Department of Transportation, Federal Aviation Administration,

[Federal Register: July 17, 2001 (Volume 66, Number 137)]

[Rules and Regulations]

[Page 37273-37327]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr17jy01-24]

[[Page 37273]]

Part II

Department of Transportation

Federal Aviation Administration

14 CFR Parts 107 and 139

Airport Security; Final Rule

[[Page 37274]]

DEPARTMENT OF TRANSPORTATION

Federal Aviation Administration

14 CFR Parts 107 and 139

[Docket No. FAA-2001-8724; Formerly Docket No. 28979; Amendment No. 107-13, 139-23]

RIN 2120-AD46

Airport Security

AGENCY: Federal Aviation Administration (FAA), DOT.

ACTION: Final rule.

SUMMARY: This final rule amends the existing airport security rules. It revises certain applicability provisions, definitions, and terms; reorganizes these rules into subparts containing related requirements; and incorporates some requirements already implemented in security programs. This revision also incorporates certain new measures to provide for enhanced airport security. Specifically, this final rule more clearly defines the areas of the airport in which security interests are the most critical and where security measures should be the most stringent. The intent of this final rule is to enhance security for the traveling public, aircraft operators, and persons employed by or conducting business at public airports by increasing awareness of and compliance with civil aviation security measures.

EFFECTIVE DATE: November 14, 2001.

FOR FURTHER INFORMATION CONTACT: Robert J. Cammaroto, Office of Civil Aviation Security Policy and Planning, Federal Aviation Administration, 800 Independence Ave., SW., Washington, DC 20591; telephone (202) 267- 7723.

SUPPLEMENTARY INFORMATION:

Availability of Final Rule

You can get an electronic copy using the Internet by taking the following steps:

(1) Go to the search function of the Department of Transportation's electronic Docket Management System (DMS) Web page (http://dms.dot.gov/ search).

(2) On the search page type in the last four digits of the Docket number shown at the beginning of this notice. Click on ``search.''

(3) On the next page, which contains the Docket summary information for the Docket you selected, click on the final rule.

You can also get an electronic copy using the Internet through FAA's web page at http://www.faa.gov/avr/armhome.htm or the Federal Register's web page at http://www.access.gpo.gov/su_docs/aces/ aces140.html.

You can also get a copy by submitting a request to the Federal Aviation Administration, Office of Rulemaking, ARM-1, 800 Independence Avenue, SW, Washington, DC 20591, or by calling (202) 267-9680. Make sure to identify the amendment number or docket number of this final rule.

Small Business Regulatory Enforcement Fairness Act

The Small Business Regulatory Enforcement Fairness Act (SBREFA) of 1996 requires FAA to comply with small entity requests for information or advice about compliance with statutes and regulations within its jurisdiction. Therefore, any small entity that has a question regarding this document may contact their local FAA official, or the person listed under FOR FURTHER INFORMATION CONTACT. You can find out more about SBREFA on the Internet at our site, http://www.faa.gov/avr/arm/ sbrefa.htm. For more information on SBREFA, e-mail us 9-AWA- SBREFA@faa.gov.

Background

The FAA published a proposed rule on airport security on August 1, 1997 (62 FR 41760; Notice No. 97-13). On the same date, the FAA issued Notice 9712 to revise part 108, Aircraft Operator Security (62 FR 41730). The crash of TWA 800 on July 17, 1996 raised concerns about the safety and security of civil aviation, leading the President to create the White House Commission on Aviation Safety and Security, headed by the Vice President. The Commission issued an initial report on September 9, 1996, with 20 specific recommendations for improving aviation security. On February 12, 1997, the Commission issued its Final Report with 57 recommendations, 31 of which deal with improving aviation security for travelers. In addition, the Federal Aviation Reauthorization Act of 1996 (Pub. L. 104-264) was signed on October 9, 1996, and directs the FAA to amend rules to upgrade civil aviation security.

The FAA has been working to respond to the recommendations of the Commission and to carry out the legislation, and has issued several proposals, in addition to the proposed rule put forth in Notice No. 97- 13. On September 24, 1998, the FAA issued a Final Rule on employment history, verification, and criminal records checks. (63 FR 51218; September 24, 1998).

The rules proposed in Notice No. 97-13 were not written in response to the Commission or the Reauthorization Act. Rather, the notice, which proposed to update the overall regulatory structure for airport and aircraft operator security, involved the FAA, other Federal agencies and commissions, airports and aircraft operators, and the Aviation Security Advisory Committee (ASAC). Nevertheless, the extensive proposed revisions were considered to be consistent with the intentions of the mandates, contained proposals industry had identified as necessary or appropriate, and outlined a new organization for the regulations that would assist in developing future changes to the rules. For these reasons, the FAA published the proposed rule for comment. This final rule addresses comments to that proposal.

The revision of part 108, published concurrently with this rule, contains a discussion of the current terrorist threat that also is applicable to concerns under part 107.

The Role of the ASAC

On April 3, 1989, the Secretary of Transportation announced the formation of a national ASAC under the provision of the Federal Advisory Committee Act (Title 5 U.S. Code, Appendix II).

The ASAC was formed to examine all areas of civil aviation security and to ensure a higher degree of safety for the traveling public by recommending improvement of aviation security equipment and procedures. The ASAC is chaired by the FAA's Assistant Administrator for Civil Aviation Security and makes recommendations to the FAA Administrator. Committee membership represents a balance of Federal government, aviation industry, and consumer advocacy groups.

All ASAC meetings are open to the public and are announced in the Federal Register. Meetings typically are held three times a year. Members of the public are permitted to attend and appear before the committee, subject to reasonable limitations of space and time.

In December 1993, the FAA sought the ASAC's comments on a ``discussion paper'' that included a broad range of security issues and concerns. A copy of this paper is filedin the FAA public docket for Notice No. 97-13 (Docket No. 28979).

To address the issues raised in the discussion paper, the ASAC formed two subcommittees, and developed recommendations on airport and aircraft operator security issues, which were reported to the FAA on March 15, 1994. Individual ASAC members also provided comments on issues when their respective organizations disagreed with the position of the committee.

[[Page 37275]]

Then the ASAC's and individual committee members' comments were forwarded to the FAA with an overall recommendation that security regulations should remain flexible and contain only general security performance standards.

General Discussion of the Rule

The FAA is required to prescribe rules as needed, to protect persons and property on aircraft against acts of criminal violence and aircraft piracy, and to prescribe rules for screening passengers and property for dangerous weapons, explosives, and destructive substances (See 49 U.S.C. 44901 through 44904).

To comply with the statute, the FAA has issued rules that require airport operators to perform various duties to ensure the security of civil aviation. Title 14, Code of Federal Regulations, contains part 107 that is directed specifically toward airport operators, and contains general requirements for promoting civil aviation security.

Airport operators are required by new Sec. 107.101 to have a security program, approved by the Administrator that specifies measures they will use to perform their regulatory and statutory responsibilities. The airport security program contains sensitive security information (SSI) and is available only to persons with a need-to-know. Most airport security programs include the following information: descriptions of the air operations area (AOA), each area on or adjacent to the airport that affects the security of the AOA, and air carriers exclusive areas; procedures to control access to the AOA; alternate security procedures for use in emergency and other unusual conditions; and law enforcement support training and record maintenance programs in furtherance of part 107. Programs for some airports include a description of the law enforcement support training program and the system for maintaining records.

Other sources of information and measures are contained in Security Directives and Information Circulars described in new Sec. 107.303. These sources address threats to civil aviation security as well as responsive measures to those threats.

The airport security program is far more detailed than the regulations and, therefore, there will be items specifically addressed in detail that may only be broadly addressed in the regulatory language of part 107. Once approved, the security program has the force of law, and like the part 107 regulations, airport operators must comply with their security program.

This revision of part 107 comprehensively updates airport security regulations to more efficiently and effectively address terrorist and other criminal threats to civil aviation. This action incorporates procedures currently in security programs into part 107, in a manner that is intended to allow regulated entities and individuals to better understand their respective security responsibilities. Concurrent with the issuance of this final rule, the FAA is updating relevant guidance that will help to ensure that airport security programs are consistent with this rule. Lastly, the final rule incorporates certain new measures that will provide for enhanced security. For example, the revisions make individuals directly accountable to the FAA for non- compliance with certain regulations.

Furthermore, local authorities will not be prevented from also taking action against an individual for non-compliance with the regulation, even if the FAA previously has taken action against that individual for the same offense. In fact, the FAA realizes that some local actions may be imposed more quickly and effectively than the agency's actions.

The proposal would have required that an airport's security program include specific local disciplinary actions and penalties for employees who do not comply with security requirements. Initially, this proposal was quite controversial. However, the public's opinion regarding this issue apparently has changed. In response, the FAA reopened the comment period from August 10-September 24, 1999, to receive additional comments from the public on the individual accountability issue [64 FR 43321 (August 10, 1999)]. Therefore, the FAA will not address this issue in this final rule, it will be addressed in a future rulemaking.

Through these changes, the FAA hopes to create a more effective mix of individual and corporate responsibility for complying with security regulations, particularly those relating to access controls and challenge procedures.

General Discussion of the Comments

The NPRM initially requested comments by December 1, 1997. Two public meetings were announced on October 15, 1997, in Washington, DC, and on October 22, 1997, in Fort Worth, TX. On April 14, 1998, the FAA reopened the comment period and announced two public meetings on the NPRM. The public meetings were held on May 21, 1998, in Washington, DC, and June 4, 1998, in Nashville, TN.

As of June 26, 1998, the closing of the second comment period, about 200 comments were received addressing the NPRM. Comments were received from 62 airports, two State and local governments, four law enforcement entities, eight air carriers, and seven industry associations representing these interests. Comments were also received from numerous individuals.

Secured Area, Air Operations Area (AOA), and Security Identification Display Area (SIDA)

Proposal: Notice 97-13 proposed to change the names of the various areas controlled under part 107, and to make some changes in the security measures that apply to each. Under the current rule there are several areas that have been introduced over the years for various security purposes.

Security measures have been required in the AOA since the inception of part 107 in 1972. The definition of AOA in current Sec. 107.1(b)(2) is ``a portion of an airport designed and used for landing, takeoff, or surface maneuvering of airplanes. * * *'' Current Sec. 107.13 provides the security requirements for the AOA. Basically, the airport operator must use the measures in its security program to control access to the AOA and prevent entry of unauthorized persons and ground vehicles; to control movement of persons and ground vehicles, including display of ID when appropriate; and to detect and control each unauthorized penetration.

The secured area was introduced in 1989 in Sec. 107.14. Its location on airports intentionally was not defined to avoid compromising airport operators' security programs. See 54 FR 582 at 584 (January 6, 1989). Section 107.14 requires enhanced access controls for secured areas of the airport mostly using computerized access controls. This area for most airports has evolved to be mainly portions of the AOA near the terminal and in baggage make-up areas, where the highest levels of security are needed. For some airports, the entire AOA is a secured area, because of such factors as the location of the airport and the inability to use adequate security controls to separate general aviation and other areas from air carrier operations.

The SIDA was defined in 1991. The SIDA is defined in current Sec. 107.25(a) as ``any area identified in the airport security program as requiring each person to continuously display on their outermost garment, an airport-approved ID medium unless under airport-approved escort.'' The ID medium is referred to as being used for both access control and controlling the presence and movement of persons. The portions of the airport that must be a SIDA are not set out in current part 107. The

[[Page 37276]]

preambles to proposed and final Sec. 107.205, however, indicate that SIDA generally would include secured areas (Sec. 107.14), air operations areas (Sec. 107.1(b)(2)), cargo and baggage make-up areas, and other areas specified in individual airport security programs. SIDA would not include the sterile area. There also would be site-specific provisions at those airports where general aviation and other areas are positively separated from air carrier operations [56 FR 13552 at 13553, and 56 FR 41412 at 41413]. Thus, the secured area, part or all of the AOA, and some areas that are neither secured areas nor AOA (such as some cargo makeup areas) could be within a SIDA. The security measures required in the SIDA are in Secs. 107.25 and 107.31. These sections require training of persons with unescorted access to the SIDA, and employment history, verification, and criminal history records checks of those persons.

This systematic design of interlocking areas has created some confusion in the past. It has not been clear where the limits of the secured area should be, for instance. Notice 97-13 attempted to propose a design that would be simpler and clearer. It proposed to eliminate overlapping areas, such as where both the AOA rules and the secured area rules apply. It also proposed, based in part on recommendations from the ASAC, to rename the areas so that what is now the secured area would be the critical security area (CSA), and what is now the AOA outside of the secured area would be the restricted operations area (ROA). Definitions of these terms were proposed in Sec. 107.3. Sections 107.201 and 107.203 proposed specific requirements for access systems, ID systems, and other security measures to be applied in the CSA and ROA, respectively. The intent was to more clearly describe those areas of the airport in which the security interests are the most critical and require the most stringent measures, and to enhance the security of other parts of the ROA.

Comments on changing the names of the areas: Many commenters object to changing the names of the secured area, AOA, and SIDA. They state that the industry has become familiar with these names and that changing them now would create confusion. It would also result in very large expenses to change training programs and videos, airport manuals, emergency plans, signs, and many other items. The commenters note that spending a significant amount of time, effort, and funds on retraining, signs, documentation, and security programs for renaming the above noted areas, would not improve security. The commenters strongly urge that the names not be changed.

One commenter suggests that acronyms for defined terms should be included in the definitions. Another commenter says that the FAA should avoid using 3-letter acronyms that replicate an airport's 3-letter designator code.

FAA response: The FAA has decided not to change the names of the areas to CSA and ROA. After further consideration, changing these names would create a burden to change numerous documents, signs, training programs, and the like with insufficient benefit. The industry has become used to these names and there is not the same concern there was several years ago about them.

Regarding the use of acronyms, the FAA will adopt the suggestion to reference commonly used acronyms in the definitions. Also, in response to the comment on acronyms relating to security terms as opposed to 3- letter airport designator codes, the FAA notes that security terms and their acronyms are based on functional descriptions of what they are intended to define. The FAA's system of 3-letter airport designator codes is a separate and distinct program. The agency recognizes that some acronyms and 3-letter airport identifiers may be unintentionally identical, but it is not aware of any conflicts at this time. However, it is expected that the context in which overlapping terms would be used will indicate their intent.

Comments on definitions of critical security area, restricted security area, secured area, AOA, and SIDA: National Air Transport Association (NATA) and Missoula International Airport comment that areas used by general aviation should be excluded from the critical security area and maintained in the AOA, and have less intrusive security requirements. The ATA requests a definition of ``AOA.'' Several commenters including three airports requested a definition of ``SIDA.''

The Port Authority of NY and NJ suggests that ``critical security area'' should be defined as ``where aircraft operators and foreign aircraft operators enplane and deplane passengers and sort and load baggage and any immediately adjacent areas that are not separated by security controls, physical or visual barriers, adequate time and distance separation or visual surveillance.''

Atlanta Hartsfield International Airport requests that the FAA add the phrase ``time and distance'' after the phrase ``physical barriers'' in the definition of ``restricted operations area.'' Furthermore, Ft. Wayne Airport suggests the definition should be modified to include only areas that are used by aircraft operators for the carriage of passengers. Another commenter says that the restricted operations area should allow the use of ``visual barriers,'' such as lines or words painted on the pavement.

One commenter requests clarification of the phrases ``adjacent areas'' and ``other security measures'' which are used in the definition of ``critical security area.''

The NATA requests a definition of the area of an airport where general aviation activities occur. One suggestion is to define the term ``General Aviation Security Area'' so that the general aviation areas are not included in the critical security area or restricted operations area.

Two airports state that the ROA should be defined and limited to only those areas outside the critical security area and immediately adjacent to facilities needed for aircraft operators to land, depart, taxi, park, and maneuver aircraft. All other areas should be considered non-restricted AOA portions of the airport and a definition for an AOA included in the new part 107. The proposed rule, as written, would require a massive expenditure of critically needed funds to extend and upgrade the systems presently installed.

The Airport Council International-North America (ACI-NA), American Association of American Executives (AAAE), and two airports state that increasing the size of the restricted operations area directly contravenes the recommendations of the ASAC working group.

FAA Response: This rule adds definitions to better describe the limits of the secured area, AOA, and SIDA. These definitions in part are intended to conform part 107 to what has become common practice in determining the limits of these areas at airports. The FAA anticipates that there will be few changes needed in the boundaries of current secured areas, SIDAs, and AOAs based on these rule changes, although nationwide we anticipate a small reduction in the current security areas and corresponding increase in the AOA. These definitions reduce the overlap between the areas by clearly separating the AOA from the secured area. Each will be a distinct area, with different requirements. This assists in accomplishing the goal of providing for the highest levels of security at those places where operations regulated under parts 108 and 129 are conducted.

The secured area is that area where the highest level of security measures

[[Page 37277]]

are needed. This includes areas where part 108 operations enplane and deplane passengers and sort and load baggage, and adjacent areas that are not separated by adequate security measures. Unlike the current rule, the term ``secured area'' is not used only to describe the area where enhanced access controls are required. It is used to describe an area where a range of enhanced security measures are required, including identification media, escort, and challenge programs. This is consistent with current practice. For example, those areas in which the enhanced access controls are considered necessary are also SIDAs with ID display required.

The SIDA is essentially not changed from the current rule. It overlays secured area, in that the secured area must be a SIDA. It may overlap an AOA, in that at some airports it may be necessary for part or all of the AOA to be a SIDA. The SIDA may also be in an area outside of either the secured area or AOA, such as a cargo makeup area. The security measures required for the SIDA have not been changed significantly.

The AOA is almost the same concept as used in current part 107, except that it is limited to those areas that are used by parts 108 and 129 operations, and those adjacent areas that are not separated by adequate security measures. Further, the secured area is no longer considered part of the AOA. The security measures required in the AOA include controlling access and presence of unauthorized persons and vehicles. There remains flexibility as to exact measures to be used to accomplish these tasks, because each airport is different and may have different needs in the AOA. For instance, personnel ID systems may or may not be used in the AOA.

The proposal used the phrase ``any adjacent areas that are not separated by security controls or physical barriers.'' The final rule uses the phrase ``adjacent areas that are not separated by adequate security systems, measures, or procedures.'' Physical barriers are one sort of security measure, and may be a critical part of a security system that permits an adjacent area to be excluded from a secured area or an AOA. There are many other provisions that in appropriate combinations may provide adequate security systems, measures, or procedures. They include remoteness from the adjacent operation (``time and distance'') combined with specific measures to detect and respond to unauthorized penetrations, fences, personnel ID systems, closed circuit TV, clear markings, and security patrols. Given the wide variations in airports and the various security systems in use, it is impossible to state specifically in the rule what is needed at each airport. Further, much of the information on the security systems to be used at each airport must be kept non-public to avoid giving unauthorized persons information that could be used to attempt to defeat them.

As to signs, markings, and visual barriers, it must be noted that these are effective mostly for people who are attempting in good faith to comply with the security systems at the airport. Standing alone, they are not very effective at keeping out persons who are intending to defeat the system.

The FAA considered using the term ``immediately adjacent,'' rather than just ``adjacent.'' However, this might be viewed as too limiting. The key is whether the adjacent area can be separated by adequate security measures. Distance alone is not sufficient. For instance, to be effective, distance must be coupled with adequate measures to detect and respond to unauthorized persons attempting to cross that distance. In each case, the airport operator and the FAA must consider not only how close the adjacent area is, but also what security measures are present, what related activity is in the area, and all other factors. It is impossible to state specifically how far an area might extend before it is excluded from the secured area or the AOA. For instance, at airports where general aviation (GA) activity is sufficiently remote from the secured area and there are dedicated measures to detect and challenge persons moving from the GA area to the secured area, that GA area may not need to be included in the secured area. At other locations where the GA activity is close to the terminal, and it is not possible to erect adequate physical barriers, there may be no way to provide adequate security measures to exclude the GA area from the secured area. Removing GA areas from the AOA, this too depends on the airport. GA areas are usually near taxiways and/or runways used by parts 108 and 129 aircraft, and are usually within the perimeter fence of the airport. Even if a GA area is remote from the secured area it may not be possible to have adequate security measures to omit it from the AOA. However, if the GA area is separated from the taxiways and runways by a fence and controlled gate, there may be a basis to exclude it from the AOA. Again, the FAA does not consider the secured area and AOA, as defined in the final rule, to be vastly different than what currently exists at the airports. This final rule to a large extent more clearly reflects the areas as they have evolved from the more general and vague language of the current rule.

The security measures required in each area are discussed more fully in the Section-by-Section Analysis.

The Notice did not propose to retain the term SIDA. As discussed above, the FAA has decided to retain this term, with modifications. As used in current Sec. 107.25, SIDA refers to ``any area identified in the airport security program as requiring each person to continuously display on their outermost garment, an airport-approved identification medium unless under airport-approved escort.'' It was based on the idea that, if the area was of such an importance to security to have a requirement in the security program for the continuous display of identification, it should also have the training requirements in Sec. 107.25 to ensure that airport personnel know their duties to challenge persons without ID, and the employment verification of Sec. 107.31.

This final rule changes the definition of SIDA to ``a portion of an airport, specified in the airport security program, in which security measures specified in this part are carried out. This area includes the secured area and may include other areas of the airport, such as areas where there are activities related to the operations of aircraft operators and foreign air carriers that have security programs under part 108 or Sec. 129.25 of this chapter.'' This definition is intended to capture the original intent of the SIDA. It includes the secured area, in which the highest level of security is required. An airport operator may include in the SIDA other areas, such as cargo makeup areas, fuel farms, and other areas, particularly where activities related to part 108 and part 129 operations are carried out. On some airports the entire AOA may be designated a SIDA. Again, because of the varied configuration of airports it is not possible to describe exactly the limits of the SIDA.

New Sec. 107.205 states the security measures that must be carried out in the SIDA, and is discussed in the Section-by-Section Analysis.

A strict reading of current Sec. Sec. 107.25 and 107.31 would suggest that any area in which continuous display of ID is provided for in the security program also requires the more extensive training in escort and challenge procedures, and employment verification in these sections. It has become evident to the FAA that there are areas of airports outside of the secured area in which, due to local circumstances, the continuous display of ID is required by

[[Page 37278]]

local rule, but that do not necessarily warrant the higher security requirements of a SIDA. Examples include areas used exclusively by an aircraft manufacturer or other private corporation, in which continuous display of a corporate ID is required largely for corporate security purposes. Such areas are described in the airport security program because they are part of the overall security situation at the airport. For instance, the airport would make sure that the color and appearance of the corporate ID was not confusingly similar to that of the airport IDs used in the SIDA. The corporate areas, however, need not have all the measures that apply to the SIDA. Nevertheless, the definition as it appears in current part 107 could be read to mean that such areas must be formal SIDA's. New Sec. 107.203(b)(5) acknowledges that such areas may exist in the AOA without them being deemed SIDA's under new Sec. 107.205.

The Notice proposed, in essence, that the CSA (now the secured area) would have all the attributes of the SIDA, with full training and employment verification. The proposed ROA (now AOA) would have ID display required, but not have the same extensive training or employment verification as the SIDA. The final rule represents a middle ground between the current rule and the proposal by requiring the secured area to be a SIDA, and providing the option of less burdensome ID requirements in the AOA.

Time Limits

Proposal: The Notice proposed various time limits for carrying out various tasks, such as approval of a security program, amendments to security programs, and changed conditions affecting security. These tasks were presented with deadlines that were in terms of calendar days and hours.

Comments: A commenter states that compliance timeframes should be adjusted to reflect realistic opportunities. The recommendation was made that the FAA refer to ``business days'' versus a specified number of hours when setting deadlines for compliance.

FAA response: Regarding the use of business days in favor of a specific number of hours, the FAA notes that its regulations usually deal in terms of calendar days or hours (for instance, 30 days or 72 hours). When setting deadlines for compliance the FAA will set reasonable deadlines, based on circumstances, while taking into account holidays and weekends. In emergency situations, it may not be in the interest of security to delay compliance for a weekend or holiday. The agency sees no need to alter its practice. Further, the use of ``business days'' can be confusing. Most airports are open for business every day of the week, including holidays. Further, the observance of holidays is not uniform throughout the country.

Compliance Dates

Proposal: The Notice requested comments regarding compliance dates.

Comments: ACI-NA and AAAE comment that the FAA should provide sufficient time following issuance of a final rule for airports to be in compliance. A minimum phase-in period of 18 months was suggested.

FAA response: The FAA believes this final rule has allowed adequate time for airports to comply. The agency notes that the complexities involved in compliance, as well as anticipated costs, are carefully weighed when deadlines are established. Where difficulties are encountered, airport operators are encouraged to contact their local FAA security field office. The FAA has attempted to ensure a realistic approach to compliance timeframes but recognizes that such timeframes are sometimes not met for good cause. The agency is prepared to extend reasonable consideration when the merits of a situation warrant.

The final rule has far fewer required changes than the NPRM. For instance, the boundaries and names of the secured area, AOA, and SIDA will change little, if at all. Also, some new requirements have intended compliance dates such as for AOA training under Sec. 107.213(c) and (f).

Security Requirements Based on Size of Aircraft Served

Comments: One commenter states that increased airport security thresholds should not be based on the size of the aircraft serving an airport, but on the number of passengers screened annually. One commenter agrees with the statement that experience shows airports served by smaller aircraft need not comply with all of the requirements imposed on larger airports. However, security should be a function of the nature of the service resident at an airport; that is, medium and large hub airports are of more concern, so operations to and from them should be of more concern. The commenter suggests that perhaps the analysis should focus on city pairs instead; and further still, to more highly threatened city pairs. Aircraft sizes and their variations do not, in themselves, create security issues.

FAA response: The agency understands the commenters' concerns about appropriate measures as determined by the size and threat level of particular airports. But, contrary to the comments, the FAA believes that aircraft size and capabilities affect their desirability as targets of terrorism or other criminal acts. Such criteria have historically proven good indicators of where and how to focus limited security resources. There are some requirements that may vary based on the amount of activity at the airport and other factors, which are set out in the individual airport's security programs.

Supplemental Notice of Proposed Rulemaking (SNPRM)

Comments: The ACI-NA and AAAE strongly urge the FAA not to implement the proposed rule until the FAA publishes an SNPRM and reviews the comments. It would be appropriate within this timeframe to examine ways that the ASAC, or a new working group within the ASAC, could be appointed to clarify and streamline this proposal.

Twenty-four airports, an air carrier, a local government, five local departments, and commissions recommend that the FAA publish an SNPRM.

Many commenters state that the FAA states throughout the NPRM that it is an incomplete proposal, and notes that additional language will be supplied at a later, unspecified date.

FAA response: Having received a vast amount of public and industry input to this proposal, and in view of the many changes reflected in the final rule, the FAA is confident that the rule can go forward without the issuance of an SNPRM that covers the entire part 107. This decision is based partly on the fact that the FAA has agreed with many of the issues the commenters felt most strongly about, such as renaming the airport areas. As to another issue of common concern, compliance programs in proposed Sec. 107.103(a)(2) as mentioned under General Discussion of the Rule, the agency reopened the comment period.

The proposal and the final rule, as well as extensive historical experience, make it clear that many specifics of the design and implementation of security programs are not appropriate for the public rulemaking process. The FAA has carefully and diligently indicated the difference between public requirements of the regulation, and specific information that can only appear in the security program. The specific details of security measures, in order to be effective, must often be held closely by those with a ``need to know.''

[[Page 37279]]

Since many of the requirements of this final rule have been in place at airports in one form or another for many years, the FAA does not anticipate any regulated parties would be unduly or unnecessarily inconvenienced in complying with them.

Section-by-Section Analysis

The following is a discussion of comments and FAA responses for each proposed section.

Section 107.1 Applicability

The NPRM proposed to extend airport security requirements to airports regularly serving any aircraft operator required to have a security program under parts 108 or 129. This would be a change from the current rule, which covers airport operators regularly serving scheduled operations of aircraft operators required to have a security program. The increase would be those airports that only regularly serve certain public charter operations. The NPRM also proposed to extend the applicability of existing Sec. 107.1 to individuals entering or in critical security areas, restricted operations areas, and sterile areas.

Under proposed Sec. 107.1(b), the term ``Assistant Administrator for Civil Aviation Security'' would be used, rather than the existing ``Director of Civil Aviation Security.'' This position would be defined as the official who oversees civil aviation security operations and approves security programs. In addition, Sec. 107.1(b) would clarify that the Deputy Assistant Administrator for Civil Aviation Security, or any individual formally designated, could act in the capacity of the Assistant Administrator and the duties of this position could be further delegated.

Comments: A commenter states that smaller regional airports do not have staff to perform all requirements in the proposed rule. The FAA would have to fund the salaries of additional personnel so that the facility could comply with the rule.

Another commenter recommends removing the reference to ``sterile area'' in Sec. 107.1(a)(3), as it is controlled by part 108 rules.

Finally, Air Transport Association (ATA) comments that the delegation of the Administrator's authority should be narrowly circumscribed due to the potential for conflicting and overlapping authority.

FAA response: In the past, the FAA generally chose to hold only the airport operator accountable for the actions of persons under its control, with the expectation that corrective actions taken by airport operators would discourage employees and others from repeated non- compliance. The FAA continues to believe that corporate accountability is key to achieving and maintaining compliance. However, the agency also believes that the concept of holding individuals accountable for security violations, in a timely fashion, is a worthy one. The agency remains committed to broadening accountability and the final rule reflects that under new Sec. 107.11.

In response to the comment regarding the lack of staff at smaller regional airports, the FAA refers to the Regulatory Evaluation. Economic analyses are based on estimates which anticipate costs associated with all sizes of airports, and recognizing the costs of the different levels of security measures associated with each.

Regarding removal of the term ``sterile area'' from Sec. 107.1(a)(3), that term originated in part 108, and is used in part 107 to define locations at which a person is subject to individual responsibility for their conduct under this part. The FAA, therefore, has decided to leave the proposed language unchanged while the definition of ``sterile area'' is retained in part 108.

In response to ATA's comment about the delegation of the Administrator's authority, the FAA notes that the proposal reflects the manner in which the FAA's internal chain of command carries out its statutory responsibilities. The FAA agrees that delegations must be carefully evaluated to avoid unnecessary conflicts of authority.

Section 107.3 Definitions

The FAA proposed a new definitions section (Sec. 107.3) which would include revised definitions from the current part 107. Section 107.3 also would add several new definitions. Existing Sec. 107.3, Security Program, would be incorporated under proposed Subpart B, Airport Security Program. The FAA proposed that the terms defined in part 108, e.g., ``sterile area,'' would apply to this part.

The proposals regarding the secured area, AOA, SIDA, CSA, and ROA are discussed under the General Discussion above. In addition, the FAA proposed the following in Sec. 107.3. The definition of ``exclusive area'' in existing Sec. 107.1 would be revised and grouped with a newly defined ``exclusive area agreement.'' Under the proposal, the definition of ``escort'' was revised to include a reference to the proposed critical security area and restricted operations area. The definition ``sterile area'' was revised in the proposal to clarify the responsibility to conduct inspections of persons and property.

The FAA also proposed adding the following definitions: ``airport security program,'' ``airport tenant,'' ``airport tenant security program,'' ``Assistant Administrator,'' ``exclusive area agreement, ``and ``unescorted access authority.''

Comments on definitions in general: The Regional Airline Association (RAA), Federal Express (FedEx), eight airports, an air carrier, and a local department of aviation request that the FAA define terms more clearly, or continue using the current terms. The commenters also provide detailed suggestions on how to more clearly define some of the terms.

United Parcel Service (UPS), Alaska Airlines, Trans World Airways (TWA), Port Authority of NY and NJ, and Phoenix Aviation Department suggest incorporating the same definitions in parts 107 and 108.

FAA response: Clarity of definitions is a fundamental goal of this rulemaking. In response to RAA, FedEx, and the many other commenters who offered comments on exactly how to go about that task, the FAA wishes to assure them that every effort has been made for clarity and distinctness. The challenge was to develop clarity, while at the same time providing flexibility to allow for local applications and unique circumstances.

As to the requests to repeat the definition of terms used in both parts 107 and 108, the FAA has decided to retain the definitions in the most applicable part. Cross references will indicate that the terms apply to the other part as well. Although it might be more convenient for some users to have the definitions repeated in each part, there is a risk that the definitions would become inconsistent as parts are individually amended from time to time.

Comments on ``escort'': The ATA states that the term ``escort'' should not apply to employees temporarily without aircraft operator identification media.

The UPS and three airports state that the proposed definition of ``escort'' leaves too much room for interpretation. Airport commenters state that the phrase ``sufficient to take action'' is unclear. The FAA should add language that holds individuals accountable for being in direct physical control of persons under escort.

FAA response: In consideration of the comments, the FAA has revised the definition of escort. The term ``escort'' now means ``to accompany or monitor the activities of an individual who does not have unescorted access authority

[[Page 37280]]

into or within a secured area or SIDA.'' This emphasizes the primary function of the escorter--to determine whether the escortee is limiting his or her activities to those authorized. If the escortee departs from authorized activities, the escorter would take action in accordance with the security program. This could include verbally challenging the individual, summoning a supervisor, or summoning law enforcement. The minimum requirements for the local design and implementation of escort procedures are set forth in new Sec. Sec. 107.201 and 107.205. Specifics as to where and how this method is to be applied will appear in individual airport security programs. As to the escorter being in ``direct physical control'' of the escortee, this phrase might imply a level of physical control that generally is not needed, such as the level of control a law enforcement officer exerts over a person they have arrested.

Comments on ``exclusive area'': Denver International Airport suggests that the definition of ``exclusive area'' include the concept that now individual access points can be designated as ``exclusive areas.'' The commenter also recommends adding ``located anywhere on the airport'' after the phrase ``access points.''

FAA response: The definition of ``exclusive area'' as proposed was intended to provide the regulated parties with the opportunity to transfer the accountability and responsibilities under part 107 from the airport operator to aircraft operators under parts 108 or 129. The definition as proposed expands the scope of the former definition, which allowed exclusive area agreements only for portions of the AOA. The new definition permits inclusion of portions of an AOA, secured area, and SIDA, which may include access points. For example, a part 108 regulated aircraft operator may now assume specific security responsibilities under part 107 for that portion of the secured area within its leasehold. The aircraft operator may also accept an exclusive area agreement with the airport for part 107 responsibility for any access point (for persons or vehicles) which leads directly into that portion of the secured area. Individual access points may be included in exclusive area agreements in the final rule. Further discussion of exclusive areas appears in response to comments relating to proposed Sec. 107.111.

Comments on ``sterile area'': Several commenters, including three airports, requested that the FAA put the definition of ``sterile area'' in Sec. 107.3 instead of referring the reader to part 108.

FAA response: The definition of sterile area will remain in Sec. 108.3, and will not be repeated in this part. As explained earlier, the FAA has decided to keep the definitions in the most applicable part, with cross-references showing that the terms apply to other parts as well. Section 108.3 states that the term ``sterile area'' means a portion of an airport defined in the security program that provides passengers access to boarding aircraft and to which the access generally is controlled by an aircraft operator or foreign air carrier through the screening of persons and property in accordance with the security program. The use of the term ``sterile area'' in part 107 is for descriptive purposes only.

Comments on ``unescorted access authority'': The Air Line Pilots Association (ALPA) and Juneau International Airport request a definition of ``unescorted access authority.''

Another commenter says that the airport operator should be the only person authorized to grant unescorted access authority.

FAA response: The FAA defines unescorted access authority as the authority granted to individuals to gain entry to, and be present without an escort in secured areas and SIDA's. The FAA disagrees with the comment that only the airport operator should grant unescorted access authority. It has been a longstanding practice for aircraft operators holding security programs under parts 108 or 129 to join with the airport operator in ``exclusive area agreements.'' The intent of such agreements is to transfer certain part 107 requirements to the aircraft operator, as specified in the agreement.

Additionally, it is a common practice for the airport operator to extend or broaden authorization for unescorted access to a class of persons. For example, the acceptance of a particular company's employee identification card, as airport-approved media, effectively extends to such companies the authority to determine who may have such privileges on a case-by-case basis. In each of these cases the airport operator has agreed to extend the privilege to the other party. The FAA believes that as long as a responsible party is empowered to extend that privilege under specific terms, the safety of the flying public can be ensured. Therefore, absent any compelling reasons to the contrary, the FAA will permit parties other than the airport operator to grant unescorted access authority within the constraints of this part.

Comments on clarification of definitions and new definitions: Many commenters request clarification of the following terms: ``media,'' ``vehicle,'' ``person,'' ``physical barriers,'' and ``law enforcement personnel.'' Atlanta Hartsfield International Airport requests clarification of the term ``person.'' A commenter requests a definition of ``physical barriers,'' and recommends including time, distance, or signage in the definition.

The Monterey Peninsula Airport District comments that the FAA should define ``law enforcement personnel'' to consist of state certified police officers. Security guards should supplement, not replace police officers.

FAA response: In response to comments regarding clarification of definitions or the use of new definitions, the FAA notes that it usually does not define terms that are used within their common, everyday meaning. For example, the terms ``media,'' ``ground vehicle,'' and ``physical barriers'' are not used in this rule in unique ways. There is no need to include definitions in the rule.

The term ``media,'' for instance, is used in a conventional sense to identify any means, materials, or techniques that identify an individual or vehicle or convey an individual's access or personnel identification authorization. In common usage, access media can include keys, magnetic cards, or other means to gain entry. In the case of identification media, Sec. 107.211 provides additional standards for such media. The FAA used the term ``physical barriers'' in a conventional sense to include, for example, fences, walls, and buildings. The FAA has not used that term in the final rule, as discussed under Secured Area, AOA, and SIDA, above.

The word ``person'' is already defined in 14 CFR Sec. 1.1. That definition is controlling with regard to part 107 so that there is no reason to repeat that definition in part 107.

Section 107.5 Airport Security Coordinator

The FAA proposed that existing Sec. 107.5, ``Approval of security program,'' would be incorporated into proposed Sec. 107.105, ``Approval and amendments,'' under proposed Subpart B, Airport Security Program. Existing Sec. 107.29, ``Airport Security Coordinator'' would be revised and renumbered as new Sec. 107.5 under new Subpart A, General.

The FAA proposed to further define the functions and responsibilities of the

[[Page 37281]]

ASC. The functions of the ASC were discussed in the Employment Standards Rulemaking (56 FR 41412 at 41417-8; August 20, 1991). The FAA also proposed that this section would clarify that an individual serving as an ASC may perform other duties in addition to those required by the FAA, and this need not be the ASC's only duties. It was the FAA's intent to clarify that the ASC requirements did not mandate that airport operators establish additional positions, the duties of which are exclusively security-related. Further, the proposed language was intended to clarify the relationship between the FAA and the ASC.

The FAA also proposed to require training for the ASC every 2 years to ensure that ASC's remain updated on both airport and aircraft operator security regulatory and operational requirements. The FAA requested comments on methods airport operators would use to meet this training requirement.

Lastly, the FAA proposed moving to this section certain provisions of existing Sec. 107.31, recently effective (60 FR 51854; October 3, 1995), regarding the ASC responsibility to review and control results of employment and criminal history checks and to serve as the contact for individuals appealing their results.

Comments on ASC Functions: (Proposed Sec. 107.5(a) and (b)): Cheyenne Airport disagrees with incorporating specific functions and duties of the ASC into the rule. A detailed job description is redundant and unnecessary. Several commenters questioned whether there could be more than one ASC.

FAA response: The FAA's general description of the functions of the ASC reflects the expectation that similar tasks are to be conducted at hundreds of individual airports across the nation. The regulatory framework is considered essential to ensure consistent and reliable understanding of the ASC's duties.

In response to the comments, the final rule clarifies that the airport must have one or more ASC's. This would allow different people to be on call at different times. The FAA anticipates the airport generally will designate a lead ASC, and others who will assist.

Comments on Sec. 107.5(b): One airline commenter says that proposed Sec. 107.5(b)(2) should state that ASC's have contact with Federal Security Managers (FSM), who are FAA special agents, located at certain larger or more complex airports. Another commenter says that the ASC should have contact with the Aircraft Operator Security Coordinator (AOSC) and notes that AOSC's are to be designated at the corporate level.

Atlanta Hartsfield International Airport, Minneapolis Airport, the Port Authority of NY and NJ, Lincoln Airport Authority, and the Phoenix Aviation Department state that the requirement in proposed Sec. 107.5(b)(3) to ``review with sufficient frequency all security related functions'' is vague and leaves a considerable amount of room for interpretation. Denver International Airport states that the phrase ``airport tenant activities'' in this paragraph needs to be defined.

The ACI-NA, AAAE, Atlanta Hartsfield International Airport, Miami International Airport, Tucson Airport, Metropolitan Washington Airports Authority, Capital Region Airport Authority, Lincoln Airport Authority, and Phoenix Aviation Department are under the perception that the ASC would ``perform any duties deemed necessary'' (proposed Sec. 107.5(b)(7)). The commenters believe that this situation would be like leaving a ``blank check'' for the FAA to impose new duties and requirements on the airports; some commenters believe that this paragraph should be deleted and that any additional FAA directed changes should be coordinated and implemented under proposed Sec. 107.107.

FAA response: Regarding the airline comment related to Sec. 107.5(b)(2) that the proposal should state that ASC's should have contact with the FSM, the FAA notes that FSM's are senior FAA civil aviation security specialists whose duties apply specifically to particular airports. Such airports are generally larger and more complex facilities. A FSM is the FAA's designated point of contact for the ASC's at such airports. If there is no FSM for that airport, another contact point from a FAA field office is given to the ASC. Hence, the FAA does not see a need to add or to modify proposed language in this regard.

As to requiring the ASC to contact the AOSC, the AOSC for the aircraft operator is designated at the corporate level, while the ASC is designated at the local airport level. It is not the FAA's intent to require that the ASC communicate with corporate aircraft operator personnel. Generally, the ASC can carry out his or her duties by dealing with their aircraft operator counterpart who is a local Ground Security Coordinator (GSC), as required under part 108. The FAA would prefer to leave the option to contact corporate offices to the airport operator, as it deems necessary.

Regarding Sec. 107.5(b)(3), the FAA disagrees that the proposed language is unduly vague. However, the FAA also recognizes that the scope of airports' security-related functions vary greatly based upon the size and complexity of the markets served by the airport. The proposed language clearly directed the airport operator, through the ASC, to review security functions specified in such documents as the security program, tenant security programs, and applicable Security Directives. These documents are written to a high degree of specificity, and therein lie the details the ASC is expected to review. Hence, the language of the regulation is seen by the FAA to be at the appropriate level of specificity. Consequently, the FAA has chosen to retain in the regulation the broader language with an expectation that more specific requirements will be reflected in or flow from the individual security programs.

In response to Denver International Airport, the FAA notes it has removed the general phrase ``airport tenant activities'' from Sec. 107.5(b)(3). This section has been rewritten to reflect the more specific mandate. The airport operator, through the ASC, must review with sufficient frequency all security-related functions to ensure that all are effective and in compliance with this part and the security program. The agency notes, however, that the security program may include tenant security programs, exclusive area agreements, and other implementing documents. The FAA believes a frequent review of the activities specified in and required by such documents will yield an appropriate level of airport operator oversight and local communications regarding security measures.

The FAA agrees with the many comments about proposed Sec. 107.5(b)(7) that may have implied an unlimited ability of the FAA to add to the duties of the ASC through changes to the security program. Consequently, proposed Sec. 107.5(b)(7) does not appear in this final rule.

Comments on Sec. 107.5(c) Training Schedule and Hours: Anchorage International Airport and Phoenix Aviation Department say that the FAA should host and pay for any ASC training. Port Authority of NY and NJ and Anchorage International Airport say that the FAA should provide initial ASC training and recommends that the AAAE perform recurrent training every 2 years.

The ACI-NA, AAAE, Cheyenne Airport, and Lincoln Airport Authority suggest that biannual training for ASC's at smaller airports is economically burdensome. These commenters add that attendance at training seminars for ASC's at smaller airports is difficult due to tight budgets and limited staff.

[[Page 37282]]

Two airports suggest that 180 days after publication of final rule is not sufficient time to be in compliance with such extensive training and recordkeeping and instead recommend a longer compliance date.

FAA response: While the FAA disagrees that it should fund ASC training, it notes that such basic training on the civil aviation security program is available from several sources. For example, the FAA jointly sponsors basic training courses with several industry associations that could provide the ASC with requisite information. Such training, when supplemented with additional information necessary to understand local concerns, would prepare the ASC to carry out the locally defined duties.

The FAA believes that the amount of time necessary for an ASC to receive instruction on the security provisions relevant to their own location would be minimal. Consequently, the FAA does not believe that ASC training comprises an undue burden for any airport.

In response to the last comment above, the FAA accepts that 180 days may be insufficient time for airports to complete training for ASC's. Since training has not been required in the past, it must be developed and budgeted for. The final rule allows for 2 years following the publication date of the rule to achieve compliance with this requirement.

The FAA recognizes the many and valued services currently provided by the nation's ASC's. However, the FAA is also aware that there are inconsistencies in the level of knowledge and experience among ASC's. This variance stems from many factors, such as, tenure in the position, initial training (if any), the individual's current primary duties, and the individual's experience in the performance of ASC duties as well as the individual's background prior to assuming the position. Consequently, the FAA is convinced that baseline training is essential to ensure an adequate level of knowledge of the ASCs.

Therefore, this final rule does not allow for the grandfathering of ASCs as a means to avoid initial training. However, recurrent training is required for only those who have a break in service of 2 years or more during which time the person did not actively perform the duties of a designated ASC. Such persons would have to again take the training to resume ASC duties.

Comments on Sec. 107.5(c) Training Guidance: One airport states that the FAA should formulate guidance materials to clarify airport security issues, and make them available as part of the ASC training. Atlanta International Airport states that ASC training standards should be outlined in an advisory circular (AC) or proposed FAA rule. Lincoln Airport Authority and Port Authority of NY and NJ state that the ASC training curriculum, proficiency standards, and training materials should be developed by the FAA in cooperation with the industry.

Three airports state that the FAA should explain what the ASC training entails.

Two airports suggest that anyone performing in the capacity of the ASC 90 days prior to the effective date of the final rule should be ``grandfathered'' in and not be subject to the basic ASC portions of training. Furthermore, Tucson Airport states that the ASC is the most knowledgeable person at any airport and of the airport's security program and the FAA requirements and, therefore, the retraining of the ASC's basic job skills would be inefficient.

FAA response: The FAA recognizes that the role of the ASC has been expanded. In that context, it is the agency's view that the ASC should be trained to a level of functional familiarity with parts 107, 108, 129, and 191, the airport's relevant operational manuals, the local emergency services support, the process which results in issuances of Security Directives, the security programs (to include contingency plans), and the respective rules and the means to communicate with all airport tenants, the FAA, Federal and local LEO's, and other emergency services.

Section 107.5 of the final rule outlines the duties and functions that the FAA expects the ASC to conduct in this regard. As the performance of those basic duties may vary in detail from airport to airport, the FAA does not anticipate issuance of an AC on this topic. However, the FAA will develop a suggested training curriculum, in coordination with the airport industry. The FAA expects that the training itself would not exceed 24 classroom hours, in most cases, and would average approximately 16 hours.

The FAA would expect the specifics of the training curriculum to be developed locally, in accordance with FAA guidance and local needs. The curriculum should and would be reflected in the security program.

Comments on Sec. 107.5(c) Maintenance of Training Records: A commenter states that where ASC's training records are maintained is a matter of legal guidance and operational preference. As long as those records are available for FAA inspection upon request, there is no need for the FAA to micromanage record maintenance. The Port Authority of NY and NJ recommends removal of language specifying that records are to be maintained in the principal operations office.

Atlanta International Airport says that training records and other documentation requirements will create unnecessary recordkeeping burdens.

FAA response: The FAA has modified the rule so as to permit the airport operator to maintain the ASC training records in a location and manner of its choosing. Further, the FAA believes that the recordkeeping burdens would amount to no more than 30 minutes a year to document the training of each ASC. The FAA anticipates that a simple statement to the record that the ASC has completed training, as specified in the security program, with date and location, is acceptable. The FAA does not believe that this requirement is excessive.

Section 107.7 Inspection Authority

The FAA proposed to move existing Sec. 107.7, ``Changed conditions affecting security'' to proposed Subpart B, Sec. 107.107. In its place, the FAA proposed to insert Sec. 107.7, ``Inspection authority,'' which included current Sec. 107.27, ``Evidence of compliance.'' The proposed section would include the evidence of compliance requirements of existing Sec. 107.27 and additional requirements based on the FAA's statutory authority to conduct inspections, investigations, and tests.

The FAA proposed that Sec. 107.7(a) state the Administrator's authority to conduct inspections and investigations necessary to determine compliance with part 107 and the security program.

The FAA proposed that Sec. 107.7(b) restate the language of existing Sec. 107.27. Also, it was proposed that Sec. 107.7(c) clarify the airport operator's obligation to provide FAA special agents the necessary access and identification media to conduct inspections. Significantly, this proposed requirement did not propose to require airport operators to provide access or identification media to any FAA employee other than special agents.

Comments on Sec. 107.7(a): Miami International Airport suggests referring to special agents as FAA ``Security'' Special Agents.

Atlanta International Airport, Alaska Airlines, and Missoula International Airport state that Sec. 107.7(a)(3) should be removed and placed in part 108 as it relates to carriage of hazardous materials by aircraft operators. Another commenter believes part 139 adequately addresses hazardous materials on airports.

[[Page 37283]]

The RAA, UPS, ACI-NA, AAAE, the Port Authority of NY and NJ, Detroit Metropolitan Airport, Lincoln Airport Authority, Federal Express, Phoenix Aviation Department, Tampa International Airport, and Denver International Airport had concerns regarding the FAA's inspection authority. These commenters state that the phrase ``at any time and place'' is too broad and could subject aircraft operators to unreasonable and frequent intrusions into all aspects of operations by untrained FAA personnel. These commenters, including Atlanta International Airport, recommend adding the word ``reasonable'' at the beginning of the phrase. One commenter states that this section should be amended to limit access by FAA special agents to only those portions related to their duties. Another commenter says that FAA special agents should be allowed to access airport operational areas only after they have received appropriate local training to ensure that safety is not compromised (such as, local rules, vehicle markings, driver's training). The ATA suggests that the FAA modify Sec. 107.7(a) and (c) to state that the FAA provide written notice of an inspection to the airport operator 24 hours prior to commencing it. Atlanta International Airport requests that the FAA inspector be required to inform the airport operator or ASC of the inspection results.

FAA response: In response to the suggestion that the FAA refer to special agents as FAA ``security'' special agents, the agency notes that ``special agent'' is the correct term, and that ``security special agent'' is not a job title used in FAA service.

By statute, the Administrator is empowered to conduct inspections, investigations, tests, and other such duties as may be necessary to ensure the safety and security of the civil aviation system. Since performance of such inspections is not limited to special agents, it is conceivable that other FAA employees, from time to time, may be called upon to assist special agents in the performance of their duties on behalf of the Administrator. Therefore, to avoid confusion, the reference to special agents has been removed from Sec. 107.7(a).

The FAA agrees with the commenters that hazardous materials inspections should be removed from part 107, however, it should not be placed in part 108. The FAA continues to have authority to inspect for violations of hazardous materials regulations, but its authority is based on different statute provisions than those for civil aviation security. Proposed Sec. 107.7(a)(3) referred to determining compliance with 49 CFR part 172, which provides requirements under the Hazardous Materials Transportation Act. This reference has been removed from the final rule. Part 107 is devoted to civil aviation security issues. To avoid misunderstanding, reference to hazardous materials inspections is deleted.

With respect to concerns about the FAA's inspection authority, the Administrator is empowered to conduct such investigations and inspections as necessary to ensure the safety of civil aviation, under the statute. The statute, Title 49 USC Section 40113, does not restrict such activities by time and place, nor should they be restricted if the mission of the FAA is to be accomplished as effectively and efficiently as possible, and in the best interest of the public. Therefore, the FAA will not restrict its security-related activities through the regulation as suggested.

The FAA agrees with the commenters that the FAA is required to conduct its investigations and tests in a reasonable manner, but does not believe that the words ``reasonable'' should be added to the regulation. The wording used is similar to that used in a number of other FAA rules that have existed for years, including Sec. Sec. 119.59 (air carriers and commercial operators), 141.21 (pilot schools), 145.23 (repair stations), and 147.43 (aviation maintenance technician schools). The wording of these rules has not caused significant problems in the past. The FAA does not anticipate any change in its inspection procedures based on this new rule.

The FAA does not agree with the commenters who suggest that the access by special agents be limited in any way. The FAA has authority to conduct inspections and investigations throughout the airport property, wherever regulated activity is conducted. Any limitations placed upon FAA personnel acting on behalf of the Administrator could potentially hinder their ability to most effectively perform their assigned duties. Therefore, the final rule will not impose such limits.

As to the suggestion that the FAA provide advance notice of inspections, the FAA routinely notifies airport operators of scheduled inspections. This notice gives the parties to be inspected the opportunity to gather evidence of compliance and to arrange to have appropriate personnel available to assist the FAA. However, inspections related to a particular incident, or which are intended to be made without notice are necessary. Some inspections can only be effective if they are unannounced. Such considerations fall within the purview of the FAA's internal guidance and will not be addressed in this final rule.

Section 107.7(a) only provides for inspection by the FAA. Unlike the Notice, it does not refer to inspection by other Federal government entities. The FAA has no authority to grant or to deny inspection authority to another agency. The section was changed to avoid any appearance that the FAA was purporting to grant such authority.

Comments on Sec. 107.7(b): Tucson Airport requests guidance to foster consistency when providing ``evidence of compliance with this part and its security program'' as described in Sec. 107.7(b).

FAA response: Since its adoption, this provision has been intended to require airport operators to provide the FAA access to existing records. See 56 FR 41412 at 41416 (August 20, 1991). Such records may vary from airport to airport, and are not the subject of standard guidance.

Proposed Sec. 107.5(a) referred to the Administrator making inspections and tests, and Sec. 107.5(b) referred to the airport operator providing evidence of compliance to the Administrator. The final rule adds the clarification that these include the FAA making copies of records or the airport operator providing copies. Obtaining copies of records is an inherent part of the FAA inspecting compliance with safety and security requirements. It is necessary to preserve the records for further review by the FAA. This is true for all FAA inspections, including those by FAA aviation safety inspectors (who look at compliance with operational and airworthiness rules) and FAA special agents. Often, the copying is done at the aircraft operator's or airport operator's office with their permission. Sometimes other arrangements are made, such as the FAA temporarily removing the records to copy them at a FAA office or a commercial service. The FAA has rarely encountered difficulty on this point, but includes these explicit statements in the final rule to avoid misunderstanding in the future.

This section refers to copying of records, not just documents. Records may be kept in a number of forms, such as paper, microfilm, and electronic. The special agent may request copies of any of these forms, usually by having paper copies made of the records. If another form is easily used by the special agent, he/she may accept records in that form.

New Sec. 107.7(c) states that FAA personnel may gain access to the SIDA and other controlled areas without holding access or personnel identification media issued by the airport or aircraft operator, when

[[Page 37284]]

necessary to conduct an inspection or investigation. The FAA agrees that in most circumstances FAA personnel should comply with the access and identification requirements in place at the airport, and it has been FAA practice to require that, when practicable, FAA personnel first obtain local media before conducting inspections. However, there are times when the FAA cannot adequately inspect and test compliance if its employees first obtain access and ID media from the airport or aircraft operator. The act of obtaining such media may provide an opportunity for the FAA representative to be recognized by personnel at the airport, thereby reducing or negating the value of the inspection. The FAA sometimes must make unannounced tests by entering the SIDA or other areas without first having obtained such media. The FAA authorizes such tests only under very controlled conditions, using personnel who are trained to avoid creating a safety hazard or an undue security response. For instance, they carry their FAA credentials to display if they are challenged, to immediately establish their authority to conduct such inspections. This technique is intended to be used only when it is not practicable to obtain local media before the inspection, such as when making unannounced tests of the access and identification systems in place. Otherwise, the FAA representatives have the appropriate access and ID media.

Comments on Sec. 107.7(d): Atlanta International Airport states that proposed Sec. 107.7(c) should be amended to delete the reference to ``any FAA special agent.'' The FAA should be required to designate a local point of contact to verify the need for local airport identification media. Commenters suggest it is difficult to maintain control and accountability of media issued to the FAA.

Juneau International Airport requests a description of valid FAA special agent credentials, as this information is currently not available.

The Port Authority of NY and NJ states that the display and wearing of an FAA special agent identification should be sufficient identification for unescorted access to any area of an airport which the agent has an operational inspection need.

The Sacramento County Department of Airports suggests that FAA special agents should have to go through the same identification media requests as an airport tenant. Ft. Wayne Airport suggests the FAA special agents should have to go through SIDA training to become familiar with the security program for which they are inspecting. Further, a commenter suggests the airports should charge reasonable fees associated with issuing airport identification media and providing SIDA training to FAA special agents.

Tucson Airport says that the Administrator should develop part 107 testing protocols that meet the FAA's needs without needlessly diverting resources to a ``cry of wolf.'' In a related comment, ALEAN states that it is unsafe for armed law enforcement officers (LEO's) to be running through airport terminals, believing that they are responding to an actual threat at the checkpoint when it is just a test. Such tests should be administered in the same manner that part 139 timed response drills are run.

FAA response: In response to the comment about deleting reference to ``any FAA special agent,'' the FAA agrees, in part, with Atlanta International Airport, and others that the proposed language was broad. Any FAA special agent seeking local access and identification media, should have an operational need for the media, and the concurrence of the designated local FAA point of contact. The proposed rule stated that the media would be issued on request of the FAA special agent and presentation of credentials. As some commenters note, not all FAA special agents have duties and training to conduct inspections at the airport, and those agents do not need local media. The Administrator (usually through the local FAA field office) will provide to the airport or aircraft operator the names of special agents who require media.

In response to the request of Juneau International Airport, the commenter is welcome to request and to view the FAA special agent credentials in the possession of any special agent. They may contact the local FAA security office to view those credentials.

In response to the comment by the Port Authority of New York and New Jersey about the display and wearing of special agent identification, the FAA has addressed that under the new Sec. 107.7(c). When exercising such privileges it is anticipated that the FAA employee acting on behalf of the Administrator will be in the possession of, but not necessarily displaying such credentials, as the situation may warrant. The circumstances under which this authority could be exercised include surveillance and unannounced testing or inspections.

Regarding the comment by the Sacramento County Department of Airports, the FAA acknowledges that appropriate safety and security- related training should be provided to FAA special agents before they exercise full access privileges to the secured areas and AOA's of the airport under normal circumstances. The aspects of such training that have common application can be provided at the agent's primary duty location and can be supplemented with local training at other airports requiring such training. This approach is in common use today, throughout the industry for those persons requiring similar access privileges. The revised Sec. 107.7(d) addresses these concerns. However, in emergency situations or other initiatives, the responding agents may not have been provided the training or access media for that particular airport. The exigencies of their duties may require this access media, therefore, the language of the final rule has been modified accordingly. Where appropriate, coordination through the ASC or other local authorities would take place.

In response to the comment about allowing the airport to charge reasonable fees for issuing airport identification media, the FAA notes that nothing in the regulations would preclude the airport operator from imposing reasonable charges for its services. In fact, many already charge for initial identification media and issuance of replacements. Consequently, language permitting the airport to do so is not necessary in the final rule.

Regarding the comment about developing part 107 testing protocols, the FAA appreciates the complexity and sensitivities of the regulated parties' ongoing operations. The agency also understands both the importance and the impacts of its own operations, especially while conducting essential testing. These testing efforts will continue under the FAA's internal guidance. The agency will continue to be mindful of actual safety and security concerns during testing operations and will maintain dialog on this subject with the industry at the local and national levels.

The final rule states that the media must be issued ``promptly.'' The FAA expects that the media will be issued without undue delay, generally within a similar time frame that media are issued to airport, aircraft operator, and contractor employees who need the media. The particular procedures will be worked out at each airport with its FAA field office.

In response to ALEAN's comment, the FAA understands and concurs with the proposition that safety in testing is essential. The FAA also believes that testing of a law enforcement response differs in some aspects from testing

[[Page 37285]]

firefighting and other emergency responses. For example, the latter services tend to be more focused on a more specific range of duties and generally operate from a fixed position. Law enforcement response is a resource with numerous missions unrelated to civil aviation security as addressed in this rule, and which can take it away from the immediate vicinity of the passenger screening facilities. As such, the law enforcement response can originate from anywhere, but must arrive at a designated location within a given timeframe. The FAA recognizes that testing of the law enforcement response must be conducted as judiciously and as safely as possible. Often, that can be accomplished with full disclosure in advance to the law enforcement agency. The FAA will continue to share ALEAN's concerns with its special agents but does not believe it appropriate to modify any portion of part 107 in this regard. Instead, such concerns will be addressed through the FAA's internal guidance and in keeping with the missions of both the law enforcement entities involved, the airport operators, and the FAA.

Section 107.9 Falsification

The FAA proposed a new Sec. 107.9, entitled ``Falsification.'' This section is the same as the current Sec. 107.2 adopted on November 27, 1996 (61 FR 64242, December 3, 1996).

Comments: The UPS and Atlanta International Airport request an outline of the enforcement procedures and guidance to the airport operators for falsification findings. The commenters say that the airport operator should be informed of all investigations and be provided a copy of the report of findings.

The UPS, Port Authority of NY and NJ, Detroit Metropolitan Airport, and Lincoln Airport Authority say that it should be stated that persons are directly accountable to the FAA for compliance with this regulation, including federal enforcement procedures and fines.

FAA response: Enforcement procedures are contained in 14 CFR part 13 and in FAA order 2150.3A. There is no need to repeat the procedures in part 107.

Section 107.11 Security Responsibilities of Employees and Other Persons

In this section, the FAA proposed to prohibit persons, as defined in part 1, from tampering or interfering with, compromising, or modifying any security system, or attempting to do so. It also proposed to prohibit carrying a deadly or dangerous weapon, explosive, or destructive substance into sterile areas, critical security areas, or restricted operations areas.

This section proposed the use of civil penalty actions to penalize persons, those employed by the airport operator and those not under the direct authority of the airport operator (such as trespassers), who fail to comply with this section.

The FAA proposed in Sec. 107.11(c), that individuals authorized by the Federal government, airport operator, and aircraft operators would be allowed to conduct tests and inspections of security systems.

The FAA proposed in Sec. 107.11(d) that provisions of this section that apply to firearms and weapons would not be applicable to law enforcement personnel, Federal Air Marshals, and certain individuals authorized in a security program to carry a weapon.

Comments on Sec. 107.11(a): Atlanta International Airport and Roanoke Regional Airport request an outline of the enforcement procedures and guidance to the airport operators for noncompliance by individuals. The enforcement concept requires more explanation. The airport operator should be informed of all investigations and be provided a copy of the report of findings.

Port Authority of NY and NJ is concerned that the majority of enforcement of Federal responsibilities are placed on the airport. The Port Authority holds that the FAA should not be unique among Federal enforcement and oversight agencies in abdicating its enforcement responsibilities.

Burbank Airport Authority suggests that civil penalties should be up to $10,000 on a case by case basis, rather than $1,000 as stated in the preamble.

The UPS, RAA, Federal Express, a local department of aviation, Miami International Airport, and many other commenters support the adoption of proposed regulations which would require individual accountability to the FAA and use of civil penalties and enforcement actions against employees, contractors, and other individuals.

The ACI-NA, AAAE, and an airport suggest language stating that failure to comply by an individual will result in revocation of privileges, application of fines, or other punitive action by the Administrator. They also suggest language stating that this rule would not prohibit State or local governments from adopting similar or more stringent regulations for local enforcement. On the other hand, ALEAN suggests that the NPRM is a superficial and impractical attempt to solve a lack of personal accountability and responsibility.

FAA response: The enforcement procedures are found in part 13, Investigative and Enforcement Procedures, and FAA Order 2150.3, Compliance and Enforcement Program.

In further response to ACI-NA and AAAE, the FAA does not believe there is a need for the agency to insert language stating that the rule would not prohibit State or local governments from adopting similar or more stringent regulations. Many State and local governments are currently permitted to adopt similar or more stringent security rules within the context of their respective jurisdictions. Many have already done so. Airport operators are primarily responsible for the security and safety of their airports, both for civil aviation security and other security issues they encounter. As part of this effort, they adopt rules and procedures to gain compliance of their employees, contractors, tenants, and others with safety and security rules. Absent very unusual circumstances, State or local governments are free to adopt penalty provisions to promote compliance.

In response to UPS and other supporting comments on individual accountability, the agency wishes to emphasize an increased reliance on individual accountability, particularly with regard to a person's interaction with security measures. But, at the same time, the agency also emphasizes that the airport operator and aircraft operator are responsible for ensuring that their employees, contractors, and others comply with security duties. The FAA agrees with ALEAN that this section is not, standing alone, adequate to address all issues of individual compliance with security rules. It is intended to serve as another tool to assist the airport operators, aircraft operators, and others to emphasize the responsibility of individuals and other persons to do their part.

Proposed Sec. 107.11 outlined provisions of the regulation for which individual accountability would attach. However, aside from the merits of this proposal, much attention, as reflected by the comments, seemed to focus not on Sec. 107.11, so much as on the related impact of proposed Sec. 107.103(a)(2). This language would have required the airport operators to establish and carry out an enforcement program to hold persons in violation of the program accountable at the local level. As discussed above, the comment period was reopened for that provision.

Burbank Airport Authority sought an increase in the amount of civil

[[Page 37286]]

penalties. The maximum civil penalty is set by statute, however, as to individuals in these circumstances, the amount is $1,100 (adjusted for inflation since Notice 97-13 was issued).

The FAA notes that the circumstances surrounding a single security violation may involve more than one responsible party. For example, if an employee circumvents an access control to a secured area, and gains unauthorized access to an aircraft, that person can be held individually responsible for his/her actions under new Sec. 107.11(a). At the same time, the airport operator may be responsible for failure to control access to the secured area under new Sec. 107.201(b), and the aircraft operator may be responsible under part 108.

This rule will also have the effect of prohibiting some unauthorized testing if it violates Sec. 107.11. The unauthorized testing of security systems may be a form of compromise, circumvention, or interference. An example is a person who is not authorized to be in the secured area without escort, but who deliberately enters the secured area without escort. Many of these actions may serve to distract unnecessarily security or law enforcement resources from their duties, increasing the risks from actual threats. Such unauthorized ``testing'' of security systems can prove dangerous to the ``tester'' (such as if they are not aware of the safety issues in the AOA, with taxiing aircraft and other hazards). The final rule language is consistent with this position, and can be cited in holding accountable persons who conduct such unauthorized activities.

Comments on proposed Sec. 107.11(b): Anchorage International Airport states that Sec. 107.11(b) seems appropriate for what is now known as the ``sterile area'' or ``secured areas'' of the airport, not for areas that are currently known as the ``restricted areas.''

Miami International Airport and TWA state that Sec. 107.11(b) should clarify that compliance with this section rests on the individual and not the airport.

Roanoke Regional Airport states that Sec. 107.11(b) does not recognize that construction contractors may need to bring explosives into secure areas of the airport.

The Port Authority of NY and NJ, Northwest Airlines, and Detroit Metropolitan Airport question the means by which the airport can ensure that no person will have ``any deadly or dangerous weapon, etc.'' without screening all employees. Several commenters request clarification of ``deadly or dangerous weapon'' and ``other destructive substances.''

The ATA, UPS, and Federal Express strongly object to the imposition of screening procedures for employees at access points controlled by proposed Sec. 107.205, and to rescreening of employees who have access clearance from the airport to enter secured areas.

FAA response: In the proposal, the agency sought to provide a means by which unauthorized persons carrying deadly or dangerous weapons, explosives, or incendiaries into the secured area could be held liable under the agency's compliance and enforcement program. The proposed language provided for persons who would have to carry such items into the secured area in the course of their authorized duties. After careful review, the agency has determined that local airport operators, through their local rules and laws, and law enforcement personnel, have the responsibility, authority and the capability to control the presence of weapons and other deadly items on airport property. Hence, there does not appear to be a need to introduce any new rulemaking regarding this issue at this time. The FAA has decided not to adopt proposed Sec. 107.11(b), as well as the related language under Sec. 107.11(c). Over time, the agency will monitor any incidents relating to persons carrying unauthorized weapons or deadly or dangerous items that may be detrimental to the flying public and if warranted, will develop comprehensive security measures.

Section 107.101 General Requirements

The FAA proposed this new section to incorporate related provisions of the existing regulation that require the security program to be current and in writing, and that a copy be kept at the principal operations office. The program's objective was proposed to be modified to include protection against the introduction of a deadly or dangerous weapon, explosive, or incendiary onto aircraft.

In the preamble, the FAA noted its intention to develop a standard airport security program, similar to the air carrier standard security program.

Comments: The ATA and Tucson Airport request that if the use of a standard airport security program is to be a mandatory requirement, then the airports should be given an opportunity to review and comment on its contents and application effects, prior to implementation. The additional time would provide consistency of airport and aircraft operator security programs and benefit the passengers, baggage, and cargo processing. Any policy directives for the model program should also be made available for review and comment.

FAA response: Upon review, the FAA has determined that it will be easier, less disruptive, less expensive, and equally effective to not develop a standard security program, but to modify the language of Sec. 107.101(a)(4) to require that airport security programs include an index, arranged according to the order of subject areas cited in Sec. 107.103. This requirement will preclude the need for major security program modifications. The FAA is also convinced that an index in each security program, arranged in accordance with this standard format, will moderate significantly the FAA's difficulties associated with overseeing the hundreds of vastly different security programs across the nation. The final language has been modified to that end.

Comments on Sec. 107.101(a): Atlanta International Airport states that proposed Sec. 107.101(a) should be written to reflect that airports are responsible for the safety and security of persons and property while at the airport. Roanoke Regional Airport states that the aircraft operator must be responsible for the security of persons and property onboard the aircraft.

Continental Airlines requests that Sec. 107.101(a)(1) be clarified to exempt passenger checkpoint screening responsibilities from the security programs.

FAA response: The FAA believes that the delineation of authorities, for example the screening of passengers or the provision of law enforcement response, are properly assigned based on statute, regulation, reasonable attachment of liability, and the authority possessing the appropriate resources. The term ``on an aircraft operating in air transportation in air commerce'' reflects that the mandated measures in the statute at airports are ultimately in support of the security of person on board aircraft, and are not designed to address other security concerns. The proposed language was included because some of the airport's tasks do include support of the screening function, which prevents the introduction of weapons, explosives, and incendiaries on an aircraft.

Federal law assigns solely to aircraft operators the responsibility for passenger screening. That law cannot be overcome by regulation. Rather the intent of Sec. 107.101(a)(1) is to emphasize the airport operator's role in supporting the screening system in cooperation with aircraft operators.

Comments on Sec. 107.101(b): Atlanta International Airport, Tucson Airport, Minneapolis Airport, Port Authority of

[[Page 37287]]

NY and NJ, Detroit Metropolitan Airport, and Lincoln Airport Authority state that the ``principal operations office'' may not be the appropriate area to store the security program. Denver International Airport believes that specifying the storage location of the security program is not necessary and that making the security program available to the FAA for review upon request should be sufficient. However, requests from the FAA to review the security program should be made through the ASC.

FAA response: Upon reflection, the FAA agrees with the commenters. The rule language has been modified to delete reference to the ``principal operations office.'' Instead, the airport operator is required to maintain at least one current and complete copy at the airport and to provide a copy of the security program to the Administrator upon request. In most cases, the ASC required under new Sec. 107.5 would be the primary contact for such requests.

Section 107.103 Content

The FAA proposed this new section to describe the required content of the security program. The proposed rule specifies three different levels of security programs varying in complexity. The most comprehensive security program would continue to be applicable to airports serviced by scheduled passenger operations on aircraft with more than 60 seats.

The type of passenger operations that trigger the two remaining types of security programs have been expanded somewhat, as the result of changes to part 108. The intent is to ensure complete protection of the sterile area and to ensure security of passengers.

Comments on proposed Sec. 107.103(a)(1): Atlanta International Airport, Missoula International Airport, and Phoenix Aviation Department request removal of the requirement to outline the ASC's training. Training requirements should be provided in an advisory circular (AC), not the security program.

Juneau International Airport requested the FAA explain what the training requirements for ASC's and alternates are under Sec. 107.103(a)(1).

FAA response: While ASC training has been addressed in the discussion of Sec. 107.5, it seems appropriate to address the administrative aspect of the ASC training program requirements here. The FAA disagrees with comments submitted by the Atlanta, Missoula, and Phoenix airport authorities that the ASC training requirements should appear in AC's. Rather, the agency believes general training mandates appearing in the regulation must be clearly defined and required under specific language appearing in nonpublic security programs. The agency notes that the guidance in AC's is not mandatory. The proposed language is adopted without change.

Comments on Sec. 107.103(a)(2): Numerous comments were received on the proposal to require each airport to have a security compliance program.

FAA response: As explained above under General Discussion of the Rule, the comment period on this section was reopened. The FAA will respond to all comments in a later action. The comments recounted here are only a representative sampling of the many comments received in response to proposed Sec. 107.103(a)(2). Yet, since the close of the comment period, the FAA has become aware of shifting views by many of the same parties with regard to this and related issues. Therefore, the FAA has reserved decision on proposed Sec. 107.103(a)(2), and reopened the docket for comments on August 10, 1999. The new comment period closed on September 24, 1999. The FAA will consider the comments received and consider what action, if any should be taken on this proposal.

Comments on Sec. 107.103(a)(3)-(20): Five airports suggest that the FAA replace the word ``dimensions'' in Sec. 107.103(a)(3)(i) with ``general description.'' A general description or a map would provide sufficient details of the areas. Information about the dimensions of the map should be delegated to appendices and not subject to FAA approval. Ft. Wayne Airport says that a scale map or diagram has been and should be sufficient to delineate these areas. If the FAA needs more detailed information, it should state the reason behind the requirement and include costs associated with calculating the dimensions of these areas into a cost benefit scenario. Quad City International Airport states that detailed map-making is a costly undertaking.

Denver International Airport and Port Authority of NY and NJ recommend modifying Sec. 107.103(a)(5) to state ``sterile areas with direct access to the critical security area.'' Only those activities with direct access to secured areas in the NPRM from the sterile areas should be listed.

Another commenter recommends deleting any references to ``sterile areas'' in proposed Sec. 107.103(a)(5) and throughout part 107 since the term is not defined.

Tucson Airport states that the following information should be outlined in an appendix, not included in the body of the security program: The system for maintaining records and the schedule for reporting them required by proposed Sec. 107.103(a)(12), the contingency plan required by proposed Sec. 107.103(a)(14), the exclusive area agreements required by proposed 107.103(a)(19) and the tenant security agreements required by proposed Sec. 107.103(a)(20).

One commenter states that the incident and emergency management procedures, required by Sec. 107.103(a)(17) are adequately covered for airports complying with part 139 programs. A reiteration of these procedures would be redundant and a cross-reference to the part 139 emergency plan should be sufficient.

FAA response: The FAA disagrees with the commenters that a ``general description'' rather than ``dimensions'' would suffice in describing various aspects of the airport in the security program. The FAA believes that the exact dimensions and boundaries, as required in the security program, are necessary to clearly establish where various security measures are required at different locations on the airport. With the advent of the tenant security program (new Sec. 107.113), and the possible increased reliance upon exclusive area agreements (new Sec. 107.111), this requirement becomes increasingly important. The detailed descriptions are necessary so that all parties are aware of what security procedures apply in what areas, and which party is responsible for carrying out those procedures. At the same time, the FAA does not expect the airport operators to generate detailed maps drawn specifically for this purpose. Rather, existing maps used for engineering and maintenance at most airports are usually acceptable and are in common use today. The wording remains the same. If an airport has a method of clearly identifying the boundaries of the areas without using dimensions, it may request to use that method.

In considering the comments that stated that only sterile areas leading to critical security areas (now secured area) should be detailed, the FAA notes that while most sterile areas have access points leading directly to secured areas, that condition may not be the case universally. Further, there are other considerations besides access to secured areas that forces the FAA to require that such details appear in the security program. Lastly, the FAA does not accept the suggestion to delete the term ``sterile area,'' since it is not defined in this part. It is defined in the final rule

[[Page 37288]]

to part 108, in Sec. 108.3, and is a commonly used and understood term.

A security program may be structured in the manner suggested by the Tucson Airport by incorporating information appearing in program appendices. New Sec. 107.103(d) (and current Sec. 107.3(c)) provides for including information in an appendix.

As to the comments regarding proposed Sec. 107.103(a)(17) regarding incident management (new Sec. 107.103(a)(18)), the FAA wishes to emphasize that the requirement speaks to the evaluation of a threat, rather than to a response to an actual incident as referenced in Sec. 139.325. The level of response to a threat is tied to the evaluation of that threat, which is a different process than responding to an actual highjacking or other event in progress. Evaluating which threats call for what type of response is a security issue, best handled under part 107. It may involve evaluation of non-public security information.

Comments on Sec. 107.103(b) and (c): Minneapolis Metropolitan Airport states that the procedures for public advisories required by Sec. Sec. 107.103(b)(7) and 107.103(c)(6) (i.e., that a foreign airport has, in the judgment of the Secretary of Transportation, failed to maintain and administer effective security measures (new Sec. 107.305)) should rest with the aircraft operators, that should be responsible for informing their passengers. This should not be an airport operator responsibility.

FAA response: The requirement to provide public notification that a foreign airport has been determined to have failed to maintain or carryout effective security measures, is found in the Section 44907(d)(ii), Title 49, United States Code. The FAA believes the requirement to prominently post the identity of such foreign airports at all U.S. airports having regularly scheduled aircraft operator operations is best accomplished at each U.S. airport by a single entity at each location. For consistency's sake, the FAA has determined that the airport operator should be responsible for the posting of this information. The law also requires aircraft operators serving the subject airports to notify their passengers of the foreign airport's status. With this dual requirement, the FAA believes all persons using the airport, and those using the specified carriers, will have ample warning before risking travel to a location that the Secretary of Transportation has determined lacks effective security measures.

Comments on Sec. 107.103(d): Tucson Airport asks whether the FAA would allow inclusion of an airport's part 139 emergency plan in the appendix as sufficient compliance with this rule.

FAA response: Regarding placement of the part 139 emergency plan in the security plan as an appendix, the FAA notes its previous comments, above. It has no objections to this method where the plans are mutually supportive and meet the requirements of the respective parts. However, the FAA's civil aviation security organization's review and approval process of the security plan may employ different criteria than the reviews under part 139, for the review of the emergency plan. Simple inclusion in the security plan without the opportunity for the FAA's civil aviation security organization's review and approval on a case- by-case basis would not be acceptable. Additionally, only those limited portions of the emergency plan with direct relevance to security concerns should be incorporated into the airport security plan.

Section 107.105 Approval and Amendments

The FAA proposed to combine existing Sec. Sec. 107.5, 107.9, and 107.11 into a new section, proposed Sec. 107.105. Several changes were proposed to the amendment process itself. Proposed Sec. 108.105 prescribed the same approval and amendment procedures for aircraft operators.

Throughout this proposed section, any references to the ``Director of Civil Aviation Security'' were replaced with ``Assistant Administrator.'' Also, time restraints on filing petitions for reconsideration of the FAA's decision were included for airport operators. Specifically, Sec. 107.105(a)(2) proposed that airport operators submit to the Administrator a petition for reconsideration within 30 days after receiving the notice to modify. Proposed Sec. 107.105(a)(2) included the provision in current Sec. 107.11(c) that the filing of a petition would stay the notice to modify pending a decision by the Administrator. Section 107.105(a)(3) proposed that the Administrator disposes of any petition within 30 days of receipt.

Section 107.105(b) prescribed procedures for an airport operator to request an amendment to its security program currently covered under existing Sec. 107.9. The FAA proposed to increase the number of days prior to the effective date that the airport must submit its proposed amendment from 30 to 45 days. The proposed rule also noted that the amendment process may take longer than 45 days if the proposed amendment was modified or denied.

Existing Sec. 107.9(b) states that the FAA will respond to an amendment proposed by the airport operator within 15 days. The proposal extended this time period to give the FAA 30 days after receipt for approval or denial of the proposed amendment.

In proposed Sec. 107.105(b)(4), the FAA proposed to modify existing Sec. 107.9(d) to limit the time that an airport operator may petition the Administrator to reconsider the denial to 30 days.

Retention of the FAA's existing procedures to amend a security program was proposed in Sec. 107.105(c) and (d). Two significant changes, however, were proposed to the existing procedures of Sec. 107.11: (1) A new requirement for airport operators to submit petitions for reconsideration no later than 15 days before the effective date of the amendment, and (2) a clarification that a petition for reconsideration stays the effective date of the amendment, unless the emergency procedures are used.

Comments: Miami Airport states that there must be procedures in place to ensure that amendments are not sent into an abyss which is created by returning the amendments to airports repeatedly for rewrites, or with general disapproval language that does nothing to aid the airport to satisfy the FAA's objective. Another commenter states that as written, this section leaves the airport with the feeling that there will be even longer delays to requests from airport for items that are essential to airport operations.

FAA response: The FAA agrees with the proposition that amendments, when submitted by airport operators, must be handled in a timely manner and in good faith. They must be submitted in the same manner. In practice, the complexity of any given amendment and the differences between the respective positions of the FAA and the airport operator will determine how often the amendment is handled and how long the process will take. The regulatory language appearing in the final rule attempts to place good faith constraints upon the parties, but recognizes that the exigencies of business as well as other factors often preclude strict adherence to deadlines. It is, therefore, in the mutual interest of both the operator and the FAA to work closely to agree upon amendment language that has been submitted as completely and in the most timely manner possible.

Comments on Sec. 107.105(b): Several commenters suggest that this section should be amended to require the FAA to acknowledge receipt of an airport's proposed amendment within 5 business days. Within 30 days of receipt, the FAA should either approve or deny, in writing, the proposed amendment. One

[[Page 37289]]

commenter had submitted a proposed amendment to the FAA with no action for 11 months.

One commenter states that the submission of amendments to the Administrator presents problems, since airports dissatisfied with local FAA replies, could submit their requests to Washington.

Another commenter suggests that the FAA's civil aviation security field units (CASFU) should be required to review and return comments to airports within 120 days after receipt of an airport-submitted security program amendment. The FAA personnel should be required to approve and return the final security program to the airport for initiation and distribution to the necessary parties, within 60 days after any required resubmission by the airport of the final version of the security program.

The ATA and Anchorage International Airport oppose increasing the time for the FAA to approve an amendment request for either an airport operator or an aircraft operator and recommend that the FAA expedite the amendment process.

The ACI-NA and AAAE oppose the changes to the amendment procedures that impose more stringent deadlines on the regulated parties and relax the time burden on the FAA. These commenters recommend a modification to the rule that would require the airport to submit the amendment 30 days prior to the proposed effective date. Then, the FAA would have 15 days after receipt to approve, deny, or question the amendment, after which the airport operator would have 15 days to respond to the FAA's request.

FAA response: The FAA agrees that the airport operator is entitled to an acknowledgement of receipt of a proposed amendment. The FAA does not believe that this issue needs to be resolved through the regulation, since the airport operator can have the amendments hand- delivered, or sent via return receipt mail.

Also, the agency has noted elsewhere that references to the Administrator are to be interpreted as referring not only to that office, but to a subordinate level of the civil aviation security chain-of-command. This level would include the Assistant Administrator and the subordinates to whom he has delegated program authority, as noted in Sec. 107.1(b).

As noted above, the FAA concurs that the expeditious handling of amendments is essential, and that every effort is made to ensure their timeliness. The agency will strive to meet that commitment.

The agency has carefully considered the time constraints the regulation will place upon all parties to the amendment and the approval process. The FAA has decided to implement a timeframe that it believes is fair and equitable when approached by all parties in good faith. It should also be noted that, in practice, the regulated parties have often requested amendments for activities that were to take place much sooner than the regular amendment process call for. The FAA often handles these on an expedited basis.

The FAA also notes that exclusive area agreements under Sec. 107.111(b) and tenant security programs under Sec. 107.113(a) may be terminated at any time by the FAA if it is determined to be in the interest of security and safety.

Comments on Sec. 107.105(d): Miami International Airport, Lincoln Airport Authority, Federal Express, and Denver International Airport support the ASAC recommendations that Emergency Amendments be issued to the airport program with expiration dates.

Tucson Airport and Port Authority of NY and NJ state that FAA Emergency Amendments should be ``sunsetted'' 180 days from date of issuance if not canceled sooner. The 180-day constraint would not preclude reissuing of the Emergency Amendment, but would build in a review of the propriety and effectiveness of measures to be implemented.

One commenter states that there should be some provision to allow for local modifications to the FAA amendments.

Sacramento Department of Airports states that the current practice of policy memoranda should be discontinued. While there are instances where changes must be issued immediately, in memoranda, these memoranda should be followed up by the FAA within 30 days from the official regulatory change.

FAA response: The comments received in response to this section dealing with ``Emergency Amendments'' illustrate the different practices that have developed. In its original context, ``Emergency Amendment'' was used for exigent and permanent change to the basic individual airport's security program. It also has been used much like the Security Directive process available for several years to aircraft operators under Sec. 108.18, that is, an amendment issued to address time critical threats that are expected to have a limited duration. Depending on the nature of the threat upon which the Emergency Amendment was based and the measures imposed, an expiration date was either set or left ``indefinite.'' But, in either case, the directive nature of the Emergency Amendment was focused on a specific threat, ostensibly with a finite period of applicability.

The final language of this section is intended to return this process to one in which permanent changes to the actual security program are made based upon such emergencies as may arise. Response to certain threats of finite duration, that were formerly handled by Emergency Amendments, now may be addressed in the new Sec. 107.303, Security Directives and Information Circulars. The agency now intends for Emergency Amendments to security programs to be used for exigent changes made to the individual security program, on what is expected to be a permanent basis.

The FAA wishes to assure the regulated parties that it does not issue security program changes through policy memoranda. While memoranda are used for the FAA's internal guidance regarding ongoing programs and enforcement policies for existing requirements, the Emergency Amendment process under Sec. 107.105(d) will only transmit Emergency Amendments to airport operators under cover memoranda. In many cases, where temporary emergency measures subsequently have become part of the baseline, those changes have been proposed through the normal process, with comments invited and considered before any final determination had been made. The FAA has become increasingly sensitive to the airport operators' concerns in this regard, and will continue to follow that practice under the new Sec. 107.105, and as will be noted later, Sec. 107.303.

Section 107.107 Changed Conditions Affecting Security

Proposed Sec. 107.107 would expand the types of changed conditions that would require operators to take corrective actions. It would expand the scope of the requirement to encompass all the elements of the security program to ensure that any changes that may impact security would be reported to and addressed by the FAA as soon as possible.

As proposed, the airport operator would be required to report any changes in the physical layout of the airport, both areas relating to airport operations and aircraft operator operations. The proposal would augment the existing procedures for the airport operators to follow when a changed condition occurs by requiring the airport operator to initially notify the FAA within 2 hours, or within an approved timeframe, of the discovery of any changed condition that

[[Page 37290]]

could affect how an airport complies with regulatory requirements.

The proposal would require the airport operator during this initial notification to obtain verbal approval of any interim measures to be taken to maintain adequate security. The proposal would continue to allow the FAA to issue emergency security program amendments under proposed Sec. 107.105(d) if an agreement on adequate interim measures could not be reached. However, the proposal provided relief in responding to short-term changes.

Proposed Sec. 107.107(c) and (d) would require the airport operator to follow certain procedures to amend its security program to reflect the change. For changed conditions under 60 days' duration, Sec. 107.107(c) proposed that the airport operator be relieved from the amendment process required under proposed Sec. 107.105 and only be required to provide written notification within 72 hours for FAA approval. Recognizing that many changed conditions affecting security can be readily resolved in less time than it would take to complete the formal amendment process, the FAA sought this change to provide some relief in reporting short-term or temporary changes while ensuring that the FAA retains oversight of temporary or short-term changed conditions to security.

Proposed Sec. 107.107(d) would provide procedures for the disposition of changed conditions anticipated to be over 60 days in duration.

Comments on Sec. 107.107(a): Atlanta International Airport, among others, stated that the airport operator cannot be held accountable to notify the FAA of changes of aircraft operator operations, level of services, and aircraft. Miami International Airport and Ft. Wayne Airport state that this requirement would be more appropriate in parts 108 and 129.

The CALA states that changes should only include things as airport perimeter and structural redesigns, relocation of screening checkpoints, and redefining of airport secured areas. Miami International Airport, Port Authority of NY and NJ, and Lincoln Airport Authority state that the layout and physical structure (Sec. 107.107(a)(3)) can change frequently during construction. An overall construction plan should be submitted to the FAA, but not a constant series of notifications about the changes.

The ATA requests very clear criteria as to what ``changed conditions'' are, to satisfy the notification requirement. Denver International Airport suggests that ``changed conditions'' should be limited to conditions that have a serious and continuing impact on security. Furthermore, it was stated, the FAA did not consider the cost associated with personnel staff changes and equipment requirements for scheduling notification to comply with the newly revised notification requirements.

FAA response: In response to these comments, the FAA would like to clarify that its intent is that the only changes which need to be reported are those that cause the airports to be out of compliance with the provisions of part 107 or the FAA-approved security program, at the time the changed condition occurs. Furthermore, this section is not intended to include all construction projects, only those that impact its security program, such as access, movement control functions, and its support of passenger screening checkpoints. The language of the final rule has been modified to more accurately reflect that position, and to provide greater latitude to the airport operator insofar as the required timeframes for reporting changes that impact its compliance posture.

Comments on proposed Sec. 107.107(b): Thirty-four airports, two local governments, a State government, six local departments and commissions of aviation, two airlines, and UPS suggest that a 2 hour initial notification of changed conditions is unnecessary and an arbitrary timeframe. These commenters state that the FAA does not seem prepared to handle the information overload for after-hours, weekend, and holiday occurrences when it is anticipated that FAA field reps would not be available to receive such information. These commenters recommend that the requirement to verbally contact the FAA should apply only to changes that seriously impact security and only as soon as practicable (such as within 24 hours of discovery by the airport operator). The option to provide this information electronically should be considered (such as e-mail and fax). On the other hand, ACI-NA and AAAE recommend that notification should occur within 48 hours. ATA suggests deleting this section because it lacks clear definition.

FAA response: The FAA agrees that a 2-hour initial notification of changed conditions may not be an acceptable timeframe. To provide some flexibility to the operators, this section has been modified to provide that notification be made within 6 hours of discovery or other timeframe for notification to be established in the individual security program. Further, while FAA field offices are not open 24 hours a day, telephone notification can be made to alternate contact numbers for field office staff.

Section 107.109 Alternate Means of Compliance

The FAA proposed this new section to provide relief for small airports located in communities that are only served by seasonal air carrier operator or foreign aircraft operator traffic (such as ski resorts), remotely located, subject to extreme environmental conditions, or have limited facilities and few employees. Often these airports serve aircraft larger than 60 seats for only a portion of the year, or on an infrequent but regular basis. This section would permit the FAA to approve airport operators of such airports to use alternative means to comply with the requirements of the rule. To petition for relief from part 107 requirements, larger airport operators would still have to use the exemption process under existing Sec. 11.25, Petitions for rule making or exemptions.

Comments: The FAA received some comments regarding unique alternate measures at specific airports.

FAA response: Alternate measures at specific airports must be considered case-by-case and questions regarding them cannot be resolved in this rulemaking.

Section 107.111 Exclusive Area Agreements

Proposal: The notice proposed that the Administrator may approve an amendment to an airport security program that permits an air carrier or foreign air carrier that has an approved security program under part 108 or part 129 to assume responsibility for specified security measures for all or portions of the critical security areas or restricted operations areas. The exclusive area agreement must be in writing and must include all of the necessary information, as indicated in the NPRM, to be considered complete.

Comments: A commenter recommends that regulated entities be held responsible for the activities of their unregulated contractors, permitees, invitees, etc. The ALPA and RAA comment that the FAA should allow exclusive area agreements to be developed, which create joint liability and responsibility for the airlines involved. The RAA notes that this requirement could take the form of a consortium to share responsibilities.

Roanoke Regional Airport states that if the airport is conducting the ``monitoring and auditing'' to ensure compliance, then no ``responsibility'' transfer has occurred and such an

[[Page 37291]]

``exclusive lease'' for that purpose would be meaningless.

The ACI-NA and AAAE propose new language stating that the FAA may unilaterally revoke the agreement and descriptions of punitive actions that may be imposed on the aircraft operator or its employees by the FAA for violations of security regulations.

The ATA believes that no security requirements other than those agreed to by the parties to the agreement should be mandated.

One airport asks if the carrier's leasehold agreement could serve as the binding document for exclusive areas. If not, specific guidance for exclusive area agreements should be provided in an AC.

The Port Authority of New York and New Jersey and the city of Phoenix request that the words ``or one entity'' be added to Sec. 107.111(a) after the phrase ``foreign air carrier,'' to allow air carriers to form a consortium or a corporation, like fuel farms and other enterprises operating international terminals. Shared responsibility should be allowed, but only when there is a legal entity established as the responsible party to ensure that the FAA has the ability to enforce the regulations.

FAA response: The FAA agrees that regulated entities are responsible for the actions of their unregulated contractors. The regulation provides for this concern by not excluding the regulated entities from such responsibilities. Hence, the FAA does not believe it is necessary to modify the proposed language in order to respond to the comment. The fundamental responsibilities for compliance with this part rest with the airport operator or on an aircraft operator or foreign air carrier under an exclusive area agreement.

Under the existing exclusive area provisions of Sec. 107.13, and new Sec. 107.111, the FAA's intent is for the airport operator to maintain an awareness of the security posture of the area covered under the agreement. To avoid misunderstanding, we have not adopted proposed Sec. 107.111(b)(4) and (5) regarding the airport monitoring and auditing the aircraft operator, or terminating the exclusive area agreement. The FAA expects the ASC to maintain a general awareness of all security functions, and raise with the aircraft operator and/or the FAA any apparent deficiencies.

The FAA will continue to be responsible for inspection duties in exclusive areas, and for ensuring compliance, and will initiate enforcement actions when necessary.

The FAA agrees with the suggestion made by ACI-NA and AAAE that the regulation permits the agency, in extraordinary circumstances, to unilaterally and immediately terminate exclusive area agreements. In most cases the FAA will work directly with the aircraft operator to correct the problems. However, since poorly implemented agreements represent a vulnerability in the system, and thereby compromise the safety of the larger community, the FAA sees a clear connection between such circumstances and the need for immediate termination, and the return of the responsibility to the airport operator. For that reason, the procedures set forth in Sec. 107.105(d), Emergency Amendments, would be employed for that purpose. The FAA sees no need for additional language toward that end in this section.

On the issue of joint liability and responsibility, the FAA has chosen not to provide such latitude. The agency believes that when more than one party holds joint responsibility for such matters, the responsibilities often are overlooked under the presumption that the ``other'' party will act. In that same view, a shared agreement might tend to fragment responsibility. Not that this would not prevent several aircraft operators from using the same portion of the secured area. Only one of them, however, could have an exclusive area agreement for a given part of the secured area.

The proposed rule stated that the exclusive area agreement could cover security measures in the critical security area or restricted operations area. The final rule clarifies that these measures include Secs. 107.201, 107.203, and 107.205, and would include other sections cited in those, such as Sec. 107.207. Other responsibilities held by the airport operator cannot be assumed by the aircraft operator. An example is the provision of law enforcement support (see Sec. 107.215), which can only fall to the airport operator.

In response to the question as to whether a leasehold agreement could substitute for an exclusive area agreement, the FAA believes that it is permissible if the leasehold agreement meets the criteria established in Sec. 107.111. Such an agreement, in appropriate part, could be approved by the FAA as a part of the approved security program. Often, however, a leasehold agreement includes material not relevant to the security program, such as financial arrangements. Such information likely would have to be removed.

Comments on Sec. 107.111(a): The RAA stated that they were very concerned about the provision that responsibility for the security of an exclusive area cannot be shared. The nature of regional airline operations often mandates that they share facilities with their major airline partners, some of which have exclusive area agreements with airports.

Atlanta Hartsfield International Airport asks if this provision will allow the assignment of access points, leading from the public area to the sterile or critical security areas, to the air carriers. They would like to have the flexibility to assign doors and portals leading to baggage make-up areas, directly to the affected air carrier.

FAA response: Like the proposal, this new section assembles all of the provisions relating to exclusive area agreements that previously appeared in Secs. 107.3(b)(3), (b)(5) and 107.13. Section 107.111(a) expands the existing exclusive area responsibilities for air carriers and foreign aircraft operators to include individual access points (e.g., doors and gates). The security responsibilities for these points may be assumed by a part 108 aircraft operator, or part 129 foreign air carriers, based on a local agreement with the airport operator when approved by the FAA as a part of the airport security program.

Comments on Sec. 107.111(b): A commenter states that nothing in this section specifically notes that the aircraft operator is directly accountable to the FAA as a regulated party for any responsibilities assumed in the agreement. This should be stated in the rule and the ACSSP.

Two airports suggest changing the word ``dimensions'' to ``general description.''

Port Authority of NY and NJ would like the flexibility to assign doors and portals leading from the baggage make-up areas directly to the affected aircraft operator.

FAA response: Complementary language in the newly rewritten part 108 (see Sec. 108.227) provides that the aircraft operator is required to comply with the responsibilities in the exclusive area agreement. A failure to comply could result in enforcement action against the aircraft operator.

Section 107.111(a) exclusive area agreements, states that in an approved amended security program, an aircraft operator or foreign air carriers (one that has a security program under parts 108 or 129) would be permitted to assume responsibility for specified security measures for all or portions of the secured area, AOA or SIDA. This may include doors between baggage make-up areas and secured areas.

With regard to comments about the term ``dimensions'' in paragraph (b)(1), the agency's position remains as previously stated. In performing its

[[Page 37292]]

regulatory responsibility, the airport operator, aircraft operator, foreign air carriers, and the FAA must be able to distinguish clearly the boundaries of the exclusive area. This distinction is necessary in determining what security measures must be applied, and by whom.

The FAA removed proposed paragraphs (b)(4) and (5) from the final rule language of Sec. 107.111. These sections had required that the airport operators monitor and audit the carrier with whom it had an exclusive area agreement.

Furthermore, in response to the Port Authority of NY and NJ, the language of the proposed regulation clearly allows for the airport operator as well as the aircraft operator to be responsible for doors and portals leading from the baggage make-up areas (see Sec. 107.111(b)(1)).

New Sec. 107.111(c) provides a compliance date one year after the effective date of the rule for existing exclusive area agreements to meet new Sec. 107.111. This will give aircraft operators and airport operators time to change existing agreements to conform to the new rules. Any new agreements, however, will have to meet the new rules.

Section 107.113 Airport Tenant Security Programs

As noted in the NPRM, this new section was proposed to permit the use of airport tenant security programs. These programs allow airport tenants, other than aircraft operators regulated under part 108, or foreign air carriers regulated under part 129, to assume some of an airport operator's security responsibilities, as specified in 49 U.S.C. Sec. 44903(c)(2). That statute also clarifies that when an airport operator chooses to implement this program, it accepts the responsibility to inspect the tenant for compliance with the tenant security program, and to take enforcement action as appropriate.

Comments: Detroit Metropolitan Airport disagrees with the notion that tenants would be responsible to the airport operator and not the FAA on security matters.

Ft. Wayne Airport states that this section should include a blanket exemption for any and all military and other Federal facilities co- located on the airport property. If they are not exempted, then close coordination between the FAA and the Department of Defense must occur prior to initiation of the new part 107 regulation.

The LSG/Sky Chefs and Lincoln Airport Authority urge the FAA to either mandate the tenant security program everywhere or eliminate this option altogether. The FAA should provide clear guidance as to what a tenant program consists of, instead of addressing the issues for the first time by each airport during the development of the program or through enforcement actions.

The ACI-NA and AAAE state that nothing in proposed Sec. 107.113 specifically identifies tenants as the regulated party with direct accountability to the FAA for security responsibilities assumed in the agreement.

The NATA strongly opposes any attempt to regulate directly airport tenants and believes that this Congressionally-approved approach of airport tenant security programs will address the concerns of the airport operator community that were raised previously over security violations of its tenants. The penalties posed by the airport operator should not be permitted to go beyond those provided by the FAA. The tenant should not be required to enter into such an agreement with the airport, and it should be emphasized that it is voluntary in nature. There must be an allowance for the airport tenant to cancel the agreement with the airport operator.

FAA response: While Detroit Metropolitan Airport objects that tenants would be responsible to the airport operator rather than to the FAA on security matters, the statute that enacted this program provides no latitude in this regard, and was enacted largely through the efforts of an industry association.

In response to the suggestion by the Fort Wayne Airport that military and other Federal facilities at the airport be exempted, the FAA notes that Federal civilian entities are merely tenants within the context of civil aviation security. The FAA does not regulate military facilities, in that the agency's jurisdiction does not extend to military reservations. The military's cooperation in ensuring a secure airport environment is always sought. As an integral part of the host airport, the military facility, and relevant security issues, must be reflected in the airport security program.

In response to the suggestions made by LSG/Sky Chef and the Lincoln Airport Authority, there does not appear to be any reason to either require tenant security programs for all tenants or to forbid them. Each airport and tenant has different circumstances, and the use of these programs will be based on the needs and wishes of concerned parties at each airport. Within the latitude of the statute, the FAA believes such decisions are best made at the local level. However, in further response, the FAA has provided more information in the rule as to what must be in the tenant security program.

As with exclusive area agreements, airport tenant security programs would only provide for the tenant to assume responsibility for measures under Sec. Sec. 107.201, 107.203, and 107.205, and sections cited in those provisions. If appropriate in a given situation the airport might simply copy provisions from its own program into the tenant program. The airport operator may not transfer responsibility to provide law enforcement support. Further, the tenant may only take on employment verification responsibilities as provided in Sec. 107.209. The tenant may not conduct the criminal history records checks, which under title 49, United States Code, section 44936, may only be done by the airport operator or aircraft operator.

Section 44903(c)(2) provides that the tenant may assume responsibility in an area that it leases or is designated for its exclusive use. The FAA interprets this to foreclose the use of an airport tenant security program for companies that contract with the airport operator to manage a terminal building. The terminal is used by one or more aircraft operators and numerous passengers, visitors, and businesses. Further, it remains the fundamental responsibility of the airport operator to provide security under the statute and the regulations for areas that directly serve the flying public. This has been made more clear in Sec. 107.113(a). The FAA views the airport tenant security program to permit a tenant to take on security duties for areas that are not directly handling passengers for whom part 108 measures apply. It is not a means for the airport to transfer duties that are directly dealing with passengers, which is the fundamental mission of part 107. Thus, a fixed base operator at a remote site may be an acceptable candidate for an airport tenant security program. Its duties, while important to the overall security of the airport, are not as directly involved with passengers. Security at the terminal building is directly involved with passengers and should not be transferred from the airport operator.

At some airports an aircraft operator with a part 108 security program is the major or only aircraft operator at a terminal, and may lease and manage the terminal building. The aircraft operator may assume security responsibilities for that terminal under an exclusive area agreement under Sec. 107.111.

[[Page 37293]]

The final rule also has been clarified to provide that only one tenant can be responsible for each area covered by a tenant security program. This is consistent with the statutory provision that the area be leased to or used exclusively by the tenant. Further, as with aircraft operators, it is evident that when responsibility is unduly diluted, it is more difficult to promote compliance with the security requirements. It should be noted that the FAA will carefully consider whether security is served before approving an airport tenant security program. Before approving the program, the FAA must find that the tenant realistically is capable of carrying out the security measures it is assuming and is willing to do so.

In response to ACI-NA and AAAE, the FAA notes that the statute does not provide for the tenant to be directly accountable to the FAA for violations. Rather, the airport operator is responsible for taking action against the tenant if it fails to comply with its security program. The term ``regulated party'' is a vague one. The tenant is regulated in that it becomes responsible for carrying out its FAA- approved security program, with consequences from the airport operator if it fails to do so.

In response to the NATA comment, the statute on which airport tenant security programs are based states that the tenant will be required to pay financial penalties to the airport operator in the event that the tenant fails to carry out any such security requirement. The statute does not address the amount to be assessed by the airport operator. The FAA's interest in this process will be served when the agency is satisfied that the program includes provisions for the imposition of fines or other penalties adequate to promote or ensure compliance by the tenant participating in the agreement.

As to NATA's comment that the tenant's agreement to an airport tenant security program should be voluntary, Section 44903(c)(2) is silent as to whether airport operators can require their tenants to enter such an agreement. The FAA generally is not involved in such tenant-landlord issues unless there are violations of Federal law, regulations, or grant assurances. As to whether the tenant will be able to cancel the agreement, if the tenant is not able or willing to carry out the tenant security program the FAA will amend the airport security program to remove the tenant security program and provide that the airport operator is directly responsible for the security measures. Any issues between the airport operator and tenant as to possible breach of contract generally will not be resolved by the FAA.

Comments on Sec. 107.113(b): One airport suggests removal of the reference to ``monetary and other penalties.'' The airport operator must have the flexibility to resolve tenant security program infractions on a case-by-case basis.

Two airports comment that under proposed Sec. 107.113(b)(4) tenants should be directly accountable to the FAA, if a ``person'' can be accountable.

FAA response: The tenant security program must outline the terms of the agreement, including monetary and other penalties. The reference to ``money penalties'' comes from the statute, Section 44903(c)(2)(A)(ii). The term ``other penalties'' allows flexibility on the part of the airport operator; however, the nature of that phrase must be outlined in the program by the airport operator. By the same token, the FAA will not approve a tenant security program for which the airport operator has not established a meaningful system of monetary penalties and other penalties applicable in cases of noncompliance. Further, the agency recognizes that token penalties may yield only token compliance or may be willingly incurred by some tenants as a cost of doing business. Such factors will be considered by the FAA in evaluating each tenant security program.

As to responsibility of the tenant under Sec. 107.11, routine use of enforcement action by the FAA against the tenant would dilute the airport operator's responsibility under Section 444903(c) to make sure its security program is carried out. However, in appropriate cases, the FAA will consider action, particularly against individuals.

Section 107.201 Security of the Secured Area

The FAA proposed in Sec. 107.201 to require the airport operator to establish a critical security area and implement certain security measures. The proposed critical security area essentially replaced the secured area that originated with existing Sec. 107.14.

Proposed Sec. 107.201(b) would require an identification system that incorporates the standards of proposed Sec. 107.209 (now Sec. 107.211), including implementation of a challenge program and escort procedures.

It was proposed that, under this section, individuals with unescorted access to the critical security area continue to be required to submit an employment verification as specified in proposed Sec. 107.207 (now Sec. 107.209.)

The FAA proposed that Sec. 107.201(b)(6) require the airport operator to train individuals in a manner prescribed in proposed Sec. 107.211 (now Sec. 107.213) prior to authorizing such individuals unescorted access to the critical security area.

This section also proposed in Sec. 107.201(b)(7) to require signs at access points to and along the perimeter of critical security areas. The NPRM's preamble discussion of the sign requirements referred readers to the FAA's AC 107-1 (May 19, 1972). This AC recommends that airport operators appropriately post signs warning of the entry restrictions to certain areas at the airport and any penalties associated with unauthorized entry. The FAA proposed that the airport operator be permitted 2 years to implement the new sign requirements.

Comments on Sec. 107.201(a): One commenter states that Sec. 107.201 should be deleted, as the systems called for in Sec. 107.209 (Identification Systems) are unnecessary and systems identified by proposed Sec. 107.205 (Access Control Systems) are sufficient.

The Airport Consultants Council (ACC) states that the FAA should not have different training and identification requirements for the critical security area and restricted operations area.

Another commenter asks if it is the intention of the FAA to have the critical security area replace the present SIDA. If so, the requirement for display of identification media should be completely spelled out.

FAA response: The secured area is discussed above under General Discussion of the Final Rule. As noted in the earlier General Discussion, the FAA has decided to retain the term ``AOA'' and ``secured area.'' Therefore, these terms will be used in place of ``critical security area'' and ``restricted operations area,'' respectively, for the remainder of this discussion.

Contrary to the views of the first commenter, the FAA does not believe that this section should be deleted. Proposed Sec. 107.205, Access Control Systems (Sec. 107.207 in the final rule), specifies the requirements for the system, measures, or procedures for controlling entry into the secured area. An important element of strong security is redundancy. If an unauthorized person were to enter the secured area, the airport operator must have a means to determine that the person who is present is not authorized to be there; hence, the need for an identification system as provided for in proposed Sec. 107.209 (new Sec. 107.211). Section 107.201 establishes the secured area as

[[Page 37294]]

a place on the airport that incorporates these two critical security systems, as well as others, to protect the most critical operations of part 108 and part 129 aircraft operators.

In response to ACC, the FAA notes the different burdens of providing training in the secured area versus the more general requirement attached to the AOA, as noted by ACC. The agency believes that a strict training and ID standard should attach to unescorted access privileges to the secured area, where the most critical operations are performed. In other areas, there is not the same need at each airport for the most intense security requirements.

As to the commenter who asked if it is the FAA's intention to have the critical security area replace the current secured area, the FAA notes this was the intention in the NPRM. Again, however, the term ``critical security area'' has not been adopted, in favor of the current term ``secured area.''

In response to the commenters question regarding replacing the SIDA, the FAA notes that a secured area is a SIDA, and incorporates other security measures as well.

Comments on Sec. 107.201(b): Federal Express, eight airports and one air carrier recommend changing the word ``prevent'' to ``deter and/ or detect.'' These commenters believe that the program must be able to detect and remove unauthorized personnel from these areas.

One commenter states that this section implies that full badging may be required everywhere inside the fence at an airport. Such determinations should be made on an airport-specific basis in concert with local FAA officials. Badging should be based on need, not by definition of an area.

The ACI-NA and AAAE expressed several concerns regarding the proposed vehicle identification requirements.

The CALA and an airport state that Sec. 107.201(b)(5) should be more clear and be expanded to exempt airports from having to review background investigations completed by airport tenants on persons requiring SIDA access, received from aircraft operators, that are directly regulated by the FAA.

Several airports state that this proposal should allow general terms on the signs and variations in interpretation depending upon how the airport is divided. Adding sign requirements for all doors would increase the cost significantly. Furthermore, posting signs meeting the additional criteria discussed in the NPRM would pose additional costs without any accompanying increase in security. One airport states that a minimum distance between the warning signs on the perimeter should be provided to ensure uniformity at airports. The ACC states that the proposal lacks reference to sign requirements relevant to the Americans with Disabilities Act.

FAA response: Several commenters questioned the use of the word ``prevent'' as it appears in Secs. 107.201 and 107.205. The FAA disagrees with the arguments put forth by commenters. The word ``prevent'' in this context means to keep unauthorized persons and ground vehicles from the area, and appears in current Sec. 107.13(a)(1). The section goes on to list the methods the airport operator must use to do so. The FAA believes that the high level of security required in the secured area is best completed by first preventing unauthorized access.

Further, the FAA agrees with the commenters, to the extent that a detection capability must also exist should a security system fail to prevent an unauthorized penetration or other potentially dangerous situation from occurring. This philosophy is consistent with the FAA's long held belief that the civil aviation security system is an integrated set of interdependent measures. Consequently, the final regulation also incorporates the requirement for ``detection'' in Sec. 107.201(b), a carryover from existing Sec. 107.13. As to the commenter who noted that the proposal implies that full badging may be required everywhere at an airport, the FAA notes that the proposal to require identification systems in both the critical security area and the restricted operations area has not been adopted. The final rule requires identification media only in the SIDA, of which the secured area is a part.

As to ACI-NA's and AAAE's questions about vehicle identification systems as proposed in Secs. 107.201 and 107.203, for reasons discussed in response to comments in Sec. 107.211, the FAA has decided not to adopt the proposed requirements for vehicle identification systems.

In response to the commenter who suggested that this proposal should allow for general terms on signs, the FAA notes its intent is to allow each local program the latitude to place appropriate signs in a manner that befits the local conditions. Signs remind the person working at the airport that they are entering an area where certain security measures are in place and for which they may be held individually accountable. Also, the signs warn the uninitiated person that access to the area beyond that point is restricted, and that security measures are in effect beyond that point. The FAA believes there is a value to the notification and deterrence effect of such signs. Consequently, the proposed language essentially is unchanged.

Section 107.203 Security of the AOA

The FAA proposed in this new section to require the designation of a restricted operations area and to specify security measures that must be implemented in it.

As in the critical security area, this section proposed that airport operators use a personnel and vehicle identification system to control movement that meets the standards prescribed in proposed Sec. 107.209.

The FAA proposed to require that the airport operator implement the same escort and challenge procedures used in the proposed critical security area; however, access investigation would differ. This section proposed to require the existing 5-year employment history verification standards currently used in the AOA and as they appear in local airport security programs. This section also proposed requirements for signs similar to those of the critical security area.

Comments on Sec. 107.203(a): One airport states that conducting background investigations, badging, training, and auditing all of these operators and individuals would be extremely costly, while adding no improvement to airfield security. This commenter recommends that the focus remain on security and protecting the SIDA or critical security area.

The ACI-NA and AAAE strongly recommend that the requirements formerly associated with the SIDA be limited in application to the critical security area and that the terminology be changed.

FAA response: The AOA is discussed above under General Discussion of the Final Rule. As previously noted, the FAA has deleted the proposed change to the use of the term ``restricted operations area,'' and has retained the term ``air operations area'' to reflect that area and its requirements under Sec. 107.203. The term AOA will be used from this point on.

After further consideration, the FAA has determined that requiring identification in the AOA is not necessary at all airports, nor are the strict escort and challenge procedures that were proposed. The final rule reflects the emphasis placed on the secured area under Sec. 107.201, as more latitude is permitted for the airport operator under Sec. 107.203 than was proposed. However, while the measures

[[Page 37295]]

to be used in the AOA are not strictly prescribed by regulation, the airport operator continues to be responsible for the burden of preventing and detecting unauthorized entry, presence, or movement of persons and ground vehicles in the AOA. Some airports have decided it is necessary, with FAA approval, to require the display of identification throughout their AOA. Also, most airports require a 5- year employment history verification for those with unescorted access to the AOA. This provision, or another check to verify the person's identification, would continue to be part of the airports system to control the AOA.

Under the final rule, security requirements for the AOA remain similar to those in current Sec. 107.13. They are: control of access to and movement on the AOA, the response to unauthorized penetrations, the provision of security information to persons with unescorted access to the AOA, and the posting of signs. The FAA believes this less prescriptive approach in the AOA will provide the greatest flexibility to the airport and its tenants. These measures generally are in effect today. The concerns of many commenters are, therefore, mitigated since part 107 airports currently possess FAA-approved security programs which adequately describe the AOA and no new burden is imposed.

Comments on proposed Sec. 107.203(b): Two airports recommend deleting the requirement for access media for personnel with equipment within the AOA from Sec. 107.203(b). The practicality is that this requirement will be very burdensome for small airport operators with little or no benefit to the critical security area as a result of the additional expense and manpower requirements.

Continental Airlines and the National Association of Police Officers (NAPO) state that Sec. 107.203(b)(2) should be more thoroughly clarified and expanded to exempt airports from reviewing background investigations by airport tenants or persons requiring SIDA access. These background investigations are received from aircraft operators who are directly regulated by the FAA.

Three airports state that the posting of signs meeting the additional criteria appearing in the discussion of the NPRM would pose repetitive monetary expenditures without any accompanying increase in security. One commenter states that a minimum distance between the warning signs on the perimeter should be provided to ensure uniformity at airports.

FAA response: To the commenter who suggested deleting the requirement for access media for personnel with equipment within the AOA, the FAA points out that it is possible under the regulation and would be a local decision. For example, the FAA is aware that at some locations individuals working in teams (such as, construction crews) may not each possess individual access or identification media. Instead, such teams may work under escort of someone with the appropriate authority. The latitude for an airport operator to employ this practice continues to be acceptable under this final rule.

As to Continental's and NAPO's suggestion to exempt airports from reviewing background investigations for unescorted access to the AOA, the FAA points out that it has not adopted the specific 5-year employment verification requirement proposed under Sec. 107.203(b)(2). Instead, the FAA chose to retain in that section the less prescriptive approach of current Sec. 107.13 as regards control of the AOA. New Sec. 107.203 fixes the airport operator's responsibility for the AOA to that of control of entry and movement, and the prevention and detection of unauthorized persons and vehicles.

The FAA expects that airport operators seeking to comply with new Sec. 107.203 will need to verify the identification of persons granted unescorted access to the AOA. Since the 5-year employment verification process has provided for that for many years, some airports may choose to retain that approach. The FAA would also consider other methods to accomplish the same end.

As to the comments regarding fencing, the FAA disagrees that the costs do not result in additional security. Fences provide a positive, physical barrier to intrusions. They provide deterrence, as well as notice to well-intentioned persons who recognize that fencing sets an area apart for some purpose. Taken together with the requirements for the posting of signs under the rulemaking, the agency is convinced the two measures will provide a visible and effective means to provide an initial level of protection to the airport.

The FAA does not wish to specify a fixed distance between signs. Local conditions, the character of fence lines, topography, etc., should be more determining of sign placement than a distance set in regulation. At the same time, the FAA would expect signs to be constructed and placed in such a way as to be readily visible and readable from any point along the fence line, with details reflected in the airport security program.

Section 107.205 Security of the Security Identification Display Area (SIDA)

As noted under the General Discussion of the Final Rule, the term ``SIDA'' is being retained, but its definition is being revised.

It is the FAA's intent that airport operators who choose to apply the provisions of new Sec. 107.209 to areas outside of secured areas must have clearly justifiable reasons for doing so. The use of the employment history verification and in some cases, criminal history records checks, under Sec. 107.205, imposes a burden on individuals that only should be used when necessary. Examples of areas outside of the secured area that may be SIDA's include cargo make-up areas, fuel farms, maintenance areas, and other areas handling activities related to part 108 operations.

The following table illustrates the differences in security requirements between the secured area, SIDA, and AOA.

Portions of air Security operations area Requirements

Secured area identification that are not display area

SIDA

Complex Access Controls......................................

X Baseline Access Controls.....................................

X Escort Procedures............................................

X

X Personnel Identification System and Continuous Display of

X

X Identification.............................................. Challenge Program............................................

X

X Employment History...........................................

X

X Verification and Criminal Records Check......................

X

X Security Training............................................

X

X

X Security Briefing............................................

X

[[Page 37296]]

Signs........................................................

X

X

X

Section 107.207 Access Control Systems

This section was proposed as Sec. 107.205 but was renumbered in the final rule as Sec. 107.207.

The FAA proposed in this section to specify the requirements for access control systems that are required in proposed Sec. 107.201 and Sec. 107.203.

Proposed Sec. 107.205(a) covered access systems for critical security areas that were essentially the same as in current Sec. 107.14. As proposed, Sec. 107.205(b) covers access requirements for the restricted operations area. The proposal was largely the same as the requirement in current Sec. 107.13(a), except for the proposal that the system be locally controlled, and that the airport have accountability procedures. The proposed accountability procedures included regular audits of issued access media, and measures to ensure that access controls are locally controlled and could not be used to gain access to the restricted operations area of other airports.

Proposed Sec. 107.205(c) addressed concerns raised by the ASAC on the issuance of temporary access media to individuals who are not in possession of their original access media. A typical example of this is an airport or aircraft operator employee who reports to work without her/his approved access and identification medium and cannot practicably be escorted throughout the course of her/his assigned shift.

Section 107.205(d) proposed that the airport operator establish and implement escort procedures for individuals who do not have access authority. Many airport operators already have some type of escort procedure in place based on FAA policy guidance, but such procedures are applied inconsistently and often ineffectively.

The FAA proposed Sec. 107.205(e) to allow airport operators to address the issue of group validation access. The present performance standards under Sec. 107.14(a) do not allow for group access, but the proposed language would have allowed the FAA to work with each airport operator to resolve the issue locally. Comments regarding the practicality of group access were requested.

The FAA proposed Sec. 107.205(f) to address access control points that lead from non-public areas, other than critical security areas, to the sterile area.

Proposed Sec. 107.205(g) would incorporate the current provisions of Sec. 107.14(b) for alternative access systems.

Comments on proposed Sec. 107.205 (new Sec. 107.207): A commenter says this section is unclear and impossible to implement, while several commenters noted that the whole burden appears to be placed on the airport operator with none on the aircraft operator. An airport asks whether the proposal envisions access controls such as cameras and gate guards.

ATA is concerned about the proposed access controls for employees, particularly crewmembers, because existing controls are more than adequate.

FAA response: In response to the comment that this section is unclear and impossible to implement, the FAA disagrees. The agency wishes to point to the fact that most of the provisions of the proposal are successfully in daily use at hundreds of airports across the country under current Secs. 107.13 and 107.14. As to the claim that the burden falls only to the airport operator and not aircraft operators, the FAA has long held that the responsibility to ensure a safe airport operating environment falls primarily to the airport. However, aircraft operators are required to control access to their aircraft under part 108 and, therefore, are jointly responsible for adequate security in portions of the secured area and the AOA. Further, under exclusive area agreements aircraft operators take complete responsibility for much of the security. Under this final rule, the FAA provides a means for greater relief to the airport operator through the broadened exclusive area provisions appearing in Sec. 107.111 and with the new provision for tenant security agreements under Sec. 107.113.

As to the exact measures to be used to control access under new Sec. 107.207, the means by which the requirements are accomplished is largely a local decision for the airport operator, as detailed in the security program. The final rule does not specifically require the use of cameras and gate guards, although both are in common use throughout the industry today and can be a part of the systems that provide the appropriate level of security under this rule.

The FAA agrees with the ATA that the requirements for access controls under the current regulation are adequate when diligently and conscientiously implemented. For that reason, access control standards have not been expanded in the final rule. Rather, new Secs. 107.201, 107.203, and 107.207 essentially reflect the access control requirements of current Secs. 107.13 and 107.14.

To the commenter who objected to identification media that displayed a persons access authority, the FAA offers that this requirement has been in place for years at many airports and has proven effective. Each airport operator has flexibility to design a system that works for its airport.

Comments on proposed Sec. 107.205(a) (new Sec. 107.207(a)): Tucson Airport Authority states that the FAA should also address the regulatory requirement of Sec. 107.205(a)(2) in part 108 and part 129.

ACI-NA, AAAE and two airport commenters state that Sec. 107.205(a)(3) should be deleted, while several other airports and a local aviation department state that under Sec. 107.205(a)(3) it would be too complex and difficult for airport employees to challenge access to different critical security areas.

One commenter questions the reasoning to allow employees to have access to only a portion of the critical security area.

Several airports reject the proposed requirement in Sec. 107.205(a)(4) to control an individual's access to critical security area by time and date. Industry does not have the personnel required to modify access by time and date. An airport and a local aviation department state that a universal access system (UAS) for flight crews would make compliance with proposed Sec. 107.205(a)(4) impossible. An airline states that during contingency plan operations, the issuance of special identification media limiting access by time and date could be controlled in accordance with Sec. 107.205(g).

FAA response: As background information, the FAA notes that proposed Sec. 107.205(a) reflects the requirements in current Sec. 107.14(a), and represents no new requirements. The FAA agrees with the Tucson Airport

[[Page 37297]]

Authority that aircraft operators and foreign air carriers must notify airport operators in a timely manner of individuals whose access authority has changed. This is an element of carrying out their duties to protect their aircraft from access by unauthorized persons.

In response to the ACI-NA, AAAE, and others' comments opposing proposed Sec. 107.205(a)(3), the requirement that the access system differentiates between individuals authorized to have access to an entire secured area or to portions of a secured area is in current Sec. 107.14(a). The rule does not require airport operators to restrict individuals' access to specific portions of the secured areas. The rule provides that if the airport does in fact restrict access, the access control system must be capable of recognizing these restrictions. The airport is given latitude to design a system that works for its particular circumstances.

The current Sec. 107.14(a) requires that a system be capable of limiting an individual's access by time and date has existed in the regulation since it was adopted in 1989. The proposal contained this requirement in Sec. 107.205(a)(4). The intent was to ensure that the airport operators had a capability to limit the number of persons accessing the secured area while under a heightened or specific threat. Despite many such threats since that time, to include several during the Gulf War of 1990, the FAA has never felt the need to direct the implementation of that capability. However, it is conceivable that a threat situation may develop which could be so specific that only through implementation of this capability would the airport be permitted to remain operational. The agency notes, however, that in such a situation, the emergency authority available to the Administrator under new Secs. 107.105 and 107.305 would permit the FAA to impose such requirements as necessary to respond to the emergency, as is true under current Sec. 107.11. Hence, the retention of the disputed language is unnecessary. Its retention may impose more of a continuous burden on the industry than the worth of the measure might justify. The deletion would relieve the airports with existing systems from having to exercise, maintain, and upgrade this capability. Further, if new systems are installed, they will not have to meet this criterion.

Comments on proposed Sec. 107.205(b) (new Sec. 107.207(c)): ACI-NA, AAAE and several airports state that the language in the proposed rule seems to suggest that Sec. 107.14 type controls would be required at all access points to the restricted operations area. This would be an expansion of the existing automated access control systems. These commenters do not believe that this is the FAA's intent, and request clarification of this issue.

One commenter states that if the FAA insists on the issuance of some type of airport operator access media for the AOA (proposed restricted operations areas), then a detailed justification for this identification media should be established. One airport suggests that the FAA delete the requirement under Sec. 107.205(b)(2) and replace this with language that requires the airport operator to prevent inadvertent entry into the AOA.

UPS requests specific definition under Sec. 107.205(b)(3) of ``be locally controlled.'' UPS requests that the system be located off property for centralization of control and reporting capability.

FAA response: In response to ACI-NA, AAAE, and others who understood the proposal to place the same level of access controls on the AOA as on the secured area, the agency notes that this is a misapprehension. Rather, the proposed rule (and the final rule, Sec. 107.207(c)) reflect largely the same requirements on access points to the AOA as those in current Sec. 107.13. In new Sec. 107.207(a) of the final rule, the FAA only is to a large extent continuing the current requirements to control access to the AOA. The main addition is that the system must have an accountability system to maintain the integrity of the system. Such a system, would for instance, maintain program accountability for keys that are issued, including retrieval of the keys and re-keying the locks when necessary.

The FAA has chosen not to adopt the commenter's suggestion to delete the requirement under Sec. 107.205(b)(2) and replace it with language which requires the airport operator to ``prevent inadvertent entry'' into the AOA. Part 107 deals directly with intentional, potentially criminal acts against civil aviation. Part 139 deals with concerns regarding inadvertent entry into or onto the AOA.

UPS asked for clarification of the term ``local control'' in proposed Sec. 107.205(b)(3). The original concept of ``local control,'' was that a system be totally contained by the local airport or the air carrier on a local basis. When the proposed rule was written, the FAA's intent was to preclude system-wide manual access control media such as lock and key systems, in which the same access medium could be used at many airports. The danger the FAA saw, for example, was that a lost or stolen key could compromise security at all the airports where that key could operate the access control system. This has been a practice by certain air carriers in the past. The concern was a situation could arise requiring an immediate change of locks at all affected locations systemwide. This would be logistically difficult and extremely costly to achieve.

Upon review, the FAA agrees the proposal that access systems be locally controlled overstated the intent. Locks with keys that can be used throughout an aircraft operator's system may be acceptable. However, the FAA continues to object to the use of such systems that could not be altered immediately at the local level to prevent compromise of the system. Therefore, such system-wide access controls would not be approved in either airport or aircraft operator security programs unless there was sufficient local ability to alter the system as needed.

Comments on proposed Sec. 107.205(c) (new Sec. 107.207(d)): One commenter states that ``secondary'' access media should be renamed ``temporary'' access media, to more accurately convey the intent of this section.

UPS, Federal Express, and an airport recommend that this section be clarified to state that secondary access media can be issued when an individual unintentionally/inadvertently forgets his/her access media.

FAA response: In response to the commenter who recommends the name change, the FAA term ``secondary'' access media was chosen since it was believed to more accurately represent the fact that this privilege could be granted by the airport operator only to those persons who already have an access medium and who have already fulfilled requirements for this privilege. The use of the term ``temporary'' access media was considered but was dismissed because the FAA believes ``temporary'' implies granting of a privilege that did not previously exist and that would have a finite life. Therefore, the FAA has maintained the term ``secondary'' access media, while using ``temporary'' elsewhere in the rule (see Sec. 107.211).

In considering the comments of UPS, Federal Express, and others, the FAA's intent in the proposed language of Sec. 107.205(c) was to extend to the airport operator the latitude to issue ``secondary'' media. It was not the FAA's intent to require the airport operator to use secondary access media, but rather to provide the option should the airport operator choose.

Comments on proposed Sec. 107.205(d) (new Sec. 107.211(e)): ACI-NA, AAAE, and

[[Page 37298]]

several airports state that Sec. 107.205(d)(2) should read ``* * * individuals are continuously accompanied, supervised or monitored * * *''

One airport states that escorting procedures that include group validation are flawed in that there is no means of determining who is responsible or if the group remains together.

FAA response: In the final rule, the requirements for escort appear in Sec. 107.211.

In considering the escort function and its importance to providing for a flexible civil aviation security system, the FAA adopts the suggestion by ACI-NA and others to include the word ``monitored.'' The FAA believes the escort function can be consistently and effectively applied under this latitude at some locations. The key is whether the person monitoring the subject can immediately assess the actions of the subject and take action if the subject engages in unauthorized activity. The exact procedures may be developed at each airport and placed in the airport security program.

To the airport concerned about fixing responsibility for group escort, the FAA notes that the local escort procedures should be designed and implemented in such a way as to make clear where that responsibility lies. Further, the local escort procedures should be clear as to the actions a person providing escort should take should a person or group under escort fail to comply with the conditions of the escort.

The final rule refers to escort within the secured area or SIDA. There are some areas of AOA's, however, where escort and challenge are part of the system for controlling the presence and movement of individuals. For instance, a fixed base operator (FBO) in the AOA may monitor the activities of GA pilots and others, and challenge them if they go beyond the FBO area.

Comments on proposed Sec. 107.205(e): Several commenters asked questions about group validation.

FAA response: Current Sec. 107.14(a) precludes group access. The performance standards requires that each person using a Sec. 107.14(a) access point must be tested to ensure that their authority is appropriate to the access point. At the time the changes to part 107 were proposed the operational difficulties associated with Sec. 107.14(a) access points caused the FAA to consider permitting group access at Sec. 107.14(a) points.

The FAA conducted tests at several locations to determine if group access through Sec. 107.14(a) points was a viable option in light of the inherent criticality of secured areas. The results convinced the FAA that in most cases, the operational benefits offered through group access at such points could not be justified when weighed against the threat to the secured areas. Consequently, the FAA has determined that the proposed language permitting group access in Sec. 107.205(e) is not adopted. The effect in the final rule is that only single person access will be permitted through access points that must meet the requirements of new Sec. 107.207(a), that is, access to the secured area.

Comments on proposed Sec. 107.205(f) (new Sec. 107.211(e)(5)): ATA and FedEx request clarification of the areas/points included within the scope of Sec. 107.205(f). The terms ``all points'' and ``nonpublic'' need to be defined.

ACI-NA, AAAE and an airport state that when someone accompanies a person with authorized access at that airport, the requirements of this section should not be necessary.

FAA response: The FAA has reevaluated proposed Sec. 107.205(f). In the many cases where access points described in the proposal are indirectly controlled in accordance with current Sec. 107.14(a) or (b), the proposed new language would require those access points to be directly controlled. Hence, a potentially burdensome requirement would have been imposed unnecessarily. The agency believes the current language is adequate for its purposes, therefore, the agency has decided not to adopt the requirement proposed in Sec. 107.205(f).

However, as the preamble noted, there is a concern regarding a person bypassing the screening checkpoint by being escorted from the critical security area (now secured area) into the sterile area. New Sec. 107.211(e)(5) addresses this by requiring that persons escorted into the sterile area must be screened or be escorted out of the sterile area.

Comments on the UAS: A number of comments were received on the UAS, which would allow a single access medium to be used at many airports, yet the proposed provision seems to rule out that possibility.

FAA response: The discussion in the NPRM regarding UAS was for information only. UAS has been implemented at some airports and is an on-going program.

Section 107.209 Employment History, Verification, and Criminal History Records Checks (Proposed Sec. 107.207)

The NPRM did not contain the text of this section because it was being revised in a separate rulemaking. On September 24, 1998, the FAA issued a final rule (63 FR 51204). That rulemaking amended Sec. 107.31, Employment history, verification, and criminal history records checks. Under the current final rule, Sec. 107.31 has been renumbered as Sec. 107.209 and appears under Subpart C, Operations.

Comments: Two airports state that the complexity of employment history verification requires that language should have been included in the NPRM (Notice No. 97-13) to fully assess its provisions against the other proposed changes to part 107.

Another commenter requests that the FAA continue to aggressively pursue access to the DOJ/FBI Integrated Automated Fingerprint Identification System--for security investigation--by the law enforcement entities supporting United States airports. The current program remains less than practical and largely unworkable.

FAA response: An NPRM (62 FR 13262; March 19, 1997) and a final rule (63 FR 51204; September 24, 1998) have already been issued with respect to Employment history, verification, and criminal history records check. Therefore, there was no need to republish changes associated with that rulemaking along with the NPRM for this rulemaking.

In this final rule, Sec. 107.209 has been modified to correct an oversight that appeared in the final rule for old Sec. 107.31. The new rule adds Sec. 107.209(b)(3), which states that when an individual has admitted to a conviction of a disqualifying crime the investigative process ends and the individual is denied unescorted access privileges. Although this was the obvious implication of the section and the preamble, it was not clearly stated in the rule.

As to the comments submitted by two airports that sought consideration of the requirements of 107.209 within the context of the NPRM, the FAA wishes to ensure those commenters that this was done, and that the final rule reflects that process.

To the commenter that addressed the FAA's pursuit of the Integrated Automated Fingerprint Identification System, the FAA notes that it has in fact done so and tests are ongoing at this time.

The FAA receives numerous calls requesting clarification on the use of automated telephone systems that provide employment information. The FAA has contacted several of these companies and found that the information being provided comes directly from the past employer.

These telephone services provide employment information that may be

[[Page 37299]]

used to partially satisfy current Sec. Sec. 107.31 and 108.33 regarding the employment history of those individuals seeking certain positions at an airport. The automated services provide the employment dates and does so only if the person calling has the past employer's company identification number and the specifically assigned identification number of the individual whose employment information is sought.

The use of the specifically assigned numbers reflects a level of security is being provided to the information contained within the system. The security is viewed as a means to protect the information from unauthorized changes. Since this method of providing past employment information is the ``current state of business'' the FAA will accept this method as an adequate means to verify past employment dates when the telephone services have security measures in place.

Therefore, the FAA interpretation of current Sec. Sec. 108.33(c)(4) and 107.31(c)(4) and new Sec. Sec. 107.209(c)(4) and 108.2(c)(4) includes the use of these automated telephone services that require the use of special information to access an individual's employment history. No language change is deemed necessary for this final rule.

Section 107.211 Identification Systems (Proposed Sec. 107.209)

The FAA proposed that under this new section, an identification system would be required for both the critical security area and the restricted operations area. The FAA added this section to regulate standards governing the issuance, display, and accountability of identification systems to promote their effectiveness.

In addition, the FAA proposed that the standards become effective 2 years after a final rule is adopted, providing airport operators with time to make necessary changes so that their systems meet regulatory requirements. The ASAC requested that airport operators be afforded 5 years to phase in any identification changes required by the revised rule, however, the committee did not provide any financial or operational data to support this position.

In proposed Sec. 107.209(a), standards were proposed for personnel identification media. Under this proposal, the media must convey accurate information about the individual, bear an expiration date, be readily identifiable for challenge purposes, and indicate the individual's authorization for access and movement. The FAA also proposed procedures to ensure the airport's accountability for the effectiveness of the system. It is anticipated that initial accountability criteria and percentages will have to be tested over an extended period of time and amended as appropriate.

In proposed Sec. 107.209(b), standards were proposed for a vehicle identification system, including identification media requirements and procedures to ensure accountability of the system. At ASAC's suggestion, the FAA also proposed in Sec. 107.209(c) to permit the use of the identification program for vehicles used under part 139, if that system also meets the requirements of this proposed section.

Under Sec. 107.209(d) the FAA proposed that airport operators may issue temporary identification media to persons whose duties are expected to be temporary, such as contractors. To minimize the number of accountable and valid identification media, the FAA proposed that such individuals should have their identification media valid only for the time needed to perform their temporary duties.

The FAA proposed in Sec. 107.209(e) to allow an airport operator to approve the identification media of other entities, which meet the standards of this regulation. Inclusion of this practice would codify an acceptable practice used by many airports.

Under Sec. 107.209(f) the FAA proposed to require an airport operator to develop a challenge program. Airport operators currently establish their own challenge procedures to meet the requirements of existing Sec. 107.25(e)(2), but in this paragraph the FAA proposed to expand these requirements in order to ensure more standardized challenge procedures between airports, and within the critical security areas and restricted operations areas.

General comments on proposed Sec. 107.209 (new Sec. 107.211): ACI- NA, AAAE, ALPA, UPS, ATA, NATA, FedEx, TWAA, RAA, several airports, and others provided comments concerning the identification systems. In general these commenters request greater clarification and detail in what the rule requires. ALPA recommends that an identification system cannot ``control the presence'' or ``movement'' of people or vehicles. It can only ``identify'' or ``validate'' the authority of the person or vehicle to be in the critical security area, or it can be used to ``control access.''

FAA response: The agency believes the responses to comments on specific paragraphs of Sec. 107.209, below, provide the clarification and detail that the commenters request.

The FAA agrees with ALPA who noted that identification systems alone cannot control the presence or movement of people or vehicles. The FAA recognizes that an identification system is one of the many components of the security system. The identification media worn by persons indicate the authority of those persons to be present at given locations, and permit challenge of those without the appropriate identification. This fact, in the FAA's view, provides a means to control ``movement'' and ``presence.'' The FAA also recognizes that an identification system that relies upon display, challenge, and escort can only be as good as its users are vigilant and responsible.

Comments on proposed Sec. 107.209(a) (new Sec. 107.211(a)): UPS and ATA oppose application of identification requirements to flight and cabin crewmembers. They also oppose mandatory inclusion of expiration dates on media for current employees of aircraft operators. ATA states that an exemption should be allowed for flight and cabin crewmembers while they are in areas governed by exclusive area agreements. FedEx suggests that this section would place a tremendous administrative and logistical burden on the aircraft operator and crewmembers. One commenter urges the FAA to consider developing a photo identification for FAA pilot certificates in lieu of the existing non-photo based pilot certificate currently in use.

Several airports and two local aviation departments questioned the feasibility of having ``scope of access'' information on the face of the badge, particularly if there are numerous areas. To assist operators these commenters request that the FAA define ``accurate identification.'' ALPA raised the same concern and recommends that an AC be developed, or the current one amended, prescribing guidance for airport operators on the development of identification media. The AC should outline standard characteristics for all cards to make challenge easier while allowing latitude in other areas to accommodate individual airport needs. Furthermore, ALPA recommends that airport identification media be in full compliance with UAS standards, recently adopted by the FAA-chaired UAS Working Group.

ACI-NA, AAAE, and an airport agree with ASAC's recommendations that a 5-year expiration date for identification media is appropriate, particularly if the date is carried within the media itself. RAA does not support the requirement for an expiration date on personnel

[[Page 37300]]

identification media and requests that the FAA delete this provision.

ACI-NA and AAAE state that if audits are necessary, the FAA should consult with the industry to develop specific audit criteria and guidance documents. One commenter states that the FAA should define audit criteria, since airports need this definition to develop a system of record keeping to simplify the audit process. One airport agrees with ASAC's recommendation that 2-year audits are sufficient.

Two airports state that unaccountable badge percentages should be defined system-wide as the ``total unaccountable badges which include those lost, stolen, or not retrieved, divided by total unexpired badges issued.'' One commenter states that expired badges should not be considered as an ``unaccounted for'' badge. Another commenter states that factoring in badges with an expiration date in the unaccounted for percentage is not representative of any particular logic and requests the FAA to expand their discussion in terms of why an expiration date is necessary on a badge since airport operators are required to replace badges after a certain number of badges are not accounted for. This consideration should be a component in a cost analysis comparison for airports to upgrade their old Sec. 107.14 systems to accommodate an expiration date on security badges.

Several airports agree with the ASAC's recommendations that the unaccountable percentages of identification badges should be raised from 5 to 10 percent. This is a more logical and rational benchmark to replace an access media badging system.

An airport states that personnel who work for more than one company that requires access to the restricted operations area should be allowed to obtain an identification card for each company. One commenter states that this gives the companies more control.

FAA response: A fundamental concept of industrial security, to include that form practiced at the nation's airports, is to establish a credible and well controlled identification system. Without such a system, there can be no surety that the persons present at or having access to a protected asset are so authorized. As discussed earlier, identification systems are useful only if unbadged persons are challenged in a timely manner. It is important to limit the number of different identification media that can be used in an area. Too many different authorized ID's, or ID's that are difficult to read, make it too hard for authorized persons to determine who is not displaying a proper ID. Expiration dates, clearly visible at a reasonable distance, contribute to a system's usefulness. With this in mind, and in specific response to ATA, the FAA will not exempt or exclude any category of person or occupation from the requirement to properly display appropriate identification in such areas as the regulation or security program mandates with exceptions noted in new Sec. Sec. 107.7 and 107.11. Further, a person's failure to display proper identification in accordance with an approved security program, may result in an individual becoming the subject of an FAA enforcement action under new Sec. 107.11. This situation would not preclude other actions being taken by local authorities against the individual. Conceivably, additional culpability may attach to the regulated party responsible for control of the area in which the violation occurred.

At the same time, it must be noted that new part 108 provides a means for aircraft operators to develop identification systems that meet these standards that can be accepted by the airport operator. In this way, cabin and flight crew would not need to have a different ID for each airport, but could use their aircraft operator ID.

The FAA is not adopting the suggestion to add a photograph to the airman certificate to use it as a security tool. At best, the airman certificate would show that the person is a qualified pilot. It would not show that person's authority to be in any particular area of any particular airport.

In response to the several commenters who requested that the FAA further define ``accurate identification,'' the FAA has clarified the final rule. This information includes full name, full-face image, and identification number. The airport operator may include additional details or information at its option. Scope of access information can be displayed by using color-coded badges--a method in common use today.

In response to the commenters who addressed the issue of expiration dates, the FAA believes that clearly displayed expiration dates are an important aspect of identification media and challenge procedures. The recurring need to replace media that have reached an expiration date will afford the issuing authority the opportunity to review the holders' continued need for the media. Additionally, most identification systems will suffer some degree of unaccountability soon after implementation--identification can be lost, stolen, or otherwise become unaccounted. The unaccountable percentage generally grows over time. If expiration dates are clearly displayed, unaccountable identification media will become useless upon reaching their expiration date. Wearing an expired medium would single out the wearer as someone whose authority to be present must be challenged. The specific criteria for establishing expiration dates can be developed locally and in consideration of conditions unique to that location.

Additionally, the inclusion of an expiration date provides a benefit from a logistics standpoint. Media that have reached their expiration can be dropped from the population upon which the unaccountable percentage is based. Section 107.209(a)(3)(v) is changed in the final rule to make it clear that only media that are unexpired need to be counted for revalidation purposes.

Given the criticality of tightly controlled identification systems, the FAA cannot adopt the ASAC's suggestion that audits be performed only once every 2 years. It is not unreasonable to expect the various regulated parties to conduct comprehensive audits a minimum of once per year. In fact, such a practice is common at many airports today, while automation permits many airports to conduct audits even more frequently.

The FAA agrees with ACI-NA and AAAE that the FAA should consult with the industry to develop specific audit criteria. This will be accomplished following this rulemaking. The criteria will be incorporated into FAA-approved security programs.

The validity of an identification system is based, in part, on the idea that the media in circulation are controlled, and that only those persons who have a legitimate need for such media possess them. The validity of most identification systems can be expected to erode as media are lost, stolen, or otherwise unaccounted for over time. So, when a particular percentage of media become unaccounted for, this would represent a critical point marked as a percentage of the total population of the media. At some point, that percentage represents an unacceptably high risk to the assets the system seeks to protect. Therefore, the FAA supports the concept that the percentage figure of unaccounted identification must be based upon a common and valid formulation.

Along those lines, the FAA called for comments on what criteria should be the basis for accountability percentages. As noted in the NPRM, a range of 2 to 10 percent seems common, depending upon the nature of the venue. The FAA acknowledges the ASAC's recommendation that the traditional 5 percent maximum figure should be

[[Page 37301]]

increased to 10 percent, thereby allowing for a greater number of identification media to be unaccounted for before a system would need revalidation or replacement. However, the FAA believes 10 percent to be unacceptably high. Further, with technological advances, and the fact that the 5 percent figure has been in wide use for many years within the civil aviation system, the FAA sees no reason to alter that number as a maximum point at this time. However, as technologies change, and as systems are redesigned, a formula fixed in regulation may prove unwieldy. Hence, the FAA is not imposing a fixed system-wide percentage in the regulation. Since changing technologies and events may alter policy regarding the percentage, language fixing a percentage in regulation would be difficult to change in a timely fashion. Rather, the percentage will appear in the FAA-approved security programs, in accordance with FAA policy. Such programs can be modified in accordance with Sec. 107.105. Again, at present, the FAA policy provides for a maximum allowable unaccounted percentage of 5 percent. The economic analysis for this rule has been based upon that figure.

In response to the comments on personnel who work for more than one company, the FAA has revised the language in the final rule. The revision permits the airport operator to issue to the individual such identification media as are necessary to carry out the duties of any employment the individual may hold at the airport. But, the airport operator, if it chooses to exercise that option, must ensure that its records reflect all other media issued to that individual. The FAA's intent is that any situation that would cause the airport operator to modify, suspend, or revoke any of the privileges associated with any of the individual's identification media, would also cause the airport operator to review the privileges for all other identification media issued to that individual. The airport operator would then be expected to make a finding as to whether the circumstances giving rise to the change would warrant additional modifications to other privileges held by the individual.

As to the need for retrieval of media that bears an expiration date, the FAA notes that it is not uncommon in the press of business at an airport for expiration dates to go unobserved. In order to limit the exposure to the system posed by numerous expired identification media that may otherwise appear valid, the FAA believes retrieval of expired or unnecessary media to be a prudent measure and a reasonable expectation. Where retrieval is not possible, a readily observable expiration date may provide the airport operator an added dimension of security.

Comments on proposed Sec. 107.209(b) and (c): Several airports are concerned about the complex and exhaustive efforts that would be required of airport operators to license, catalogue and audit vehicles used in the critical security area and restricted operations area. An airport says that the cost to build and maintain a vehicle identification database and development of vehicle identification media would be significant. Federal Express, TWA and Alaska Airlines suggest that there is no case to support the inclusion of all airport vehicles in this system and that this requirement should only apply to vehicles which access the AOA from public roadways. ACI-NA, AAAE, UPS, and Federal Express state that this section and similar references to a new vehicle identification system should be deleted as they address no known security concern. Many other comments point out significant logistical and administrative difficulties with adopting a vehicle ID system.

ACC suggests the deletion of the requirement for vehicle identification altogether.

FAA response: The agency has reviewed the comments received on the proposed requirements for vehicle identification. It has come to agree with the commenters that a significant enhancement of security using this procedure at this time would not be realized. The agency believes, however, that it remains the responsibility of the regulated parties as well as individuals, all of who are now subject to new Sec. 107.11, to assure that existing systems and procedures are applied as intended.

In light of existing requirements for control of ground vehicles under part 139, the requirements for access control in Sec. 107.205(a) and the challenge program in Sec. 107.209(f), the FAA believes that adequate measures are in place to identify unauthorized individuals and any vehicles they may be driving. These measures will only be successful if tenants and employees diligently apply the required measures so as to avoid incidents that may require more stringent standards.

The agency has removed the proposed vehicle identification requirements at this time, however, the FAA will monitor the situation and may reconsider vehicle identification in future rulemakings, should circumstances warrant.

Comments on proposed Sec. 107.209(d) (new Sec. 107.211(b)): There were no comments on this section.

FAA response: The FAA notes that the intended purpose of temporary identification is the same as for permanent identification, and as discussed in the response to comments on Sec. 107.209(a). One difference is that the need is short term. The use of temporary identification media is not restricted to any particular class of person or occupation. The FAA believes such latitude is best left to the local authorities. Further, the agency wishes to make clear that the decision to use such media is left solely to the airport operator. The language of Sec. 107.211(c) is only intended to place a consistent and reliable structure to such a program should it be employed.

Comments on proposed Sec. 107.209(e) (new Sec. 107.211(c)): ALPA states that ``Airport-approved identification media'' should be renamed ``Non-airport issued identification media'' for the sake of accuracy and clarity.

One commenter states the security program should indicate that use of aircraft operator identification media issued to flightcrew members of certificated aircraft operators is authorized for unescorted movement in the following portions of the AOA: (1) The immediate vicinity of the aircraft to which flightcrews are assigned, (2) flightcrews operations/flight office, or the equivalent; and (3) points in between, as defined in this security program.

One commenter opposes allowance of airport operators to approve the identification media of other entities that meet the standard of the regulation. This commenter would be willing to allow such media in exclusive area agreements where the entity responsible for that area permits that media.

FAA response: In response to ALPA's call to rename ``airport- approved identification media,'' the agency offers the following. For an identification medium to be accepted as a reliable indication of unescorted access authority in the SIDA, the media must be approved for the individual airport security program. For instance, an airport security program would not approve the use of an aircraft operator identification medium unless that aircraft operator was operating at that airport.

Of the airport-approved media, some are issued directly by the airport operator. Other media approved for use by the airport actually are issued by other entities such as the aircraft operators or the FAA. The main difference is the party of issuance. ``Airport-approved media'' is a term that encompasses all media, regardless of issuing party, since all such media are

[[Page 37302]]

cited as valid for use on the airport in the language of the security program. On the other hand, ``airport-issued media'' refers only to those physically issued directly by the airport operator. The agency believes the terminology to be properly descriptive, historically useful, and accurate. The proposed terminology is retained.

The suggestion to include language in the security program specifying the unescorted movement privilege that attach to flight crew identification media is fully consistent with a nationally mandated amendment to all FAA-approved security programs. The amendment became effective in 1993 and remains current. The new part 108 requires the same standards for identification media as part 107.

Additionally, contrary to the views of the last commenter, the FAA strongly believes that a great deal of discretion must fall to airport operators in exercising their judgment as to what other media, if any, meets the standards for approval and use within their airport security system. Since such a major portion of the responsibility for the security of the airport's surface falls on the airport operator, the FAA believes it reasonable to relegate most decisions in regard to the acceptability of others' identification to the airport operator.

Comments on proposed Sec. 107.209(f) (new Sec. 107.211(d)): One commenter states that challenge procedures should continue to be solely reflective of locally developed performance standards and the FAA should not micromanage the program further. The commenter urges serious reconsideration of this measure.

ACI-NA and AAAE recommend adding a subparagraph (4) under Sec. 107.209(f), incorporating the details of the ``challenge program'' to be described in the security program.

One airport requests that the phrase ``law enforcement support'' be replaced with ``support.'' All challenges may not need to escalate to the LEO level.

FAA response: The agency is not dictating specific challenge procedures. Instead, it only proposed requiring that an acceptable local program be developed in compliance with the general language of new Sec. 107.211(d).

The FAA concurs with the principle that the details of the challenge program should be developed locally and reflected in the security program, and Sec. 107.211(d) so states.

The FAA agrees in part with the comment to replace the phrase ``law enforcement support'' with the less specific ``support.'' The language in new Sec. 107.211(d)(3) clarifies that a response by other than law enforcement personnel may be included in the program. However, the airport operator continues to be obligated to ensure adequate armed law enforcement response in support of the program. This has been reflected in the final language.

New Sec. 107.211 also includes requirements for escort, which is discussed above under proposed Sec. 107.205(d).

Section 107.213 Training (Proposed Sec. 107.211)

The FAA renumbered this section as Sec. 107.213, it was proposed as Sec. 107.211. In the NPRM, the FAA proposed that persons with security responsibilities and with unescorted access to the critical security area (now the secured area or a SIDA in the final rule) be trained similar to that current requirements under existing Sec. 107.25.

All individuals who have unescorted access to, and movement privileges within, the AOA would be provided with information commensurate with their security responsibilities under this proposal.

In addition, this proposed section directed the airport operator to ensure that persons performing security functions for the airport are briefed on their responsibilities under the proposed rule, the security program, and any other pertinent security information.

This proposed section also specified requirements for maintaining documentation of training and the deadline for implementing a revised training syllabus.

Comments on proposed Sec. 107.211(a) (new Sec. 107.213(a)): One airport requests that the FAA delete the phrase ``Security Directives and Information Circulars'' from Sec. 107.211(a). The airport operator cannot be responsible for retraining all employees every time new Security Directives or Information Circulars are issued.

FAA response: While the FAA understands the commenter's concerns, the proposal may not be as broad as the commenter may perceive. An airport operator is only required to train a person on a new Security Directive or Information Circular if the requirements and information in the document is applicable to the person's job and when that job is performed on behalf of the airport operator. A person without ``the need to know'' need not be briefed, and in fact, cannot be briefed under the provisions of Sec. 107.101(c)(1).

Comments on proposed Sec. 107.211(b) and (c) (new Sec. 107.213(b) and (c)): Under Sec. 107.211(b) and (c), the airport operator is required to ensure that all employees authorized access to the critical security area or the restricted operations area have training. Under proposed Sec. 107.7, the airport is required to issue any FAA special agent an airport identification upon request. Commenters see this requirement as a double standard; they state that everyone requesting an airport badge should be required to complete local airport safety training. Miami International Airport states that a new airport employee can not obtain an identification badge without taking the SIDA class.

Commenters say that Sec. 107.211(c) indicates that the airport operator would have to provide every individual a copy of the whole curriculum. Commenters hope that this is not the intent. ACI-NA and AAAE interpret the proposal to mean that each airport would develop its own curriculum, and suggest that national standards may not be appropriate at individual airports.

Several airports comment that a statement should be included to allow for ``grandfathering'' existing individuals authorized unescorted access privileges under the existing SIDA badge issuance under old Sec. 107.25.

Another airport states that for secured areas, an individual must be trained but should not need to acknowledge the training in writing. For AOA's, they must receive information and acknowledge in writing. This seems to be putting more stringent requirements on AOA's than secured areas training.

A commenter states that the two-tiered training program, which provides less stringent training requirements for AOA personnel, has little utility. The commenter submits the differences between the two to be minimal and states that a more conservative higher level training standard approach does no harm.

FAA response: The FAA understands the commenters concerns regarding issuance of an airport identification upon request of any FAA special agent. As discussed more fully under Sec. 107.7, the agency agrees that under routine circumstances, appropriate safety and security related training should be provided to FAA special agents before they exercise full access privileges to an airport. Such training can be provided at the airport which is the agent's primary duty location and can be supplemented with local training at other airports requiring such training. This approach is in common use today throughout the industry for persons requiring similar access privileges. In emergency situations, such as in responses to hijacking situations, the responding agents may not have the opportunity to

[[Page 37303]]

be provided the training or access media for that particular airport. The exigencies of their unique duties in such circumstances may override other considerations and the language of the final rule has been modified to permit this.

New Sec. 107.213(c) does not require that each trainee be provided the whole curriculum. The intent is to ensure that employees have been provided all relevant information in accordance with the security program. The relevant information can be given in writing, by videotape, a personal briefing, or any other means the airport operator chooses to provide the information to the individual. The FAA agrees that each airport would develop its own curriculum.

The rule does not provide that all individuals who have already taken training under current Sec. 107.25 may be ``grandfathered.'' Each airport will have to evaluate whether there have been changes, for example, designations of areas as AOA or secured area. If changes are made, the airport must train those individuals who need to comply with the new conditions.

In regard to the comment that the proposal on training acknowledgements seems inconsistent on its face, persons receive the more definitive training required for unescorted secured area and SIDA access in a more formal, classroom-like setting, with the ability to ask questions. The airport operator can directly observe whether the person has successfully completed that training.

Conversely, persons receiving information necessary for AOA access may do so in a less formal, more self-study process in which case an acknowledgement by the trainee would be an appropriate record. However, it is evident that training under Sec. 107.213(c) may also be in a classroom setting. The final rule in Sec. 107.213(d) does not require an acknowledgement by the trainee under Sec. 107.213(c), it only requires that a record of training given to each individual be maintained.

In regard to the comment on the two levels of training, the FAA has sought to provide for an option to train those with access to the AOA only using a lower-cost method. Should an airport operator wish to exceed the minimum required training standards and require more formal training, the FAA would be supportive.

Comments on proposed Sec. 107.211(e) (new Sec. 107.213(f)): One airport is concerned that proposed Sec. 107.211(e) would allow all training to be dropped for the 2-year period prior to the effective date of the rule.

FAA response: After further consideration, it appears that the only new feature in Sec. 107.203(b) for training for persons with access to secured areas or SIDA's is training in Sec. 107.11. Therefore, new Sec. 107.213(e) provides that for persons who already have such access, classroom training will not be required. The airport operator need only to provide them information on Sec. 107.11. Providing information under new Sec. 107.213(e) is a new requirement, but is less complicated than the Sec. 107.213(b) training. Airports will have 1 year to implement this program.

Section 107.215 Law Enforcement Support (Proposed Sec. 107.213)

This section was renumbered in the final rule as Sec. 107.215, it was proposed as Sec. 107.213. In the Notice, this section specified the qualifications of law enforcement support required under proposed Sec. 107.103, which were similar to those in current Sec. 107.15. The most substantial change made to this proposed section was the distinction between the use of uniformed and ``plainclothes'' law enforcement personnel.

Comments: Phoenix Aviation Department, Tucson Airport, and Port Authority of NY and NJ request more flexibility for airport operators to be permitted to respond with ``plainclothes'' officers provided appropriate insignia/badge is displayed when necessary. The FAA was urged to reconsider the uniformed concept and allow plainclothes LEO response, while airports should be expected to maintain a visible uniformed presence throughout the airport environment.

ALEAN and two airports request the FAA to delete references to ``in the number and manner'' in Sec. 107.213(a). Several airports state that the number of officers necessarily is a local decision.

Alaska Airlines recommends that the airport law enforcement and aircraft operator should establish a triage type system for LEO response. Two airports state that Sec. 107.213(b)(1) should be clarified to state that LEO's are to be available to respond to an ``airport security related'' incident. Another airport states that Sec. 107.213(b) is a general and non-specific section and could mean response at anytime to any location on the airport. If this section is referring to the screening checkpoint, it should state that.

ATA and RAA support the requirement that, on request of an aircraft operator or foreign air carrier, certified law enforcement personnel should respond to an incident.

FAA response: In response to the commenters who urged the FAA to reconsider its position on the use of only uniformed law enforcement personnel for the response to the screening checkpoint, the agency points out that the language of the regulation does not preclude the use of plain-clothes officers to supplement a uniformed response, or to supplement or comprise a complete response to any other situation. Regarding a response to the checkpoint, however, the value of a uniformed law enforcement presence in terms of deterrence, ease of recognition during an emergency situation, and in sustaining the confidence of the public, cannot be overstated. The FAA insists that this capability continue.

The FAA recognizes that the ``number and manner'' in which law enforcement personnel are provided is largely a local determination under new Sec. 107.215(a)(1). The FAA looks to whether law enforcement responds to screening checkpoints, alarming doors, and other events in a timely manner, as well as providing adequate security patrols.

In response to Alaska Airlines and others, the FAA notes that proposed Sec. 107.213(b) (new Sec. 107.215 (b)) applies only to those airports identified in Sec. 107.103(c). Such airports normally do not have airport law enforcement on site and only have limited passenger operations that would require screening and law enforcement support. The wording in the proposal is essentially unchanged from the current Sec. 107.15(b) and refers to a law enforcement response for any reason in support of the civil aviation security program. The FAA sees no need to modify the language or to require a ``triage system'' as suggested.

Section 107.217 Law Enforcement Personnel (Proposed Sec. 107.215).

In Notice 97-13, this section was proposed as Sec. 107.215. It has been renumbered as Sec. 107.217 in the final rule. As discussed in regards to proposed Sec. 107.213 above, the requirement for all law enforcement personnel to be in uniform was modified. To reflect the proposed change it was proposed that Sec. 107.215(a)(2) not include the uniform requirement as appears in current Sec. 107.17(a)(2).

Proposed Sec. 107.215(c) updated training requirements in current Sec. 107.17(c) for State and local law enforcement officers to reflect the fact that all states have law enforcement training programs. This proposed paragraph also specified that private security personnel used to meet the requirements of part 107 must be trained in a manner acceptable to the

[[Page 37304]]

Administrator if the State and local jurisdiction does not prescribe training standards for such personnel.

Comments on proposed Sec. 107.215(a) (new Sec. 107.217(a)): NAPO and Monterey Peninsula Airport are concerned that there will be substantial replacements of law enforcement officers (LEO's) by less experienced and inadequately trained private security forces. NAPO states that the FAA should not generate a rule inviting substantial replacements of experienced and well-trained LEO's which will have potentially serious consequences on airport and aircraft operator security. NAPO recommends that the FAA specify areas of the airport and situations mandating the presence of LEO's and also require a minimum contingent of LEO's at each US airport. One airport suggests replacing the word ``indicia'' with ``appropriate badge or uniform of authority.''

FAA response: The FAA does not have the latitude to provide for the concerns raised by the NAPO and other commenters. The term's ``law enforcement personnel'' and ``indicia of authority,'' as reflected in proposed Sec. 107.215 (new Sec. 107.217), were established under Title 49, United States Code section 44903. The statute authorizes the operator to use the services of qualified State, local, and private law enforcement personnel. The regulation is revised to be consistent with the statutory language.

Comments on proposed Sec. 107.215(b) (new Sec. 107.217(b)): Miami International Airport, UPS, ACI-NA, AAAE, and others comment that the FAA should provide for local law enforcement officers to be ``deputized'' to enforce federal regulations. Some of the commenters' note that LEO's are more often called to respond to incidents such as interference with flight crews, where they have no authority to take action nor are they supported by the statute.

FAA response: Situations such as cited by Miami International Airport and other commenters fall outside the scope of this rulemaking. The FAA notes, however, that nothing in the final rule precludes having law enforcement personnel deputized to enforce selected Federal statutes. Further, there are some airports at which selected airport police officers have been deputized by the United States Marshal Service.

Comments on proposed Sec. 107.215(c) (new Sec. 107.217(c)): Two airports request a deletion of the reference to ``LEO's'' from Sec. 107.215(c). Another commenter recommends retaining the title law enforcement ``officer'' instead of law enforcement ``personnel.'' Miami International Airport states that LEO is a recognized term within the industry. ALEAN states that the term ``private law enforcement personnel'' is confusing and problematic. The phrase should be ``private security personnel.''

Tucson Airport and Phoenix Aviation Department request clarification of what constitutes adequate training under this section. Two airports and a port authority request removal of reference to ``any other subject the Administrator determines is necessary,'' stating that this gives the FAA a blank check to do anything.

FAA response: As explained previously, the use of the terms ``law enforcement personnel'' and ``private law enforcement personnel'' are consistent with Title 49 U.S.C. Sec. 44903. To be qualified for this task, law enforcement personnel (whether state, local, or private) must have the arrest authority, weapons authority, and training set out in this section. The term ``private security personnel'' often is used for uniformed persons who are not armed and do not have arrest powers, and is not suitable for this section. The FAA knows of at least one airport jurisdiction in which law enforcement support had been provided to the airport operator under contract by a private firm. There, privately employed individuals were granted arrest powers and in all other respects meet the requirements for law enforcement support as outlined in this statute and part 107.

In response to the Tucson Airport, the FAA notes that the language of the final rule, in effect, leaves to the local jurisdiction the determination as to what constitutes ``adequate training'' for publicly employed LEO's. In the case of private law enforcement personnel serving the law enforcement role required under this part, the Administrator must approve their training, and must, therefore, determine the adequacy of their training.

With respect to the phrase ``any other subject the Administrator determines is necessary,'' the FAA Administrator reserves the right to add to the training program. The changing nature of the civil aviation security program, and of terrorism or other criminal threats in general, may generate the necessity for additional training in the future that cannot be anticipated at this time.

Comments on proposed Sec. 107.215(d) (new Sec. 107.217(d)): Five airports state that the FAA should remove reference to ``principal operations office'' and add ``as detailed in the security program.'' The place of retention of training records is a matter of legal guidance and operational needs and preferences.

Another commenter states that police training records should be maintained by airport police personnel. A commenter asks who pays for maintaining the training records required by this paragraph.

The Tucson and Phoenix Airports question the means and resources of training under this section.

FAA response: The FAA concurs with the commenters' concerns regarding the location of the records. The final rule does not specify the location of the records.

The final rule does not require the airport operator to possess the actual records, it only requires that they be available for review upon request in accordance with Sec. 107.7(a)

The rule does not specify who will absorb the costs for maintaining the training records. Likely, this will depend on what entity maintains the records.

Section 107.219 Supplementing Law Enforcement Personnel (Proposed Sec. 107.217)

In the Notice, this section appeared as Sec. 107.217; it has been renumbered in the final rule as Sec. 107.219. Under the proposal, existing Sec. 107.19 entitled ``Use of Federal law enforcement officers,'' was revised and renumbered as Sec. 107.217, ``Supplementing law enforcement personnel.'' This revised section sets forth the same procedures for an airport operator to request Federal assistance in supplementing local law enforcement, and has incorporated statutory language that would provide for supplemental support from any personnel employed by the Federal government.

Comments: Commenters suggest that the idea of supplementing airport LEO's with Federal officers is fraught with problems including jurisdiction, legal authority, training and availability. The NAPO recommends that the FAA should reconsider its clarification of statutory authority to allow for wholesale substitution of governmental LEO's in all airport locations under most circumstances and situations. Another commenter suggests that Sec. 107.217(b) should be removed because the statement is too broad and serves no interest.

FAA response: New Sec. 107.219(a), which remains unchanged from the proposal, is intended to provide emergency law enforcement support to airport operators where local law enforcement is either no longer available or is not adequate to meet the requirements of an emergency situation. While this provision has existed in regulation for many years, it has not yet

[[Page 37305]]

been invoked. Commenters are referred to Title 49 United States Code section 44903(c).

The basic information required by Sec. 107.219(b) is intended to help the Administrator decide whether or not to supplement local law enforcement personnel and to prioritize assignment of resources in the event multiple requests are received. The specific requirements of paragraph (b) are directly related to Title 49 United States Code section Sec. 44903, and therefore must be retained.

Section 107.221 Records of Law Enforcement Response (Proposed Sec. 107.219)

This section has been renumbered in the final rule as Sec. 107.221; it was numbered as Sec. 107.219 in the proposed rule. The FAA proposed that Sec. 107.219 would incorporate new recordkeeping requirements found throughout the proposed rule and ensure that the FAA has access to such records.

Under proposed Sec. 107.219(a) the FAA would have access to any record required under the proposed rule and would require the submission of records to the FAA pursuant to a schedule approved in the airport's security program.

A slight modification was proposed for records resulting from law enforcement activity. In proposed Sec. 107.219(b)(l), the word ``action'' was changed to ``response.'' Proposed Sec. 107.219(b)(2) extended the period of time during which records must be maintained to a more practical 180 days. It was also proposed in Sec. 107.219(c) to require records to include more specific information about individuals who are detained or arrested. This information would aid the FAA and the FBI in the investigation of such incidents and in the analysis of data as a management tool.

The addition of proposed Sec. 107.219(d) would require the airport operator to make and maintain for 180 days records of any corrective action taken against persons who fail to comply with falsification and security responsibilities under Sec. Sec. 107.9 and 107.11. A new Sec. 107.219(e) was also proposed to require the airport operator to maintain any additional records that may be needed to support the security program, and highlight additional recordkeeping requirements found throughout the proposed rule.

Comments on proposed Sec. 107.219(a): Three airports, a port authority and an aviation department request that the FAA replace the word ``furnished'' with ``made available.'' Another commenter states that Sec. 107.219(a) should be deleted, and add ``Records required to be maintained should be made available to the Administrator upon request.''

One commenter states that increasing record creation/maintenance requirements for the pleasure of the FAA incorporates no increase in security posture while encroaching upon visible patrol time and availability of personnel for timely response to needs for LEO services.

FAA response: After further consideration, it is evident that new Sec. 107.7 provides for inspection by the FAA of records used to show compliance with this part. Therefore, proposed Sec. 107.219(a) is not needed and is not adopted.

Comments on proposed Sec. 107.219(b) (new Sec. 107.221(a)): The Airport Consultants Council (ACC), an airport, a port authority, and a local aviation department state that the FAA should consider more realistic record retention requirements and strongly urges the FAA to reassess the across-the-board 180-day timeframe and develop a more logical retention matrix associated with the type of information. Another commenter recommends maintaining the current 90-day requirement. A commenter states that the vast majority of the records required in this section is generated at the security checkpoint and would be best supplied and retained by the aircraft operator and their contractors. Another airport states that records for police actions should be the only requirement as there are a significant number of responses where no action is taken. Metropolitan Washington Airports Authority requests that the FAA replace the phrase ``law enforcement response'' with ``law enforcement action.''

FAA response: This paragraph is renumbered Sec. 107.221(a) in the final rule. The FAA's 180-day timeframe is intended to ensure that the subject records are maintained during what is expected to be the maximum period between regularly scheduled FAA inspections. It is hoped that this interval will ensure that records are available when and as needed for FAA purposes.

The records required by this section refer to law enforcement records. The FAA agrees with the substance of the comment that only certain actions taken in support of the security program should be provided to the FAA, while other records need only be made available upon request. Therefore, the final rule requires that records be made of law enforcement ``actions'' instead of the broader category of ``responses.'' The specific types of records that the FAA expects the airport operator to provide routinely, in accordance with the schedule included the security program, would include actions taken in support of the security program and that result in arrests, detentions, or discovery or confiscation of weapons, explosives, and incendiaries.

Comments on proposed Sec. 107.219(c) (new Sec. 107.221(b)): The ACC and an airport state that Sec. 107.219(c)(4) is too broad a category. The FAA needs to assess the validity of retaining this information. One commenter suggests the FAA provide a process to gather and store relevant statistics in a timely manner.

FAA response: This paragraph is renumbered Sec. 107.221(b) in the final rule. The FAA disagrees that the information cited under the proposed rule is broad. Rather, it believes that such information in 107.221(b)(4) is specific, and is routinely developed for each instance of detention or arrest. The agency believes this information is necessary to identify trends, and to meet reporting requirements placed upon the FAA by other entities, to include the Congress.

Comments on proposed Sec. 107.219(d): FAA is not adopting language related to a compliance and enforcement program as proposed under Sec. 107.103, at this time. Such issues will be dealt with in a later rulemaking action.

Comments on proposed Sec. 107.219(e): An airport, a port authority and a local aviation department suggest that the FAA delete the phrases ``maintain any additional records'' and ``but not limited to'' in Sec. 107.219(e). Any new requirement for maintaining records should be introduced through the rulemaking or amendment process with sufficient time to implement the recordkeeping procedures.

FAA response: The FAA agrees that any additional reporting requirements, particularly as levied by entities with authority over the FAA, such as, the Department of Transportation and the Congress, would not be so time critical that a more deliberate approach is precluded. The agency, therefore, recognizes that airports would need time to comment on and to implement any additional recordkeeping procedures beyond that already specifically required in regulations or security program language. Proposed Sec. 107.219(e) is withdrawn.

Section 107.301 Contingency Plan

This proposed new section would require airport operators to implement FAA-issued contingency measures contained in their security programs when directed by the Administrator. It also proposed that airport operators (and aircraft operators under parallel

[[Page 37306]]

language of part 108) should test these contingency plans to ensure that all parties involved are aware of their responsibilities and that information contained in the plan is current.

Comments: Sacramento County Department of Airports requests clarification of the Contingency Plan and asks whether the FAA expects airports to replace the Aviation Security Contingency Plan (AVSEC).

ACC requests that the FAA update its alert levels and contingency measures.

An airport and a port authority state that the term ``exercises'' should be removed from the phrase, ``conduct reviews and exercises.'' Then the regulations would parallel to existing part 107 and part 139. Another commenter recommends an annual requirement to review and exercise the contingency plan.

Two airports state that Sec. 107.301(b) should specify that table top exercises instead of the application of measures with real events is sufficient to meet the requirement for reviews and exercises.

One commenter states that it is the FAA's responsibility to ensure that invited parties participate in contingency plan reviews and exercises. Another commenter recommends that aircraft operator participation should be addressed in part 108.

FAA response: The current AVSEC Plan is mandated by a security program amendment. The FAA does not expect the airports to replace the AVSEC Plan based upon this rulemaking. Rather, this proposal language was intended to clearly state the regulatory foundation for the existing plan.

The FAA disagrees with the commenter who suggested removal of the requirement for airport operators to conduct ``exercises'' of their contingency plans. The FAA developed the AVSEC Plan to ensure that the FAA, airport operators, aircraft operators, and other affected parties are able to respond effectively and on short notice, to each threat to civil aviation security. A contingency plan, in order to be most effective, must be rehearsed regularly with all key participants and infrastructures involved. The FAA experience has shown this approach will help to ensure a timely response to actual threats, therefore, the requirement to perform ``exercises'' will remain. The agency expects that such exercises will be conducted in accordance with requirements established in local security programs.

The airport operator has a responsibility to ensure that all key participants, including aircraft operators, are knowledgeable about the contingency plan and participate in exercises. Consistent with this, aircraft operators have a responsibility under Sec. 108.301 to develop and practice the contingency plan and to participate in tabletop exercises of the airport plan. The FAA views its role as ensuring that all parties to this plan maintain a state of preparedness necessary to respond to reasonably foreseeable situations. The agency believes the regulation, as modified, promotes that end.

Section 107.303 Security Directives and Information Circulars

This proposed new section would correspond to proposed Sec. 108.305 and requires airport operators to respond to Security Directives in the same manner as aircraft operators.

The FAA has used Security Directives as a means to disseminate information to aircraft operators concerning security threats and to require appropriate measures to be implemented. The FAA uses Information Circulars for the notification of general information regarding threats to civil aviation security.

This section also proposed to permit the ASC to apply for a security clearance through the FAA in order to receive classified information related to national security.

Comments on Sec. 107.303(a): One airport states that Sec. Sec. 107.303(a) and (b) are inconsistent. Paragraph (a) refers to the Assistant Administrator issuing a Security Directive and paragraph (b) refers to the Administrator issuing a Security Directive. Another commenter states that the language should be amended to account for the fact that the Administrator issues Information Circulars to convey threat information.

One commenter states that the type and quality of threat information provided to the airport operators is barely useful in security practices.

One port authority states that the FAA should specify in the language that all Security Directives will be addressed to the ASC and/ or their designated alternate.

One commenter states that there should be some distinction made between airport and aircraft operator Security Directives.

FAA response: The FAA agrees that there were apparent inconsistencies in the language. The final rule has been amended to reflect that all actions are taken by the Administrator. However, under Sec. 107.1(b) the Administrator's authority is also exercised by the Assistant Administrator for Civil Aviation Security or the Deputy Assistant Administrator for Civil Aviation Security. Section 107.1(b) also addresses further delegation of the Administrator's authority.

In response to the commenter that stated that threat information is ``barely useful,'' the FAA notes that it makes every effort to provide useful threat information to all regulated parties. However, much of the information upon which Security Directives and Information Circulars are based may have been classified by other Government agencies. Consequently such information can only be released if it has been crafted in such a way as to protect the interests of those agencies. The ability of the agency to grant a Federal security clearance to certain airport officials allows greater latitude in passing on more specific, and hopefully more useful information.

Further, often the information the government holds is very limited, and there is little more specific information to pass along. In such a case, the FAA provides what information it can to keep the airport operator as informed as possible.

The FAA agrees with the commenter that the ASC plays a crucial role in the chain of communication. The final language of the regulation reflects in Sec. 107.5(b)(1) the ASC as the point of contact for this purpose, however, other officials at the airport may also receive information at the FAA's discretion and based upon the circumstances.

The FAA agrees with the commenter who notes that confusion could result when more than one type of regulated party receives a similarly titled document. The FAA also recognizes that the Emergency Amendment process has been used for the notification of both airports and foreign air carriers regulated under part 129. The agency notes that the language of the documents generated under this provision will clearly indicate their applicability and intent.

Comments on Sec. 107.303(b): One airport and a local aviation department state that airports should have a minimum of 3 business days to comply with Security Directives.

FAA response: The FAA does not believe it is appropriate to provide in the regulation a minimum of 3 business days to comply with Security Directives. Security Directives usually respond to an immediate threat. Hence, the FAA will not place regulatory constraints upon its ability to be responsive in these situations. It will, however, be mindful of the difficulties in complying with contingency measures and will permit additional time for implementation where the circumstances of the situation permit.

[[Page 37307]]

Comments on proposed Sec. 107.303(c): One commenter strongly opposes Sec. 107.303(c) that presumes to regulate the airport via the Security Directive.

One airport states that a Security Directive cannot be implemented in ``24 hours.'' Another commenter suggests replacing the references to ``24 hours'' or ``72 hours'' with references to business days (such as, 1 day or 3 days). Miami International Airport suggests that ``24 hours'' and ``72 hours'' should refer to business hours. Smaller airports are not continuously staffed and may not receive a Security Directive until resuming normal workday hours. Otherwise, the FAA must be required to contact the airport to advise that a Security Directive is being transmitted.

One commenter strongly disagrees with the time requirements to comply with a Security Directive. Any significantly intrusive or expensive measure would only need to be implemented if the airport, aircraft operators and the FAA agree that the threat justifies the action.

One commenter states in regards to Sec. 107.303(c)(3) that airports should only be responsible for advising employees directly employed by the airport with a need to know (those on the payroll).

FAA response: The Security Directive process, like the Emergency Amendment process that has been in use for years, is intended to respond to imminent threats. The FAA cannot categorically state in this rule that in each case the airport should have a specified number of hours or days to implement the measures. The FAA is aware that each case must be evaluated, and the circumstances of each airport must be considered, in determining compliance times.

The FAA disagrees with the commenter who addressed Sec. 107.303(c)(3) in that the airport operator may be the only appropriate authority to pass on such information, especially to persons not employed directly by the airport operator or an aircraft operator. The airport operator may also be the only authority in the position to design, describe, and institute appropriate measures. Further, the airport operator has control over such critical functions as the access systems and identification systems. As such, the duty to provide such details to persons having the need to know would logically fall to the airport operator.

Comments on proposed Sec. 107.303(d) and (e): There were no comments on these paragraphs.

Comments on proposed Sec. 107.303(f): Another commenter strongly supports receiving classified information after the ASC has applied and received a security clearance.

FAA response: The proposed language was intended to highlight this option. However, the language has been deleted in the final rule simply because it is unnecessary. The FAA wants to make it clear that the option for the airport operator to receive classified material by an appropriate designated official still exists, and the FAA actively encourages the exercise of that privilege.

New Sec. 107.303(e) makes clear that the airport operator may submit written comments on a Security Directive. The FAA currently receives many verbal comments on Emergency Amendments, and expects to continue to receive verbal comments on Security Directives issued to airports. This often is a quick way for industry and the FAA to exchange information on the practical impact of the Emergency Amendment or Security Directive and for the FAA to provide guidance, and make changes to the Emergency Amendment or Security Directive as needed.

Section 107.305 Public Advisories

This proposed new section was added to incorporate new statutory language and a 1986 security program amendment.

Comments: ASAC and six airports recommend that the most effective means to notify passengers of public advisories is to flag those foreign airports on airline reservations systems. The booking agent would then notify the passengers verbally that the destination airport does not meet FAA standards.

Three airports and a local aviation department recommend that the aircraft operators should be responsible for posting warnings in the ticket jacket. A part 108 requirement to advise passengers via ticket sleeve inserts would diminish airport signage costs, information overload and clutter.

One airport asks why the security program has to specify the timeframe that the public advisory shall be posted? It is meaningless to have an arbitrary time of posting in the security program. Another airport states that by the time the passengers see the sign, they have checked in and committed themselves to the trip.

FAA response: The requirement to provide public notification at US airports that a foreign airport has been determined to have failed to maintain or carryout effective security measures is found in the Title 49 U.S.C. 44907(d)(1)(ii)(A). Under this statute the notification also is published in the Federal Register and the news media is notified. The FAA believes that posting the identity of that airport is best accomplished by a single entity at each location. That entity is determined to be the airport operator. The law also requires aircraft operators to notify their passengers of that foreign airports' status.

As to the question regarding timeframes for postings, the rule provides that the period of time is determined by the Secretary of Transportation.

Section 107.307 Incident Management

This new section was added to require the airport operator to establish procedures to evaluate and respond to threats of sabotage, aircraft piracy, and other unlawful interference to civil aviation operations.

Proposed Sec. 107.307(b) would specifically provide that the evaluation of a threat would be conducted in accordance with the security program. However, any event covered by the part 139 airport emergency plan, such as an actual hijacking, would be handled as specified in the airport emergency plan.

To promote coordination between part 107 and part 139, the FAA also proposed to amend Sec. 139.325 to ensure that emergency response procedures to hijack and sabotage incidents contained in the airport emergency plan are consistent with the approved security program. Proposed Sec. 107.307(d) supported this coordination by requiring the airport operator to review annually threat and incident response procedures. Such a review is intended simply to ensure threat response procedures and contacts are still accurate and should not be interpreted as a requirement for a full-scale exercise.

In the event that an airport required to have a security program under part 107 is not required to have an airport emergency plan under part 139, proposed Sec. 107.307(c) would require the airport to develop emergency response procedures in addition to threat evaluation procedures.

Comments: The Sacramento County Department of Transportation and two airports recommend deleting Sec. 107.307. An airline suggests that Sec. 107.307(a) could lead to disputes between the aircraft and airport operators as to who should actually evaluate bomb threats against flights and aircraft. One commenter recommends removing the phrase, ``As described in the security program'' from Sec. 107.307(a) since it is unnecessary.

FAA response: The FAA agrees that the proposal was not clear as to the airport's role in evaluating threats made to air carriers. The final rule states that

[[Page 37308]]

the airport operator must evaluate or take action on only those bomb threats it receives directly, or that are referred to the operator by any other entity. For example, should an aircraft operator receive a bomb threat that it evaluates under the provisions of Sec. 108.303 and determines that the bomb threat is neither specific nor credible, it need not refer the bomb threat to the airport operator. However, if the aircraft operator refers a threat to the airport operator or if the airport operator receives a threat directly or by other means, the airport operator is obligated to act under the provisions of Sec. 107.307.

The FAA also agrees with the commenter's request to delete the opening phrase ``As described in the security program'' from Sec. 107.307(a). Since the implementing details of almost all requirements appearing in part 107 are placed in the FAA-approved security program, the insertion of the subject language in Sec. 107.307(a) is unnecessary.

Part 139--Certification and Operations: Land Airports Serving Certain Aircraft Operators

Section 139.325 Airport Emergency Plan

The FAA proposed to add a new section, Sec. 107.307, to require the airport operator to establish procedures to evaluate and respond to threats of sabotage, aircraft piracy, and other unlawful interference to civil aviation operations. Existing part 107 lacks a specific requirement for airport operators to respond to threats of such criminal activity. Instead, part 139, Certification and Operations: Land Airports Serving Certain Aircraft Operators, requires airport operators to be prepared to respond to an actual incident of sabotage, hijack, and other emergencies by developing and testing an airport emergency plan under Sec. 139.325. These emergency procedures are sometimes incorporated in the security program verbatim, and generally speak to emergency services responses.

The FAA believes that emergency response procedures to such incidents such as bombing or hijacking, should remain in the part 139 airport emergency plan. An expedited response to emergency situations is critical, and response procedures to any emergency should be limited to one document to minimize delays and confusion.

To promote coordination of the procedures to implement the requirements of part 107 and part 139, the FAA proposed to amend Sec. 139.325 to ensure that emergency response procedures to hijack and sabotage incidents contained in the airport emergency plan are consistent with the approved security program.

Comments: One commenter recommends removing the requirement to have the airport operator to obtain two approvals for its security program (FAA Security Division and FAA Airports Division). Another commenter recommends excluding all emergency plans dealing with security, stating that security emergency plans belong in part 107 only. Another commenter states that the consensus of the airport community is to remove any cross-reference between part 107 and 139.

One commenter states that part 139 does not have protection under the non-disclosure rules.

FAA response: Nothing in this rule requires the airport operator to obtain two approvals for its security program. The changes to Sec. 139.325 require the airport operator to ensure consistency between the operator security program required under part 107 and its airport emergency plan under part 139. The purpose here is to prevent confusion and contradictory program language that would hamper rather than facilitate any response to an actual emergency situation at the airport.

The FAA disagrees with the recommendation to exclude all emergency plans dealing with security. The security program under part 107 is intended primarily to detail how the airport operator will prevent or respond to emergency situations. The airport emergency plan focuses on the emergency services response to a situation that has already occurred. Since the emergency plan deals primarily with emergency medical services, fire and rescue services, etc., the concerns are unique to that program and are properly included in that plan. The FAA recognizes some areas of overlap, but the programs and their purposes are distinct enough that the FAA believes they deserve their own separate document with review by the FAA specialists versed in their respective fields of expertise.

In response to the comment about protection under the non- disclosure rules, any sensitive security information as defined in part 191 that may be contained in the emergency plan must be protected in accordance with that regulation.

Summary of Economic Comments

This section will summarize the economic comments and the FAA's responses. A detailed discussion of these comments and responses is contained in the full evaluation in the docket for this proposed rule. A total of 66 commenters raised economic issues.

General comments: Two commenters believed that the numbering and ordering of several sections changed since the analysis was originally done.

One commenter could not understand why the FAA avoided any cost estimation for the effects of Secs. 107.31 and 108.33.

One commenter notes that the NPRM's economic summary states that the proposed rule ``is not a significant rulemaking action,'' and so asks, then why are we doing it?

One commenter objected to the FAA using 1994 FAA forecasts for a document that was not published until 1998.

One commenter believes that the proposed regulations would have an impact on international trade.

Two commenters believe that the costs of these regulations will result in yet another unfunded mandate.

FAA response: No specific examples were given of how the scope had changed. One commenter did submit a chart, which purported to show these differences. In this chart, most of the differences were explained in terms such as ``not the same,'' ``increased scope,'' or ``potential reduced flexibility''. Without specific examples, the FAA cannot respond to this commenter's concerns.

The FAA has provided cost estimates for Secs. 107.31 and 108.33 in the analysis for the ``Unescorted Access'' final rule.

The Office of Management and Budget (OMB) and the Department of Transportation (DOT) have specific definitions for ``significant'' rulemaking actions that include certain cost and/or policy criteria. The fact that this rulemaking does not meet these criteria does not mean that this rulemaking action is irrelevant.

Even in the best of times, given the limited resources within the FAA and DOT, it is often normal for there to be a delay between the time that the analysis is done and published.

Unlike air carriers, airports are not in competition with their foreign counterparts.

As required by Congress, the FAA has examined these regulations in light of the Unfunded Mandates Reform Act of 1995 and found that this Act does not apply.

Comments on the assumptions used in the analysis: Two commenters questioned the assumption that the number of airports and their distribution into airport types would not change for the 10 year span of the analysis.

[[Page 37309]]

Four commenters believe that using data from many different years, such as 1989, 1991, 1992, and 1994 is inappropriate for a 10-year projection to 2009.

Two commenters were uncomfortable that data was used from an analysis dealing with testing for alcohol usage.

Two commenters believe that the number of badged staff used in the NPRM analysis were incorrect.

One commenter stated that the assumption that all identification media will be magnetic stripe is unrealistic.

One commenter believed that the FAA's assumption that it would take 1 hour to reissue a card assumed no queuing and thus was too low.

One commenter claimed that the discount and price deflator numbers needed clarification and standardization.

One commenter objects to the FAA grouping airports into Types A, B, and C airports, which he believes have little or no apparent correlation to the existing categorization of airports.

One commenter was not comfortable with the difference in the costs of new identification badges at different airports.

FAA response: Since no one can accurately predict the number of airports and how the distribution by size and type for any year in the future, the FAA will not modify these assumptions.

The cost data that the FAA uses is not in one place; instead, it must be gleaned from several different sources. All wage rates were adjusted to 1994 dollars in the NPRM, and 1998 dollars for the Final Rule.

The data gleaned from this analysis applied to GSC's.

The data was obtained from the 1994 survey. Since neither commenter provided different data, the FAA will continue to use the data obtained from the survey.

Since the vast majority are magnetic stripe, cost estimates based on this assumption are expected to be close to the actual amount.

Based on information from industry, the FAA bases its estimate of 1 hour to reissue a card.

According to OMB, the FAA applies a discount factor of 7% to calculate the present value of costs. The GDP implicit price deflators are used to convert costs in different year dollars to the same year dollars.

These airport types track with the security provisions that are in place in the current Sec. 107.3.

The differences in the costs of the badges between the different airports are based in the differences in the wage rates at these airports and in the complexity of the badges needed.

Section 107.3--Definitions

Comments: One commenter believes that the FAA's assertion that changes in definition would not result in any incremental costs is incorrect.

FAA response: This section's purpose is to define the words and terms that will be used later on in the document. When each of these new words and terms are used operationally (in latter sections), they are costed out then.

Section 107.5--Airport Security Coordinator

Comments: One commenter was not comfortable with the FAA's assumption that since the GSC's attrition rate is 5%, the ASC's attrition rate must be the same.

One commenter, in looking at the FAA's costs estimates for additional ASC responsibilities says that the additional ASC duties would need to be transferred to other personnel; the FAA did not cost out the hiring, training, and wages of these additional personnel.

FAA response: Concerning the attrition rates, the commenter offers no other data for the FAA to use, so the FAA will continue to use the 5% attrition rate.

The FAA has no way of knowing if ASC's would need to transfer any of these responsibilities and who they would be reassigned to.

Section 107.9--Falsification

Comments: One commenter does not accept the FAA's belief that there would be few cases that statements or documents would be falsified, and hence, cost would be minor.

FAA response: In the analysis, the FAA specifically invited comments on the number of instances of falsifications that airports have experienced. However, no commenter submitted anything different.

Section 107.11--Security Responsibilities of Persons

Comments: One commenter noted that the FAA assertion that ``the cost of administering a compliance program would only be incurred by airports currently without a program'' was wrong, as existing compliance programs have administrative costs.

One commenter further states that he does not believe that an ASC and a clerk could develop or modify the challenge program in 8 hours.

FAA response: The FAA made a misstatement here and meant to say that ``the additional cost of administering a compliance program * * *.''

The FAA agrees with the commenter and is using a figure of 40 hours per each of these employees in the development or modification of the challenge program.

Section 107.103--Content

Comments: Two commenters were not comfortable with the FAA assumption that it would take 15 minutes to assemble each of the elements required by the new section Sec. 107.103.

One commenter believes that the 10-year estimate of $49,200 for administrative costs to change the descriptions in the ASP averages out to $10.69 per airport annually, clearly too low.

FAA response: The FAA agrees and increased the amount of time from 15 to 60 minutes in the final rule analysis.

The FAA is increasing the amount of time required to make these administrative changes, so these costs will rise. In addition, many of the administrative changes will only occur in the first year of implementation.

Section 107.107--Changed Conditions Affecting Security

Comments: One commenter objected to the proposed rule's requirement for airports to report to the FAA any operational changes within a 2- hour period.

Two commenters were confused as to how the FAA's requirement that the Agency be informed of new conditions in 2 hours could lead to cost savings.

FAA response: The FAA has removed the 2-hour time frame from the final rule; the new requirements are that the airport must notify the FAA within 6 hours, or within the time specified in the security program.

The cost savings do not come from these proposed requirements but from new rules that would relieve the airport from formally amending its security program for a condition under 60 days.

Section 107.111--Exclusive Area Agreements

Comments: One commenter does not understand how the FAA's analysis could state that individual costs on the transfer of exclusive use agreements from airports to air carriers will balance out.

FAA response: This analysis looks at any incremental costs. If the airport was doing ``X'' and now the aircraft operator is doing ``X'', to include total aircraft operator costs without looking at total airport savings would be erroneous.

[[Page 37310]]

Section 107.201--Security of the Secured Area and Section 107.203-- Security of the AOA

Comments: Fourteen commenters make copious arguments against many of the requirements and costs in proposed Secs. 107.201 and 107.203. The FAA has modified this section in the final rule, so these comments are not pertinent.

Three commenters believe that adding signage requirements for all doors would increase the cost significantly.

FAA response: If airports change the boundaries of areas to be secured, they will be required to post new signs within these areas. New signs will need to be posted once, not repeatedly and only if the boundaries have been modified.

Section 107.207--Employment History, Verification, and Criminal History Records Checks

Comments: Two commenters questioned the FAA's assertion that it would take $363 to secure a door, as noted in the calculations of proposed Sec. 107.205(f), claiming that the costs of new infrastructure to existing systems would be higher.

One commenter questions whether parts of proposed Secs. 107.209 and 107.205 (the NPRM's Secs. 107.211 and 107.207) don't contradict each other. He points out that former restricts badge issuance to only 1 per person while the latter allows for the issuance of secondary media.

One commenter was uncomfortable with the FAA's assumption that each employee would forget their access media card on average one time per year.

One commenter objected to the FAA's assertion that employee absences result in supervisors drawing from a labor pool which ensures against employee no-shows; with the exception of reserve flight crews, no airport or air carrier operates with stand-by personnel.

One commenter believes that since there are references to vehicle identification systems in both proposed Sec. 107.205 and in existing part 139, this would lead to two systems that are equally expensive, access control systems.

FAA response: The requirements of proposed Sec. 107.205(f) are not in the final rule. The commenter is confusing the temporary badges discussed by proposed Secs. 107.205 (access) and Sec. 107.209 (identification). For the former, the airport may issue a second access media to someone who forgets to bring it to work. For the latter, the airport may issue a second identification media if the employee has more than one job at the airport.

The FAA agrees with the commenter that in the new analysis, the FAA bases costs on the assumption that each employee would forget their access media on average three times a year.

The commenter is correct and such language has been removed from the final rule analysis.

The FAA is not requiring vehicle identification in the final rule.

Section 107.211--Training

Comments: One commenter could not understand the big differences between the costs of personnel and vehicle identification systems.

One commenter believes that applying the challenge procedures to both types of secured areas but having two-tiered training and identification requirements is confusing and costly.

Four commenters believe that having expiration dates on badges, which cause the need to reaudit and revalidate the system, causes great expense and does not augment security.

Six commenters believe that a vehicle identification system would be very expensive.

One commenter objects to an audit that would compare airport records to airline and airport tenant files. Another commenter objected to what it believed was a second yearly audit to compare airport records to airline and airport tenant files.

One commenter could not understand why escort programs ``would not entail costs to airport operators because it codifies a program that is currently in place at all airports in their ASP.''

FAA response: A major reason for this cost differential between personnel and vehicle identification systems is that former involves personnel salary time and picture identification costs; there are no such requirements for vehicle identification. However, the FAA is not requiring vehicle identification in the final rule.

The fact that a challenge system is needed in both areas does not obviate the need to maintain a two-tiered training system.

There are good reasons why an expiration date is needed on identification badges. A person's appearance changes over time. In addition, if an individual losses their identification, anyone would be able to use that badge in the SIDA, perhaps without the picture being carefully viewed by other persons in the area.

Information from the survey indicated that a vehicle identification system at a large airport costs about $4,700 to set up an identification system and $2,300 and $12,100 to audit and revalidate the system, respectively.

The FAA believes that both commenters misread the proposed regulations as there is no such requirement.

Since the FAA is only costing out the new or incremental costs imposed by this proposed regulation, moving a portion of the existing requirements from the ASP to the regulation does not impose any incremental costs.

Section 107.215--Law Enforcement Personnel

Comments: Two commenters were uncomfortable with the FAA using survey data to project cost savings based on the use of plainclothesmen.

FAA response: The FAA has revisited this issue and now believes that there will not be any costing savings.

Section 107.221--Records of Law Enforcement Response

Comments: One commenter notes that the NPRM's Sec. 107.219 (now Sec. 107.221) doubles the requirement for maintaining records, from 90 to 180 days, and wonders why.

FAA response: With regard to the need for 180 days, the FAA stated in the NPRM's Preamble: ``often times, the current 90-day requirement is insufficient for investigation and enforcement purposes.''

Section 107.301--Contingency Plan

Comments: One commenter points out that each airport was required to incorporate the contingency measures into their airport security program several years ago. By shifting this information to the new airport security program, this would involve costs to each airport.

FAA response: The FAA agrees that these contingency measures have existed in each airport operator's security program and believes that they should now be part of the public rule rather than the private rulemaking. In costing out the proposed provisions, the FAA is looking at the incremental change that these changes would impose on the airport. Given that airports already have these contingency provisions, no airport would have to establish one.

Paperwork Reduction Act

Information collection requirements pertaining to this final rule have been approved by the Office of Management and Budget (OMB) for one year under the provisions of the Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)), and have been assigned OMB control number 2120-0656. Comments

[[Page 37311]]

were received on the NPRM publication and are discussed earlier in this preamble.

The FAA is committed to provide the industry with the most current, accurate, and relevant cost impact figures possible. In order not to impede the timely issuance of the regulation, it is our intent to provide updated information on the issues currently contained in the rule, and to solicit additional data from the industry and general public in support of OMB's renewal under the current Paperwork Reduction Act clearance.

The FAA has carefully evaluated the likely incremental burdens of the changes to part 107, and OMB has approved these estimates for a limited period under OMB 2120-0656. However, the FAA recognizes that the rule is codifying many existing practices and procedures, and that the newly codified part 107 will also bring about evolutionary changes of its own. As part of its review of the existing paperwork burden required every 3 years, FAA is now planning a thorough review as part of that renewal clearance of OMB 2120-0075, which expires May 31, 2001. This will also allow the airports and the FAA an opportunity to evaluate how best to implement the changes, and to minimize any new burdens.

It is important to note that the figures contained in the previous clearance for part 107 [OMB #2120-0075], which reflect an estimated annual impact of 75,414 hours of impact, have not changed significantly for a number of years. Those numbers are to a considerable degree based upon long-standing and probably outdated assumptions, and do not fully reflect growth in the demands on airports since that time. Overall traffic at U.S. airports has increased by one-third since 1990, with a concomitant increase in terminal facilities and related demands on security support activities and law enforcement personnel. This includes large demands such as those imposed by the implementation of access controls under Sec. 107.14 in 1989.

During the intervening years, updates of the information collection burden have not kept pace. Amendments have been addressed piecemeal due to periodic security exigencies and legislative requirements. However, a single comprehensive review of the economic impacts of the entire program as an integrated whole has not been possible until this comprehensive rewrite of the regulations. It is our goal to address the informational deficit through additional data gathering and analysis in support of the upcoming May 31, 2001 OMB renewal process.

The current FAA submittal, which estimates approximately 512,000 total annual hours of impact on the industry, must be viewed in a significantly different context from the previous estimates: The FAA will be examining both the old and new regulation in order to validate ongoing burdens and seek to eliminate duplication.

The core provisions of the new regulation have been adopted from current industry practice. Specifically, under the existing regulation, the goals of some security functions are set forth as general mandates. At the same time, the regulation requires the airport operator to accomplish those mandates through language in nonpublic FAA-approved airport security programs. For example, for many years, existing Sec. 107.13 has required airport operators to control access to and movement on certain areas of airports. The implementing details were to be set forth in the security programs. It is the common practice under part 107, to perform this task, in large part, through the use of personal identification (ID) systems. Yet, the existing regulation does not specify the use of such systems; hence, the associated burdens were never adequately reflected. However, the revised part 107 specifically requires the use of ID in certain areas. So, the burdens associated with these systems, while already in place, must be reflected as though totally new. As a result, some of the hours attributed to this new rule are already being expended, so the new burden could actually be less than 512,000 hours. In addition, since the use of such systems has been common industry practice for many years, there exists a considerable amount of industry experience in their implementation. This will allow the FAA to reflect a more valid estimate of impact based on greatly improved data.

Based on extensive comments to the FAA, some costly requirements, such as the access control time and date requirements have been removed from the existing rule, and some NPRM provisions were dropped, such as vehicle IDs and some name changes of the security areas.

Some hours of estimated impact are not really added hours of burden. This regulation simply codifies many existing practices. If anything, the standardization has a strong potential to reduce the collective impact of the rule on both the FAA and the airports.

It is FAA's intent to issue the rule immediately under an interim OMB clearance in order to allow airports to initiate the necessary revisions to their airport security programs. Simultaneously, FAA will initiate the development of an effort to gather updated data to further refine the estimates. These will be submitted to OMB early in 2001 in support of a final clearance under the Paperwork Reduction Act.

As provided for by the Paperwork Reduction Act, it should be noted that an agency may not conduct or sponsor and a person is not required to respond to a collection of information unless it displays a currently valid Office of Management and Budget (OMB) control number. The assigned control number for the collection of information associated with this rule is 2120-0656.

International Compatibility

In keeping with U.S. obligations under the Convention on International Civil Aviation, it is FAA policy to comply with International Civil Aviation Organization (ICAO) Standards and Recommended Practices to the maximum extent practicable. This proposal is consistent with the ICAO security standards.

Regulatory Evaluation Summary

This rule is considered significant under the regulatory policies and procedures of the Department of Transportation (44 FR 11034; February 26, 1979) but is not considered to have a significant economic impact under Executive Order 12866.

Proposed and final rule changes to Federal regulations must undergo several economic analyses. First, Executive Order 12866 directs that each Federal agency propose or adopt a regulation only upon a reasoned determination that the benefits of the intended regulation justify its costs. Second, the Regulatory Flexibility Act of 1980, as amended March 1996, requires agencies to analyze the economic effects of regulatory changes on small entities. Third, OMB directs agencies to assess the effects of regulatory changes on international trade. In conducting these analyses, the FAA has determined that the rule will generate benefits that justify its costs. The rule will not have a significant impact on a substantial number of small entities. The rule will not constitute a barrier to international trade and does not contain Federal intergovernmental or private sector mandates. The full analyses performed in response to the above requirements are contained in the docket and are summarized below.

The FAA analyzed the expected costs of this regulatory proposal for a 10-year period (2000 through 2009). As required by OMB, the present value of this cost stream was calculated using a discount

[[Page 37312]]

factor of 7 percent. All costs in this analysis are expressed in 1998 dollars.

The FAA has determined that implementing the final rule changes will affect airport owners; in addition, Sec. 107.307 will impose additional costs on the CASFO representatives.

Currently, there are 458 airports in the U.S. aviation system that have an airport security program approved by the FAA; the contents of these programs, their approval, and the amendment process are key components of part 107. All airport security programs cover many of the same requirements and concerns. However, due to the different physical layouts and security requirements of each airport, each airport's security program will have some unique features. Accordingly, it is important to note there is not a single airport security program, but instead, many programs that have many common elements.

Many of the changes to parts 107 and 139 simply change definitions or make minor word changes. These changes will not result in any incremental costs and will not be covered in this summary. Nine sections will increase costs and two sections will result in cost savings. The changes to security will affect virtually all airports in the system. The analysis assumes no change in the number of airports over the next 10 years.

Section 107.5, entitled ``Airport Security Coordinator'' increases the responsibilities of the ASC. Under this rule, the ASC, or in certain cases the airport operators or their designees, must review materials and security functions for effectiveness and compliance and take corrective action immediately for each instance of non-compliance with this part and notify the FAA of the instances and any corrective measures taken. The ASC must also be trained in accordance with the FAA-approved security program. The estimated cost resulting from these changes total $10.8 million (net present value, $7.6 million).

Section 107.7, entitled, ``Inspection Authority'' (amending the current Sec. 107.27), requires each airport operator to provide the FAA with evidence of compliance with part 107 and its ASP, including copies of records. The airport may be required to send the FAA selected records; for this analysis, the FAA assumes that airports will need to furnish 5% of these reports to the FAA. For this analysis, the FAA assumes that all airports file quarterly. Ten-year costs for these increased records sum to $37,900 (present value, $26,300).

Section 107.103, entitled ``Content'' (amending the current Sec. 107.3) expands the documentation requirements for the airport security programs. The estimated administrative costs will be approximately $420,000 (present value, $330,000).

Section 107.107, entitled ``Changed conditions affecting security'' involves notification costs. All airports are required to notify the FAA to certain changes in airport security. This rule will increase the number of airport security changes of which the FAA needs to be aware and will relieve airports of having to modify their airport security program for a changed security condition under 60 days. The net results of these changes will be an estimated $4.3 million in savings (present value, $3.0 million).

Section 107.201, entitled ``Security of the secured area'' defines the requirements for the most critical security portions of the airport. The intent is to better define the areas of the airport in which the security interest is the most critical and where security measures should be the most stringent. This will entail additional requirements, such as changing warning notices and signs for this area. Most current employees will probably need additional one-time training to educate them as to these new changes. Due to the reclassification and redesignation of the secured area, the FAA believes that 5 percent of all airport employees will no longer need to be issued access media and will no longer need to be trained for access to this area, nor will they need access media. The net result is that these revisions will save an estimated $28.6 million (present value, $15.3 million).

Section 107.203, entitled ``Security of the air operations area'' establishes the means used to control access and movement on the AOA; such access and movement is held to the same standards as controlling access and movement in the secured areas. However, the regulation on the AOA will still entail additional costs including providing information to all employees with access to the AOA and changing warning notices and signs for this area. These revisions will cost an estimated $10.2 million (present value, $9.5 million).

Section 107.207, entitled ``Access control systems'' enhances the existing performance standards for access controls by allowing the issuance of a secondary access medium to individuals. The secondary access media program gives airport operators an option, in addition to using either existing airport escort programs or denying employees access without their original cards, both of which can be very costly. An airport operator opting to use a secondary access media will incur additional costs, including development costs, annual computer time, card manufacturing costs, and card storage costs. A few airports currently escort all employees who do not have their access cards, resulting in lost productivity; costs involved with escorting are covered in Sec. 107.211. Most others deny entry to employees without access cards; they are either sent home to retrieve the card or not allowed to work for the day, so that employee's supervisor needs to spend time reassigning employees. The FAA based its costs by assuming that half the airports adopt the secondary access media and the other half use the current two options. The total 10-year costs for this section total $75.5 million (net present value, $52.7 million).

Section 107.211, entitled ``Identification systems'' requires airports to implement an identification system if they do not have one, and require identification systems to meet certain standards. Such standards will require airports to audit their identification systems once a year and revalidate their identification systems when a certain percentage of the currently issued and active identification media become unaccountable for personnel systems. This section also will require airport operators to implement a challenge program in the secured area and SIDA. The purpose of the challenge program is to improve each airport operator's ability to limit unauthorized incursions in the secured area; the rule requires all airports to make modifications to their present challenge programs. In addition, there will be cost savings from those airports that will no longer use their escort program for employees who forget their access media (as discussed in Sec. 107.207). The total cost of this section will be $7.2 million (present value, $9.2 million).

Section 107.221, entitled ``Records of law enforcement response'' requires that records be maintained pursuant to a schedule in the airport security program and increases the time an airport must maintain records from 90 days to 180 days. Airports will still be required to report all deadly weapon activity, arrests, and threats against civil aviation. The additional recordkeeping and maintenance costs will total $17.8 million (present value, $12.2 million).

Section 107.307, entitled ``Incident management,'' will require that airports incorporate certain procedures into their airport security programs for responding to threats of sabotage, aircraft piracy, and other unlawful acts against civil aviation. This section will also impose

[[Page 37313]]

costs upon the FAA; FAA representatives will have to review and approve airport incident threat response procedures and ensure coordination of such procedures with their counterparts in airport safety. Ten-year costs are estimated to be approximately $2.1 million (present value, $1.5 million).

Section 139.325 is amended to require each airport to ensure that the instructions for each airport emergency plan are consistent with its airport security program. This action will entail costs for each airport. The FAA assumes that the ASC and a clerk will each need to spend 2 hours in 2000 and 1 hour in each subsequent year to ensure consistency. Total costs over 10 years equal $270,000 (present value, $200,000).

The 10-year total cost of this rule is estimated to be $92.2 million (present value, $75.4 million).

The rules to amend parts 107 and 108 are intended to enhance aviation safety for U.S. airport operators and aircraft operators in ways that are not currently addressed. The benefits of the rules will be a strengthening of both airport and air carrier security by adding to their effectiveness. Security is achieved through an intricate set of interdependent requirements.

It would be extremely difficult to determine to what extent an averted terrorist incident can be credited to either airport or aircraft security. Accordingly, the benefits from the rules for parts 107 (airport operators) and 108 (aircraft operators) have been combined in this benefit-cost analysis. These benefits are comprised of the criminal and terrorist incidents that these rules are intended to prevent; hence, these benefits will be contrasted against the costs of the changes to parts 107 and 108. The combined costs of part 107 and 108 total $131.3 million (present value, $104.1 million) over 10 years.

Terrorism can occur anytime and anywhere in the United States. Members of foreign terrorist groups, representatives from state sponsors of terrorism, and radical fundamentalist elements from many nations are present in the United States. In addition, Americans are joining terrorist groups. The activities of some of these individuals and groups go beyond fund raising. These activities now include recruiting other persons (both foreign and U.S.) for terrorist activities and training them to use weapons and make bombs. These extremists operate in small groups and can act without guidance or support from state sponsors. This makes it difficult to identify them or to anticipate and counter their activities. The following discussion outlines some of the concrete evidence of the increasing terrorist threat within the United States and to domestic aviation.

Investigation into the February 1993, attack on the World Trade Center (WTC) uncovered a foreign terrorist threat in the United States that is more serious than previously known. The WTC investigation disclosed that Ramzi Yousef had arrived in the United States in September 1992, and had presented himself to immigration officials as an Iraqi dissident-seeking asylum. Yousef and a group of radicals in the United States then spent the next 5 months planning the bombing of the WTC and other acts of terrorism in the United States. Yousef returned to Pakistan on the evening of February 26, 1993, the same day that the WTC bombing took place. By August 1994, Yousef had conceived a plan to bomb as many as 12 U.S. airliners flying between East Asian cities and the United States.

Yousef and his co-conspirators tested the type of explosive devices to be used in the aircraft bombings and demonstrated the group's ability to assemble such a device in a public place, in the December 1994, bombing of a Manila theater. Later the same month, the capability to get an explosive device past airport screening procedures and detonate it aboard an aircraft also was successfully tested when a bomb was placed by Yousef aboard the first leg of Philippine Airlines Flight 424 from Manila to Tokyo. The device detonated during the second leg of the flight, after Yousef had deplaned at an intermediate stop in the Philippine city of Cebu.

Preparations for executing the plan were progressing rapidly. However, the airliner-bombing plot was discovered in January 1995, by chance after a fire led Philippine police to the Manila apartment where the explosive devices were being assembled. Homemade explosives, batteries, timers, electronic components, and a notebook full of instructions for building bombs were discovered. Subsequent investigations of computer files taken from the apartment revealed the plan, in which five terrorists were to have placed explosive devices aboard United, Northwest, and Delta airline flights. It is likely that thousands of passengers would have been killed if the plot had been successfully carried out.

Yousef and his co-conspirators were arrested and convicted in the bombing of Philippine Airlines flight 424 and in the conspiracy to bomb U.S. airliners. Yousef was sentenced to life imprisonment for his role in the Manila plot. Yousef also was convicted and sentenced to 240 years for the WTC bombing. However, there are continuing concerns about the possibility that other conspirators remain at large.

The fact that Ramzi Yousef was responsible for both the WTC bombing and the plot to bomb as many as 12 U.S. air carrier aircraft shows that: (1) Foreign terrorists are able to operate in the U.S. and (2) foreign terrorists are capable of building and artfully concealing improvised explosive devices that pose a serious challenge to aviation security. Civil aviation's prominence as a prospective target is clearly illustrated by the circumstances of the 1995 Yousef conspiracy.

The bombing of a Federal office building in Oklahoma City, Oklahoma, shows the potential for terrorism from domestic groups. While the specific motivation that led to the Oklahoma City bombing would not translate into a threat to civil aviation, the fact that domestic elements have shown a willingness to carry out attacks resulting in indiscriminate destruction is worrisome. At a minimum, the possibility that a future plot hatched by domestic elements could include civil aircraft among possible targets must be taken into consideration. Thus, an increasing threat to civil aviation from both foreign sources and potential domestic ones exists and needs to be prevented and/or countered.

That both the international and domestic threats have increased is undeniable. While it is extremely difficult to quantify this increase in threat, the overall threat can be roughly estimated by recognizing the following:

U.S. aircraft and American passengers are representatives of the United States, and therefore, are targets;

Up to 12 airplanes could have been destroyed and thousands of passengers killed in the actual plot described above;

These plots came close to being carried out; it was only through a fortunate discovery and then extra tight security after the discovery of the plot that these incidents were thwarted;

It is just as easy for international terrorists to operate within the United States as domestic terrorists, as evidenced by the World Trade Center bombing; therefore,

Based on these facts, the increased threat to domestic aviation could be seen as equivalent to some portion of 12 Class I Explosions on U.S. airplanes. (The FAA defines Class I Explosions as incidents that involve the loss of an entire aircraft and incur a large number of fatalities.)

In 1996, both Congress and the White House Commission on Aviation Safety

[[Page 37314]]

and Security recommended further specific actions to increase civil aviation security. The Commission stated that it believed that the threat against civil aviation was changing and growing, and recommended that the Federal government commit greater resources to improving civil aviation security. President Clinton, in July 1996, declared that the threat of both foreign and domestic terrorism to aviation was a national threat. The U.S. Congress recognized this growing threat in the Federal Aviation Reauthorization Act of 1996 by: (1) authorizing money for the purchase of specific anti-terrorist equipment and the hiring of extra civil aviation security personnel; and (2) requiring the FAA to promulgate additional security-related regulations.

In the absence of increased protection for the U.S. domestic passenger air transportation system, it is conceivable that the system would be targeted for future acts of terrorism. If even one such act were successful, the traveling public would demand immediate increased security. Providing immediate protection on an ad hoc emergency basis would result in major inconveniences, costs, and delays to air travelers that may substantially exceed those imposed by the planned and measured steps contained in these rules.

Based on the above statement, the FAA concludes that these rules set forth a better method to provide increased security at the present time. The FAA considered to the limited extent possible, the benefits of these rules in reducing the costs associated with terrorist acts. The following analysis describes alternative assumptions regarding the number of terrorist acts prevented and potential market disruptions averted that result in these rules' benefits to be at least equal to these rules' costs. This is intended to allow the reader to judge the likelihood of benefits of these rules equaling or exceeding their cost.

The cost of a catastrophic terrorist act can be estimated in terms of lives lost, property damage, decreased public utilization of air transportation, etc. Terrorists acts can result in the complete destruction of an aircraft with the loss of all on board. The FAA considers a Boeing 737 as representative of a typical airplane flown domestically. The fair market value of a Boeing 737 is $16.5 million, and the typical 737 airplane has 113 seats. It flies with an average load factor of 64.7%, which translates into 73 passengers per flight; the airplane will also have 3 pilots and 3 flight attendants.

In order to provide a benchmark comparison of the expected safety benefits of rulemaking actions with estimated costs in dollars; a minimum of $2.7 million is used as the value of avoiding an aviation fatality (based on the willingness to pay approach for avoiding a fatality). In these computations, the present value of each incident was calculated using the current discount rate of 7 percent. Applying this value, the total fatality loss of a single Boeing 737 is represented by a cost $210.6 million (78 x $2.7 million). The safety related costs of a single domestic terrorist act on civil aviation also includes property damage as well as investigative and legal costs, so that the total cost sums to $271.2 million (present value, $190.5 million).

Since the cost of a Class I Explosion on a large domestic airplane is approximately $272 million, coupled with the relative low cost of compliance ($131 million), this rule (and the rule for part 108) will need to prevent one Class I Explosion over the next 10 years in order for quantified benefits to exceed costs. In view of the recent history of terrorist incidents in the United States, a potential catastrophic loss of at least this magnitude is considered to be plausible in the absence of this rule.

The FAA also used the same set of benefits in two proposed rulemakings, Security of Checked Baggage on Flights Within the United States and Certification of Screening Companies. All of these rulemakings have the same goal--to significantly increase the protection of U.S. citizens and other citizens traveling on U.S. domestic air carrier flights from acts of terrorism as well as increase protection for those operating aircraft. Because the combined discounted costs of all of these rules exceeds $190.9 million, the cost of one Class I Explosion, the FAA calculated the economic impact and the potential averted market disruption sufficient, in combination with safety benefits, to justify all these rulemakings.

Certainly the primary concern of the FAA is preventing loss of life, but there are other considerations as well. Another large economic impact is related to decreased airline travel following a terrorist event. A study performed for the FAA by Pailen-Johnson Associates, Inc., An Econometric Model of the Impact of Terrorism on U.S. Air Carrier North Atlantic Operations, indicated that it takes about 9 to 10 months for passenger traffic to return to the pre- incident level after a single event. Such a reduction occurred immediately following the destruction of Pan Am Flight 103 over Lockerbie, Scotland in December 1988. In general, 1988 enplanements were above 1987's. There was a dramatic fall-off in enplanement in the first 3 months of 1989 immediately following the Pan Am 103 tragedy, and it took until November 1989, for enplanements to approximate the 1987 and 1988 levels. Statistics show that there was an almost 20 percent reduction in 1989 in expected enplanements caused by the destruction of Pan Am 103 by terrorists.

The estimated effect of a successful terrorist act on the domestic market has not been studied. Although there are important differences between international and domestic travel (such as the availability of alternative destinations and means of travel), the FAA believes that the traffic loss associated with international terrorist acts is representative of the potential domestic disruption.

There is a social cost associated with travel disruptions and cancellations caused by terrorist events. The cost is composed of several elements. First is the loss associated with passengers opting not to fly--the value of the flight to the passenger (consumer surplus) in the absence of increased security risk and the profit that would be earned by the airline (producer surplus). Even if a passenger opts to travel by air, the additional risk may reduce the associated consumer surplus. Second, passengers who cancel plane trips would not purchase other goods and services normally associated with the trip, such as meals, lodging, and car rental, which would also result in losses of related consumer and producer surplus. Finally, although spending on air travel would decrease, pleasure and business travelers may substitute spending on other goods and services (which produces some value) for the foregone air trips. Economic theory suggests that the sum of the several societal value impacts associated with canceled flights would be a net loss. As a corollary, prevention of market disruption (preservation of consumer and producer welfare) through increased security created by these rules is a benefit.

The FAA is not able to estimate the actual net societal cost of travel disruptions and the corollary benefit gained by preventing the disruptions. However, there is a basis for judging the likelihood of attaining benefits by averting market disruption sufficient, in combination with safety benefits, to justify the rule. The discounted cost of these four rulemakings is $2.3 billion, while the discounted benefits for each Class I Explosion averted comes to $190.9 million. Hence, if one Class I Explosion is averted, the present value of losses due to market disruption must at least equal $2.1 billion ($2.3 billion

[[Page 37315]]

less $190.9 million--one Class I Explosion). If two Class I Explosions are averted, the present value of losses due to market disruption must at least equal $1.9 billion ($2.3 billion less $381.8 million--two Class I Explosions).

The value of market loss averted is the product of the number of foregone trips and the average market loss per trip (combination of all impacts on consumer and producer surplus). If one uses an average ticket price of $160 as a surrogate of the combined loss, preservation of a minimum of 13.3 million lost trips would be suffered, in combination with the safety benefits of one averted Class I Explosion, for the benefits of these rulemakings to equal costs. This represents less than 5 percent of annual domestic trips (the traffic loss caused by Pan Am 103 on trans-Atlantic routes was 20 percent). Calculations can be made on the minimum number of averted lost trips needed if the net value loss was only 75 percent of the ticket price or exceeded the ticket price by 25 percent. If total market disruption cost was $130 or $200 per trip, a minimum retention of 16.3 and 10.6 million lost trips, respectively, would need to occur for the benefits to equal the costs of these rulemakings, assuming one Class I Explosion would be prevented. The FAA also calculated the economic impact and the potential averted market disruption sufficient, in combination with safety benefits, to justify all four rulemakings given anywhere from two to four Class I Explosions prevented. These values can be seen in the full economic analysis contained in the docket.

Based on changes in the domestic security risk, the White House Commission recommendation, recent Congressional mandates, and the known reaction of Americans to any air carrier disaster, the FAA believes that pro-active regulation is warranted to prevent terrorist acts (such as Class I Explosions) before they occur.

Final Regulatory Flexibility Determination

The Regulatory Flexibility Act of 1980 establishes ``as a principle of regulatory issuance that agencies shall endeavor, consistent with the objective of the rule and of applicable statues, to fit regulatory and informational requirements to the scale of the business, organizations, and governmental jurisdictions subject to regulation.'' To achieve that principle, the Act requires agencies to solicit and consider flexible regulatory proposals and to explain the rational for their actions. The Act covers a wide-range of small entities, including small businesses, not-for-profit organizations and small governmental jurisdictions.

Agencies must perform a review to determine whether a proposed or final rule will have a significant economic impact on a substantial number of small entities. If the determination is that it will, the agency must prepare a regulatory flexibility analysis (RFA) as described in the Act.

However, if an agency determines that a proposed or final rule is not expected to have a significant economic impact on a substantial number of small entities, section 605(b) of the 1980 act provides that the head of the agency may so certify and an RFA is not required. The certification must include a statement providing the factual basis for this determination, and the reasoning should be clear.

For this rule, the small entity group is considered to be part 107 airports (Standard Industrial Classification Code [SIC] 4581--Airports, Flying Fields, and Airport Terminal Services). The FAA's small entity size standards criterion define a small airport as one owned by a county, city, town, or other jurisdiction having a population of 49,999 or less. If two or more towns, cities, or counties operate an airport jointly, the population size of each is totaled to determine whether that airport is categorized as a small entity. In addition, all privately owned, public-use airports are considered small. The FAA has identified a total of 129 airports that will be considered small entities pursuant to this rule. These 129 airports break down into 31 airports subject to Sec. 107.103(a), 90 airports subject to Sec. 107.103(b), and 8 airports subject to Sec. 107.103(c).

The FAA examined the revenue base for all part 139 small airports. The most reliable measure of income was tax revenues; these averaged out to $2.4 million at the 34th percentile of all small airports subject to part 139. One percent of the 1998 annual revenue for all small airports at the 34th percentile is $24,000 in 1998 dollars. Many part 139 small airports do not have security programs; only those airports that have scheduled service are eligible for such a program. These airports have a larger tax base, greater aviation traffic activity, and overall generate larger tax revenues than airports without scheduled service. Accordingly, the annual tax revenue for airports subject to part 107 is larger than $2.4 million. Moreover, airports with scheduled service earn additional revenues from retail vendor sales, car rental leasing, and fixed-base operator activities. Adding these commercial proceeds to tax revenues boosts the average annual income for these small airports above $2.4 million. Thus, 1 percent of the 1998 annual median revenue for airports impacted by this rule is greater than $24,000 in 1998 dollars.

The FAA has estimated the 10-year and annualized cost impact on each of the small entities. Over 10 years, these regulations will cost each airport subject to Secs. 107.103(a), (b), and (c) an estimated $53,000, $34,100, and $31,900, respectively. The annualized costs for these airports are $6,400, $3,400, and $3,200, respectively. These costs are not considered burdensome because they are well below the aforementioned $24,000. Furthermore, as revealed by the above analysis, the revenues and earnings for small airports receiving scheduled traffic is greater than $2.4 million annually. Accordingly, the FAA has determined that the rule will not have a significant economic impact.

Accordingly, pursuant to the Regulatory Flexibility Act, 5 U.S.C. 605(b), the FAA certifies that this rule will not have a significant impact on a substantial number of small entities.

International Trade Impact Statement

In accordance with the OMB memorandum dated March 1983, Federal agencies engaged in rulemaking activities are required to assess the effects of regulatory changes on international trade. This rule will affect all airport owners that have a FAA-approved security program in accord with part 107. Unlike domestic air carriers that compete with foreign air carriers, domestic airports are not in competition with foreign airports. For this reason, a trade impact assessment is not applicable.

Federalism Implications

The FAA has analyzed this final rule under the principles and criteria of Executive Order 13132, Federalism. Most airports subject to this rule are owned, operated, or regulated by a local governmental body (such as a city or county government), which in turn is incorporated by, and derives its authority from, a State. This rule has minimal direct effect on the States, and does not alter the relationship between the airport operators and the FAA that is established in the FAA's statute. The annual costs of compliance with this rule are very low compared with the resources available to the airports. Further, before issuing the NPRM, the FAA consulted with representatives of the airports through the Aviation Security Advisory Committee. Accordingly, the FAA has determined that this action will not have a

[[Page 37316]]

substantial direct effect on the States, on the relationship between the national Government and the States, or on the distribution of power and responsibilities among the various levels of government. Therefore, the FAA has determined that this final rule does not have federalism implications.

Unfunded Mandates Reform Act

Title II of the Unfunded Mandates Reform Act of 1995 (the Act), enacted as Pub. L. 104-4 on March 22, 1995, requires each Federal agency, to the extent permitted by law, to prepare a written assessment of the effects of any Federal mandate in a proposed or final agency rule that may result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more (adjusted annually for inflation) in any 1 year. Section 204(a) of the Act, 2 U.S.C. 1534(a), requires the Federal agency to develop an effective process to permit timely input by elected officers (or their designees) of State, local, and tribal governments on a proposed ``significant intergovernmental mandate.'' A ``significant intergovernmental mandate'' under the Act is any provision in a Federal agency regulation that will impose an enforceable duty upon State, local, and tribal governments, in the aggregate, of $100 million (adjusted annually for inflation) in any 1 year. Section 203 of the Act, 2 U.S.C. 1533, which supplements section 204(a), provides that before establishing any regulatory requirements that might significantly or uniquely affect small governments, the agency shall have developed a plan that, among other things, provides for notice to potentially affected small governments, if any, and for a meaningful and timely opportunity to provide input in the development of regulatory proposals.

This rule does not contain any Federal intergovernmental mandates or private sector mandates.

Environmental Analysis

FAA Order 1050.1D defines FAA actions that may be categorically excluded from preparation of a National Environmental Policy Act (NEPA) environmental assessment or environmental impact statement. In accordance with FAA Order 1050.1D, appendix 4, paragraph 4(j), this rulemaking action qualifies for a categorical exclusion.

Energy Impact

The energy impact of the notice has been assessed in accordance with the Energy Policy and Conservation Act (EPCA) P.L. 94-163, as amended (43 U.S.C. 6362) and FAA Order 1053.1. It has been determined that the final rule is not a major regulatory action under the provisions of the EPCA.

Distribution/Derivation Tables

The following distribution table is provided to illustrate how the current regulation relates to the revised part 107, and the derivation table identifies how the revised part 107 relates to the current rule.

Distribution Table

Old section

New section

107.1(a)(1)-(4)........................... 107.1(a)(1)-(4) 107.1(b)(1)-(4)........................... 107.3, which adds eight new unnumbered definitions 107.1(b)(5)............................... Removed 107.1(b)(6)............................... Removed 107.2(a)-(c).............................. 107.9(a)-(c) 107.3(a)(1)-(3)........................... 107.101(a)(1)-(3) 107.3(b).................................. 107.103(a) 107.3(b)(1) and (2)....................... 107.103(a)(4)(i)-(ii) 107.3(b)(3)............................... 107.103(a)(20) 107.3(b)(4)............................... 107.103(a)(4)(iii) 107.3(b)(5)............................... 107.111(b)(2)-(3) 107.3(b)(6)............................... 107.103(a)(19) 107.3(b)(7)............................... 107.103(a)(12) 107.3(b)(8)............................... 107.103(a)(11) 107.3(b)(9)............................... 107.103(a)(13) 107.3(c).................................. 107.103(d) 107.3(d) and (e).......................... 107.101(b) and (c) 107.3(f)(1)-(3)........................... 107.103(c)(2)-(4) 107.3(g)(1)-(3)........................... 107.103(b)(2)-(4) 107.5(a).................................. 107.105(a) 107.5(b) and (c).......................... 107.105(a)(1) and (2) 107.5(d) and (e).......................... 107.105(a)(3) 107.7(a)(1)............................... 107.107(a)(3) 107.7(a)(2)............................... 107.107(a)(1) 107.7(a)(3)............................... 107.103(a)(19) 107.7(a)(4)............................... 107.107(b) 107.7(a)(5)............................... 107.107(a)(1) 107.7(b)(1)............................... 107.107(b)(1) 107.7(b)(2)............................... 107.107(c) and (d) 107.9(a) and (b).......................... 107.105(b)(1) and (2) 107.9(c)(1)and (2)........................ 107.105(b)(3) 107.9(d).................................. 107.105(b)(4) 107.9(e) and (f).......................... 107.105(b)(5) 107.11(a)................................. 107.105(c) 107.11(b) and (c)......................... 107.105(c)(1) and (2) 107.11(d) and (e)......................... 107.105(c)(3) 107.11(f)................................. 107.105(d) 107.13(a)................................. 107.203(a) 107.13(a)(1).............................. 107.203(b)(1) 107.13(a)(2).............................. 107.203(b) 107.13(a)(3).............................. 107.203(b)(2) 107.13(b)(1) and (2)...................... 107.111(b)(1)-(3) 107.14(a)................................. 107.207(a)(1)-(3) 107.14(b)................................. 107.207(b) 107.14(c) and (d)......................... Removed 107.15(a)(1).............................. 107.215(a) and (a)(1) 107.15(a)(2).............................. 107.215(a)(2) 107.15(b)................................. 107.215(b) 107.17(a)-(c)(2).......................... 107.217(a)-(c)(2) 107.17(d)(1)-(4).......................... 107.217(c)(3)(i)-(iv) 107.19.................................... 107.219 107.20 and 107.21......................... Moved to Part 108 107.23(a)................................. 107.221(a) 107.23(a)(2).............................. 107.221(a)(2) 107.23(a)(3).............................. 107.7(b) 107.23(b)................................. 107.221(c) 107.25(a)................................. 107.3 107.25(b) and (e)......................... 107.213(b) and (c) 107.25(c) and (d)......................... Removed 107.25(e)(1) and (2)...................... 107.213(c)(2) and (3) 107.25(e)(3)-(5).......................... 107.213(c)(5) and (6) 107.25(f)................................. 107.211(a)(3) 107.25(g)................................. 107.213(d) 107.27.................................... 107.7(b) 107.29.................................... 107.5 (expanded) 107.31.................................... 107.209 (unchanged)

Derivation Table

New section

Old section

107.1(a)(1)-(4)........................... 107.1(a)(1)-(4) 107.1(a)(5)............................... New 107.1(b).................................. New 107.3..................................... 107.1, plus eight new unnumbered definitions 107.5..................................... 107.29 107.5(b)(3)-(6), (c), and (d)............. New 107.7, (a), (a)(1) and (2), (c) and (d)... New 107.7(b).................................. 107.27 107.9(a)-(c).............................. 107.2(a)-(c) 107.11(a), (a)(1), (a)(2) and (b)......... New 107.101(a)(1)-(3)......................... 107.3(a)(1)-(3) 107.101(a)(4)............................. New 107.101(a)(5)............................. 107.3(a)(4) 107.101(a)(5)............................. 107.3(a)(4) 107.101(b) and (c)........................ 107.3(d) and (e) 107.103(a)................................ 107.3(b) 107.103(a)(1)............................. New 107.103(a)(2)............................. New--Reserved 107.103(a)(3), (a)(3)(i)-(v).............. New 107.103(a)(4)(i) and (ii)................. 107.3(b)(1) and (2) 107.103(a)(4)(iii)........................ 107.3(b)(4) 107.103(a)(11)............................ 107.3(b)(8) 107.103(a)(12)............................ 107.3(b)(7) 107.103(a)(13)............................ 107.3(b)(9) 107.103(a)(14)-(18)....................... New 107.103(a)(19)............................ 107.3(b)(6) 107.103(a)(20)............................ 107.3(b)(3) 107.103(a)(21)............................ New 107.103(b)................................ 107.3(g) 107.103(b)(1)............................. New 107.103(b)(2)-(4)......................... 107.3(g)(1)-(3) 107.103(b)(5)-(8)......................... New 107.103(c)(1)............................. New 107.103(c)(2)-(4)......................... 107.3(f)(1)-(3) 107.103(c)(5)-(7)......................... New 107.103(d)................................ 107.3(c) 107.105(a)................................ 107.5(a) 107.105(a)(1) and (2)..................... 107.5(b) and (c) 107.105(a)(3)............................. 107.5(d) and (e) 107.105(b)(1) and (2)..................... 107.9(a) and (b) 107.105(b)(3)............................. 107.9(c)(1) and (2) 107.105(b)(4)............................. 107.9(d) 107.105(b)(5)............................. 107.9(e) and (f) 107.105(c)................................ 107.11(a) 107.105(c)(1)-(3)......................... 107.11(a), (c) and (d) 107.105(d)................................ 107.11(f) 107.107(a)(1)............................. 107.7(a)(2)

[[Page 37317]]

107.107(a)(2)............................. New 107.107(a)(3)............................. 107.7(a)(1) 107.107(b)................................ 107.7(b) 107.107(c) and (d)........................ 107.7(b)(2) plus new language 107.109................................... New 107.111(a)................................ New 107.111(b) and (b)(1)..................... 107.3(b)(5) 107.111(c)................................ New 107.113(a)-(d)............................ New 107.201(a), (b) and (b)(1)................ 107.14(a) 107.201(b)(2)-(7)......................... New 107.203(a)................................ 107.13(a) 107.203(b)(1)............................. 107.13(a)(1) 107.203(b)(2)............................. 107.13(a)(3) 107.203(b)(3) and (4)..................... New 107.205(b)(2) and (3)..................... New 107.207................................... 107.13 and 107.14 107.207(a)(1)-(3)......................... 107.14(a) 107.207(b)................................ 107.14(b) 107.207(c)(1)-(e)(5)...................... New 107.209................................... 107.31 107.211(a)(1)(i)-(iv)..................... New 107.211(a)(3)(i)-(vi),(e)................. New 107.213(b) and (c)........................ 107.25(b)-(e) 107.213(b)(1)............................. New 107.213(b)(2)............................. 107.25(e)(1) 107.213(b)(4)............................. New 107.213(c)(5) and (6)..................... 107.25(e)(3)-(5) 107.213(c)(1)............................. New 107.213(c)(2) and (3)..................... 107.25(e)(1) and (2) 107.213(c)(4)............................. New 107.213(c)(5) and (6)..................... 107.25(e)(3)-(5) 107.213(d)................................ 107.25(g) 107.213(e)................................ New 107.215(a)................................ 107.15(a) 107.215(a)(1)............................. 107.15(a) and (a)(1) 107.215(a)(2)............................. 107.15(a)(2) 107.215(b)................................ 107.15(b) 107.217(a)-(c)(2)......................... 107.17(a)-(c)(2) 107.217(c)(3)(i)-(iv)..................... 107.17(d)(1)-(4) 107.217(d)................................ New 107.219................................... 107.19 107.221(a)(1) and (2)..................... 107.23(a)(1) and (2) 107.221(c)................................ 107.23(b) 107.221(d)................................ New 107.301(a) and (b)........................ New 107.303(a)-(f)(2)......................... New 107.305................................... New 107.307(a)-(d)............................ New

List of Subjects

14 CFR Part 107

Airports, Arms and munitions, Law enforcement officers, Reporting and recordkeeping requirements, Security measures.

14 CFR Part 139

Air carriers, Airports, Aviation safety.

The Amendments

In consideration of the foregoing, the Federal Aviation Administration amends chapter I of Title 14, Code of Federal Regulations as follows:

  1. Part 107 is revised to read as follows:

    PART 107--AIRPORT SECURITY

    Subpart A--General Sec. 107.1 Applicability. 107.3 Definitions. 107.5 Airport security coordinator. 107.7 Inspection authority. 107.9 Falsification. 107.11 Security responsibilities of employees and other persons. Subpart B--Airport Security Program 107.101 General requirements. 107.103 Content. 107.105 Approval and amendments. 107.107 Changed conditions affecting security. 107.109 Alternate means of compliance. 107.111 Exclusive area agreements. 107.113 Airport tenant security programs. Subpart C--Operations 107.201 Security of the secured area. 107.203 Security of the air operations area (AOA). 107.205 Security of the security identification display area (SIDA). 107.207 Access control systems. 107.209 Employment history, verification, and criminal history records checks. 107.211 Identification systems. 107.213 Training. 107.215 Law enforcement support. 107.217 Law enforcement personnel. 107.219 Supplementing law enforcement personnel. 107.221 Records of law enforcement response. Subpart D--Contingency Measures 107.301 Contingency plan. 107.303 Security Directives and Information Circulars. 107.305 Public advisories. 107.307 Incident management.

    Authority: 49 U.S.C. 106(g), 5103, 40113, 40119, 44701-44702, 44706, 44901-44905, 44907, 44913-44914, 44932, 44935-44936, 46105.

    Subpart A--General

    Sec. 107.1 Applicability.

    (a) This part describes aviation security rules governing:

    (1) The operation of each airport regularly serving aircraft operations required to be under a security program under part 108 of this chapter.

    (2) The operation of each airport regularly serving foreign air carrier operations required to be under a security program under Sec. 129.25 of this chapter.

    (3) Each person who is in, or entering, a secured area, air operations area, security identification display area, or sterile area described in this part and part 108 of this chapter.

    (4) Each person who files an application or makes entries into any record or report that is kept, made, or used to show compliance under this part, or to exercise any privileges under this part.

    (5) Each airport operator that receives a Security Directive or Information Circular and each person who receives information from a Security Directive or Information Circular issued by the Assistant Administrator for Civil Aviation Security.

    (b) Except as provided in Sec. 107.105, the authority of the Administrator under this part is also exercised by the Assistant Administrator for Civil Aviation Security and the Deputy Assistant Administrator for Civil Aviation Security, and any individual formally designated to act in their capacity. The authority of the Assistant Administrator, including matters under Sec. 107.105, may be further delegated.

    Sec. 107.3 Definitions.

    Terms defined in part 108 of this chapter apply to this part. For purposes of this part, part 108 of this chapter, and security programs under these parts, the following definitions also apply:

    Air operations area (AOA) means a portion of an airport, specified in the airport security program, in which security measures specified in this part are carried out. This area includes aircraft movement areas, aircraft parking areas, loading ramps, and safety areas, for use by aircraft regulated under part 108 or Sec. 129.25 of this chapter, and any adjacent areas (such as general aviation areas) that are not separated by adequate security systems, measures, or procedures. This area does not include the secured area.

    Airport operator means a person that operates an airport serving an aircraft operator or a foreign air carrier required to have a security program under part 108 or Sec. 129.25 of this chapter.

    Airport security program means an airport operator's security program required under Sec. 107.101 and approved by the Administrator.

    Airport tenant means any person, other than an aircraft operator or foreign air carrier that has a security program under part 108 or Sec. 129.25 of this chapter, that has an agreement with the airport operator to conduct business on airport property.

    Airport tenant security program means the agreement between the airport operator and an airport tenant that specifies the measures by which the tenant will perform security functions under Sec. 107.113.

    Assistant Administrator means the FAA Assistant Administrator for Civil Aviation Security as described in 49 U.S.C. 44932.

    Escort means to accompany or monitor the activities of an individual

    [[Page 37318]]

    who does not have unescorted access authority into or within a secured area or SIDA.

    Exclusive area means any portion of a secured area, AOA, or SIDA, including individual access points, for which an aircraft operator or foreign air carrier that has a security program under part 108 or Sec. 129.25 of this chapter has assumed responsibility under Sec. 107.111.

    Exclusive area agreement means an agreement between the airport operator and an aircraft operator or a foreign air carrier that has a security program under part 108 or Sec. 129.25 of this chapter that permits such an aircraft operator or foreign air carrier to assume responsibility for specified security measures in accordance with Sec. 107.111.

    Secured area means a portion of an airport, specified in the airport security program, in which certain security measures specified in this part are carried out. This area is where aircraft operators and foreign air carriers that have a security program under part 108 or Sec. 129.25 of this chapter enplane and deplane passengers and sort and load baggage and any adjacent areas that are not separated by adequate security systems, measures, or procedures.

    Security Identification Display Area (SIDA) means a portion of an airport, specified in the airport security program, in which security measures specified in this part are carried out. This area includes the secured area and may include other areas of the airport.

    Unescorted access authority means the authority granted to individuals by an airport operator, aircraft operator, foreign air carrier, or airport tenant authorized under this part or parts 108 or 129 of this chapter to gain entry to, and be present without an escort in secured areas and SIDA's.

    Sec. 107.5 Airport security coordinator.

    (a) Each airport operator shall designate one or more Airport Security Coordinator(s) (ASC) in its security program.

    (b) The airport operator shall ensure that one or more ASC's:

    (1) Serve as the airport operator's primary and immediate contact for security-related activities and communications with the Administrator. Any individual designated as an ASC may perform other duties in addition to those described in this paragraph (b)(1).

    (2) Is available to the Administrator on a 24-hour basis.

    (3) Review with sufficient frequency all security-related functions to ensure that all are effective and in compliance with this part, its security program, and applicable Security Directives.

    (4) Immediately initiate corrective action for any instance of non- compliance with this part, its security program, and applicable Security Directives.

    (5) Review and control the results of employment history, verification, and criminal history records checks required under Sec. 107.209.

    (6) Serve as the contact to receive notification from individuals applying for unescorted access of their intent to seek correction of their criminal history record with the FBI.

    (c) After July 17, 2003, no airport operator may use, nor may it designate any person as, an ASC unless that individual has completed subject matter training, as specified in its security program, to prepare the individual to assume the duties of the position. The airport operator shall maintain ASC training documentation until at least 180 days after the withdrawal of a individual's designation as an ASC.

    (d) An individual's satisfactory completion of initial ASC training required under paragraph (c) of this section satisfies that requirement for all future ASC designations for that individual, except for site specific information, unless there has been a two or more year break in service as an active and designated ASC.

    Sec. 107.7 Inspection authority.

    (a) For purposes of security inspections, each airport operator shall allow Special Agents designated by the Administrator, at any time or place, to make any inspections or tests, including copying records, to determine compliance of an airport operator, aircraft operator, foreign air carrier, indirect air carrier, or other airport tenants with--

    (1) This part, parts 108, 109, 129, and 191 of this chapter and any security program approved under those parts; and

    (2) 49 U.S.C. Subtitle VII, as amended.

    (b) At the request of the Administrator, each airport operator shall provide evidence of compliance with this part and its airport security program, including copies of records.

    (c) The Administrator may enter and be present within secured areas, AOA's, and SIDA's, without access media or identification media issued or approved by an airport operator or aircraft operator, in order to conduct investigations, inspect, test compliance, or perform other such duties as the Administrator may direct.

    (d) At the request of the Administrator and upon the completion of SIDA training as required in a security program, each airport operator promptly shall issue to a FAA special agent access and identification media to provide a FAA special agent with unescorted access to, and movement within, secured areas, AOA's, and SIDA's.

    Sec. 107.9 Falsification.

    No person may make, or cause to be made, any of the following:

    (a) Any fraudulent or intentionally false statement in any application for any security program, access medium, or identification medium, or any amendment thereto, under this part.

    (b) Any fraudulent or intentionally false entry in any record or report that is kept, made, or used to show compliance with this part, or exercise any privileges under this part.

    (c) Any reproduction or alteration, for fraudulent purpose, of any report, record, security program, access medium, or identification medium issued under this part.

    Sec. 107.11 Security responsibilities of employees and other persons.

    (a) No person may:

    (1) Tamper or interfere with, compromise, modify, attempt to circumvent, or cause a person to tamper or interfere with, compromise, modify, or attempt to circumvent any security system, measure, or procedure implemented under this part.

    (2) Enter, or be present within, a secured area, AOA, SIDA or sterile area without complying with the systems, measures, or procedures being applied to control access to, or presence or movement in, such areas.

    (3) Use, allow to be used, or cause to be used, any airport-issued or airport-approved access medium or identification medium that authorizes the access, presence, or movement of persons or vehicles in secured areas, AOA's, or SIDA's in any other manner than that for which it was issued by the appropriate authority under this part, or part 108 or part 129 of this chapter.

    (b) The provisions of paragraph (a) of this section do not apply to conducting inspections or tests to determine compliance with this part or 49 U.S.C. Subtitle VII authorized by:

    (1) The Administrator, or

    (2) The airport operator, aircraft operator, or foreign air carrier, when acting in accordance with the procedures described in a security program approved by the Administrator.

    Subpart B--Airport Security Program

    Sec. 107.101 General requirements.

    (a) No person may operate an airport subject to this part unless it adopts and carries out a security program that--

    [[Page 37319]]

    (1) Provides for the safety and security of persons and property on an aircraft operating in air transportation or intrastate air transportation against an act of criminal violence, aircraft piracy, and the introduction of deadly or dangerous weapon, explosive, or incendiary onto an aircraft;

    (2) Is in writing and is signed by the airport operator or any person to whom the airport operator has delegated authority in this matter;

    (3) Includes the applicable items listed in Sec. 107.103;

    (4) Includes an index organized in the same subject area sequence as Sec. 107.103; and

    (5) Has been approved by the Administrator.

    (b) The airport operator shall maintain one current and complete copy of its security program and provide a copy to the Administrator upon request.

    (c) Each airport operator shall--

    (1) Restrict the distribution, disclosure, and availability of sensitive security information (SSI), as defined in part 191 of this chapter, to persons with a need to know; and

    (2) Refer all requests for SSI by other persons to the Administrator.

    Sec. 107.103 Content.

    (a) Except as otherwise approved by the Administrator, each airport operator regularly serving operations of an aircraft operator or foreign air carrier described in Secs. 108.101(a)(1) or 129.25(b)(1) of this chapter, shall include in its security program the following:

    (1) The name, means of contact, duties, and training requirements of the ASC required under Sec. 107.5.

    (2) [Reserved]

    (3) A description of the secured areas, including--

    (i) A description and map detailing boundaries and pertinent features;

    (ii) Each activity or entity on, or adjacent to, a secured area that affects security;

    (iii) Systems, measures, and procedures used to perform the access control functions required under Sec. 107.201(b)(1);

    (iv) Procedures to control movement within the secured area, including identification media required under Sec. 107.201(b)(3); and

    (v) A description of the notification signs required under Sec. 107.201(b)(6).

    (4) A description of the AOA, including--

    (i) A description and map detailing boundaries, and pertinent features;

    (ii) Each activity or entity on, or adjacent to, an AOA that affects security;

    (iii) Systems, measures, and procedures used to perform the access control functions required under Sec. 107.203(b)(1);

    (iv) Procedures to control movement within the AOA, including identification media as appropriate; and

    (v) A description of the notification signs required under Sec. 107.203(b)(4).

    (5) A description of the SIDA's, including--

    (i) A description and map detailing boundaries and pertinent features; and

    (ii) Each activity or entity on, or adjacent to, a SIDA.

    (6) A description of the sterile areas, including--

    (i) A diagram with dimensions detailing boundaries and pertinent features;

    (ii) Access controls to be used when the passenger-screening checkpoint is non-operational and the entity responsible for that access control; and

    (iii) Systems, measures, and procedures used to control access as specified in Sec. 107.207.

    (7) Procedures used to comply with Sec. 107.209 regarding employment history, verification, and criminal history records checks.

    (8) A description of the personnel identification systems as described in Sec. 107.211.

    (9) Escort procedures in accordance with Sec. 107.211(e).

    (10) Challenge procedures in accordance with Sec. 107.211(d).

    (11) Training programs required under Secs. 107.213 and 107.217(c)(2), if applicable.

    (12) A description of law enforcement support used to comply with Sec. 107.215(a).

    (13) A system for maintaining the records described in Sec. 107.221.

    (14) The procedures and a description of facilities and equipment used to support aircraft operator or foreign air carrier screening functions of Secs. 108.201 or 129.25 of this chapter.

    (15) A contingency plan required under Sec. 107.301.

    (16) Procedures for the distribution, storage, and disposal of security programs, Security Directives, Information Circulars, implementing instructions, and, as appropriate, classified information.

    (17) Procedures for posting of public advisories as specified in Sec. 107.305.

    (18) Incident management procedures used to comply with Sec. 107.307.

    (19) Alternate security procedures, if any, that the airport operator intends to use in the event of natural disasters, and other emergency or unusual conditions.

    (20) Each exclusive area agreement as specified in Sec. 107.111.

    (21) Each airport tenant security program as specified in Sec. 107.113.

    (b) Except as otherwise approved by the Administrator, each airport regularly serving operations of an aircraft operator or foreign air carrier described in Secs. 108.101(a)(2) or (b), or 129.25(b)(2) or (b)(3) of this chapter, shall include in its security program a description of the following:

    (1) Name, means of contact, duties, and training requirements of the ASC, as required under Sec. 107.5.

    (2) A description of the law enforcement support used to comply with Sec. 107.215(a).

    (3) Training program for law enforcement personnel required under Sec. 107.217(c)(2), if applicable.

    (4) A system for maintaining the records described in Sec. 107.221.

    (5) The contingency plan required under Sec. 107.301.

    (6) Procedures for the distribution, storage, and disposal of security programs, Security Directives, Information Circulars, implementing instructions, and, as appropriate, classified information.

    (7) Procedures for public advisories as specified in Sec. 107.305.

    (8) Incident management procedures used to comply with Sec. 107.307.

    (c) Except as otherwise approved by the Administrator, each airport regularly serving operations of an aircraft operator or foreign air carrier described in Secs. 108.101(c) or 129.25(b)(4) of this chapter, shall include in its security program a description of the following:

    (1) Name, means of contact, duties, and training requirements of the ASC as required under Sec. 107.5.

    (2) A description of the law enforcement support used to comply with Sec. 107.215(b).

    (3) Training program for law enforcement personnel required under Sec. 107.217(c)(2), if applicable.

    (4) A system for maintaining the records described in Sec. 107.221.

    (5) Procedures for the distribution, storage, and disposal of security programs, Security Directives, Information Circulars, implementing instructions, and, as appropriate, classified information.

    (6) Procedures for public advisories as specified in Sec. 107.305.

    (7) Incident management procedures used to comply with Sec. 107.307.

    (d) The airport operator may comply with paragraphs (a), (b), and (c) of this section by including in its security program, as an appendix, any document that contains the information required by paragraphs (a), (b), and (c) of this section. The appendix shall be referenced in the corresponding section(s) of the security program.

    [[Page 37320]]

    Sec. 107.105 Approval and amendments.

    (a) Initial approval of security program. Unless otherwise authorized by the Assistant Administrator, each airport operator required to have a security program under this part shall submit its initial proposed security program to the Assistant Administrator for approval at least 90 days before the date any aircraft operator or foreign air carrier required to have a security program under Secs. 108.101 or 129.25 of this chapter is expected to begin operations. Such requests will be processed as follows:

    (1) The Assistant Administrator, within 30 days after receiving the proposed security program, will either approve the program or give the airport operator written notice to modify the program to comply with the applicable requirements of this part.

    (2) The airport operator may either submit a modified security program to the Assistant Administrator for approval, or petition the Administrator to reconsider the notice to modify within 30 days of receiving a notice to modify. A petition for reconsideration must be filedwith the Assistant Administrator.

    (3) The Assistant Administrator, upon receipt of a petition for reconsideration, either amends or withdraws the notice, or transmits the petition, together with any pertinent information, to the Administrator for reconsideration. The Administrator disposes of the petition within 30 days of receipt by either directing the Assistant Administrator to withdraw or amend the notice to modify, or by affirming the notice to modify.

    (b) Amendment requested by an airport operator. Except as provided in Sec. 107.107(c), an airport operator may submit a request to the Assistant Administrator to amend its security program, as follows:

    (1) The request for an amendment must be filedwith the Assistant Administrator at least 45 days before the date it proposes for the amendment to become effective, unless a shorter period is allowed by the Assistant Administrator.

    (2) Within 30 days after receiving a proposed amendment, the Assistant Administrator, in writing, either approves or denies the request to amend.

    (3) An amendment to a security program may be approved if the Assistant Administrator determines that safety and the public interest will allow it, and the proposed amendment provides the level of security required under this part.

    (4) Within 30 days after receiving a denial, the airport operator may petition the Administrator to reconsider the denial.

    (5) Upon receipt of a petition for reconsideration, the Assistant Administrator either approves the request to amend or transmits the petition within 30 days of receipt, together with any pertinent information, to the Administrator for reconsideration. The Administrator disposes of the petition within 30 days of receipt by either directing the Assistant Administrator to approve the amendment or affirm the denial.

    (c) Amendment by the FAA. If safety and the public interest require an amendment, the Assistant Administrator may amend a security program as follows:

    (1) The Assistant Administrator sends to the airport operator a notice, in writing, of the proposed amendment, fixing a period of not less than 30 days within which the airport operator may submit written information, views, and arguments on the amendment.

    (2) After considering all relevant material, the Assistant Administrator notifies the airport operator of any amendment adopted or rescinds the notice. If the amendment is adopted, it becomes effective not less than 30 days after the airport operator receives the notice of amendment, unless the airport operator petitions the Administrator to reconsider no later than 15 days before the effective date of the amendment. The airport operator shall send the petition for reconsideration to the Assistant Administrator. A timely petition for reconsideration stays the effective date of the amendment.

    (3) Upon receipt of a petition for reconsideration, the Assistant Administrator either amends or withdraws the notice, or transmits the petition, together with any pertinent information to the Administrator for reconsideration. The Administrator disposes of the petition within 30 days of receipt by either directing the Assistant Administrator to withdraw or amend the amendment, or by affirming the amendment.

    (d) Emergency Amendments. Notwithstanding paragraph (c) of this section, if the Assistant Administrator finds that there is an emergency requiring immediate action with respect to safety and security in air transportation or in air commerce that makes procedures in this section contrary to the public interest, the Assistant Administrator may issue an amendment, effective without stay on the date the airport operator receives the notice of it. In such a case, the Assistant Administrator shall incorporate in the notice a brief statement of the reasons and findings for the amendment to be adopted. The airport operator may file a petition for reconsideration under paragraph (c) of this section; however, this does not stay the effective date of the emergency amendment (EA).

    Sec. 107.107 Changed conditions affecting security.

    (a) After approval of the security program, each airport operator shall notify the Administrator when changes have occurred to the--

    (1) Systems, measures, procedures, training, area descriptions, or staffing, described in the security program;

    (2) Operations of an aircraft operator or foreign air carrier that would require modifications to the security program as required under Sec. 107.103; or

    (3) Layout or physical structure of any area under the control of the airport operator, airport tenant, aircraft operator, or foreign air carrier used to support the screening process, access, presence, or movement control functions required under parts 107, 108, or 129 of this chapter.

    (b) Each airport operator shall notify the Administrator no more than 6 hours after the discovery of any changed condition described in paragraph (a) of this section, or within the time specified in its security program, of the discovery of any changed condition described in paragraph (a) of this section. The airport operator shall inform the Administrator of each interim measure being taken to maintain adequate security until an appropriate amendment to the security program is approved. Each interim measure must be acceptable to the Administrator.

    (c) For changed conditions expected to be less than 60 days duration, each airport operator shall forward the information required in paragraph (b) of this section in writing to the Administrator within 72 hours of the original notification of the change condition(s). The Administrator will notify the airport operator of the disposition of the notification in writing. If approved by the Administrator, this written notification becomes a part of the airport security program for the duration of the changed condition(s).

    (d) For changed conditions expected to be 60 days or more duration, each airport operator shall forward the information required in paragraph (b) of this section in the form of a proposed amendment to the airport operator's security program, as required under Sec. 107.105. The request for an amendment shall be made within 30

    [[Page 37321]]

    days of the discovery of the changed condition(s). The Administrator will respond to the request in accordance with Sec. 107.105.

    Sec. 107.109 Alternate means of compliance.

    If in the Administrator's judgment, the overall safety and security of the airport, and aircraft operator or foreign air carrier operations are not diminished, the Administrator may approve a security program that provides for the use of alternate measures. Such a program may be considered only for an operator of an airport at which service by aircraft operators or foreign air carriers under Secs. 108.101 or 129.25 of this chapter is determined by the Administrator to be seasonal or infrequent.

    Sec. 107.111 Exclusive area agreements.

    (a) The Administrator may approve an amendment to an airport security program under which an aircraft operator or foreign air carrier that has a security program under part 108 or part 129 of this chapter assumes responsibility for specified security measures for all or portions of the secured area, AOA, or SIDA, as provided in Secs. 107.201, 107.203, or 107.205. The assumption of responsibility must be exclusive to one aircraft operator or foreign air carrier, and shared responsibility among aircraft operators or foreign air carriers is not permitted for an exclusive area.

    (b) An exclusive area agreement shall be in writing, signed by the airport operator and aircraft operator or foreign air carrier, and maintained in the airport security program. This agreement shall contain the following:

    (1) A description, a map, and, where appropriate, a diagram of the boundaries and pertinent features of each area, including individual access points, over which the aircraft operator or foreign air carrier will exercise exclusive security responsibility.

    (2) A description of the systems, measures, and procedures used by the aircraft operator or foreign air carrier to comply with Secs. 107.201, 107.203, or 107.205, as appropriate.

    (3) Procedures by which the aircraft operator or foreign air carrier will immediately notify the airport operator and provide for alternative security measures when there are changed conditions as described in Sec. 107.107(a).

    (c) Any exclusive area agreements in effect on November 14, 2001 shall meet the requirements of this section and Sec. 108.227 no later than November 14, 2002.

    Sec. 107.113 Airport tenant security programs.

    (a) The Administrator may approve an airport tenant security program as follows:

    (1) The tenant must assume responsibility for specified security systems, measures, or procedures of the secured area, AOA, or SIDA as provided in Secs. 107.201, 107.203, and 107.205.

    (2) The tenant may only assume responsibility for employment verification as provided in Sec. 107.209.

    (3) The tenant may not assume responsibility for law enforcement support under Sec. 107.215.

    (4) The tenant must assume the responsibility within the tenant's leased areas or areas designated for the tenant's exclusive use. A tenant may not assume responsibility under a tenant security program for the airport passenger terminal.

    (5) Responsibility must be exclusive to one tenant, and shared responsibility among tenants is not permitted.

    (6) The Administrator must find that the tenant is able and willing to carry out the airport tenant security program.

    (b) An airport tenant security program shall be in writing, signed by the airport operator and the airport tenant, and maintained in the airport security program. The airport tenant security program shall include the following:

    (1) A description and a map of the boundaries and pertinent features of each area over which the airport tenant will exercise security responsibilities.

    (2) A description of the systems, measures, and procedures the airport tenant has assumed.

    (3) Systems, measures, and procedures by which the airport operator will monitor and audit the tenant's compliance with the security program.

    (4) Monetary and other penalties to which the tenant may be subject if it fails to carry out the airport tenant security program.

    (5) Circumstances under which the airport operator will terminate the airport tenant security program for cause.

    (6) A provision acknowledging that the tenant is subject to inspection by the Administrator in accordance with Sec. 107.7.

    (7) A provision acknowledging that individuals who carry out the tenant security program are contracted to or acting for the airport operator and are required to protect sensitive information in accordance with part 191 of this chapter, and may be subject to civil penalties for failing to protect sensitive security information.

    (8) Procedures by which the tenant will immediately notify the airport operator of and provide for alternative security measures for changed conditions as described in Sec. 107.107(a).

    (c) If the Administrator has approved an airport tenant security program, the airport operator may not be found to be in violation of a requirement of this part in any case in which the airport operator demonstrates that:

    (1) The tenant or an employee, permittee, or invitee of the tenant, is responsible for such violation; and

    (2) The airport operator has complied with all measures in its security program to ensure the tenant has complied with the airport tenant security program.

    (d) The Administrator may amend or terminate an airport tenant security program in accordance with Sec. 107.105.

    Subpart C--Operations

    Sec. 107.201 Security of the secured area.

    (a) Each airport operator required to have a security program under Sec. 107.103(a) shall establish at least one secured area.

    (b) Each airport operator required to establish a secured area shall prevent and detect the unauthorized entry, presence, and movement of individuals and ground vehicles into and within the secured area by doing the following:

    (1) Establish and carry out systems, measures, or procedures for controlling entry to secured areas of the airport in accordance with Sec. 107.207.

    (2) Provide for detection of, and response to, each unauthorized presence or movement in, or attempted entry to, the secured area by an individual whose access is not authorized in accordance with its security program.

    (3) Establish and carry out a personnel identification system described under Sec. 107.211.

    (4) Subject each individual to employment history verification as described in Sec. 107.209 before authorizing unescorted access to a secured area.

    (5) Train each individual before granting unescorted access to the secured area, as required in Sec. 107.213(b).

    (6) Post signs at secured area access points and on the perimeter that provide warning of the prohibition against unauthorized entry. Signs shall be posted by each airport operator in accordance with its security program not later than November 14, 2003.

    Sec. 107.203 Security of the air operations area (AOA).

    (a) Each airport operator required to have a security program under Sec. 107.103(a) shall establish an AOA,

    [[Page 37322]]

    unless the entire area is designated as a secured area.

    (b) Each airport operator required to establish an AOA shall prevent and detect the unauthorized entry, presence, and movement of individuals and ground vehicles into or within the AOA by doing the following:

    (1) Establish and carry out systems, measures, or procedures for controlling entry to the AOA of the airport in accordance with Sec. 107.207.

    (2) Provide for detection of, and response to, each unauthorized presence or movement in, or attempted entry to, the AOA by an individual whose access is not authorized in accordance with its security program.

    (3) Provide security information as described in Sec. 107.213(c) to each individual with unescorted access to the AOA.

    (4) Post signs on AOA access points and perimeters that provide warning of the prohibition against unauthorized entry to the AOA. Signs shall be posted by each airport operator in accordance with its security program not later than November 14, 2003.

    (5) If approved by the Administrator, the airport operator may designate all or portions of its AOA as a SIDA, or may use another personnel identification system, as part of its means of meeting the requirements of this section. If it uses another personnel identification system, the media must be clearly distinguishable from those used in the secured area and SIDA.

    Sec. 107.205 Security of the security identification display area (SIDA).

    (a) Each airport operator required to have a security program under Sec. 107.103(a) shall establish at least one SIDA. Each secured area must be a SIDA. Other areas of the airport may be SIDA's.

    (b) Each airport operator required to establish a SIDA shall establish and carry out measures to prevent the unauthorized presence and movement of individuals in the SIDA and shall do the following:

    (1) Establish and carry out a personnel identification system described under Sec. 107.211.

    (2) Subject each individual to employment history verification as described in Sec. 107.209 before authorizing unescorted access to a SIDA.

    (3) Train each individual before granting unescorted access to the SIDA, as required in Sec. 107.213(b).

    Sec. 107.207 Access control systems.

    (a) Secured area. Except as provided in paragraph (b) of this section, the systems, measures, or procedures for controlling entry to the secured area required under Sec. 107.201(b)(1) shall--

    (1) Ensure that only those individuals authorized to have unescorted access to the secured area are able to gain entry;

    (2) Ensure that an individual is immediately denied entry to a secured area when that person's access authority for that area is withdrawn; and

    (3) Provide a means to differentiate between individuals authorized to have access to an entire secured area and individuals authorized access to only a particular portion of a secured area.

    (b) Alternative systems. The Administrator may approve an amendment to a security program that provides alternative systems, measures, or procedures that provide an overall level of security equal to that which would be provided by the systems, measures, or procedures described in paragraph (a) of this section.

    (c) Air operations area. The systems, measures, or procedures for controlling entry to the AOA required under Sec. 107.203(b)(1) shall incorporate accountability procedures to maintain their integrity.

    (d) Secondary access media. An airport operator may issue a second access medium to an individual who has unescorted access to secured areas or the AOA, but is temporarily not in possession of the original access medium, if the airport operator follows measures and procedures in the security program that--

    (1) Verifies the authorization of the individual to have unescorted access to secured areas or AOAs;

    (2) Restricts the time period of entry with the second access medium;

    (3) Retrieves the second access medium when expired;

    (4) Deactivates or invalidates the original access medium until the individual returns the second access medium; and

    (5) Provides that any second access media that is also used as identification media meet the criteria of Sec. 107.211(b).

    Sec. 107.209 Employment history, verification, and criminal history records checks.

    (a) Scope. The following persons are within the scope of this section:

    (1) All airport operators, airport users, and individuals currently having unescorted access to a SIDA.

    (2) All individuals seeking authorization for, or seeking the authority to authorize others to have, unescorted access to the SIDA.

    (3) Each airport user and aircraft operator making a certification to an airport operator pursuant to paragraph (n) of this section, made on or after January 31, 1996. An airport user, for the purposes of this section only, is any person making a certification under this section other than an aircraft operator subject to Sec. 108.229 of this chapter.

    (b) Employment history investigations required. Except as provided in paragraph (m) of this section, each airport operator must ensure that no individual is granted authorization for, or is granted authority to authorize others to have, unescorted access to the SIDA unless the following requirements are met:

    (1) The individual has satisfactorily undergone Part 1 of an employment history investigation. Part 1 consists of a review of the previous 10 years of employment history and verification of the 5 employment years preceding the date the appropriate investigation is initiated as provided in paragraph (c) of this section; and

    (2) If required by paragraph (c)(5) of this section, the individual must then satisfy Part 2 of the employment history investigation. Part 2 is the process to determine if the individual has a criminal record. To satisfy Part 2 of the investigation the criminal record check must not disclose that the individual has been convicted or found not guilty by reason of insanity, in any jurisdiction, during the 10 years ending on the date of such investigation, of any of the crimes listed as follows:

    (i) Forgery of certificates, false marking of aircraft, and other aircraft registration violation, 49 U.S.C. 46306;

    (ii) Interference with air navigation, 49 U.S.C. 46308;

    (iii) Improper transportation of a hazardous material, 49 U.S.C. 46312;

    (iv) Aircraft piracy, 49 U.S.C. 46502;

    (v) Interference with flightcrew members or flight attendants, 49 U.S.C. 46504;

    (vi) Commission of certain crimes aboard aircraft in flight, 49 U.S.C. 46506;

    (vii) Carrying a weapon or explosive aboard aircraft, 49 U.S.C. 46505;

    (viii) Conveying false information and threats, 49 U.S.C. 49 46507;

    (ix) Aircraft piracy outside the special aircraft jurisdiction of the United States, 49 U.S.C. 46502(b);

    (x) Lighting violations involving transporting controlled substances, 49 U.S.C. 46315;

    (xi) Unlawful entry into an aircraft or airport area that serves air carriers or foreign air carriers contrary to established security requirements, 49 U.S.C. 46314;

    (xii) Destruction of an aircraft or aircraft facility, 18 U.S.C. 32;

    (xiii) Murder;

    [[Page 37323]]

    (xiv) Assault with intent to murder;

    (xv) Espionage;

    (xvi) Sedition;

    (xvii) Kidnapping or hostage taking;

    (xviii) Treason;

    (xix) Rape or aggravated sexual abuse;

    (xx) Unlawful possession, use, sale, distribution, or manufacture of an explosive or weapon;

    (xxi) Extortion;

    (xxii) Armed robbery;

    (xxiii) Distribution of, or intent to distribute, a controlled substance;

    (xxiv) Felony arson; or

    (xxv) Conspiracy or attempt to commit any of the aforementioned criminal acts; and

    (3) If an individual admits to a conviction, or to having been found not guilty by reason of insanity, in any jurisdiction within the preceding 10 years of a crime listed in (b)(2) of this section, the investigative process shall end and the individual shall not be granted unescorted access or assigned to any functions listed in (a)(3) of this section.

    (c) Investigative steps. Part 1 of the employment history investigation must be completed on all persons listed in paragraph (a) of this section. If required by paragraph (c)(5) of this section, Part 2 of the employment history investigation must also be completed on all persons listed in paragraph (a) of this section.

    (1) The individual must provide the following information on an application form:

    (i) The individual's full name, including any aliases or nicknames.

    (ii) The dates, names, phone numbers, and addresses of previous employers, with explanations for any gaps in employment of more than 12 consecutive months, during the previous 10-year period.

    (iii) Any convictions during the previous 10-year period of the crimes listed in paragraph (b)(2) of this section.

    (2) The airport operator or the airport user must include on the application form a notification that the individual will be subject to an employment history verification and possibly a criminal records check.

    (3) The airport operator or the airport user must verify the identity of the individual through the presentation of two forms of identification, one of which must bear the individual's photograph.

    (4) The airport operator or the airport user must verify the information on the most recent 5 years of employment history required under paragraph (c)(1)(ii) of this section. Information must be verified in writing, by documentation, by telephone, or in person.

    (5) If one or more of the conditions (triggers) listed in paragraphs (c)(5)(i) through (c)(5)(iv) of this section exist, the employment history investigation must not be considered complete unless Part 2 is accomplished. Only the airport operator may initiate Part 2 for airport users under this section. Part 2 consists of a comparison of the individual's fingerprints against the fingerprint files of known criminals maintained by the Federal Bureau of Investigation (FBI). The comparison of the individual's fingerprints must be processed through the FAA. The airport operator may request a check of the individual's fingerprint-based criminal record only if one or more of the following conditions exist:

    (i) The individual does not satisfactorily account for a period of unemployment of 12 consecutive months or more during the previous 10- year period.

    (ii) The individual is unable to support statements made on the application form.

    (iii) There are significant inconsistencies in the information provided on the application.

    (iv) Information becomes available to the airport operator or the airport user during the investigation indicating a possible conviction for one of the crimes listed in paragraph (b)(2) of this section.

    (d) Individual notification. Prior to commencing the criminal records check, the airport operator must notify the affected individual and identify the ASC as a contact for follow-up. An individual, who chooses not to submit fingerprints, after having met a requirement for Part 2 of the employment investigation, may not be granted unescorted access privilege.

    (e) Fingerprint processing. If a fingerprint comparison is necessary under paragraph (c)(5) of this section to complete the employment history investigation the airport operator must collect and process fingerprints in the following manner:

    (1) One set of legible and classifiable fingerprints must be recorded on fingerprint cards approved by the FBI, and distributed by the FAA for this purpose.

    (2) The fingerprints must be obtained from the individual under direct observation by the airport operator or a law enforcement officer. Individuals submitting their fingerprints may not take possession of their fingerprint card after they have been fingerprinted.

    (3) The identity of the individual must be verified at the time fingerprints are obtained. The individual must present two forms of identification, one of which must bear the individual's photograph.

    (4) The fingerprint card must be forwarded to the FAA at the location specified by the Administrator.

    (5) Fees for the processing of the criminal record checks are due upon application. Airport operators must submit payment through corporate check, cashier's check, or money order made payable to ``U.S. FAA,'' at the designated rate for each fingerprint card. Combined payment for multiple applications is acceptable. The designated rate for processing the fingerprint cards is available from the local FAA security office.

    (f) Determination of arrest status. In conducting the criminal record checks required by this section, the airport operator must not consider the employment history investigation complete unless it investigates arrest information for the crimes listed in paragraph (b)(2) of this section for which no disposition has been recorded and makes a determination that the arrest did not result in a disqualifying conviction.

    (g) Availability and correction of FBI records and notification of disqualification. (1) At the time Part 2 is initiated and the fingerprints are collected, the airport operator must notify the individual that a copy of the criminal record received from the FBI will be made available to the individual if requested in writing. When requested in writing, the airport operator must make available to the individual a copy of any criminal record received from the FBI.

    (2) Prior to making a final decision to deny authorization to an individual described in paragraph (a) of this section, the airport operator must advise the individual that the FBI criminal record discloses information that would disqualify him/her from receiving unescorted access and provide the individual with a copy of the FBI record if it has been requested.

    (3) The airport operator must notify an individual that a final decision has been made to grant or deny authority for unescorted access.

    (h) Corrective action by the individual. The individual may contact the local jurisdiction responsible for the information and the FBI to complete or correct the information contained in his/her record before any final decision is made, subject to the following conditions:

    (1) Within 30 days after being advised that the criminal record received from the FBI discloses disqualifying information, the individual must notify the airport operator, in writing, of his/

    [[Page 37324]]

    her intent to correct any information believed to be inaccurate.

    (i) Upon notification by an individual that the record has been corrected, the airport operator must obtain a copy of the revised FBI record prior to making a final determination.

    (ii) [Reserved]

    (2) If no notification is received within 30 days, the airport operator may make a final determination.

    (i) Limits on dissemination of results. Criminal record information provided by the FBI must be used solely for the purposes of this section, and no person may disseminate the results of a criminal record check to anyone other than:

    (1) The individual to whom the record pertains or that individual's authorized representative;

    (2) Airport officials with a need to know; and

    (3) Others designated by the Administrator.

    (j) Employment status while awaiting criminal record checks. Individuals who have submitted their fingerprints and are awaiting FBI results may perform work within the SIDA when under escort by someone who has unescorted SIDA access privileges.

    (k) Recordkeeping. (1) Except when the airport operator has received a certification under paragraph (n)(1) of this section, the airport operator must physically maintain and control the Part 1 employment history investigation file until 180 days after the termination of the individual's authority for unescorted access. The Part 1, employment history investigation file, must consist of the following:

    (i) The application;

    (ii) The employment verification information obtained by the employer;

    (iii) The names of those from whom the employment verification information was obtained;

    (iv) The date and the method of how the contact was made; and

    (v) Any other information as required by the Administrator.

    (2) The airport operator must physically maintain, control and when appropriate destroy Part 2, the criminal record, for each individual for whom a fingerprint comparison has been completed. Part 2 must be maintained for 180 days after the termination of the individual's authority for unescorted access. Only direct airport operator employees may carry out this criminal record file responsibility. The Part 2 criminal record file must consist of the following:

    (i) The criminal record received from the FBI as a result of an individual's fingerprint comparison; or

    (ii) Information that the check was completed and no record exists.

    (3) The files required by this section must be maintained in a manner that is acceptable to the Administrator and in a manner that protects the confidentiality of the individual.

    (l) Continuing responsibilities. (1) Any individual authorized to have unescorted access privileges or who may authorize others to have unescorted access, who is subsequently convicted of any of the crimes listed in paragraph (b)(2) of this section must, within 24 hours, report the conviction to the airport operator and surrender the SIDA access medium to the issuer.

    (2) If information becomes available to the airport operator or the airport user indicating that an individual with unescorted access has a possible conviction for one of the disqualifying crimes in paragraph (b)(2) of this section, the airport operator must determine the status of the conviction. If a disqualifying conviction is confirmed the airport operator must withdraw any authority granted under this section.

    (m) Exceptions. Notwithstanding the requirements of this section, an airport operator may authorize the following individuals to have unescorted access, or to authorize others to have unescorted access to the SIDA:

    (1) An employee of the Federal government or a state or local government (including a law enforcement officer (LEO)) who, as a condition of employment, has been subjected to an employment investigation which includes a criminal record check.

    (2) A crewmember of a foreign air carrier covered by an alternate security arrangement in the foreign air carrier's approved security program.

    (3) An individual who has been continuously employed in a position requiring unescorted access by another airport operator, airport user or aircraft operator.

    (4) Those persons who have received access to a U.S. Customs secured area prior to November 24, 1998.

    (n) Investigations by aircraft operators and airport users. An airport operator is in compliance with its obligation under paragraph (b) of this section, as applicable, when the airport operator accepts for each individual seeking unescorted access one of the following:

    (1) Certification from an aircraft operator subject to Sec. 108.229 of this chapter indicating it has complied with Sec. 108.229 of this chapter for the aircraft operator's employees and contractors seeking unescorted access; or

    (2) Certification from an airport user indicating it has complied with and will continue to comply with the provisions listed in paragraph (p) of this section. The certification must include the name of each individual for whom the airport user has conducted an employment history investigation.

    (o) Airport operator responsibility. The airport operator must:

    (1) Prior to the acceptance of a certification from the airport user, the airport operator must conduct a preliminary review of the file for each individual listed on the certification to determine that Part 1 has been completed;

    (2) Designate the ASC, in the security program, to be responsible for reviewing the results of the airport employees' and airport users' employment history investigations and for destroying the criminal record files when their maintenance is no longer required by paragraph (k)(2) of this section;

    (3) Designate the ASC, in the security program, to serve as the contact to receive notification from individuals applying for unescorted access of their intent to seek correction of their FBI criminal record; and

    (4) Audit the employment history investigations performed by the airport operator in accordance with this section and those investigations conducted by the airport users made by certification under paragraph (n)(2) of this section. The audit program must be set forth in the airport security program.

    (p) Airport user responsibility. (1) The airport user is responsible for reporting to the airport operator information, as it becomes available, which indicates an individual with unescorted access may have a conviction for one of the disqualifying crimes in paragraph (b)(2) of this section.

    (2) If the airport user offers certification to the airport operator under paragraph (n)(2) of this section, the airport user must for each individual for whom a certification is made:

    (i) Conduct the employment history investigation, Part 1, in compliance with paragraph (c) of this section. The airport user must report to the airport operator if one of the conditions in paragraph (c)(5) of this section exist;

    (ii) Maintain and control Part 1 of the employment history investigation file in compliance with paragraph (k) of this section, unless the airport operator decides to maintain and control Part 1 of the employment history investigation file;

    (iii) Provide the airport operator and the FAA with access to each completed Part 1 employee history investigative

    [[Page 37325]]

    file of those individuals listed on the certification; and

    (iv) Provide either the name or title of the individual acting as custodian of the files, and the address of the location and the phone number at the location where the investigative files are maintained.

    Sec. 107.211 Identification systems.

    (a) Personnel identification system. The personnel identification system under Secs. 107.201(b)(3) and 107.205(b)(1) shall include the following:

    (1) Personnel identification media that--

    (i) Convey a full-face image, full name, employer, and identification number of the individual to whom the identification medium is issued;

    (ii) Indicate clearly the scope of the individual's access and movement privileges;

    (iii) Indicate clearly an expiration date; and

    (iv) Are of sufficient size and appearance as to be readily observable for challenge purposes.

    (2) Procedures to ensure that each individual in the secured area or SIDA continuously displays the identification medium issued to that individual on the outermost garment above waist level, or is under escort.

    (3) Procedures to ensure accountability through the following:

    (i) Retrieving expired identification media and media of persons who no longer have unescorted access authority.

    (ii) Reporting lost or stolen identification media.

    (iii) Securing unissued identification media stock and supplies.

    (iv) Auditing the system at a minimum of once a year or sooner, as necessary, to ensure the integrity and accountability of all identification media.

    (v) As specified in the security program, revalidate the identification system or reissue identification media if a portion of all issued, unexpired identification media are lost, stolen, or otherwise unaccounted for, including identification media that are combined with access media.

    (vi) Ensure that only one identification medium is issued to an individual at a time, except for personnel who are employed with more than one company and require additional identification media to carry out employment duties. A replacement identification medium may only be issued if an individual declares in writing that the medium has been lost, stolen, or destroyed.

    (b) Temporary identification media. Each airport operator may issue personnel identification media in accordance with its security program to persons whose duties are expected to be temporary. The temporary identification media system shall include procedures and methods to--

    (1) Retrieve temporary identification media;

    (2) Authorize the use of a temporary media for a limited time only;

    (3) Ensure that temporary media are distinct from other identification media and clearly display an expiration date; and

    (4) Ensure that any identification media also being used as an access media meet the criteria of Sec. 107.207(d).

    (c) Airport-approved identification media. The Administrator may approve an amendment to the airport security program that provides for the use of identification media meeting the criteria of this section that are issued by entities other than the airport operator, as described in the security program.

    (d) Challenge program. Each airport operator shall establish and carry out a challenge program that requires each individual who has authorized unescorted access to secured areas and SIDA's to ascertain the authority of any individual who is not displaying an identification medium authorizing the individual to be present in the area. The challenge program shall include procedures to challenge individuals not displaying airport approved identification media. The procedure must--

    (1) Apply uniformly in secured areas, SIDAs, and exclusive areas;

    (2) Describe how to challenge an individual directly or report any individual not visibly displaying an authorized identification medium, including procedures to notify the appropriate authority; and

    (3) Describe support of challenge procedures, including law enforcement and any other responses to reports of individuals not displaying authorized identification media.

    (e) Escorting. Each airport operator shall establish and implement procedures for escorting individuals who do not have unescorted access authority to a secured area or SIDA that--

    (1) Ensure that only individuals with unescorted access authority are permitted to escort;

    (2) Ensure that the escorted individuals are continuously accompanied or monitored while within the secured area or SIDA in a manner sufficient to identify whether the escorted individual is engaged in activities other than those for which escorted access was granted, and to take action in accordance with the airport security program;

    (3) Identify what action is to be taken by the escort, or other authorized individual, should individuals under escort engage in activities other than those for which access was granted;

    (4) Prescribe law enforcement support for escort procedures; and

    (5) Ensure that individuals escorted into a sterile area without being screened under Sec. 108.201 of this chapter remain under escort until they exit the sterile area, or submit to screening pursuant to Sec. 108.201 or part 129 of this chapter.

    (f) Effective date. The identification systems described in this section shall be implemented by each airport operator not later than November 14, 2003.

    Sec. 107.213 Training.

    (a) Each airport operator shall ensure that individuals performing security-related functions for the airport operator are briefed on the provisions of this part, Security Directives, and Information Circulars, and the security program, to the extent that such individuals need to know in order to perform their duties.

    (b) An airport operator may not authorize any individual unescorted access to the secured area or SIDA, except as provided in Sec. 107.7, unless that individual has successfully completed training in accordance with the FAA-approved curriculum specified in the security program. This curriculum must detail the methods of instruction, provide attendees with an opportunity to ask questions, and include at least the following topics--

    (1) The unescorted access authority of the individual to enter and be present in various areas of the airport;

    (2) Control, use, and display of airport-approved access and identification media;

    (3) Escort and challenge procedures and the law enforcement support for these procedures;

    (4) Security responsibilities as specified in Sec. 107.11;

    (5) Restrictions on divulging sensitive security information as described in part 191 of this chapter; and

    (6) Any other topics specified in the security program.

    (c) An airport operator may not authorize any individual unescorted access to the AOA, except as provided in Sec. 107.7, unless that individual has been provided information in accordance with the security program, including--

    (1) The unescorted access authority of the individual to enter and be present in various areas of the airport;

    [[Page 37326]]

    (2) Control, use, and display of airport-approved access and identification media, if appropriate;

    (3) Escort and challenge procedures and the law enforcement support for these procedures, where applicable;

    (4) Security responsibilities as specified in Sec. 107.11;

    (5) Restrictions on divulging sensitive security information as described in part 191 of this chapter; and

    (6) Any other topics specified in the security program.

    (d) Each airport operator shall maintain a record of all training and information given to each individual under paragraphs (b) and (c) of this section for 180 days after the termination of that person's unescorted access authority.

    (e) As to persons with unescorted access to the SIDA on November 14, 2001, training on responsibility under Sec. 107.11 can be provided by making relevant security information available.

    (f) Training described in paragraph (c) of this section shall be implemented by each airport operator not later than November 14, 2002.

    Sec. 107.215 Law enforcement support.

    (a) In accordance with Sec. 107.217, each airport operator required to have a security program under Sec. 107.103(a) or (b) shall provide:

    (1) Law enforcement personnel in the number and manner adequate to support its security program.

    (2) Uniformed law enforcement personnel in the number and manner adequate to support each system for screening persons and accessible property required under Sec. Sec. 108.201 or 129.25 of this chapter.

    (b) Each airport required to have a security program under Sec. 107.103(c) shall ensure that:

    (1) Law enforcement personnel are available and committed to respond to an incident in support of a civil aviation security program when requested by an aircraft operator or foreign air carrier that has a security program under part 108 or Sec. 129.25 of this chapter.

    (2) The procedures by which to request law enforcement support are provided to each aircraft operator or foreign air carrier that has a security program under part 108 or Sec. 129.25 of this chapter.

    Sec. 107.217 Law enforcement personnel.

    (a) Each airport operator shall ensure that law enforcement personnel used to meet the requirements of Sec. 107.215, meet the following qualifications while on duty at the airport--

    (1) Have arrest authority described in paragraph (b) of this section;

    (2) Are identifiable by appropriate indicia of authority;

    (3) Are armed with a firearm and authorized to use it; and

    (4) Have completed a training program that meets the requirements of paragraphs (c) and (d) of this section.

    (b) Each airport operator shall ensure that each individual used to meet the requirements of Sec. 107.215 have the authority to arrest, with or without a warrant, while on duty at the airport for the following violations of the criminal laws of the State and local jurisdictions in which the airport is located--

    (1) A crime committed in the presence of the individual; and

    (2) A felony, when the individual has reason to believe that the suspect has committed it.

    (c) The training program required by paragraph (a)(4) of this section shall--

    (1) Meet the training standard for law enforcement officers prescribed by either the State or local jurisdiction in which the airport is located for law enforcement officers performing comparable functions.

    (2) Specify and require training standards for private law enforcement personnel acceptable to the Administrator, if the State and local jurisdictions in which the airport is located do not prescribe training standards for private law enforcement personnel that meets the standards in paragraph (a) of this section.

    (3) Include training in--

    (i) The use of firearms;

    (ii) The courteous and efficient treatment of persons subject to inspection, detention, search, arrest, and other aviation security activities;

    (iii) The responsibilities of law enforcement personnel under the security program; and

    (iv) Any other subject the Administrator determines is necessary.

    (d) Each airport operator shall document the training program required by paragraph (a)(4) of this section and maintain documentation of training at a location specified in the security program until 180 days after the departure or removal of each person providing law enforcement support at the airport.

    Sec. 107.219 Supplementing law enforcement personnel.

    (a) When the Administrator decides, after being notified by an airport operator as prescribed in this section, that not enough qualified State, local, and private law enforcement personnel are available to carry out the requirements of Sec. 107.215, the Administrator may authorize the airport operator to use, on a reimbursable basis, personnel employed by the Administrator, or by another department, agency, or instrumentality of the Government with the consent of the head of the department, agency, or instrumentality to supplement State, local, and private law enforcement personnel.

    (b) Each request for the use of Federal personnel must be submitted to the Administrator and include the following information:

    (1) The number of passengers enplaned at the airport during the preceding calendar year and the current calendar year as of the date of the request.

    (2) The anticipated risk of criminal violence, sabotage, aircraft piracy, and other unlawful interference to civil aviation operations.

    (3) A copy of that portion of the security program which describes the law enforcement support necessary to comply with Sec. 107.215.

    (4) The availability of law enforcement personnel who meet the requirements of Sec. 107.217, including a description of the airport operator's efforts to obtain law enforcement support from State, local, and private agencies and the responses of those agencies.

    (5) The airport operator's estimate of the number of Federal personnel needed to supplement available law enforcement personnel and the period of time for which they are needed.

    (6) A statement acknowledging responsibility for providing reimbursement for the cost of providing Federal personnel.

    (7) Any other information the Administrator considers necessary.

    (c) In response to a request submitted in accordance with this section, the Administrator may authorize, on a reimbursable basis, the use of personnel employed by a Federal agency, with the consent of the head of that agency.

    Sec. 107.221 Records of law enforcement response.

    (a) Each airport operator shall ensure that--

    (1) A record is made of each law enforcement action taken in furtherance of this part; and

    (2) The record is maintained for a minimum of 180 days.

    (b) Data developed in response to paragraph (a) of this section must include at least the following:

    (1) The number and type of deadly or dangerous weapon, explosives, or incendiaries discovered during any passenger-screening process, and the method of detection of each.

    (2) The number of acts and attempted acts of aircraft piracy.

    [[Page 37327]]

    (3) The number of bomb threats received, real and simulated bombs found, and actual detonations on the airport.

    (4) The number of arrests, including--

    (i) Name, address, and the immediate disposition of each individual arrested;

    (ii) Type of deadly or dangerous weapon, explosive, or incendiary confiscated, as appropriate; and

    (iii) Identification of the aircraft operators or foreign air carriers on which the individual arrested was, or was scheduled to be, a passenger or which screened that individual, as appropriate.

    Subpart D--Contingency Measures

    Sec. 107.301 Contingency plan.

    (a) Each airport operator required to have a security program under Sec. 107.103(a) and (b) shall adopt a contingency plan and shall:

    (1) Implement its contingency plan when directed by the Administrator.

    (2) Conduct reviews and exercises of its contingency plan as specified in the security program with all persons having responsibilities under the plan.

    (3) Ensure that all parties involved know their responsibilities and that all information contained in the plan is current.

    (b) The Administrator may approve alternative implementation measures, reviews, and exercises to the contingency plan which will provide an overall level of security equal to the contingency plan under 107.301(a).

    Sec. 107.303 Security Directives and Information Circulars.

    (a) The Administrator may issue an Information Circular to notify airport operators of security concerns. When the Administrator determines that additional security measures are necessary to respond to a threat assessment or to a specific threat against civil aviation, the Administrator issues a Security Directive setting forth mandatory measures.

    (b) Each airport operator shall comply with each Security Directive issued to the airport operator within the time prescribed in the Security Directive.

    (c) Each airport operator that receives a Security Directive shall--

    (1) Within the time prescribed in the Security Directive, verbally acknowledge receipt of the Security Directive to the Administrator.

    (2) Within the time prescribed in the Security Directive, specify the method by which the measures in the Security Directive have been implemented (or will be implemented, if the Security Directive is not yet effective).

    (d) In the event that the airport operator is unable to implement the measures in the Security Directive, the airport operator shall submit proposed alternative measures and the basis for submitting the alternative measures to the Administrator for approval. The airport operator shall submit the proposed alternative measures within the time prescribed in the Security Directive. The airport operator shall implement any alternative measures approved by the Administrator.

    (e) Each airport operator that receives a Security Directive may comment on the Security Directive by submitting data, views, or arguments in writing to the Administrator. The Administrator may amend the Security Directive based on comments received. Submission of a comment does not delay the effective date of the Security Directive.

    (f) Each airport operator that receives a Security Directive or an Information Circular and each person who receives information from a Security Directive or an Information Circular shall:

    (1) Restrict the availability of the Security Directive or Information Circular, and information contained in either document, to those persons with an operational need-to-know.

    (2) Refuse to release the Security Directive or Information Circular, and information contained in either document, to persons other than those who have an operational need to know without the prior written consent of the Administrator.

    Sec. 107.305 Public advisories.

    When advised by the Administrator, each airport operator shall prominently display and maintain in public areas information concerning foreign airports that, in the judgment of the Secretary of Transportation, do not maintain and administer effective security measures. This information shall be posted in the manner specified in the security program and for such a period of time determined by the Secretary of Transportation.

    Sec. 107.307 Incident management.

    (a) Each airport operator shall establish procedures to evaluate bomb threats, threats of sabotage, aircraft piracy, and other unlawful interference to civil aviation operations.

    (b) Immediately upon direct or referred receipt of a threat of any of the incidents described in paragraph (a) of this section, each airport operator shall--

    (1) Evaluate the threat in accordance with its security program;

    (2) Initiate appropriate action as specified in the Airport Emergency Plan under Sec. 139.325 of this chapter; and

    (3) Immediately notify the Administrator of acts, or suspected acts, of unlawful interference to civil aviation operations, including specific bomb threats to aircraft and airport facilities.

    (c) Airport operators required to have a security program under Sec. 107.103(c) but not subject to part 139 of this chapter, shall develop emergency response procedures to incidents of threats identified in paragraph (a) of this section.

    (d) To ensure that all parties know their responsibilities and that all procedures are current, at least once every 12 calendar months each airport operator shall review the procedures required in paragraphs (a) and (b) of this section with all persons having responsibilities for such procedures.

    PART 139--CERTIFICATION AND OPERATIONS: LAND AIRPORTS SERVING CERTAIN AIR CARRIERS

  2. The authority citation for part 139 continues to read as follows:

    Authority: 49 U.S.C. 106 (g), 40113, 44701-44706, 44709, 44719.

  3. Section 139.325 is amended by redesignating paragraph (h) as paragraph (i) and adding new paragraph (h) to read as follows:

    Sec. 139.325 Airport emergency plan.

    * * * * *

    (h) Each airport subject to part 107 of this chapter, Airport Security, shall ensure that instructions for response to paragraphs (b)(2) and (b)(6) of this section in the airport emergency plan are consistent with its approved security program. * * * * *

    Issued in Washington, DC, on July 2, 2001. Jane F. Garvey, Administrator.

    [FR Doc. 01-16994Filed7-10-01; 10:32 am]

    BILLING CODE 4910-13-P

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT