Detailed Analysis of the Large Aircraft Security Program (LASP) NPRM

November 5, 2008

Regulatory Construction

Under TSA’s current regulatory structure, each of TSA’s aircraft security programs, such as the Aircraft Operator Standard Security Program (AOSSP) for the scheduled airlines, the Twelve-Five Standard Security Program (TFSSP) for on-demand charter operators and the Private Charter Standard Security Program (PCSSP) for aircraft over 100, 309 pounds occupies its own set of regulatory requirements. TSA is proposing to combine all of the security programs under a single structure and then identify which requirements apply to a particular operator.

This will eliminate the separate distinctions for TSA’s current security programs and combine all of them under a singular Large Aircraft Security Program.

The NPRM proposes a number of significant modifications including the following.

Flight Crew Background Checks

The proposal would require flight crew, which under TSA’s definition includes both pilots and flight attendants, to undergo a fingerprint-based Criminal History Record Check (CHRC) and a Security Threat Assessment (STA), similar to the requirements for airline pilots. TSA proposes to charge $74 per person to complete the required checks. TSA would prohibit flight crew members that do not pass a CHRC and STA from operating the aircraft. The TSA would also require follow up STA’s every 5 years.

Passenger Manifest Validation

TSA proposes to require passengers on board a large aircraft to have their names compared against two lists maintained by the Agency; the “selectee” list, which subjects commercial airline passengers to additional screening at the security checkpoint, and the “no fly” list which prohibits listed individuals from boarding a commercial flight. While the TSA proposes that the operator only submit passenger names, additional biographic information, such as date of birth, place of birth and gender is under consideration.

Today, TSA provides these lists to commercial carriers who conduct the passenger vetting process in-house. The Agency does not want to send these lists to an additional 10,000 potential operators and has created a Watch List Service Provider (WLSP) who would conduct the passenger name vetting for the operator. TSA has set forth a number of requirements for companies that would act as WLSPs. The proposal would also allow a WLSP to charge for this service.

An operator would have the ability to either check passenger names on a flight-by-flight basis or by creating a Master Passenger List (MPL) for frequent or regular passengers. TSA would constantly vet passengers on the MPL, alleviating the need for a flight-by-flight check. Passengers would sign a written acknowledgement of their inclusion on the MPL since TSA would retain certain passenger information subject to continuous vetting.

TSA would prohibit passengers appearing on the “No Fly” list from flying on board the aircraft. TSA identifies other notification requirements for the operator to follow if a passenger’s name appears on the “Selectee” list.

To prevent duplicate submissions, TSA proposes that inbound international flights using the Bureau of Customs and Border Protection (CBP) Electronic Advanced Passenger Information System (eAPIS) would not need to submit passenger information to TSA. An operator’s manifest submission to CBP would satisfy TSA’s passenger name check requirement.

Operator Security Program

The TSA proposes to manage the requirements of the LASP through a security program developed by each operator. The proposal requires the security program to contain several significant elements. These include:

• Designation of Key Security Personnel: These include the Aircraft Operator Security Coordinator (AOSC), In-Flight Security Coordinator (ISC) and Ground Security Coordinator (GSC). The operator could assign a single person to perform all three functions. The AOSC is TSA’s principal 24-hour-a-day point of contact regarding dissemination of specific threat intelligence. The ISC and GSC oversee the in-flight and ground security elements of the operator’s security program.
• Procedures to Address Passenger Name Matches: If a passenger’s name matches one of TSA’s lists, the operator must follow specific instructions to identify if a real match has occurred. TSA may require additional screening if a name matches the “Selectee” list. TSA will require the operator to deny boarding to a passenger if the name matches with the “No Fly” list.
• Transportation of Weapons: TSA would require that operators transport weapons either in an inaccessible cargo area or in a locked box under the control of the ISC.
• Carriage of Prohibited Items: TSA maintains a list or items prohibited in the cabin of a commercial aircraft. Some of these items include sporting equipment and tools. The proposal would require an operator to comply with this list of prohibited items designed for commercial aircraft.
• Aviation Security Contingency Plan: This would require development of specific security-related procedures for use in the event of a security threat or other security related issue.
• Securing of Aircraft and Facilities: Requires the operator to identify procedures for securing aircraft while at home-base and on the road and for ensuring security of facilities supporting an operator’s aircraft.
• Carriage of a TSA Federal Air Marshal (FAM): TSA would require operators of aircraft over 100,309 pounds to develop procedures to carry a FAM on their flights when notified by TSA.
• Law Enforcement Assistance: TSA would require operators to conduct training to ensure that employees understand procedures for obtaining law enforcement assistance in the event of a security need.
• Bomb and Piracy Threats: TSA would require operators to follow specific regulatory requirements in the event an operator receives a threat of a bomb or piracy.
• Security Directives and Information Circulars: TSA utilizes Security Directives (SDs) to quickly address very specific security threats. SD’s are similar to FAA Airworthiness Directives in that they carry the authority of a regulation. Also important to note is that an SD does not follow a public rulemaking process due to the sensitive security information that it addresses. Information Circulars describe more general security concerns.

Security Audits

TSA has identified the challenges of overseeing approximately 10,000 aircraft operators covered by this proposal. While Congress has removed the cap of TSA’s maximum number of employees, hiring a sufficient number of GA inspectors could prove daunting. TSA has proposed the use of third-party auditors to conduct security inspections of the LASP. The auditor would not have authority to require modifications to procedures or facilities. The auditor would submit a report to TSA who would determine regulatory compliance. TSA could accompany any inspector during an audit.

TSA proposes that the operator would contract with an auditor, at their own cost, to perform this security inspection. The auditor would inspect for compliance within 60 days of TSA approving the operator’s security program and then every two years thereafter.

TSA also proposes a number of specific regulatory requirements for auditors that include:

• Successfully undergo a TSA security threat assessment.
• Currently hold or be able to obtain a certification or accreditation from an organization recognized by TSA.
• Have sufficient knowledge and skills to conduct a security audit of an aircraft operator.
• Receive initial and biennial training.
• Conduct independent and impartial audits, submit audit reports to TSA, and retain audit reports for 36 months.
• Identify, handle, and protect Sensitive Security Information and keep confidential other information provided by TSA and large aircraft operators.
• Submit to inspection by TSA.

Phased Compliance Schedule

TSA proposes to phase in compliance with the LASP based on the geographic location of the based aircraft.

• Mid Atlantic region: final rule + 1-4 months
• Northeast region: final rule + 5-8 months
• Southern region: final rule + 9-12 months
• Midwest region: final rule + 13-16 months
• Western region: final rule + 17-20 months
• Existing security program holders: final rule + 21-24 months

Airport Security Requirements

The proposal identifies approximately 320 airports that would need to adopt a “Partial” airport security program. The TSA has identified these airports as either a DOT defined reliever airport or one that regularly serves scheduled or public charter operations in large aircraft.

The “Partial” airport security program would require:

• Designation of an airport security coordinator
• Training program for law enforcement personnel
• Description of law enforcement support
• System for maintaining records
• Procedures for dealing with Sensitive Security Information (SSI)
• Procedures for posting public advisories
• Incident management procedures