§ 191.7 - Sensitive security information.

Except as otherwise provided in writing by the Administrator as necessary in the interest of safety of persons traveling in air transportation, the following information and records containing such information constitute sensitive security information:

(a) Any approved or standard security program for an air carrier, foreign air carrier, indirect air carrier, or airport operator, and any security program that relates to United States mail to be transported by air (including that of the United States Postal Service and of the Department of Defense); and any comments, instructions, or implementing guidance pertaining thereto.

(b) Security Directives, Information Circulars, and any comments, instructions, or implementing guidance pertaining thereto.

(c) Any profile used in any security screening process, including for persons, baggage, or cargo.

(d) Any security contingency plan or information and any comments, instructions, or implementing guidance pertaining thereto.

(e) Technical specifications of any device used for the detection of any deadly or dangerous weapon, explosive, incendiary, or destructive substance.

(f) A description of, or technical specifications of, objects used to test screening equipment and equipment parameters.

(g) Technical specifications of any security communications equipment and procedures.

(h) As to release of information by the Administrator: Any information that the Administrator has determined may reveal a systemic vulnerability of the aviation system, or a vulnerability of aviation facilities, to attack. This includes, but is not limited to, details of inspections, investigations, and alleged violations and findings of violations parts 107, 108, or 109, or § 129.25, 129.26, of § 129.27 of this chapter, and any information that could lead the disclosure of such details, as follows:

(1) As to events that occurred less than 12 months before the date of the release of the information, the following are not released: the name of an airport where a violation occurred, the regional identifier in the case number, a description of the violation, the regulation allegedly violated, and the identity of the air carrier in connection with specific locations or specific security procedures. The FAA may release summaries of an air carrier's total security violations in a specified time range without identifying specific violations. Summaries may include total enforcement actions, total proposed civil penalty amounts, total assessed civil penalty amounts, number of cases opened, number of cases referred by Civil Aviation Security to FAA counsel for legal enforcement action, and number of cases closed.

(2) As to events that occurred 12 months or more before the date of the release of information, the specific gate or other location on an airport where an event occurred is not released.

(3) The identity of the FAA special agent who conducted the investigation or inspection.

(4) Security information or data developed during FAA evaluations of the air carriers and airports and the implementation of the security programs, including air carrier and airport inspections and screening point tests or methods for evaluating such tests.

(i) As to release of information by the FAA: Information concerning threats against civil aviation.

(j) Specific details of aviation security measures whether applied directly by the FAA or regulated parties. This includes, but is not limited to, information concerning specific numbers of Federal Air Marshals, deployments or missions, and the methods involved in such operations.

(k) Any other information, the disclosure of which the Administrator has prohibited under the criteria of 49 U.S.C. 40119.

(l) Any draft, proposed, or recommended change to the information and records identified in this paragraph.