- What is Business Aviation?
- Flight Department Administration
- Aircraft Operations
- Professional Development
- News & Publications
- Products & Services
Submitting a Certified Security Concern to FAA
July 1, 2011
Companies that currently participate in the Blocked Aircraft Registration Request (BARR) program may be seeking further detail as to what they should include in a cover letter and the Certified Security Concern which is required to comply with the FAA’s new rule regarding the program. Companies must file their submissions with the FAA by July 14 in order to maintain the necessary protections afforded by the BARR program without interruption. If the July 14 deadline date is missed, companies still may file a submission, but there may be a period of time when the aircraft tail number is unblocked until the FAA reviews and processes the filing.
This resource briefly introduces the two options to file and provides some suggestions for companies to consider as they prepare their filings. The concepts suggested in this resource were proposed by Members of NBAA’s Tax Committee and NBAA’s Regulatory Issues Advisory Group via a teleconference on June 29, 2011. This information has not been reviewed or approved by the FAA and does not substitute for legal advice your company may obtain from a qualified aviation lawyer.
The FAA provided two alternatives to satisfy the Certified Security Concern requirements:
Option 1: IRS Security Study/Safe Harbor
The first is to have a bona fide business-oriented security concern, as prescribed by IRS regulations – see 26 C.F.R. section 1.132-5(m). The IRS requires a third-party security firm to conduct a security study and prepare a security plan, to which the impacted executives must strictly adhere.
Companies that have completed security assessments and “plans” internally do not meet these stringent requirements.
If your company has completed a security study and implemented a security plan, the study results and plan should not be submitted with your certification.
Option 2: Valid Security Concern
Companies that want to continue participating in the BARR program will require the alternative, Valid Security Concern (VSC), which requires the following: “a verifiable threat to person, property or company, including a threat of death, kidnapping or serious bodily harm against an individual, a recent history of violent terrorist activity in the geographic area in which the transportation is provided, or a threat against a company.” After spending a few days with the company’s security department, a range of companies likely will be able to generate a list of threats against the company, employees, and/or their property to satisfy the requirements for a VSC. And if company employees travel globally, companies likely will be able to prepare a list of countries / regions to satisfy the “terrorist activity” requirement. Though the VSC list requires only one type of threat, additional threat types would likely help a company’s case in the event of an FAA “spot check.” The threat data should be gathered contemporaneously with the company’s preparation of its certification and stored in its legal and corporate security files. The data also should be updated annually before the company renews is certification.
What details, if any, are required to be included in certifications based on the VSC? There were two schools of thought between the conference call participants. Some believed the certificate should contain at least some details of VSC threats and others interpret the FAA Notice and guidance to require only a written certification that a VCS exists. However, it is clear that the FAA does not require companies to submit any documentation supporting their filing. And all of the call participants agreed that companies should not provide any detail that would further exacerbate a security concern, as a company’s FAA filing may be open to the public view if it is obtained via a Freedom of Information Act (FOIA) request.
If the FAA determines a company’s certificate is defective, it is expected that they either they will request additional information while considering the request, or they will reject the certificate and unblock the company’s tail number. Under this worst-case scenario, the company would amend its certificate to remedy any potential defects and quickly re-submit it to the FAA. During the re-submission period, the public would have access to the company’s aircraft real-time flight data, which includes the aircraft position, call sign, airspeed, heading and flight plan. Companies will want to weigh the risk of an unblocked tail number against the risk of making highly sensitive security data public.
Who should sign the certificate? The consensus of the call participants was that the certificate would have more credibility if the person in charge of the aircraft owner’s or operator’s security department signed the certificate. However, the FAA did not specify that as a requirement, so any corporate officer’s signature (assuming that officer reviewed and understood the security threat data) should suffice.