§ 108.305 - Security Directives and Information Circulars.

(a) The Administrator may issue an Information Circular to notify aircraft operators of security concerns. When the Administrator determines that additional security measures are necessary to respond to a threat assessment or to a specific threat against civil aviation, the Administrator issues a Security Directive setting forth mandatory measures.

(b) Each aircraft operator required to have an approved aircraft operator security program shall comply with each Security Directive issued to the aircraft operator by the Administrator, within the time prescribed in the Security Directive for compliance.

(c) Each aircraft operator that receives a Security Directive shall—

(1) Within the time prescribed in the Security Directive, verbally acknowledge receipt of the Security Directive to the Administrator.

(2) Within the time prescribed in the Security Directive, specify the method by which the measures in the Security Directive have been implemented (or will be implemented, if the Security Directive is not yet effective).

(d) In the event that the aircraft operator is unable to implement the measures in the Security Directive, the aircraft operator shall submit proposed alternative measures and the basis for submitting the alternative measures to the Administrator for approval. The aircraft operator shall submit the proposed alternative measures within the time prescribed in the Security Directive. The aircraft operator shall implement any alternative measures approved by the Administrator.

(e) Each aircraft operator that receives a Security Directive may comment on the Security Directive by submitting data, views, or arguments in writing to the Administrator. The Administrator may amend the Security Directive based on comments received. Submission of a comment does not delay the effective date of the Security Directive.

(f) Each aircraft operator that receives a Security Directive or Information Circular and each person who receives information from a Security Directive or Information Circular shall:

(1) Restrict the availability of the Security Directive or Information Circular, and information contained in either document, to those persons with an operational need-to-know.

(2) Refuse to release the Security Directive or Information Circular, and information contained in either document, to persons other than those with an operational need-to-know without the prior written consent of the Administrator.