Airport Security Module 2 PDF

Summary

This document provides information on airport security, focusing on transportation security regulations, airport security operations, and general aviation airport security. It covers topics like Title 49 CFR regulations and security procedures, along with information on general aviation.

Full Transcript

ACE

p l o y e e
C e r t i fi ed Em
Airpor t
C U R I T Y
O RT S E
AIRP
Modules 2
 © 2005 (first edition)
© 2009 (second edition)
© 2011 (third edition)
© 2015 (fourth edition)
Copyright American Association of Airport Executives
 Module 2

Airport Certified Employee (ACE) – Security
Module 2: Airport Security

Authored by: Jeffrey C. Price, M.A., C.M.
Owner – Leading Edge Strategies
Professor – Metropolitan State University of Denver

ACE Security – Module 2 / 3 of 82
 Security

TABLE OF CONTENTS
Contents
Module 2 – Objectives.................................................................................................................................................................................. 6
Introduction to Module 2............................................................................................................................................................................... 7
Abbreviations.................................................................................................................................................................................................. 8
Transportation Security Regulations........................................................................................................................................................... 10
Title 49 CFR Part 1500: Applicability, Terms and Abbreviations................................................................................................................... 11
Title 49 CFR Part 1520 Sensitive Security Information................................................................................................................................. 11
Title 49 CFR Part 1540 Civil Aviation Security: General Rules...................................................................................................................... 15
Definitions................................................................................................................................................................................................. 16
Responsibilities of Passengers and Other Individuals and Persons......................................................................................................... 20
Security Responsibilities of Employees and Other Persons..................................................................................................................... 21
Security Threat Assessments.................................................................................................................................................................... 24
Responsibilities of Holders of TSA-Approved Security Programs............................................................................................................ 25
Title 49 CFR Part 1542: Airport Security....................................................................................................................................................... 25
Format of the Airport Security Program.................................................................................................................................................... 26
ASP Table of Contents............................................................................................................................................................................... 27
Security Programs................................................................................................................................................................................. 29
Changing the Airport Security Program................................................................................................................................................ 30
Airport Security Operations.......................................................................................................................................................................... 32
The Authorized Signatory......................................................................................................................................................................... 33
Intake..................................................................................................................................................................................................... 33
Security Areas and Access Control Overview........................................................................................................................................... 34
Airfield Layout....................................................................................................................................................................................... 37
The Security Areas................................................................................................................................................................................ 38
Access Control Systems........................................................................................................................................................................ 41
Credentialing................................................................................................................................................................................................. 47
Credentialing Check Processes................................................................................................................................................................. 48
The Trusted Agent................................................................................................................................................................................. 48
Criminal History Records Checks – CHRC............................................................................................................................................ 48
Security Threat Assessments............................................................................................................................................................... 51
Exceptions to the Regulations.............................................................................................................................................................. 52
Recordkeeping (electronic or hard copy)............................................................................................................................................... 52
Personnel Identification Systems.......................................................................................................................................................... 52
Enforcing Security Rules and Regulations and the Airport Security Program.............................................................................................. 55
Enforcing the Airport Security Program.................................................................................................................................................... 55
TSA Inspection Authority Process............................................................................................................................................................. 56
Contingency Measures and Incident Management Plans............................................................................................................................ 58

4 of 82 / American Association of Airport Executives
 Module 2

TABLE OF CONTENTS
Contingency Plans..................................................................................................................................................................................... 58
Incident Management.......................................................................................................................................................................... 59
General Aviation Airport Security.................................................................................................................................................................. 59
Introduction............................................................................................................................................................................................... 59
Why GA is Important to the United States............................................................................................................................................... 60
The “Threat” from General Aviation..................................................................................................................................................... 60
The Challenge of Regulating GA........................................................................................................................................................... 62
The General Aviation Hotline and “See Something Say Something”.................................................................................................. 62
AOPAs Airport Watch................................................................................................................................................................................ 63
TSA Security Guidelines for General Aviation Airports............................................................................................................................ 63
The General Aviation “Airport Security Program”.................................................................................................................................... 65
Title 49 CFR Part 1562 Operations in the Washington, DC Metropolitan Area........................................................................................ 66
The Maryland-3..................................................................................................................................................................................... 66
Reagan National Airport (DCA)............................................................................................................................................................. 66
General Aviation Aircraft Operator and Business Requirements................................................................................................................. 67
Pilot Certificates........................................................................................................................................................................................ 67
Airspace..................................................................................................................................................................................................... 67
Agricultural Aircraft Operations................................................................................................................................................................ 68
Fixed Base Operators................................................................................................................................................................................ 68
General ICAO Recommendations................................................................................................................................................................ 69
Summary.......................................................................................................................................................................................................... 70
Appendix I........................................................................................................................................................................................................ 70
Forms............................................................................................................................................................................................................. 70
Appendix II....................................................................................................................................................................................................... 74
A Biometric Primer....................................................................................................................................................................................... 74
Appendix III...................................................................................................................................................................................................... 76
Perimeter Intrusion Detection System Primer............................................................................................................................................... 76
Appendix IV...................................................................................................................................................................................................... 78
Bomb Threat Card.......................................................................................................................................................................................... 78
Appendix V....................................................................................................................................................................................................... 79
Bomb Threat Stand-Off Distance................................................................................................................................................................... 79
Endnotes........................................................................................................................................................................................................... 80

ACE Security – Module 2 / 5 of 82
 Security

Module 2 – Objectives
Explain Regulations under 1500-1542
Know the requirements of handling Sensitive Security Information
Know the elements of Part 1540: Civil Aviation Security General Rules
Explain how an Airport Security Program must be written and enforced
Explain the requirements of the Security Areas
Know the requirements of the access control systems in each security area
Explain the function of the Authorized Signatory
Explain the credentialing process
Know how to develop an enforcement process at an airport
Know how to handle a Letter of Investigation from the TSA
Explain the difference between contingency plans and incident management plans and what belongs in each section
Explain basic General Aviation security requirements
Know airport business security guidance and requirements (FBO’s, flight schools)
Differentiate airport biometrics
Differentiate Perimeter Intrusion Detection Systems

6 of 82 / American Association of Airport Executives
 Module 2

Introduction to Module 2
Module 2 focuses on the requirements of the Airport Security Program, addressing the regulatory requirements under Title 49
CFR Part 1500, specifically focused on Parts 1503, 1520, 1540 and 1542. This module is a core element in understanding how to
effectively meet the regulations regarding airport security and to build airport security systems, methods and procedures to meet
the regulatory requirements and ideally, to deter, mitigate or respond to criminal or terrorist acts.

The module is designed with a training format and does not always follow the regulatory numbering system. This format better
presents the material from an education perspective. Regulatory citations are provided where appropriate. In some instances,
Security Directives are referenced, but only when their contents have moved into the public domain (i.e., the three-ounce liquid
restrictions). In ALL cases, the regulations should be referenced prior to making decisions about airport security procedures. In no
way does the ACE-Security program trump, override or have precedence over the approved regulatory practices in place at any
particular airport or aircraft operation.

It is important to reiterate here that aviation security is based upon a layered system of defenses, rather than a “silver-bullet,”
that prevents all types of attacks. Short of parking all aircraft, any security program will only address a finite number of threats
to airports and aircraft. Additionally, any security program will contain certain compromises so that transportation can still take
place. It is understandable that there will always be holes in the transportation security system. Some of those exist because they
are too expensive or impractical to close, some exist because they must in order for the system to still operate, and some exist not
because they are unknown, but because there hasn’t been enough focus yet. A good example here is the active shooter threat.
While the threat has been around since the early 1970s, the majority of the U.S. aviation industry did not pay much attention to the
threat until after the November 1st murder of a TSA agent by an active shooter.

The objective of a layered aviation security system is to develop numerous security processes that combined will stop the vast
majority of threats. Understanding this concept is key to understanding how the system is designed to work.

Another example can be found when untrained observers see security personnel conducting vehicle inspections at an airport:
they may criticize the process because the cursory look does not provide a defense against hijackings or bombing an aircraft.
However, the process of conducting cursory searches is not designed to prevent those particular types of attacks. It is designed
to prevent a car or truck bomb from getting close enough to blow up the terminal building. In looking at certain contingency
measures, outside observers occasionally comment that a particular measure has shortcomings that do not prevent different
types of attacks. The U.S. aviation security system consists of multiple layers of protection, each with its own advantages and
disadvantages that, stacked together, combine to provide a reasonable, but not impenetrable defense against air terrorism. These
layers are balanced against the need to facilitate commerce and keep the air transportation system moving.

ACE Security – Module 2 / 7 of 82
 Security

Abbreviations
AIT Automated Imaging Technology EDS Explosives Detection System
Aircraft Communications Addressing and EOC Emergency Operations Center
ACARS
Reporting System
EOP Emergency Operations Plan
AC Advisory Circular
ETD Explosives Trace Detection
ASAC Aviation Security Advisory Committee
FAA Federal Aviation Administration
ADASP Aviation Direct Access Screening Program
FAM Federal Air Marshal
AFSD Assistant Federal Security Director
FIO Field Intelligence Officer
AOA Air Operations Area
FBI Federal Bureau of Investigation
AOPA Aircraft Owners and Pilots Association
FBO Fixed Base Operator
AOSC Aircraft Operator Security Coordinator
FFDO Federal Flight Deck Officer
ASC Airport Security Coordinator
FPS Federal Protective Service
ASIS American Society of Industrial Security
FSD Federal Security Director
ASP Airport Security Program
FSP Full Standard Security Program
ATR Automated Threat Recognition
GA General Aviation
ATSA Aviation and Transportation Security
GSC Ground Security Coordinator
2001 Act of 2001
HRT Hostage Rescue Team
ATSP Airport Tenant Security Program
IAC Indirect Air Carriers
AVSEC Aviation Security Contingency Plan
IAP Incident Action Plan
BAO Bomb Appraisal Officer
IATA International Air Transport Association
BATF Bureau of Alcohol, Tobacco and Firearms
ICE Immigration and Customs Enforcement
BCP Business Continuity Planning
ICAO International Civil Aviation Organization
BDO Behavior Detection Officer
IED Improvised Explosive Device
Computer Assisted Passenger Pre-Screen-
CAPPS
ing System IFSC In Flight Security Coordinator
CASFO Civil Aviation Security Field Office IMS Ion Mobility Spectrometry
Nuclear/Biological/Chemical/Explosive Indirect Air Carrier Standard Security
CBRNE IACSSP
Weapons Program
CBP Customs and Border Protection IPP Isolated Parking Position
CCSP Certified Cargo Screening Program JTTF Joint Terrorism Task Force
CERT Community Emergency Response Team LEO Law Enforcement Officer
CIRG Critical Incident Response Group LRBL Least Risk Bomb Location
CHRC Criminal History Records Check MANPAD Manned Portable Air Defense System
Crime Prevention Through Environmental National Explosives Detection Canine
CPTED NEDCP
Design Program
DAC Designated Aviation Channeler NIMS National Incident Management System
DEA Drug Enforcement Administration NTSB National Transportation Safety Board
DHS Department of Homeland Security PCSSP Private Charter Standard Security Program
EAA Exclusive Area Agreement PIC Pilot in Command

8 of 82 / American Association of Airport Executives
 Module 2

PIV Personal Identity Verification
PNR Passenger Name Record
PPBM Positive Passenger Bag Match
RAM Random Anti-terrorism Measures
RT Registered Traveler
SAM Surface to Air Missile
SARP Standards and Recommended Practices
SeMS Security Management Systems
SD Security Directive
SIDA Security Identification Display Area
SOC Security Operations Center
Screening of Passengers by Observation
SPOT
Techniques
SPP Screening Partnership Program
SSI Sensitive Security Information
SSCP Security Screening Check Point
STA Security Threat Assessment
TDC Travel Document Check
TFSSP Twelve-Five Standard Security Program
TLO Terrorism Liaison Officers
TSC Terrorist Screening Center
TSA Transportation Security Administration
TSI Transportation Security Inspector
TSO Transportation Security Officer
TSOC Transportation Security Operations Center
TSR Transportation Security Regulations
Transportation Worker Identification
TWIC
Credential
USAR Urban Search and Rescue
VBIED Vehicle Born Improvised Explosive Device
WMD Weapon of Mass Destruction
WTMD Walk Through Metal Detector

ACE Security – Module 2 / 9 of 82
 Security

Transportation Security Regulations
Through the Administrative Procedure Act, Executive Branches of the Federal Government are permitted to promulgate rules
and regulations through a public “rulemaking” process, which includes the ability of the public to comment before the rules are
published. The rules can be found in the Federal Register.

In 1970, Title 14 of the Code of Federal Regulations addressed aviation security. Specifically Part 1071 governed Airport Security,
Part 1082 governed Air Carrier Security, Part 1093 governed Indirect Air Carriers (freight forwarders) and Part 1294 governed foreign
air carriers that operate to and from the United States. Part 191 was created in the 1970’s and governed the protection of Sensitive
Security Information (SSI), and Special Federal Aviation Regulation 91 (SFAR 91) covered other Aircraft Operators, such as charter
operations. The regulations were often truncated to “FAR”, which stood for Federal Aviation Regulations, Part 107, 108, etc.

After 9/11, the Aviation and Transportation Security Act of 2001 transferred the aviation security responsibility as well as
federal regulations covering aviation security from the FAA to the TSA, moving the regulations to Title 49 of the Code of Federal
Regulations. They are sometimes referred to as Transportation Security Regulations (TSR’s), but officially, they are known as the
Title 49 CFR Part 1500 series.

Just as there are numerous key personnel in aviation security, there are a variety of regulations that govern each area.
This section describes the various key regulations that ASCs should know in order to be effective and compliant.

Title 49 CFR Part 1500 addresses transportation security as a whole
Title 49 CFR Part 1503 addresses civil penalties and enforcement actions on behalf of the TSA
Title 49 CFR Part 1520 addresses the protection of Sensitive Security Information
Title 49 CFR Part 1540 addresses the security responsibilities of individuals, and also includes definitions and terms used
throughout Title CFR Part 1500
Title 49 CFR Part 1542 addresses airport security
Title 49 CFR Part 1544 addresses domestic Aircraft operator security, primarily scheduled service operations conducted
under Title 14 CFR Part 121, air charter and air taxi operations covered under Title 14 CFR Part 135, and full-cargo operations
covered under Title 14 CFR Part 125
Title 49 CFR Part 1546 addresses foreign Aircraft Operator security
Title 49 CFR Part 1548 addresses indirect Aircraft Operator security
Title 49 CFR Part 1550 addresses Aircraft Operator security under general operating rules, specifically any commercial flight
operation not covered under Part 1544, and
Title 49 CFR Part 1552, which addresses commercial flight training security requirements.

Title 14 of the Code of Federal Regulations are still relevant to aviation security, as many aircraft operator security programs relate
directly to the type of Title 14 CFR component that is being conducted (i.e., scheduled air carrier, charter, etc.). In other words,
a security coordinator must understand the type of flight operation (private, scheduled passenger, etc), in order to know which
security program must be implemented.

Title 14 CFR Part 915 addresses the operation of any aircraft in the U.S. airspace system – the “rules of the road” for pilots.
The NTSB also uses the term “Part 91 operation” to distinguish between a private versus a commercial flight operation.
Title 14 CFR Part 121 addresses the operations for most of the commercial service airlines. Part 121 explains the operating
requirements, training requirements for airline pilots, and maintenance and safety requirements for the aircraft and the
airline operation. An air carrier must possess a 121 Certificate in order to conduct scheduled air service of aircraft of a
certain size or larger.
Title 14 CFR Part 135 addresses operators conducting commercial operations that are generally unscheduled, such as
charter or air taxi operations. A 135 Certificate is required for these operations. Some small cargo operations may also fall
under the Part 135 requirements.
Title 14 CFR Part 125 addresses operating requirements for the full-cargo operators such as FedEx, UPS and DHL.

Note that the above operations (Part 121, 135 and 125) are commercial operations, not private operations conducted with one’s

1 Now known as Title 49 CFR Part 1542
2 Now known as Title 49 CFR Part 1544
3 Now known as Title 49 CFR Part 1548
4 Now known as Title 49 CFR Part 1546
5 There are few regulations covering flight in a private aircraft. Most of the regulations relate to commercial flight operations and commercial airports.

10 of 82 / American Association of Airport Executives
 Module 2

own aircraft. Private operations are addressed under Title 14 CFR Part 91. Presently, few security requirements exist for private
operations, but these continue to be discussed in Congress.

Title 49 CFR Part 1500: Applicability, Terms and Abbreviations
To have a complete understanding of the regulations it’s important to understand a few key definitions. The following definitions
are from Title 49, Volume 9 Chapter XII Transportation Security Administration, Department of Homeland Security.

 nder §1500.3, the term Administrator means the Under Secretary of Transportation for Security identified
U
in 49 U.S.C. 114(b) who serves as the Administrator of the Transportation Security Administration. Under
§1502.1, The Administrator is responsible for the planning, direction, and control of the Transportation Security
Administration (TSA) and for security in all modes of transportation. The Administrator’s responsibility includes
carrying out chapter 449 of title 49, United States Code, relating to civil aviation security, and related research
and development activities, and security responsibilities over other modes of transportation that are exercised
by the Department of Transportation.

Person means an individual, corporation, company, association, firm, partnership, society, joint-stock
company, or governmental authority. It includes a trustee, receiver, assignee, successor, or similar
representative of any of them.

Transportation Security Regulations (TSR) means the regulations issued by the Transportation Security
Administration, in title 49 of the Code of Federal Regulations, chapter XII, which includes parts 1500 through
1699.

TSA means the Transportation Security Administration.

United States, in a geographical sense, means the States of the United States, the District of Columbia, and
territories and possessions of the United States, including the territorial sea and the overlying airspace.

Under §1500.5 Rules of construction, “must” is used in an imperative sense (as in “shall”), and “may” is used in the permissive
sense to state authority to do the act prescribed as in, “no person may,” or “a person may not.” The term “includes” means
“includes but is not limited to.”

These definitions may seem insignificant to the average reader but to an ASC the appropriate understanding of these terms can
mean the difference between no fine and paying hundreds of thousands of dollars in civil penalties.

NOTE: as stated previously, the module will not necessarily address each applicable regulation sequentially, but in context to the
overall document. Therefore, we break with the sequential list of regulations here and jump to Title 49 CFR Part 1520. The module
does address Part 1503 later on.

Title 49 CFR Part 1520 Sensitive Security Information
ASCs will handle a variety of documents, many of which are designated for a specific type of use, prohibited from certain
disclosures, and in some cases, classified for national security purposes. When an ASC receives a Security Directive, they
will many times have to disseminate the information on the SD, but under the qualification of need-to-know, should not just
photocopy it an hand it out. ASCs should develop procedures to distribute materials and procedures marked as SSI to the various
relevant stakeholders (i.e airport police, security, operations). These procedures may require the development of an internal SSI
distribution memorandum system which, once established, should be described in the Airport Security Program.

The Air Transportation Security Act of 1974 created Sensitive Security Information (SSI) by allowing the FAA to create a method
for sharing intelligence information with airport operators and air carriers. After 9/11, SSI was expanded into all forms of
transportation and moved into Title 49 CFR Part 1520.

Confidential, Secret and Top Secret information is considered Classified National Security Information – a.k.a., Classified
Information. SSI is not. SSI fits into a category considered Sensitive but Unclassified.

ACE Security – Module 2 / 11 of 82
 Security

“For Official Use Only” and “For Law Enforcement Sensitive” are also considered Sensitive but Unclassified information. A
third category of information is Public Information and includes all other information not previously addressed. Airport security
personnel handle all types of information and, in some cases, may receive National Security clearances to handle information up
to Secret.

SSI is defined as: Information obtained or developed which, if released publicly, would be detrimental to transportation security.
SSI examples include the No-Fly and the Selectee List, Screening Standard Operating Procedures, Security Directives,
Information Circulars, Airport Security Programs and the Aircraft Operator Standard Security Program.

For Official Use Only (FOUO) is information not typically6 protected by regulation, such as the building plans for
a federal building that could adversely affect a Federal program if publicly released without authorization.

Law Enforcement Sensitive7 (LES) information includes documents that are intended for official use only that
contains material that could adversely affect or jeopardize investigative activities.8 Examples of LES material
are the FBI Intelligence Bulletins. LES information is not to be released to the media or the general public, nor
is it to be sent or posted via non-secure Internet servers.

While FOUO and LES are included in the category of Sensitive but Unclassified, they are not based on U.S. law or protected by a
federal regulation. SSI is based on U.S. law and on Title 14 CFR Part 1520. Thus, unauthorized disclosure of SSI may result in civil
penalties, whereas breaches of FOUO and LES may not.

Other characteristics of SSI include:
SSI has stronger protection from court-ordered production requests than LES and FOUO.
SSI is protected from public release under the Freedom of Information Act (FOIA).
SSI is always SSI, regardless of the entity that holds the information.
SSI documents must be marked as SSI.

In an effort to increase information sharing, the President signed an Executive Order on Controlled Unclassified information (CUI).
SSI falls within that category, but until appropriate handling policies are developed, CUI protocols are not to be used with SSI.

Classified Information (CI) is information of which “unauthorized disclosure could reasonably be expected to cause identifiable
or describable damage to the national security.”9 Certain airport security personnel may request or receive access to Classified
Information. The three primary categories of CI are Confidential, Secret and Top Secret.

“Confidential” is applied to information that could cause damage to national security.
“Secret” is applied to information that could cause serious damage to national security.
“Top Secret” is applied to information that could cause exceptionally grave damage to national security.

The type of “damage” referenced above must be articulated by the entity that assigned the classification. “Damage” generally
refers to information related to vulnerabilities or capabilities of systems, installations, projects, plan or protection services,
intelligence (including covert) activities, intelligence sources, methods or cryptology, foreign government information, and
numerous other categories as explained in Executive Order 13526.

In order to be classified as SSI, the information must be related to transportation security, its release must be detrimental, and
it must fall under the one of the 16 categories of SSI defined by the Federal Regulation (49 CFR Part 1520.5(b)). SSI is information
obtained or developed in the conduct of security activities, including research and development, the disclosure of which TSA has
determined would:
C
 onstitute an unwarranted invasion of privacy (including, but not limited to, information contained in any personnel, medical
or similar file);
Reveal trade secrets or privileged or confidential information obtained from any person; and/or
Be detrimental to the security of transportation.

6 Some States have established requirements for handling FOUO information but it is not a federally regulated classification. Check with your local and State regulations for further restrictions on this term
and others.
7 Note that in the case of Law Enforcement Sensitive, there are a variety of definitions. We have elected to use the definition used by the TSA in their SSI training aviation presentation, available on the
TSA’s website.
8 Note that in the case of Law Enforcement Sensitive, there are a variety of definitions. We have elected to use the definition used by the TSA in their SSI training aviation presentation, available on the
TSA’s website.
9 Executive Order 13526, December 29, 2009.

12 of 82 / American Association of Airport Executives
 Module 2

The 16 categories of SSI related to aviation security, are:
1. Security Programs and Contingency Plans (the Airport Security Program and the Aircraft Operator Standard
Security Program)
2. Security Directives (SDs)
3. Performance Specifications (checkpoint or checked baggage screening equipment)
4. Information Circulars (ICs) which include information advisory in nature about a potential threat
5. Vulnerability Assessments
6. Security Inspection or Investigative Information (including incidents, violations, or inspections that might reveal a
security vulnerability)
7. Threat information (the details of bomb threats or other threats)
8. Security Measures (access control measures recommended by the Federal government, Federal Air Marshal
deployment and the operation of Federal Flight Deck Officers (FFDO))
9. Security Screening Information (screening procedures, no-fly and selectee lists, security screener tests and results,
performance data from screening equipment, electronic images on TSA-owned screening equipment)
10. Security Training Materials (such as SIDA training records)
11. Identifying information of certain security personnel (individuals issued a SIDA badge, Transportation Security Officers,
Federal Air Marshals and FFDOs)
12. Critical aviation infrastructure asset information (any list identifying systems or assets, physical or virtual, that is vital
to the aviation system, which the incapacity or destruction of such would have a debilitating impact on transportation
security). This may include information about the airport access control and alarm monitoring system.
13. Systems security information, including any information involving the security of operational or administrative data
systems operated by the Federal government and critical to aviation security (including automated security procedures
and systems)
14. Confidential business information (bid information submitted to DHS or DOT, trade secret information or commercial,
financial information requested by DHS or DOT)
15. Research and Development related to security
16. Other information not otherwise described that TSA determines is SSI

Documents and information not typically considered to be SSI are the Airport Layout Plan (ALP), the Airport Master Plan and the
Airport Emergency Plan10 (AEP).

Typical SSI documents also include training that discusses the “Common Strategy II,” airline flight manuals that provide
information related to the Common Strategy or FAM procedures, procedures related to airport/SIDA badges, correspondence
between Transportation Security Inspectors (TSIs), and stakeholders that may reveal vulnerability.

Only ‘covered persons’ may access SSI. Covered persons includes airport and airline officials, maritime operators, Federal
employees, vendors, contractors, and grantees, among others. Covered persons have a need-to-know SSI if access is required
for the performance of official duties. DHS or DOT may limit access to specific SSI to certain employees or covered persons. For
example, a vendor with an airport/SIDA badge may have access to security training information related to performing his or her
job in the SIDA, but may not have access to information relating to the deployment of Federal Air Marshals.

The previous list is not all-inclusive of covered persons. Under §1520.7, other covered persons include indirect air carriers, fixed
base operators, armed security officers under §156211, airline reservation personnel, participants of a national security committee
established under 46 U.S.C. 70112, industry trade associations that have entered into a non-disclosure agreement, and each
person receiving SSI. A complete list is in §1520.7.

Other individuals may have a need-to-know if they supervise others with a need-to-know SSI, if they train others with a need-
to-know SSI or if they are requesting as part of a court order12. Members of the media are not covered persons and do not have
a need-to-know. Any requests from the media for SSI should be referred to the TSA’s Public Affairs Office (current contact
information is on the TSA’s website).

The SSI regulation mandates specific and general requirements for handling and protecting SSI.

10 Some airports have marked their AEP as SSI, but this may make it difficult for mutual aid and non-governmental agencies to respond during an emergency. Additionally, this creates more copies of the
ASC that must be available.
11 Related to the Reagan National Airport general aviation access security program.
12 When in doubt, ASCs should always consult with the FSD before releasing SSI.

ACE Security – Module 2 / 13 of 82
 Security

You Must – Lock Up All SSI: Store SSI in a secure container such as a locked file cabinet or drawer (as defined by Federal
regulation 49 CFR Part 1520.9 (a)(1)).
You Must – When No Longer Needed, Destroy SSI: Destruction of SSI must be complete to preclude recognition or
reconstruction of the information (as defined by Federal regulation 49 CFR Part 1520.19).
You Must – Mark SSI: The regulation requires that even when only a small portion of a paper document contains SSI, every
page of the document must be marked with the SSI header and footer shown at left (as defined by Federal regulation 49 CFR
Part 1520.13). Alteration of the footer is not authorized.

At the time of publication the following paragraph was the approved language for marking each page as SSI, but check the TSA
website for changes:

WARNING: This record contains Sensitive Security Information that is controlled under 49 CFR parts 15 and
1520. No part of this record may be disclosed to persons without a “need to know,” as defined in 49 CFR
parts 15 and 1520, except with the written permission of the Administrator of the Transportation Security
Administration or the Secretary of Transportation. Unauthorized release may result in civil penalty or other
action. For U.S. government agencies, public disclosure is governed by 5 USC 552 and 49 CFR parts 15 and
1520.

When not working on SSI, persons without a “need to know” should lock SSI materials in a desk drawer or file cabinet to prevent
access. Under the regulations, those with the responsibility of handling SSI are required to take reasonable steps to prevent the
unauthorized disclosure of SSI. TSA recommends the following best practices:

Use an SSI cover sheet on all SSI materials (available on the TSA website).
Electronic presentations (e.g., PowerPoint) should be marked with the SSI header on all pages and the SSI footer on the first
and last pages of the presentation.
Spreadsheets should be marked with the SSI header on every page and the SSI footer on every page or at the end of the
document.
Video and audio should be marked with the SSI header and footer on the protective cover when able and the header and
footer should be shown and/or read at the beginning and end of the program.
CDs/DVDs should be encrypted or password-protected and the header and footer should be affixed to the CD/DVD.
Portable drives including “flash” or “thumb” drives should not themselves be marked, but the drive itself should be
encrypted or all SSI documents stored on it should be password protected.
When leaving your computer or desk you must lock up all SSI and you should lock or turn off your computer.
Taking SSI home is not recommended. If necessary, get permission from a supervisor and lock up all SSI at home.
Don’t handle SSI on computers that have peer-to-peer software installed on them or on your home computer.
Transmit SSI via email only in a password-protected attachment, not in the body of the email. Send the password without
identifying information in a separate email or by phone.
Passwords for SSI documents should contain at least eight characters, have at least one uppercase and one lowercase
letter, contain at least one number, one special character and not be a word in the dictionary.
Faxing of SSI should be done by first verifying the fax number and that the intended recipient will be available promptly to
retrieve the SSI.
SSI should be mailed by U.S. First Class mail or other traceable delivery service using an opaque envelope or wrapping. The
outside wrapping (i.e. box or envelope) should not be marked as SSI.
Interoffice mail should be sent using an unmarked, opaque, sealed envelope so that the SSI cannot be read through the
envelope.
SSI stored in network folders should either require a password to open or the network should limit access to the folder to
only those with a need to know.
Properly destroy SSI using a cross-cut shredder or by cutting manually into less than 1⁄2 inch squares.
Properly destroy electronic records using any method that will preclude recognition or reconstruction.

SSI Airport Security Cameras Identification Guide
Since CCTV cameras are used in a variety of ways at an airport, including for criminal surveillance at the security checkpoints
and other areas around the airport property, such as parking garages. They are also used to detect activity, which may fall under
the heading of SSI; such as imagery from an x-ray machine or imagery that reveals methods of penetrating secure areas. TSA has
published guidance on whether a particular CCTV image is considered SSI.

14 of 82 / American Association of Airport Executives
 Module 2

Essentially, videos revealing information that a passenger may learn simply by watching the screening process (such as a
passenger being hand wanded, patted-down or having his bag searched) is generally not considered SSI. However, any release of
security camera footage must be submitted to the Federal Security Director for approval. Additional guidance on airport security
camera footage (including still imagery taken from a security camera) may be obtained from the TSA.

SSI Best Practices
Limiting the number of Airport Security Program copies to as few as possible makes keeping track of, and updating, the ASP
easier and more secure. The Airport Security Coordinator, the airport manager, the police department and the TSA should have full
copies of the ASP.

For other operators, including air carriers, tenants, vendors and contractors, the manager of each business should receive a
downsized copy of the ASP, eliminating any information that is not directly pertinent to that business. This document is sometimes
referred to as an Airport Security Participant Manual or Tenant Security Manual and gives the ASC greater flexibility in educating
airport tenants on security programs and regulations. Additionally, anyone receiving a copy of an ASP should sign a confidentiality
agreement or letter, agreeing not to disclose or copy any portion of the ASP without the written approval of the Airport Security
Coordinator. A copy of this letter is available at TSA’s website.

The ASP should be kept in a secured location at all times.
Whenever an update is issued to the ASP, each recipient of that update should make a log entry in his or her copy of the ASP
stating that he or she has received the update and either destroy through an approved means, or return the previous sections to
the ASC.
Any draft copies, notes, or e-mails relating to the development of the ASP should be properly secured or destroyed.
Confidential information should be passed on to those authorized to receive it in written format and preferably in person.
However, discussions relating to the ASP, including security procedures and practices, should not be transmitted by e-mail if
possible.
Electronic copies of the ASP, such as CDs, may be issued to approved entities, but the file on the CD that contains the Airport
Security Program, or other SSI materials, must be password protected.

Airport personnel should be trained in the handling of SSI and should not discuss SSI in public areas. ASCs should always
exercise caution in the handling and dissemination of Sensitive Security Information. Under §1520.17, the consequences of
unauthorized disclosure of SSI are grounds for a civil penalty and other enforcement or corrective action by DHS, and appropriate
personnel actions for Federal employees. Corrective action may include issuance of an order requiring retrieval of SSI to remedy
unauthorized disclosure or an order to cease future unauthorized disclosure.

With the current culture moving towards a world where everything gets posted on Facebook, Twitter or YouTube, or some other
social networking site, it is important to remind personnel with SIDA badges, or those that handle other forms of SSI that they are
not allowed to divulge this information to anyone that doesn’t have a need to know, and that certainly includes the general public
or Facebook friends, Twitter followers and so forth.

Title 49 CFR Part 1540 Civil Aviation Security: General Rules
There are certain regulations that apply to all individuals and entities involved or in contact with the aviation security system.
This includes employees, passengers and companies. Under §1540.1, this subchapter and this part apply to persons engaged in
aviation-related activities.

Title 49 CFR Part 1540 addresses several areas within the regulations, including, indirectly, the authority of the Federal Security
Director and associated personnel, and the individual responsibility each person within the aviation security system.
Under §1540.3, Delegation of authority, the Administrator (of the TSA) is named in this subchapter as exercising authority over a
function, the authority is exercised by the Administrator or the Deputy Administrator, or any individual formally designated to act
as the Administrator or the Deputy Administrator.

Where TSA or the designated official is named in this subchapter as exercising authority over a function, the authority is exercised
by the official designated by the Administrator to perform that function. What this essentially means is that the authority of the TSA
Administrator can be (and often is) delegated to the Federal Security Director, who makes regulatory interpretations and other
assessments on behalf of the TSA.

ACE Security – Module 2 / 15 of 82
 Security

Definitions

Part 1540 also provides a definition of security terms used throughout the regulations.

Air operations area (AOA) means a portion of an airport, specified in the airport security program, in which
security measures specified in this part are carried out. This area includes aircraft movement areas, aircraft
parking areas, loading ramps, and safety areas, for use by aircraft regulated under 49 CFR part 1544 or 1546,
and any adjacent areas (such as general aviation areas) that are not separated by adequate security systems,
measures, or procedures. This area does not include the secured area.

The entire airfield of a commercial service airport must, at a minimum, be designated an Air Operations Area. AOA is a security
term (as opposed to the Title 14 CFR Part 139 term Airport Movement Area – which designates only runways and taxiways) that
explains the security measures that must be carried out in that area. Airport operators can increase the security in various areas
of the airport by creating a Security Identification Display Area or a Secured Area – both terms are explained later in this module.
AOAs may also be combined with Security Identification Display Areas (SIDAs).

Within the area designated as an AOA, Airport Operators must:

Implement an access control system.
Be able to detect and respond to unauthorized persons or vehicles within the AOA.
Ensure that security information is provided for personnel working in the AOA.
Post warning signs to the general public that they are about to enter an AOA.

 ircraft operator means a person who uses, causes to be used, or authorizes to be used an aircraft, with
A
or without the right of legal control (as owner, lessee, or otherwise), for the purpose of air navigation
including the piloting of aircraft, or on any part of the surface of an airport. In specific parts or sections of this
subchapter, “aircraft operator” is used to refer to specific types of operators as described in those parts or
sections.

The key change in the definition of an Aircraft Operator from the old security regulations is the deletion of the term “scheduled
passenger operations.” However, this small change in wording resulted in an entirely new perspective. Aircraft Operators were
traditionally viewed scheduled passenger commercial air carrier (i.e. the airlines). However, the term Aircraft Operator now
covers both scheduled and nonscheduled (public and private charters) passenger operations.

Airport operator means a person that operates an airport serving an aircraft operator or a foreign air carrier
required to have a security program under part 1544 or 1546.

Airport security program means a security program approved by TSA under §1542.101.

Airport tenant means any person, other than an aircraft operator or foreign air carrier that
has a security program under part 1544 or 1546, that has an agreement with the airport operator to conduct
business on airport property.

Airport tenants include businesses on the airport, such as restaurants and gift shops, general aviation facilities, including Fixed-
Base Operators (FBO), certain cargo companies, catering companies, and contractors or vendors who have facilities on the
airport.

It is important to distinguish between airport tenants as those normally associated with having a facility on the airport, and airport
contractors or vendors who either service or deliver products to the airport but may not have permanent facilities or lease space
on the airport property. While the regulations do not define contractors or vendors, it is a good idea to define those terms and
entities within the ASP and set forth their parameters and operating restrictions on operation within the AOA, SIDA, Sterile or
Secured Areas.

As defined in this section, airport tenants does not include Aircraft Operators, most commonly airlines or charter operators, as
Aircraft Operators are considered Regulated parties.

Airport tenant security program means the agreement between the airport operator and an airport tenant that
specifies the measures by which the tenant will perform security functions, and approved by TSA, under §1542.113.

16 of 82 / American Association of Airport Executives
 Module 2

Prior to 9/11, Airport Operators were required by the FAA to take full responsibility for the actions of their tenants. If the employee
of an airport tenant violated a security procedure enforceable under the ASP or federal regulations, then subsequent enforcement
action was taken against the airport, rather than the tenant. It was then up to the airport to pursue legal remedies against its
tenant. Airport Operators had some relief through the use of Exclusive Area Agreements (defined later in this section) with Aircraft
Operators; however, airports could not make the same agreements with all other airport tenants.

After the Part 107 re-write, and as subsequently embodied in Part 1542, Airport Operators can utilize an Airport Tenant Security
Program, which is similar to the Exclusive Area Agreement but applicable to non-Aircraft Operators. Tenants assume certain
security responsibilities from the airport under an ATSP (except for law enforcement response requirements). Each ATSP must
be approved by the Airport Operator, the tenant and the TSA, at which point it becomes part of the Airport Security Program.
However, the use of an ATSP is generally for large tenants (not individual t-hangar tenants), such as FBOs, large corporate
operators or aircraft manufacturers. Within an ATSP the Airport Operator must establish an enforcement program, which has
many of the same elements as the TSA enforcement programs under 1503.

Approved, unless used with reference to another person, means approved by TSA.

Airport Security Programs, amendments and the implementation of Security Directives are some documents that must be
approved by TSA, which means to be signed and dated by the appropriate authorizing party.

Cargo means property tendered for air transportation accounted for on an air waybill. All accompanied
commercial courier consignments, whether or not accounted for on an air waybill, are also classified as
cargo. Aircraft operator security programs further define the term “cargo.”

Certified cargo screening facility (CCSF) means a facility certified by TSA to screen air cargo in accordance
with part 1549. “Certified cargo screening facility” refers to the legal entity that operates a CCSF at a
particular location.

Certified cargo screening program (CCSP) means the program under which facilities are authorized to screen
cargo to be offered for transport on certain passenger aircraft in accordance with 49 CFR part 1549.

Checked baggage means property tendered by or on behalf of a passenger and accepted by an aircraft
operator for transport, which is inaccessible to passengers during flight. Accompanied commercial courier
consignments are not classified as checked baggage.

Escort means to accompany or monitor the activities of an individual who does not have unescorted access
authority into or within a secured area or SIDA.

The term “Escort” has been used for many years on airports. However, the term was not clearly defined by regulations. While
the regulations now provide a definition, each Airport Operator must determine the parameters of an acceptable escort. Most
often, those parameters include requiring an individual with unescorted access privileges to maintain the escorted parties in
visual contact and within close proximity. Additionally, the parameters often place limitations on the number of people a person
with unescorted access privileges can escort at one time. The TSA issued a Security Directive in 2007 clarifying the escort
requirements, which essentially includes ensuring un-badged personnel are continuously monitored and accompanied.

Exclusive area means any portion of a secured area, AOA, or SIDA, including individual access points, for
which an aircraft operator or foreign air carrier that has a security program under part 1544 or 1546 of this
chapter has assumed responsibility under §1542.111 of this chapter.

Exclusive area agreement means an agreement between the airport operator and an aircraft operator or a
foreign air carrier that has a security program under parts 1544 or 1546 of this chapter that permits such an
aircraft operator or foreign air carrier to assume responsibility for specified security measures in accordance
with §1542.111 of this chapter.

The Exclusive Area is that portion of an airport where a regulated party, including Aircraft Operators, Indirect Air Carriers, and
foreign Aircraft Operators, assume certain security responsibilities (with the exception of law enforcement). This is similar to the
Airport Tenant Security Program but the EAA is used by Regulated Parties and the Airport Operators security requirements over
the Regulated Parties activities are less involved than with the ATSP.

ACE Security – Module 2 / 17 of 82
 Security

FAA means the Federal Aviation Administration.

Flightcrew member means a pilot, flight engineer, or flight navigator assigned to duty in an aircraft during flight
time.

Indirect air carrier (IAC) means any person or entity within the United States not in possession of an FAA air
carrier operating certificate, that undertakes to engage indirectly in air transportation of property, and uses
for all or any part of such transportation the services of an air carrier. This does not include the United States
Postal Service (USPS) or its representative while acting on the behalf of the USPS.

Loaded firearm means a firearm that has a live round of ammunition, or any component thereof, in the
chamber or cylinder or in a magazine inserted in the firearm.

Passenger seating configuration means the total maximum number of seats for which the aircraft is type
certificated that can be made available for passenger use aboard a flight, regardless of the number of seats
actually installed, and includes that seat in certain aircraft that may be used by a representative of the FAA to
conduct flight checks but is available for revenue purposes on other occasions.

Private charter means any aircraft operator flight—

(1) For which the charterer engages the total passenger capacity of the aircraft for the carriage of
passengers; the passengers are invited by the charterer; the cost of the flight is borne entirely by the
charterer and not directly or indirectly by any individual passenger; and the flight is not advertised to the
public, in any way, to solicit passengers. (2) For which the total passenger capacity of the aircraft is used for
the purpose of civilian or military air movement conducted under contract with the Government of the United
States or the government of a foreign country.

Many kinds of private charter operations exist including, but not limited to, small aircraft or commercial service aircraft being used
to carry specialized clients, or large air carrier aircraft drawn into service to carry professional sports teams or musical acts.

Public charter means any charter flight that is not a private charter.

Scheduled passenger operation means an air transportation operation (a flight) from identified air terminals at
a set time, which is held out to the public and announced by timetable or schedule, published in a newspaper,
magazine, or other advertising medium.

It’s important to distinguish scheduled passenger operations from public charters. Scheduled passenger operations have a set
timetable: for example, an aircraft will depart from Point A at 8 a.m., every morning, Monday through Friday, and fly to Point B,
arriving at 9 a.m. Non-scheduled, public charter operations sometimes have similar schedules, which can cause confusion, but
charter operators do not advertise themselves to the public as a scheduled operation and may have varied arrival and departure
times and locations. Scheduled air carriers also hold themselves out to the public as a scheduled air carrier, as well as publish
flight schedules. Further, they are certificated by the FAA as scheduled air carriers under Title 14 CFR Part 121. A public charter
often operates under a different operating certificate and are commonly used by tourist organizations such as Sun Country, Apple
Vacations or similar all-encompassing resort operations13.

Screening function means the inspection of individuals and property for weapons, explosives, and
incendiaries.

Prior to 2010, the Screening Function officially began at the first point of screening, whether that is when an individual places his
property onto the x-ray or EDS machine belt, or when the individual himself passes into a walk-through metal detector, millimeter
wave imaging system or similarly approved method. However, in 2010, TSA declared that screening officially begins essentially
wherever they put up a sign stating something to the effect that ‘individuals may be screened beyond this point.’ This issue is one
of contention for many airport law enforcement agencies and local district attorneys, so the definition may be subject to future
judicial review.

13 In these cases, the aircraft is the conveyance used by the public charter (i.e. resort operator) company. Passengers are not buying a seat on the plane, they are purchasing a vacation package and the
aircraft is simply their transport to their destination.

18 of 82 / American Association of Airport Executives
 Module 2

Screening location means each site at which individuals or property are inspected for the presence of
weapons, explosives, or incendiaries.

Secured area means a portion of an airport, specified in the airport security program, in which certain
security measures specified in part 1542 of this chapter are carried out. This area is where aircraft operators
and foreign air carriers that have a security program under part 1544 or 1546 of this chapter enplane and
deplane passengers and sort and load baggage and any adjacent areas that are not separated by adequate
security measures.

Within the Secured Area, Airport Operators must:
Employ an access control system that meets three essential requirements: (a) the ability to identify and allow access to
authorized personnel; (b) the ability to distinguish access for those authorized to be in the Secured Area; (c) the ability to
immediately deny access to an unauthorized individual or a previously authorized individual.
Be able to detect and respond to unauthorized persons or vehicles within the Secured Area.
Establish a personal identification system (ID badges), as every Secured Area is also a SIDA.
Ensure security training for personnel working in the Secured Area.
Post warning signs to the general public that they are about to enter a Secured Area.

The key difference between an access control system in an AOA and that of a Secured Area is that the Airport Operator must
implement an access control program must be able to allow access to those who have authorization, immediately deny access to
those without authorization and differentiate access for individuals who have access to certain areas of the Secured Area but not
others.

Security Identification Display Area (SIDA) means a portion of an airport, specified in the airport security
program, in which security measures specified in this part are carried out. This area includes the secured
area and may include other areas of the airport.

Within the SIDA, Airport Operators are required to:
Be able to detect and respond to unauthorized persons or vehicles within the SIDA.
Establish a personal identification system (ID badges).
Ensure security training for personnel working in the SIDA.

The SIDA definition does not have a requirement for access control or the requirement to post signage; however, it does contain
all of the other elements of the Secured Area. Secured Areas must always be SIDAs, but not all SIDAs are Secured Areas
because the SIDA does not include an access control requirement. A SIDA may be combined with an AOA, in which case, it
includes access controls and signage, but not necessarily access controls that meet the higher requirements of a Secured Area.

SIDAs may also stand-alone and be off-airport fuel farms14, aircraft rescue and firefighting facilities, maintenance facilities, within
cargo facilities or other areas outside and away from areas where passengers enplane and deplane. Since 2006, all cargo ramp
areas on an airport are required to be SIDAs (thus, making them SIDA/AOAs).

In order to help airport and Aircraft Operator employees better understand the various meanings of Secured Area, SIDA and
AOA, some airports have simply created the definition of “Restricted Area” within their ASP, to both simplify the wording in their
security programs, and on their publicly posted warning signs. Restricted area or secure areas are terms that the airport must
further define within their own ASP’s in order to meet the regulations in Part 1542. ASCs should work with their local FSD or
stakeholder manager to assist in these areas.

Standard security program means a security program issued by TSA that serves as a baseline for a particular
type of operator. If TSA has issued a standard security program for a particular type of operator, unless
otherwise authorized by TSA, each operator’s security program consists of the standard security program
together with any amendments and alternative procedures approved or accepted by TSA.

Standard security programs include many aircraft operator security programs such as the Aircraft Operator Standard Security
Program, the Twelve-Five Standard Security Program, the Indirect Air Carrier Standard Security Program, and others.

14 TSA issued additional guidance on the security of fuel farms on June 6, 2007. This information can be found in the Airport Security Program Guide and 49 CFR 1542 Implementation Guide.

ACE Security – Module 2 / 19 of 82
 Security

Sterile area means a portion of an airport defined in the airport security program that provides passengers
access to boarding aircraft and to which the access generally is controlled by TSA, or by an aircraft operator
under part 1544 of this chapter or a foreign air carrier under part 1546 of this chapter, through the screening of
persons and property.

Unescorted access authority means the authority granted by an airport operator, an aircraft operator, foreign
air carrier, or airport tenant under part 1542, 1544, or 1546 of this chapter, to individuals to gain entry to, and be
present without an escort in, secured areas and SIDA’s of airports.

Unescorted access to cargo means the authority granted by an aircraft operator or IAC to individuals to have
access to air cargo without an escort.

Responsibilities of Passengers and Other Individuals and Persons

This section of 1540 applies to individuals and other persons, meaning that it applies to employees of an airport, airline, tenant,
contractor, vendor, government agency or otherwise is connected to the aviation system, plus passengers or even visitors to the
airport. The creation of these regulations made it possible for TSA to leverage fines against individuals. Prior to §1540 the TSA (and
the FAA before it), typically went just after airport or air carrier operators when there was a violation. This section opened the door
for individual enforcement actions.

Fraud and Intentional Falsification of Records
No person may make any fraudulent statement in any application for a security program, access medium15 or identification
medium (§1540.103).

In order to receive airport access/ID media, applicants must Personally Identifiable Information (PII) to the Airport or Aircraft
Operator. Aircraft Operators must also attest to the airport or Aircraft Operator that an applicant has passed a fingerprint-based
CHRC and is authorized to receive airport access/ID media16.

Pre 9/11 FAA investigations discovered two disturbing trends.
Applicants would willingly provide false information so that they could receive airport access/ID media, and,
Airport tenants will falsely verify that the background check17 had been conducted on their employees, when in fact it was
not.

Individuals also may not reproduce or alter for fraudulent purposes any report, record or security program or access medium.
What are the parameters for an individual making a false statement?

I n order for an individual to make an intentionally false statement that individual must know that the statement is false and
have an “intent to deceive.” If a person makes a statement in good faith that he or she believes is true, then the elements of
a false statement do not exist.
Fraud exists when action is taken based on false information.

Therefore, if an individual applying for airport access/ID media knowingly writes down a false statement, he or she has likely only
made a “false statement” and cannot yet be guilty of fraud. However, if access/ID media is issued, or other actions are taken
based on that false information, then the individual may be guilty of the criminal act of fraud. If an individual suspects a situation
involving a false statement or fraud, they should immediately report it to the TSA.

Operation Rampcheck: identity theft has made its way into the aviation security world. This practice created one critical gap in
security and was identified soon after the passage of the Aviation and Transportation Security Act, when hundreds of airport
workers with access to security areas were arrested at airports across the United States. In many cases, illegal aliens had
falsified applications for airport access/ID media. While fingerprint-based, criminal history record checks were conducted on
these personnel, the regulations never required (nor funded the program) to verify the identity of the individual submitting the
information. If the illegal aliens were not wanted for a criminal act, and Airport and Aircraft Operators did not know they were
illegal aliens, they were issued access/ID media granting them unescorted access to airport Secured Areas.
15 Such as an airport identification badge.
16 The Airport Operator can decide whether to accept the results of the check, (or to conduct its own check) before issuing the access/ID media.
17 A pre 9/11 process known as the Access Investigation. The process has since been eliminated from the regulations but some airports still require it.

20 of 82 / American Association of Airport Executives
 Module 2

The TSA issued a Security Directive in 2007 on this practice, and airports are now required to review the passports or birth
certificates of access/ID media applicants before issuing such media. Some airports have contracted identity verification out to
private companies, and in many cases CBP personnel will provide training to airport access control office/badging personnel in
the identification of fraudulent documents.

Security Responsibilities of Employees and Other Persons

Section 1540.105(a)(1) prohibits anyone from tampering or interfering with a security system, measure or procedure, nor modify,
attempt to circumvent, or cause a person to tamper or interfere with, compromise, modify, or attempt to circumvent any security
system, measure, or procedure. This could include the airport access control system, screening personnel, or airport or TSA
enforcement personnel.

This section further prohibits individuals from being in a Security Area without complying with the required access control,
system, measure or procedure (§1540.105(b)(2)), and prohibits individuals from loaning their access/ID media to another individual.
Individuals may not alter their airport access/ID media nor circumvent the access control system by climbing a fence or by
disabling or tricking an access control device. Even individuals who have the rightful access to an AOA, SIDA or Secured Area,
but do not enter those areas through the appropriate access control measures, are subject to enforcement action18.

Testing Airport Security: Since the Airport Operator must enforce the provisions of the Airport Security Program, most airports
have established programs to test individuals on airport security measures. Unless authorized under the Airport Security Program,
this section also prohibits unauthorized tests of any airport security system. By extension, through the application of airport rules
and regulations, and its Airport Security Program, this section is used to enforce the security regulations on an airport, since
almost any violation can be considered tampering, circumventing etc., the security system.

While unauthorized testing has been a favorite method of journalists seeking to publicize gaps in the security system. While there
may be some merit to some of this testing, it diverts security resources from areas of true concern and oftentimes points out
perceived weaknesses within the security system that are best handled in a nonpublic manner.

Some common challenges Airport Operators face include employees who like to decorate their airport access/ID media with
stickers and pins. Also, in some cases, temporary employees, such as construction workers or contractors, will bypass a security
system in an area where they are working19, which is prohibited. According to the regulations, the first case fits the definition of
altering the airport access/ID media and the second case fits the definition of tampering with the security system. However, in
neither case do the actions necessarily demonstrate intent to circumvent the security system for criminal purposes. There should
be consequences to individuals committing these offenses, but Airport Operators should consider the totality of the circumstances
when enforcing regulations, particularly, when determining whether there was intent to circumvent a system for criminal
purposes.

This section, however, does not prohibit airport or Aircraft Operators or foreign air carriers from conducting self-tests of their
security systems. When conducting these tests, certain parameters must be followed:
The training must be under the authority of the Airport Security Coordinator and should not include the general public or the
media.
Testing should not endanger any person, property or aircraft, including those not participating in the test.
Only those individuals with unescorted access and escort authority may carry out security self-testing.
Persons authorized to conduct a test must be trained or briefed by the ASC on the location, areas of focus and time frame
that the testing will cover, so that the ASC is aware and can confirm the details of any on-going tests20.
Testing methodologies should relate to the goals of the test.

Any airport self-testing program must be part of the ASP and the ASP must clearly designate who is allowed to conduct tests of
the security system and under what conditions.

Many airports have established “challenge” programs whereby an individual who is authorized to conduct such tests will remove
his or her airport access/ID media and walk through the SIDA to see if airline and other airport personnel challenge them. Some

18 From the TSA, the Airport Operator, or local police or the FBI – in some cases, all four.
19 Many possess the technical skills to override an access control system or alarm system. This reinforces the need for a tamper alarm mechanism or protocol so the Airport Security Operations Center is
notified when a door or system goes out of service.
20 An armed police response to a situation that the police do not know is a test could have disastrous results.

ACE Security – Module 2 / 21 of 82
 Security

airports offer a reward for individuals who do challenge the un-badged individual; some airports issue violation notices for those
not challenging the un-badged individual, and some airports do both.

Airport tenants and Aircraft Operators often donate rewards. It is important to remember that even after 9/11, many airport or
Aircraft Operator employees either do not believe airport security is their responsibility, or are fearful of challenging individuals
who are not displaying proper ID. For these reasons, security responsibilities should be stressed over and over again in training,
and employees should be instructed on who to contact when they encounter an individual not displaying proper identification.

While these efforts can help increase the employee challenge responsibility, airport security coordinators should still encourage
frequent patrols by law enforcement officers, security guards and airport operations personnel to look for unauthorized individuals
in restricted areas. Other testing programs in effect include routine testing of security guard response time, as well as law
enforcement officer response time to door alarms and other security incidents. All testing should be pre-coordinated with the ASC
and conducted by an individual who is authorized to conduct the testing.

Submission to screening and inspection
Sections 1540.107,.109 and.111 address issues related to the screening of personnel and materials entering the Sterile Area or
being brought on board an aircraft.

§1540.107 Submission to screening and inspection. (a) No individual may enter a sterile area or board an
aircraft without submitting to the screening and inspection of his or her person and accessible property in
accordance with the procedures being applied to control access to that area or aircraft under this subchapter.

Individuals must provide their full name, date of birth and gender when making a reservation for a flight request for authorization
to enter a sterile area. While the language request for authorization, is very formal, this is really just the process of the Travel
Document Check which takes place when passengers into the screening checkpoint. When a person does not have a verifying
identity document as defined in §1560.321, the individual may still be allowed access to the screening area on a case-by-case
basis. This will typically trigger a secondary screening process whereby the individual undergoes additional scrutiny prior to being
allowed access to the sterile area.

Most travelers know that they are not supposed to joke at the checkpoint about aviation security; however, until 9/11 a specific
prohibition not to interfering with screening personnel did not exist. §1540.109 Prohibition against interference with screening
personnel makes it a violation to assault, threaten or intimidate screening personnel in the performance of their duties.
Additionally, many Airport Operators have added interference with security personnel into their list of airport violations. This tends
to cut down on harassment of airport operations and security officer personnel while enforcing the rules and regulations.

The carriage of weapons, explosives, and incendiaries by individuals (§1540.111), into the Sterile Area or on an aircraft is
restricted. This section prohibits individuals from carrying weapons, explosives, and incendiaries as soon as the individual submits
his or her property or self for screening. Up until that time, they may not be guilty of violating this regulation; however, they may be
guilty of violating other federal, state and local regulations concerning carrying weapons, explosives or incendiaries in a public
facility.

This section does not apply to law enforcement personnel who are required to carry a firearm while in the performance of their
law enforcement duties at the airport, or certain other individuals authorized to carry a weapon, which can include Federal
Flight Deck Officers, Federal Air Marshals and other federal agents, or individuals providing prisoner and escort duties. Specific
exceptions are found in §1544.219 (law enforcement officers), 1544.221 (carriage of prisoners), 1544.223 (Federal Air Marshals), or
1546.211 (foreign air carrier law enforcement personnel).

Federal Flight Deck Officers are allowed to carry their weapons onboard even if they are not a member of the flight crew. The
specific procedures for an FFDO carrying his or her firearm are specifically outlined for those individuals and the Aircraft Operator,
but are considered SSI and not addressed in this document.

Unloaded firearms may be carried by passengers in checked baggage, provided the firearm is declared to the Aircraft Operator
both orally and in writing prior to checking the firearm. Unloaded firearms must be carried in a hard-sided, locked container with
only the passenger retaining the key or combination. Inspection of the container is usually conducted at the ticket counter at the

21 This is the Secure Flight program that requires matching the name of the passenger with the appropriate watch lists.

22 of 82 / American Association of Airport Executives
 Module 2

time the firearm is checked-in. There are often additional airline-specific procedures.

Much has been said about State regulations in Alaska, which discusses carriage of firearms on board an aircraft as part of a
pilot’s survival gear. Carriage of firearms on board a commercial Part 121 operation is still prohibited by federal law (above).
Previous Alaska State law (AS 02.35.110) did require a pilot to carry a firearm (pistol, rifle or shotgun with ammunition for same);
however that law has been revised to remove the requirement. Carriage of a firearm by an airman within the State is now at the
operator’s discretion.

Unauthorized explosives or incendiaries are not allowed in checked or carry-on baggage. Ammunition is not prohibited from
being carried in checked baggage; however, Title 49 CFR 175 (hazardous material carriage on aircraft) does provide additional
requirements for carrying ammunition on aircraft. This responsibility is primarily that of the aircraft operator.

One question that commonly comes up with respect to law enforcement operations is the ability of a police officer to conduct a
search of an individual who submits to the screening checkpoint. This issue has resurfaced with the actions of Behavior Detection
Officers and TSOs who stop individuals before reaching the screening checkpoint as part of the SPOT program.

Terry v. Ohio established that a police officer without a warrant may stop and briefly detain a person for investigative purposes if
the officer has a reasonable suspicion, supported by articulable facts that criminal activity is occurring, even if the officer lacks
probable cause. So, a cop can stop someone when they believe a crime is being committed or has been committed. That said, an
officer can question anyone but that individual(s) is free to go whenever they want, unless the officer has reasonable suspicion
or probable cause22. When an individual submits to the screening process, it is considered an administrative search and is an
exception to the Fourth Amendment to the U.S. Constitution.

Under Terry v. Ohio, if there is evidence of a crime or suspicion based on the results of the search, then a police officer, may
conduct a search of the individual. In August 2007, this law was again tested when TSA personnel in Honolulu discovered
narcotics during a secondary search of a passenger. The Ninth Circuit Court of Appeals upheld the lower court’s ruling, which
concluded that checkpoint screening is not only constitutional but necessary to meet the government’s legitimate aviation security
goal to protect its citizens against terrorist threats.

When does screening begin? There have been several debates on this topic throughout the years. Previous to 2011, the “start” of
the screening process was generally considered to be the x-ray machine and the walk through metal detector. As soon as an item
went inside the x-ray machine or as soon as an individual stepped into the metal detector, breaking the invisible magnetic plane,
then the screening process had begun. However, with the deployment of BDO’s throughout airports, the question of where the
screening process begins has become unclear. Some believe that if a sign is in place warning the public that beyond the sign they
may be subject to screening, that constitutes the screening process while others hold to different views, such as in the screening
line or at the metal detector or body imaging device.

Inspection of airman certificate

This rule requires any individual who holds an airman certificate or license, or a medical certificate issued by the FAA, to present
it for inspection upon request of a Transportation Security Inspector, Assistant Federal Security Director, Federal Security Director,
or similarly authorized individual. Transportation Security Officers (i.e., screeners) are not authorized to demand this inspection
(§1540.113).

This rule closes a gap, particularly in the case of general aviation Aircraft Operators and air cargo operators, many of whom do
not have airport access/ID media for a commercial service airport. Additionally, the requirement of pilots to carry some form of
government issued photo ID has aided inspectors in this area (§1540.113).

Considering that the hijackers in the 9/11 attacks were trained in the U.S. and held U.S. Federal Aviation Administration pilot
certificates, the TSA has continued to expand regulations regarding flight training. This rule requires any U.S. pilot or pilot
certificate or rating applicant to submit certain identifying information to the TSA, so that it may conduct a Security Threat
Assessment (§1540.115).

22 There are some interesting writings on the difference between these two concepts that are beyond the purview of the ACE-Security modules, but readers involved in airport law enforcement who desire
further clarification or information are encouraged to seek such writings or consult with your legal advisors.

28
 APPS – computer assisted passenger pre-screening system. CAPPS was implemented in 1996 after the crash of TWA 800. It was a computer triggered process that flagged passengers booking with
C
certain indicators as being a potential higher risk. These passengers were subjected to higher levels of scrutiny at the checkpoint and the positive passenger bag match requirement applied to them.

ACE Security – Module 1 / 23 of 82
 Security

If a pilot applicant is determined to be a threat to transportation or national security, civil aviation, airline or passenger security
or suspected of committing air piracy or terrorism, then a lengthy investigation process ensues between the TSA and FAA. The
process will determine if the individual will be issued, or allowed to retain, FAA pilot certification. The same process applies to
aliens holding or applying for FAA certificates, ratings or authorizations (§1540.117).

Security Threat Assessments

Section 1540.115,.117 and Part 1540.201,.203,.205, and.209 address the requirements of Security Threat Assessments (STA), for
various circumstances.

Most predominantly, STAs are conducted for individuals applying for Access/ID to an airport’s Security Areas. STAs are also
conducted on those individuals holding or applying for FAA pilot certificates, ratings or authorizations - (§1540.115 for U.S. citizens),
and (§1540.117 for aliens). In this context, an individual poses a security threat when the individual is suspected of posing, or is
known to pose:

A threat to transportation or national security;
A threat of air piracy or terrorism;
A threat to airline or passenger security; or
A threat to civil aviation security.

STAs are required to be conducted on certain individuals23 including:

Aircraft operator personnel operating under a full-program described in 49 CFR 1544.101(a) or (h).
Foreign air carrier personnel under a program described in 49 CFR 1546.101(a), (b), or (e).
Indirect air carrier personnel under a security program descri