Direct Answer
A Part 135 operator that flies an aircraft over 12,500 pounds maximum certificated takeoff weight in scheduled or charter service must hold a TSA-approved security program — most commonly the Twelve-Five Standard Security Program (TFSSP) under 49 CFR §1544.101(d).
That program must be in writing, signed, and TSA-approved (§1544.103(a)), with an original kept at the corporate office and a complete or pertinent copy accessible at each airport served (§1544.103(b)). It generates a specific record set: criminal history records checks (§1544.230), security training (§1544.235), security-coordinator designations (§1544.215), and Security Directive acknowledgments (§1544.305).
The twist that catches operators: the program itself and many of those records are Sensitive Security Information (SSI) under 49 CFR §1520.5. They have to be both instantly producible for a TSA inspector and access-controlled to a need-to-know basis under 49 CFR Part 1520 — two requirements that pull in opposite directions unless your document system is built for it.
If you operate under Part 135, your compliance mental model is probably built around the FAA: the records a Part 135 operator must keep, your pilot records, and the drug and alcohol program records. Those are real and they matter. But the TSA security program is a parallel obligation administered by a different agency under a different title of the CFR (Title 49, Subtitle B, Chapter XII), and it is easy to under-resource because it does not show up in a routine FAA Part 135 surveillance binder.
This article maps the program types under §1544.101, the records each one requires, and — the part most write-ups skip — how the Sensitive Security Information rules in 49 CFR Part 1520 change the way those records must be stored, shared, and disposed of. For the FAA half of your compliance picture, the FAA aviation compliance hub is the companion reference.
Which Security Program Applies to You
The program type is set by 49 CFR §1544.101, and it turns on three variables: the aircraft’s maximum certificated takeoff weight, its passenger-seating configuration, and whether passengers enplane from or deplane into a sterile area (the secured, post-screening part of a commercial airport). A single Part 135 certificate holder can be subject to more than one program type at once if it runs a mixed fleet.
Twelve-Five Program (the TFSSP)
§1544.101(d)Trigger: An aircraft with a maximum certificated takeoff weight of more than 12,500 pounds, in scheduled or charter service, carrying passengers or cargo or both — that is not subject to the full, partial, or full all-cargo program.
This is the program most Part 135 on-demand charter operators land in once they fly aircraft above the 12,500-pound line. TSA publishes a standard program — the Twelve-Five Standard Security Program (TFSSP) — that qualifying operators adopt and that TSA approves.
Private Charter Program
§1544.101(f)Trigger: A private charter operation where passengers enplane from or deplane into a sterile area, OR the aircraft has a maximum certificated takeoff weight greater than 45,500 kg (100,309.3 lbs), OR the aircraft has a passenger-seating configuration of 61 or more.
Private charter is a distinct program for charter operations that touch a sterile area or use very large aircraft. The defining feature versus the Twelve-Five program is the sterile-area enplanement or the larger aircraft thresholds.
Full Program
§1544.101(a)Trigger: A scheduled passenger or public charter passenger operation with an aircraft having a passenger-seating configuration of 61 or more seats; OR 60 or fewer seats when passengers enplane from or deplane into a sterile area.
The full program (subparts C, D, and E of Part 1544) is the most demanding. It is associated with larger scheduled and public-charter passenger operations and is generally beyond the typical small Part 135 charter operator — but the seat-count and sterile-area triggers are what to watch as a fleet grows.
Partial Program
§1544.101(b)Trigger: A scheduled passenger or public charter passenger operation with 31 or more but 60 or fewer seats that does not enplane from or deplane into a sterile area; or 60 or fewer seats on operations to, from, or outside the United States not enplaning from or deplaning into a sterile area.
An intermediate program tied to the 31–60 seat band and certain international operations outside a sterile area.
Full All-Cargo Program
§1544.101(h)Trigger: An aircraft with a maximum certificated takeoff weight of more than 45,500 kg (100,309.3 lbs) carrying cargo and authorized persons and no passengers.
The all-cargo program applies to large freighter operations. Part 135 cargo operators below the all-cargo weight line that are above 12,500 lbs generally fall under the Twelve-Five program instead.
The threshold is maximum certificated takeoff weight, not actual weight
The 12,500-pound line in §1544.101(d) is the aircraft’s maximum certificated takeoff weight — a fixed characteristic of the aircraft type as certificated — not the loaded weight on a given trip. A light jet or turboprop certificated above 12,500 lbs MTOW is in scope even on a lightly loaded leg. Use the certificated MTOW from the aircraft’s type certificate data sheet and airworthiness paperwork to determine which program applies. For how those aircraft records are organized, see the Part 91 aircraft records requirements.
Determining your program type is a legal and operational judgment — confirm it with TSA and your aviation security counsel, not from a blog. What is consistent across every program type is this: once you are in scope, you owe TSA a written, approved program and a record set that proves you follow it. The rest of this article is about that record set.
Why the TSA Layer Is Easy to Under-Resource
FAA compliance and TSA compliance live in different places, are inspected by different people, and follow different rules. The FAA administers your operating certificate under 14 CFR Part 119 and Part 135 and shows up for principal operations inspector (POI) surveillance. The TSA administers your security program under 49 CFR Part 1544 and conducts its own inspections through aviation security inspectors. An operation can have an immaculate FAA record set and still be exposed on the TSA side — because the TSA records simply were not part of the same binder, the same calendar, or the same owner’s attention.
Three structural features make the TSA security record set particularly prone to drift:
The consequence is not theoretical. A TSA inspection that finds an out-of-date security program copy at an airport (§1544.103(b)), a security-duty employee who performed duties before completing the training in the program (§1544.235), an unacknowledged Security Directive (§1544.305), or a CHRC record retained past its destruction point (§1544.230(h)(3)) is a finding — and security findings can carry civil penalties and, in serious cases, affect the operator’s standing. The exact penalty exposure depends on the violation and TSA’s enforcement posture, so treat the dollar figure as a matter for counsel; the point is that the record set is the evidence either way.
The same discipline as your FAA file — applied to a second regulator
Operators who handle this well do not treat TSA security as a separate universe. They apply the same document discipline they use for Part 135 FAA surveillance audits — a single source of truth, expiration and event tracking, and the ability to produce a complete, current package on request — and extend it to the TSA record set, with the added constraint that SSI access must be controlled.
The hard part is that constraint. A shared drive that makes FAA records easy to find also makes SSI easy to over-share. The TSA record set needs the producibility of a good FAA file and the access control of a classified-adjacent document set at the same time.
The Records a TSA Security Program Generates
Below are the core record categories that flow from a Part 1544 aircraft-operator security program, the governing CFR section, and what each one has to prove. Remember that the security program itself is the controlling document for many specifics — TSA’s approved program defines the precise procedures, and several records are kept "as specified in the security program" rather than spelled out line-by-line in the rule.
The Security Program Itself (TFSSP / Private Charter / Full)
49 CFR §1544.103What it proves
The written, signed, TSA-approved program is the foundation document. Section 1544.103(a) requires it to be in writing and signed by the aircraft operator or a person delegated authority, and approved by TSA. Section 1544.103(b) requires an original at the corporate office and a complete copy — or the pertinent portions — accessible at each airport served. Version control matters: an out-of-date copy at an airport, or a program that does not reflect the current approved amendments, is a finding. Because the program is SSI, §1544.103(b)(4)–(5) requires its distribution and availability to be restricted to need-to-know.
How FileFlo tracks it
FileFlo treats the approved security program (and each amendment) as a controlled document class — tracking the current version, who holds access, and that the corporate and per-airport copies are the current revision, so a TSA request returns the right version, not a stale one.
Criminal History Records Check (CHRC) Results
49 CFR §1544.230What it proves
The fingerprint-based criminal history records check applies to flightcrew members (per §1544.230(a)) and to others as the rule specifies, screening against the disqualifying criminal offenses referenced from §1544.229(d). The recordkeeping rule is specific and unusual: under §1544.230(h)(1) the operator must physically maintain, control, and (as appropriate) destroy the fingerprint application and the criminal record; under §1544.230(h)(2) the records must be kept in a manner that protects the individual’s confidentiality; and under §1544.230(h)(3) the criminal record must be available to TSA on request and maintained until 180 days after the termination of the individual’s privileges — after which it must be destroyed. Disclosure is limited under §1544.230(g) to the individual, their authorized representative, and persons designated by TSA.
How FileFlo tracks it
FileFlo tracks each CHRC record against its 180-days-after-privilege-termination destruction date, flags records approaching the destruction point, and records the access-control and confidentiality status — turning a destroy-on-schedule obligation into a managed timeline instead of a forgotten folder.
Security Training Records
49 CFR §1544.235 / §1540.105What it proves
Under §1544.235(a), an operator may not use a person for a security-related duty unless that person has received the training specified in the operator’s security program, including the security responsibilities under §1540.105. Section 1544.235(b) requires the person to have knowledge of Part 1544, applicable Security Directives and Information Circulars, the airport security program where they work, and the operator’s own program to the extent needed for their duties. The record set is: who was trained, on what curriculum, on what date, before performing the duty — and any recurrent training the approved program requires. Training material itself is SSI under §1520.5(b)(10).
How FileFlo tracks it
FileFlo indexes each security-training record to the individual and the duty, tracks completion dates against the program’s requirements, and surfaces anyone assigned a security duty who is missing current training — the §1544.235 "no person ... unless trained" gate, made visible.
Security Coordinator Designations (AOSC / GSC / In-flight)
49 CFR §1544.215What it proves
Section 1544.215(a) requires designation of an Aircraft Operator Security Coordinator (AOSC) and alternates at the corporate level — the primary security contact for TSA, with 24-hour availability for the AOSC or an alternate. Section 1544.215(b) requires a Ground Security Coordinator (GSC) for each domestic and international flight departure, who conducts daily reviews of security functions and initiates corrective action. Section 1544.215(c) designates the pilot in command as the In-flight Security Coordinator. These designations and their duties are documented in the security program.
How FileFlo tracks it
FileFlo keeps the current coordinator designations, alternates, and effective dates as a tracked record tied to the program — so a TSA request, or an internal continuity check, returns who currently holds each role rather than an out-of-date org chart.
Security Directive & Information Circular Records
49 CFR §1544.305What it proves
Under §1544.305(b), an operator with an approved program must comply with each Security Directive within the prescribed time. Section 1544.305(c) requires the operator to verbally acknowledge receipt to TSA within the time prescribed and to specify the method by which the measures have been (or will be) implemented. Section 1544.305(f) requires the operator to restrict availability of the directive to operational need-to-know and to refuse release without TSA’s prior written consent. While the rule does not in terms require a written compliance log, you must be able to specify implementation to TSA — which in practice means a controlled record of each directive, its acknowledgment, and how it was implemented.
How FileFlo tracks it
FileFlo logs each Security Directive and Information Circular as a controlled, need-to-know document with its receipt/acknowledgment date and the recorded implementation method — so the operator can show TSA, directive by directive, what was acknowledged and how it was carried out.
Records Demonstrating Program Implementation
49 CFR Part 1544, subparts C–E (as applicable per program)What it proves
Beyond the categories above, the approved program will define operational records that demonstrate the security measures are actually carried out — for example, records tied to screening procedures, access and identification controls, weapons-carriage and law-enforcement coordination, and contingency procedures, depending on the program type. The exact set is program-specific (the full program implements subparts C, D, and E; the Twelve-Five and private charter programs carry their own subset). The governing principle: if the program says you do it, you should be able to show the record that proves you did.
How FileFlo tracks it
FileFlo classifies and indexes program-implementation records against the security program section they support, so the documentary proof of "we follow our program" is organized the same way the program is — and producible on request.
Related Part 135 record guides: Part 135 records overview · Part 135 training program records · Part 135 management personnel · Part 135 maintenance / CAMP records
FileFlo is the proof layer, not the security program
FileFlo is a compliance document intelligence platform — it classifies, indexes, and tracks the documents that prove TSA-security compliance. It does not run your security program, screen passengers or cargo, file with TSA, or communicate with TSA on your behalf, and it does not replace your Aircraft Operator Security Coordinator. The program and the need-to-know access decisions stay with you; FileFlo keeps the documentary record organized, version-controlled, and audit-ready.
Is your TSA security record set as audit-ready as your FAA file?
FileFlo tracks the security program version, CHRC destruction dates, security-training completion, coordinator designations, and Security Directive acknowledgments — classified against the governing 49 CFR section and organized for a controlled, need-to-know record set. Starter at $89/mo, Professional at $299/mo. 5-day free trial, no credit card required.
The SSI Constraint: Producible and Access-Controlled
The feature that makes the TSA record set genuinely different from your FAA file is Sensitive Security Information. Under 49 CFR §1520.5(b), the security program is SSI (§1520.5(b)(1), which expressly covers an aircraft operator security program or security contingency plan), Security Directives are SSI (§1520.5(b)(2)), threat information is SSI (§1520.5(b)(7)), and security training materials are SSI (§1520.5(b)(10)). In other words, most of the very records you must be able to produce for TSA are records you are simultaneously obligated to protect.
The handling rules live in 49 CFR §1520.9. A covered person must take reasonable steps to safeguard SSI from unauthorized disclosure and, when not in physical possession of it, store it in a locked desk, file cabinet, or room (§1520.9(a)(1)). SSI may be disclosed only to covered persons with a need to know, unless TSA authorizes otherwise in writing (§1520.9(a)(2)). SSI must be marked per §1520.13, and if you receive unmarked SSI you must mark it and tell the sender to do the same (§1520.9(b)). SSI must be disposed of per §1520.19, and unauthorized releases must be reported promptly to TSA (§1520.9(c)).
The two requirements that pull in opposite directions
Producibility (§1544.103, §1544.230, §1544.305)
On a TSA request, you must produce the current program and supporting records — fast, complete, and accurate. The program copy at the airport must be the current revision. Slow or incomplete production is a finding.
Access control (§1520.9)
The same records may only be seen by covered persons with a need to know, stored under lock when unattended, marked as SSI, and disposed of per §1520.19. Over-sharing — even internally — is its own violation.
A loose shared drive solves producibility and fails access control. A locked file cabinet in one person’s office solves access control and fails producibility (and continuity). The right answer is a controlled record system where access is need-to-know by design and the current, complete set is instantly retrievable by an authorized person.
This article is not SSI — but your program is
Everything described here is drawn from the publicly available text of the regulations. Your actual security program, your Security Directives, your threat information, and your security training materials are SSI and must not be posted, emailed without protection, or shared outside need-to-know. When you build your record system, the SSI handling rules in 49 CFR Part 1520 — not just the recordkeeping rules in Part 1544 — define what "good" looks like. Confirm your specific handling obligations with your AOSC and counsel.
How FileFlo fits the SSI constraint: FileFlo is the proof layer that keeps the documentary record current, indexed, and version-controlled, with access organized around who needs to know. It does not change your legal SSI obligations or your AOSC’s authority — you remain responsible for the need-to-know determinations and for handling the records under Part 1520. What it removes is the failure mode where SSI either goes stale in a locked drawer or leaks across an unmanaged drive. For the FAA side of an inspection, the same discipline shows up in the audit-binder approach inspectors expect and in preparing for a Part 135 surveillance audit.
The TSA security program is also worth viewing alongside the broader safety-and-compliance modernization happening in the industry — including the FAA Part 135 SMS rule with its May 28, 2027 deadline. Security (TSA) and safety management (FAA SMS) are distinct programs, but both push the same direction: documented, current, auditable evidence that the operator does what its programs say. For specialized operations such as helicopter air ambulance (HEMS) and Part 91K fractional ownership, the security analysis can layer additional considerations on top of the program-type determination — another reason to confirm scope with counsel rather than assume.
Frequently Asked Questions
What is the Twelve-Five Standard Security Program (TFSSP) and which Part 135 operators need one?
The Twelve-Five Standard Security Program is the TSA security program required under 49 CFR §1544.101(d) for aircraft operators using an aircraft with a maximum certificated takeoff weight (MTOW) of more than 12,500 pounds that is in scheduled or charter service carrying passengers, cargo, or both — and that is not already subject to the full, partial, or full all-cargo program. Most Part 135 on-demand charter operators that fly aircraft above the 12,500-pound line fall into this category. The program is a written, TSA-approved document; the "standard" version (the TFSSP) is TSA's model program that qualifying operators adopt. The weight threshold is the trigger — it is the maximum certificated takeoff weight of the aircraft, not the actual loaded weight on any given flight.
What is the difference between the Twelve-Five program, the Private Charter program, and the full program?
Under 49 CFR §1544.101, the program type is driven by aircraft size, seating configuration, and how passengers are enplaned. The full program (§1544.101(a)) applies to scheduled or public charter passenger operations with 61 or more seats, or with 60 or fewer seats when passengers enplane from or deplane into a sterile area. The Private Charter program (§1544.101(f)) applies to private charter operations where passengers enplane from or deplane into a sterile area, or the aircraft exceeds 45,500 kg (100,309.3 lbs) MTOW, or it has a passenger-seating configuration of 61 or more. The Twelve-Five program (§1544.101(d)) is the program for aircraft over 12,500 pounds MTOW in scheduled or charter service that do not meet the higher full or private-charter thresholds. A single Part 135 certificate holder can be subject to more than one program type depending on the aircraft and operations it runs, and each program carries its own document and recordkeeping obligations.
How long must an aircraft operator keep criminal history records check (CHRC) results?
Under 49 CFR §1544.230(h), an aircraft operator that conducts a fingerprint-based criminal history records check must physically maintain, control, and (as appropriate) destroy the fingerprint application and the criminal record. Section 1544.230(h)(3) requires that the criminal record be made available to TSA on request and maintained until 180 days after the termination of the individual's privileges to perform the duties that triggered the check — after which the criminal record must be destroyed. The records must be kept in a manner that protects the confidentiality of the individual (§1544.230(h)(2)), and disclosure is restricted to the individual, the individual's authorized representative, and others designated by TSA (§1544.230(g)). This is a destroy-on-schedule obligation, not a keep-forever one — over-retaining a criminal record past the destruction point is itself a compliance problem.
Is a Part 135 TSA security program a public document?
No. An aircraft operator security program is Sensitive Security Information (SSI) under 49 CFR §1520.5(b)(1), which expressly covers "any aircraft operator ... security program, or security contingency plan." Security Directives are SSI under §1520.5(b)(2), threat information is SSI under §1520.5(b)(7), and security training materials are SSI under §1520.5(b)(10). SSI may only be disclosed to "covered persons" with a need to know (§1520.9(a)(2)); it must be safeguarded, stored in a locked desk, file cabinet, or room when not in someone's possession, marked per §1520.13, and disposed of per §1520.19. This is why §1544.103(b)(4)–(5) requires the operator to restrict the distribution, disclosure, and availability of the security program to persons with a need-to-know and to refer all other requesters to TSA. The records that prove TSA-security compliance therefore have to be both audit-ready and access-controlled at the same time.
Where must an aircraft operator keep its security program, and who can see it?
Under 49 CFR §1544.103(b), the aircraft operator must maintain an original copy of its security program at its corporate office and have accessible a complete copy — or the pertinent portions — of the program at each airport served. The program must be in writing and signed by the aircraft operator or a person delegated authority, and it must be approved by TSA (§1544.103(a)). Because the program is SSI, access is limited to persons with a need-to-know under 49 CFR Part 1520, and the operator must make a copy available for inspection on TSA request while refusing to release it to anyone else without TSA consent (§1544.103(b)(3)–(5)). In practice this means a TSA inspector can ask for the program — and the supporting records — at the corporate office or at the airport, and the operator has to produce a current, complete, controlled copy.
What security training records does a Twelve-Five / Part 135 operator have to keep?
Under 49 CFR §1544.235, an aircraft operator may not use an individual to perform a security-related duty unless that individual has received the training specified in the operator's security program, including the responsibilities under §1540.105 (security responsibilities of employees and other persons). The individual must have knowledge of 49 CFR Part 1544, applicable Security Directives and Information Circulars, the airport security program where they work, and the operator's own security program to the extent needed to perform their duties. The specific training curriculum, the records to be kept, and any recurrent intervals are defined in the TSA-approved security program itself rather than spelled out in the rule, so the program is the controlling document. The practical record set is: who was trained, on what curriculum, on what date, and the documentation that ties each security-duty person to completed (and current) training before they performed the duty.
What does an operator have to do when TSA issues a Security Directive?
Under 49 CFR §1544.305, each aircraft operator with an approved security program must comply with each Security Directive issued to it by TSA within the time prescribed in the directive. Section 1544.305(c) requires the operator to verbally acknowledge receipt of the Security Directive to TSA within the time prescribed and to specify the method by which the measures in the directive have been (or will be) implemented. Security Directives and Information Circulars are themselves SSI: §1544.305(f) requires the operator to restrict their availability to persons with an operational need-to-know and to refuse to release them without TSA's prior written consent. While the rule does not in terms mandate a written compliance log, the operator must be able to specify implementation to TSA — which in practice means keeping a controlled record of each directive received, the acknowledgment, and how it was implemented.
Does FileFlo run my TSA security program or talk to TSA for me?
No. FileFlo is a compliance document intelligence platform — it classifies, indexes, tracks, and proves the records that demonstrate TSA-security compliance. It does not run your security program, screen passengers or cargo, file with TSA, or communicate with TSA on your behalf, and it is not a substitute for your Aircraft Operator Security Coordinator or aviation security counsel. Because the security program and many of its supporting records are Sensitive Security Information, the right operating model is that you (and your AOSC) own the program and the need-to-know access decisions, and FileFlo keeps the documentary record organized, version-controlled, and audit-ready alongside the rest of your Part 135 compliance file.
Keep your TSA security records audit-ready — and need-to-know controlled
FileFlo classifies and tracks the records a Part 1544 security program generates — the program version, CHRC destruction dates, security-training completion, coordinator designations, and Security Directive acknowledgments — against the governing CFR section. AI document classification. 600+ document types. Organized for a controlled, producible record set. Starter at $89/mo, Professional at $299/mo. No credit card required for the 5-day free trial.
5-day free trial · No credit card required · Cancel anytime
Reviewed by Chad Griffith, Founder, FileFlo — compliance document intelligence — June 9, 2026. Regulatory citations verified against the public text of 49 CFR (Cornell Legal Information Institute) as of publication date. This article is educational and is not legal advice; some security records are Sensitive Security Information under 49 CFR Part 1520 and must be handled accordingly.