Government of Canada / Gouvernement du Canada
Symbol of the Government of Canada

Search

Canadian Aviation Security Regulations, 2012 (SOR/2011-318)

Regulations are current to 2024-04-01 and last amended on 2022-12-21. Previous Versions

AMENDMENTS NOT IN FORCE

  • — SOR/2022-92, s. 14

    • 14 The reference “[65 to 75 reserved]” after section 64 of the Regulations is replaced by the following:

      PART 2CATSA Security Program

      CATSA Security Program Requirements

      • Requirement to establish and implement

        • 65 (1) CATSA must establish and implement a security program in order to safeguard information, equipment, information technology infrastructure, facilities and all other assets related to screening operations.

        • Program requirements

          (2) As part of its security program, CATSA must

          • (a) develop a security policy statement that establishes an overall security commitment and direction and sets out the security objectives;

          • (b) establish and implement a security awareness program that promotes a culture of vigilance among its employees;

          • (c) conduct a security risk assessment in accordance with section 69;

          • (d) assess risk information and disseminate it within its organization for the purpose of facilitating informed decision-making about security;

          • (e) establish a strategic security plan in accordance with section 73;

          • (f) identify the security official referred to in subsection (3);

          • (g) subject to section 31, establish and implement a process for receiving, identifying, retaining, disclosing and disposing of sensitive information respecting aviation security in order to protect the information from unauthorized access; and

          • (h) establish and implement a process for responding to security incidents and breaches.

        • Security official

          (3) CATSA must have, at all times, at least one security official or acting security official who is responsible for acting as the principal contact between CATSA and the Minister with respect to the security program.

      • Documentation

        • 66 (1) CATSA must keep

          • (a) documentation related to its security risk assessment and any review of it for at least five years;

          • (b) documentation related to its strategic security plan and any amendment to it for at least five years; and

          • (c) all other documentation related to its security program for at least two years.

        • Ministerial access

          (2) CATSA must make the documentation available to the Minister on reasonable notice given by the Minister.

      • Requirement to amend

        67 CATSA must amend its security program if it identifies a security risk that is not addressed by the program.

      Committees

      • Multi-agency advisory committee

        68 CATSA must be an active member of an aerodrome’s multi-agency advisory committee referred to in sections 196 and 353.

      Security Risk Assessments

      • Security risk assessments

        69 CATSA must have a security risk assessment that identifies and assesses the risks in respect of information, equipment, information technology infrastructure, facilities and all other assets related to screening operations and that includes the following elements:

        • (a) a threat assessment that evaluates the probability of a disruption to security screening services caused by an unauthorized access or an act or attempted act of unlawful interference;

        • (b) a criticality assessment that prioritizes the information, equipment, information technology infrastructure, facilities and all other assets related to screening operations that most require protection from acts and attempted acts of unlawful interference;

        • (c) a vulnerability assessment that considers the extent to which information, equipment, information technology infrastructure, facilities and all other assets related to screening operations are susceptible to loss or damage; and

        • (d) an impact assessment that, at a minimum, measures the consequences of a security screening incident or potential security screening incident in terms of

          • (i) a decrease in public safety and security,

          • (ii) financial and economic loss, and

          • (iii) a loss of public confidence.

      • Submission for approval

        • 70 (1) CATSA must submit its initial security risk assessment to the Minister for approval.

        • Submission — five years

          (2) CATSA must submit a new security risk assessment to the Minister within five years after the date of the most recent approval.

      • Security risk assessment — annual review

        • 71 (1) CATSA must conduct a review of its security risk assessment at least once a year.

        • Security risk assessment — other reviews

          (2) CATSA must also conduct a review of its security risk assessment if

          • (a) it acquires new equipment, information technology infrastructure, facilities or any other new assets related to screening operations;

          • (b) it makes changes to security screening operations that could affect information, equipment, information technology infrastructure, facilities or any other assets related to screening operations;

          • (c) a change in regulatory requirements could affect information, equipment, information technology infrastructure, facilities or any other assets related to screening operations; or

          • (d) it identifies a vulnerability that is not addressed in the assessment or the Minister identifies such a vulnerability to CATSA.

        • Equivalency

          (3) For greater certainty, a review conducted under subsection (2) counts as a review required under subsection (1).

        • Documentation

          (4) When CATSA conducts a review of its security risk assessment, it must document

          • (a) any decision to amend or to not amend the assessment or the risk-management strategy;

          • (b) the reasons for that decision; and

          • (c) the factors that were taken into consideration in making that decision.

        • Notification

          (5) CATSA must notify the Minister if, as a result of a review of its security risk assessment, it amends the assessment

          • (a) to include a new medium to high risk; or

          • (b) to raise or lower the level of a risk within the medium to high range.

      • Approval

        72 The Minister must approve a security risk assessment submitted by CATSA if

        • (a) the assessment meets the requirements of section 69;

        • (b) the assessment has been reviewed by an executive within CATSA who is responsible for security;

        • (c) CATSA has considered all available and relevant information; and

        • (d) CATSA has not overlooked a security risk that could compromise information, equipment, information technology infrastructure, facilities or any other assets related to screening operations.

      Strategic Security Plans

      • Strategic security plans

        • 73 (1) CATSA must establish a strategic security plan that

          • (a) summarizes its strategy to prepare for, detect, prevent, respond to and recover from threats identified in the security risk assessment; and

          • (b) includes a risk-management strategy that addresses the medium to high security risks identified and prioritized in its security risk assessment.

        • Submission for approval

          (2) CATSA must submit its strategic security plan to the Minister for approval.

        • Approval of plan

          (3) The Minister must approve a strategic security plan submitted by CATSA if

          • (a) the plan meets the requirements of subsection (1);

          • (b) the plan has been reviewed by an executive within CATSA who is responsible for security;

          • (c) the plan is likely to enable CATSA to prepare for, detect, prevent, respond to and recover from an unauthorized access to or acts or attempted acts of unlawful interference with information, equipment, information technology infrastructure, facilities or any other assets related to screening operations;

          • (d) the risk-management strategy is in proportion to the risks it addresses;

          • (e) CATSA has not overlooked a security risk that could compromise information, equipment, information technology infrastructure, facilities or any other assets related to screening operations; and

          • (f) the plan can be implemented without compromising security.

        • Implementation

          (4) CATSA must, as soon as its strategic security plan is approved, implement its risk-management strategy.

      • Amendments

        • 74 (1) CATSA may amend its strategic security plan at any time, but must do so if

          • (a) the plan does not reflect CATSA’s most recent security risk assessment;

          • (b) the Minister informs CATSA that there is a change in the threat environment that could result in a new or unaddressed medium to high risk to information, equipment, information technology infrastructure, facilities or any other assets related to screening operations;

          • (c) CATSA identifies a deficiency in the plan; or

          • (d) the Minister informs CATSA that its risk-management strategy is not in proportion to a risk set out in its security risk assessment.

        • Documentation

          (2) If CATSA amends its strategic security plan, it must document

          • (a) the reason for the amendment; and

          • (b) the factors that were taken into consideration in making that amendment.

        • Submission of amendment

          (3) If CATSA amends its strategic security plan, it must, as soon as possible, submit the amendment to the Minister for approval.

        • Approval

          (4) The Minister must approve an amendment if

          • (a) in the case of an amendment to the summary required under paragraph 73(1)(a), the conditions set out in paragraphs 73(3)(a) to (c) have been met; or

          • (b) in the case of an amendment to the risk-management strategy required under paragraph 73(1)(b), the conditions set out in paragraphs 73(3)(a) to (f) have been met.

        • Implementation

          (5) If CATSA amends its risk-management strategy, it must implement the amended version of the strategy once it is approved by the Minister.

      Disclosure of Information

      • Prohibition

        75 A person other than the Minister must not disclose security-sensitive information that is created or used under this Part unless the disclosure is required by law or is necessary to comply or facilitate compliance with the aviation security provisions of the Act, regulatory requirements or the requirements of an emergency direction.

  • — SOR/2022-92, s. 34

    • 34 Schedule 4 to the Regulations is amended by adding the following after the reference “Subsection 64(2)”:

      Column 1Column 2Column 3
      Designated ProvisionMaximum Amount Payable ($)Maximum Amount Payable ($)
      IndividualCorporation
      PART 2 — CATSA SECURITY PROGRAM
      Subsection 65(1)25,000
      Paragraph 65(2)(a)25,000
      Paragraph 65(2)(c)25,000
      Paragraph 65(2)(f)25,000
      Paragraph 65(2)(g)25,000
      Paragraph 65(2)(h)25,000
      Subsection 65(3)25,000
      Paragraph 66(1)(a)25,000
      Paragraph 66(1)(b)25,000
      Paragraph 66(1)(c)10,000
      Subsection 66(2)25,000
      Section 6725,000
      Section 6825,000
      Section 6925,000
      Subsection 70(1)25,000
      Subsection 70(2)25,000
      Subsection 71(1)25,000
      Subsection 71(2)25,000
      Subsection 71(4)25,000
      Subsection 71(5)25,000
      Subsection 73(1)25,000
      Subsection 73(2)25,000
      Subsection 73(4)25,000
      Subsection 74(1)25,000
      Subsection 74(2)25,000
      Subsection 74(3)25,000
      Subsection 74(5)25,000
      Section 755,00025,000

Table of Contents


Date modified: