent to an airport to have specific security measures in place to 
prevent terrorists from commandeering large aircraft that are capable 
of flight and are not attended. Enhancement of security at repair 
stations that have access to runways will mitigate the potential threat 
that a large aircraft could be used as a weapon.
    In developing this rule, TSA consulted with the FAA and built upon 
the certification and safety requirements FAA has instituted requiring 
repair stations to establish and maintain a quality control system. See 
14 CFR 145.211. While these quality control measures provide a 
significant layer of protection and oversight of articles and aircraft 
under repair, this final rule supplements those measures by requiring 
repair stations that are located on or adjacent to an airport, as 
defined in the final rule, to implement security measures to prevent 
the unauthorized operation of large aircraft capable of flight left 
unattended.

C. Costs and Benefits

    In accordance with Executive Orders (E.O.) 12866 and 13563, TSA 
includes in this preamble a summary of the costs and benefits 
associated with the Aircraft Repair Station Security final rule. The 
table below summarizes the costs and benefits of the final rule to U.S. 
and foreign entities. A detailed estimate of these costs and benefits 
can be found in the regulatory impact analysis accompanying this final 
rule; the

[[Page 2121]]

regulatory impact analysis is available in the docket.

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                    Estimates                                          Units
                               ---------------------------------------------------------------------------------------------------
           Category                 Primary                                                        Discount rate                           Notes
                                    estimate      Low  estimate   High  estimate   Year  dollar      (percent)     Period covered
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                        Benefits
--------------------------------------------------------------------------------------------------------------------------------------------------------
Annualized Monetized            None...........  None...........  None..........  NA............  7..............  NA............  Not Quantified.
 ($millions/year).
                                None...........  None...........  None..........  NA............  3..............  NA............
Annualized Quantified.........  None...........  None...........  None..........  NA............  7..............  NA............  Not Quantified.
                                None...........  None...........  None..........  NA............  3..............  NA............
                               ---------------------------------------------------------------------------------------------------
Qualitative...................  This final rule satisfies the Congressional mandate in Vision 100 for TSA to promulgate
                                 regulations to better ensure the security of aircraft repair stations. The security measures
                                 required by this final rule will better secure the aircraft on repair stations located on or
                                 adjacent to an airport and working on aircraft with a MTOW of more than 12,500 lbs. and mitigate
                                 the risk of a terrorist attack originating at these aircraft repair stations
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                          Costs
--------------------------------------------------------------------------------------------------------------------------------------------------------
Annualized Monetized ($/year).  $2,314,614.....  N/A............  N/A...........  2012..........  7..............  10 Years......  None.
                                $2,318,596.....  N/A............  N/A...........  2012..........  3..............  10 Years......
Annualized Quantified.........  None...........  None...........  None..........  2012..........  7..............  10 Years......  None.
                                None...........  None...........  None..........  2012..........  3..............  10 Years......
                               ---------------------------------------------------------------------------------------------------
Qualitative...................
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                        Transfers
--------------------------------------------------------------------------------------------------------------------------------------------------------
Federal Annualized Monetized    None...........  None...........  None..........  NA............  7..............  NA............  None.
 ($year).
                                None...........  None...........  None..........  NA............  3..............  NA............
--------------------------------------------------------------------------------------------------------------------------------------------------------
From/To                         From:                                             To:
--------------------------------------------------------------------------------------------------------------------------------------------------------
Other Annualized Monetized      None...........  None...........  None..........  NA............  7..............  NA............  None.
 ($year).
                                None...........  None...........  None..........  NA............  3..............  NA............
--------------------------------------------------------------------------------------------------------------------------------------------------------
From/To                         From:                                             To:
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                         Effects
--------------------------------------------------------------------------------------------------------------------------------------------------------
State, Local, and/or Tribal     None...........  None...........  None..........  N/A...........  NA.............  NA............  None.
 Government.
                               --------------------------------------------------
Small Business................                    Prepared FRFA                   NA............  NA.............  NA............  None.
                               --------------------------------------------------
Wages.........................                        None.
                               --------------------------------------------------
Growth........................                    Not Measured.
--------------------------------------------------------------------------------------------------------------------------------------------------------

D. Changes From the NPRM

    TSA adopts as final the proposed rule with changes based primarily 
on the public comments received. This section summarizes the regulatory 
text changes that TSA has made to the NPRM in this final rule. A 
detailed description of the responses to the public comments is 
included in Section II.
1. Part 1520
    TSA eliminated the amendments to part 1520 of its rules because it 
has eliminated the proposed requirement to adopt and implement a 
security program.
2. Scope and Purpose
    TSA modified the language in Sec.  1554.1 to eliminate the 
reference to ``U.S. government'' and inserted ``a U.S. or foreign 
government military installation'' in its place to respond to questions 
raised in some comments. This change will eliminate from the scope of 
the final rule FAA part 145-certificated repair stations located on a 
military base, whether within or outside the United States. The change 
clarifies TSA's intention not to exclude from the scope of the final 
rule those repair stations that are subject to government regulation.
3. Terms
    Commenting parties noted that TSA used different terms than the FAA 
to describe repair stations and repair work and found that the 
different terms were confusing. TSA eliminated the terms section to 
avoid confusion. TSA also eliminated the terms ``foreign repair 
station'' and ``domestic repair station'' from the final rule and uses 
the terms ``repair station located within the United States'' and 
``repair station located outside the United States'' to be consistent 
with FAA part 145 regulations.

[[Page 2122]]

4. Security Program Adoption and Implementation
    In response to commenters who requested exemptions from the 
proposed requirement to adopt and carry out a security program, TSA has 
eliminated the requirement to adopt and implement a security program. 
As will be explained below, TSA will only require certain repair 
stations located on or adjacent to an airport to adopt and carry out 
security measures to prevent the unauthorized operation of large 
aircraft capable of flight that are left unattended. TSA has conducted 
a security risk assessment and determined that other repair stations 
represent a minimal risk to aviation security. TSA has eliminated all 
security measures regarding preventing access to repair stations. This 
change will reduce the regulatory requirements and the costs of 
implementation. While TSA has retained the requirement to verify 
employee background information, it has reduced the application of that 
requirement to those individuals who are designated as the TSA point of 
contact and those who have access to the keys or other means used to 
prevent the unauthorized operation of large aircraft capable of flight 
that are left unattended. TSA has clarified that it will accept 
employment history checks or background checks conducted on individuals 
who have obtained a FAA airman certificate or a SIDA badge. All 
proposed regulations regarding the content, format and availability of 
a security program have been eliminated in the final rule.
5. Profile Information
    TSA has eliminated the requirement proposed in Sec.  1554.101(b) 
for repair stations to submit profile information to TSA. TSA will use 
information available from the FAA.
6. Security Directives
    TSA has added language to permit repair stations to comment upon a 
security directive issued by TSA. This language is consistent with the 
regulatory language used for airport operators and aircraft operators 
under 49 CFR 1542.303(e) and 1544.305(e).
7. Compliance and Enforcement
    In response to comments, TSA has clarified the process in part 
1554, subpart C, which a repair station may use to seek review of a TSA 
determination that a certificate must be suspended or revoked.

II. Public Comments on the NPRM and TSA Responses

A. Summary

    TSA received 177 public submissions. Sixty-seven submissions were 
from repair station owner/operators. Other commenters included private 
individuals, industry associations, labor unions, foreign governments, 
airport owner/operators, domestic and foreign aircraft operators, State 
agencies, and the Small Business Administration (SBA). The discussion 
below groups the comments by the primary issues raised in the public 
submissions.

B. Need for Security Regulations

    Comments: Thirty-three commenters said the proposed rule is 
unnecessary because repair stations already have adequate security or 
are already sufficiently regulated. Ten of these commenters cited 
procedures and controls already in place to safeguard security, such as 
quality controls, employee background checks, access controls, and 
general safety procedures already approved by the FAA. Seven commenters 
said the proposed regulations added a duplicate layer of security 
already provided by other TSA requirements described in current TSA 
security programs or SDs. A few commenters said that TSA should not 
regulate repair stations if they are part of an airline that already 
has an air carrier security program.
    TSA response: Vision 100 requires TSA to issue regulations ``to 
ensure the security of foreign and domestic repair stations.'' 49 
U.S.C. 44924(f). TSA believes that the security regulations described 
in the final rule will reduce the likelihood that a terrorist could 
commandeer a large aircraft capable of flight and use it as a weapon.
    The final rule supplements the safety requirements imposed by the 
FAA, but does not duplicate FAA regulations. TSA disagrees with those 
comments that claim the final rule will duplicate other TSA security 
requirements. TSA does not currently regulate aircraft repair stations 
and the requirements referenced by the commenters do not apply to 
aircraft repair stations. TSA has eliminated the proposed requirement 
to adopt and implement a security program, thus there will not be 
duplication with airport security programs.
    Air carrier-owned and -operated maintenance repair and overhaul 
facilities conducting maintenance under the authority of a certificate 
issued under 14 CFR parts 121 or 135 are not subject to the 
requirements of this rule, since the statute and this rule specifically 
requires regulation of repair stations certificated under part 145 of 
the FAA regulations.
    Comments: Several commenters asked TSA to consider a repair station 
to be in full compliance with the rule if it is already incorporated 
within an airport's security program and uses the airport's access 
control measures.
    TSA Response: TSA is aware that some repair stations may be 
incorporated within an existing airport security program and has 
eliminated the proposed requirement that repair stations adopt and 
implement a security program to avoid unnecessary duplication.
    Comments: Eight commenters stated that repair stations in general 
do not pose a risk to security, especially compared to other facilities 
or operations in the aviation system. Ten commenters claimed that TSA 
did not conduct any type of risk analysis that quantified the security 
risks at repair stations or the benefits of the proposed rule. An 
association said TSA had correctly used a risk-based approach to 
determine the security measures that repair stations would be required 
to carry out under the proposed rule and concluded that this approach 
is the most effective way to advance repair station security.
    TSA Response: TSA agrees that the security risks posed by repair 
stations vary and that the most effective way to advance repair station 
security is to use a risk-based approach to address security matters. 
In developing this rule, TSA conducted a security risk analysis, 
including visits to repair stations located within the United States 
and outside the United States, interviews with industry and FAA 
experts, and a review of intelligence concerning a repair station's 
susceptibility to a terrorist attack.
    The NPRM described the site visits TSA made to repair stations 
between June 2005 and May 2008. See 74 FR 59877. Since that time, TSA 
has visited 47 repair stations located outside the United States and 
928 repair station facilities within the United States to observe and 
discuss repair station security practices. The site visits provided 
valuable insight into the different types of facilities certificated by 
the FAA, the different types of repair work performed at those 
facilities, and the different security measures that are deployed.
    In addition, TSA considered whether certain factors could increase 
the security risks of a repair station. The risk factors TSA considered 
were: (1) The size and type of aircraft to which employees had access; 
(2) the type of

[[Page 2123]]

repair work permitted by the FAA certificate; (3) whether the repair 
station was located on an airport and the type of airport; and (4) the 
number of employees at the repair station.
    Comments: An industry association stated that aircraft operators 
that use repair stations should not be responsible for ensuring that 
repair stations comply with the regulation.
    TSA Response: TSA agrees that aircraft operators that use repair 
stations will not be responsible for ensuring that the FAA part 145-
certificated repair stations comply with the final rule.

C. Relationship to FAA Regulations

    Comments: Some commenters asked the FAA and TSA to coordinate their 
efforts to avoid placing any unnecessary burdens on repair station 
owners or operators. For example, one commenter pointed out that TSA 
could obtain repair station profile information from the FAA. Several 
commenters expressed concern regarding TSA's authority to request the 
FAA to suspend or revoke the operating certificate of a repair station. 
A few of these commenters said that because the FAA issues the repair 
station certificate and is the Federal agency responsible for the 
oversight and regulation of repair stations, the FAA should be the one 
Federal entity that is able to suspend or revoke the certificate. Other 
commenters questioned whether TSA, the FAA, or the National 
Transportation Safety Board (NTSB) has jurisdiction over the appeals 
process for certificate suspensions and revocations. Eight commenters 
said the rule would compromise aircraft safety. Three of these 
commenters claimed the FAA would lose oversight of repair stations and 
would no longer conduct mandatory inspections and surveillance. One 
commenter said the cost of the rule would cause repair facilities to 
divert operating funds away from aircraft safety. Two commenters noted 
the possibility that repair station operators would turn in their 
repair station rating and would instead operate using mechanics holding 
Airframe & Powerplant certification, resulting in a decrease in safety.
    TSA response: TSA has coordinated its efforts with the FAA 
throughout the rulemaking process and the final rule does not duplicate 
FAA's authority to regulate repair station safety matters or interfere 
in any way with the FAA certification process. In response to the 
comments requesting that TSA reduce the burden on repair stations by 
using FAA profile information, TSA eliminated the requirement for 
repair stations to provide profile information from the final rule. TSA 
will obtain the profile information from the FAA.
    The final rule is consistent with the statutory provisions 
regarding the processes for suspension and revocation of a repair 
station certificate. Under 49 U.S.C. 44924(c), TSA must notify the FAA 
Administrator when a repair station poses an immediate security risk or 
is found to have security deficiencies. The statute requires the FAA 
Administrator to act upon the TSA determination to suspend or revoke a 
repair station's certificate. Since the suspension or revocation is 
based on a determination that involves security, neither the FAA nor 
the NTSB has jurisdiction over the appeals process. The final rule 
includes a process whereby repair stations may request review of a TSA 
determination that the repair station certificate must be suspended or 
revoked. The procedure is consistent with the procedure now in place 
for TSA to withdraw approval of the security program of an airport 
operator, aircraft operator, foreign air carrier, indirect air carrier, 
or certified cargo screening facility, as provided in 49 CFR part 1540, 
subpart D.
    TSA disagrees with the comments that claim the rule would 
compromise aircraft safety, and that FAA would lose oversight of repair 
stations. FAA authority over repair station safety is not affected by 
this rule and repair stations must continue to comply with FAA safety 
regulations. This rule will supplement existing FAA safety requirements 
with security measures to ensure that unattended, large aircraft 
capable of flight cannot be commandeered. The costs of the rule are 
summarized in Section III.C below and described in detail in the 
regulatory impact analysis accompanying this final rule. As explained 
therein, TSA has minimized the cost burden of compliance, particularly 
to small businesses, by using a risk-based approach and eliminating the 
requirement for repair stations to implement a security program. In 
addition, if a repair station operator turned in the repair station 
rating and instead used mechanics holding Airframe & Powerplant 
certifications, the repair station operator would not be permitted to 
perform maintenance on passenger aircraft unless hired by an aircraft 
operator, in which case the maintenance work would be subject to the 
safety requirements of parts 121 or 135 of the FAA rules.

D. ``One Size Fits All'' Approach to Security

    Comments: Twenty-seven commenters indicated the proposed rule did 
not adequately accommodate or account for the diversity of repair 
stations to which it would apply. A commenter noted that TSA recognized 
that a ``one size fits all approach'' would not appropriately address 
the diversity in repair station characteristics. Other commenters asked 
TSA for more information on how the security program would accommodate 
the different levels of risk posed by different types of repair 
stations.
    TSA response: TSA recognizes that just as aircraft repair stations 
vary widely in size, type of repairs, and numbers of employees, 
existing security measures also vary widely. As stated in the NPRM, TSA 
agrees that a ``one size fits all'' approach will not adequately 
address the diversity of certificated repair stations. As will be 
discussed below in Section G, repair stations that are not on or 
adjacent to an airport as defined in the final rule, are not required 
to implement security measures.

E. Relationship to Foreign Laws and Standards

    Comments: Several commenters, including representatives of foreign 
governments, addressed the relationship of the proposed rule to other 
countries' security laws and standards. Commenters said TSA should 
recognize the equivalency of the security requirements of other 
countries and the European Union (EU). They also questioned the legal 
basis for application of the final rule without consultation and 
agreement as laid out in international and bilateral aviation 
agreements such as the EU-U.S. Air Transport Agreement. Other 
commenters noted the potential conflict of the proposed rule's 
requirements with national or EU laws or regulations in areas such as 
unannounced inspections and background checks of repair station 
employees.
    TSA response: TSA acknowledges the concerns of foreign governments 
regarding TSA authority to apply security requirements to part 145-
certificated repair stations located outside the United States. TSA is 
aware of and has complied with its obligations under the EU-U.S. Air 
Transport Agreement, as well as other bilateral and multilateral 
instruments. TSA has discussed and will continue to discuss current and 
proposed security requirements with its international partners in order 
to enhance the compatibility of security regulations and standards, 
including the possibility of developing protocols for reciprocity and 
mutual recognition of repair station security regulations. TSA will 
address

[[Page 2124]]

any specific conflicts between the final rule and any national or EU 
laws or regulations that may arise.
    TSA has established procedures for conducting inspections outside 
the United States through its Foreign Airport and Foreign Air Carrier 
Assessment Programs and intends to use those same procedures when 
conducting inspections of FAA-certificated repair stations located 
outside the United States. These established procedures require 
coordination with the U.S. Department of State and the appropriate 
foreign government authorities.
    With regard to background checks, TSA will require repair stations 
that are on or adjacent to an airport, as defined in this rule, to 
verify background information of those individuals who are designated 
as the TSA point(s) of contact and those who have access to any keys or 
other means used to prevent the operation of large aircraft. The repair 
station may either verify the individual's employment history, confirm 
that the individual holds a FAA airman certificate, or (for a repair 
station located in the United States) confirm that the individual has 
obtained a security threat assessment, such as by holding a SIDA badge. 
TSA will not require any other specific type of background check since 
the laws regarding the ability to conduct certain background checks 
vary widely. However, repair stations may conduct other background 
checks consistent with applicable laws.
    Comments: Two commenters were concerned the proposed rule did not 
cover FAA-certificated repair stations in Canada. One of these 
commenters said Canadian facilities could pose the same security risks 
as FAA part 145 certificated facilities and contended that they should 
be subject to the regulation.
    TSA Response: TSA is aware that the final rule will not cover 
repair stations located in Canada and agrees that these repair stations 
could pose the same security risk as other repair stations. Canadian 
repair stations are covered under part 43 of the FAA regulations and 
operate under a bilateral agreement between the FAA and the Transport 
Canada Civil Aviation Authority. Since they are not certificated under 
Part 145 of the FAA regulations, they are not within the scope of this 
rule.
    Comments: One commenter said some foreign repair stations are 
already under regulatory oversight by established government 
authorities and should be exempt from the rule.
    TSA Response: A repair station that is regulated by a governmental 
authority is not exempt from the final rule. While a repair station may 
be regulated by a government agency for safety or other purposes, as is 
the case with the FAA, TSA cannot be assured that such regulation would 
encompass the security requirements in the final rule.

F. Application of the Final Rule to Domestic Repair Stations

    Comments: Eight commenters said Congress omitted the word 
``domestic'' from the statute and concluded that TSA does not have 
authority to impose regulations on domestic repair stations. One repair 
station owner/operator acknowledged that 49 U.S.C. 44924(f) requires 
TSA to issue regulations to ensure the security of both domestic and 
foreign repair stations. However, the commenter noted the remainder of 
the statute refers only to foreign repair stations and concluded that 
Vision 100 does not give TSA authority to suspend the certificates of 
domestic repair stations. Several commenters stated that the rule 
should apply only to foreign repair stations, that domestic repair 
stations pose a lower security threat than foreign repair stations, and 
that TSA is overstepping its authority to regulate both domestic and 
foreign repair stations.
    TSA response: TSA disagrees with the comments that claim the 
regulation should apply only to repair stations located outside the 
United States, that repair stations located within the United States 
necessarily pose a lower security threat than those located outside the 
United States, and that TSA is overstepping its authority to regulate 
aircraft repair stations. TSA is required to issue regulations to 
``ensure the security of foreign and domestic aircraft repair 
stations.'' See 49 U.S.C. 44924(f). Therefore, the final rule applies 
to repair stations that are certificated by the FAA under part 145 of 
its regulations. By including all FAA part 145-certificated repair 
stations in the scope of the rule, TSA will be able to verify that 
repair stations certificated by the U.S. government are in compliance 
with the final rule. TSA will not suspend a repair station certificate. 
The statute provides that the FAA must suspend a certificate upon 
notification by TSA until such time as TSA determines the repair 
station maintains and carries out effective security measures. See 49 
U.S.C. 44924(c).
    While the final rule is consistent with the statutory language, TSA 
has ample statutory authority to address all domestic transportation 
security matters. For example, 49 U.S.C. 114(f) gives TSA the authority 
to: Assess threats to transportation; develop policies, strategies, and 
plans for dealing with threats to transportation security; enforce 
security-related regulations and requirements; inspect, maintain, and 
test security facilities, equipment, and systems; and work in 
conjunction with the Administrator of the FAA with respect to any 
actions or activities that may affect aviation safety or air carrier 
operations. Section 611 of Vision 100 discusses the need to 
``strengthen oversight of domestic and foreign repair stations'' and to 
``ensure that foreign repair stations that are certified by the 
Administrator under part 145 of title 14, Code of Federal Regulations, 
are subject to an equivalent level of safety, oversight, and quality 
control as those located in the United States.'' \4\ Exempting repair 
stations within the United States from the enforcement provisions of 
the final rule would not permit TSA to effectively oversee the security 
of repair stations located within the United States or ensure that 
repair stations located outside the United States are subject to an 
equivalent level of safety, oversight, or quality control.
---------------------------------------------------------------------------

    \4\ H.R. Conf. Rep. No. 108-334, at 83 (2003).
---------------------------------------------------------------------------

    Regulating only repair stations outside the United States would not 
help TSA meet the statutory objective to ensure the security of foreign 
and domestic aircraft repair stations. In fact, the majority of FAA 
part 145-certificated repair stations are located in the United States 
and U.S. aircraft continue to be a prime target of terrorist threats. 
Exempting U.S. repair stations from the final rule would create a 
significant gap in TSA's efforts to secure U.S. aircraft and the 
traveling public. Repair stations located in the United States present 
an immediate opportunity for terrorists to attempt to harm U.S. 
aviation interests. For that reason, and consistent with statutory 
language, the final rule applies to FAA part 145-certificated repair 
stations.

G. Exemptions for Certain Types of Repair Stations

    Many commenters requested TSA to exempt particular types of repair 
stations from the rule. Nineteen commenters stated that off-airport 
repair stations do not pose a security threat and contended the final 
rule should apply only to repair stations located on airport grounds. 
Another commenter agreed off-airport repair stations are less desirable 
targets than on-airport repair stations because they do not have access 
to operational aircraft. However, one commenter observed there are off-
airport repair stations that repair complete aircraft.

[[Page 2125]]

    A number of commenters requested additional types of repair 
stations be exempted from the regulation, including: Stations with a 
small number of employees, stations servicing hot-air balloons, and 
stations servicing aircraft with a MTOW below 12,500 pounds. In 
contrast, a labor union urged TSA not to exempt any repair stations 
from the rule.
    Eighteen commenters stated repair stations servicing aircraft with 
a MTOW below 12,500 pounds should be exempt from the rule. Several 
other commenters said any weight threshold used for this rule should be 
consistent with the threshold adopted in the General Aviation Security 
final rule. A few others suggested weight thresholds ranging as high as 
100,000 pounds.
    Eleven commenters requested TSA to exempt repair stations that work 
only on aircraft components and do not have access to complete 
aircraft. Commenters stated these repair stations do not pose a 
security threat because existing FAA rules require testing of the 
airworthiness of the repaired components prior to installation.
    TSA response: TSA agrees with commenters that repair stations 
located on or adjacent to an airport could pose a higher security risk 
than other repair stations. As the commenters point out and as 
discussed in the NPRM, TSA found that repair station employees at off-
airport locations had little, if any, access to operational aircraft or 
runways and are not the last individuals with access to aircraft prior 
to the reintroduction of the aircraft into service. TSA concluded that 
it may be more difficult for potential terrorists to attempt to attack 
aviation interests from an off-airport repair station location.
    TSA also agrees with commenters that it would be difficult for a 
terrorist to damage an aircraft at a repair station that is rated to 
repair only aircraft component parts. FAA safety regulations require 
inspection of the repair work and the component part prior to 
installation in an aircraft and before the aircraft is determined to be 
airworthy. TSA agrees with the commenters who believe that it is less 
likely that a terrorist would attempt to target an aircraft by 
attempting to sabotage or tamper with a component part at an off-
airport location.
    In addition, TSA agrees with those commenters that repair stations 
that do not work on large aircraft pose less of a security risk. TSA 
has long recognized that aircraft with a MTOW of more than 12,500 
pounds may be a greater security risk because the aircraft are of 
sufficient size and weight to inflict significant damage and loss of 
lives. See Security Programs for Aircraft 12,500 Pounds or More, 67 FR 
8295 (Feb. 22, 2002). Smaller aircraft may be a less attractive target 
for terrorists.
    TSA believes that it must maintain its authority to conduct 
security inspections to ensure that repair stations do not pose a risk 
to transportation security and to make clear that repair stations must 
comply with security directives issued by TSA to respond to a specific 
threat. However, TSA has determined that only higher risk repair 
stations will be required to adopt security measures. Repair stations 
considered to be higher risk include those located on or adjacent to an 
airport. TSA will consider a repair station to be ``on airport'' if it 
is located on an AOA or SIDA of an airport covered by an airport 
security program under 49 CFR part 1542 in the United States, or on the 
security restricted area of any commensurate airport outside the United 
States regulated by a government entity. TSA will consider a repair 
station to be adjacent to an airport if there is an access point 
between the repair station and the airport of sufficient size to allow 
the movement of large aircraft between the repair station and the area 
described as ``on airport.'' These repair stations present the highest 
risk to security due to their proximity to an airport and a runway and 
the presence of operational aircraft of a size and weight that could 
inflict significant damage and loss of lives. These repair stations 
must implement security measures described in the final rule. TSA has 
retained the current definition of large aircraft used in its 
regulations, and will change that definition throughout the regulations 
should another definition be adopted in the General Aviation Security 
rulemaking proceeding.
    Other repair stations, in general, represent a minimal risk to 
aviation security because they are not located on or adjacent to an 
airport and do not have access to aircraft of sufficient size and 
weight to inflict significant damage or loss of lives. All FAA part 145 
certificated repair stations are subject to other requirements in the 
rule, such as submission to TSA inspection and compliance with security 
directives.

H. Protection of Sensitive Security Information (SSI)

    Comments: Two repair station owners/operators and an industry 
association supported the proposed SSI regulations. Another repair 
station owner/operator said the proposed SSI requirements may be 
redundant, because some corporations already have controls for business 
purposes to protect information from public disclosure. Another 
commenter warned the SSI requirements could adversely affect corporate 
operations and the availability of an operator's procedural 
documentation to its employees. An airport owner/operator expressed 
concern that the proposed rule would impose SSI responsibilities on 
repair stations even if they pose a low security risk. A repair station 
owner/operator and an industry association suggested the SSI provisions 
should apply to repair station owners but not to operators. Three 
commenters, including the European Commission, expressed concern about 
the applicability of the SSI provisions to foreign nationals who own 
and operate aircraft repair stations. They also said the proposed SSI 
provisions might be incompatible with the data protection directives of 
other nations or the EU.
    TSA response: TSA has eliminated the proposed requirement to adopt 
and implement a security program and has, therefore, eliminated the 
proposed changes to part 1520. TSA's SSI regulations already require 
security directives (SDs) to be treated as SSI. 49 CFR 1520.5. Part 
1520 applies to entities that receive a TSA SD, including U.S. and 
foreign air carriers for their operations both within and outside the 
United States. While businesses may have procedures in place to protect 
certain types of information, they may not include specific SSI 
protections.
    Repair stations will be responsible for developing procedures to 
safeguard against unauthorized disclosure of a SD. When an individual 
is not in physical possession of SSI, that individual must store the 
SSI in a secure container, such as a locked desk, office, or file 
cabinet. TSA disagrees with the comments that the SSI regulations could 
make it difficult to share security information with repair station 
employees. The SSI regulations permit disclosure to persons with a need 
to know. 49 CFR 1520.9.
    TSA appreciates the concerns of the European Commission regarding 
the applicability of SSI requirements to foreign repair stations; 
however, TSA does not believe that this will cause difficulties with 
regard to EU legislation and data protection policies. TSA already 
applies SSI requirements to foreign air carriers operating under a TSA-
accepted Model Security Program or who receive a TSA-issued emergency 
amendment. The EU has not objected to or raised concerns regarding 
conflicts with EU data protection laws and regulations in those 
instances. TSA will continue to discuss with the EU any specific 
conflicting regulatory requirements that may arise.

[[Page 2126]]

I. Scope of the Final Rule

    Comments: A repair station owner/operator supported the scope of 
the rule as proposed. Another repair station owner/operator suggested 
the words ``or excluded from this part by TSA'' be added to account for 
situations in which a repair station is already incorporated within an 
airport's security program or in which the repair station does not 
constitute a security threat. An industry association suggested the 
addition of ``or host government'' after ``U.S. Government'' in 
recognition of the fact that many other governments already have 
standards that meet or exceed those in the proposed rule.
    TSA response: TSA has modified the language in the final rule. The 
final rule does not apply to FAA part 145-certificated repair stations 
located on a U.S. or foreign government military installation. However, 
certificated repair stations that are regulated or under the oversight 
of a governmental entity are not exempt from the final rule. As 
explained previously, only higher risk repair stations will be required 
to implement security measures.

J. Terms Used in the Final Rule

    Comments: Four commenters addressed the proposed definition of 
``repair station.'' One industry association suggested narrowing the 
definition to include only repair stations that convey aircraft 
directly into commercial flight operations under parts 121 or 135 of 
the FAA's regulations. Another industry association suggested narrowing 
the definition to include only those repair stations authorized to 
perform maintenance or alteration of civil aviation aircraft located on 
a commercial airport. A third industry association objected to the 
proposed definition because it does not recognize mixed maintenance 
operations, in which a repair station is co-located at a larger 
facility that is not otherwise covered by TSA security requirements. A 
repair station owner/operator asked whether the scope and boundaries of 
a repair station for purposes of the TSA rule would differ from the 
scope and boundaries of the repair station for FAA purposes.
    TSA response: In response to the comments, TSA has eliminated the 
terms to avoid confusion with FAA terminology.
    TSA is aware of the existence of mixed-use facilities, for example 
those that combine maintenance and manufacturing stations. It will be 
the repair station operator's responsibility to delineate the parts of 
the station used for activities subject to this final rule and those 
that are not. If a repair station determines it is not possible to make 
such a delineation then the entire station would need to meet the 
requirements of this final rule.

K. TSA Inspection Authority

    Comments: Several commenters suggested that TSA's authority to 
enter a repair station should be limited to normal business hours or 
after business hours with an escort upon reasonable notice, unless 
there is a known specific threat. These comments point out that, with 
prior notification, a repair station could make certain that the 
correct personnel are available to answer questions and provide 
documentation. Two labor unions supported unannounced inspections, 
saying repair stations must constantly ensure that they are complying 
with security requirements, and that advance notice would nullify the 
benefit of a security inspection. Four commenters supported the 
proposed language authorizing TSA to conduct unannounced inspections. 
However, they expressed concern that TSA indicated it would follow 
existing protocols for inspection of repair stations located outside 
the United States and provide advance notice to the facility being 
inspected and the host government. The commenters asserted that giving 
advance notice would nullify the benefit of the security inspection. 
Eight commenters, including a foreign government and the European 
Commission, said TSA could not legally inspect repair stations located 
outside the United States without prior notification and the approval 
of the authorities of the country in which the repair station is 
located.
    TSA response: TSA will follow current agency practices regarding 
inspections of repair station facilities outside the United States. TSA 
will always coordinate any inspections with the host government prior 
to starting an inspection. With regard to repair stations within the 
United States, TSA acknowledges the concerns expressed regarding such 
government inspections. While TSA anticipates that in some cases it 
will notify these repair stations of scheduled inspections, this 
regulation allows TSA to conduct an inspection without advance notice 
at any time and in a reasonable manner. In those instances where notice 
is given, TSA will give the repair station the opportunity to gather 
evidence of compliance and to arrange to have the appropriate personnel 
available to assist TSA. However, TSA anticipates that unannounced 
inspections will be conducted in the United States, particularly if 
warranted by a security incident at a repair station. Some inspections 
can be effective only if they are unannounced in order to determine 
whether the regulated party is in compliance when it is unaware that 
TSA may be inspecting. Terrorists will seek to take advantage of 
vulnerabilities whenever they occur. TSA must have the ability to 
respond to information, operations, and specific circumstances whenever 
they develop and to assess the security of regulated entities at any 
time, including weekends or holidays.
    Comments: Several commenters said the rule should clearly define 
the scope of TSA audits and should specify that the repair station 
property, facility, and records to be inspected are only those relevant 
to repair station security. In addition, a repair station owner/
operator and an industry association stated that business records, 
corporate correspondence, and aircraft maintenance records should be 
off-limits without a search warrant. They said the proposed rule 
language was too broad and should be narrowed in the final rule.
    TSA response: TSA disagrees that the inspection authority is overly 
broad and has not modified the language in the final rule. The statute 
authorizes TSA to ``complete a security review and audit.'' See 49 
U.S.C. 44924(a). In addition, TSA has authority to ``inspect, maintain, 
and test security facilities, equipment, and systems.'' See 49 U.S.C. 
114(f)(9). The regulatory text states specifically that the purpose of 
the inspection is to ``carry out TSA's security-related or regulatory 
authorities.'' Thus, TSA will seek access to records relevant only to 
security. The inspection authority section in new Sec.  1554.5 includes 
audits, assessments, or inspections and is consistent with existing TSA 
rules, such as in Sec.  1542.5 (airport operators) and Sec.  1580.5 
(railroad operators).
    Also in connection with scope, TSA notes that consistent with its 
statutory authority (which currently allows inspections for security 
reasons irrespective of this final rule), inspections will be for 
compliance with this final rule's requirements and for security reasons 
only. For repair stations not subject to security measures under this 
rule (that is, those repair stations not located on or adjacent to an 
airport, as defined in this rule), TSA does not intend to inspect such 
facilities except as necessary to comply with the requirement in 49 
U.S.C. 44924 to conduct a security audit of all part 145 certificated 
repair stations located outside the United States, to evaluate security 
risks as conditions warrant, and, in the event that TSA issues a

[[Page 2127]]

security directive to such a repair station, for compliance with the 
security directive.
    Comments: Some commenters said repair station security policy may 
require anyone inside the repair station to have an identification 
badge, and suggested that TSA and DHS officials comply with established 
security programs at the site. A few commenters asked how repair 
station personnel would know if TSA or DHS credentials are valid. One 
of them asked if repair station personnel could record the names and 
badge numbers of TSA and DHS inspectors.
    TSA response: The final rule allows repair stations to request 
inspectors to present their credentials for examination. Repair 
stations may not photocopy or otherwise reproduce the credential to 
prevent unauthorized individuals from using fake credentials to access 
a repair station. Repair stations may issue access or identification 
media to inspectors for their use while conducting inspections of the 
facilities. However, they may not prevent an inspector from conducting 
an inspection because the inspector was not issued identification media 
by the repair station. TSA will assist repair stations to develop 
training to identify TSA and DHS credentials.
    Comments: A repair station owner/operator observed that TSA and DHS 
officials would need an escort for their own safety. Several other 
commenters were concerned that untrained TSA personnel could damage 
aircraft parts during their inspections or cause a disruption of work.
    TSA response: TSA appreciates that it must properly train its 
inspectors so that they avoid dangers to themselves, to employees, and 
other individuals at the repair station, and to property. TSA intends 
to use only properly trained and credentialed personnel to conduct 
inspections.

L. Security Program Adoption and Implementation

    Comments: A repair station owner/operator supported the proposed 
requirement to submit a profile because it would prevent use of a ``one 
size fits all'' approach to repair station security. One commenter 
asked TSA to accept the company profile used for FAA repair station 
approvals. Another repair station owner/operator said that TSA should 
eliminate this requirement or provide more information on what would 
constitute an adequate profile. Several commenters said that the 
proposed rule provided no guidance on how repair stations would report 
changes in profile information or how they would know which changes 
were significant enough to require reporting.
    TSA response: TSA concurs with the majority of comments regarding 
the submission of a profile and has not included the requirement in the 
final rule. TSA will use existing repair station profile information 
from the FAA.
    Comments: Several commenters questioned how TSA could achieve its 
stated objective of appropriately addressing the diversity in repair 
station characteristics while requiring repair stations to use a 
standard security program, unless otherwise authorized by TSA. They 
expressed concern about having to adopt a ``canned'' or ``cookie-
cutter'' security program. In contrast, two labor unions said that 
there needs to be a baseline security standard applied to all repair 
stations and that allowing for any variation presents an opportunity 
for disparities in security from station to station.
    TSA response: TSA has eliminated the requirement to adopt and carry 
out a security program in the final rule.
    Comments: Some commenters expressed the belief that a 30-day 
deadline for a repair station to submit a profile was insufficient, 
particularly for small entities, those located overseas, and large 
corporations with many subsidiaries or joint ventures. Three of them 
suggested that 90 days would be more realistic.
    TSA response: TSA has eliminated the requirement for repair 
stations to submit a profile so there is no longer a 30-day deadline 
requirement.
    Comments: Two repair station owners/operators objected to the fact 
that the proposed rule does not define specific minimum performance 
standards, and entities may be subject to inconsistent compliance 
expectations. Another commenter asked that the detail provided in the 
preamble regarding the security program be included in the regulatory 
language.
    TSA response: TSA has eliminated the language in the NPRM regarding 
the security program requirements. The final rule describes security 
measures that repair stations on an airport or adjacent to an airport, 
as defined in the final rule, must adopt. In order to reduce the 
potential regulatory burden and implementation costs of the proposed 
rule, TSA has removed all security measures that restrict access to a 
repair station in the final rule. Instead, repair stations will be 
required to prevent unauthorized operation of large, unattended 
aircraft that are capable of flight. Large aircraft are defined as 
aircraft with a maximum certificated take-off weight of more than 
12,500 pounds and attended aircraft means aircraft to which access is 
limited to authorized individuals and property.
    The final rule explains that preventing unauthorized operation may 
be accomplished in several ways and a repair station may even develop 
its own measure so long as it obtains approval from TSA. The final rule 
states that a repair station may block the path of the aircraft so that 
it cannot be moved and control the key to a vehicle used for that 
purpose, park the aircraft in a locked hangar and control the key to 
the hangar, or move stairs away from the aircraft and shut and lock, if 
feasible, all cabin and cargo doors and control the key. Controlling 
the key, if used, is described as making sure that keys are only 
available to an authorized individual who has undergone an employment 
history check or a security threat assessment.
    Comments: Ten commenters addressed the provision of the proposed 
rule requiring the security programs to include measures to identify 
all individuals authorized to enter the repair station. Three of the 
commenters said the actual language of the provision was not detailed 
enough to establish TSA's intent. A repair station owner/operator 
expressed support for TSA's statement in the NPRM that TSA will deem 
repair stations with established personnel identification media systems 
as compliant with the requirement. The commenter asked TSA to 
incorporate that language into the final rule. Three of the commenters 
also questioned TSA's intent with regard to compliance by small repair 
stations. They said small repair stations should be able to rely on 
simple identification measures such as personal recognition.
    TSA Response: In response to the comments, TSA has eliminated this 
requirement in the final rule.
    Comments: A repair station owner/operator said it is already in 
compliance with many elements of the proposed standard security 
program, including use of an employee identification system. Another 
repair station owner/operator said TSA should not require repair 
stations with established and existing escort policies and programs to 
replicate ``redundant'' government escort procedures, because it would 
cause confusion among employees and would impose excessive labor costs. 
With regard to the proposed training requirements, three commenters 
said existing International Civil Aviation Organization (ICAO) and EU 
requirements should be sufficient to meet the requirements, and a 
repair station owner/operator said security training already is part of 
its operations.

[[Page 2128]]

    TSA response: TSA has eliminated these security requirements in the 
final rule. TSA acknowledges that many repair stations may already have 
existing measures that meet or exceed the requirements described in the 
final rule.
    Comments: Twenty-one commenters expressed divergent views regarding 
the requirement for employee background checks. Three commenters 
supported the proposed rule and said it should be imposed on repair 
station employees to the same degree it is imposed on FAA-certificated 
mechanics. Five commenters said the requirement to check previous 
employment might not be possible under EU Directive 95/46/EC and 
national legislation. A repair station owner/operator said TSA failed 
to recognize the limits imposed by Federal and State labor laws, as 
well as union contracts. One industry association said other laws and 
FAA regulations already require confirmation of citizenship and other 
information related to employment history. Another industry association 
also stated this requirement would be redundant for airport-based 
facilities.
    Seven commenters said the requirement was too vague and lacked 
details, such as screening criteria and adjudication procedures. One 
industry association said the phrase ``any other means as appropriate 
to validate employee information'' is unclear and said the final rule 
should have specific requirements such as the number of years or number 
of employers to include. Another industry association said it was 
unclear whether TSA intended employers to conduct a criminal history or 
a security threat assessment, but that neither should be required. 
Another commenter said the rule should include language that prevents 
operators from having to repeat background checks they have already 
conducted.
    TSA response: TSA has retained the requirement to verify employee 
background information, but has limited the number of repair stations 
that must implement security measures and has reduced the number of 
individuals whose background information must be verified. TSA 
recognizes that many countries have different laws and regulations 
regarding this matter, and not all repair stations have a need or the 
ability to conduct certain types of background checks. The final rule 
requires that only the individual or individuals responsible for 
compliance with the final rule and recordkeeping, designated as TSA 
point(s) of contact, and authorized access to keys used to secure large 
aircraft must undergo a background check. The final rule does not 
mandate the number of individuals who must undergo a background check, 
but the number must be sufficient to ensure that a point of contact is 
available on a 24-hour-a-day basis and all large aircraft capable of 
flight are secured when not attended.
    The final rule includes four examples of background checks that are 
acceptable and allows a repair station to use another means if approved 
by TSA.
    (1) Verification of employment history for the most recent five 
year period or the time since the employee's 18th birthday, whichever 
is shorter. Verification may be accomplished via telephone, email, or 
in writing. If the verification is performed by telephone, the repair 
station must record the date and the name of person who verified the 
employment. If there is a gap in employment of six months or more that 
is not satisfactorily explained, employment history is not verified for 
purposes of this rule. Employment history verification records must be 
maintained for at least 180 days after the employment ends.
    (2) Confirmation that the employee holds an airman certificate 
issued by the FAA is sufficient since TSA vets all such certificate 
holders.
    (3) For a repair station located within the United States 
confirmation that an employee has successfully completed a security 
threat assessment pursuant to part 1540 of TSA's regulations, such as 
by holding a SIDA badge.
    (4) For a repair station located outside the United States, 
confirmation that an employee has obtained a security threat assessment 
commensurate to a security threat assessment described in part 1540 of 
TSA's regulations.
    TSA is aware that many repair stations already conduct security 
threat assessments or other background checks on their employees. If 
the background check is commensurate with the requirement of the final 
rule, TSA will not require duplicative or redundant measures.
    Comment: A few commenters urged TSA to require drug and alcohol 
testing of personnel at foreign repair stations, just as the FAA 
requires such testing under its authority over domestic repair 
stations. The European Commission commented that such testing in EU 
member nations is a matter for the law enforcement services in those 
nations.
    TSA response: As stated in the NPRM, drug and alcohol testing is a 
safety issue that is under the purview of the FAA and is not included 
as a requirement in the final rule.
    Comments: A repair station owner/operator said the NPRM provided no 
training criteria or scope of incident management for the security 
coordinator. An industry association recommended TSA specify all 
training requirements in one place and requested that the expectations 
for the training of security coordinators be defined. One repair 
station owner/operator indicated that 24-hour contact would not be 
feasible for a small component repair station located outside of an 
airport. A second owner/operator said the requirement should be imposed 
at the airport level, not at the facility level. A third owner-operator 
suggested TSA allow repair stations to designate an alternate security 
coordinator.
    TSA response: TSA has eliminated the requirement to train a 
security coordinator in the final rule. The repair station must 
designate one or more individuals, as necessary, to serve as TSA 
point(s) of contact and to be responsible for compliance with the final 
rule and recordkeeping. Training is not required to perform these 
responsibilities. TSA does not agree that an airport Security 
Coordinator would be sufficient to serve as the primary and immediate 
contact for repair station security-related activities and 
communications with TSA, unless TSA determines the repair station is 
incorporated within the airport security program and the airport is 
responsible for the security of the repair station itself.
    Comments: A commenter stated that requiring a repair station to 
make its security program available for review by TSA is insufficient. 
The commenter said TSA should review and approve each security program. 
A repair station owner/operator asked to whom the security program must 
be accessible. One industry association asked if airport operators 
would be able to access and review a repair station's security program 
to verify that the airport operator is contacted for all security 
related issues or incidents.
    The European Commission and a repair station owner/operator opposed 
the proposed English language requirement, noting that it would be 
burdensome for foreign repair stations. The European Commission pointed 
out that English is the official language of only three of the 27 EU 
member states and said the requirements for oral and written 
communications to be in English would be impossible to implement.
    TSA response: The proposed requirement to adopt and implement a 
security program has been eliminated in the final rule.
    With regard to the proposed English language requirements, while 
TSA has

[[Page 2129]]

eliminated the security program requirement, it retains the requirement 
in the inspection provision to request documents in English. TSA notes 
that this requirement is consistent with FAA regulations, such as 14 
CFR 145.219, which requires a certificated repair station to retain 
records of compliance in English.

M. Security Directives (SDs)

    Comments: Several commenters objected to the requirement to comply 
with SDs and asserted TSA has used SDs to issue requirements without 
notice and the opportunity for public comment, thus circumventing the 
rulemaking process. Several industry associations expressed concern 
that TSA will require repair stations to comply with SDs that are not 
applicable to their circumstances.
    A commenter suggested TSA allow electronic acknowledgement of 
receipt of an SD so that a record of compliance is maintained. Other 
commenters thought verbal acknowledgement would be impractical and 
burdensome to TSA and to repair stations, particularly small 
facilities. Two repair station owners/operators said TSA should specify 
the method of compliance in the SD. A repair station owner/operator 
requested TSA identify the process for obtaining approval for 
alternative measures of complying with an SD.
    An industry association asserted that foreign repair stations are 
not under TSA jurisdiction, and a repair station owner/operator said 
the requirement to comply with SDs might be incompatible with foreign 
security requirements.
    One commenter requested TSA avoid using common aviation-related 
abbreviations for TSA-related items. As an example, the commenter said 
Security Directives should be called ``TSA Directives.''
    TSA response: The term ``Security Directive'' is a standard term 
used throughout TSA's regulations to describe the regulatory document 
issued by TSA when TSA determines that additional security measures are 
necessary to respond to a threat assessment or to a specific threat 
against civil aviation. See 49 CFR 1542.303, 1544.305, 1548.19, and 
1549.109. TSA declines to rename these documents. TSA intends to 
maintain its current practice and issue SDs to repair stations when 
necessary to respond to a threat assessment or a specific threat 
against aviation. TSA has added language to the final rule to clarify 
that repair stations may comment on SDs issued by TSA in Sec.  
1554.103(d). TSA may amend an SD based on those comments. TSA will 
include in an SD the procedures to acknowledge receipt, to implement 
the requirements, and to request alternative measures if a particular 
measure is incompatible with a security requirement imposed by a 
foreign government or cannot reasonably be implemented.

N. Suspension and Revocation of Certificates

    Comments: A few commenters asserted the statutory provisions 
regarding the suspension and revocation of certificates apply only to 
repair stations located outside the United States and thus the final 
rule should not apply to repair stations within the United States. 
Commenters claimed the proposed rule includes procedures for appealing 
the revocation of certification, but not for appealing the suspension 
of certification. Some recommended following the FAA process in 14 CFR 
part 13. Several commenters said the rule should include the criteria 
TSA would use when initiating a suspension or reinstating a 
certification. Another industry association added TSA is as likely to 
err in its judgment, as the industry is likely to err in compliance. 
Several commenters also expressed concern about the consequences of 
suspension and the resulting economic burden, especially on small 
businesses. Several commenters objected to the appeal process because 
it did not provide for appeal of TSA's decision to an impartial third 
party. One repair station owner/operator stated the proposal violates 
the current rules of discovery and does not reflect current judicial 
process, and other commenters urged that final certification authority 
be left to the FAA or NTSB. Other commenters warned that even though 
the suspension and review may be temporary, either action would 
jeopardize a repair station's ability to remain viable and the rule 
should include specific timelines that TSA must meet.
    Commenters expressed concern because the proposed rule provided no 
guidelines for TSA's determination of revocation and there are no 
effective checks on TSA's power to revoke. They also objected that 
under the proposed rule, a certificate remains revoked during the 
review process. One industry association requested TSA follow the 
procedures already in place for the revocation of an FAA airman 
certificate, including appeal to an administrative law judge and then 
to the NTSB. Another industry association observed that in some TSA 
actions against individual airmen, certificates were revoked while the 
documentation supporting TSA's actions were withheld. A repair station 
owner/operator requested harmonization with FAA's enforcement process, 
which includes voluntary self-disclosure, administrative corrections, 
processes to handle repeat offenders, and published guidelines for 
legal enforcement, including suspending or revoking domestic repair 
station certificates. An industry association expressed the belief that 
review of a revocation must be reconciled with existing FAA and TSA 
regulations. An anonymous commenter pointed out that the statute 
requires consulting with the Administrator to establish procedures to 
appeal a revocation of a certificate.
    Nineteen commenters said that the proposed rule did not provide 
enough detail or left too much to interpretation by those who would 
enforce it. A few commenters expressed concern about a lack of key 
definitions such as ``immediate risk to security'' and procedural 
protections such as other tools to achieve compliance objectives, and 
time limits for review, which could lead to inconsistencies and 
certificate revocation without due process.
    TSA response: TSA has clarified the regulatory language that 
provides for judicial review of a final agency order. TSA has also 
modified the language in the final rule to specify that repair stations 
have the opportunity to petition for reconsideration of a TSA 
determination that a repair station certificate must be suspended or 
revoked. The certificate enforcement actions in the final rule are 
consistent with TSA's procedures governing the withdrawal of approval 
of a security program. 49 CFR 1540.301. TSA agrees with commenters that 
the FAA has the authority to issue, suspend, or revoke certificates and 
the statute requires the FAA to suspend or revoke a certificate if 
notified by TSA to do so. 49 U.S.C. 44924(c). Since any certificate 
action initiated by TSA will involve compliance with TSA's security 
regulations, the basis for the certificate action must remain with TSA 
and not the FAA or the NTSB. Further, TSA has general authority to 
enforce security-related regulations and requirements. 49 U.S.C. 
114(f)(7). TSA has consulted with the FAA in the development of the 
final rule.
    TSA appreciates the concerns expressed regarding the impact of a 
suspension or revocation of a certificate on a repair station business. 
TSA intends to follow current enforcement practices and anticipates 
that most instances of non-compliance will not result in certificate 
action. When appropriate, TSA will use a progressive enforcement 
process whereby instances

[[Page 2130]]

of non-compliance can be resolved with non-certificate action, 
including counseling, administrative actions, and civil penalties. See 
49 CFR part 1503.

O. Nondisclosure of Certain Information

    Comment: Two repair station owners/operators expressed concern that 
the proposed regulations would preclude them from obtaining information 
needed to appeal TSA determinations.
    TSA response: TSA has retained the language from the NPRM in Sec.  
1554.205 in the final rule. In accordance with E.O. 12968, TSA does not 
disclose classified information. In accordance with 49 CFR 1520, TSA 
also does not disclose SSI to individuals without a ``need to know.'' 
However, consistent with current enforcement practice, TSA will provide 
the repair station with the information it collected and upon which the 
enforcement action is based.

P. Other Comments on the Rulemaking

    Comment: One commenter suggested repair station operators be 
required to amend their FAA repair station manuals to make all 
personnel aware of TSA security concerns.
    TSA response: The FAA repair station manual is outside the scope of 
this rulemaking and TSA authority. TSA, however, has shared this 
comment with FAA.
    Comment: Several industry associations said that TSA should allow 
them and repair station owner/operators to review the standard security 
program prior to implementation of the rule.
    TSA response: TSA held briefing sessions with industry 
representatives in the United States and overseas. During the sessions, 
TSA provided a draft security program template for review and received 
comments. TSA notes that the requirement to adopt and implement a 
security program has been eliminated in the final rule.
    Comment: A commenter asserted that a substantial number of 
maintenance workers at repair stations are not certified and that some 
may not be legally working in the United States.
    TSA response: TSA notes that all employees hired after November 1, 
1986, must complete Form I-9, Employment Eligibility Verification, 
issued by U.S. Citizenship and Immigration Services of the Department 
of Homeland Security to document that they are authorized to work in 
the United States.
    Comment: Ten commenters requested a more collaborative rulemaking 
process. Another commenter recommended consulting with four specific 
industry associations and other industry organizations during revision 
of the proposed rule. One industry association also suggested the 
creation of a Repair Station Sector Coordinating Council as a formal 
means of obtaining industry input for the rulemaking process. An 
association requested TSA to issue a Supplemental NPRM to make certain 
that the concerns raised in the public comments are addressed. Two 
commenters stated the lack of ability to review details of the Standard 
Security Program as part of the proposed regulations, specifically the 
associated information deemed by TSA to be SSI, render this rulemaking 
non-compliant with the requirements of the Administrative Procedure Act 
and applicable case law defining adequate rulemaking notice and 
opportunity to comment.
    TSA response: The NPRM containing the proposed regulations was 
published in the Federal Register for public comment. 74 FR 59874 (Nov. 
18, 2009). TSA has reviewed all of the comments it received during the 
public comment periods in 2004 and 2009, as well as those received 
during the public listening session conducted in 2004, and has adjusted 
the final rule to address the comments as necessary. TSA has met all 
requirements of the Administrative Procedure Act. As noted above, TSA 
met with the repair station industry to receive comment on the security 
program template format. TSA held briefing sessions with industry 
representatives in the United States and overseas. During the sessions, 
TSA provided a draft security program template for review and received 
comments, although it ultimately determined not to include the security 
program requirement in the final rule. TSA will continue to consult 
with its stakeholders and sees no need for a coordinating council at 
this time.

Q. Implementation Issues

    Comments: Five commenters said TSA lacks the budget and staffing 
levels needed to implement the security programs and provide oversight 
of repair stations as detailed in the rule. Two commenters said TSA is 
understaffed and suggested this rulemaking would serve only to divert 
necessary resources from the agency's other security programs. Two 
other commenters requested TSA secure the necessary resources to make 
certain the proposed program is implemented efficiently and 
immediately.
    Several commenters said TSA would likely need to hire new 
inspectors to implement the rule, and two commenters requested any new 
TSA inspectors be required to complete mandatory training to ensure all 
inspectors understand the safety measures and precautions that must be 
taken when performing security audits at repair stations.
    TSA response: The costs to the government to enforce the final rule 
are included in the regulatory impact analysis. TSA is aware of the 
complexity of work performed at repair stations. TSA has developed the 
appropriate inspection guidance documents and relevant training for its 
inspectors.
    Comments: Two commenters questioned the statutory requirement that 
TSA complete a security review and audit of all foreign repair stations 
certificated by the FAA no later than six months after the final rule 
is issued. Both said that the six-month period is too short. One 
requested that the period be extended to 12 months, while the other 
requested that the compliance period be extended to 18 months, the time 
specified in Vision 100. One commenter warned that if TSA does not 
extend the timeframe, the ability of new repair stations to be 
certified could be impeded, which would negatively affect the aircraft 
repair industry.
    TSA response: In the Implementing Recommendations of the 9/11 
Commission Act of 2007 (Pub. L. 110-53, 121 Stat. 266, Aug. 3, 2007), 
the original 18-month deadline for completing security audits of repair 
stations located outside the United States was reduced to six months. 
TSA is committed to meeting the statutory deadline. TSA has hired 
inspectors and developed a database that will serve as an inspection 
scheduling and tracking tool. TSA has also developed an implementation 
plan for inspecting repair stations located outside the United States.
    Comment: An industry association suggested TSA collaborate with 
foreign authorities to help implement the proposed program in their 
respective countries. According to the association, this approach would 
allow TSA to use its resources more efficiently.
    TSA response: TSA will continue to meet and work with its 
international partners to discuss implementation of the final rule.
    Comments: Ten commenters said the proposed rule did not include a 
compliance date or adequate details on TSA's implementation plans, such 
as whether some repair stations would have to come into compliance 
before others. An aircraft manufacturer recommended adding a long-term 
compliance date for including measures to control access to a repair 
station because a business plan would need to be modified in order to 
accommodate

[[Page 2131]]

increased capital expenses. The commenter also suggested providing a 
more flexible ``phase-in period'' for repair stations that recognizes 
current industry business models in order to enable repair stations to 
adequately and appropriately address any identified security lapses. 
The commenter further recommended adopting a compliance schedule 
similar to that of 14 CFR parts 1, 21, 43, and 45, which focus on 
addressing potential industry constraints with meeting new compliance 
requirements. One commenter recommended an 18-month period, to allow 
adequate time to prepare for necessary costs and ensure that repair 
stations have an adequate understanding of what is required of them. 
One industry association suggested using a compliance date of 180 days 
from the publication of the final rule.
    TSA response: The final rule will be effective 45 days after the 
date of publication in the Federal Register. TSA will conduct 
appropriate outreach and communication to industry representatives and 
the aircraft repair station community to discuss specific 
implementation timeframes and issues. TSA notes that it has eliminated 
the requirement to adopt and carry out a security program in the final 
rule. In addition, TSA anticipates that many of these repair stations 
already have security measures in place that may meet or exceed the 
measures contained in the final rule.
    Comment: One commenter requested more information on the fees 
charged for TSA repair station audits, noting that the initial audit 
will require an additional charge for repair stations if the FAA is 
conducting the audits.
    TSA response: TSA is not charging a fee to conduct security audits 
or inspections.
    Comment: One industry association suggested TSA establish a 24-hour 
point of contact to answer compliance-related questions.
    TSA response: TSA has established a dedicated email address, 
[email protected], where repair stations can send questions. In addition, 
repair stations will be provided with the name and contact information 
for inspectors who will be available to respond to questions.

R. Comments From the Small Business Administration

    Comment: The Small Business Administration Office of Advocacy (SBA) 
recommended that TSA limit the scope of the rule. SBA offered the 
following three alternatives to meet the objectives of Vision 100 while 
minimizing significant economic impacts on small repair stations: (1) 
Exempt all repair stations that are not located at a commercial airport 
or that do not have access to aircraft; (2) adopt a risk-based, tiered 
approach based on size of aircraft and access to aircraft; and (3) 
align the final rule with the threshold level TSA ultimately adopts in 
the proposed General Aviation Security rule.
    TSA response: TSA has reduced the scope of the final rule and has 
eliminated the proposed requirement to adopt and implement a security 
program. TSA has analyzed the possible security risk associated with 
repair stations and agrees that those not located on or adjacent to an 
airport, as defined in the final rule pose a lower risk to 
transportation security. This risk-based approach will minimize the 
economic impact on small repair stations consistent with SBA's 
recommendation. The aircraft size threshold in this final rule is 
consistent with TSA's current regulatory threshold. TSA agrees that its 
regulations should be consistent and will evaluate all of its 
regulations to determine whether changes are needed to enhance 
consistent regulatory treatment once the General Aviation Security rule 
is final.
    Comment: SBA recommended that TSA provide clear guidance to small 
business regarding the implementation of the security program.
    TSA response: TSA has eliminated the requirement to implement a 
security program. TSA will work with all stakeholders to provide 
guidance on the final rule.
    Comment: SBA was concerned that the costs of the regulation were 
understated, explaining that TSA either failed to estimate or 
underestimated costs of inspections, correcting security deficiencies, 
complying with security directives, implementing access control 
measures, implementing the security program, appealing suspension and 
revocation determinations, and implementing identification media 
systems. SBA recommended that TSA reassess its cost estimates.
    TSA response: TSA has added estimates or updated its previous 
estimates in the regulatory impact analysis to reflect the requirements 
in the final rule. TSA notes that the requirement to implement a 
security program has been eliminated and the application of security 
measure requirements has been reduced significantly. The costs of 
complying with future SDs cannot be estimated. SDs are issued on a 
limited basis to respond to a specific threat. The measures required to 
respond to the threat and the frequency of such threats cannot be 
reasonably predicted. TSA does permit regulated entities to comment on 
a SD and propose alternate measures if the measures cannot be 
reasonably implemented.
    Comment: SBA recommended that TSA address the concerns of small 
businesses regarding SSI and develop procedures to assist small 
businesses to control SSI.
    TSA response: The requirements for the protection of SSI are 
described in part 1520 of TSA's regulations. TSA will provide 
assistance and will answer specific questions regarding the protection 
of SSI. The SSI regulations explain that SDs are SSI. Those repair 
stations that receive a SD will be required to safeguard it to prevent 
access by individuals who are not authorized to possess SSI. Repair 
station employees must have access to the SD to ensure that security 
measures are implemented. To protect SSI, TSA only requires that SSI be 
stored in a locked cabinet or desk drawer, or electronically as a 
password-protected file. Therefore, TSA believes that the costs of 
protecting SSI will be minimal and will only be incurred if the repair 
station receives a SD.
    Comment: SBA recommended that TSA address concerns expressed by 
small businesses regarding the appeals process if TSA determines that a 
repair station certificate must be suspended or revoked. It also 
recommended that intermediate processes such as warnings, or requests 
for information be used since small businesses may go out of business 
if closed pending appeal of a suspension.
    TSA response: Since TSA has eliminated the proposed requirement to 
adopt and carry out a security program; we do not expect that there 
will be many instances that would require suspension or revocation of a 
certificate. This expectation is based on the repair station visits TSA 
conducted that demonstrated the vast majority of repair stations 
already have reasonable and sufficient security measures in place. 
While some aspects of the appeals process are specified in the statute, 
TSA has clarified the regulatory language that provides for judicial 
review of a final agency order. TSA has also modified the language in 
the final rule to specify that repair stations have the opportunity to 
petition for reconsideration of a TSA determination that a certificate 
must be suspended or revoked. The final rule is consistent with TSA's 
current regulations regarding withdrawal of a security program. 49 CFR 
1540.301. TSA agrees that intermediate processes will be

[[Page 2132]]

used. This is consistent with TSA's current inspection protocols used 
to inspect airports and air carrier or aircraft operator operations. 
TSA anticipates that in most instances repair stations will be able to 
implement immediate measures to correct security deficiencies without 
the need for any formal enforcement mechanism. When necessary, TSA will 
use a progressive process whereby instances of non-compliance can be 
resolved with non-certificate action, including counseling, 
administrative action, and civil penalties. See 49 CFR part 1503.
    Comment: SBA recommended that TSA consider how its proposed rule 
would affect non-typical and ``hybrid'' repair station facilities. For 
example, some repair stations are tenants in large facilities in which 
the landlord is not a regulated entity, some only occupy a workbench 
within a large building, and some work on the ``air side'' of an 
airport where pilots and other visitors frequently walk up to an open 
hangar to ask questions.
    TSA response: TSA understands that there is a wide variety of 
certificated repair stations that differ in size, type of repairs, and 
number of employees. TSA has eliminated the proposed requirement to 
implement a security program and has reduced the number of repair 
stations that will be required to implement the security measures 
described in the final rule.
    TSA is aware of the existence of ``hybrid'' or mixed-use 
facilities, for example, those that combine maintenance and 
manufacturing stations. It will be the part 145 certificated repair 
station's responsibility to delineate the parts of the station that are 
subject to the final rule and those that are not. If a repair station 
determines it is not possible to make such a delineation, the entire 
repair station must be in compliance with the final rule.

S. Comments on the Regulatory Impact Assessment

    Comment: One association addressed the cost of complying with the 
proposed amendments to part 1520, which would designate repair station 
security programs as SSI and would include repair station owners and 
operators as entities subject to SSI requirements. The association said 
that it was not possible to estimate and comment on the cost of 
controlling SSI, because TSA had failed to indicate what it would 
consider an adequate and secure information management system.
    TSA response: TSA has eliminated the requirement to carry out a 
security program and the proposed amendment to part 1520 to treat the 
security program as SSI. However, part 1520 requires that SDs be 
treated as SSI. If a repair station receives a SD, a system for 
securely managing and controlling SSI could be storing that information 
or material in a secure container (e.g., locked desk or filing cabinet) 
that prevents the unauthorized disclosure of this information or 
material. SSI materials may also be stored electronically as password-
protected files. Considering these options are compliant with part 
1520, TSA does not believe that there will be any additional cost 
burden on repair stations to control access to SDs.
    Comment: Several commenters questioned the attack scenarios found 
in the economic analysis and stated that the probability of these 
attack scenarios actually occurring is remote. One stated that the 
basic premise of the scenarios is off because the break even analysis 
assumes that the majority of repair stations have access to airports 
and aircraft.
    TSA Response: TSA has analyzed the security risks of the repair 
station population and has revised the implementation plan to only 
require repair stations located on or adjacent to an airport, as 
defined in the final rule, to adopt and implement security measures.
    Comments: Seventeen commenters stated that TSA had significantly 
underestimated the cost of compliance. Two commenters stated that the 
costs estimated are too low and that TSA should redo the cost analysis 
and the Initial Regulatory Flexibility Analysis (IRFA). Commenters 
provided lists of items that they claim TSA failed to address 
adequately, including the costs of creating and implementing a security 
program, facility access control measures, personnel identification 
media systems, security coordinators, and security awareness training.
    One repair station owner/operator said that the estimate that an 
off-airport repair station would require only four hours to complete 
and implement a security program seemed extraordinarily low, as did 
other estimates of average compliance costs in the NPRM. Another 
operator stated that rule familiarization had taken 10 hours. It 
estimated that writing a program would cost $12,000 and the actual 
implementation cost could exceed $80,000.
    An industry association and a repair station owner/operator said 
that the analysis failed to consider the cost of fencing, guards, 
cameras, badges, and access control systems, which they said that small 
repair stations and general aviation airports may not already have. The 
industry association said that the cost to establish access control 
would not be feasible for a small repair station at a general aviation 
airport. One commenter said that it had priced three ``off-the-shelf'' 
non-biometric photo ID badge systems at an average cost of $2,346; 
similarly, the commenter said it priced a 750-foot perimeter fence with 
access gates at $14,905. The commenter noted that the sum of these two 
estimates far exceeds TSA's estimate of total compliance costs of 
$4,216 for a business with 45 employees. Various commenters estimated 
the cost of background checks and a badge system as $4,600 to $6,000, 
and a security system as $17,250.
    An industry association stated that the rule would require repair 
stations to add at least one full time position, which would create a 
financial burden for small repair stations and make it harder for them 
to remain competitive. Another association stated that TSA was asking 
repair stations to prove their approach was sufficient; while stations 
with professional security staff could do this, it was unreasonable to 
expect small GA repair stations to do this. A third commenter estimated 
salary for security staff as $70,350.
    One industry association also stated that TSA had underestimated 
training costs and should double them. Another commenter estimated 
training costs at up to $2,000 per employee.
    One industry association stated that the analysis failed to 
consider that small entities do not physically separate work areas, 
which the NPRM would require. The contingency plan requirement for 
identifying unauthorized persons is not defined. It noted that small 
stations do not routinely escort visitors and do not have staff who can 
be assigned to do this without losing productive work. The escort 
requirement will disproportionately affect small stations.
    An operator stated that TSA had based its analysis on small repair 
stations, which calls into question whether the agency has met the 
requirements of E.O. 12866, the Regulatory Flexibility Act (RFA), and 
the Trade Agreement Act.
    TSA response: In order to address the concerns of the commenters 
and better estimate the costs of compliance associated with the 
security measures described in the final rule, TSA has revised its cost 
estimates. TSA has eliminated the requirement to adopt and implement a 
security program. Specifically, TSA has eliminated all security 
measures regarding preventing access to repair stations and will only 
require certain repair stations to prevent the unauthorized operation 
of large

[[Page 2133]]

aircraft that are unattended. This change will reduce the regulatory 
requirement and the costs of implementation. While TSA has retained the 
requirement to verify employee background information, it has reduced 
the application of that requirement only to those individuals who are 
designated as the TSA point of contact and those who have access to the 
keys or other means used to prevent the unauthorized operation of large 
aircraft. TSA has clarified that it will accept the background check 
obtained by individuals who have obtained a FAA airman certificate or a 
SIDA badge. All proposed regulations regarding the content, format and 
availability of a security program have been eliminated in the final 
rule. The cost estimates for both the NPRM and the final rule are 
listed in Chapter 4 of the regulatory impact analysis accompanying this 
final rule. That chapter also describes the reasons for the differences 
in the cost estimates.
    In conjunction with the NPRM, TSA published a regulatory impact 
analysis that addressed the requirements of EO 12866, the RFA, the 
Unfunded Mandates Reform Act, and the Trade Agreement Act. The cost 
estimates in that regulatory impact analysis were not based on small 
repair stations. However, the IRFA considered the cost impact of the 
proposed regulations on repair stations classified under SBA standards 
as ``small'' businesses. In the final rule, TSA has updated these 
analyses, considering all costs incurred by TSA and any repair stations 
notified to adopt security measures under the final rule.
    Comments: Forty-eight commenters argued that complying with the 
proposed requirements in part 1554 would be too costly, and some said 
that the compliance costs would force repair stations out of business. 
Six commenters stated that taxpayers and the flying public would also 
feel the financial burden. Twelve commenters said that the proposed 
rule would likely result in small GA repair stations either closing 
their businesses or surrendering their repair station certificates in 
favor of becoming maintenance repair shops that would not be required 
to comply with the proposed rule. Fifty commenters said that small 
aircraft repair stations in particular would suffer significant 
economic and staffing losses because of the proposed rule. Many of 
these commenters said that because small repair stations each employ a 
small number of people, the compliance cost per employee would be 
significant.
    TSA response: With respect to the comments about station closings, 
TSA recognizes that some aircraft repair stations will incur costs 
associated with the implementation of security measures, but TSA has 
reduced the requirements of this final rule and therefore, the costs of 
implementation. TSA has eliminated the requirement of all security 
measures regarding preventing access to repair stations and will only 
require repair stations to prevent the unauthorized operation of large 
aircraft. All proposed regulations regarding the content, format and 
availability of a security program have been eliminated in the final 
rule. Additionally, the requirement to adopt security measures was 
revised to include only repair stations located on or adjacent to an 
airport, as defined in the final rule.
    TSA has prepared a Final Regulatory Flexibility Analysis (FRFA) as 
part of the economic analysis of the final rule. This analysis can be 
found in the regulatory impact analysis, and presents the estimated 
compliance costs small businesses would incur as a percentage of annual 
revenues.
    TSA has kept the costs of implementation of this rule on small 
businesses to a minimum by eliminating the security program requirement 
for all repair stations. Further, the security measures in this final 
rule allow flexibility in implementation.

III. Rulemaking Analyses and Notices

A. International Compatibility

    In keeping with U.S. obligations under the Convention on 
International Civil Aviation, it is TSA policy to comply with 
International Civil Aviation Organization (ICAO) Standards and 
Recommended Practices where possible. TSA has determined that these 
regulations are consistent with ICAO Standards and Recommended 
Practices for security of airports and facilities contained in Annex 17 
of the Convention, the ICAO Security Manual and the ICAO Security Audit 
Reference Manual.

B. Economic Impact Analyses

1. Regulatory Impact Analysis Summary
    Changes to Federal regulations must undergo several economic 
analyses. First, E.O. 12866, Regulatory Planning and Review (58 FR 
51735, October 4, 1993), as supplemented by E.O. 13563, Improving 
Regulation and Regulatory Review (76 FR 3821, January 21, 2011), 
directs each Federal agency to propose or adopt a regulation only if 
the agency makes a reasoned determination that the benefits of the 
intended regulation justify its costs. Second, the Regulatory 
Flexibility Act (5 U.S.C. 601 et seq.), as amended by the Small 
Business Regulatory Enforcement Fairness Act (SBREFA) of 1996, requires 
agencies to consider the economic impact of regulatory changes on small 
entities when an agency is required to issue a NPRM. Third, the Trade 
Agreements Act (19 U.S.C. 2531-2533) prohibits agencies from setting 
standards that create unnecessary obstacles to the foreign commerce of 
the United States. In developing U.S. standards, the Trade Act requires 
agencies to consider international standards, where appropriate, as the 
basis of U.S. standards. Fourth, the Unfunded Mandates Reform Act of 
1995 (2 U.S.C. 1531-1538) requires agencies to prepare a written 
assessment of the costs, benefits, and other effects of proposed or 
final rules that include a Federal mandate likely to result in the 
expenditure by State, local, or tribal governments, in the aggregate, 
or by the private sector, of $100 million or more annually (adjusted 
for inflation).
    In conducting the following four analyses, TSA has determined:
    1. This final rule is a ``significant regulatory action,'' although 
not an economically significant regulatory action, under section 
3(f)(1) of E.O. 12866. Accordingly, the Office of Management and Budget 
has reviewed this regulation.
    2. This final rule imposes no significant barriers to international 
trade.
    3. This final rule does not impose an unfunded mandate on State, 
local, or tribal governments, or on the private sector in excess of 
$100 million (adjusted for inflation) in any one year.
    These analyses, as well as the Final Regulatory Flexibility 
Analysis, are summarized below and are detailed in the regulatory 
impact analysis accompanying the final rule.
2. Executive Orders 12866 and 13563 Assessments
    Executive Orders 12866 and 13563 direct agencies to assess the 
costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). Executive 
Order 13563 emphasizes the importance of quantifying both costs and 
benefits, of reducing costs, of harmonizing rules, and of promoting 
flexibility.
Costs
    TSA issued an NPRM on November 18, 2009 (74 FR 68774). This final 
rule makes the following major changes to

[[Page 2134]]

the NPRM. The first major change is the elimination of the requirement 
for a repair station to submit a security profile to TSA. TSA will 
obtain data from the FAA and conduct field visits to acquire other data 
and information. TSA has also eliminated the requirement to adopt and 
implement a security program and all security measures preventing 
access to repair stations. While TSA has retained the requirement to 
verify employee background information, it has reduced the application 
of that requirement to those individuals who are designated as the TSA 
point of contact and those who have access to the keys or other means 
used to prevent the unauthorized operation of large aircraft capable of 
flight that are left unattended. TSA has clarified that it will accept 
employment history checks or background checks conducted on individuals 
who have obtained a FAA airman certificate or a SIDA badge.
    TSA assessed the risk profile of the repair station population and 
determined that not all repair stations present sufficient risk to 
warrant security program requirements. Therefore, TSA is only requiring 
those repair stations located on or adjacent to certain airports, as 
defined in this final rule, to adopt security measures. As noted above, 
TSA will consider a repair station to be ``on airport'' if it is on an 
AOA or SIDA of an airport covered by an airport security program under 
49 CFR part 1542 in the United States, or on the security restricted 
area of any commensurate airport outside the United States regulated by 
a government entity. TSA will consider a repair station to be adjacent 
to an airport if there is an access point between the repair station 
and the airport of sufficient size to allow the movement of large 
aircraft between the repair station and the area described as ``on 
airport.'' Under the NPRM, approximately 4,800 repair stations 
certificated under part 145 would have been affected by the 
rulemaking's affirmative requirements, while under this final rule, 
that number has been reduced to an estimated 678 repair stations.
    In response to public comments and changes in final rule 
implementation, TSA has adjusted the estimated costs for the final 
rule. The regulatory impact analysis accompanying this final rule 
summarizes the revised cost estimates of the regulation.
Total
    In summary, over the 10-year period of the analysis, TSA estimates 
the aggregate costs of the Aircraft Repair Station Security Final Rule 
to total approximately $23.22 million, undiscounted. This total is 
distributed among repair stations located within the United States, 
which would incur total costs of $8.7 million; repair stations located 
outside the United States, which would incur costs of $14.18 million; 
and TSA, which would incur costs of $0.34 million. Chapter 2 of the 
regulatory impact analysis, available in the public docket, provides 
detailed estimates of these costs. The following table presents the 
annual costs of the rule over the 10-year period of analysis, broken 
out into costs incurred by TSA, repair stations located within the 
United States, and repair stations located outside the United States, 
respectively.

                                         Table 1--Total Cost of the Aircraft Repair Station Security Final Rule
                                                                      [$ millions]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                Repair stations    Repair stations
                    Year                         TSA Costs     within the United     outside the          Total         Discounted, 3     Discounted, 7
                                                                     States         United States    (undiscounted)        percent           percent
--------------------------------------------------------------------------------------------------------------------------------------------------------
1..........................................             $0.06              $0.9              $1.37             $2.34             $2.27             $2.19
2..........................................              0.03               0.9               1.31              2.24              2.11              1.96
3..........................................              0.02               0.9               1.34              2.25              2.06              1.83
4..........................................              0.04               0.9               1.37              2.29              2.03              1.75
5..........................................              0.04               0.9               1.40              2.31              1.99              1.65
6..........................................              0.02               0.9               1.42              2.30              1.93              1.53
7..........................................              0.04               0.9               1.46              2.36              1.92              1.47
8..........................................              0.03               0.9               1.48              2.36              1.86              1.37
9..........................................              0.02               0.8               1.51              2.37              1.81              1.29
10.........................................              0.04               0.8               1.54              2.41              1.79              1.22
                                            ------------------------------------------------------------------------------------------------------------
    Total..................................              0.34               8.70             14.18             23.22             19.78             16.26
--------------------------------------------------------------------------------------------------------------------------------------------------------

Changes in Cost Estimates From Notice of Proposed Rulemaking
    The cost estimates for this final rule differ from those reported 
in the NPRM due to the elimination of security program, facility access 
control and other requirements as described above. TSA also uses more 
recently available data from its outreach efforts and from FAA 
databases to update population projections and program costs. The 
following tables present the cost estimates of the final rule compared 
to those presented in the NPRM.

                            Table 2--Changes in Costs From the NPRM to the Final Rule
----------------------------------------------------------------------------------------------------------------
                                                                    10-Year total rule costs ($ millions)
                         Estimate                          -----------------------------------------------------
                                                                  NPRM           Final rule        Difference
----------------------------------------------------------------------------------------------------------------
Total (undiscounted)......................................            $344.4            $23.22         ($321.18)
3% Discount...............................................            $293.3            $19.78         ($273.52)
7% Discount...............................................            $241.0            $16.26         ($224.74)
----------------------------------------------------------------------------------------------------------------


[[Page 2135]]


             Table 3--Changes in Costs Incurred by Repair Stations Located Within the United States
----------------------------------------------------------------------------------------------------------------
                                                 10-Year total costs ($ millions)
              Cost segment               ------------------------------------------------   Major cost driving
                                               NPRM         Final rule      Difference            changes
----------------------------------------------------------------------------------------------------------------
Security Programs.......................            $1.6              $0          ($1.6)  All proposed
                                                                                           regulations regarding
                                                                                           the content, format
                                                                                           and availability of a
                                                                                           security program have
                                                                                           been eliminated in
                                                                                           the final rule.
Point of Contact........................           113.2             5.8         (107.4)  TSA is requiring only
                                                                                           a point of contact on
                                                                                           a 24-hour a day
                                                                                           basis.
ID Media System.........................             0.5               0           (0.5)  TSA eliminated ID
                                                                                           Media System
                                                                                           requirements.
Aircraft Access Control.................             0.0             2.7             2.7  This is a new cost in
                                                                                           the final rule for on-
                                                                                           airport and adjacent
                                                                                           repair stations.
Training................................            53.2               0          (53.2)  TSA has eliminated all
                                                                                           training
                                                                                           requirements.
Inspections.............................             0.0            0.16            0.16  This is a new cost in
                                                                                           the final rule for on-
                                                                                           airport and adjacent
                                                                                           repair stations.
Revocation Appeals......................             0.0           0.004           0.004  TSA now includes a
                                                                                           cost estimate for the
                                                                                           fraction of repair
                                                                                           stations estimated to
                                                                                           require an appeal due
                                                                                           to suspension or
                                                                                           revocation. This
                                                                                           fraction is based on
                                                                                           historical data from
                                                                                           FAA.
                                         ------------------------------------------------
    Total (undiscounted)................           168.5             8.7         (159.8)
                                         ------------------------------------------------
    3% Discounted Total.................           143.9             7.4         (136.5)
                                         ------------------------------------------------
    7% Discounted Total.................           118.6             6.1         (112.5)
----------------------------------------------------------------------------------------------------------------


             Table 4--Changes in Costs Incurred by Repair Stations Located Outside the United States
----------------------------------------------------------------------------------------------------------------
                                               10-Year total costs ($ millions)
             Cost segment              ------------------------------------------------    Major cost driving
                                             NPRM         Final rule      Difference             changes
----------------------------------------------------------------------------------------------------------------
Security Programs.....................            $0.7              $0          ($0.7)  All proposed regulations
                                                                                         regarding the content,
                                                                                         format and availability
                                                                                         of a security program
                                                                                         have been eliminated in
                                                                                         the final rule.
Point of Contact......................            18.5             3.8          (14.7)  TSA is requiring only a
                                                                                         point of contact on a
                                                                                         24-hour a day basis.
Personnel ID System...................             0.1               0           (0.1)  TSA eliminated Personnel
                                                                                         ID System requirements.
Aircraft Access Control...............             0.0            10.2            10.2  This is a new cost in
                                                                                         the final rule for on-
                                                                                         airport repair
                                                                                         stations.
Training..............................            78.4               0          (78.4)  TSA has eliminated all
                                                                                         training requirements.
Inspection............................             0.0            0.10            0.10  This is a new cost in
                                                                                         the final rule for on-
                                                                                         airport repair
                                                                                         stations.
Revocation Appeals....................             0.0            0.05            0.05  TSA now includes a cost
                                                                                         estimate for the
                                                                                         fraction of repair
                                                                                         stations estimated to
                                                                                         require an appeal due
                                                                                         to suspension or
                                                                                         revocation. This
                                                                                         fraction is based on
                                                                                         historical data from
                                                                                         FAA.
Employment History Checks.............             0.0             .08             .08  This is a new cost in
                                                                                         the final rule for on-
                                                                                         airport repair
                                                                                         stations.
                                       ------------------------------------------------
    Total (undiscounted)..............            97.7            14.2          (83.5)
                                       ------------------------------------------------
    3% Discounted Total...............            83.4            12.0          (71.4)
                                       ------------------------------------------------
    7% Discounted Total...............            68.7             9.9          (58.8)
----------------------------------------------------------------------------------------------------------------


[[Page 2136]]


                                          Table 5--Changes to TSA Costs
----------------------------------------------------------------------------------------------------------------
                                                 10-Year total costs ($ millions)
                Estimate                 ------------------------------------------------   Major cost driving
                                               NPRM         Final rule      Difference            changes
----------------------------------------------------------------------------------------------------------------
Total (undiscounted)....................           $78.2            $0.3         ($77.9)  TSA has reduced the
                                                                                           requirements of this
                                                                                           final rule resulting
                                                                                           in a reduction of
                                                                                           inspection time and
                                                                                           resources.
                                         ------------------------------------------------
    3% Discounted Total.................            66.1             0.3          (65.8)
                                         ------------------------------------------------
    7% Discounted Total.................            53.7             0.2          (53.5)
----------------------------------------------------------------------------------------------------------------

Benefits
    TSA is issuing regulations to provide for the security of 
maintenance, preventive maintenance, or alterations on aircraft or 
articles of aircraft performed at repair stations located both within 
and outside the United States, of the aircraft and articles located at 
these repair stations, and of the repair station facilities as required 
by Vision 100. As terrorist organizations continue to target civil 
aviation, Congress has indicated the importance of aircraft repair 
station security. TSA opted to require only those repair stations 
located on or adjacent to certain airports, as defined in this final 
rule, to adopt security measures. These facilities represent potential 
risks due to both their location on or adjacent to an airport and 
airport runways and their ability to perform maintenance on and have 
access to aircraft with a MTOW of more than 12,500 lbs. Therefore, the 
opportunity exists for a terrorist to commandeer an operational 
aircraft and use it as a weapon against a populated target.
    TSA uses a break-even analysis to frame the relationship between 
the potential benefits of the rulemaking and the costs of implementing 
the rule. When it is not possible to quantify or monetize the important 
incremental benefits of a regulation, OMB recommends conducting a 
threshold, or ``break-even'' analysis. According to OMB Circular No. A-
4, ``Regulatory Analysis,'' such an analysis answers the question, 
``How small could the value of the non-quantified benefits be (or how 
large would the value of the non-quantified costs need to be) before 
the rule would yield zero net benefits?'' \5\ Consequently, to better 
inform the comparison of the costs of implementing the rule with the 
benefits to homeland security of the Aircraft Repair Station Security 
final rule, TSA performed a break-even analysis. In the break-even 
analysis, TSA compared the annualized cost of the rule's requirements 
to the expected benefits of preventing a potential terrorist attack.
---------------------------------------------------------------------------

    \5\ Http://www.whitehouse.gov/sites/default/files/omb/assets/regulatory_matters_pdf/a-4.pdf.
---------------------------------------------------------------------------

    The type of terrorist attack addressed by this final rule is an 
aircraft as weapon scenario against a populated target such as an 
office building. This attack would result from the infiltration of an 
on-airport repair station and subsequent commandeering of an aircraft. 
To assess the potential impact of an attack originating at a repair 
station, TSA considers a representative attack scenario and estimates 
the monetary value of the losses associated with this scenario. This 
attack scenario is taken from the second iteration of TSA's 
Transportation Sector Security Risk Assessment (TSSRA 2.0). TSSRA 2.0 
is a SSI report that was produced in response to DHS Appropriations 
legislation (Pub. L. 110-396/Division D and Pub. L. 111-83), which 
requires DHS through TSA to conduct a comprehensive risk assessment.
    In order to compare the losses in the scenario with the cost of the 
final rule, TSA assigns a statistical monetary value to potential 
passenger, crew casualties and bystander, and also takes into account 
property damage associated with the aircraft and infrastructure 
involved in the attack scenario. TSA uses a Customs and Border 
Protection (CBP) Value of a Statistical Life (VSL) estimate of $6.3 
million \6\ to represent the amount an individual is willing to pay to 
achieve a small reduction in mortality risk. In order to estimate the 
value of injuries, TSA used the Department of Transportation (DOT) 
published guidance \7\ for values of moderate injuries at 4.7 percent 
of VSL and severe injuries at 26.6 percent of VSL. Consequently, for a 
severe injury, TSA estimates a value of $1,675,800 ($6,300,000 VSL x 
0.266) and for a moderate injury, TSA estimates a value of $296,100 
($6,300,000 VSL x 0.047).
---------------------------------------------------------------------------

    \6\ U.S. Customs and Border Protection, Report, ``Valuing 
Mortality Risk Reductions in Homeland Security Regulatory 
Analyses.'' Final Report, CBP, June 2008.
    \7\ U.S. Department of Transportation memorandum, ``Revised 
Departmental Guidance: Treatment of the Value of Preventing 
Fatalities and Injuries in Preparing Economic Analyses--2011 
Revision,'' July 29, 2011. Http://ostpxweb.dot.gov/policy/reports/vsl_guidance_072911.pdf.
---------------------------------------------------------------------------

    The following paragraphs describe a scenario for which TSA believes 
this final rule will help reduce the likelihood of occurrence and their 
corresponding estimated monetary consequences. This analysis does not 
consider the indirect, macroeconomic consequences these terrorist 
attacks could cause. Consequently, the economic impacts of this 
terrorist attack estimated for this break-even analysis is a lower-
bound estimate.
    This attack scenario describes the impact of a situation where a 
commercial aircraft is stolen from a repair station (with no passengers 
on board) and used as a missile to attack an office building. The 
scenario results in loss of life, severe and moderate injuries, 
destruction of the aircraft, and damage to the building. Again, TSSRA 
2.0 uses the average building size and capacity of a number of office 
buildings to estimate an average building size of 49 stories with an 
average of 176 people per story. TSSRA 2.0 estimates 2,992 fatalities 
for this scenario. TSSRA 2.0 assumes the attacker(s) will hit the 
office building approximately a third of the way down the building and 
due to the size of the aircraft, it is assumed that anyone above the 
impact site will die due to the inability to escape the building (17 
stories x 176 people). Using the CBP VSL of $6.3 million, the monetary 
estimate associated with the loss of life is $18,849.6 million (2,992 x 
$6.3 million).
    TSSRA 2.0 also estimates 880 severe injuries, which is equal to the 
number of occupants of 5-stories of the representative office building. 
TSSRA 2.0 assumes that several floors directly below the impact site 
would be affected by the force of the impact and the resultant fires. 
In addition, people exiting the building from these floors would be 
more likely to have injuries requiring hospital treatment. Again using 
the DOT guidance on the valuation of injuries, the monetary estimate 
associated with severe injuries is $1,474.7 million (880 severe 
injuries

[[Page 2137]]

x $1,675,800). TSSRA 2.0 estimates 2,376 moderate injuries, which is 
equal to one-half of the remaining population of the representative 
office building (0.5 x (8,624 - 2,992 - 880). TSSRA 2.0 assumes that at 
least half of the remaining occupants not killed or severely injured 
would be moderately injured due to smoke, falling debris, or the action 
of evacuating the building. The monetary estimate associated with the 
moderate injuries is $703.5 million (2,376 moderate injuries x 
$296,100).
    TSSRA 2.0 assumes this type of attack requires replacement of the 
entire building. TSSRA 2.0 estimates the cost of replacement using an 
average construction cost of $846.8 million for recently built large 
buildings in the United States.
    To estimate the value of the lost aircraft, TSA uses $22.6 million, 
which is the 2009 weighted average market value of all two-engine 
narrow-body and two-engine wide-body air carrier aircraft.\8\
---------------------------------------------------------------------------

    \8\ Federal Aviation Administration, 2007, ``Economic Values for 
FAA Investment and Regulatory Decisions, a Guide.'' Prepared by GRA, 
Inc. December 31, 2004 (updated). Table 5-2. TSA calculates a 
weighted average value for aircraft in rows 1 and 2. TSA converted 
this weighted average aircraft value from a 2003 estimate to the 
2009 equivalent weighted average value of $22.6 million using the 
FAA recommended method described in the document in Section 9.6 
(page 9-9), which relies on the BLS producer price index series for 
civil aircraft available in the producer price index values (2003-
2009 annual values), a factor of 1.31, for commodities at http://stats.bls.gov/ppi/home.htm.
---------------------------------------------------------------------------

    The total monetary valuation of the losses of life, aircraft and 
buildings, and injuries represented in this scenario is $21,897.2 
million ($18,849.6 million for fatalities + $1,474.7 million for severe 
injuries + $703.5 million for moderate injuries + $22.6 million for 
loss of aircraft + $846.8 million for replacement of the building).
    In this analysis, the comparison is made between the estimated 
monetary consequence of this scenario and the annualized cost of the 
Aircraft Repair Station Security final rule, discounted at seven 
percent ($2.3 million).\9\ The ``required risk reduction in attack 
frequency'' to break even is estimated by dividing the total 
consequences of a specific attack scenario by the annualized cost of 
the regulation, discounted at seven percent. In order to break even, 
the rule will need to reduce the existing or baseline frequency of 
terrorist attack by one attack every 9,460 years for attacks of a 
similar magnitude. These results are presented in table form in both 
the Executive Summary and Chapter 5 of the regulatory impact analysis.
---------------------------------------------------------------------------

    \9\ See the OMB No. A-4, ``Regulatory Analysis,'' Accounting 
Statement in the Executive Summary in the regulatory impact 
analysis. This amount is the annual payment that, if invested each 
year at a 7 percent interest rate, would accrue to the cost of the 
rule after a 10-year period.
---------------------------------------------------------------------------

Alternatives
    As alternatives to the preferred regulatory regime presented in the 
final rule, TSA examined four other options. For most regulatory 
alternatives, TSA considered categorizing repair stations into three 
risk tiers based on a station's location with respect to an airport and 
the size of aircraft on which a repair station performs work. Tier 1, 
in general, would include all repair stations located on or adjacent to 
a part 1542 regulated airport (or commensurate foreign airport) and 
those repair stations located on or adjacent to a GA airport (or 
commensurate foreign airport) that conduct maintenance, preventive 
maintenance, or alterations on aircraft or articles for aircraft with a 
MTOW of more than 12,500 pounds. In Alternative 1 TSA would notify only 
Tier 1 repair stations to adopt and implement a security program.
    Tier 2, in general, would include repair stations located off-
airport that conducts maintenance, preventive maintenance, or 
alterations on articles for aircraft with a MTOW of more than 12,500 
pounds. Tier 3, in general, would include all remaining repair 
stations. Under Alternative 2, TSA would notify both Tier 1 and Tier 2 
repair stations to adopt and implement a security program, since these 
repair stations work on aircraft or articles for aircraft with a MTOW 
of more than 12,500 lbs. Tier 2 repair stations would incur most of the 
requirements in the security program with which Tier 1 repair stations 
must comply; however, Tier 2 would not be required to comply with 
certain of the security program requirements.
    The third and fourth alternatives require Security Threat 
Assessments (STAs) for different subsets of repair station employees. 
Alternative 2A includes an STA requirement for employees of on-airport 
repair stations located within the United States in addition to the 
other security requirements and associated costs of the final rule. 
Alternative 2B includes STAs for employees of both Tier 1 and Tier 2 
repair stations located within the United States as defined in 
Alternative 2, in addition to the security requirements and associated 
costs of Alternative 2. TSA would not require STAs for employees of 
repair stations located outside the United States. This decision was 
based upon a consideration of privacy laws in foreign countries and 
TSA's determination that ICAO standards already address employee 
background checks.
    TSA rejects Alternative 1 and opted to remove any security program 
requirements for all repair stations and only require repair stations 
on or adjacent to an airport that have access to runways and 
operational aircraft to implement security measures.
    TSA rejects the regulatory regimes in Alternatives 2 and 
Alternative 2B because repair stations in Tier 2 in these alternatives 
do not have access to operational aircraft and runways. TSA is unable 
to identify credible attack scenarios that could originate at off-
airport repair stations.
    Alternative 2A, while offering a regulatory framework that covers 
on-airport repair stations with access to runways and operational 
aircraft, was rejected by TSA in favor of the final rule because TSA 
does not believe that the STA requirement provides enough risk 
reduction to justify the additional costs. Since TSA is unable to 
perform STAs on employees at repair stations located outside the United 
States, all the risk reduction yielded by this requirement would be in 
domestic aviation. Therefore, Alternative 2A provides lower marginal 
risk reduction per dollar of cost than the final rule. Further, the 
additional costs of the STA requirement would put an undue burden on 
repair stations located in the United States and disadvantage them 
against foreign competitors. For these reasons, TSA decided to withhold 
the STA requirement from the final rule. While TSA has retained the 
requirement to verify employee background information in this final 
rule, it has reduced the application of that requirement to those 
individuals who are designated as the TSA point of contact and those 
who have access to the keys or other means used to prevent the 
unauthorized operation of large aircraft capable of flight that are 
left unattended. TSA has clarified that it will accept employment 
history checks or background checks conducted on individuals who have 
obtained a FAA airman certificate or a SIDA badge. The following table 
presents the 10-year costs of the alternatives compared to the costs of 
the final rule. The alternatives costs are discussed in detail in 
Chapter 3 of the regulatory impact analysis accompanying the final 
rule.

[[Page 2138]]



                      Table 6--Comparison of Alternatives to the Proposed Final Rule Costs
                                                  [$ millions]
----------------------------------------------------------------------------------------------------------------
                                                                                Discounted, 3     Discounted, 7
            10-Year total costs by alternative                Undiscounted         percent           percent
----------------------------------------------------------------------------------------------------------------
Final Rule (preferred)....................................             $23.2             $19.8             $16.3
Alternative 1 (Tier 1 only)...............................             240.6             207.1             172.6
Alternative 2 (Tier 1 and Tier 2).........................             350.6             301.6             251.3
Alternative 2A (STAs--on-airport only)....................             261.5             225.3             188.1
Alternative 2B (STAs--Tier 1 and Tier 2)..................             381.0             328.2             273.9
----------------------------------------------------------------------------------------------------------------

3. Regulatory Flexibility Act Assessment
    The Regulatory Flexibility Act (RFA) of 1980 establishes ``as a 
principle of regulatory issuance that agencies shall endeavor, 
consistent with the objective of the rule and of applicable statutes, 
to fit regulatory and informational requirements to the scale of the 
business, organizations, and governmental jurisdictions subject to 
regulation.'' To achieve that principle, the RFA requires agencies to 
solicit and consider flexible regulatory proposals and to explain the 
rationale for their actions.
    Sections 603(a) and 604(a) of the Regulatory Flexibility Act 
require that, when an agency issues an interim final rule or 
promulgates a final rule ``after being required to publish a general 
notice of proposed rulemaking,'' the agency must consider the economic 
impact of the rule on small entities. The term ``small entities'' 
comprises small businesses, not-for-profit organizations that are 
independently owned and operated and are not dominant in their fields, 
and governmental jurisdictions with populations of less than 50,000.
    A Final Regulatory Flexibility Analysis discussing the impact of 
this final rule on small entities is available in the docket.
    Based on available data, we estimate that about 44 percent of 
entities directly regulated by the final rule requirements are small 
under the Regulatory Flexibility Act and the SBA size standards 
(compared to the 96 percent of entities affected by the NPRM 
provisions). This is due to the changes in the applicability and 
security requirements (detailed explanation of applicability changes on 
section I. Background, of this final rule). In this final rule TSA 
allows flexibility in which security measures repair stations may 
select in order to prevent commandeering of an aircraft. In addition, 
this flexibility allows repair stations to choose cost-effective 
security measures thus mitigating concerns regarding cost burdens for 
small repair stations. As long as the security requirements are met, 
the repair station may implement the measures that best suit its 
business model and physical layout.
    TSA estimates that approximately 85 percent of small repair 
stations will incur compliance costs that represent less than represent 
1 percent of annual revenues and approximately 97 percent of small 
repair stations will incur compliance costs that represent less than 2 
percent of annual revenues.
4. International Trade Impact Assessment
    The Trade Agreement Act of 1979 prohibits Federal agencies from 
establishing any standards or engaging in any related activities that 
create unnecessary obstacles to the foreign commerce of the United 
States. Legitimate domestic objectives, such as security, are not 
considered unnecessary obstacles. The statute also requires 
consideration of international standards and, where appropriate, that 
they be the basis for U.S. standards. This final rule does not 
implicate Executive Order 13609 because neither the economic impact of 
the final rule nor that imposed on repair stations located outside the 
United States is ``significant'' as defined in EO 12866. Further, TSA 
is imposing the same security requirements on repair stations located 
outside the United States as it is imposing on those located within the 
United States and is subjecting those repair stations located outside 
the United States to the same standard inspection practices as are 
already in place for other foreign entities regulated by TSA.
    TSA considered the economic role of repair stations located outside 
the United States, as well as U.S. obligations under numerous treaties. 
Although some public comments suggested that TSA should focus only on 
repair stations located outside the United States, treaty obligations 
and the statutory language made it clear that the regulations could not 
target only those repair stations. The final rule simply requires 
entities located outside the United States to comply with the same 
regulatory requirements applied to repair stations located within the 
United States and does not create non-tariff barriers to international 
trade. Because the requirements for repair stations located outside the 
United States will be the same as those imposed on repair stations 
located within the United States, TSA does not anticipate trade 
retaliation or unnecessary obstacles to foreign trade. Any differences 
that may occur can be attributed to the legitimate domestic objective 
of security, which under the Trade Agreement Act of 1979 is not 
considered an unnecessary obstacle.
5. Unfunded Mandates Assessment
    The Unfunded Mandates Reform Act of 1995 (UMRA), Public Law 104-4, 
is intended, among other things, to curb the practice of imposing 
unfunded Federal mandates on State, local, and tribal governments. 
Title II of the UMRA establishes requirements for Federal Agencies to 
assess the effects of their regulatory actions on State, local, and 
tribal governments and the private sector. Under section 202 of the 
UMRA, TSA generally must prepare a written statement, including a cost-
benefit analysis, for proposed and final rules with ``Federal 
mandates'' that may result in expenditures by State, local, and tribal 
governments, in the aggregate, or by the private sector, of $100 
million (adjusted for inflation) or more in any one year. TSA has 
determined that this rule does not impose a Federal mandate that may 
exceed $100 million in expenditures of State, local, or tribal 
governments in the aggregate, nor does the final rule impose a $100 
million mandate on the private sector. Therefore, the final rule does 
not contain such a mandate and the requirements of Title II do not 
apply.

C. Paperwork Reduction Act

    The Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq.) 
requires that TSA consider the impact of paperwork and other 
information collection burdens imposed on the public and, under the 
provisions of PRA section 3507(d), obtain approval from the Office of 
Management and Budget (OMB) for each collection of information it 
conducts, sponsors, or

[[Page 2139]]

requires through regulations. This rule contains the following new 
information collection requirements. Accordingly, TSA submitted a copy 
of these sections to OMB for its review. OMB approved the collection of 
this information and assigned OMB Control Number 1652-0060.
    The regulations apply to repair stations certificated by the FAA 
under 14 CFR part 145, except repair stations located on a U.S. or 
foreign government military base. All such repair stations must allow 
TSA and other authorized DHS officials to enter, conduct inspections, 
and view and copy records as needed to carry out TSA's security-related 
statutory and regulatory responsibilities. All such repair stations 
must comply with Security Directives if issued by TSA which could 
include requirements to maintain records or provide information to TSA.
    The security measures in this rule cover repair stations that are 
on or adjacent to certain airports. TSA will consider a repair station 
to be ``on airport'' if it is on an air operations area or security 
identification display area of an airport covered by an airport 
security program under 49 CFR part 1542 in the United States, or on the 
security restricted area of any commensurate airport outside the United 
States regulated by a government entity. TSA will consider a repair 
station to be adjacent to an airport if there is an access point 
between the repair station and the airport of sufficient size to allow 
the movement of large aircraft between the repair station and the area 
described as ``on airport.'' \10\ The repair stations, as described 
above, are required to designate a point of contact(s) to carry out 
specified responsibilities; and verify background information of those 
individuals who are designated as the TSA point(s) of contact and those 
who have access to any keys or other means used to prevent the 
unauthorized operation of large aircraft capable of flight that are 
left unattended.
---------------------------------------------------------------------------

    \10\ Large aircraft are defined as aircraft with a maximum 
certificated take-off weight of more than 12,500 pounds.
---------------------------------------------------------------------------

    The regulations also describe the process whereby TSA will notify 
the repair station and the FAA of a security deficiency identified by 
TSA and provide an opportunity for the repair station to obtain review 
of a determination by TSA to suspend its operating certification. The 
regulations specify that when TSA determines a repair station poses an 
immediate risk to security, TSA will notify the repair station and the 
FAA that the certificate must be revoked. The regulations also provide 
the process for the repair station to obtain review of such a 
determination.
    In order to comply with the regulations, repair stations outside of 
the United States, will be responsible for maintaining updated 
employment history records to demonstrate compliance with this final 
rule. These records must be made available to TSA upon request. Repair 
stations located within the United States will be able to use security 
threat assessments that have been obtained for other reasons to comply 
with this rule.
    TSA is required to conduct a security review and audit of the 
repair stations located outside the United States See 49 U.S.C. 
44924(a). TSA will conduct a paper audit of all 707 repair stations 
that are located outside the United States. The paper audit will 
consist of a letter describing the rule and the repair station will be 
required to respond to four questions to verify whether the repair 
station is required to implement security measures. Based upon subject 
matter expert (SME) best estimates, the paper audit is expected to take 
one hour for a repair station employee, assumed to be the point of 
contact, to complete. Seventy-eight repair stations located outside the 
United States meet the definition of on or adjacent to an airport and 
will undergo an annual desk audit in which the repair station will be 
asked to describe how it is complying with the rule. Each desk audit is 
estimated to require one hour for the repair station to read the letter 
sent by TSA and respond.
    The likely respondents to this information collection are the 
owners and/or operators of repair stations certificated by the FAA 
under 14 CFR part 145, which is estimated to number approximately 1,158 
unique respondents over the next three years (451 repair stations 
located within the United States and 707 repair stations located 
outside the United States).
    The average yearly burden for recordkeeping is estimated to be 2 
hours for repair stations located outside the United States. The 
average yearly burden for suspension and revocation appeals is 
estimated to be 10 hours for repair stations located within the United 
States and 100 hours for repair stations located outside the United 
States. The average yearly burden for paper audits is estimated to be 
236 hours for repair stations located outside the United States. The 
average yearly burden for desk audits is estimated to be 80 hours for 
repair stations located outside the United States. Therefore, the total 
average annual time burden estimate is approximately 428 hours. The 
following table shows the information collections and corresponding 
hour burdens for entities falling under the requirements of the final 
rule.

                                 Table 7--Collection and Hour Burdens for Entities Within and Outside the United States
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                            Number of responses                                 Average
                                                                             ------------------------------------------------   3-Year time     annual
                 Collection                         Time per  response                                                            burden         time
                                                                                  Year 1          Year 2          Year 3                        burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
Recordkeeping                                                                            Continuous as needed
                                            ------------------------------------------------------------------------------------------------------------
    On-Airport RS outside the United States  0.025 hours....................             227               5               5             6.0         2.0
                                            ------------------------------------------------------------------------------------------------------------
Suspension/Revocation Appeals                                                                 As needed
                                            ------------------------------------------------------------------------------------------------------------
    On-Airport RS within the United States.  10 hours.......................               1               1               1              30        10
    On-Airport RS outside the United States  12 hours.......................               8               8               9             300       100
                                            ------------------------------------------------------------------------------------------------------------
Paper Audits                                                                                   One-Time
                                            ------------------------------------------------------------------------------------------------------------
    On-Airport RS outside the United States  1 hour.........................             707               0               0             707       236
                                            ------------------------------------------------------------------------------------------------------------

[[Page 2140]]

 
Desk Audits                                                                                     Annual
                                            ------------------------------------------------------------------------------------------------------------
    On-Airport RS outside the United States  1 hour.........................              78              80              82             240        80
                                                                             ---------------------------------------------------------------------------
        Total Burden (responses)...........  ...............................  ..............  ..............  ..............           1,212       404
                                                                             ---------------------------------------------------------------------------
        Total Burden (hours)...............  ...............................  ..............  ..............  ..............           1,283       428
--------------------------------------------------------------------------------------------------------------------------------------------------------

    While comments were received on the issues discussed above in 
Section II, there were no comments received on the information 
collection burden estimates contained in the NPRM.
    As protection provided by the PRA, as amended, an agency may not 
conduct or sponsor, and a person is not required to respond to, a 
collection of information unless it displays a currently valid OMB 
control number.

D. Executive Order 13132 on Federalism

    TSA has analyzed this final rule under the principles and criteria 
of E.O. 13132 on Federalism. We determined that this action will not 
have a substantial direct effect on the States, or the relationship 
between the National Government and the States, or on the distribution 
of power and responsibilities among the various levels of government, 
and, therefore, does not have federalism implications.

E. Environmental Analysis

    TSA has reviewed this action under DHS Management Directive 5100.1, 
Environmental Planning Program (effective April 19, 2006), which guides 
TSA compliance with the National Environmental Policy Act of 1969 
(NEPA) (42 U.S.C. 4321-4347). TSA has determined that this proposal is 
covered by the following categorical exclusions (CATEX) listed in the 
DHS directive: Number A3(a) (administrative and regulatory activities 
involving the promulgation of rules and the development of policies); 
paragraph A4 (information gathering and data analysis); paragraph A7(d) 
(conducting audits, surveys, and data collection of a minimally 
intrusive nature, to include vulnerability, risk, and structural 
integrity assessments of infrastructures); paragraph B3 (proposed 
activities and operations to be conducted in existing structures that 
are compatible with ongoing functions); paragraph B11 (routine 
monitoring and surveillance activities that support homeland security, 
such as patrols, investigations, and intelligence gathering), and H1 
(approval or disapproval of security plans required under legislative 
mandates where such plans do not have a significant effect on the 
environment). In addition, TSA has determined that this proposal meets 
the three conditions required for a CATEX to apply, as described in 
paragraph 3.2, (Conditions and Extraordinary Circumstances).

F. Energy Impact Analysis

    The energy impact of the action has been assessed in accordance 
with the Energy Policy and Conservation Act (EPCA), Public Law 94-163, 
as amended (42 U.S.C. 6362). We have determined that this rulemaking is 
not a major regulatory action under the provisions of the EPCA.

List of Subjects in 49 CFR Part 1554

    Aircraft, Aviation safety, Repair stations, Reporting and 
recordkeeping requirements, Security measures.

The Amendments

    In consideration of the foregoing, the Transportation Security 
Administration amends Chapter XII of Title 49, Code of Federal 
Regulations, by adding a new part 1554 to subchapter C to read as 
follows:

PART 1554--AIRCRAFT REPAIR STATION SECURITY

Subpart A--General
Sec.
1554.1 Scope.
1554.3 TSA inspection authority.
Subpart B--Security Measures
1554.101 Security Measures.
1554.103 Security Directives.
Subpart C--Compliance and Enforcement
1554.201 Notification of security deficiencies; suspension of 
certificate and review process.
1554.203 Immediate risk to security; revocation of certificate and 
review process.
1554.205 Nondisclosure of certain information.

    Authority:  49 U.S.C. 114, 40113, 44903, 44924.

Subpart A--General


Sec.  1554.1  Scope.

    (a) This part applies to repair stations that are certificated by 
the Federal Aviation Administration (FAA) pursuant to 14 CFR part 145, 
except for a part 145 certificated repair station located on a U.S. or 
foreign government military installation.
    (b) In addition to the terms in 49 CFR 1500.3 and 1540.5, for 
purposes of this part, ``large aircraft'' means any aircraft with a 
maximum certificated takeoff weight of more than 12,500 pounds and 
``attended'' aircraft means an aircraft to which access is limited to 
authorized individuals and property.


Sec.  1554.3  TSA inspection authority.

    (a) General. Each repair station must allow TSA and other 
authorized DHS officials, at any time and in a reasonable manner, 
without advance notice, to enter, conduct any audits, assessments, or 
inspections of any property, facilities, equipment, and operations; and 
to view, inspect, and copy records as necessary to carry out TSA's 
security-related statutory or regulatory authorities, including its 
authority to--
    (1) Assess threats to transportation security;
    (2) Enforce security-related regulations, directives, and 
requirements;
    (3) Inspect, assess, and audit security facilities, equipment, and 
systems
    (4) Ensure the adequacy of security measures;
    (5) Verify the implementation of security measures;
    (6) Review security plans; and
    (7) Carry out such other duties, and exercise such other powers, 
relating to transportation security as the TSA Administrator considers 
appropriate, to the extent authorized by law.
    (b) Evidence of compliance. At the request of TSA, each repair 
station must provide evidence of compliance with this part, including 
copies of records required by this part.

[[Page 2141]]

    (1) All records required under this part must be provided in 
English upon TSA's request.
    (2) All responses and submissions provided to TSA or its designee, 
pursuant to this part, must be in English, unless otherwise requested 
by TSA.
    (c) Access to repair station. (1) TSA and DHS officials working 
with TSA may enter, and be present within any area without access media 
or identification media issued or approved by the repair station in 
order to inspect, assess, or perform any other such duties as TSA may 
direct.
    (2) Repair stations may request TSA inspectors and DHS officials 
working with TSA to present their credentials for examination, but the 
credentials may not be photocopied or otherwise reproduced.

Subpart B--Security Measures


Sec.  1554.101  Security Measures.

    (a) Applicability of this section. This section applies to part 145 
certificated repair stations located--
    (1) On airport. On an air operations area or security 
identification display area of an airport covered by an airport 
security program under 49 CFR part 1542 in the United States, or on the 
security restricted area of any commensurate airport outside the United 
States regulated by a government entity; or
    (2) Adjacent to an airport. Adjacent to an area of the airport 
described in paragraph (a)(1) of this section if there is an access 
point between the repair station and the airport of sufficient size to 
allow the movement of large aircraft between the repair station and the 
area described in paragraph (a)(1) of this section.
    (b) Security Measures. Each repair station described in paragraph 
(a) of this section must carry out the following measures:
    (1) Provide TSA with the name and means of contact on a 24-hour 
basis of a person or persons designated by the repair station with 
responsibility for--
    (i) Compliance with the regulations in this part;
    (ii) Serving as the primary point(s) of contact for security-
related activities and communications with TSA;
    (iii) Maintaining a record of all employees responsible for 
controlling keys or other means used to control access to aircraft 
described in paragraph (b)(2) of this section; and
    (iv) Maintaining all records necessary to comply with paragraph 
(b)(3) of this section.
    (2) When not attended, prevent the unauthorized operation of all 
large aircraft capable of flight, by using one or more of the means 
listed in paragraphs (b)(2)(i) through (iv) of this section. In these 
examples, a key, if used, must only be available to an individual 
authorized by the repair station who has successfully undergone a check 
as described in paragraph (b)(3) of this section.
    (i) Block the path of the aircraft such that it cannot be moved, 
and control the vehicle key if a vehicle is used to block the path.
    (ii) Park the aircraft in a locked hangar and control the key to 
the hangar.
    (iii) Move stairs away from the aircraft and shut and, if feasible, 
lock all cabin and/or cargo doors, and control the key.
    (iv) Other means approved in writing by TSA.
    (3) Verify background information of those individuals who are 
designated as the TSA point(s) of contact and those who have access to 
any keys or other means used to prevent the operation of large aircraft 
described in paragraph (b)(2) of this section by one or more of the 
following means:
    (i) Verify an employee's employment history. The repair station 
obtains the employee's employment history for the most recent five year 
period or the time period since the employee's 18th birthday, whichever 
period is shorter. The repair station verifies the employee's 
employment history for the most recent 5-year period via telephone, 
email, or in writing. If the information is verified telephonically, 
the repair station must record the date of the communication and with 
whom the information was verified. If there is a gap in employment of 
six months or longer, without a satisfactory explanation of the gap, 
employment history is not verified. The repair station must retain 
employment history verification records for at least 180 days after the 
individual's employment ends. The repair station must maintain these 
records electronically or in hardcopy, and provide them to TSA upon 
request.
    (ii) Confirm an employee holds an airman certificate issued by the 
Federal Aviation Administration.
    (iii) Confirm an employee of a repair station located within the 
United States has obtained a security threat assessment or comparable 
security threat assessment pursuant to part 1540, subpart C of this 
chapter, such as by holding a SIDA identification media issued by an 
airport operator that holds a complete program under 49 CFR part 1542.
    (iv) Confirm an employee of a repair station located outside the 
United States has successfully completed a security threat assessment 
commensurate to a security threat assessment described in part 1540, 
subpart C of this chapter.
    (v) Other means approved in writing by TSA.


Sec.  1554.103  Security Directives.

    (a) General. When TSA determines that additional security measures 
are necessary to respond to a threat assessment or to a specific threat 
against civil aviation, TSA issues a Security Directive setting forth 
mandatory measures.
    (b) Compliance. Each repair station must comply with each Security 
Directive TSA issues to the repair station within the time prescribed. 
Each repair station that receives a Security Directive must--
    (1) Acknowledge receipt of the Security Directive as directed by 
TSA;
    (2) Specify the method by which security measures have been or will 
be implemented to meet the effective date; and
    (3) Notify TSA to obtain approval of alternative measures if the 
repair station is unable to implement the measures in the Security 
Directive.
    (c) Availability. Each repair station that receives a Security 
Directive and each person who receives information from a Security 
Directive must--
    (1) Restrict the availability of the Security Directive and the 
information contained in the document to persons who have an 
operational need to know; and
    (2) Refuse to release the Security Directive or the information 
contained in the document to persons other than those who have an 
operational need to know without the prior written consent of TSA.
    (d) Comments. Each repair station that receives a Security 
Directive may comment on the Security Directive by submitting data, 
views, or arguments in writing to TSA. TSA may amend the Security 
Directive based on comments received. Submission of a comment does not 
delay the effective date of the Security Directive.

Subpart C--Compliance and Enforcement


Sec.  1554.201  Notification of security deficiencies; suspension of 
certificate and review process.

    (a) General. A repair station may be subject to suspension of its 
FAA certificate, if security deficiencies are identified and are not 
corrected.
    (b) Notice of security deficiencies. TSA provides written 
notification to a repair station and to the FAA of any security 
deficiency identified by TSA.
    (c) Response. A repair station must provide TSA with a written 
explanation

[[Page 2142]]

in English of all efforts, methods, and procedures used to correct the 
security deficiencies identified by TSA within 45 calendar days of 
receipt of the written notification described in paragraph (b) of this 
section.
    (d) Suspension of certificate. If the repair station does not 
correct security deficiencies within 90 calendar days of the repair 
station's receipt of the written notice of security deficiencies, or if 
TSA determines that the security deficiencies have not been addressed 
sufficiently to comply with this section, the TSA designated official 
will provide written notification to the repair station and to the FAA 
that the repair station's certificate must be suspended. The 
notification will include an explanation of the basis for the 
suspension. The suspension remains in effect until TSA determines that 
the security deficiencies have been corrected.
    (e) Petition for reconsideration. The repair station may petition 
TSA to reconsider its determination under paragraph (d) of this section 
by serving a petition for reconsideration no later than 20 calendar 
days after the repair station receives the notification. The repair 
station must serve the petition on the TSA designated official. 
Submission of a petition for reconsideration will not automatically 
stay the suspension. The repair station may request TSA to notify the 
FAA to stay the suspension pending review of and decision on the 
petition. The petition must be in writing, in English, signed by the 
repair station operator or owner, and include--
    (1) A statement that reconsideration is requested; and
    (2) A response to the suspension, including any information TSA 
should consider in reviewing the suspension.
    (f) Review by the TSA designated official. The TSA designated 
official will consider all relevant material and information and will 
act on the petition no later than 15 calendar days after TSA receives 
the petition. The TSA designated official will either notify the repair 
station and the FAA that the suspension be withdrawn or affirm the 
suspension. The decision of the TSA designated official constitutes a 
final agency order subject to judicial review in accordance with 49 
U.S.C. 46110.
    (g) Service of documents. Service may be accomplished by personal 
delivery, certified mail, or express courier. Documents served on a 
repair station will be served at its official place of business. 
Documents served on TSA must be served at the address contained in the 
written notice of suspension.
    (1) A certificate of service may be attached to a document tendered 
for filing. A certificate of service must consist of a statement, dated 
and signed by the person filing the document, that the document was 
personally delivered, served by certified mail on a specific date, or 
served by express courier on a specific date.
    (2) The date of service is--
    (i) The date of personal delivery;
    (ii) If served by certified mail, the mailing date shown on the 
certificate of service, the date shown on the postmark if there is no 
certificate of service, or other mailing date shown by other evidence 
if there is no certificate of service or postmark; or
    (iii) If served by express courier, the service date shown on the 
certificate of service, or by other evidence if there is no certificate 
of service.
    (h) Extension of time. TSA may grant an extension of time to the 
limits set forth in this section for good cause shown. A repair station 
must request an extension of time in writing, and TSA must receive it 
at least two days before the due date in order to be considered. TSA 
may grant itself an extension of time for good cause.


Sec.  1554.203  Immediate risk to security; revocation of certificate 
and review process.

    (a) Notice. The TSA designated official will determine whether any 
repair station poses an immediate risk to security. If such a 
determination is made, TSA will provide written notification of its 
determination to the repair station and to the FAA that the certificate 
must be revoked. The notification will include an explanation of the 
basis for the revocation. TSA does not include classified information 
or other information described in Sec.  1554.205.
    (b) Petition for reconsideration. The repair station may petition 
TSA to reconsider its determination by serving a petition for 
reconsideration no later than 20 calendar days after the repair station 
receives the notification. The repair station must serve the petition 
on the TSA designated official. Submission of a petition for 
reconsideration will not automatically stay the revocation. The repair 
station may request TSA to notify FAA to stay the revocation pending 
review of and decision on the petition. The petition must be in 
writing, in English, signed by the repair station operator or owner, 
and include--
    (1) A statement that a review is requested; and
    (2) A response to the determination of immediate risk to security, 
including any information TSA should consider in reviewing the basis 
for the determination.
    (c) Review by the Administrator. The TSA designated official 
transmits the petition together with all relevant information to the 
Administrator for reconsideration. The Administrator will act on the 
petition within 15 calendar days of receipt by either directing the TSA 
designated official to notify FAA and the repair station that the 
determination is rescinded and the certificate may be reinstated or by 
affirming the determination. The decision by the Administrator 
constitutes a final agency order subject to judicial review in 
accordance with 49 U.S.C. 46110.
    (d) Service of documents. Service may be accomplished by personal 
delivery, certified mail, or express courier. Documents served on a 
repair station will be served at its official place of business. 
Documents served on TSA must be served at the address contained in the 
written notice of revocation.
    (1) A certificate of service may be attached to a document tendered 
for filing. A certificate of service must consist of a statement, dated 
and signed by the person filing the document, that the document was 
personally delivered, served by certified mail on a specific date, or 
served by express courier on a specific date.
    (2) The date of service is--
    (i) The date of personal delivery;
    (ii) If served by certified mail, the mailing date shown on the 
certificate of service, the date shown on the postmark if there is no 
certificate of service, or other mailing date shown by other evidence 
if there is no certificate of service or postmark; or
    (iii) If served by express courier, the service date shown on the 
certificate of service, or by other evidence if there is no certificate 
of service.
    (e) Extension of time. TSA may grant an extension of time to the 
limits set forth in this section for good cause shown. A repair station 
must request an extension of time in writing, and TSA must receive it 
at least two days before the due date in order to be considered. TSA 
may grant itself an extension of time for good cause.


Sec.  1554.205  Nondisclosure of certain information.

    In connection with the procedures under this subpart, TSA does not 
disclose classified information, as defined in Executive Order 12968, 
section 1.1(d), or any successor order, and TSA reserves the right not 
to disclose any other information or material not warranting disclosure 
or protected from disclosure under law or regulation.


[[Page 2143]]


    Dated: January 7, 2014.
John S. Pistole,
Administrator.
[FR Doc. 2014-00415 Filed 1-10-14; 8:45 am]
BILLING CODE 9110-05-P