February 19, 2010 BY ELECTRONIC MAIL Ms. Gale D. Rossides, Acting Administrator Transportation Security Administration U.S. Department of Homeland Security 601 South 12th Street – East Building Arlington, VA 22202 Electronic Address: www.regulations.gov (Docket No. TSA-2004-17131) Re: Comments on TSA’s Proposed Aircraft Repair Station Security Rule Dear Acting Administrator Rossides: The U.S. Small Business Administration's (SBA) Office of Advocacy (Advocacy) is pleased to submit the following comments on the Transportation Security Administration’s (TSA’s) Proposed Aircraft Repair Station Security Rule.(1) The proposed rule would require domestic and foreign repair stations certificated by the Federal Aviation Administration (FAA) to implement a standard security program developed by TSA, comply with TSA security directives, allow inspections, maintain records, and respond to deficiencies in their security programs.(2) A more detailed summary of the proposed rule is provided below. Office of Advocacy Advocacy was established pursuant to Pub. L. 94-305 to represent the views of small entities before federal agencies and Congress. Advocacy is an independent office within SBA, so the views expressed by Advocacy do not necessarily reflect the views of the SBA or the Administration. The Regulatory Flexibility Act (RFA),(3) as amended by the Small Business Regulatory Enforcement Fairness Act (SBREFA),(4) gives small entities a voice in the rulemaking process. For all rules that are expected to have a significant economic impact on a substantial number of small entities, federal agencies are required by the RFA to assess the impact of the proposed rule on small entities and to consider less burdensome alternatives.(5) Moreover, Executive Order 13272(6) requires federal agencies to notify Advocacy of any proposed rules that are expected to have a significant economic impact on a substantial number of small entities and to give every appropriate consideration to any comments on a proposed or final rule submitted by Advocacy. Further, the agency must include, in any explanation or discussion accompanying publication in the Federal Register of a final rule, the agency's response to any written comments submitted by Advocacy on the proposed rule. Background TSA’s proposed rule has been published in accordance with the Vision 100 – Century of Aviation Act, and would provide for the security of maintenance and repair work conducted on aircraft and aircraft components at domestic and foreign repair stations certificated by FAA (under 14 C.F.R. Part 145).(7) The rules are intended to reduce the likelihood of a terrorist attack on civil aviation via a certificated repair station.(8) The proposed rule would require domestic and foreign repair stations to file a profile with TSA (including name, location, description, security coordinator, number of employees, etc.) and then adopt and carry out a standard security program developed by TSA. The standard security program is treated as Sensitive Security Information (SSI) and must be safeguarded as such by the repair station. The proposed rule would also require repair stations to allow for TSA security audits and inspections, respond to declarations of risks to security, and comply with security directives.(9) According to TSA, there are approximately 4,268 domestic and 687 foreign repair stations that would be subject to the proposed rule.(10) Of these, TSA estimates that 4,115 (or 96 percent) of the domestic repair stations are small businesses (defined by SBA as having $7 million or less in annual revenue).(11) TSA estimates that the cost of complying with the proposed rule is about $3,013 for a business with one employee, $4,216 for a business with 45 employees, and $4,728 for a business with 50 – 99 employees.(12) As TSA recognizes, the size and scope of repair station operations vary considerably by size and complexity. Some are large facilities located at commercial airports; others are very small and located at off-airport facilities. Some have access to aircraft, while others work only on parts and components at remote locations. However, all of the repair stations are highly regulated by FAA safety regulations and many already have security programs in place. Small Entities Have Expressed Concerns About The Proposed Rule Following publication of the proposed rule, a number of small entity representatives contacted Advocacy and expressed concerns with the proposed rule. In response, Advocacy hosted a small business roundtable on January 7, 2010 to discuss the proposed rule, obtain small business input, and consider significant alternatives. A representative from TSA attended the roundtable and provided a background briefing on the proposed rule, but did not remain for the ensuing discussion because the proposed rule was the subject of an open comment period. The following comments and recommendations are reflective of the discussion during the roundtable and in subsequent conversations with small entity representatives. It should be noted that the attendees at the meeting generally support a repair station security rule (because FAA is prohibited from certificating new foreign repair stations until a final rule is in place), but many were concerned about the cost and approach that TSA has taken. Advocacy appreciates that TSA has sought to provide flexibility in the proposed rule in order to address the diverse nature of the industry. However, Advocacy recommends that TSA consider the following stakeholder comments as the agency proceeds with the development of a final rule. 1. Small business representatives would like TSA to limit the scope of the proposed rule. Representatives stated that TSA should consider exempting all repair stations that are not located at a commercial airport or that do not have access to aircraft. This would eliminate many small businesses from the requirements of the rule. These representatives stated that these repair stations are already subject to rigorous FAA safety regulations and industry safety protocols (requiring the inspection and declaration as to the airworthiness of a part or component prior to installation) that would prevent a sabotaged part from being installed on an aircraft. Similarly, other attendees recommended a risk-based, tiered approach based on the size of the aircraft (i.e., less than 12,500 lbs.; 12,500 to 100,000 lbs.; and, over 100,000 lbs.) and the proximity to it (i.e., no access; access, but no control; and, control of the aircraft). Under such a scenario, TSA would require a range of security programs from simply registering with TSA to adopting one of several increasingly rigorous standard security programs. For example, a repair station working on a part or component for a small aircraft (less than 12,500 lbs.) with no access to the aircraft would only be required to submit a profile to TSA, whereas a repair station operating at a commercial airport and working on large aircraft (over 100,000 lbs.) would require a full security program. Finally, another representative stated that TSA should align the proposed rule with the threshold level TSA ultimately adopts for its Large Aircraft Security Program (LASP) rule(13) in order to promote continuity across the industry. The proposed LASP contained a threshold aircraft weight level of 12,500 lbs., but the representative felt a weight threshold of 30,000 to 100,000 lbs. was more appropriate. Regardless, the representative stated that TSA’s threat determination should lead to a consistent threshold for both the LASP and repair station rules. 2. Small business representatives are unable to assess what the standard security program will entail or cost in practice. Attendees expressed concern that they were being asked to comment on the standard security program, but have no idea what it will entail. Specifically, because the standard security program is Sensitive Security Information (SSI), its contents are unavailable. Presumably, a repair station will be required to select controls from a menu of options suitable to the particular facility.(14) However, attendees said they had no idea which control will be deemed adequate for a particular facility and that repair stations will be left to guess what is acceptable. For this reason, attendees said they were unable to assess the potential cost of the program and wondered how TSA was able to provide accurate cost estimates. In addition, attendees were concerned that the lack of clarity could lead to subjective enforcement by individual TSA inspectors, where one inspector deems a particular control acceptable while another comes to a different conclusion in a similar circumstance. Given this uncertainty, Advocacy recommends that TSA provide clear guidance to small business and TSA inspectors to reduce uncertainty and ease compliance with the rule.(15) 3. Small business representatives stated that TSA has understated the cost and complexity of the proposed rule. Small business representatives stated that TSA has understated the cost and complexity of the proposed rule. In particular, attendees noted that TSA has not included costs for attending to TSA inspections and audits, addressing deficiencies, appealing determinations, and complying with security directives. Further, attendees stated that the proposed rule would require capital expenditures for access and other controls that do not currently exist in many small repair stations. For example, one representative noted that administrative and technical areas of many small repair stations are not separated, but would have to be under the proposed rule. Other representatives said that TSA has understated the cost of implementing the standard security program and controlling SSI, and has not included replacement costs for the normal wear and tear of identification badges and other access controls. Advocacy recommends that TSA re- assess its cost projections to be sure they are in line with actual business practices. 4. Small business representatives are concerned about handling and access to SSI. The attendees stated that they are concerned about the cost and complexity of handling Sensitive Security Information (SSI). The proposed rule states that the standard security program is SSI and must be safeguarded as such.(16) However, representatives stated that all of the practices, procedures, and records associated with the standard security program will also be SSI and that many small repair stations are not equipped to handle it. For example, one representatives stated while the proposed rule allows a repair station to keep SSI in a locked safe, not one of his members has a safe. Another representative stated that many repair stations do not have computer systems capable of storing electronic SSI in a secure manner. Along a different line, several attendees stated that TSA should amend the proposed rule to clarify that trade associations can have access to SSI and audit information so they can effectively advise their members on security and compliance issues. Advocacy recommends that TSA consider these concerns and develop effective procedures for small repair stations to handle and control SSI. 5. Small business representatives are concerned about the lack of an external appeal process for suspensions and revocations. The proposed rule includes internal TSA mechanisms to appeal notifications of deficiencies and suspensions and revocations of FAA certificates in the case of immediate risks to security.(17) The attendees raised several concerns with these provisions. First, they noted that the term “immediate threat to security” is not defined. Second, they stated that there should be an expedited third-party appeal process in the case of a revocation of a repair station’s certificate (similar to an expedited appeal to the National Transportation Safety Board for emergency FAA revocations). Attendees stated that many small repair stations would go out of business if they were closed for thirty days pending an appeal to TSA. Third, attendees were concerned that the appeal process in the proposed rule is not well defined and that TSA should include intermediate procedures short of revocation, such as warnings or requests for information. Finally, the attendees stated that affected parties should be able to include TSA as a party to FAA revocation proceedings. Advocacy recommends that TSA consider these concerns to be sure small repair stations are provided with timely and effective appeal procedures. 6. Small business representatives stated that TSA needs to consider non-typical and “hybrid” repair station structures. While attendees praised TSA for recognizing the diverse nature of repair stations, several still felt that TSA has a “homogenous” view of the industry that does account for non-typical and “hybrid” business structures. For example, one representative stated that many Part 145 repair stations are tenants in larger, unregulated facilities where the repair station would be required to have a security program, but the (larger) landlord would not - even though the landlord has access to the aircraft. Another attendee stated that some repair stations merely occupy a workbench in a larger facility, such as an aircraft manufacturing plant. Finally, another representative said that that TSA needs to address the “air side” of an airport, where pilots and other visitors frequently walk up to an open hanger to ask questions. This would presumably be a violation of the repair station’s security program because the pilot is not authorized access. Advocacy recommends that TSA consider the how its proposed rule would affect these non-typical and hybrid operations that perform multiple functions. 7. TSA should consider significant alternatives for small businesses. The RFA requires that each Initial Regulatory Flexibility Analysis (IRFA) include a description of “any significant alternatives to the proposed rule which accomplish the stated objectives of applicable statutes and which minimize any significant economic impact of the proposed rule on small entities.”(18) (Emphasis added.) A “significant” alternative under the RFA is defined as one that: 1) is feasible; 2) meets the agency's underlying objectives; and 3) reduces the burden on small entities.(19) TSA considered several alternatives in its Regulatory Impact Analysis, but none of them were tailored to small business and all but one (i.e., no action) would actually increase costs to small business. Accordingly, Advocacy recommends that TSA consider the three alternatives discussed in Comment 1 above, including: exempting repair stations that do not operate at a commercial airport or that do not have access to aircraft; adopting a risk-based, tiered approach based on the size of and proximity to the aircraft; and, aligning the threshold levels in the proposed rule with TSA’s forthcoming LASP rule. Further, attendees at the roundtable noted that none of the three threat scenarios underlying TSA’s chosen alternative could have involved a repair station that was: 1) located at an off-airport site, or 2) did not have access to the aircraft. Accordingly, Advocacy recommends that TSA consider alternatives such as exemptions and less significant compliance requirements for small repair stations that fall outside of TSA’s threat parameters as required by the RFA. Conclusion Advocacy appreciates the opportunity to comment on TSA’s Proposed Aircraft Repair Station Security Rule and recommends that TSA consider these and other comments before proceeding. Advocacy is mindful of the important security implications associated with the proposed rule, and hopes these comments are helpful and constructive. Please feel free to contact me or Bruce Lundegren at (202) 205-6144 (or bruce.lundegren@sba.gov) if you have any questions or require additional information. Sincerely, /s/ Susan M. Walthall Acting Chief Counsel for Advocacy /s/ Bruce E. Lundegren Assistant Chief Counsel for Advocacy Cc: The Honorable Cass R. Sunstein, Administrator, OMB/OIRA ENDNOTES 1. 74 Fed. Reg. 59874 (November 18, 2009). 2. Id. 3. 5 U.S.C. § 601 et seq. 4. Pub. L. 104-121, Title II, 110 Stat. 857 (1996) (codified in various sections of 5 U.S.C. § 601 et seq.). 5. 5 U.S.C. § 603 (c). 6. Executive Order 13272, Proper Consideration of Small Entities in Agency Rulemaking (67 Fed. Reg. 53461) (August 16, 2002). 7. 74 Fed. Reg. 59875. 8. 74 Fed. Reg. 59877. 9. Id. 10. Preliminary Regulatory Evaluation and Regulatory Flexibility Determination, TSA/DHS (October 15, 2009), p. 29 (available at http://www.regulations.gov/search/Regs/home.html#documentDetail?R=0900006480a61404). 11. 74 Fed. Reg. 59885. 12. 74 Fed. Reg. 59886. 13. 73 Fed. Reg. 64790 (October 30, 2008). 14. TSA states that the standard security program would require each repair station to include (1) a description of access controls for the facility as well as for the aircraft and/or aircraft components; (2) a description of the measures used to identify employees and others who are authorized to access aircraft and/or aircraft components; (3) a description of the procedures to challenge unauthorized individuals; (4) a description of security awareness training for employees; (5) the name of the designated security coordinator; (6) a contingency plan; and (7) a description of the means used to verify employee background information. 74 Fed. Reg. 59877. 15. Section 213 of SBREFA (as amended) requires federal agencies to prepare and publish small business compliance guides for certain rules at the time of publication of the final rule. 16. 74 Fed. Reg. 59887. 17. 74 Fed. Reg. 59889. 18. 5 U.S.C. § 603(c). This section goes on to state: the analysis shall discuss significant alternatives such as -- (1) the establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (2) the clarification, consolidation, or simplification of compliance and reporting requirements under the rule for such small entities; (3) the use of performance rather than design standards; and (4) an exemption from coverage of the rule, or any part thereof, for such small entities. 19. See, A Guide to Federal Agencies, How to Comply with the Regulatory Flexibility Act, SBA Office of Advocacy, May 2003, p. 35-37, 73-75 (available at http://www.sba.gov/advo/laws/rfaguide.pdf). - 5 -