Each aircraft operator must adopt a contingency plan and must:

(a) Implement its contingency plan when directed by TSA.

(b) Ensure that all information contained in the plan is updated annually and that appropriate persons are notified of any changes.

(c) Participate in an airport-sponsored exercise of the airport contingency plan or its equivalent, as provided in its security program.

(a) Flight: Notification. Upon receipt of a specific and credible threat to the security of a flight, the aircraft operator must—

(1) Immediately notify the ground and in-flight security coordinators of the threat, any evaluation thereof, and any measures to be applied; and

(2) Ensure that the in-flight security coordinator notifies all crewmembers of the threat, any evaluation thereof, and any measures to be applied; and

(3) Immediately notify the appropriate airport operator.

(b) Flight: Inspection. Upon receipt of a specific and credible threat to the security of a flight, each aircraft operator must attempt to determine whether or not any explosive or incendiary is present by doing the following:

(1) Conduct a security inspection on the ground before the next flight or, if the aircraft is in flight, immediately after its next landing.

(2) If the aircraft is on the ground, immediately deplane all passengers and submit that aircraft to a security search.

(3) If the aircraft is in flight, immediately advise the pilot in command of all pertinent information available so that necessary emergency action can be taken.

(c) Ground facility. Upon receipt of a specific and credible threat to a specific ground facility at the airport, the aircraft operator must:

(1) Immediately notify the appropriate airport operator.

(2) Inform all other aircraft operators and foreign air carriers at the threatened facility.

(3) Conduct a security inspection.

(d) Notification. Upon receipt of any bomb threat against the security of a flight or facility, or upon receiving information that an act or suspected act of air piracy has been committed, the aircraft operator also must notify TSA. If the aircraft is in airspace under other than U.S. jurisdiction, the aircraft operator must also notify the appropriate authorities of the State in whose territory the aircraft is located and, if the aircraft is in flight, the appropriate authorities of the State in whose territory the aircraft is to land. Notification of the appropriate air traffic controlling authority is sufficient action to meet this requirement.

(a) TSA may issue an Information Circular to notify aircraft operators of security concerns. When TSA determines that additional security measures are necessary to respond to a threat assessment or to a specific threat against civil aviation, TSA issues a Security Directive setting forth mandatory measures.

(b) Each aircraft operator required to have an approved aircraft operator security program must comply with each Security Directive issued to the aircraft operator by TSA, within the time prescribed in the Security Directive for compliance.

(c) Each aircraft operator that receives a Security Directive must—

(1) Within the time prescribed in the Security Directive, verbally acknowledge receipt of the Security Directive to TSA.

(2) Within the time prescribed in the Security Directive, specify the method by which the measures in the Security Directive have been implemented (or will be implemented, if the Security Directive is not yet effective).

(d) In the event that the aircraft operator is unable to implement the measures in the Security Directive, the aircraft operator must submit proposed alternative measures and the basis for submitting the alternative measures to TSA for approval. The aircraft operator must submit the proposed alternative measures within the time prescribed in the Security Directive. The aircraft operator must implement any alternative measures approved by TSA.

(e) Each aircraft operator that receives a Security Directive may comment on the Security Directive by submitting data, views, or arguments in writing to TSA. TSA may amend the Security Directive based on comments received. Submission of a comment does not delay the effective date of the Security Directive.

(f) Each aircraft operator that receives a Security Directive or Information Circular and each person who receives information from a Security Directive or Information Circular must:

(1) Restrict the availability of the Security Directive or Information Circular, and information contained in either document, to those persons with an operational need-to-know.

(2) Refuse to release the Security Directive or Information Circular, and information contained in either document, to persons other than those with an operational need-to-know without the prior written consent of TSA.