49 CFR § 1548.19 - Security Directives and Information Circulars.
(b) When TSA determines that additional security measures are necessary to respond to a threat assessment, or to a specific threat against civil aviation, TSA issues a Security Directive setting forth mandatory measures.
(1) Each indirect air carrier that is required to have an approved indirect air carrier security program must comply with each Security Directive that TSA issues to it, within the time prescribed in the Security Directive for compliance.
(2) Each indirect air carrier that receives a Security Directive must comply with the following:
(i) Within the time prescribed in the Security Directive, acknowledge in writing receipt of the Security Directive to TSA.
(ii) Within the time prescribed in the Security Directive, specify the method by which the measures in the Security Directive have been implemented (or will be implemented, if the Security Directive is not yet effective).
(3) In the event that the indirect air carrier is unable to implement the measures in the Security Directive, the indirect air carrier must submit proposed alternative measures and the basis for submitting the alternative measures to TSA for approval.
(i) The indirect air carrier must submit the proposed alternative measures within the time prescribed in the Security Directive.
(i) TSA may amend the Security Directive based on comments received.
(ii) Submission of a comment does not delay the effective date of the Security Directive.
(i) Restrict the availability of the Security Directive or Information Circular, and information contained in either document, to those persons with a need-to-know.
(ii) Refuse to release the Security Directive or Information Circular, and information contained in either document, to persons other than those with a need-to-know without the prior written consent of TSA.