NATA Membership Comment Tool Proposed Part 145 Repair Station Security Rule
The Transportation Security Administration (TSA) has recently released a Notice of Proposed Rulemaking (NPRM) that would affect all Federal Aviation Administration (FAA) certificated Part 145 Repair Stations. The National Air Transportation Association (NATA) reviewed the NPRM in a recent Regulatory Report, available to members here. The Aircraft Electronics Associations (AEA) Regulatory Update on the TSA’s proposal can be viewed here.
The proposed rule would create a standard security program for all Part 145 repair stations, including those located within the fifty states, the District of Columbia, or the territories or possessions of the United States. Repair stations located on federal government installations, such as U.S. military bases, would likely be exempt from these requirements. Further, any repair station located on-airport that is incorporated into the airport’s security program will be considered in compliance with the new requirements. All other domestic repair stations would be required to comply with all or portions of the standard security program.
The NPRM is now open for public comment. NATA and AEA will develop comments over the next several weeks. NATA and AEA also encourage their members to submit their own comments. Comments are usually written in letter style and must be submitted to the TSA by January 19, 2010.
This membership comment tool will provide members with the information needed to develop and submit their own comments to the TSA.
Address
Your letter-style comments should be addressed to:
Docket Management System
U.S. Department of Transportation
1200 New Jersey Avenue SE.
West Building Ground Floor, Room W12–140
Washington, DC 20590–0001
RE: Docket # TSA-2004-17131 – Aircraft Repair Station Security
Company Information
It will be helpful for you to include an opening paragraph providing some basic information regarding your company, including
- The primary revenue-generating activities of your business (i.e. do you primarily perform engine overhauls, avionics repairs, full interior replacements, or some other activity?)
- The general type of aircraft on which you perform maintenance or repairs — specifically, are the majority of the aircraft you perform work on over a maximum takeoff weight of 12,500 pounds or under?
- Whether your company performs work primarily on components — information on what type of components (i.e. avionics, engines, etc) and whether those components are ultimately installed on aircraft with a maximum takeoff weight of 12,500 pounds or under.
- Number of full-time employees or contractors used on a frequent basis
- Where your facility/facilities is/are based — specifically, are you on an airport or located off-airport in an industrial or other area?
- Your current security regimen (i.e. have you developed a security policy, do you use industry best practices, or are you subject to an airport’s security plan?)
Specific Comment Areas
Recognition of Diversity in Industry:The TSA seems to recognize the wide range of size, location, and type of work performed by repair stations within and outside the United States. NATA recommends its membership encourage the TSA to continue this reasonable approach to aviation safety.
Applicability of the Proposed Rule:Point out the distinct characteristics of your repair station that might not make a standard security program feasible. Ask the agency to describe how waivers or alternatives to the standard security program would be granted to repair stations with unique circumstances.
The agency also asked for comments on whether it should exempt repair stations that only perform maintenance on aircraft with a MTOW of 12,500 pounds or less from all or portions of the standard security program. If you choose to weigh in on this issue, be sure to make your case. Why should particular repair stations be exempt? Should all repair stations play by the same rules? Are there other characteristics – say number of employees – that determine need for compliance?
The TSA initially seems to recognize the diversity of the industry but much of this rule is focused on repair stations that work with whole aircraft, not just components. If you work only on components, identify any aspects of the rule with which it is unreasonable for a components shop of your type to comply (for example, do you think all the requirements of the rule should apply to a radio shop?).
TSA Inspections:The new rule would codify existing TSA inspection authority as granted through Vision 100 – Century of Aviation Reauthorization Act passed in 2003. However, Vision 100 speaks mostly of foreign repair station inspections, setting a timeline for the TSA to complete inspections (six months from the date of the final rule) and providing guidance on order of priority of these inspections. Specific question areas relating to TSA inspections include:
- How long would the TSA have to complete domestic repair station inspections?
- What is the order of priority for these businesses?
The TSA seems to have a proposed rule but no real plan for implementation – or that plan is not included in the proposal. Ask the TSA for clarification so you can better determine the impact on your business.
Appeals Process:The TSA has outlined an appeals process should your Part 145 certificate be suspended or revoked due to security violations. There are two actions that could lead to suspension or revocation:
1. A repair station’s failure to correct a violation or address a security threat identified during a TSA inspection within 90 days of notification of the violation or threat.
2. A repair station is deemed by the TSA to pose an “immediate risk to security.”
The review process only allows the repair station to respond to the TSA and request further consideration. The TSA then has 30 calendar days – or longer with “good cause” – to review the case and make a determination.
Note that the TSA is reviewing its own findings. Although the initial request for suspension or revocation is likely made by a local TSA official and the review is likely conducted by a headquarters official, the local official already acted on behalf of the administrator, just as the headquarters official would. How probable is it that the agency would overturn its own decision?
During the review process, the repair station’s certification remains suspended or revoked. In contrast, the FAA has an extensive appeals process in the case of certificate suspension or revocation that goes outside of the agency itself. Since the certificate action – suspension or revocation – is actually performed by the FAA, would repair stations have the right to that appeals process as well? If not, this one-step, one-stop appeals process is not fitting to the serious ramifications of certificate action. Demand the TSA provide more protection of your certificate through a layered appeals process, or ensure that your rights to appeal through the FAA are guaranteed in the case of certificate suspension or revocation.
Standard Security Program:The proposed rule would require each repair station to implement a standard security program. Its components are listed below, but because the security program itself is sensitive security information (SSI), details are not included in the rule. Typically, the general aviation industry has found “standard” security programs to be limiting, “one-size-fits-all” solutions to security. In this NPRM, the TSA says repair stations will be permitted to make changes to the program or even be granted waivers to certain aspects of the program based on unique characteristics of each repair station. However, history tends to prove that the TSA’s resources simply do not allow for individual programs or even individual waivers to specific requirements of a standard security program. Below are specific areas of the proposed Standard Security Program on which you may wish to comment.
- Profile Submission/Changes Deadline: The proposed rule would require each repair station to submit a profile of its business, including location (on- or off-airport), number of employees, number of employees with access to large aircraft, and possibly other information. Each business would have 30 days from the compliance date of the rule to submit this profile and 30 days after a change in profile information to submit the changes to the TSA. The TSA did not indicate how this information would be transmitted or if verification of receipt would be required. The burden imposed by this requirement could vary significantly based on submission method (i.e. Web site, email, letter) and any need to receive verification, especially if the verification relies on only a few individuals at the TSA. (Consider the impact if you had to advise your FAA principal maintenance inspector each time an employee joins or leaves the company.)
- Access Control: Each repair station would be required to implement access controls for its facility as well as the aircraft and components located there. The proposal does not define acceptable access controls, but does seem to recognize that a simple key and lock might be appropriate for some businesses, while a more sophisticated system might be needed at other locations. Again, it is difficult for a “standard” program to cover all of these possibilities in one package.
- Identification for Employees and Others with Access: Each repair station would be required to establish a means of identifying employees and others with access to aircraft or components. The proposal indicates that personal recognition could be acceptable, or sophisticated badges might be necessary. Ask for clear guidance on this requirement.
- Challenge Procedures: Each repair station would be required to challenge individuals seeking access to aircraft or components without appropriate authorization.
- Security Training: The proposed rule would require initial and recurrent security awareness training for all repair station personnel and also require the repair station to maintain records of this training. This requirement lacks many details. Who may perform the training – a repair station employee or an outside organization? How often is recurrent training required? Must the receptionist and janitor receive the training, or would that violate SSI limitations? How many hours of training are required? Consider the impact of even a two-hour annual training requirement for EACH of your employees. Now consider the cost of off-site or third-party training for each individual. Without additional details, it is very difficult to estimate the cost to your business.
- Employee Background Verification: The proposed rule would require repair stations to verify the employment history of each employee and conduct background checks. However, this is not typical TSA language. Would this “background verification” be a full security threat assessment performed by the TSA, a 10-year criminal history background check or something much less burdensome? Is there a requirement to report certain findings to the agency? Would specific findings result in a technician being unable to perform maintenance? Give the agency your opinion on background checks. Do you already perform a background check of some type? For all employees, or just those with access to aircraft? What about contractors?
- Security Coordinator: Each repair station would be required to provide the name and 24-hour contact information for one individual to act as the repair station’s liaison and emergency contact with the TSA. Most standard security programs allow for a security coordinator and at least one alternate in the event the security coordinator is unavailable. This program should allow the same latitude.
- Contingency Plan: This proposed rule would require each repair station to submit a contingency plan in the event of a security-related incident. The plan must include emergency contact information for critical employees, descriptions of each employee’s responsibilities, and more. Any listing that requires individuals’ names and contact information is very cumbersome. Ask the agency to allow the contingency plan to refer to a separate listing of names and contact information. Otherwise, you will be updating your security program every time an employee leaves the company or simply changes their cell phone number!
Compliance Date:The proposed rule lacks details about an implementation plan and compliance deadlines. How much time would you need to implement a standard security program that includes access controls, a means to identify employees and others with authorized access to aircraft, a description of challenge procedures, a designated security coordinator, security awareness training, and employee background checks?
Security Directives:This rule would require repair stations to comply with Security Directives (SD) when issued by the TSA. The TSA has recently come under fire for knee-jerk, draconian SDs issued to other parts of the industry. Although Congress is working to reign in this behavior, repair stations should be wary of any requirement to comply with SDs. Also, the proposed rule would require repair stations to acknowledge receipt of the SD verbally. Typically, SDs are issued to an entire portion of the industry, not a single business entity. How would each and every repair station verbally acknowledge receipt of an SD? Can you imagine calling your FAA inspector to acknowledge receipt of each and every Airworthiness Directive? This is similarly ridiculous.
Cost:The TSA estimates compliance with this program will cost the average repair station with one employee $3,013. The compliance cost for a repair station with 45 employees is estimated to be $4,216. This appears to be a one-time estimate, but what about the cost of recurrent training? Without knowing how often that training is required, or how long it must be, any estimate of compliance costs is going to be a guess, at best. Tell the TSA how much it would cost you to train your entire workforce initially and on an annual basis (assuming the worst). Further, the estimates above do not account for any employee badging or identification costs. The estimates also do not seem to include costs of background checks, which could range widely depending on the extent of the background check required. Nor do the estimates seem to include any equipment or capital costs for access control measures (cameras, badge readers, etc), should those be necessary at your location. These costs can easily exceed $100,000! Take some time to consider the cost of this proposed rule for your business.
Be as specific as possible when outlining costs. Although NATA and AEA will respond on behalf of their membership, detailed numbers from businesses speak volumes to the TSA – and other agencies with rulemaking oversight! Your careful input is critical to a reasonable, workable program.
Conclusion
Include a brief summary of your concerns and an overview of the impact this proposed rule could have on your operation. It is also standard decorum to thank the agency for the opportunity to comment and to provide contact information should the agency wish to get more detailed information from you.
Submitting Your Comments
Once you have completed your comments, you can submit them to the TSA electronically via the Web site:
At the main screen, place the docket number, TSA-2004-17131, in the “Search” field. Click the “Go” button to search for the docket, and then click the box next to “Rules.” Clicking on a yellow text balloon will open the Public Comment and Submission Form. Complete the required fields on this form to submit your comments. (Note: Be sure you are responding to “NRPM: Aircraft Repair Station Security – Federal Register Publication” and not another individual’s public comment submission!)
For help using the www.regulations.gov Web site, review the User Tips or User Guide.
For more information or help submitting comments, please contact:
Michael France Richard Peri
Director, Regulatory Affairs OR Vice President, Government and Industry Affairs
NATA AEA
(703) 845-9000 (202) 236-2733
mfrance@nata.aero ricp@aea.net