Doc 9807 - icscc.org.cn · ASITF Advanced Security in the Field AUI Response to acts of unlawful interference BSITF Basic Security in the Field C/ASA Chief, Aviation Security Audit

Approved by and published under the authority of the Secretary General

INTERNATIONAL CIVIL AVIATION ORGANIZATION

Doc 9807

Universal Security Audit ProgrammeContinuous Monitoring Manual

Second Edition, 2016

Approved by and published under the authority of the Secretary General

INTERNATIONAL CIVIL AVIATION ORGANIZATION

Doc 9807

Universal Security Audit ProgrammeContinuous Monitoring Manual

Second Edition, 2016

Published in separate English, Arabic, Chinese, French, Russian and Spanish editions by the INTERNATIONAL CIVIL AVIATION ORGANIZATION 999 Robert-Bourassa Boulevard, Montréal, Quebec, Canada H3C 5H7 For ordering information and for a complete listing of sales agents and booksellers, please go to the ICAO website at www.icao.int First edition, 2004 Second edition, 2016 Doc 9807, Universal Security Audit Programme Continuous Monitoring Manual Order Number: 9807 ISBN 978-92-9258-039-1 © ICAO 2016 All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, without prior permission in writing from the International Civil Aviation Organization.

(iii)

AMENDMENTS

Amendments are announced in the supplements to the Products and Services Catalogue; the Catalogue and its supplements are available on the ICAO website at www.icao.int. The space below is provided to keep a record of such amendments.

RECORD OF AMENDMENTS AND CORRIGENDA

AMENDMENTS CORRIGENDA

No. Date Entered by No. Date Entered by

(v)

FOREWORD

This manual is the main reference document prepared in connection with the ICAO Universal Security Audit Programme (USAP). It provides procedures, information and guidance on the management and conduct of programme activities under the Continuous Monitoring Approach (CMA). USAP-CMA procedures have been developed for the implementation of the CMA concept and methodology as part of the USAP. Within the USAP-CMA, standardized processes and procedures have been established to ensure that activities are prepared, conducted and reported in a systematic, consistent, objective and established manner. The first edition of this manual, entitled Security Audit Reference Manual (Doc 9807), was developed as a result of Assembly Resolution A33-1 of the 33rd Session of the ICAO Assembly (25 September to 5 October 2001) and the decision of the ICAO Council to implement the mandatory USAP for the conduct of aviation security audits in all ICAO Member States starting in November 2002. This second edition was developed for the transition of the USAP to a continuous monitoring approach as directed under Assembly Resolution A38-15 — Consolidated statement of continuing ICAO policies related to aviation security. The primary objective of this manual is to assist both ICAO Member States and ICAO USAP-CMA audit teams by explaining the concept, methodology, processes and procedures for preparing, conducting and reporting various audit and monitoring activities under the USAP-CMA. This second edition is published under the authority of the Secretary General and supersedes the first edition of this manual. Comments on this manual would be appreciated from all ICAO Member States and interested parties. These comments should be addressed to: The Secretary General International Civil Aviation Organization 999 Robert-Bourassa Boulevard Montréal, Quebec Canada H3C 5H7

_____________________

(vii)

TABLE OF CONTENTS

Page Glossary ....................................................................................................................................................... (ix) Abbreviations…………………………………………………………………………………... ................ (ix) Definitions……………………………………………………………………………………………………. (xi) Chapter 1. Introduction ................................................................................................................................ 1-1 1.1 Purpose .......................................................................................................................................... 1-1 1.2 References ..................................................................................................................................... 1-1 Chapter 2. The ICAO Universal Security Audit Programme (USAP) ........................................................ 2-1 2.1 Background .................................................................................................................................... 2-1 2.2 Transition to a Continuous Monitoring Approach (CMA) ................................................................ 2-2 2.3 USAP-CMA principles .................................................................................................................... 2-3 2.4 Auditing principles .......................................................................................................................... 2-5 2.5 Critical elements (CEs) ................................................................................................................... 2-5 2.6 Audit areas ..................................................................................................................................... 2-7 2.7 USAP-CMA protocol questions (PQs) ............................................................................................ 2-8 2.8 State’s aviation security performance ............................................................................................. 2-9 2.9 Significant security concern (SSeC) ............................................................................................... 2-10 2.10 State aviation security activity questionnaire (SASAQ) .................................................................. 2-11 2.11 Compliance checklists (CCs) .......................................................................................................... 2-12 Chapter 3. The Continuous Monitoring Approach (CMA) ......................................................................... 3-1 3.1 USAP-CMA concept ....................................................................................................................... 3-1 3.2 USAP-CMA objective ..................................................................................................................... 3-2 3.3 USAP-CMA process ....................................................................................................................... 3-2 3.4 Determination of a State-specific USAP-CMA activity .................................................................... 3-3 3.5 Conduct of a State-specific USAP-CMA activity ............................................................................. 3-8 3.6 Identification and analysis of deficiencies ....................................................................................... 3-8 3.7 Measurement of the State’s aviation security performance ............................................................ 3-8 3.8 Provision of prioritized recommendations ....................................................................................... 3-9 3.9 Evaluation of State corrective actions to address deficiencies ....................................................... 3-9 3.10 Aviation security performance-related analysis .............................................................................. 3-9 Chapter 4. Programme management .......................................................................................................... 4-1 4.1 General ........................................................................................................................................... 4-1 4.2 Roles and responsibilities of ICAO ................................................................................................. 4-1 4.3 Roles and responsibilities of Member States .................................................................................. 4-4 4.4 Roles and responsibilities of regional aviation security oversight organizations ............................. 4-8 4.5 Memorandum of Understanding (MoU) .......................................................................................... 4-8

Universal Security Audit Programme (viii) Continuous Monitoring Manual

4.6 Planning and scheduling ................................................................................................................ 4-9 4.7 Programme records ........................................................................................................................ 4-12 4.8 Programme quality management ................................................................................................... 4-12 4.9 Confidentiality ................................................................................................................................. 4-13 4.10 Language ....................................................................................................................................... 4-15 4.11 Resolution of disputes .................................................................................................................... 4-15 Chapter 5. USAP-CMA audit teams ............................................................................................................. 5-1 5.1 USAP-CMA audit team composition ............................................................................................... 5-1 5.2 Training and certification of auditors ............................................................................................... 5-2 5.3 Team leaders ................................................................................................................................. 5-2 5.4 Team members .............................................................................................................................. 5-4 5.5 Competencies ................................................................................................................................ 5-5 5.6 Code of Conduct ............................................................................................................................ 5-6 Chapter 6. USAP-CMA activity phases and procedures ........................................................................... 6-1 6.1 USAP-CMA activity phases ............................................................................................................ 6-1 6.2 Preparation phase .......................................................................................................................... 6-1 6.3 Conduct phase ............................................................................................................................... 6-5 6.4 Reporting phase ............................................................................................................................. 6-12 Appendix A. Generic Memorandum of Understanding (MoU) .................................................................. App A-1 Appendix B. Criteria for certification as an ICAO USAP-CMA auditor ..................................................... App B-1 Appendix C. Guidance for States on developing CAPs ............................................................................ App C-1 Appendix D. ICAO Code of Conduct for Auditors ..................................................................................... App D-1

______________________

(ix)

GLOSSARY

ABBREVIATIONS When the following abbreviations are used in this manual, they have the meanings indicated below: ASA Aviation Security Audit Section ASITF Advanced Security in the Field AUI Response to acts of unlawful interference BSITF Basic Security in the Field C/ASA Chief, Aviation Security Audit Section CAP Corrective action plan CC Compliance checklist CE Critical element CGO Cargo, catering and mail security CMA Continuous Monitoring Approach DSA Daily subsistence allowance EB Electronic Bulletin EI Effective implementation EID Estimated implementation date FAL Security aspects of facilitation ICAO International Civil Aviation Organization IFS Aircraft and in-flight security ISD-SEC Implementation Support and Development – Security Section LEG Regulatory framework and the national civil aviation security system LEI Lack of effective implementation MoU Memorandum of Understanding NC National Coordinator NCASP National Civil Aviation Security Programme NCASTP National Civil Aviation Security Training Programme NQCP National Civil Aviation Security Quality Control Programme OJT On-the-job training OPS Airport operations PAX Passenger and baggage security PQ Protocol question QCF Quality control functions RO Regional Office ROASF Regional Officer, Aviation Security and Facilitation SARPs Standards and Recommended Practices SASAQ State aviation security activity questionnaire SSeC Significant security concern SSG Secretariat Study Group TCB Technical Cooperation Bureau TL Team leader TLO Technical Liaison Officer TM Team member TRG Training of aviation security personnel

Universal Security Audit Programme (x) Continuous Monitoring Manual

UIC Committee on Unlawful Interference USAP Universal Security Audit Programme USOAP Universal Safety Oversight Audit Programme

Glossary (xi)

DEFINITIONS

When the following terms are used in this manual, they have the meanings indicated below: Adequate. The state of fulfilling minimal requirements: satisfactory; acceptable; sufficient. Assessment. An appraisal of procedures or operations based largely on experience and professional judgement. Audit area. One of nine audit areas pertaining to the USAP-CMA, i.e. regulatory framework and the national civil

aviation security system (LEG); training of aviation security personnel (TRG); quality control functions (QCF); airport operations (OPS); aircraft and in-flight security (IFS); passenger and baggage security (PAX); cargo, catering and mail security (CGO); response to acts of unlawful interference (AUI); and security aspects of facilitation (FAL).

Audited State. An ICAO Member State that is the subject of a USAP-CMA audit. Certification. The process of determining that a person possesses the key competencies and personal attributes

required of an ICAO USAP-CMA auditor. Compliance. The state of meeting the requirements of an ICAO Standard. Compliance checklist (CC). A tool designed to assist the State in ascertaining the status of implementation of

Annex 17 SARPs and Annex 9 security-related provisions and in identifying any difference that may exist between the national regulations and practices and the relevant provisions in Annex 17 and Annex 9 to the Chicago Convention.

Corrective action plan (CAP). An action plan submitted to ICAO by an audited State, detailing the specific action that

the State proposes to take to correct deficiencies identified during the USAP-CMA audit. Cost-recovery audit. A USAP-CMA audit for which the cost of transportation to and from the State, local transportation

and the daily subsistence allowance (DSA) of the ICAO audit team members (TMs) is covered by the State requesting such an audit.

Critical elements (CEs). The building blocks, encompassing the whole spectrum of civil aviation security activities,

upon which an effective aviation security oversight system is based. The level of effective implementation (EI) of the CEs is an indication of a State’s capability for aviation security oversight.

Deficiency. A condition where the State’s aviation security oversight system does not satisfactorily address a protocol

question (PQ) used to measure the EI of the CEs and the degree of compliance with Standards of Annex 17 or security-related provisions of Annex 9. As a result, the status of the associated PQ is marked not satisfactory. One or more related deficiencies may be grouped together to identify a finding.

Effective implementation (EI). A measure of a State’s aviation security oversight and compliance capabilities,

calculated for each CE, each audit area, each Annex 17 Standard and Annex 9 security-related provision or as an overall value for all USAP-CMA PQs. The EI is expressed as a percentage. A higher EI indicates that a State’s aviation security and oversight systems have a greater degree of compliance with ICAO security-related provisions.

Finding. A deficiency or a group of deficiencies generated in a USAP-CMA activity as a result of a lack of compliance

with Annex 17 Standards and/or security-related provisions of Annex 9, or a lack of application of ICAO guidance material or good aviation security practices.

Mitigating measure. The implementation of defences or preventive controls to lower the severity and/or likelihood of a

threat’s projected consequence.

Universal Security Audit Programme (xii) Continuous Monitoring Manual

National briefing. A meeting of the ICAO USAP-CMA audit team and representatives of the audited State at the beginning of the USAP-CMA on-site audit, the purpose of which is to provide State authorities with information on the USAP-CMA audit scope, processes and procedures.

Off-site activity. A USAP-CMA documentation-based audit of a State conducted by an ICAO USAP-CMA team leader

(TL) at ICAO Headquarters without an on-site visit to the State. On-site activity. A USAP-CMA activity requiring a USAP-CMA audit team to travel to a State and conduct a USAP-CMA

on-site audit. Oversight. The active control of the aviation industry and service providers by the appropriate authority for aviation

security or other relevant national-level entities, as designated by the State, to ensure that the State’s international obligations and national requirements are met.

Post-audit debriefing. A meeting of the ICAO USAP-CMA audit team and representatives of the audited State at the

end of the USAP-CMA audit, the purpose of which is to provide State authorities with a briefing on the audit findings and proposed recommendations to enable the State to begin development of its corrective action plan (CAP).

Procedure. A series of steps followed in a methodical manner to complete an activity or a process, describing what

should be done, when and by whom; where and how each step should be carried out; what information, documentation and resources should be used; and how it should all be controlled.

Process. A set of interrelated or interacting activities that transforms inputs into outputs. Processes within an

organization or programme are generally planned and carried out under controlled conditions to add value. Protocol question (PQ). The primary tool used in the USAP-CMA for assessing the level of implementation of CEs of a

State’s aviation security oversight system and the degree of a State’s compliance with Annex 17 Standards and security-related provisions of Annex 9.

Recertification. The process whereby certified USAP-CMA auditors periodically undergo recurrent training and

demonstrate that they continue to possess the key competencies and personal attributes required of an ICAO USAP-CMA auditor.

Scope. A set of PQs addressed and covered in a USAP-CMA activity. Sensitive security information. Non-public information relating to capabilities and/or deficiencies of a State’s aviation

security and oversight systems. Significant security concern (SSeC). Occurs when the appropriate authority responsible for aviation security in the

State permits aviation activities to continue, despite a lack of effective implementation (LEI) of the minimum security requirements established by the State and by the provisions set forth in Annex 17 related to critical aviation security controls, including, but not limited to, the screening and the protection from unauthorized interference of passengers, cabin and hold baggage; the security of cargo and catering; access control to restricted and security-restricted areas of airports; and the security of departing aircraft resulting in an immediate security risk to international civil aviation.

SSeC Validation Committee. A high-level Secretariat Committee responsible for the review, confirmation and validation

of the SSeC and its resolution.

Glossary (xiii)

State aviation security activity questionnaire (SASAQ). A document that provides the USAP-CMA audit team with information on the security organization of a Member State, identifying the departments, agencies and other organizations of the State, both private and public, responsible for the implementation of various aspects of the National Civil Aviation Security Programme (NCASP).

State’s aviation security performance. A State’s aviation security capability defined as the State’s level of

implementation of the CEs of an aviation security oversight system and the State’s degree of compliance with Annex 17 Standards and security-related provisions of Annex 9.

State’s aviation security performance indicators. A set of parameters used for measuring a State’s aviation security

performance. USAP-CMA audit. A USAP-CMA on-site or off-site activity during which ICAO conducts a systematic and objective

evaluation of a Member State’s aviation security and oversight systems to assess the level of implementation of the CEs of a State’s aviation security oversight system and to determine the degree of compliance with Annex 17 Standards and security-related provisions of Annex 9, as well as associated procedures, guidance material and security-related practices.

USAP-CMA audit activities. Those activities and procedures by which information is obtained to verify the audited

State’s level of implementation of the CEs of an aviation security oversight system and the degree of compliance with Standards of Annex 17 and security-related provisions of Annex 9. Such activities may include, but are not limited to, interviews, observations and the review of documents.

USAP-CMA audit report. A confidential formal report of a USAP-CMA activity containing full details of the findings and

recommendations. USAP-CMA audit team briefing. An on-site pre-audit briefing provided to TMs by the TL, the purpose of which is to

provide information and instructions directly related to the conduct of an audit in a specific State. USAP-CMA audit team leader. The individual designated by the Chief, Aviation Security Audit Section (C/ASA) to be

responsible for the preparation and conduct of a USAP-CMA activity, including the consolidation and completion of the USAP-CMA audit report.

Verification. The independent review, examination, measurement, checking, observation and monitoring to establish

and document that products, processes, practices, services and documents conform to specified standards. This includes evaluating the effectiveness of management systems.

Note.— Definitions of security-related terms applicable to the USAP-CMA activity process may be found in Annex 17 — Security — Safeguarding International Civil Aviation Against Acts of Unlawful Interference, Annex 9 — Facilitation, the Aviation Security Manual (Doc 8973 — Restricted) and the Aviation Security Oversight Manual — The Establishment and Management of a State’s Aviation Security Oversight System (Doc 10047).

______________________

1-1

Chapter 1

INTRODUCTION

1.1 PURPOSE 1.1.1 The primary purpose of this manual is to describe the Universal Security Audit Programme Continuous Monitoring Approach (USAP-CMA) and to provide guidance to ICAO Member States (hereinafter referred to as Member States or States), recognized organizations, USAP-CMA audit team leaders (TLs) and audit team members (TMs) and support staff involved in the planning, preparation, conduct and reporting of USAP-CMA activities. 1.1.2 It also provides information on the background and evolution of the USAP, along with an explanation of its management and various components and standardized processes and procedures which ensure that USAP-CMA activities are conducted in a systematic and consistent manner.

1.2 REFERENCES 1.2.1 The USAP-CMA references the Convention on International Civil Aviation (Doc 7300) (hereinafter referred to as the Chicago Convention), ICAO Standards and Recommended Practices (SARPs) of Annex 17 — Security — Safeguarding International Civil Aviation Against Acts of Unlawful Interference and security-related provisions of Annex 9 — Facilitation to the Chicago Convention and related guidance material, including but not limited to: a) Aviation Security Manual (Doc 8973 — Restricted); and b) Aviation Security Oversight Manual — The Establishment and Management of a State’s Aviation

Security Oversight System (Doc 10047). 1.2.2 Together, these documents provide guidance material on how States can comply with the various SARPs of Annex 17, as well as describe the requirements and guidelines for the establishment and management of an effective aviation security and oversight systems by States. This implementation will be continuously monitored under the USAP-CMA framework and verified during USAP-CMA activities. 1.2.3 In support of the Programme, ICAO has also developed training materials for regional USAP-CMA seminars and USAP auditor training and certification courses. Note.— The Products and Services Catalogue provides a complete list of ICAO guidance material available to States to support the requirements of security-related provisions contained in the Annexes to the Chicago Convention.

______________________

2-1

Chapter 2

THE ICAO UNIVERSAL SECURITY AUDIT PROGRAMME (USAP)

2.1 BACKGROUND 2.1.1 The 33rd Session of the ICAO Assembly, held in Montreal from 25 September to 5 October 2001, adopted Resolution A33-1, Declaration on misuse of civil aircraft as weapons of destruction and other terrorist acts involving civil aviation, which directed the Council and Secretary General to consider the establishment of an ICAO Universal Security Audit Programme (USAP) relating to, inter alia, airport security arrangements and civil aviation security programmes. 2.1.2 Pursuant to Assembly Resolution A33-1, a High-level, Ministerial Conference on Aviation Security was convened in Montreal on 19 and 20 February 2002, with the objectives of preventing, combating and eradicating acts of terrorism involving civil aviation and strengthening ICAO’s role in the adoption of security-related SARPs and the audit of their implementation. 2.1.3 The Conference endorsed a global strategy for strengthening aviation security worldwide, adopted a number of conclusions and recommendations, and issued a public declaration. A central element of the strategy was the ICAO Aviation Security Plan of Action, which included, inter alia, the establishment of a comprehensive programme of regular, mandatory, systematic and harmonized audits to be carried out by ICAO for the evaluation of aviation security in all ICAO Member States. 2.1.4 Consistent with the outcomes of the 33rd Session of the Assembly and the High-level, Ministerial Conference on Aviation Security, the Council, at its 166th Session, adopted the Aviation Security Plan of Action in June 2002. Project 3 of the Plan of Action provided for the promotion of global aviation security through auditing of Member States. Thus, the ICAO USAP was launched in November 2002. Subsequent sessions of the Council and the Committee on Unlawful Interference (UIC) endorsed the audit methodology which was developed for the USAP in close consultation with the Aviation Security Panel, including a model Memorandum of Understanding (MoU) between ICAO and audited States, airport selection criteria, and certification criteria for auditors, and established a practice of regularly monitoring the progress of the USAP through the review of progress reports prepared by the Secretariat. 2.1.5 Assembly Resolution A35-9, Consolidated statement of continuing ICAO policies related to the safeguarding of international civil aviation against acts of unlawful interference, directed the Secretary General to continue the USAP, comprising regular, mandatory, systematic and harmonized aviation security audits of all Member States, with such audits conducted at both national and airport levels in order to evaluate the aviation security oversight capabilities of States as well as the actual security measures in place at selected key airports. 2.1.6 From 2002 to 2007, 181 Member States benefited from ICAO audits under the first cycle of the USAP. The objective of the Programme was to promote global aviation security through the auditing of Member States on a regular basis to determine the status of implementation of ICAO security Standards. The USAP first-cycle audits were designed to determine the degree of compliance of a State in implementing Annex 17 Standards and the extent to which a State's implementation of its aviation security system is sustainable through the establishment of appropriate legislation and an aviation security authority with inspection and enforcement capabilities. The USAP methodology provided for a significant portion of the ICAO audit to be dedicated to making actual observations of security measures and procedures at airports in situ, in order to have direct evidence of the degree of implementation of each Annex 17 Standard. This

Universal Security Audit Programme 2-2 Continuous Monitoring Manual

approach provided a comprehensive picture of the overall aviation security posture of States and resulted in recommendations for improvement that could be directed at all facets of the aviation security systems of States. 2.1.7 In accordance with the programme of audit follow-up visits initiated in 2005, follow-up visits were conducted to validate the implementation of the corrective action plans (CAPs) of States and to provide support to States in remedying deficiencies identified during the USAP first-cycle audits. These visits were normally conducted in the second year following the initial audit. The programme of audit follow-up visits, under which 172 Member States received follow-up visits, was completed in 2009. 2.1.8 Recognizing that the USAP proved to be instrumental in identifying aviation security concerns and providing recommendations for their resolution, the 36th Session of the Assembly, in Resolution A36-20, requested the Council to ensure the continuation of the USAP following the initial cycle of audits at the end of 2007 focusing, wherever possible, on a State’s capability to provide appropriate national oversight of its aviation security activities through the effective implementation (EI) of the critical elements (CEs) of an aviation security oversight system and expanding future audits to include relevant security-related provisions of Annex 9 — Facilitation to the Chicago Convention. 2.1.9 Aviation security audits under the second cycle of the USAP commenced in January 2008 and were completed in June 2013. The objective of the USAP second-cycle audits was to promote global aviation security through the auditing of Member States, on a regular basis, to determine their capability for aviation security oversight by assessing the EI of the CEs of an aviation security oversight system and the status of States’ implementation of security-related ICAO SARPs, associated procedures, guidance material and security-related practices. In total, audits of 177 ICAO Member States and one Special Administrative Region were conducted under the USAP second cycle, as well as an assessment of the European Commission aviation security inspection system. 2.1.10 Detailed information on the results of the audits of the USAP first and second cycle is contained in the supplementary document entitled Universal Security Audit Programme — Analysis of Audit Results, Fifth Edition — 2013. This document is available through the USAP secure website: http://portallogin.icao.int.

2.2 TRANSITION TO A CONTINUOUS MONITORING APPROACH (CMA) 2.2.1 In order to prepare for the continuation of the USAP beyond 2013, the 37th Session of the Assembly (Resolution A37-17, Appendix E refers) requested the Council to assess the feasibility of extending the Continuous Monitoring Approach (CMA) being applied by the Universal Safety Oversight Audit Programme (USOAP) to the USAP after the conclusion of the USAP second cycle of audits. Accordingly, the Council at its 187th Session, directed the Secretary General to study the feasibility of applying a CMA to the USAP. 2.2.2 A study on the application of a CMA to the USAP was initiated by the Secretariat with a view to: • adopting a more comprehensive and proactive approach which may allow for future audit activities to

be prioritized and better focused on identification of deficiencies in the aviation security systems of Member States while maintaining the principle of universality;

• ensuring ongoing compliance of Member States with ICAO security-related provisions while assessing

the aviation security oversight capabilities of States; and • making more effective and efficient use of the resources available to the Programme. 2.2.3 A Secretariat Study Group (SSG) was established in 2011 in order to assist the Secretariat in evaluating this study and in considering options for the evolution and future direction of the USAP beyond the end of its second cycle, in line with the Council’s decision. After considering a number of options for the evolution of the USAP, the SSG

Chapter 2. The ICAO Universal Security Audit Programme (USAP) 2-3

concluded that, in order to ensure efficiency, long-term sustainability and cost effectiveness of the USAP, the Programme should move towards a CMA specific to aviation security, while incorporating risk-management elements. The study also suggested that a transition period be established prior to launching the USAP-CMA and described the necessary activities to be undertaken during this period to ensure a smooth transition. These recommendations were presented to the Twenty-third Meeting of the Aviation Security Panel, which expressed support for the concept of a USAP-CMA that combines continuous monitoring with a risk-based approach to aviation security auditing. 2.2.4 The High-Level Conference on Aviation Security convened in Montreal in September 2012 expressed strong support for the transition of the USAP to a CMA that combines both continuous monitoring and risk-based elements while maintaining the rigour of the audit process and methodology. It was widely recognized that the USAP is an essential tool in enabling States to identify their own deficiencies and then implement corrective actions to address those deficiencies either directly or through assistance provided by other States or organizations. The Conference also supported the notion that the USAP-CMA should provide ICAO with the necessary flexibility in determining the type of audit and monitoring activity appropriate for each State based on the status of its aviation security and oversight systems and other risk indicators. 2.2.5 The Council, during its 197th Session, formally approved the USAP-CMA and the transition plan. This decision was further endorsed by the 38th Session of the Assembly (Resolution A38-15, Appendix E refers). 2.2.6 The 1½-year transition to the USAP-CMA took place from July 2013 to December 2014, and the USAP-CMA was fully launched on 1 January 2015, as scheduled and approved by the Council during its 197th Session. The USAP-CMA transition plan included numerous tasks, such as: a) development of a new USAP-CMA activity management and analysis software for aviation security

data collection, analysis and measurement while ensuring confidentiality of sensitive security information;

b) development of the USAP-CMA methodology, protocol questions (PQs), tools, procedures and

supporting documentation; c) training and certification/recertification of aviation security experts and existing USAP auditors for

participation in USAP-CMA on-site activities as TMs; d) conduct of USAP-CMA regional seminars in all ICAO regions to familiarize Member States with the

USAP-CMA methodology, tools, procedures and processes; e) conduct of USAP-CMA on-site test audits in selected States; and f) development and expansion of agreements with relevant partners to foster coordination and

cooperation.

2.3 USAP–CMA PRINCIPLES 2.3.1 The principles of the USAP were first established at the inception of the Programme in 2002. Since that time, these underlying principles have remained unchanged and valid, with the exception of the principle of confidentiality of audit results. The principle of confidentiality has been modified for the second cycle of USAP audits and further modified for the USAP-CMA, with the approval of the Council of ICAO. The USAP-CMA principles are listed below.


2.3.2 Sovereignty. Every State has complete and exclusive sovereignty over the airspace above its territory. Accordingly, ICAO fully respects a sovereign State’s responsibility and authority for oversight of aviation security, including its decision-making powers with respect to implementing corrective actions related to identified deficiencies. 2.3.3 Universality. All Member States will be subject to continuous audit and monitoring activities by ICAO, in accordance with the principles, methodology, processes and procedures established for conducting such activities, and on the basis of the MoU signed between ICAO and each Member State, though the types and frequency of USAP-CMA audit and monitoring activities undertaken for each Member State may differ. 2.3.4 Transparency of methodology. The USAP-CMA activity procedures and processes will be made available to all Member States. 2.3.5 Timeliness. Results of USAP-CMA activities will be produced and submitted on a timely basis in accordance with a predetermined schedule for their preparation and submission. 2.3.6 All-inclusiveness. The scope of the USAP-CMA includes Annex 17 Standards and security-related provisions of Annex 9. It is expected to expand the scope of the USAP-CMA at appropriate times to include all security-related provisions contained in other Annexes to the Chicago Convention, in order to ensure their effective implementation in the civil aviation systems of Member States. 2.3.7 Consistency and objectivity. USAP-CMA activities will be conducted in a consistent and objective manner. Standardization and uniformity in the scope, depth and quality of USAP-CMA activities will be assured through training and certification of all auditors, the use of standardized PQs and the provision of relevant guidance material. 2.3.8 Fairness. USAP-CMA activities will be conducted in a manner such that Member States are given the opportunity to monitor, comment on and respond to the USAP-CMA processes, but must do so within an established time frame. 2.3.9 Quality. The quality of USAP-CMA activities will be ensured by assigning trained and certified auditors to conduct USAP-CMA activities in accordance with widely recognized auditing concepts, as well as by implementing an internal quality control system within the Aviation Security Audit Section (ASA) that continually monitors and evaluates feedback received from USAP-CMA stakeholders to ensure their ongoing satisfaction. 2.3.10 Confidentiality. Sensitive security information collected as part of the USAP-CMA will be protected from unauthorized disclosure. Accordingly, USAP-CMA audit reports will be confidential and will only be made available to the audited State and ICAO staff on a need-to-know basis. However, in the interests of promoting global aviation security, a limited level of disclosure will apply whereby charts depicting the level of implementation of the CEs of an aviation security oversight system by a Member State and an indication of the degree of compliance by a Member State with Annex 17 Standards, as well as information pertaining to the existence of unresolved significant security concerns (SSeCs) in a Member State will be made available to all Member States on the USAP secure website. Note.— The principle of confidentiality is described in detail in 4.9.


2.4 AUDITING PRINCIPLES 2.4.1 The following auditing principles apply to USAP-CMA activities, in accordance with ISO 19011:2011 — Guidelines for Auditing Management Systems. a) Integrity: the foundation of professionalism. Auditors should: perform their work with honesty,

diligence, and responsibility; observe and comply with any applicable legal requirements; demonstrate their competence while performing their work; perform their work in an impartial manner, i.e. remain fair and unbiased in all their dealings; be sensitive to any influences that may be exerted on their judgement while carrying out an audit.

b) Fair presentation: the obligation to report truthfully and accurately. Audit findings, audit conclusions

and audit reports should reflect truthfully and accurately the audit activities. Significant obstacles encountered during the audit and unresolved diverging opinions between the audit team and the auditee should be reported. The communication should be truthful, accurate, objective, timely, clear and complete.

c) Due professional care: the application of diligence and judgement in auditing. Auditors should

exercise due care in accordance with the importance of the task they perform and the confidence placed in them by Member States and other interested parties. An important factor in carrying out their work with due professional care is having the ability to make reasoned judgements in all audit situations.

d) Confidentiality: security of information. Auditors should exercise discretion in the use and protection

of information acquired in the course of their duties. Audit information should not be used inappropriately for personal gain by the auditor, or in a manner detrimental to the legitimate interests of the auditee. This concept includes the proper handling of sensitive or confidential information.

e) Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions.

Auditors should be independent of the activity being audited and should in all cases act in a manner that is free from bias and conflict of interest. Auditors should maintain objectivity throughout the audit process to ensure that the audit findings and conclusions are based only on the audit evidence.

f) Evidence-based approach: the rational method for reaching reliable and reproducible audit

conclusions in a systematic audit process. Audit evidence should be verifiable. It will in general be based on samples of the information available, since an audit is conducted during a finite period of time and with finite resources. An appropriate use of sampling should be applied, since this is closely related to the confidence that can be placed in the audit conclusions.

2.5 CRITICAL ELEMENTS (CEs) 2.5.1 CEs are the main building blocks of a State’s aviation security oversight system required for the effective implementation of security-related standards and associated procedures. Each Member State should address all CEs in its efforts to establish and implement an effective aviation security oversight system that reflects the shared responsibility of the State and the aviation community. CEs of an aviation security oversight system cover the whole spectrum of civil aviation security activities. The level of implementation of the CEs is an indication of a State's capability for aviation security oversight and compliance with security-related SARPs.


2.5.2 ICAO has defined the following CEs of a State’s aviation security oversight system (see the Aviation Security Oversight Manual — The Establishment and Management of a State’s Aviation Security Oversight System (Doc 10047)): CE-1. Primary aviation security legislation. The provision of a comprehensive and effective legislative

framework, consistent with the environment and complexity of the State’s civil aviation operations, to effect the establishment and implementation of the State’s aviation security policies and requirements in conformance with Annex 17 SARPs and security-related provisions contained in other Annexes to the Chicago Convention.

CE-2. Aviation security programmes and regulations. The provision of necessary national-level

programmes and adequate regulations to address, at a minimum, national requirements emanating from the primary aviation security legislation and providing for standardized implementation procedures, equipment and infrastructures (including security management and training systems) in conformance with Annex 17 SARPs and security-related provisions contained in other Annexes to the Chicago Convention.

Note.— The term “regulations” is used in a generic sense to include policies, requirements,

rules, instructions, edicts, directives, orders, etc., that are enforceable in the State. The specific status given to a regulation when it is applied within the State and the penalty assigned in the event of non-compliance are internal matters subject to the discretion of individual States, taking into account their responsibilities under the Chicago Convention.

CE-3. State appropriate authority for aviation security and its responsibilities. The designation of

an appropriate national authority for aviation security supported by appropriate technical and non-technical staff and provided with adequate financial resources. The State appropriate authority must have aviation security regulatory functions, objectives and policies. This element also includes the definition and allocation of tasks and coordination of activities between government agencies and airport-level entities concerned with or responsible for the implementation of various aspects of the NCASP, as well as arranging for the supporting resources and facilities required for aviation security to be available at airports serving civil aviation.

CE-4. Personnel qualifications and training. The establishment of minimum knowledge and

experience requirements for the technical personnel performing aviation security oversight functions and the provision of appropriate training to these personnel to maintain and enhance their competence at the desired level. The training should include initial, on-the-job and recurrent training. This element also includes the provision of training to entities involved in the implementation of applicable aviation security requirements, measures and procedures.

Note.— The technical personnel may be from an organization engaged by the appropriate

authority to provide State oversight functions on its behalf. CE-5. Provision of technical guidance, tools and security-critical information. The provision of

technical guidance (including processes and procedures), tools (including facilities and equipment) and security-critical information, as applicable, to the technical personnel to enable them to perform their aviation security oversight functions in accordance with established requirements and in a standardized manner. This element also includes the provision of technical guidance by the appropriate authority to entities responsible for the implementation of applicable aviation security requirements, measures and procedures.


CE-6. Certification and approval obligations. The implementation of processes and procedures to ensure that personnel and entities performing an aviation security activity meet the established requirements (such as certification systems for security screeners and aviation security instructors, and a system to ensure that entities responsible for the implementation of security measures and procedures have established security programmes consistent with all relevant national requirements) before they are allowed to conduct the relevant activity.

CE-7. Quality control obligations. The implementation of processes, such as audits, inspections,

surveys and tests, to proactively ensure that entities authorized and/or approved to perform an aviation security activity continue to meet the established requirements and operate at the level of competency and security required by the State. This includes the monitoring of designated personnel who perform security oversight functions on behalf of the appropriate authority.

CE-8. Resolution of security concerns. The implementation of processes and procedures to resolve

identified deficiencies impacting aviation security, which may have been residing in the aviation security system and have been detected by the appropriate authority or other appropriate bodies. This includes the ability to analyse security deficiencies, provide recommendations, support the resolution of identified deficiencies by implementing follow-up procedures to validate the effective implementation of corrective actions, as well as take enforcement action when appropriate.

2.5.3 CEs 1 through 5 (collectively known as “establishment CEs”) are mainly related to “establishment”, i.e. they indicate that the addressed provision must be fully and effectively established within the State’s aviation security oversight system. CEs 6 through 8 (collectively known as “implementation CEs”) are related to “implementation”, i.e. they indicate that the addressed provision must be fully and effectively implemented within the State’s aviation security oversight system.

2.6 AUDIT AREAS The following nine audit areas have been identified as functional areas for the conduct of audits under the USAP-CMA: 1. Regulatory framework and the national civil aviation security system (LEG): the primary aviation

security legislative framework; national aviation security requirements and amendment procedures; the National Civil Aviation Security Programme (NCASP); empowerment of national aviation security inspectors, threat evaluation and risk assessment; international cooperation; the appropriate authority for aviation security; allocation of tasks and coordination of activities;

2. Training of aviation security personnel (TRG): the National Civil Aviation Security Training

Programme (NCASTP); training of national aviation security inspectors and airport-level aviation security personnel; certification of security screeners and aviation security instructors;

3. Quality control functions (QCF): the establishment and implementation of a National Civil Aviation

Security Quality Control Programme (NQCP) to determine compliance with and validate the effectiveness of the NCASP and to ensure that sustainable and appropriate corrective actions are implemented;

4. Airport operations (OPS): the airport aviation security organization and administration; the airport

security programme; the supporting resources and facilities for aviation security services; access control and security control measures to the airside and security restricted areas of the airport;


5. Aircraft and in-flight security (IFS): aircraft operator security programmes; aircraft protection and in-flight security measures;

6. Passenger and baggage security (PAX): the measures and procedures for screening of originating

and transfer/transit passengers and their cabin/hold baggage; 7. Cargo, catering and mail security (CGO): the supply chain security process; the measures and

procedures for security controls of cargo, catering and mail; 8. Response to acts of unlawful interference (AUI): airport-level contingency plans; national- and

airport-level measures and procedures for the management of responses to acts of unlawful interference; and

9. Security aspects of facilitation (FAL): the national air transport facilitation programme; coordination

between security and facilitation activities; security and inspection of travel documents; border control measures and procedures.

2.7 USAP-CMA PROTOCOL QUESTIONS (PQs) 2.7.1 The USAP-CMA PQs serve as the primary tool for the conduct of USAP-CMA activities aimed at assessing the level of implementation of the CEs of a State’s aviation security oversight system, as well as a State’s degree of compliance with Annex 17 Standards and security-related provisions of Annex 9. The use of standardized PQs ensures transparency, consistency, reliability and fairness of the audit process, as well as enhances confidence in audit results. 2.7.2 The USAP-CMA PQs are based on Annex 17 Standards, security-related provisions of Annex 9 and associated ICAO guidance material. Each PQ refers to one Annex 17 Standard or Annex 9 security-related provision and to one CE. The PQs are divided into the nine audit areas specific to each subject covered, as described in 2.6, which assists in planning a USAP-CMA audit and facilitates effective allocation of tasks to USAP-CMA audit team participants. 2.7.3 The USAP-CMA PQs cover all elements of a State’s aviation security and oversight systems which are subject to audit and monitoring. Although the PQs serve as a checklist of items to be verified, the evidence required to validate the answer to each PQ only serves as a guide to ensure that a minimum amount of information is consistently verified in all States. While following the best international practices derived from the ICAO relevant guidance material in terms of evidence for review/observation as an acceptable means of compliance, the USAP-CMA PQs are, at the same time, sufficiently flexible to allow for the appropriate evaluation of other means of compliance based on the scope, complexity and specifics of the aviation security activity in each State. 2.7.4 ASA amends and updates the USAP-CMA PQs on a periodic basis to reflect the latest changes in Annex 17 Standards, security-related provisions of Annex 9 and related guidance material to include emerging issues in civil aviation and to harmonize and improve PQ references and content. PQ amendments incorporate input from the ICAO Aviation Security Panel, USAP mission TMs and external stakeholders. 2.7.5 States are encouraged to use the USAP-CMA PQs to perform self-assessments. As a priority, States may conduct a self-assessment: a) on PQs that were found not satisfactory in a previous USAP activity; b) on new PQs introduced through the PQ amendment process — these PQs will have an undetermined

status until they are assessed through an appropriate type of USAP-CMA activity; or


c) in case of any changes in their aviation security system, programmes, regulations and/or procedures to determine whether these changes impact the status of any PQs.

2.7.6 The self-assessment is important for States in order to prepare for a USAP-CMA activity. Each PQ includes information on ICAO references that helps identify a specific Annex 17 Standard or Annex 9 security-related provision related to the PQ. Each PQ also includes guidance for review and examples of what the State needs to establish and implement to comply with the ICAO provision outlined in the PQ; this is also an indication of the type of evidence that the USAP-CMA audit team will be looking for during a USAP-CMA activity. The CE linked to each PQ is also an indication for States — CEs 1 to 5 indicate that the State must establish the ICAO provision outlined in the PQ and CEs 6 to 8 indicate that the State must implement the established provision. 2.7.7 As indicated above, USAP-CMA PQs also serve as a tool for States to conduct regular self-assessments in order to actively monitor and report the health of their aviation security and oversight systems on a continuous basis. States can use PQs to conduct scheduled internal audits of their aviation security and oversight systems. Thus, States can actively monitor their own systems in a proactive manner to identify and resolve deficiencies. Note.— The USAP-CMA PQs are available on the USAP secure website.

2.8 STATE’S AVIATION SECURITY PERFORMANCE 2.8.1 The State’s aviation security performance is defined as the State’s level of implementation of the CEs of an aviation security oversight system and the State’s status of implementation of Annex 17 Standards and security-related provisions of Annex 9, associated procedures, guidance material and security-related practices. 2.8.2 The EI is a measure of the State’s aviation security oversight and compliance capabilities. A higher EI indicates that a State’s aviation security and oversight systems have a greater degree of compliance with ICAO security-related provisions. The EI is calculated for any group of PQs, based on the following formula: number of satisfactory PQs within the group EI (%) = ——————————————————————————————————— x 100 number of satisfactory PQs + number of not satisfactory PQs within the group 2.8.3 Thus, the EI can be calculated for each CE, each audit area, each Annex 17 Standard or Annex 9 security-related provision and as an overall value for all USAP-CMA PQs. The USAP-CMA uses the following indicators to measure the State’s aviation security performance: a) Oversight Indicator — average EI of the eight CEs of a State’s aviation security oversight system; b) Compliance Indicator — average EI of Annex 17 Standards and average EI of security-related

provisions of Annex 9; and c) USAP-CMA PQ Indicator — EI of USAP-CMA PQs, i.e. the percentage of satisfactory USAP-CMA

PQs. 2.8.4 In addition to the EI, a lack of effective implementation (LEI) is also calculated for certain analyses. The LEI is simply the inverse of the EI and is calculated as:

LEI (%) = 100 – EI (%)


Note 1.— For the Compliance Indicator, the term “compliance” is used instead of EI. Thus, the State’s Compliance Indicator is, in other words, the average compliance with Annex 17 Standards and the average compliance with security-related provisions of Annex 9. Note 2.— The Compliance Indicator provides only a picture of indicative compliance of the State with Standards of Annex 17 and security-related provisions of Annex 9 derived from observations made at the time of the USAP-CMA audit by the USAP-CMA audit team at the airport(s) selected for observation. It does not provide a definitive measure of the State’s overall compliance with Standards of Annex 17 and security-related provisions of Annex 9. 2.8.5 Aviation security performance indicators provide a system of measurement to ICAO to assess the oversight and compliance capabilities of States and serve as data trending charts to track and monitor any changes in those capabilities.

2.9 SIGNIFICANT SECURITY CONCERN (SSeC) 2.9.1 Under the USAP second-cycle audit report production process, a final aviation security audit report was forwarded to the audited State within 60 calendar days after the closing meeting of the audit. The State then had 60 calendar days to submit a CAP. However, USAP auditors sometimes encountered situations that revealed SSeCs that might pose an immediate security risk to international civil aviation. In the absence of a mechanism to address these SSeCs in a timely manner, corrective action might not have been taken by the audited State before the CAP was submitted to ICAO approximately four months after the audit. 2.9.2 In June 2008, the ICAO Council considered a procedure, within the scope of Article 54 j) of the Chicago Convention, that would enable disclosure of information regarding a State having significant compliance shortcomings with respect to security-related SARPs, including failure to act in accordance with its security oversight obligations and failure to carry out recommendations of the Council. The Council requested that issues related to the security risk indicators and the concept of SSeC be referred to the Aviation Security Panel for discussion. 2.9.3 The Council, during its 187th Session, endorsed the Aviation Security Panel’s recommendation to establish an SSG to review and develop the security risk indicators associated with the application of Article 54 j) to aviation security and the definition of SSeC, including a mechanism to enable the rapid resolution of such concerns identified under the USAP. 2.9.4 The Council, during its 189th Session, considered and approved the proposals of the SSG related to: a) the security risk indicators: 1) failure or refusal to participate in significant aspects of the USAP audit process, including, but not

limited to, pre-audit, on-site and corrective action requirements; 2) failure to resolve critical security-related deficiencies identified in the USAP process; 3) level or nature of activity inconsistent with security oversight capability; and 4) security incidents linked to deficiencies in a State’s security oversight responsibilities and

obligations.


b) the definition of SSeC: “A significant security concern occurs when the appropriate authority responsible for aviation security

in the State permits aviation activities to continue, despite lack of effective implementation of the minimum security requirements established by the State and by the provisions set forth in Annex 17 — Security related to critical aviation security controls including, but not limited to, the screening and the protection from unauthorized interference of passengers, cabin and hold baggage; the security of cargo and catering; access control to restricted and security-restricted areas of airports; and the security of departing aircraft resulting in an immediate security risk to international civil aviation.”

c) the associated mechanism to address SSeCs identified during a USAP audit in a timely manner. The

SSeC mechanism was further revised by the Council during its 208th Session based on the Aviation Security Panel’s recommendation.

2.9.5 SSeC mechanism. An SSeC identified during the course of a USAP-CMA on-site activity will be described to the audited State as a preliminary SSeC during the post-audit debriefing, at the conclusion of the audit. If the preliminary SSeC is validated and confirmed by the SSeC Validation Committee at ICAO Headquarters, ICAO notifies the audited State, within 15 calendar days following the post-audit debriefing, by providing the State with the SSeC finding and recommendation. The State is then requested to implement, within 15 days following notification, immediate corrective action to resolve or mitigate the SSeC and advise ICAO. If no corrective action to resolve or mitigate the SSeC is implemented and provided to ICAO within the prescribed time frame, ICAO informs all Member States that an SSeC has been identified and remains unresolved, by publishing an Electronic Bulletin (EB), which includes the name of the State with an SSeC. In addition, the name of the State and the number of unresolved SSeCs are also posted on the USAP secure website. Furthermore, if the SSeCs are not resolved within three months of being posted, ICAO identifies on the USAP secure website the audit area(s) related to unresolved SSeCs. 2.9.6 The Council, during its 208th Session, endorsed the Aviation Security Panel’s recommendation, whereby the ICAO Secretariat should include the name of States with SSeCs in the EB sent to all Member States, and should identify through the USAP secure website the audit area(s) related to the SSeC(s) if these are not resolved within three months of being posted. 2.9.7 ASA has developed internal procedures describing in detail the different phases of the SSeC mechanism, including the identification, confirmation and resolution of SSeCs.

2.10 STATE AVIATION SECURITY ACTIVITY QUESTIONNAIRE (SASAQ) 2.10.1 The State aviation security activity questionnaire (SASAQ) is designed to collect comprehensive and specific information on each State’s aviation security activities, including legislative, regulatory, organizational, operational, technical and administrative details. Each State shall submit to ICAO, no later than 60 calendar days prior to the start of a USAP-CMA activity, a completed SASAQ designed to provide ICAO with preliminary information concerning the State’s aviation security and oversight systems. 2.10.2 States are required to update their SASAQ regularly in order to assist ASA in monitoring the level of aviation security activities in States related to each audit area and in prioritizing and planning USAP-CMA activities. 2.10.3 ICAO will revise the SASAQ template periodically.


2.10.4 The State Quality Control Activity Summary Form is an attachment to the SASAQ and has been created to facilitate States in the provision of information regarding their oversight activities which will be used within the framework of the USAP-CMA. Note.— The SASAQ and the State Quality Control Activity Summary Form are available on the USAP secure website.

2.11 COMPLIANCE CHECKLISTS (CCs) 2.11.1 States are required to complete and maintain up to date compliance checklists (CCs), which contain information on the State’s compliance with Annex 17 SARPs and security-related provisions of Annex 9. The completion of the CCs by Member States will: a) provide authorized users with an overview of the level of implementation of relevant ICAO provisions;

and b) enable Member States to identify any difference which may exist between their own practices and

those established by relevant ICAO Standards. 2.11.2 ICAO will revise the CCs template periodically subsequent to amendments to Annex 17 SARPs or to security-related provisions of Annex 9. Note.— The CCs are available on the USAP secure website.

______________________

3-1

Chapter 3

THE CONTINUOUS MONITORING APPROACH (CMA)

3.1 USAP-CMA CONCEPT 3.1.1 The USAP-CMA is designed to promote global aviation security through auditing and monitoring aviation security performance of Member States on an ongoing basis. 3.1.2 The USAP-CMA is a shift from the traditional cyclical audit approach, which provides only a “snapshot” of a State’s aviation security system at a given point in time, to a more continuous monitoring of a State’s oversight and compliance capabilities. This enables ICAO to develop and maintain an ongoing, updated picture of the aviation security situation in Member States. 3.1.3 The USAP-CMA incorporates a risk-based approach to auditing, by establishing the priorities and frequency of audit and monitoring activities based on various key parameters reflecting the changes in the aviation security situation in Member States, while taking into consideration any oversight activities and information provided by regional regulatory/oversight bodies. This leads to a more efficient use of resources of both ICAO and the Member States, thus ensuring long-term and cost-effective programme management for the Organization. 3.1.4 The USAP-CMA provides for a system that does not apply a one-size-fits-all approach to auditing. Rather, the USAP-CMA incorporates a performance-based approach to auditing which enables increased flexibility in determining the real needs of Member States and allows for a customized approach for each Member State. This is achieved by proposing activities of different types and scope based on aviation security performance indicators of States, which provide an indication of the level of security of the civil aviation system and the effectiveness of the aviation security oversight system in place in Member States. 3.1.5 Under the USAP-CMA, the principle of universality is maintained as all Member States are subject to continuous audit and monitoring activities by ICAO, in accordance with the principles, methodology, processes and procedures established for conducting such activities, and on the basis of the MoU signed by ICAO and each Member State. The priorities, frequency, type and scope of such activities will vary based on each Member State’s specific circumstances. 3.1.6 The USAP-CMA forms an integral part of ICAO’s overall aviation security framework, which encompasses policy, audits and assistance. The USAP-CMA generates up-to-date State-specific and regional data which provides useful and critical information to facilitate the provision of targeted and tailored assistance to States, while also providing valuable feedback to ICAO for the development of SARPs and guidance material. The USAP-CMA, therefore, is a key driver for both the provision of effective assistance with a view to enabling States to improve their aviation security and oversight systems in compliance with ICAO security-related SARPs, and for policy development.


3.2 USAP-CMA OBJECTIVE The objective of the USAP-CMA is to promote global aviation security through continuous auditing and monitoring the aviation security performance of Member States. This objective is achieved by: • regularly and continuously obtaining and analysing data on the aviation security performance of

Member States; • identifying deficiencies in the overall aviation security performance of Member States and assessing

the risks associated with such deficiencies; • providing prioritized recommendations to assist Member States in addressing identified deficiencies; • evaluating and validating corrective actions taken by Member States; and • re-assessing the aviation security performance of Member States in order to continuously enhance

their aviation security oversight and compliance capabilities.

3.3 USAP-CMA PROCESS 3.3.1 The USAP-CMA process consists of the following components: a) determination of State-specific USAP-CMA activity; b) conduct of State-specific USAP-CMA activity; c) identification and analysis of deficiencies; d) measurement of the State’s aviation security performance; e) provision of prioritized recommendations; and f) evaluation of State corrective actions to address deficiencies. 3.3.2 These components enable ICAO to continuously audit and monitor the aviation security performance of Member States. Figure 3-1 shows the USAP-CMA process components.

Chapter 3. The Continuous Monitoring Approach (CMA) 3-3

Figure 3-1. USAP-CMA process components

3.4 DETERMINATION OF A STATE-SPECIFIC USAP-CMA ACTIVITY 3.4.1 The USAP-CMA takes into consideration the varying levels of development and maturity of aviation security and oversight systems of Member States, and incorporates a variety of audit and monitoring activities tailored to each Member State’s aviation security situation as part of the strategy for promoting the enhancement of global aviation security on a continuous basis. The determination of a specific type of USAP-CMA activity for a given State will be made by ASA using defined criteria based on: a) the results of the previous USAP activity; b) the State’s aviation security performance indicators, in particular the average EIs of establishment

CEs and implementation CEs; c) updates on CAP implementation; and d) updated information submitted by the State through the SASAQ.

Determine State-specific USAP-CMA

activity

Evaluate State’scorrective actions toaddress deficiencies

Conduct State-specific USAP-CMA

activity

Provide prioritizedrecommendations

Identify and analysedeficiencies

MeasureState’s aviation

securityperformance


3.4.2 The USAP-CMA activities include: a) documentation-based audits; b) oversight-focused audits; c) compliance-focused audits; and d) other audit and monitoring activities. Documentation-based audits 3.4.3 Documentation-based audits are conducted primarily by correspondence between ICAO Headquarters and the States concerned and include increased requirements for submission of documentation by States. States identified for documentation-based audits could still receive on-site audits, as appropriate. Any specific areas of concern are identified and addressed either remotely from ICAO Headquarters or by means of a physical visit to the State concerned. Documentation-based audits may identify potential SSeCs, requiring a USAP-CMA on-site audit. 3.4.4 The scope of documentation-based audits will include a tailored set of core PQs related to the implementation of continuous processes within the State’s aviation security oversight system, such as amendment of national aviation security requirements, coordination of aviation security activities at the national and airport levels, training of aviation security personnel, certification and approval obligations, quality control activities and resolution of security concerns. This set of PQs will be augmented by additional PQs based on previous USAP audit results of the State, the updated CAP, new Annex provisions, the State quality control activity results derived from the State Quality Control Activity Summary Form, any significant change in the State’s aviation security and oversight systems and acts of unlawful interference in the State. Failure by the State to provide required documentation and information will make the State ineligible for a documentation-based audit, and the State will be scheduled for a USAP-CMA on-site audit. 3.4.5 Documentation-based audits will primarily measure the State’s aviation security oversight system, while also giving a strong indication of the State’s degree of regulatory compliance with Annex 17 Standards and security-related provisions of Annex 9 to the Chicago Convention. Certain PQs related to the operational implementation of security measures under Annex 17 and security-related provisions of Annex 9 will be marked as undetermined until their status is assessed through a USAP-CMA on-site activity. Oversight-focused audits 3.4.6 Oversight-focused audits are conducted by means of on-site audits similar to USAP second-cycle audits, and include the review of national-level regulations and programmes, such as the NCASP, the NCASTP and the NQCP, followed by spot checks conducted at the airport(s) selected for observation to verify the effectiveness of aviation security requirements and measures on the ground. The scope of oversight-focused audits might be full, covering all USAP-CMA audit areas, or partial, covering one or more audit areas, based on previous USAP audit results, as well as on other information available to ICAO.


3.4.7 A fundamental component of oversight-focused audits is the review of the implementation of the State’s NQCP, i.e. the evaluation of the effectiveness of the State’s quality control measures which may be defined as the surveillance techniques and activities used by the State to assess its civil aviation security system and, whenever required, to resolve identified deficiencies. This review is based on the assessment of three major issues related to the implementation of the NQCP: — the adequacy of compliance monitoring activities; — the effectiveness of compliance monitoring activities; and — the availability of national aviation security inspectors for compliance monitoring. 3.4.8 Adequacy of compliance monitoring activities. Standards 3.4.5 and 3.4.6 of Annex 17 require each Contracting State to: — ensure that the implementation of security measures is regularly subjected to verification of

compliance with the NCASP; and — arrange for security audits, tests, surveys and inspections to be conducted on a regular basis, to verify

compliance with the NCASP and to provide for the rapid and effective rectification of any deficiencies. 3.4.9 To this end, the USAP-CMA audit should make an assessment of the frequency and scope of the State’s monitoring activities. The frequency of national monitoring activities should be established in the NQCP. The verification therefore should confirm if the NQCP does establish minimum frequencies for at least security audits and inspections. The USAP-CMA audit should also assess if the monitoring activities carried out at the national level are sufficiently frequent and if the priorities and frequency of national monitoring activities are determined on the basis of risk assessment carried out by the relevant authorities, as required by Standard 3.4.5 of Annex 17. 3.4.10 It should be noted that there is no requirement to inspect every airport every year but, as a general rule, one should consider that airports with an annual traffic volume of more than 10 million passengers should be subject to a security audit covering all aviation security standards at least every 4 years. At airports with an annual traffic volume of more than 2 million passengers, the minimum frequency for inspecting all sets of directly linked security measures in the areas of airport security, aircraft security, passenger and cabin/hold baggage security and cargo/mail security should be at least every 12 months, unless an audit has been carried out at the airport during that time. The frequency for inspecting all security measures related to airport and in-flight supplies, staff recruitment and training and security equipment may be determined based on a risk assessment. Where a State has no airport with an annual traffic volume exceeding 2 million passengers, the above requirement should apply to the airport in the State with the greatest annual traffic volume. Note.— A set of directly linked security measures is a set of two or more requirements that impact on each other so closely that achievement of the objective cannot be adequately assessed unless they are considered together. 3.4.11 The USAP-CMA audit should also assess if the monitoring activities carried out ensured a regular monitoring of all airports and entities situated in the State. Therefore, the USAP-CMA audit should assess the scope of the State’s monitoring activities and the deployment of a variety of quality control activities, as required by Standard 3.4.6 of Annex 17. To this end, a representative sample of national quality control activity reports should be analysed for the last two years. The verification should allow to establish if all security measures were monitored at least once, if a suitable combination of compliance monitoring types (security audits, inspections and tests) were used and if the minimum frequencies for security audits and inspections were met.


3.4.12 Effectiveness of compliance monitoring activities. The USAP-CMA audit should assess if the common methodology requirements are respected, if rapid and effective rectification of deficiencies takes place and if enforcement powers are available and used whenever appropriate. 3.4.13 Regarding the common methodology, the verification of a representative sample of national quality control activity reports should confirm that: — a standardized approach was used for the conduct of audits, inspections and tests, which included

planning, preparation, on-site activity, the classification of findings, the debriefing and reporting/recording, the correction process and monitoring;

— a systematic gathering of information by means of observations, interviews and review of documents

was employed; — the compliance monitoring activities undertaken did include announced and unannounced activities; — a harmonized classification system of compliance was used; and — the quality control activity reports include elements such as the date and time of the activity, entity

monitored, type and scope of the activity, findings with the corresponding provisions of the NCASP, classification of compliance, recommendations for remedial actions and time frame for correction, where appropriate.

3.4.14 Regarding the rapid and effective rectification of deficiencies, the assessment of the selected sample of national quality control activity reports should allow to confirm if rapid and effective rectification takes places. The USAP-CMA audit should also verify if the appropriate authority systematically requires the submission of CAPs together with a timeframe for implementation of the remedial actions and if it actively follows up on the rectification process. In addition, the visit of the airport(s) selected for observation will confirm actual rectification to be verified in the field. 3.4.15 Regarding the enforcement powers, the USAP-CMA audit should establish if the appropriate authority has been invested with enforcement powers, including the power to impose penalties, and also actually uses them whenever appropriate. Samples of enforcement actions applied during the monitoring should be analysed. The audit should also verify if a graduated and proportionate approach is established regarding deficiency correction activities and enforcement measures, and if the national aviation security inspectors are provided with sufficient authority to obtain the information necessary to carry out their tasks. 3.4.16 Availability of national aviation security inspectors for compliance monitoring activities. An assessment of available human resources for national compliance monitoring activities needs to be conducted and should include such factors as independence, competencies, initial, on-the-job and recurrent training. To this end, the frequency of the different monitoring activities, their scope, as well as the number of follow-up activities should be analysed. An insufficient number of monitoring activities is a clear indication that the available human resources are either insufficient or used for purposes other than monitoring compliance. Hence, the number of national aviation security inspectors available, and the actual number of hours spent monitoring compliance in the field, are two crucial elements. 3.4.17 The USAP-CMA audit will validate information obtained from the SASAQ on the number of airports in the State serving civil aviation and their size in terms of passenger/cargo traffic, the number of national and foreign aircraft operators providing service from the State, as well as the number of regulated agents, known consignors, known airport and in-flight suppliers, as applicable. These figures will be used to establish if the man-days invested in national monitoring activities reflect the number of airports, aircraft operators and entities to be monitored.


3.4.18 The verification of the effectiveness of national monitoring activities at the airport level should take place at the airport(s) selected for observation. Prior to the verification, all national monitoring reports relating to the airport should be carefully analysed to identify deficiencies previously detected and the status of deficiency rectification. The on-site verification should then establish: a) if deficiency rectification actually took place; b) which areas were still deficient; and c) if there are any other areas with shortcomings that were not identified in national quality control activity

reports. Compliance-focused audits 3.4.19 Compliance-focused audits are conducted by means of on-site audits, similar to USAP second-cycle audits, and include the review of national-level regulations and programmes, followed by more detailed observations of the implementation of security measures by various airport-level entities at the airport(s) selected for observation to assess the State’s compliance with relevant SARPs. These full-scale or partial audits will focus on a set of PQs related to CE-1 to CE-6 and include more observations of the implementation of security measures on the ground using CE-8-related PQs. The status of the PQs related to CE-7 would be determined as satisfactory or not satisfactory based on the level of maturity of the national quality control system. Other audit and monitoring activities 3.4.20 Cost-recovery audits. USAP-CMA cost-recovery audits may be conducted at the request of a Member State and will be accommodated as resources and time permit. The methodology for USAP-CMA cost-recovery audits will be the same as for compliance-focused audits or oversight-focused audits, as applicable. However, ICAO identifies the need for compliance-focused or oversight-focused audits and determines their scope, whereas the type, scope and scheduling of any USAP-CMA cost-recovery audit will require agreement between ICAO and the State, and will be assessed by ICAO on a case-by-case basis. The results of USAP-CMA cost-recovery audits will be treated in the same manner as the results from regularly scheduled USAP-CMA activities, including the possibility of invoking the SSeC mechanism. 3.4.21 Validation missions. ICAO will plan and conduct on-site validation missions to specifically assess and validate corrective actions implemented by the State to resolve or mitigate SSeCs. A State may also request ICAO to conduct an on-site cost-recovery validation mission to assess and validate the CAP implemented by the State to address previously identified deficiencies. Such cost-recovery validation missions will be considered as USAP-CMA cost-recovery audits with specific audit scope and will be accommodated as resources and time permit. 3.4.22 Referral for assistance. The experience of the first and second cycles of USAP audits has demonstrated that a small number of States are not in a position to derive full benefit from an audit. Under the USAP-CMA, such States will be referred to the Implementation Support and Development — Security Programme and the Technical Cooperation Programme for needs assessment surveys and for subsequent determination and provision of appropriate assistance. ASA will monitor such assistance activities in coordination with the Implementation Support and Development — Security Section (ISD-SEC) to determine the appropriate timing for a USAP-CMA activity to be conducted in those States.


3.5 CONDUCT OF A STATE-SPECIFIC USAP-CMA ACTIVITY 3.5.1 USAP-CMA activities are conducted based on available resources and in accordance with the roles, responsibilities and procedures described throughout this manual. ASA conducts an appropriate type of USAP-CMA (on-site or off-site) activity for States included in the annual schedule of USAP-CMA activities, as determined through the planning and scheduling process described in 4.6. 3.5.2 The conduct of a State-specific USAP-CMA activity is a systematic and objective assessment of the State’s aviation security and oversight systems, using USAP-CMA PQs, which allows ASA to collect and document evidence presented and/or submitted by the State in support of the implementation of Annex 17 Standards and security-related provisions of Annex 9, as well as the CEs of a State’s aviation security oversight system. The conduct of a USAP-CMA activity serves as a data collection process necessary to evaluate the State’s aviation security performance. The conduct phase of the USAP-CMA activity is described in detail in 6.3.

3.6 IDENTIFICATION AND ANALYSIS OF DEFICIENCIES 3.6.1 Analysis of data collected during the conduct of a USAP-CMA activity allows the identification of deficiencies, if any, in the State’s aviation security performance, which adversely affect the State’s oversight and compliance capabilities. Identified deficiencies are subjected to risk assessment in terms of their impact on the State’s aviation security and oversight systems. 3.6.2 The USAP-CMA utilizes a classification system for USAP-CMA PQs, whereby each PQ is classified based on its significance in terms of impact on aviation security. The purpose of the classification system is not to differentiate between related Annex provisions in terms of their importance, but rather to provide States with a mechanism for prioritizing their corrective actions to rectify identified deficiencies and allocate resources accordingly. The classification system uses “Low”, “Medium”, “High” and “Very high” priorities for classifying USAP-CMA PQs. 3.6.3 The deficiencies identified following a State-specific USAP-CMA activity are prioritized on the basis of associated PQs. The identified deficiencies are further subjected to analysis by ASA within the context of State-specific audit results in terms of associated risks, which may entail upgrading or downgrading the priorities of certain deficiencies.

3.7 MEASUREMENT OF THE STATE’S AVIATION SECURITY PERFORMANCE 3.7.1 The final output of the State’s aviation security performance audit and monitoring process is the measurement of the State’s aviation security performance indicators based on the analysis of data collected through the USAP-CMA activity. By analysing all pertinent data derived from the USAP-CMA activity results, the State’s aviation security performance is measured using the indicators defined in 2.8. 3.7.2 The State’s Oversight Indicator depicts the State’s overall level of implementation of the CEs of an aviation security oversight system, while the State’s Compliance Indicator provides only a picture of indicative compliance of the State with Annex 17 Standards and security-related provisions of Annex 9. The State’s USAP-CMA PQ Indicator provides the percentage of PQs found satisfactory during the USAP-CMA activity.


3.8 PROVISION OF PRIORITIZED RECOMMENDATIONS For each not satisfactory PQ, a recommendation is provided to the State for implementation in order to rectify the identified deficiency related to that PQ. Under the USAP-CMA, the recommendations are prioritized based on the nature of the deficiencies they address. This will provide States with a clear strategy to help prioritize their own corrective actions and allocation of resources to best address identified deficiencies.

3.9 EVALUATION OF STATE CORRECTIVE ACTIONS TO ADDRESS DEFICIENCIES 3.9.1 In the event that action for improvement is recommended by ICAO following completion of a USAP-CMA audit, the State is responsible for developing a CAP defining the corrective actions it plans to take to resolve any deficiencies identified in its aviation security and oversight systems. 3.9.2 CAP review. The State’s CAP will be reviewed by an ASA TL who will provide feedback on the acceptability of the CAP, as necessary. If any proposed corrective actions do not fully address the associated findings and recommendations, the State will be notified accordingly and requested to resubmit its CAP. 3.9.3 CAP evaluation. The State’s CAP, including progress updates, will be evaluated by ASA to measure (unvalidated) progress achieved by the State in the rectification of deficiencies identified by the USAP-CMA audit. Such evaluations may result in updating the State’s USAP-CMA key parameters. States should continue sending information to ASA on the progress made in the implementation of their CAPs. 3.9.4 CAP validation. The validation of progress made by the State in the implementation of its CAP to address previously identified deficiencies will be included in the scope of the subsequent USAP-CMA activity for the State. ICAO may opt to conduct an off-site validation at ICAO Headquarters, as part of the subsequent USAP-CMA off-site activity for the State, which may typically address PQ findings associated with establishment CEs, provided that the State submits sufficient and tangible evidence of their full implementation. Corrective actions related to PQ findings associated with implementation CEs do not qualify for an off-site validation and must be assessed and validated on-site as part of the subsequent USAP-CMA on-site activity for the State. 3.9.5 The results of subsequent USAP-CMA activities for the State, including changes in the SSeC status, if any, will be reflected in the State’s aviation security performance indicators. Any such update will also result in updating the State’s USAP-CMA key parameters. Continuous improvement in the State’s oversight and compliance capabilities is measured through the monitoring of the State’s aviation security performance indicators.

3.10 AVIATION SECURITY PERFORMANCE-RELATED ANALYSIS 3.10.1 ASA uses a dedicated USAP-CMA activity management and analysis software for recording and analysing the USAP-CMA activity results and for the production of USAP-CMA audit reports. The software allows continuous monitoring and reporting of security-related information received from Member States through USAP-CMA activities, including monitoring the aviation security performance indicators of States using basic quantitative data trending tools that generate graphs or charts. This enhances the effectiveness and efficiency of the USAP-CMA in identifying deficiencies and associated security risks.


3.10.2 The software also facilitates the administration and management of USAP-CMA PQs and PQ findings. As each PQ is associated with one CE and one Annex 17 Standard or one security-related provision of Annex 9, the software allows the tracking of the status of implementation of the PQs and the analysis of not satisfactory PQs by CE or by ICAO SARP. This allows ASA to conduct global, regional, sub-regional and State-specific analysis of USAP-CMA activity results by any grouping of PQs, CEs or ICAO SARPs. Such analysis enables ICAO to identify common deficiencies and define measures to assist its Member States.

______________________

4-1

Chapter 4

PROGRAMME MANAGEMENT

4.1 GENERAL 4.1.1 In order to effectively manage and ensure the success of the USAP-CMA, all components of the programme, including roles and responsibilities of each entity, the required resources and procedures, are clearly defined in this chapter. 4.1.2 The effective implementation of the USAP-CMA depends on partnerships, communication and exchange of information between ICAO, Member States and regional organizations, who all have a specific, defined role. 4.1.3 Implemented within the USAP-CMA, ASA’s internal procedures provide the mechanisms to effectively implement established processes, monitor and review the components of the USAP-CMA, determine the need for corrective or preventive action and identify opportunities for improvement. It also allows ICAO to collect and analyse data to measure the satisfaction level of stakeholders with the USAP-CMA and to take appropriate actions to improve USAP-CMA processes, procedures and components. Note.— The roles and responsibilities outlined in this chapter solely pertain to the USAP-CMA processes and are not intended to provide a comprehensive description of roles and responsibilities of individuals, entities and organizations beyond the scope of this manual and the USAP-CMA.

4.2 ROLES AND RESPONSIBILITIES OF ICAO 4.2.1 Within the scope of the USAP-CMA, the Secretary General of ICAO is the convening authority for USAP-CMA activities in accordance with the annual activity plan. 4.2.2 The Chief, Aviation Security Audit Section (C/ASA), in coordination with other relevant sections and ICAO Regional Offices (ROs), is responsible for the administration, implementation and management of the USAP-CMA on a day-to-day basis and for approving all USAP-CMA audit reports. 4.2.3 ASA is responsible for managing the overall development, implementation, maintenance and quality of the USAP-CMA, including, but not limited to: a) monitoring the State’s USAP-CMA key parameters to identify and prioritize appropriate USAP-CMA

activities; b) developing and updating the annual schedule of USAP-CMA activities in coordination with ROs, which

includes the list of States to be subjected to USAP-CMA activities, the dates of USAP-CMA activities and the composition of USAP-CMA audit teams;

c) providing timely notification to States regarding scheduled USAP-CMA activities and audit team

composition;


d) providing guidance and information to States to prepare for the conduct of USAP-CMA activities; e) ensuring coordination between States and ASA in a timely manner on all issues related to the

USAP-CMA, including facilitating the exchange of information and documents between the TL and the National Coordinator (NC) and ensuring that all appropriate arrangements have been made for the conduct of the USAP-CMA activity;

f) developing and conducting regional USAP-CMA seminars; g) developing, conducting and overseeing USAP-CMA auditor training and certification courses; h) selecting and assigning appropriately qualified TLs and TMs to conduct USAP-CMA on-site activities

in accordance with the qualification standards established in this manual and in coordination with the respective ROs;

i) maintaining a roster of certified USAP-CMA auditors; j) managing the conduct of USAP-CMA activities; k) developing and implementing the tools and processes required for implementing USAP-CMA

components and conducting activities; l) monitoring the progress of States in submitting and updating required information; m) monitoring the status of findings and/or SSeCs; n) assessing the acceptability of CAPs submitted by States; o) assessing and monitoring corrective actions and mitigating measures proposed by States; p) updating the State’s aviation security performance indicators; q) developing and overseeing the implementation of information security instructions to protect sensitive

security information collected through the USAP-CMA activity process from unauthorized disclosure; r) developing working papers and reports for the Assembly, the ICAO Council, the UIC and the Aviation

Security Panel on the implementation of the USAP-CMA and progress made in resolving identified deficiencies, and improving the global EI of the eight CEs and the global compliance with Annex 17 Standards and security-related provisions of Annex 9 to the Chicago Convention; and

s) facilitating and coordinating support functions for all USAP-CMA activities and performing quality

control measures of all aspects of the USAP-CMA to ensure standardization, fairness and transparency in the activities of the programme.

4.2.4 C/ASA monitors the conduct of all USAP-CMA tasks to ensure that they are carried out effectively and identifies any required corrective or preventive actions.

Chapter 4. Programme management 4-3

Roles and responsibilities of other sections 4.2.5 Other sections within the ICAO Secretariat provide technical support to the USAP-CMA by: a) providing input for the amendment of USAP-CMA PQs and the development of related guidance

material; b) providing consultation for the review and confirmation of findings and SSeCs, when needed; c) developing and maintaining the USAP-CMA software; d) providing information to ASA regarding assistance projects and the readiness of States for

USAP-CMA activities; and e) supporting training, seminars and activities related to the USAP-CMA.

Roles and responsibilities of the ICAO Technical Cooperation Bureau (TCB) and ROs 4.2.6 Member States have a responsibility under the Chicago Convention for the security of their aviation industry, airspace and infrastructure. While the USAP-CMA assesses a State’s capability to oversee its aviation security activities and determines its degree of compliance with the applicable SARPs, ICAO also has a mandate to assist States, where possible, in establishing effective aviation security and oversight systems. 4.2.7 The ICAO Technical Cooperation Bureau (TCB) maintains prime responsibility for providing technical assistance to States, when requested and as required. In addition, ISD-SEC may provide urgent immediate technical assistance to States under the Implementation Support and Development – Security Programme. Finally, ASA, through its auditors, may also provide on-site technical advice to States. 4.2.8 The ROs play an important role in assisting with the preparation and conduct of USAP-CMA activities, facilitating effective communication between ICAO Headquarters and States and providing advice and assistance to States, as required. The relevant Regional Officer, Aviation Security and Facilitation (ROASF) may, for example, assist a State in resolving identified deficiencies where requested and coordinated through ICAO Headquarters, and assist with the preparation and delivery of USAP-CMA training and certification courses and regional seminars. The key responsibilities of the ROs within the USAP-CMA with respect to the States they are accredited to, include, but are not limited to: a) facilitating the exchange of information between ICAO Headquarters and States; b) providing input to ASA on the selection and prioritization of USAP-CMA activities; c) assisting in the coordination of the regional implementation of the USAP-CMA with ICAO

Headquarters; d) instituting follow-up discussions with States on the development and implementation of their CAPs;

and e) ensuring that corrective actions are taken by States in their regions in a timely manner.


4.2.9 When practicable, ROASFs will be trained and subjected to the certification process as ICAO USAP-CMA auditors. This will benefit the programme by ensuring the continuing availability of expertise within the regions. ROASFs may participate in USAP-CMA audits as assigned and coordinate regional activities related to the USAP-CMA. However, given the need to maintain a strict separation between ICAO’s audit and assistance activities and to prevent any potential conflict of interests, ROASFs generally should not be involved in both audit and assistance activities for the same States within their regions.

4.3 ROLES AND RESPONSIBILITIES OF MEMBER STATES 4.3.1 The success of the USAP-CMA depends on the cooperation of States and their participation in the programme. Member States shall sign an MoU with ICAO to confirm their full support of and participation in the USAP-CMA process by taking part in all USAP-CMA activities and by committing to provide information related to the establishment and implementation of their aviation security and oversight systems, as requested by ICAO, and taking into consideration the recommendations of the USAP-CMA audit report in the development of a State-specific CAP. 4.3.2 According to the MoU, States shall: a) complete and maintain up to date the SASAQ and the CCs; b) provide updates on the implementation of specific USAP-CMA PQs; c) implement and provide updates and evidence related to the implementation of CAPs addressing not

satisfactory PQs; d) take appropriate and timely action to resolve SSeCs; and e) provide other relevant information, as requested by ICAO, such as national-level aviation security

legislation and airport-level aviation security procedures and practices. 4.3.3 Each Member State shall facilitate USAP-CMA on-site activities by accepting the dates and scope of USAP-CMA activities and by: a) making appropriate staff from its administration responsible for the regulation and oversight of aviation

security activities and matters related to facilitation, as well as relevant staff of airport operators, locally based commercial air transport operators and any other entities responsible for the implementation of aviation security measures available for interview by the USAP-CMA audit team;

b) making all relevant files, records and documentation of the appropriate authority for aviation security

and those of any other relevant entities responsible for aviation security and facilitation matters, including national legislation, programmes and regulations related to aviation security and facilitation, quality control activity records, airport-level programmes, procedures and internal quality control activity records, available for review by the USAP-CMA audit team; and

c) providing the USAP-CMA audit team access to aerodrome facilities and restricted areas of the airport

for observation of aviation security measures implemented by all relevant entities. 4.3.4 The State should also facilitate the audit process by ensuring that the USAP-CMA audit team has a private work space and access to electronic communications media such as the Internet.


Roles and responsibilities of National Coordinators (NCs) 4.3.5 In order to support the USAP-CMA and facilitate related activities, each State is responsible for designating an NC to act as a primary point of contact for all USAP-CMA processes and activities on an ongoing basis. States are responsible for providing ICAO with updates and information, through their NCs, upon request. Each State should advise ICAO whenever there is a change in a designated NC. The NC is responsible for submitting, maintaining and/or updating the information to be provided by the State to ASA on an ongoing basis, including, but not limited to: a) PQ compliance status; b) CAPs; c) corrective actions taken by the State to resolve or mitigate SSeCs; d) SASAQ; e) CCs; and f) other relevant information, as requested by ICAO. 4.3.6 The TL will work directly with the NC as designated by the Member State. The NC should be familiar with all aspects of the national aviation security and oversight systems, including all programmes and requirements, and knowledgeable about the airport(s) to be visited by the USAP-CMA audit team. The NC should also be knowledgeable about the entities responsible for the implementation of the security-related provisions of Annex 9, as well as all security-related operations (e.g. access control measures, screening procedures, cargo and mail, etc.). 4.3.7 The NC will be involved in every phase of the conduct of the USAP-CMA activity and will be kept informed of the USAP-CMA audit team’s preliminary findings during daily meetings with the TL. The NC may be invited by the USAP-CMA audit team to provide assistance and clarifications but should not seek to influence the audit’s outcome. 4.3.8 For facilitation purposes, the NC may decide to delegate some of his/her duties and tasks to a local and/or airport representative (e.g. hotel reservations, escort of the USAP-CMA audit team, etc.). However, the overall responsibility remains with the NC who is the main representative of the Member State for the purpose of the USAP-CMA. 4.3.9 Prior to the USAP-CMA on-site activity, the NC will be required to: a) act as the link between the Member State and both C/ASA and the TL; b) ensure that the TL’s requests are fully understood and met; c) inform and assist the USAP-CMA audit team with regard to the State’s entry requirements; d) ensure the availability of a Technical Liaison Officer (TLO) (see the role of a TLO in 4.3.14 – 4.3.16)

for the purpose of answering any equipment-related questions; e) adequately inform the airport authority and other entities to be involved in the USAP-CMA activity

(e.g. aircraft operators, cargo handlers, catering companies and/or immigration authorities, as appropriate) about the USAP-CMA activity objectives, procedures, dates and schedule;


f) organize appointments for the USAP-CMA audit team, including meetings with representatives of organizations other than the appropriate authority for aviation security that have a direct role in either oversight or implementation of the national aviation security system or implementation of the security-related provisions of Annex 9;

g) ensure that all details of the USAP-CMA daily work plan (e.g. meetings and escorts) are arranged and

confirmed before the USAP-CMA audit team’s arrival; h) provide the TL with adequate information, such as records of quality control activities, airport

diagrams, flight schedules, etc; i) assist in making hotel reservations for the USAP-CMA audit team, as requested; j) reserve meeting rooms for the national briefing and post-audit debriefing; k) ensure coordination with the airport authority and other relevant entities with regard to completion of

the SASAQ and CCs; l) ensure that the SASAQ and CCs are completed by the Member State and sent back to C/ASA along

with associated documentation in due time; m) provide USAP-CMA audit team participants with airport identification cards and access permits, as

applicable; n) ensure the availability of an appropriate escort at all times during visits to the airport(s) (escort(s)

should have adequate means of communication); o) obtain protective clothing (e.g. high-visibility jackets) for USAP-CMA audit team participants according

to national regulations; p) ensure that transportation is available for the duration of the USAP-CMA on-site audit; and q) ensure that printing facilities are available to photocopy and print, as necessary, any documents the

USAP-CMA audit team might need. 4.3.10 During the USAP-CMA on-site activity, the NC will be required to: a) facilitate the work of the USAP-CMA audit team (e.g. translation, interpretation and/or ensuring access

to all required documentation); b) ensure that the airport authority and other entities involved in the USAP-CMA cooperate fully with the

USAP-CMA audit team; c) escort the USAP-CMA audit team during the mission without interfering with its work and/or ensure

that appropriate escorts are available when the USAP-CMA audit team requires them; and d) respond to the USAP-CMA audit team’s requests for clarification concerning information with respect

to the national/airport aviation security organization and security measures, practices and procedures.


4.3.11 The NC should be available at all times during the USAP-CMA on-site activity. He/she will be briefed daily on the work and findings of the USAP-CMA audit team but will not attend any internal discussions of the USAP-CMA audit team. As far as practicable, the TL and the NC will liaise closely to facilitate preparation for the USAP-CMA activity, discussing any information related to the USAP-CMA PQs that may not be possible to be verified prior to the USAP-CMA audit team’s arrival. 4.3.12 As far as possible, representatives from the USAP-CMA audit team will share a common language with the audited State, airport authority, aircraft operators, regulated agents, etc., being interviewed. When necessary, interpreters should be made available by the State for the duration of the USAP-CMA mission. Ideally, the interpreters should have a basic knowledge of aviation security terminology. 4.3.13 After the USAP-CMA on-site activity, the NC should be available to clarify/confirm any information required by the TL related to the USAP-CMA activity completed.

Roles and responsibilities of Technical Liaison Officers (TLOs) 4.3.14 The Member State should identify a TLO to act as the USAP-CMA on-site audit team’s point of contact for all technical matters, such as to demonstrate to the USAP-CMA auditors technical procedures in place and provide security equipment-related information. The State may appoint more than one TLO considering the field of expertise. The technical component of the USAP-CMA on-site activity has the following objectives: a) verify whether security equipment standards, which include equipment types, performance

capabilities, minimum detection settings, testing and agreed levels of performance, as well as specifications of performance test pieces, have been adopted by the Member State and the audited airport;

b) obtain evidence that these standards are in routine use, have been implemented in a manner that

complies with the national requirements, and are verified through the national quality control process; and

c) check the evidence obtained by assessing particular pieces of equipment to ensure that they conform

to the requirements. 4.3.15 Prior to the USAP-CMA on-site activity, the TLO will be required to: a) organize appointments for the USAP-CMA audit team with appropriate staff concerning technical

issues; b) ensure coordination with the airport authority/appropriate authority with regard to the answers to the

SASAQ; and c) ensure that persons (e.g. representatives of police, private security companies, etc.) to be met by the

USAP-CMA audit team are informed about the objectives and procedures of the USAP-CMA activity. 4.3.16 During the USAP-CMA on-site activity, the TLO will be required to: a) organize a presentation of relevant documentation and items, such as routine test reports and test

pieces, for/review/observation by the USAP-CMA audit team; b) facilitate the work of the USAP-CMA audit team (e.g. translation, etc.);


c) escort the USAP-CMA audit team, as required, without interfering with its work; d) clarify any questions the USAP-CMA audit team might have on the security screening equipment,

performance tests, etc; and e) facilitate cooperation with the airport authority or other entities, as required. 4.3.17 The TLO should be available for the USAP-CMA audit team at all times during the USAP-CMA on-site activity but will not be allowed to attend any internal discussions of the USAP-CMA audit team, such as its daily internal debriefing. After the USAP-CMA on-site activity, the TLO should be available to clarify/confirm any information required by the USAP-CMA activity TL concerning the equipment and security procedures at the audited airport.

4.4 ROLES AND RESPONSIBILITIES OF REGIONAL AVIATION SECURITY OVERSIGHT ORGANIZATIONS

4.4.1 ICAO supports the establishment of regional aviation security oversight organizations performing aviation security oversight-related activities on behalf of a group of Member States. Activities performed by such organizations may include: a) harmonization of legislation and regulations; b) development of comprehensive and detailed procedures; and c) selection and training of a regional core of qualified and experienced inspectors to perform a full range

of aviation security oversight activities on behalf of participating States. 4.4.2 If a regional aviation security oversight organization performs security-related activities on behalf of Member States, ICAO, with the consent of participating States, may elect to enter into a working arrangement with this organization to facilitate the monitoring of those States.

4.5 MEMORANDUM OF UNDERSTANDING (MoU) 4.5.1 An MoU signed between each Member State and ICAO establishes the official agreement outlining the terms and responsibilities of the Member State and ICAO in the effective implementation and maintenance of the USAP-CMA and conduct of USAP-CMA activities. The signed MoU represents the commitment of the Member State concerned not only to participate in USAP-CMA activities but also to take into consideration the recommendations of the USAP-CMA audit team in developing and implementing a State-specific CAP. The generic MoU, approved by the ICAO Council, is set forth in Appendix A. 4.5.2 Prior to the conduct of a USAP-CMA activity, all ICAO Member States shall return to ICAO two signed copies of the Model MoU approved by the Council (see Appendix A). These two copies will be countersigned by the Secretary General of ICAO, and one signed copy will be returned to Member States. The Model MoU is available for downloading on the ATB-USAP-MOU secure website at http://portallogin.icao.int/.


4.5.3 The signed MoU will confirm that the USAP-CMA activities will be conducted in accordance with the terms specified in the MoU and on the basis of the criteria contained in this manual. No USAP-CMA activity will be undertaken unless an appropriately signed MoU has been returned to ICAO and further countersigned by the Secretary General of ICAO. Member States that do not sign and submit two signed copies of the MoU to ICAO shall be reported to the ICAO Council. All other Member States shall also be informed of the State’s refusal to sign the MoU and participate in the USAP-CMA.

4.6 PLANNING AND SCHEDULING 4.6.1 In accordance with the principle of universality, all Member States are subject to continuous audit and monitoring activities by ICAO, though the priorities, frequency, type and scope of such activities vary based on each Member State’s specific circumstances. Under the USAP-CMA, ASA uses defined criteria to select and prioritize States for the conduct of the appropriate type of USAP-CMA activity. These activities, as defined in 3.4, are part of the strategy for promoting the enhancement of global aviation security on a continuous basis. 4.6.2 ASA selects and prioritizes States for USAP-CMA activities through the planning and scheduling process. The USAP-CMA annual activity plan is established in accordance with criteria that use the State’s USAP-CMA key parameters. These parameters include various risk and performance indicators, as well as certain critical information, impacting on the selection and prioritization of States for USAP-CMA activities. The State’s USAP-CMA key parameters cover the following areas: Risk information • Level or nature of activity inconsistent with security oversight capability; • Security incidents linked to deficiencies in a State’s security oversight responsibilities and obligations; • State security record - acts of unlawful interference; • Failure or refusal to participate in significant aspects of the USAP-CMA process, including, but not

limited to, preparation, conduct and reporting requirements; • Failure to resolve the critical security-related deficiencies identified during the USAP-CMA activity,

such as SSeCs. Performance information • Results of the previous USAP activity; • State Compliance Indicator; • State Oversight Indicator; • Existing or potential SSeCs; • Level of acceptability of the State’s CAP; • State’s CAP implementation progress.


Critical information • Number of airports in the State serving international civil aviation; • Number of aircraft operators providing service from the State; • Annual number of aircraft movements; • Annual number of originating and transfer passengers; • Annual volume of exported cargo and mail; • Significant development in the State's aviation security and oversight systems; • ICAO assistance activities in the State; • Time elapsed since the last USAP activity. Note.— Risk information should not be confused with threat and risk assessment, as described in the Aviation Security Manual (Doc 8973 — Restricted), and is used for the purpose of determining the priorities in planning and scheduling of USAP-CMA activities in conjunction with performance information and critical information. 4.6.3 In applying the above criteria, certain operational and technical factors influence the selection and scheduling process, such as: a) regional balance in terms of the percentage of States audited within each ICAO region; b) aviation security concerns and other information made known by ROs, other ICAO sections or the

States to be audited; c) State requests to be audited; d) information shared by recognized international organizations; e) geographical proximity and ease of transportation between States; f) the availability of USAP-CMA TLs and TMs; g) field security status reports from the office of the United Nations Department of Safety and Security;

and h) the activity schedule of the ICAO USOAP-CMA and the audit schedules of other regional aviation

security audit programmes. 4.6.4 States’ USAP-CMA key parameters will be monitored and analysed on an ongoing basis by ASA, and the priorities and frequency of USAP-CMA audit and monitoring activities for each State will be determined accordingly. 4.6.5 If a regional entity is empowered by a group of States with legal authority and responsibility to regulate and/or oversee aviation security activities in those States, ICAO, with the consent of those States, may elect to enter into a working arrangement with this regulatory and/or oversight entity to facilitate the monitoring of aviation security oversight and compliance capabilities of the States Members of the regional group.


4.6.6 ICAO publishes an annual schedule of USAP-CMA activities, identifying the States that will receive USAP-CMA on-site and off-site activities. The annual schedule and its amendments are provided to States via EBs posted on the ICAO-NET and the USAP secure website. 4.6.7 In addition to USAP-CMA activities in the periodic schedule, ICAO will consider specific requests from States for cost-recovery audits. The type, scope and scheduling of any such cost-recovery audit shall require agreement between ICAO and the State, and will be assessed by ICAO on a case-by-case basis. The methodology for conducting USAP-CMA cost-recovery audits will be the same as for compliance-focused audits or oversight-focused audits, as applicable. The results of these cost-recovery audits will be treated in the same manner as the results from regularly scheduled USAP-CMA activities. States requesting cost-recovery audits will be expected to provide logistical assistance in making travel arrangements for the USAP-CMA audit team participants and to cover all travel-related costs, local transportation and the daily subsistence allowance (DSA). For regularly scheduled USAP-CMA on-site audits, ICAO will be responsible for the cost of transportation to and from the State, as well as for the DSA of all USAP-CMA audit team participants. Note.— The DSA is based on rates established by the United Nations and includes accommodation, meals and incidental expenses. 4.6.8 ICAO will notify selected States at least 120 calendar days prior to the scheduled USAP-CMA activity through a State notification letter signed by the Secretary General of ICAO providing the name(s) of the airport(s) selected for observation, if applicable. States are required to acknowledge receipt of the State notification letter and confirm their acceptance of the USAP-CMA activity within 30 days after receipt of the notification letter. 4.6.9 According to the MoU, Member States are urged to accept scheduled USAP-CMA activities without any changes, unless there are compelling reasons not to do so. However, should changes be required, adjustments may be made to the programme schedule to ensure the overall effectiveness and efficiency of the USAP-CMA. 4.6.10 If a State needs to make any changes to the programme schedule, the State is required to advise ICAO of its inability to accept a scheduled activity as soon as possible after ICAO publishes an annual schedule of USAP-CMA activities and, in any event, within 30 days after receipt of the State notification letter. In addition, the State shall clearly indicate the compelling reasons for not accepting or postponing the USAP-CMA activity as initially scheduled. 4.6.11 USAP-CMA activity deferrals are strongly discouraged as they have an adverse impact on the overall schedule of USAP-CMA activities and cause considerable difficulty for ICAO and other Member States affected by the schedule change. A request for deferral should be addressed to the Secretary General and should be signed by the designated appropriate authority of the State or his/her designee, clearly stating the compelling reason for not accepting the USAP-CMA activity as scheduled. 4.6.12 Although everything possible will be done to maintain the activity schedule, changes to activity dates may occur for reasons beyond ICAO’s control. Additionally, once a TL and TMs are assigned to an activity, all efforts will be made to avoid changes to the composition of the USAP-CMA audit team, specifically the TL. 4.6.13 ICAO will submit requests for the release of short-term seconded auditors by States at least 90 days before the start of the USAP-CMA on-site activity. In order to facilitate planning and scheduling, all auditors will be requested to provide their non-availability dates as early as possible.


4.7 PROGRAMME RECORDS 4.7.1 All supporting documentation, correspondence, notes, records and other information relating to USAP-CMA activities are obtained, managed and filed by ASA through an established and controlled system. 4.7.2 At the end of each mission, all TMs shall submit all supporting documentation and notes from the mission to the TL. TMs shall also ensure that at the end of the mission and before their departure, all information in electronic format is deleted from their computers. 4.7.3 TMs are responsible for their own material until it is given to the TL. The TL is also responsible for his/her notes and materials from the USAP-CMA activity, and for those handed over by TMs, as applicable, until they are submitted to ASA. 4.7.4 At the end of the mission, the TL shall submit the following documents and records to ASA (preferably an electronic version) for processing and filing according to established procedures: a) PQ Worksheets duly completed by the TL and TMs; b) draft preliminary findings and recommendations; c) draft preliminary SSeCs, if applicable; d) supporting evidence and documentation submitted by the State, including primary aviation security

legislation, programmes and regulations; and e) any other relevant documents used in the preparation and conduct of the USAP-CMA activity. 4.7.5 ASA maintains supporting documentation, notes and records pertaining to USAP-CMA activities for a minimum of five years. USAP-CMA activities reports are retained electronically for an indefinite period.

4.8 PROGRAMME QUALITY MANAGEMENT 4.8.1 An internal quality assurance process has been established and implemented within ASA to ensure standardization, consistency and confidence of delivery of all aspects of USAP-CMA activities, including their preparation, conduct and reporting. The process encompasses the review of auditing standards and procedures and the guidelines for their application during USAP-CMA activities, as well as a quality control review of all written materials produced by ASA. 4.8.2 ASA monitors the level of satisfaction of Member States that receive USAP-CMA activities through a State USAP-CMA activity feedback form that allows States to provide comments, complaints and suggestions for improvement regarding the planning, coordination, conduct and reporting of the USAP-CMA activity they have received. The TL shall provide a confidential State USAP-CMA activity feedback form to the State NC at the end of the USAP-CMA activity, requesting the State to complete and return it to C/ASA. 4.8.3 ASA also obtains feedback on USAP-CMA activities through the TL and TM mission reports, which provide comments and information on the conduct of USAP-CMA activities from preparation to conduct and assist ASA in improving USAP-CMA procedures and processes. 4.8.4 ASA maintains a record of all State, TL and TM feedback forms, related recommendations and actions taken by ASA to address issues and concerns.


4.9 CONFIDENTIALITY 4.9.1 In recognition of the special sensitivity of information related to aviation security, the USAP, from its inception, adopted the principle of confidentiality. In practice, this means that audit reports receive a security classification and are subjected to rigorous physical controls by ICAO. In accordance with established guidelines for the protection of sensitive security information, audit reports are strictly protected from release to any entity other than the appropriate authority for aviation security of the audited States and those with an operational need to know within ICAO, while the names of the States and airports audited are released to all Member States on a regular basis. All other records, notes and documents collected during, or related to an audit, remain confidential between the audited State and ICAO. In keeping with the principle of confidentiality, the 36th Session of the ICAO Assembly (Assembly Resolution A36-20, Appendix E refers) encouraged all States to share their audit reports and information on a bilateral or multilateral basis in order to promote mutual confidence in the level of aviation security between States. Assembly Resolution A36-20 has been reinforced with the inclusion of Recommended Practice 2.4.5 in Annex 17, whereby each Contracting State should share, as appropriate, and consistent with its sovereignty, the results of the audit carried out by ICAO and the corrective actions taken by the audited State, if requested by another State. To facilitate the exchange of information, ICAO regularly issues an audit activity report to Member States advising of States audited and airports visited under the programme. 4.9.2 The 36th Session of the Assembly also directed the Council to consider the introduction of a limited level of disclosure with respect to aviation security audit results, balancing the need for States to be aware of unresolved security concerns with the need to keep sensitive security information out of the public realm. Accordingly, the Council approved, in June 2008, a proposal to introduce a limited level of disclosure with respect to USAP second-cycle audit results, whereby a graphical representation depicting the level of implementation of the CEs of an aviation security oversight system for each audited State was posted on the USAP secure website. 4.9.3 The principle of confidentiality continues to apply to the USAP-CMA, as amended by the Council and based on the generic MoU between ICAO and a Member State regarding the USAP-CMA approved by the Council. The confidentiality principle stipulates that sensitive security information collected as part of the USAP-CMA will be protected from unauthorized disclosure. Accordingly, USAP-CMA audit reports are confidential and are only made available to the audited State and ICAO staff on a need-to-know basis. However, in the interest of promoting global aviation security, a limited level of disclosure applies whereby charts depicting the level of implementation of the CEs of an aviation security oversight system by a Member State and the indicative degree of compliance by a Member State with Annex 17 Standards, as well as information pertaining to the existence of unresolved SSeCs in a Member State, are made available to all Member States on the USAP secure website. States can then take specific actions as they deem appropriate, such as: a) request a copy of the relevant ICAO USAP-CMA audit report from the State in question, on the basis

of which further action/decisions may be initiated on a bilateral basis; b) engage in consultations to assist the State in question in improving its security measures; c) instruct their aircraft operators to take extra precautions and/or apply additional security measures

regarding flights to/from the State in question; and d) request additional security measures to be implemented by the State in question with respect to

specific flights. 4.9.4 All security-related information collected or generated during the USAP-CMA activity or as part of the USAP-CMA process, including answers to the SASAQ, CCs, PQ Worksheets filled in by the USAP-CMA audit team, auditor notes, and copies of the USAP-CMA audit reports will be marked as “sensitive security information”, stored and safeguarded at ICAO Headquarters with an appropriate level of protection in accordance with internal procedures developed by ASA for the protection of audit-related sensitive security information. Such information will be made


available only to the Member State concerned and to those within ICAO with an operational need to know, and then only when it has been determined by C/ASA that the individual has a specific need to know the information in order to perform his/her duties with respect to the USAP-CMA activities. When the sensitive security information is not being reviewed, it will be protected against unauthorized access by securing the information in an approved container or secure database, access to which is strictly limited. A list of persons provided access to the documents will be maintained. Sensitive security information will not be reproduced except for the functioning of the USAP-CMA, and then only as authorized by C/ASA. Copies will be numbered and accounted for. 4.9.5 The State USAP-CMA file, to be kept at ICAO Headquarters, will include, but may not be limited to, the following documents: a) completed SASAQ and associated documents; b) completed CCs; c) preliminary list of findings and recommendations made by the USAP-CMA audit team; d) State’s USAP-CMA key parameters; e) State USAP-CMA audit report; f) CAP submitted by the State (if required), including feedback by ASA; g) any other audit documents, such as PQ Worksheets and notes made by the auditors; and h) national- and airport-level documentation collected during the USAP-CMA audit as evidence. 4.9.6 All material used or generated during the USAP-CMA on-site activity shall remain confidential, including personal notes and draft reports prepared by the USAP-CMA audit team. All sensitive audit documents are considered the property of ICAO and shall be returned to ICAO upon completion of the USAP-CMA on-site activity. USAP-CMA audit team participants are to maintain strict confidentiality in respect of audit-related information and in particular the content of audit reports. TMs shall not: a) leave printed or handwritten notes behind when performing on-site activities and must dispose of them

appropriately; b) make personal copies of any documents provided to them by the State, nor share any information

contained therein with any person other than the TL, TMs, State officials and counterparts concerned, and then only to facilitate the USAP-CMA activity;

c) be allowed to keep any handwritten or electronic documents concerning the audit performed and are

prohibited from using any information gained during the USAP-CMA activity for their own and/or national purposes.

4.9.7 In this respect, as with other issues relating to confidentiality of USAP-CMA activities, TMs should adhere to The ICAO Service Code (Doc 7350/9), Staff Regulation 1.8, which states that: Staff members shall exercise the utmost discretion in regard to all matters of official business. They shall

not communicate to any person any information known to them by reason of their official position which has not been made public, except in the course of their duties or by authorization of the Secretary General. They shall not at any time use such information to private advantage. These obligations do not cease upon separation from service.


4.9.8 The ICAO Service Code (Doc 7350/9), Staff Regulation 1.4 states that: Staff members shall conduct themselves at all times in a manner befitting their status as international civil

servants. This is binding for all TMs with respect to all their assignments as USAP-CMA activity TMs, and is applicable to all information received in any form as a result of their association with the USAP-CMA. 4.9.9 Information regarding a refusal by a State to undergo a USAP-CMA audit, a deferral of the USAP-CMA audit, or a refusal to comply with the terms of the relevant MoU, is not treated as confidential.

4.10 LANGUAGE 4.10.1 USAP-CMA activities will be conducted in English, French or Spanish. Member States shall indicate which of these languages they wish to be used for the conduct of the scheduled USAP-CMA activities and for communicating with ASA. 4.10.2 In the case of USAP-CMA on-site activities, if the ICAO working language of the State is one of the remaining three ICAO working languages (Russian, Arabic or Chinese), every effort will be made to ensure that at least one TM participating in the activity has command of the ICAO working language of the State concerned. 4.10.3 USAP-CMA activities in Member States whose language is not one of the ICAO working languages may be conducted with the assistance of an interpreter. Note.— Use of interpreters in the USAP-CMA on-site activity with the purpose of facilitating communications between the State and the USAP-CMA audit team is at the discretion of the State. 4.10.4 Interpretation and translation support during the conduct of USAP-CMA on-site activities shall be provided by Member States. 4.10.5 To facilitate timely and effective review, any documentation submitted by a State to ASA, including primary aviation security legislation, programmes and regulations, should be in one of the ICAO working languages, but preferably in the language of the USAP-CMA activity. 4.10.6 The USAP-CMA activity report will be forwarded to the State in the ICAO working language selected by the State for the conduct of the USAP-CMA activity. If the ICAO working language of the State is Russian, Arabic or Chinese, the USAP-CMA activity report will be translated into the corresponding ICAO working language of the State, and additional time will be allocated, as required.

4.11 RESOLUTION OF DISPUTES 4.11.1 In performing duties related to the USAP-CMA, all assigned personnel shall aim to prevent disputes by working closely with their State counterparts as transparently and fairly as possible. 4.11.2 Disputes may arise during a USAP-CMA activity process. For example, there could be a dispute between TMs, or a dispute between the audited State and the USAP-CMA audit team concerning the: a) adherence to the USAP-CMA procedures;


b) findings in the post-audit debrief and/or USAP-CMA audit report; and/or c) recommendations in the USAP-CMA audit report, whether as a result of the interpretation of Annex 17

Standards or security-related provisions of Annex 9, or otherwise. 4.11.3 In the case of a dispute within a USAP-CMA audit team, the TL has veto power to resolve the disagreement. If necessary, an incident report outlining the circumstances of the dispute may be attached to the TL and/or TM mission report that is forwarded to C/ASA. 4.11.4 In the case of a dispute between the audit team and the audited State at any stage of the USAP-CMA process that cannot be resolved by the assigned personnel, the dispute shall be reported to C/ASA, who will work to facilitate an amicable resolution, failing which the issue may be referred to an appropriate authority within ICAO for consideration and resolution. 4.11.5 In any case where the audited State proposes not to implement a recommendation because it disagrees with the findings of the USAP-CMA audit team or the interpretation of the Annex 17 Standards or security-related provisions of Annex 9 by the USAP-CMA audit team, it will cooperate with ICAO to resolve that disagreement. 4.11.6 In all cases, audited States are given an opportunity to submit comments and feedback on the report. The audit report may be revised as a result of this feedback.

______________________

5-1

Chapter 5

USAP-CMA AUDIT TEAMS

5.1 USAP-CMA AUDIT TEAM COMPOSITION 5.1.1 USAP-CMA audit teams are assigned by C/ASA and consist of a TL and a number of TMs, as required, covering the scope of the USAP-CMA activity to be conducted. USAP-CMA on-site audit teams normally consist of a TL and three TMs and may be augmented or reduced depending on the scope of the USAP-CMA activity and the complexity of civil aviation operations in the State. USAP-CMA off-site audit teams consist of a TL only. 5.1.2 USAP-CMA audit teams will be assigned for each USAP-CMA activity, and although the same auditors may be involved in multi-State missions, the audit team structure may change for each activity. The USAP-CMA audit team will be comprised to ensure that both a high level of expertise is available, and the requirements of objectivity and fair geographical representation are met. Prior to the commencement of a USAP-CMA activity, the State will be advised of the USAP-CMA audit team’s composition in sufficient time to have the opportunity to provide any desired feedback to ICAO and to be able to facilitate applications for visas and other administrative matters. 5.1.3 With the exception of the TL, the USAP-CMA activity TMs will remain employees of their nominating Member State. As such, it is necessary for each TM to look to his/her own insurance arrangements to ensure adequate medical coverage while participating in a USAP-CMA activity. 5.1.4 During their period of service on a USAP-CMA assignment, all TMs are considered as international officials working under the auspices of ICAO and representing only ICAO for the entire duration of the USAP-CMA activity. They must clearly understand that they are not, in any sense, serving as representatives of a national government. All TMs are entitled to privileges and immunities granted to ICAO staff on mission and are subject to The ICAO Service Code (Doc 7350/9). Each TM will be required to sign the ICAO Code of Conduct Form for Auditors set forth in Appendix D, which defines the responsibilities, including, but not limited to, confidentiality requirements undertaken by any person participating in a USAP-CMA audit team. 5.1.5 The minimum qualifications and experience requirements to be met for certification as a USAP-CMA auditor, along with the requirements for maintaining certification, are set forth in Appendix B. No individual may participate as a TL or a TM in a USAP-CMA activity unless they have met these specific requirements. 5.1.6 ASA maintains a roster of certified auditors. The members of each USAP-CMA audit team are selected from this roster based on their availability, up-to-date training status and currency to conduct USAP-CMA activities. The roster of certified auditors provides information on the qualifications, roles (as TM or TL), languages and any special skills, knowledge or abilities possessed by each auditor. It also tracks the records of their initial, on-the-job and recurrent training and the USAP activities carried out by each auditor. Such records will facilitate the assignment of auditors and help determine recurrent training requirements. The geographical location of each auditor is also indicated to facilitate planning and scheduling and to minimize travel costs for each on-site activity. 5.1.7 On occasion, ICAO may wish to include observers in the USAP-CMA on-site activity. Such observers do not participate in the USAP-CMA activity in an official capacity as TMs and shall only observe the interaction of other TMs with State counterparts. If ICAO wishes to include an observer, the State must be notified before the start of the on-site activity and must agree with the participation of the observer. Non-ICAO observers are not privy to the State’s confidential information and are not entitled to any privileges and immunities granted to staff representing ICAO while on mission.


5.2 TRAINING AND CERTIFICATION OF AUDITORS 5.2.1 Assessment of the implementation of the CEs of a State’s aviation security oversight system, Annex 17 Standards and security-related provisions of Annex 9 to the Chicago Convention requires an understanding of how each CE or ICAO provision may be implemented. USAP-CMA auditors are required to undergo training in order to standardize the working methodology used for achieving the programme’s goals, and to obtain the information and documentation required to be fully conversant with the programme. To ensure commonality of purpose among USAP-CMA auditors, each aviation security expert nominated by a State is required to successfully complete training and certification prior to any assignment as a USAP-CMA TM. 5.2.2 USAP-CMA training procedures define and establish the criteria related to the acceptable qualifications of auditors, based on a combination of their education, work experience, technical background and training. ASA conducts and oversees USAP-CMA auditor training and certification. Each aviation security expert nominated by a State will be required to successfully complete both training and certification prior to any assignment as a USAP-CMA activity TM. 5.2.3 The objective of the USAP-CMA auditor training and certification course is to provide the participants with a thorough knowledge and understanding of the methodology, tools and techniques used by ASA for the conduct of activities under the ICAO USAP-CMA. A candidate who meets the basic minimum qualifications for a USAP-CMA auditor may be nominated to undergo the ICAO USAP-CMA auditor training and certification process. The description of the USAP-CMA auditor training and certification course, including the prerequisites for participation and criteria for initial certification, is set forth in Appendix B of this manual. 5.2.4 Auditors who have successfully completed the USAP-CMA Auditor Training and Certification Course receive on-the-job training (OJT) during the USAP-CMA on-site activity from a USAP-CMA activity TL who evaluates the auditor’s performance, competency and ability to conduct assigned tasks, and reports the OJT results to C/ASA. The TL makes a recommendation to C/ASA regarding the auditor’s readiness to participate in future USAP-CMA activities as a TM. 5.2.5 C/ASA reviews the auditor’s input to the activity results along with the TL’s report and decides on the auditor’s participation in future USAP-CMA activities as a TM. C/ASA approves auditors who have successfully completed all required training and adds them to the roster of certified auditors. Training, certification and OJT records are considered in future decisions about assignment of TMs to USAP-CMA activities. 5.2.6 ASA maintains a consolidated, current list of certified USAP-CMA auditors. This list contains records of initial and recurrent training, ICAO USAP-CMA activities performed, and any special skills, knowledge or abilities with respect to each certified auditor. Such records facilitate the assignment of auditors and help determine recurrent training and recertification requirements. Information related to the maintenance of certification as a USAP-CMA auditor is included in Appendix B.

5.3 TEAM LEADERS 5.3.1 C/ASA will appoint a USAP-CMA activity TL for each USAP-CMA activity. A USAP-CMA activity TL must be an ASA staff member, whether on a long- or short-term contract. C/ASA will take into consideration the qualifications, language abilities, experience and relations with other TMs when assigning a TL for a USAP-CMA activity.

Chapter 5. USAP-CMA audit teams 5-3

5.3.2 The USAP-CMA activity TL assumes responsibility for all phases of the assigned USAP-CMA activity: preparation, conduct and reporting, in accordance with guidance and instructions provided by ASA, including those found in this manual. In addition to specific tasks assigned by C/ASA, a USAP-CMA activity TL’s responsibilities include: a) preparing for the USAP-CMA activity and coordinating related details with ASA and the State NC on

matters related to the conduct of the USAP-CMA activity; b) preparing the State-specific USAP-CMA audit plan for USAP-CMA on-site activities; c) communicating with the State regarding technical, administrative and logistical issues; d) liaising with ROs or regional civil aviation organizations, if required; e) communicating with and informing assigned TMs regarding the preparation phase and other pertinent

information; f) conducting a USAP-CMA on-site audit team briefing for the TMs prior to the national briefing with the

State appropriate authority; g) conducting a national briefing and a post-audit debriefing with the State appropriate authority; h) conducting a daily debriefing with the NC during the conduct of the USAP-CMA activity to share

results of the audit to date; i) conducting a daily meeting with the USAP-CMA on-site audit team to discuss the day’s activities, to

identify additional needs, and to prepare for the forthcoming day; j) immediately notifying C/ASA of any serious concerns encountered during the USAP-CMA activity,

such as potential SSeCs; k) collecting and consolidating TMs’ input for preparation of the USAP-CMA activity results and the draft

preliminary findings and recommendations; l) ensuring the quality of TMs’ input and collected evidence; m) ensuring the accuracy and quality of the contents of the draft preliminary findings and

recommendations; n) managing the USAP-CMA audit team’s workload and progress to accomplish the activity; o) providing leadership, guidance and support to TMs at all times during the USAP-CMA on-site activity; p) ensuring that the USAP-CMA audit team follows the USAP-CMA procedures and the ICAO Code of

Conduct for Auditors (Appendix D); q) collecting all evidence, contributions, notes, information, documents and forms from TMs and

submitting them to ASA; r) developing and submitting to C/ASA the draft USAP-CMA audit report in compliance with the

established timelines and requirements of ASA;


s) providing ASA with additional information and clarification during the report production phase, as required;

t) preparing the TL’s mission report; u) evaluating the performance and abilities of TMs and providing a completed evaluation form to C/ASA

for each TM; v) providing OJT to TLs and TMs in training; w) submitting to C/ASA all confidential documents and notes collected during the USAP-CMA activity

process; and x) participating in USAP-CMA auditor training and certification courses as an instructor. 5.3.3 Each TL is also assigned to cover one (or more) of the audit areas within the scope of the USAP-CMA on-site activity, except in cases where the size and complexity of the State requires a large audit team and a dedicated TL.

5.4 TEAM MEMBERS 5.4.1 USAP-CMA activity TMs are assigned to a specific activity by C/ASA and are responsible to the USAP-CMA activity TL. TMs are selected from the roster of certified auditors available to C/ASA. 5.4.2 As representatives of ICAO, TMs are required to be free from bias and influences that could affect their objectivity as USAP-CMA activity TMs. They must maintain independence from the audited State. They must always remain within the scope of the USAP-CMA activity, display integrity, exercise objectivity and remain alert to any indication of evidence that may have an adverse impact on the activity result. TMs are to cooperate and comply with the TL’s requirements and instructions and to carry out their assigned duties with objectivity, confidentiality, and in an ethical manner. They must act in accordance with the ICAO Code of Conduct for Auditors (Appendix D) at all times. They must also be guided by the auditing principles described in 2.4. 5.4.3 In addition to the specific tasks assigned by C/ASA or the USAP-CMA activity TL, the USAP-CMA on-site audit TM’s responsibilities include: a) communicating and clarifying USAP-CMA activity requirements; b) planning and carrying out assigned responsibilities effectively and efficiently; c) collecting, assessing and submitting evidence; d) documenting all findings and observations; e) coordinating with and assisting other TMs; f) completing PQ Worksheets in their assigned audit areas and determining the status of those PQs; g) participating in, and contributing to, all briefings and meetings, including the daily presentation of work

progress made in the various audit areas; h) providing input to the draft preliminary findings and recommendations;


i) submitting all evidence, contributions, notes, information, documents and forms by the deadlines specified by the TL at the conclusion of the activity, in accordance with the requirements of ASA;

j) submitting to ASA, through the USAP-CMA activity TL, all confidential documents and notes pertaining

to the activity; k) submitting to C/ASA, through the USAP-CMA activity TL, a TM mission report; l) cooperating with and assisting the USAP-CMA activity TL at all times during the preparation, conduct

and completion of the USAP-CMA activity; and m) responding to ASA’s queries during the report production process. 5.4.4 Although the TL is responsible overall for ensuring that tasks are completed at the appropriate time during the activity, all TMs must be vigilant and support the TL and each other in achieving the goals and objectives of USAP-CMA activities.

5.5 COMPETENCIES 5.5.1 TLs and TMs shall possess the competencies required for conducting USAP-CMA activities, performing related tasks and applying USAP-CMA tools and procedures. Required competencies shall include: a) applying auditing principles and techniques; b) performing TL and TM responsibilities and functions; c) complying with USAP-CMA procedures and completing PQ Worksheets and mission report forms

related to the conduct of USAP-CMA audits; d) identifying and generating findings; and e) identifying and reporting SSeCs. 5.5.2 TMs are expected to have: a) recent work experience with an appropriate authority as an inspector in any one of the following audit

areas pertaining to USAP-CMA: 1) OPS; 2) IFS; 3) PAX; and 4) CGO.


b) working knowledge of the Chicago Convention and thorough knowledge of the ICAO documents used in conducting the USAP-CMA activities, such as the current editions of:

1) Annex 17 — Security; 2) Annex 9 — Facilitation; 3) Aviation Security Manual (Doc 8973 — Restricted); 4) Aviation Security Oversight Manual — The Establishment and Management of a State’s Aviation

Security Oversight System (Doc 10047); and 5) this manual. c) working knowledge and experience related to aviation security legislation, programmes and

regulations, and familiarity with internationally recognized regulatory systems; d) command of written and spoken English, French or Spanish; e) ability to write clearly and concisely; and f) ability to use office automation equipment and contemporary computer software. 5.5.3 It is desirable for TMs to have the following: a) knowledge of ICAO’s organization, functions and activities; b) aviation industry experience, such as with an airport or aircraft operator; and c) knowledge of one of the other working languages of ICAO (Russian, Arabic or Chinese).

5.6 CODE OF CONDUCT 5.6.1 All USAP-CMA auditors that participate in on-site activities, regardless of their role, are expected to maintain the highest standards of ethical and professional conduct, thus contributing to the effective completion of a USAP-CMA on-site activity. Their relationship with representatives of the audited State should be characterized by respect and professionalism. 5.6.2 The ICAO Code of Conduct for Auditors (Appendix D) defines the responsibilities of any person assigned to a USAP-CMA on-site audit team. It provides TMs with guidelines regarding their behaviour during and after a USAP-CMA on-site activity, such as the need for auditors to act fairly, avoid testing security measures, show respect for safety requirements, wear appropriate identification badges and maintain the confidentiality of the audit results. 5.6.3 USAP-CMA auditors should approach officials in the State undergoing the audit in a spirit of cooperation that conveys mutual concern about the potential threats to civil aviation and a desire to observe, learn, share information and work together in enhancing aviation security. USAP-CMA auditors should be sensitive to the State’s concerns, needs and resources available, and should present and conduct themselves at all times in a manner befitting their role as representatives of ICAO.


5.6.4 USAP-CMA auditors should at all times observe the laws, customs, and except in rare circumstances, the social norms of the host country. Alleged offensive language, gestures or other distasteful actions toward the local population may result in an investigation and, if substantiated, possible ineligibility to continue as a USAP-CMA auditor. USAP-CMA auditors should be sensitive to any differences in status or rank and conduct themselves accordingly. Courtesy and diplomacy are not merely helpful qualities to the successful attainment of the USAP’s goals — they are essential. 5.6.5 For safety reasons, USAP-CMA auditors should not draw undue attention to themselves and should blend into the local environment as much as possible. They should not engage in loud conversations or flaunt their citizenship unnecessarily through their dress, actions or words. It is imperative that USAP-CMA auditors never discuss their official business in public areas, while on public transportation, or with those who do not have an official need to know. 5.6.6 USAP-CMA auditors must become as familiar as possible with the State to be visited. This includes information concerning the language, basic history and geography, social customs and current political climate. Prior coordination with the TL to confirm the proposed itinerary, passport and visa requirements, inoculations and similar administrative details is essential. 5.6.7 Climate permitting, USAP-CMA auditors should conduct their official business in appropriate business attire. The TL should provide guidance on appropriate dress for the culture and climate of the State to be visited. In most cases, appropriate dress will be the business attire normally worn in the international community. In some locations, however, traditional business attire may be less formal or otherwise different. 5.6.8 Prior to departure, the USAP-CMA auditors should become thoroughly familiar with the information regarding general security conditions at the locations to be visited. Where applicable, the local United Nations Security Coordinator should be contacted to arrange an on-site briefing at the start of the audit mission. 5.6.9 A prerequisite for official travel by United Nations system personnel is successful completion of all required training, including Basic Security in the Field (BSITF) on-line training for all official travel and Advanced Security in the Field (ASITF) on-line training for official travel to any field location. All USAP-CMA auditors are required to successfully complete the BSITF and ASITF training courses and provide ICAO with a copy of their printed course certificates. BSITF and ASITF certificates are valid for three years, at which point USAP-CMA auditors must follow the courses again to recertify. 5.6.10 USAP-CMA TMs will be briefed by the TL on security conditions in the State to be audited and are expected to act on this information while also adhering to any requirements set forth by the State. 5.6.11 USAP-CMA TMs must adhere to the itinerary provided by the TL and be on time for all meetings or appointments made by the State. Any sightseeing, shopping, personal visits or other unofficial activities that occur at the expense of the USAP’s objectives will not be tolerated. 5.6.12 As a member of an audit team tasked with conducting the USAP-CMA activity, each USAP-CMA auditor is expected to participate in the audit to his/her fullest ability. 5.6.13 Each TM is responsible for documenting all information gathered through the review of documents, interview of relevant personnel and observation of measures and procedures by completing an electronic version of PQ Worksheets. Information gathered and documented during an audit should represent the TM’s most conscientious effort at objectivity, thoroughness and good judgement.

______________________

6-1

Chapter 6

USAP-CMA ACTIVITY PHASES AND PROCEDURES

6.1 USAP-CMA ACTIVITY PHASES The USAP-CMA activity is divided into the following three phases: a) preparation phase; b) conduct phase; and c) reporting phase.

6.2 PREPARATION PHASE 6.2.1 The USAP-CMA activity preparation phase starts when the ICAO Member State is formally notified of the conduct of a USAP-CMA activity by means of a letter signed by the ICAO Secretary General, at least 120 calendar days prior to the commencement of the planned USAP-CMA activity. The accredited ICAO RO is informed of the formal notification of a USAP-CMA activity and may be requested to follow up the initiative with the State. The notification letter specifies the dates and the type of planned USAP-CMA activity (on-site, i.e. oversight/compliance-focused audit, including the name(s) of the airport(s) selected for observation, or off-site, i.e. documentation-based audit). The USAP-CMA activity preparation phase concludes with the USAP-CMA audit team briefing prior to the opening national briefing with the State’s authorities, in the case of a USAP-CMA on-site activity, or on the starting date specified in the ICAO letter of notification, in the case of a USAP-CMA off-site activity. 6.2.2 The Member State is urged to give full support to ICAO by accepting the USAP-CMA activity as scheduled by ICAO by confirming, as soon as possible, the acceptability of the dates of the proposed USAP-CMA activity. In the notification letter, the Member State is also requested to submit to ICAO: a) no later than 60 calendar days prior to the start of the USAP-CMA activity, the duly completed SASAQ

designed to provide ICAO with preliminary information concerning the State’s aviation security and oversight systems, including the duly completed State Quality Control Activity Summary Form and the schedule of quality control activities for the previous calendar year and for the current year;

b) the duly completed CCs, reflecting State’s compliance with the SARPs of Annex 17 and

security-related provisions of Annex 9 to the Chicago Convention; c) the updated CAP, reflecting the progress made by the State in the implementation of corrective

actions since the last USAP audit and addressing the status of not satisfactory PQs; and d) appropriate documentation that will assist in the preparation of the USAP-CMA activity, such as the

State’s primary aviation security legislation, national-level aviation security programmes and regulations, and airport-level aviation security programmes and procedures.


Note.— The scope of documentation to be completed and submitted by the State may vary depending on the type of USAP-CMA activity, which will be clearly described in the notification letter to the State. 6.2.3 If available, the State’s primary aviation security legislation, specific aviation security regulations and national-level programmes, such as the NCASP, the NCASTP and the NQCP, should be provided at the same time as the SASAQ and CCs. This documentation should be provided in one of the official ICAO languages and preferably in the working language of the planned USAP-CMA activity. The provision of such documentation will also allow the USAP-CMA audit team to prepare and validate information prior to the conduct phase of the USAP-CMA activity. 6.2.4 C/ASA appoints a TL for each USAP-CMA activity at least six months prior to the commencement of the USAP-CMA activity. The TL is an ICAO staff member who is responsible for the: a) preparation, conduct and reporting of the assigned USAP-CMA activity in accordance with guidance

and instructions developed by ICAO; and b) provision of leadership and guidance to TMs in the case of a USAP-CMA on-site activity. 6.2.5 C/ASA also assigns TMs for a USAP-CMA on-site activity shortly after the appointment of the TL, normally three to six months prior to the commencement of a USAP-CMA activity. TMs are selected from the roster of ICAO-certified USAP-CMA auditors taking into consideration the geographical region, their area of expertise and the language of the USAP-CMA activity. The audit team size depends on the type and scope of the USAP-CMA activity, as well as the complexity of civil aviation activities in the State. 6.2.6 The State to be audited will be provided with the name(s) of the assigned TL and TMs approximately two months prior to any scheduled USAP-CMA activity and will have the opportunity to provide any desired feedback to ICAO. Any concerns the State may have regarding the composition of the USAP-CMA audit team may be raised and will be considered by C/ASA. The final composition of the USAP-CMA audit team will be provided to the State prior to any scheduled on-site activity in sufficient time to enable it to facilitate applications for visas and other administrative matters. Auditors nominated for participation in the USAP-CMA activity will receive a clear mandate and credentials letter from ICAO in order to act as representatives of ICAO for the purpose of the USAP-CMA activity. 6.2.7 Once the TL has been appointed by C/ASA, he/she will contact the NC appointed by the Member State to coordinate the preparation of the USAP-CMA activity. The TL will work directly with the NC who will represent the interests of the Member State for the purpose of the USAP-CMA activity. 6.2.8 Prior to the commencement of a USAP-CMA activity, the TL will conduct a review of the information provided in the SASAQ, CCs and updated CAP, as completed by the State, as well as previous USAP audit results and any documentation provided by the State. Differences filed by the State with respect to Annex 17 SARPs and security-related provisions of Annex 9 will also be reviewed at this time. This information will be confirmed or updated during the course of the USAP-CMA activity using the CCs that contain information on the State’s compliance with Annex 17 SARPs and security-related provisions of Annex 9, which the Member State shall complete and maintain up to date in accordance with the MoU. It should be noted, however, that the filing of a difference by a State with respect to any particular SARP will not preclude the possibility of an audit finding and recommendation being made with regard to the SARP concerned. 6.2.9 One of the objectives of the USAP-CMA activity preparation phase is to define the scope of the activity in terms of applicable USAP-CMA PQs to be addressed during the USAP-CMA activity. The type and scope of a USAP-CMA on-site audit, as well as the complexity of civil aviation activities in the State, define the amount of work to be performed on-site, which determines the size of the USAP-CMA audit team and the duration of the USAP-CMA activity. The TL confirms the scope and number of days scheduled for the USAP-CMA on-site audit to ensure that the assigned audit team will be able to accomplish the activity’s goals. If required, the TL may request C/ASA for adjustments to the duration of the activity or assignment of additional TMs.

Chapter 6. USAP-CMA activity phases and procedures 6-3

6.2.10 The TL determines the scope of the USAP-CMA activity in the form of a set of USAP-CMA PQs and forwards it to the NC, normally one month prior to the commencement of the USAP-CMA activity, for coordination with the State’s relevant national- and airport-level entities. These PQs may include, but are not necessarily limited to: a) PQs relating to processes that States should continuously implement; b) new PQs added since the previous USAP audit of the State, such as PQs relating to new Standards of

Annex 17 or security-related provisions of Annex 9; c) not satisfactory PQs from the previous USAP audit of the State; d) not applicable PQs from the previous USAP audit of the State to confirm/update the current status of

those PQs; and e) any PQs relating to information obtained from other sources that might indicate a change in the State’s

USAP-CMA key parameters. Note 1.— States may request ICAO to modify the scope of a USAP-CMA activity only in extreme circumstances and by providing ICAO with a valid justification. Note 2.— For USAP-CMA off-site activities, the status of certain PQs related to operational implementation of various security measures will be marked as undetermined. The status of such PQs will be assessed during USAP-CMA on-site activities. 6.2.11 For USAP-CMA off-site activities, the TL forwards the scope of the USAP-CMA activity to the NC in the form of USAP-CMA PQ Worksheets. The NC coordinates with the State’s relevant national- and airport-level entities the completion of PQ Worksheets within the established scope of the USAP-CMA activity and their subsequent submission to the TL. The evaluation of completed PQ Worksheets will be conducted by the TL during the conduct phase of the USAP-CMA off-site activity. 6.2.12 For USAP-CMA on-site activities, a State-specific audit plan will be developed by the TL based on the defined scope of the USAP-CMA activity and forwarded to the NC for coordination with State authorities prior to the commencement of the USAP-CMA activity. The TL also forwards the State-specific audit plan to all assigned TMs for information to assist them in preparing for the USAP-CMA on-site activity. The purpose of the State-specific audit plan is to outline in detail the proposed schedule of on-site activities (daily work plan), such as meetings, briefings and visits to concerned authorities, facilities and aviation security service providers, as well as to provide the State with the necessary administrative information related to the conduct of the USAP-CMA on-site activity. Last-minute modifications to the State-specific audit plan may occur, in which case the TL will inform the State authorities as soon as practicable. The daily work plan is submitted to the State for its consideration and agreement. It is approved during the national briefing with the State’s authorities. 6.2.13 The State-specific USAP-CMA audit plan will include the following information: a) general information, such as: • MoU signature date and audit period; • national briefing and post-audit debriefing venue, date and time; • contact details of the appropriate authority and the NC; • objective and scope of the audit (audit areas to be considered);


• language to be used for the conduct of the audit and for the audit report; and • checklist of documents submitted by the State; b) TMs’ names and assigned audit areas; c) daily work plan; d) list of entities to be visited under each audit area; and e) logistics and miscellaneous, such as: • travel itineraries for the TL and all TMs; • visa information; • health information; • security information; • hotel reservations; • ICAO DSA and hotel portion; and • other useful travel tips (departure taxes, local currency and exchange rate to USD, time

difference, etc.). 6.2.14 The TL coordinates with the NC any visits by the USAP-CMA audit team to industry or service providers. The State is responsible for arranging and coordinating domestic travel and for covering related transportation costs. The NC will be the USAP-CMA audit team’s primary point of contact for all meetings and visits during audit activities. The NC will be involved and informed at every phase of the audit but should not seek to influence the audit results. The NC’s assistance and comments may be sought by the USAP-CMA audit team. 6.2.15 The TL, in coordination with the NC, shall determine the requirements for language interpretation services, if required, the provision of which is the State’s responsibility. 6.2.16 The TL will meet with TMs for a USAP-CMA on-site audit team briefing one day prior to the commencement of the USAP-CMA activity. The objective of the briefing is to build team synergy, provide further familiarization to TMs on the processes and tools of the USAP-CMA activity and ensure that all TMs are aware of pertinent information. The USAP-CMA audit team will discuss the USAP-CMA audit, review the completed SASAQ and CCs and develop a list of questions and/or identify additional information required by the USAP-CMA audit team. In addition to determining points of specific focus to be addressed with the Member State, the USAP-CMA audit team will review the State-specific USAP-CMA audit plan and daily schedule of audit activities (daily work plan). 6.2.17 The following elements should be addressed by the TL during the USAP-CMA on-site audit team briefing: a) welcome all TMs and make introductions; b) describe objectives and methodology of the USAP-CMA activity; c) confirm domestic arrangements, including accommodation and transportation details;


d) provide copies of the ICAO Code of Conduct for Auditors (Appendix D) to each TM, and ensure that all TMs read and sign the cover sheet and return it to the TL;

e) reinforce the ICAO Code of Conduct for Auditors, including the confidentiality requirements relating to

audit results and documents, and the policy of not accepting gifts; f) provide guidelines on dealing with State counterparts and external entities (such as media, reporters

and labour unions); g) distribute all available documents to the audit team (completed SASAQ, CCs, documentation provided

by the State, USAP-CMA audit plan, PQ Worksheets, mission reports, etc.); h) review the State-specific audit plan, scheduled daily work plan and any ad hoc arrangements

(e.g. transportation); i) review audit areas assigned to each TM; j) review the completed SASAQ and CCs; k) confirm work methods to be used during the audit, as well as the tasks, responsibilities and

deliverables of TL and TMs; and l) clarify and confirm deadlines for the completion of individual contributions and submission of

completed PQ Worksheets to the TL.

6.3 CONDUCT PHASE 6.3.1 During this phase, a USAP-CMA audit team visits the State for the selected USAP-CMA on-site activity within the determined scope and: a) conducts a systematic and objective assessment of the State’s aviation security oversight system and

the State’s compliance with Annex 17 Standards and security-related provisions of Annex 9 using USAP-CMA PQs, and recommends the issuance of any findings and/or SSeCs to address identified deficiencies;

b) collects and records any evidence provided by the State regarding the implementation of CAPs and

the actions taken to resolve any pre-existing findings; and c) informs the State of the outcome of the USAP-CMA audit during the post-audit debriefing between the

USAP-CMA audit team and State authorities. 6.3.2 The State should: a) ensure that State representatives, counterparts and staff members implicated in the conduct of the

USAP-CMA audit are available for interviews and discussions with the USAP-CMA audit team; b) make the evidence, information and documentation requested by the USAP-CMA audit team readily

available and submit these to the audit team in a timely manner; c) facilitate and arrange visits to industry and/or service providers;


d) provide a suitable working environment for the USAP-CMA audit team; and e) arrange daily transportation and administrative support, as required. 6.3.3 The conduct of the USAP-CMA on-site audit will be focused on the systematic gathering of information by means of observation, interviews and review of documents, whenever possible. All activities undertaken by the USAP-CMA audit team will be transparent and conducted only with the approval of the State. At no time will the USAP-CMA audit team engage in activities that could be perceived as covert efforts to test or penetrate security operations. 6.3.4 For USAP-CMA off-site activities, as mentioned in 6.2.11, the TL submits a set of USAP-CMA PQ Worksheets within the defined scope of the USAP-CMA activity to the NC for coordination with the State’s relevant national- and airport-level entities for self-assessment and subsequent return to the TL. The TL evaluates the State’s answers in those PQ Worksheets received from the NC in conjunction with the documents and evidence submitted by the State that support the implementation of selected PQs, including, but not limited to, the updated CAP and associated evidence, the SASAQ, CCs and other documentation submitted by the State. The TL may request the NC to provide other relevant or necessary documentation related to the scope of the USAP-CMA activity, as applicable. The TL may request additional information and/or clarification from the State and may interview relevant personnel via telephone or other means. The NC should facilitate this process and communicate with the TL in a timely manner and provide all required information and documentation.

National briefing 6.3.5 The USAP-CMA audit TL will conduct a national briefing on the first day of the USAP-CMA on-site audit, which should be scheduled in advance and included in the State-specific audit plan. The purpose of the briefing is to: a) introduce the USAP-CMA audit team; b) brief the appropriate authority and senior officials of the State hosting the audit on the USAP-CMA

methodology, processes, procedures and scope of the USAP-CMA audit; c) provide an overview of the USAP-CMA audit team’s activities at the airport(s) selected for observation,

including the manner in which the collection of information surrounding the security controls and measures will occur;

d) finalize and confirm audit plan arrangements and organizational aspects related to the USAP-CMA

audit; and e) gather additional information, if necessary. 6.3.6 The national briefing may be co-chaired by the senior executive of the State, who may also wish to provide information and/or a briefing to the USAP-CMA audit team. TMs should also attend the national briefing. 6.3.7 During the national briefing, the TL should: a) thank representatives of the State and other aviation security stakeholders for their cooperation; b) introduce him/herself and the TMs, citing their qualifications and background; c) reiterate the language to be used during the USAP-CMA audit, and notify participants of any special

language skills among the USAP-CMA audit TMs;


d) explain the objective of the USAP-CMA; e) review the MoU signed between ICAO and the State, specifically objectives and principles of the

USAP-CMA audit (responsibilities and duties of the State and the USAP-CMA audit team); f) describe the USAP-CMA audit process and methods of gathering information (e.g. observation,

discussion, review of documents) during the audit and the scope of the audit; g) briefly present and confirm the State-specific audit plan and schedule of activities, and adjust if

required; h) outline the concluding phase of the USAP-CMA audit, including the presentation of the preliminary list

of findings and recommendations at the post-audit debriefing, and confirm the arrangements for the debriefing (participants, location, date and time);

i) explain the reporting system, including the USAP-CMA audit report and the CAP based on the

USAP-CMA audit findings and recommendations; j) confirm the name of the official designated by the State to receive the USAP-CMA audit report; k) review and clarify, if necessary, the answers provided by the State to the SASAQ and CCs; l) request and clarify additional information pertaining to Annex 17, security-related provisions of

Annex 9 and the SASAQ, as appropriate; m) provide an overview of the USAP-CMA audit team’s understanding of the aviation security

organization and responsibilities for implementing security measures at the airport(s) selected for observation, when necessary;

n) note any special comments or concerns of the State with regard to the conduct of the audit or areas to

be observed; o) confirm the location of the USAP-CMA audit team facilities; p) confirm the identity of the official USAP-CMA audit team escorts and the means of communication

between the audit team and its escorts (e.g. mobile telephones); q) confirm the schedule of the flights selected in the audit plan for observation to determine the timing for

observing airport security operations; and r) reinforce confidentiality provisions concerning any information or documents received by the

USAP-CMA audit team. Note.— Any clarification on answers provided in the SASAQ that could be done on site should not be sought during the national briefing, but should be directly observed by the USAP-CMA audit team instead. If no clarification can be obtained from observation, then the answer should be sought in cooperation with the NC.


Conduct of the on-site audit 6.3.8 During the conduct of the USAP-CMA on-site audit, the USAP-CMA audit team will assess the level of implementation of the CEs of an aviation security oversight system and the degree of compliance of the State with Annex 17 Standards and security-related provisions of Annex 9. If the USAP-CMA audit team perceives deficiencies in the implementation of the aviation security oversight system or lack of compliance with ICAO SARPs, the audit team will attempt to identify the reasons and will seek to assist the State in achieving the recommended improvements. 6.3.9 The on-site gathering of evidence should be systematic and objective, using the State-specific PQs. All audit findings should be recorded in a preliminary list of findings and recommendations in a clear, concise manner and supported by evidence, with reference made to the relevant CEs of an aviation security oversight system as well as the relevant ICAO SARPs and PQs. 6.3.10 The USAP-CMA audit team, under the leadership of the TL, collects evidence and information by examining records, reviewing documentation and relevant material, observing the implementation of security measures and conducting interviews. Depending on the scope of the USAP-CMA audit, the USAP-CMA audit team will review the State's legislative and regulatory provisions, the implementation of relevant ICAO SARPs, the application of guidance material and relevant security-related practices in use in the aviation industry. The State should provide the appropriate evidence in order to fulfil the requirements of the USAP-CMA audit being conducted. The TL provides the State with a deadline for providing evidence to be considered during the USAP-CMA on-site audit. 6.3.11 The USAP-CMA audit will also be based in part on observing security measures and practices in effect at the airport(s) selected for observation. During such visits, observation of operational measures and procedures of selected aircraft operators, cargo agents, mail authorities, catering companies, etc., will be undertaken as necessary to establish compliance with Annex 17 Standards and security-related provisions of Annex 9. By checking records, not only in the State but also in the industry, and by looking into how the industry conducts its business in areas related to the audit, the USAP-CMA audit team is able to assess whether Annex 17 Standards and security-related provisions of Annex 9 are being implemented effectively. 6.3.12 Specific observations should include the following information: the place, company or authority visited; job titles of people met or spoken to; notes on the procedures observed; and notes on any deficiencies seen in those procedures in reference to the specific Annex 17 Standard or relevant security-related provision of Annex 9. 6.3.13 Industry visits should be conducted in the company of the appropriate authority representatives and on the basis of the State-specific audit plan already agreed upon for the USAP-CMA on-site activity. These visits are used to determine the State’s aviation security oversight capabilities or its implementation of the CAP or mitigating measures. Security concerns that may be identified during these visits can only be identified as a finding or an SSeC in regard to the State aviation security system and not in regard to the industry or service providers. 6.3.14 The audited State will determine the type of escort to be provided to the USAP-CMA audit team during the audit. The TL and TMs will be issued with airport identification badges that should be displayed in a visible place, as mandated by the national requirements. In the event of an emergency (e.g. hijacking, bomb threat, aircraft accident, etc.), the USAP-CMA audit will be suspended upon request of the audited State. In this case, arrangements should be made as soon as possible to resume or reschedule the USAP-CMA audit. 6.3.15 The USAP-CMA audit team may encounter situations during on-site activities that reveal an SSeC, resulting in an immediate security risk to international civil aviation. The mechanism established to address such SSeCs as a priority is described in 2.9. As soon as a preliminary SSeC is identified, the TL, after coordination with C/ASA, brings it to the attention of the State to allow the State to initiate corrective action immediately. The TL provides all relevant information on the preliminary SSeC to C/ASA. At this point, the identification of an SSeC is considered preliminary until it is validated and confirmed by the SSeC Validation Committee.


6.3.16 During the USAP-CMA on-site audit process, the USAP-CMA audit team must conduct an internal meeting on a daily basis to: a) discuss the day’s activities and findings and review the audit team’s daily progress; b) address and resolve potential issues and delays encountered during daily tasks; c) identify areas of concern, including potential SSeCs; d) identify any part of the USAP-CMA PQs that has not been addressed; e) determine required changes in the work plan, if any; f) coordinate common areas; g) discuss the next day’s activities; h) identify any information that must be collected or clarified; and i) enhance team coordination and support. 6.3.17 The TL will meet with the NC on a daily basis to inform him/her of the preliminary findings and deficiencies identified during the ongoing audit with the objective of providing preliminary recommendations for corrective action, facilitating the post-audit debriefing, and to discuss any changes in the audit plan or new requests for meetings and/or documents. 6.3.18 Audits may result in raising the awareness and interest of several aviation bodies, some of which may request interviews with the USAP-CMA audit team. Interviews with organizations other than the State, such as the media, labour unions or other interested bodies, shall not be conducted under any circumstances by the USAP-CMA audit team. 6.3.19 In assessing the State’s level of implementation of the CEs of an aviation security oversight system and determining the degree of compliance with Annex 17 Standards and security-related provisions of Annex 9, USAP-CMA auditors will be guided by the verification process described in the USAP-CMA PQs. Although several PQs may have been reviewed during the preparation phase of the USAP-CMA activity, the status of these PQs is determined during the on-site activity. At the same time, given the differing nature of national- and airport-level security systems among States, USAP-CMA auditors should, to the extent practicable, apply an outcome-based approach and be open to different means of compliance that are not explicitly addressed by the USAP-CMA PQs but are implemented by States to achieve the same outcome. 6.3.20 During the conduct of the USAP-CMA audit, TMs take comprehensive notes and assess the applicable PQs, which will be used in developing the draft USAP-CMA audit report, including the findings. Each finding is related to one relevant PQ. The USAP-CMA audit team records the finding, marks the status of the associated PQ as not satisfactory and clearly indicates how and why they were made. Absence of evidence will normally be reflected as a finding. The State is required to propose a CAP to address each finding. 6.3.21 The TL will provide the TMs with blank copies of PQ Worksheets in their respective areas of responsibility within the scope of the USAP-CMA audit. TMs shall submit their duly completed PQ Worksheets to the TL. The USAP-CMA audit team should review all findings to ensure that they are objective, clear and concise and associated with the relevant PQ.


Post-audit debriefing 6.3.22 At the end of the USAP-CMA on-site audit, the audit team will meet with State officials for a post-audit debriefing to present a preliminary list of findings and recommendations addressing areas that require improvement. Furthermore, before the post-audit debriefing, the TL will meet with the NC to undertake a final review of the preliminary list of findings and recommendations and those significant elements to be addressed during the post-audit debriefing. If applicable, any preliminary SSeCs identified in the course of the audit will be described to the NC and State officials. 6.3.23 The post-audit debriefing provides high-level State representatives with information related to the USAP-CMA audit team’s conclusions regarding the status of implementation of the CEs of the State’s aviation security oversight system and the compliance with Annex 17 Standards and security-related provisions of Annex 9. The post-audit debriefing emphasizes the most significant security issues, and concisely presents the USAP-CMA audit team’s findings and recommendations regarding the effectiveness of the State’s aviation security oversight system. 6.3.24 The post-audit debriefing should be a review of the issues already covered in the daily briefings with the State NC. All identified deficiencies and findings should have already been discussed in the daily briefings and well understood by everyone attending the post-audit debriefing. Any preliminary SSeCs should have also been discussed and well understood by everyone before the post-audit debriefing. While the State may choose to further discuss or debate the identified findings and deficiencies, including any preliminary SSeCs, during the post-audit debriefing, the State should have presented all available evidence to the USAP-CMA audit team before the post-audit debriefing. 6.3.25 At the post-audit debriefing, the TL provides a draft paper copy of preliminary findings and recommendations to the State. Each recommendation describes the corrective action to be implemented by the State, as well as identifies the relevant PQ, CE, SARP and the priority of each corrective action. 6.3.26 During the post-audit debriefing, the TL should: a) thank officials of the Member State and any persons directly involved in the USAP-CMA audit for their

cooperation; b) reintroduce the USAP-CMA audit team, if any State officials present did not attend the national

briefing; c) briefly review the objective and scope of the USAP-CMA audit; d) provide a verbal overview of the effectiveness of the State’s aviation security oversight system and

capabilities and overall findings for each CE assessed, focusing first on positive aspects and then on identified deficiencies that need to be addressed;

e) provide a preliminary list of findings and recommendations concerning the degree of compliance with

Annex 17 Standards and security-related provisions of Annex 9, highlighting the priorities of recommendations requiring short-, medium and long-term corrective actions;

f) present preliminary SSeCs, if applicable, and explain that the SSeC Validation Committee at ICAO

Headquarters will review and confirm the validity of any preliminary SSeCs; g) ensure that State officials clearly understand the USAP-CMA audit results and encourage TMs to

provide additional clarification, as required, to resolve any uncertainty the State officials may have; h) invite comments from State officials on the USAP-CMA audit results;


i) remind State officials that the preliminary list of findings and recommendations is being provided solely to allow the State to begin working on its corrective actions and that these will undergo a technical and editorial review by ASA before being forwarded to the State in the form of a final USAP-CMA audit report;

j) remind the State about post-audit reporting actions to be performed by ICAO and the State, including

target dates for issuing the USAP-CMA audit report to the State and for receipt of the State’s CAP; k) remind the State about confidentiality provisions; and l) remind the State about the availability of urgent and immediate assistance through ISD-SEC, and

longer term assistance through TCB. 6.3.27 Specialist meetings of the USAP-CMA audit team and the State’s technical counterparts may be held prior to or following the post-audit debriefing at the discretion of the TL and the State authorities. 6.3.28 The TL will meet with the TMs both before and after the post-audit debriefing in order to review and assess the entire audit process. All audit team participants should be asked to express their views about the audit performed. 6.3.29 Prior to the post-audit debriefing, the TL will work closely with each TM concerning their contribution to the USAP-CMA audit report, focusing on the adequacy of completed PQ Worksheets and reviewing the preliminary list of findings and recommendations. During the USAP-CMA audit team debriefing that is held following the post-audit debriefing, the TL should: a) thank the TMs for their work; b) raise any concerns about the teamwork, the audit process and tools, or other issues; c) reinforce rules of confidentiality; d) collect any remaining portions of TM submissions (e.g. paper copies and electronic versions of

PQ Worksheets) and ensure that no information, including electronic copies of documents, has been retained by any individual TM;

e) collect all audit documents, including documentation provided by the State, copies of the preliminary

list of findings and recommendations, auditor notebooks, etc.; f) collect mission reports from TMs; g) collect, whenever possible, a preliminary travel claim form from each TM with hotel receipts and airline

boarding passes, as well as receipts for any other official expenses; h) collect business cards or copies of business cards obtained by TMs during the USAP-CMA audit; i) provide guidance on the proper methods of communicating audit-related sensitive security information

to avoid accidental disclosure; and j) confirm the departure arrangements. 6.3.30 Upon completion of an off-site audit, the TL will conduct a post-audit debriefing with the NC to provide a summary of the results of the USAP-CMA activity. The TL will advise the NC of the next steps in the USAP-CMA activity process and provide the State with the preliminary list of findings and recommendations.


6.4 REPORTING PHASE 6.4.1 Each USAP-CMA activity will conclude with the preparation of a USAP-CMA audit report to be submitted to the audited State within established time frames following the completion of the USAP-CMA audit. The USAP-CMA audit report summarizes the level of implementation of the CEs of the State’s aviation security oversight system and provides full details of the audit findings and recommendations. The State CAP should be based on the USAP-CMA audit report, although the State has an opportunity to initiate its corrective actions based on the preliminary list of findings and recommendations presented at the post-audit debriefing. 6.4.2 In accordance with the terms of the MoU between ICAO and the Member State, ICAO will submit a USAP-CMA audit report to the audited State within 60 calendar days from the post-audit debriefing. If the ICAO working language of the State is other than the language in which the USAP-CMA audit was conducted, an advance copy of the USAP-CMA audit report will be sent to the State within 60 calendar days from the post-audit debriefing in the language in which the USAP-CMA audit was conducted. The USAP-CMA audit report will then be translated into the ICAO working language of the State and submitted to the State, and subsequent timelines will be adjusted accordingly. ASA will retain a copy of the USAP-CMA audit report submitted to the State. 6.4.3 The USAP-CMA audit report will be confidential and made available only to the audited State and to persons with an official need to know within ICAO. In addition, the charts depicting the level of implementation of the CEs of an aviation security oversight system by the audited State and an indication of the degree of compliance of the audited State with Annex 17 Standards will be made available to all Member States on the USAP secure website in accordance with the limited level of disclosure, as indicated in 4.9.3. All other materials, notes and reports obtained or generated during the USAP-CMA audit will be treated as strictly confidential by ICAO. 6.4.4 Access to the USAP secure website is restricted to Member State appropriate authority officials. All access requests will be scrutinized and granted by ASA only to those with an operational need to know. Member States will make their own decision as to whether they need to approach the audited State on a bilateral or multilateral basis to discuss the results of the audit. The audited State has the right to publish, or otherwise distribute in any way it deems appropriate, its audit report or its CAP. 6.4.5 The USAP-CMA audit report is an objective reflection of the results of the USAP-CMA audit. It is prepared on the basis of the reporting principles and procedures contained in this manual. The USAP-CMA audit report is designed to provide: a) information to the audited State regarding its aviation security performance in terms of the level of

implementation of the CEs of the State’s aviation security oversight system, and the indicative degree of the State’s compliance with Annex 17 Standards and security-related provisions of Annex 9;

b) prioritized recommendations to the audited State to initiate corrective actions; and c) information to ICAO related to common deficiencies in order to define measures to assist its Member

States. 6.4.6 The draft USAP-CMA audit report is compiled by the TL based on submissions received from the TMs. TMs are expected to prepare their PQ Worksheets during the on-site audit on a daily basis. Prior to the return of the TMs to their home States at the conclusion of an on-site audit, the TL reviews and coordinates their individual submissions and discusses them with the TM concerned. The TL is required to submit the draft USAP-CMA audit report to C/ASA within seven working days of the date of his/her return to ICAO Headquarters following the post-audit debriefing. If the TL’s mission includes more than one USAP-CMA on-site audit, the timelines for submission of draft audit reports will be adjusted accordingly.


6.4.7 The draft USAP-CMA audit report is then subjected to a technical and editorial review by ASA, in accordance with the USAP-CMA quality management procedures. The TL, in coordination with ASA, is responsible for verifying and ensuring the technical content and the overall accuracy of the USAP-CMA audit report throughout the report production phase. ASA shall consult with the TL during the report production process for questions or clarifications related to the report content. The final USAP-CMA audit report is submitted to C/ASA for approval. 6.4.8 The key principles that guide the development of a USAP-CMA audit report are as follows: a) the TL should consolidate the contributions of the TMs and finalize the draft audit report; b) audit findings should be presented in an objective manner; c) the audit report should be confined to facts only, not suppositions or opinions, i.e. what was observed

and found to be deficient; d) findings and recommendations in the post-audit debriefing and the USAP-CMA audit report should be

consistent; e) findings and recommendations should be described in a clear, concise and consistent manner; f) each recommendation should be related to an identified deficiency, specifically detailing what

corrective action is required from the State; g) recommendations should be prioritized as “Low”, “Medium”, “High” and “Very high” based on the

nature of the deficiencies they address, with a view to assisting the State in preparing an effective CAP for short-, medium- and long-term corrective actions for the resolution of deficiencies identified during the USAP-CMA audit;

h) all conclusions should be substantiated with references; i) generalities and vague observations should be avoided; j) only widely accepted international civil aviation terminology should be used, avoiding acronyms and

jargon; and k) criticism of individuals or positions should be avoided. 6.4.9 The USAP-CMA audit report is prepared following a standard reporting format developed by ASA. This format permits input from a confidential electronic database, facilitating the retrieval of information for the purpose of analysis and follow-up activities. 6.4.10 The content of the USAP-CMA audit report is as follows: • Introduction • Objectives of the USAP-CMA audit • Summary of the USAP-CMA audit results • Appendix 1. Analysis of the USAP-CMA Audit Results by CE • Appendix 2. USAP-CMA Audit Findings and Recommendations


6.4.11 The first two parts of the USAP-CMA audit report (introduction and objectives of the USAP-CMA audit) contain background information on the USAP and the objective of the USAP-CMA, the USAP-CMA audit team composition, overview of the USAP-CMA activity scope and the visits to industry and service providers, if applicable. The summary of the USAP-CMA audit results contains textual and graphical information on the State’s aviation security performance in the form of the State’s: a) Oversight Indicator: average EI of the eight CEs of the State’s aviation security oversight system; b) Compliance Indicator: average compliance of the State with Annex 17 Standards and average

compliance of the State with security-related provisions of Annex 9; and c) USAP-CMA PQ Indicator: percentage of USAP-CMA PQs found satisfactory during the USAP-CMA

audit of the State. The summary of the USAP-CMA audit results also contains information on the existence of SSeCs, if any, and the current status of such SSeCs. 6.4.12 Appendix 1 of the USAP-CMA audit report provides an analysis of the State’s aviation security oversight system, highlighting the EI and LEI of each CE, as well as the graphical depiction of the EI for each CE. Appendix 2 of the USAP-CMA audit report contains a detailed list of the USAP-CMA audit findings and recommendations, together with associated PQs found not satisfactory, related CEs, SARPs and the priorities assigned to these recommendations. 6.4.13 Upon receipt of the USAP-CMA audit report, the State will have 30 calendar days to submit comments and feedback on the report. The USAP-CMA audit report may be revised as a result of this feedback. In all cases, comments submitted by the State will become part of the information related to the USAP-CMA activity conducted in the State. 6.4.14 In the event that action for improvement is recommended by ICAO following completion of a USAP-CMA audit, the State is responsible for developing an acceptable CAP defining the action the State plans to take to resolve deficiencies in its aviation security and oversight systems identified by the USAP-CMA audit. Guidance on the development of the CAP by the State will be provided by the TL during the post-audit debriefing. Appendix C provides guidance for States on developing CAPs. 6.4.15 The audited State should provide ASA with a CAP within 60 calendar days after receiving the USAP-CMA audit report in the ICAO working language of the State (i.e. approximately at least 120 days following the post-audit debriefing), using the CAP template provided by ICAO together with the USAP-CMA audit report. In accordance with the terms of the MoU agreed to by the State, the CAP should show how the improvements will be achieved by addressing the findings and recommendations of the USAP-CMA audit report, providing specific actions, indicating the entities responsible for the implementation of such actions, and providing deadlines for the correction of the deficiencies identified during the USAP-CMA audit. Corrective actions and deadlines for implementation should be established to address each of the ICAO recommendations contained in the USAP-CMA audit report. 6.4.16 The CAP should contain detailed and specific measures that the State has taken or proposes to take to implement the ICAO recommendations. All corrective actions should consider the various aspects that may affect their implementation. Due to the complexity for implementing new aviation security requirements and given the resources available, consideration should be given to setting starting and completion dates that are as feasible and practicable as possible. In developing the CAP, corrective actions should be established by phases of implementation or by short-, medium- and long-term goals based on the priorities of the recommendations contained in the USAP-CMA audit report. 6.4.17 ICAO will provide the State with feedback on the acceptability of the proposed CAP. If any proposed corrective actions do not fully address the associated findings and recommendations, the State will be notified accordingly and requested to resubmit its CAP. In any case where the audited State proposes not to implement a recommendation because it disagrees with the finding of the USAP-CMA audit team or with the audit team’s


interpretation of the relevant ICAO Standard or security-related provision, the State should cooperate with ICAO to resolve this disagreement. If such cooperation results in a proposal by the State to modify its CAP, C/ASA should be provided with the modified CAP at the earliest opportunity. 6.4.18 USAP-CMA audit team participants will prepare separate mission reports describing the conduct of the audit and any difficulties encountered. The USAP-CMA mission reports may also advance proposals for improving the future planning and execution of USAP-CMA activities. The USAP-CMA mission reports provide feedback on the conduct of the audit, from planning to completion. The mission reports are an integral part of the USAP-CMA quality assurance process and will be used by ASA to improve the USAP-CMA. ASA will maintain a record of all feedback, recommendations and any action taken to address concerns raised. Should the USAP-CMA mission report identify issues that could be addressed by amending Annex 17 SARPs or security-related provisions of Annex 9, this information will be relayed to the ICAO Aviation Security Panel or Facilitation Panel, as appropriate. 6.4.19 A State USAP-CMA Activity Feedback Form will be provided to the State together with the USAP-CMA audit report. The purpose of this form is to allow the State to advise ICAO on aspects of preparation and conduct of the USAP-CMA audit for the purpose of ensuring continuous improvement of the USAP-CMA. 6.4.20 C/ASA will periodically prepare a report on the progress of the USAP-CMA to be submitted to the Secretary General and subsequently distributed to the ICAO Council and other appropriate ICAO bodies, as required. All necessary steps will be taken to ensure these reports are in a form that maintains the confidentiality of State-specific capabilities and/or deficiencies. USAP-CMA progress reports include, but are not limited to: a) names of States that accepted USAP-CMA activities, including the dates of each activity and the

names of airports visited, if applicable; b) the status of confidential USAP-CMA audit reports completed and submitted to audited States; c) the number of State CAPs that have been received and accepted; d) States that are over 60 days late in submitting their CAPs; e) progress made by States in implementing their CAPs; f) a summary of feedback received from audited States on the USAP-CMA audit process; g) common deficiencies identified so that any trend in significant deficiencies experienced by States can

be assessed to enable ICAO to study possible solutions as part of the remedial action process; h) USAP-CMA regional seminars and USAP-CMA auditor training and certification courses planned and

conducted; and i) information regarding a refusal by a State to undergo a USAP-CMA audit, a deferral of the audit, or a

refusal to comply with the terms of the relevant MoU.

______________________

App A-1

Appendix A

GENERIC MEMORANDUM OF UNDERSTANDING (MOU)

Memorandum of Understanding (MoU) between the International Civil Aviation Organization and State [formal name]

regarding the Universal Security Audit Programme Continuous Monitoring Approach Whereas the 33rd Session of the Assembly of the International Civil Aviation Organization (ICAO) in Assembly Resolution A33-1 directed the Council and the Secretary General to consider the establishment of an ICAO Universal Security Audit Programme (USAP); Whereas the Council during its 166th Session approved the Aviation Security Plan of Action, including the establishment of the USAP, and agreed that priority be given to undertaking audits; Whereas the 35th Session of the Assembly of ICAO in Assembly Resolution A35-9 requested the Secretary General to continue the USAP, and urged all Member States to agree to audits to be carried out upon ICAO’s initiative by signing a bilateral MoU and to accept the audit missions as scheduled by the Organization; Whereas the Council during its 176th and 181st Sessions agreed that future audits be guided by the principle of universality, while recognizing that not all States need to be audited at the same frequency; focus, wherever possible, on a State’s capability to provide appropriate national oversight of its aviation security activities through the effective implementation of the critical elements of a security oversight system; and be expanded to include relevant security-related provisions of Annex 9 — Facilitation; Whereas the Council, during its 187th Session, recognized the need to determine the future nature and direction of the USAP and directed the Secretariat to study the feasibility of applying a continuous monitoring approach (CMA) to the USAP after the conclusion of the second cycle of audits in 2013; Whereas the 197th Session of the Council formally approved the concept of the USAP Continuous Monitoring Approach (USAP-CMA) and the associated transition plan; Whereas the 38th Session of the Assembly in Assembly Resolution A38-15 endorsed the Council’s decision to extend the CMA to the USAP in 2015, and requested the Council to oversee the activities of the USAP-CMA; Whereas the 38th Session of the Assembly urged all Member States to give full support to ICAO by accepting USAP-CMA missions as scheduled by the Organization, facilitating the work of the USAP-CMA teams, and preparing and submitting to ICAO all required documentation; Recognizing that the effective implementation of State corrective action plans to address deficiencies identified through USAP-CMA activities is an integral and crucial part of the monitoring process in order to achieve the overall objective of enhancing global aviation security; and Recalling that the ultimate responsibility for the security of civil aviation rests with Member States;

Universal Security Audit Programme App A-2 Continuous Monitoring Manual

IT IS AGREED AS FOLLOWS:

PART I — USAP-CMA ACTIVITIES — GENERAL 1. State [formal name], hereinafter referred to as State [abbreviated name], hereby agrees to participate fully

in the USAP-CMA by taking part in all USAP-CMA activities and by committing to provide information related to the establishment and implementation of its aviation security and oversight systems as requested by ICAO. USAP-CMA activities will cover the Convention on International Civil Aviation (the “Chicago Convention”), Annex 17 – Security and the security-related provisions of Annex 9 —– Facilitation.

2. State [abbreviated name] accepts that the development, implementation and maintenance of the national

civil aviation security programme required by Annex 17 remains its responsibility before, during and after any USAP-CMA activity. State [abbreviated name] and ICAO accept that all actions taken by the parties and activities carried out under the USAP-CMA will be conducted in accordance with established USAP principles.

3. State [abbreviated name] agrees to facilitate USAP-CMA activities by designating an appropriate person to

act as National Coordinator (NC) on an on-going basis. The NC will act as a facilitator and primary point of contact for ICAO with regard to all USAP-CMA processes and activities. State [abbreviated name] will be responsible for providing ICAO with updates and information, through its NC, upon request. State [abbreviated name] agrees to advise ICAO whenever there is a change in designated NC.

4. The types of information that ICAO may request to be submitted by State [abbreviated name] under the

USAP-CMA will vary depending on the aviation security situation in each State, but may include completing and providing updates to the State Aviation Security Activity Questionnaire (SASAQ), status reports on the implementation of specific USAP-CMA protocol questions (PQs), information relating to Significant Security Concerns (SSeCs), updates to the State Corrective Action Plan (CAP) and any other relevant security information, such as national-level aviation security legislation and airport-level aviation security procedures and practices.

5. State [abbreviated name] agrees to complete and maintain up-to-date Compliance Checklists, which

contain information on the State’s compliance with the Annex 17 Standards and Recommended Practices and the security-related provisions of Annex 9.

6. If a regional aviation security regulatory and/or oversight body, or any other entity, performs securityrelated

functions on behalf of State [abbreviated name], ICAO, with the consent of State [abbreviated name], may elect to enter into a working arrangement with this regulatory and/or oversight body or entity, as appropriate, to facilitate the monitoring of the State’s aviation security compliance and oversight capabilities.

7. While monitoring of all ICAO Member States will be conducted on an on-going basis, specific USAP-CMA

activities will be scheduled in all States from time to time. These activities include documentation-based audits, conducted primarily by correspondence between ICAO and the States concerned, oversight-focused audits, compliance-focused audits and validation missions. The type of activity to be conducted in each State will be determined by ICAO based on information available to ICAO. State [abbreviated name] may, at any time, request that a USAP-CMA audit be conducted on a cost-recovery basis. The type, scope and scheduling of any such cost-recovery audit shall require agreement between ICAO and the State, and will be assessed by ICAO on a case-by-case basis. The results of these USAP-CMA audits will be treated in the same manner as the results from regularly-scheduled USAP-CMA activities.

Appendix A. Generic Memorandum of Understanding (MoU) App A-3

8. During all USAP-CMA activities, ICAO will assess, based on the scope of the activity, a State’s capability to provide appropriate national oversight of its aviation security activities through the effective implementation of the critical elements of an aviation security oversight system, and will evaluate compliance with Annex 17 Standards and relevant security-related provisions of Annex 9. Subsequent USAP-CMA activities will include a process to validate progress made by the State in addressing any identified deficiencies. Validation missions will be used to validate measures taken by States to resolve SSeCs.

PART II — USAP-CMA ACTIVITIES — PREPARATION 9. ICAO will generate, distribute and publish an annual schedule of planned USAP-CMA activities for the

following 12-month period, including both on-site activities and documentation-based audits. This annual schedule of activities will be regularly updated on the USAP secure website.

10. Direct notification of USAP-CMA activities will be provided to State [abbreviated name] by ICAO with at

least 120 calendar days’ advance notice, together with the name(s) of any designated airport(s) to be visited, if applicable. When necessary or useful, State [abbreviated name] and ICAO may mutually agree on a shorter notice period. Unless documented reasons lead the parties to mutually agree upon alternate dates, State [abbreviated name] is urged to accept USAP-CMA activities as scheduled by ICAO.

11. No change to scheduled USAP-CMA activities will be allowed within 60 calendar days prior to the starting

date of an on-site activity, and no change to a scheduled documentation-based audit will be allowed within 30 calendar days of the starting date, except for a compelling reason, such as an act of God or an act of war, submitted to the President of the Council of ICAO for his consideration. Any change made by State [abbreviated name] to the dates of a scheduled cost-recovery activity will be made on a case-by-case basis, with the State incurring all costs associated with such change.

12. State [abbreviated name] agrees to submit to ICAO, no later than 60 calendar days prior to the start of a

USAP-CMA activity, a completed SASAQ designed to provide ICAO with preliminary information concerning the State’s aviation security and oversight systems.

13. The exact scope of all USAP-CMA activities, including the audit areas and PQs to be covered, will be

determined by ICAO based on pre-existing audit information and information provided by State [abbreviated name] and will be communicated to the State at least 30 days in advance of the activity.

14. For each scheduled USAP-CMA activity, ICAO will identify one or more ICAO-certified auditors to conduct

the activity, all of whom will be experts in the field of aviation security. State [abbreviated name] will be provided with the name(s) of the assigned auditor or audit team prior to any scheduled activity and will have the opportunity to provide any desired feedback to ICAO. The composition of the team will be provided to State [abbreviated name] prior to any scheduled on-site activity in sufficient time to enable it to facilitate applications for visas and other administrative matters.

15. With the exception of cost-recovery activities, where all costs are borne by State [abbreviated name], ICAO

will be responsible for the cost of transportation to and from State [abbreviated name], as well as for the daily subsistence allowance (DSA) of the ICAO team members.

16. In the case of a scheduled documentation-based audit, failure by State [abbreviated name] to provide

documentation as requested by ICAO will make the State ineligible for a documentation-based audit and the State will be scheduled for an on-site USAP-CMA activity.


17. Without prejudice to other privileges and immunities applicable to ICAO as a Specialized Agency of the United Nations and its personnel, all members of ICAO USAP-CMA audit teams shall be immune from legal process in respect of words spoken or written and all acts performed by them in their official capacity.

PART III — USAP-CMA ACTIVITIES — CONDUCT 18. USAP-CMA activities will be conducted in English, French or Spanish, as requested by State [abbreviated

name]. In the case of on-site activities, if the language of correspondence of the State with ICAO is one of the remaining three ICAO working languages, every effort will be made to ensure that at least one team member participating in the activity has command of the ICAO working language of the State concerned.

19. The ICAO team will develop a State-specific audit plan for each USAP-CMA on-site activity in State

[abbreviated name], containing information on the conduct of the scheduled activity. The plan will be forwarded to the NC prior to the activity to facilitate cooperation and coordination. If necessary, last-minute and minor modifications to the State-specific audit plan may be agreed between ICAO and State [abbreviated name] during the opening national briefing.

20. The NC will be responsible for coordinating all on-site USAP-CMA activities on behalf of State [abbreviated

name]. This includes providing the ICAO team with access to all relevant documentation, and all relevant persons and entities responsible for aviation security and facilitation-related matters during the interview and records-review stage of the activity, as well as securing access to areas of the airport or other facilities, as appropriate, for observation as deemed necessary by the ICAO team during the conduct of the USAP-CMA activity.

21. For on-site activities, State [abbreviated name] agrees to: a) make appropriate staff from its administration responsible for the regulation and oversight of aviation

security activities and matters related to facilitation, as well as relevant staff of airport operators, locally-based commercial air transport operators and any other entities responsible for the implementation of aviation security measures available for interview by the ICAO team;

b) make all relevant files, records and documentation of the appropriate authority for aviation security

and those of any other relevant entities responsible for aviation security and facilitation matters, including national legislation, programmes and regulations related to aviation security and facilitation, quality control activity records, airport-level programmes, procedures and internal quality control activity records, available for review by the ICAO team; and

c) provide access to aerodrome facilities and restricted areas of the airport for observation by the ICAO

team of aviation security measures implemented by all relevant entities. 22. State [abbreviated name] agrees to provide support to the USAP-CMA on-site activities by: a) providing interpretation services for the duration of the on-site activity or as requested by the ICAO

team; b) assisting with administrative arrangements for the accommodation of the ICAO team for the duration

of the on-site activity; c) arranging and meeting the cost of local and intra-State transportation when visits to various locations

within the State are required under the State-specific audit plan;


d) providing adequate working space with privacy for the ICAO team; e) providing access to a printer, photocopier, scanner and facsimile machine, if available; f) providing Internet access, if available; g) providing the ICAO team with airport identification passes for access to facilities and restricted areas

of the airport; and h) identifying a technical liaison officer to provide security equipment-related information. 23. During on-site USAP-CMA activities, the ICAO team will assess, based on the scope of the activity, State

[abbreviated name]’s capability to provide appropriate national oversight of its aviation security activities through the effective implementation of the critical elements of an aviation security oversight system. The ICAO team will also evaluate State [abbreviated name]’s compliance with Annex 17 Standards and the relevant security-related provisions of Annex 9. In addition to the review of relevant national/airport level regulatory provisions and quality control activity records, the on-site USAP-CMA activity will include a verification of the implementation of aviation security measures through on-site observations at the designated airport(s).

24. During documentation-based audits, the USAP-CMA auditor will conduct a review of the documents

submitted by State [abbreviated name] beginning on the date specified in the annual activity schedule. The auditor may request additional information and/or clarification from State [abbreviated name] and may interview relevant personnel via telephone or other means. The NC will be made available by State [abbreviated name] to facilitate this process and provide all information required.

25. If, at any time, the ICAO team identifies a potential SSeC during the conduct of any type of USAP-CMA

on-site activity, State [abbreviated name] will be immediately notified and the SSeC process outlined in paragraphs 33 to 36 below will be initiated.

26. Upon completion of an on-site USAP-CMA activity, the ICAO team will conduct a post-audit debriefing in

which the team will provide a summary of the results of the USAP-CMA activity to the appropriate government officials, as determined by State [abbreviated name]. These should include senior aviation security management officials and other State and industry representatives responsible for the areas covered by the scope of the USAP-CMA activity. The ICAO team will also provide a briefing on the next steps in the USAP-CMA process. If necessary and appropriate, the post-audit debriefing will be used to notify the State of any preliminary SSeCs identified during the activity. Before departing State [abbreviated name] the ICAO team will also provide the appropriate authority with preliminary findings and recommendations.

27. Upon completion of a documentation-based audit, the ICAO auditor will conduct a post-audit debriefing

with the NC to provide a summary of the results of the activity. The ICAO auditor will advise the NC of the next steps in the USAP-CMA process and provide State [abbreviated name] with preliminary findings and recommendations.


PART IV — USAP-CMA ACTIVITIES — REPORTING 28. Following completion of a USAP-CMA audit, ICAO undertakes to make available to State [abbreviated

name] a confidential report within 60 calendar days from the post-audit debriefing. If the ICAO working language of the State is other than the language of the activity, the audit report will be translated into that language and subsequent timelines will be adjusted accordingly. The confidential report will detail:

a) information on the level of effective implementation of the critical elements of a State’s aviation

security oversight system, as well as analysis of audit results by critical element; and b) an indication of the State’s compliance with ICAO Annex 17 Standards and security-related provisions

of Annex 9, together with prioritized recommendations for the resolution of identified deficiencies requiring remedial action by the State.

29. Upon receipt of the audit report, State [abbreviated name] will have 30 calendar days to submit comments

and feedback on the report. The audit report may be revised as a result of this feedback. 30. Should action be necessary to remedy deficiencies identified through the findings and recommendations

developed during an audit, State [abbreviated name] undertakes to start working on the preparation of an appropriate CAP immediately after State [abbreviated name] has been debriefed on the audit results and provided with preliminary findings and recommendations, as described in paragraphs 26 and 27 of this MoU. Feedback on the development of the action plan by State [abbreviated name] will be provided during the post-audit debriefing.

31. Should action be necessary to remedy deficiencies, State [abbreviated name] undertakes to provide ICAO

with a CAP within 60 calendar days from the date the USAP-CMA audit report has been made available to the State. The action plan should address the findings and recommendations of the USAP-CMA audit report, providing specific actions, entities responsible for the implementation of such actions, and deadlines for the correction of the deficiencies identified during the audit. If the report requires translation, the timeline for the production of a CAP starts when the State receives the translated USAP-CMA audit report. All subsequent actions will be sequenced accordingly. ICAO will provide State [abbreviated name] with feedback on the acceptability of any proposed CAP. If any proposed corrective actions do not fully address the associated findings and recommendations, State [abbreviated name] will be notified accordingly and requested to resubmit the CAP.

32. USAP-CMA audit reports will be confidential and made available to State [abbreviated name] and ICAO

staff on a need-to-know basis. Concurrently with the preparation of the report, a non-confidential audit activity summary limited to the name of the audited State, the identity of airports visited during the audit, and the completion date of the audit will be developed for release to all Member States. In addition, charts depicting the level of implementation of the critical elements of an aviation security oversight system by State [abbreviated name] and an indication of compliance by State [abbreviated name] with Annex 17 Standards will be made available to all Member States on the USAP secure website.

33. If applicable, ICAO undertakes to notify to State [abbreviated name] in writing, as soon as possible, but not

later than 15 calendar days after the last day of the USAP-CMA activity, of the existence and details of any SSeCs requiring immediate corrective action by State [abbreviated name].


34. In the event that any SSeCs are identified and confirmed, State [abbreviated name] undertakes to provide, within the time frame prescribed by ICAO, but not later than 15 calendar days following the receipt by State [abbreviated name] of the written notification from ICAO, its immediate corrective action to resolve the SSeCs. Failure by State [abbreviated name] to implement satisfactory corrective action and to notify such action to ICAO within the prescribed time frame will result in information pertaining to unresolved SSeCs being made available to all Member States through the USAP secure website until resolved.

35. No report will be issued following the conduct of a USAP-CMA validation mission. However, if such a

mission reveals that one or more SSeCs have been resolved or mitigated by a State, notification of the existence of such SSeC(s) will be removed from the USAP secure website, and the State’s charts on the USAP secure website will be amended accordingly.

36. If requested by State [abbreviated name], ICAO will evaluate and provide, where possible, direct

assistance through relevant technical assistance and/or technical co-operation programmes. Assistance provided through ICAO’s Technical Co-operation Programme would be funded by State [abbreviated name] or another sponsor.

37. The ICAO Regional Office accredited to State [abbreviated name] will be actively involved in monitoring the

progress made by State [abbreviated name] towards implementing its CAP and in the provision of advice and assistance, as required.

PART V — DISPUTE RESOLUTION 38. Any difference or dispute concerning the interpretation or the application of this Memorandum of

Understanding will be resolved by negotiation between the parties concerned.

For the International Civil Aviation Organization

For the Appropriate Authority of State [formal name]

Secretary General Name: Title:

Date Date

______________________

App B-1

Appendix B

CRITERIA FOR CERTIFICATION AS AN ICAO USAP-CMA AUDITOR

1. INTRODUCTION 1.1 This document sets forth the criteria for initial certification of ICAO USAP-CMA auditors as required for the conduct of aviation security audits in accordance with this manual and the MoU signed between ICAO and a Member State. The principal objective of these criteria is to ensure that ICAO USAP-CMA activities are conducted by appropriately qualified and experienced aviation security experts who have been trained in the specific application of ICAO USAP-CMA methodology. 1.2 The process used in developing these criteria was to establish first the key competencies required for ICAO USAP auditors, and then to determine the methods by which those competencies would be demonstrated and measured.

2. LEVELS OF AUDITOR 2.1 There are two levels of auditor within the ICAO USAP-CMA: a) ICAO USAP-CMA auditor; and b) ICAO USAP-CMA TL. 2.2 ICAO USAP-CMA Auditor level recognizes that a candidate has met the specific competency and training requirements for certification required for the conduct of ICAO USAP-CMA activities as a TM. 2.3 ICAO USAP-CMA TL level recognizes that a candidate has satisfied the criteria for USAP-CMA auditor certification and, in addition, has demonstrated the competencies necessary to manage a USAP-CMA audit team and coordinate all aspects of a complete ICAO USAP-CMA activity.

3. REQUIREMENTS FOR CERTIFICATION

3.1 Key competencies 3.1.1 Skills and knowledge requirements for USAP-CMA auditors All ICAO USAP-CMA auditors shall, through education, work experience, auditor training and/or auditing experience, be able to demonstrate a satisfactory level of competence in the following areas:

Universal Security Audit Programme App B-2 Continuous Monitoring Manual

a) knowledge of aviation security, including national-level aviation security oversight responsibilities and operational aviation security practices and procedures;

b) ability to carry out audits of aviation security at the national (State) level and at airports; c) knowledge of the Chicago Convention, Annex 17, the aviation security conventions, and related ICAO

guidance material; d) ability to speak, read and write in an ICAO language; e) ability to use office automation equipment and contemporary computer software; and f) knowledge of ICAO auditing principles, procedures and techniques, including the ability to: 1) conduct audits in a consistent and systematic manner in varying situations and circumstances; 2) collect information through effective interviewing, listening, observing and reviewing

documentation and records; 3) verify the accuracy of collected information and confirm the sufficiency and appropriateness of

evidence to support audit findings and recommendations; 4) record audit activities through the use of appropriate work documents; 5) prepare accurate, clear and concise audit reports; and 6) communicate and interact in an international environment as part of a multinational audit team. 3.1.2 Skills and knowledge requirements for USAP-CMA TLs TLs should have additional knowledge and skills in audit leadership to enable the management of the USAP-CMA audit team and to ensure the overall conduct of the audit in an efficient and effective manner. Thus, the TL must satisfy all of the knowledge and skills requirements for the USAP-CMA auditor, as set forth in 3.1.1 of this appendix, plus have a demonstrated ability to plan, manage and lead a USAP-CMA audit team. Knowledge and skills in this area include the ability to: a) plan the USAP-CMA activity and make effective use of resources during the conduct of the activity; b) represent the USAP-CMA audit team in communications with the NC and high-level State officials; c) organize and direct USAP-CMA activity TMs; d) lead the USAP-CMA audit team to reach audit conclusions; e) prevent and resolve conflicts; and f) prepare and complete the USAP-CMA audit report and related documentation.

Appendix B. Criteria for certification as an ICAO USAP-CMA auditor App B-3

3.2 Nomination by an ICAO Member State 3.2.1 All candidates for ICAO USAP-CMA auditor training and certification, other than those who are staff members of ICAO, will be required to be nominated by an ICAO Member State. Details are contained in the State nomination package which consists of the following two parts: a) Part I — Nomination by Government; and b) Part II — Nominee’s Personal History. 3.2.2 Part I — Nomination by Government. Each Member State nominating a candidate shall agree to assume responsibility for the nominee’s transportation, accommodation and other costs to and from the auditor training course venue. The Member State shall also certify that the nominee is medically fit and is in possession of medical insurance coverage to meet expenses for any sickness or medical emergency during the auditor training and certification. Each Member State shall certify that the nominee meets the following minimum qualification and experience requirements: a) the nominee has complete fluency in an ICAO language (both spoken and written) and in the

language of instruction of the applicable ICAO USAP-CMA Auditor Training and Certification Course; b) the nominee is an aviation security subject matter expert, with a minimum of three years’ operational

aviation security experience and extensive knowledge of aviation security using Annex 17 as a reference;

c) appropriate background and screening checks have been conducted on the nominee to verify identity

and previous experience, including any criminal history, and the nominee has been assessed as being suitable to have access to restricted documentation and for work in security restricted areas;

d) the State has evidence and/or personal knowledge of the truth of the statements contained in the

nominee’s personal history form regarding the nominee’s technical and specialized training record, employment history and any auditing/technical evaluation experience;

e) the nominee is actively employed by the appropriate authority for aviation security of an ICAO Member

State in aviation security activities, and any change in this status will be notified to ASA (in certain circumstances, nominees working for aviation industry entities, who meet all other criteria, may be accepted as long as nominated by the government of a Member State); and

f) upon successful certification, the nominee will, as far as practicable, be made available to ICAO by the

State a minimum of once per year for at least the following two years for the purpose of conducting USAP-CMA audits.

3.2.3 Part II — Nominee’s Personal History. Each nominee shall complete a personal history form as part of the State nomination package and shall certify the truth of the following information: a) relevant personal details, including language abilities; b) technical and/or specialized training record, including diplomas and certificates acquired; c) employment record; and d) auditing and technical/evaluation experience.


3.2.4 Nomination packages will be submitted to the responsible RO who will review the packages for completeness and perform an initial evaluation as to the suitability of candidates to participate in the training and certification process. The nomination packages of those nominees meeting the selection criteria will be forwarded to ASA. 3.2.5 In the event that the number of nominees exceeds the space available in a particular auditor training course, ASA shall review each nominee’s qualifications and experience and select those that it believes to be the most qualified and suitable, while at the same time allowing for the widest geographical representation of States possible. Nominees not accepted to a particular course due to space restrictions may resubmit their nomination for consideration in a subsequent course. 3.2.6 In the case of candidates who are ICAO staff members and therefore not nominated by a Member State, C/ASA shall be satisfied that the candidate meets similar experience and qualification requirements, as applicable, (as per 3.2.2 of this appendix) prior to proceeding to training and certification, unless specially authorized by ICAO.

3.3 USAP-CMA auditor initial training and certification 3.3.1 Nominees that have been accepted by ICAO as meeting the minimum qualification and experience requirements outlined in 3.2.2 of this appendix must successfully complete the ICAO USAP-CMA Auditor Training and Certification Course. 3.3.2 The objectives of the USAP-CMA Auditor Training and Certification Course are to: • provide the auditors with a thorough knowledge and understanding of the methodology, tools and

techniques used by ASA for the conduct of activities under the ICAO USAP-CMA; • promote a shared understanding of how to evaluate the State’s aviation security and oversight

systems and the implementation of ICAO security-related SARPs; • help auditors understand the USAP-CMA procedures and methodology; • give the auditors the necessary information and tools to enable them to apply the USAP-CMA

methodology effectively; • ensure awareness and the acquisition of auditing skills and techniques in an international

environment; and • ensure consistency of performance between different audit teams. 3.3.3 The USAP-CMA Auditor Training and Certification Course is highly interactive and task-oriented, designed to enable trainees to effectively perform selected auditing functions. Teaching methods include lectures, slides, hand-outs, and individual and group exercises. In addition, module tests are given at the completion of each subject-matter module in order to ensure that trainees have mastered the required skills and knowledge necessary to achieve the set objectives of the module. 3.3.4 Due to the interactive nature of the training course, attendance will normally be limited to 15 participants. There will be a minimum of two instructors for each course, of which at least one will be an ASA staff member. Course instructors will normally be certified USAP auditors with extensive experience in conducting international audits and experience in training.


3.3.5 In order to allow for the continual improvement of the Auditor Training and Certification Course, participants are requested to complete and submit, on an anonymous basis, an evaluation questionnaire at the completion of the course. Feedback is sought in the following areas: a) the extent to which the stated course objectives were achieved; b) the extent to which the student’s expectations for the module were met; c) an evaluation of the class instructors; d) an evaluation of the instructional materials and activities (including hand-out materials and module

tests); and e) an evaluation of the facilities (classroom environment).

3.4 Certification 3.4.1 The certification process consists of four elements: module tests, exercises, a written examination and a practical examination. Below is a description of the different elements of the certification process and how they combine to yield each candidate’s final grade. Module Tests 3.4.2 The candidates will be expected to complete short module tests based on modules covered. There will be a total of 7 module tests, one each for modules 2 to 8. The purpose of these module tests is twofold: 1) as a teaching aid, they will allow the facilitators to ensure that candidates have a solid understanding

of the subject matter covered; and 2) as an evaluation tool, the combined score from these tests will provide 20 per cent of each candidate’s

final grade for the course. Exercise 3.4.3 Module 9 of the course involves an exercise that will be used to evaluate each candidate’s knowledge, as well as their ability to synthesize information and draft USAP audit findings and recommendations. The exercise will provide 20 per cent of each candidate’s final grade for the course. This exercise will also provide the basis for the practical examination outlined below. Written Examination 3.4.4 The written examination will take place on day 6 of the training course and will be comprised of three parts: Part I — Knowledge of aviation security (including Annex 17 SARPs and security-related provisions of

Annex 9, the Aviation Security Manual (Doc 8973 — Restricted), the Aviation Security Oversight Manual — The Establishment and Management of a State’s Aviation Security Oversight System (Doc 10047), and operational aviation security practices and procedures);


Part II — USAP-CMA methodology (principles, processes and procedures) and auditing skills and techniques (including conflict and group management); and

Part III — Identification of security deficiencies and drafting of appropriate findings and recommendations. 3.4.5 Candidates must achieve an overall mark of at least 70 per cent on the written examination. The written examination will provide 40 per cent of each candidate’s final grade for the course. Practical Examination 3.4.6 The practical examination will take place immediately following the written examination. Candidates will make presentations individually before a panel consisting of the course instructors and, whenever possible, external members. All panel members will be certified USAP auditors. 3.4.7 The practical examination is designed to test the candidate’s knowledge and ability to react in role-playing exercises in simulated audit conditions. Candidates will be required to conduct a post-audit debriefing and to undergo an interview with the panel based on the completed exercises described above. During this examination, candidates will be faced with various hypothetical scenarios and audit issues. Candidates will be evaluated according to their general behaviour and form, the structure and content of their answers, and their ability to deal with challenges and pressure. In addition, personal attributes and interpersonal skills, as set forth in 5.6, will be evaluated by the course instructors during the practical examination, according to a pass/fail criterion, with particular emphasis on the display of any negative attributes. 3.4.8 Each member of the panel will first mark the candidate individually and will then discuss these results in order to achieve panel consensus. Candidates must achieve an overall mark of at least 70 per cent on the practical examination. The practical examination will provide 20 per cent of each candidate’s final grade for the course. Grading 3.4.9 In order to be certified as an ICAO USAP-CMA auditor, a candidate must pass: a) the written examination as well as the practical examination with a grade of at least 70 per cent in

each; and b) all four elements of the certification process with an overall grade of at least 80 per cent. 3.4.10 All certification documents (including the written examination and the results of the practical examination) shall be forwarded to ASA who will then proceed to evaluate the training and certification outcomes to make a determination concerning the suitability of a candidate for certification. Nominating States will be informed, and successful candidates will be provided certificates signed by the Secretary General of ICAO designating them as ICAO-certified USAP-CMA auditors. 3.4.11 Candidates who do not successfully pass the required components for auditor certification will not be precluded from retaking the auditor training and certification course if nominated again by their State in accordance with the procedures set forth in 3.2 of this appendix. However, the nominating State shall be invited to carefully consider its nomination, particularly in light of the fact that the space available in each Auditor Training and Certification Course is very limited and entry to the course for this reason cannot be guaranteed.


3.5 Certification of TLs 3.5.1 As indicated in 3.1.2 of this appendix, USAP-CMA TLs are required to possess additional knowledge and skills in audit management and team leadership and sufficient experience in aviation security to provide guidance to the USAP-CMA audit team in reaching audit conclusions and formulating recommendations. Thus, in addition to satisfying all of the requirements for an ICAO USAP-CMA certified auditor as set forth above, a USAP-CMA TL must ideally meet the following additional requirements: a) have additional experience in an international civil aviation environment, including extensive

operational experience in aviation security with experience in the conduct of audits/ evaluations/inspections or similar oversight responsibility;

b) be an ICAO employee, whether on short- or long-term contract; and c) perform TL OJT under the direct supervision of an experienced TL designated by C/ASA. The OJT will

be designed to test the candidate’s abilities to plan, manage and lead a USAP-CMA audit team and will be evaluated in accordance with the TL OJT Evaluation Form.

4. MAINTAINING CERTIFICATION

4.1 USAP-CMA auditors In order to maintain certification, all ICAO USAP-CMA auditors shall fulfil the following requirements: a) meet at least one of the following criteria: 1) conduct a minimum of one USAP-CMA on-site audit every two years; or 2) complete a USAP-CMA auditor recurrent training and recertification course, as required; b) continue to fulfil the requirements of 3.2.2 e) of this appendix); and c) continue to act in compliance with the ICAO Code of Conduct for Auditors (Appendix D).

4.2 USAP-CMA TLs In order to maintain certification as an ICAO USAP-CMA TL, auditors shall: a) conduct a minimum of two ICAO USAP-CMA activities per year, of which at least one is as TL; b) remain employed by ICAO; and c) continue to act in compliance with the ICAO Code of Conduct for Auditors (Appendix D).

______________________

App C-1

Appendix C

GUIDANCE FOR STATES ON DEVELOPING CAPs

The development of the CAP primarily serves the purpose of helping the State improve its own aviation security and oversight systems by developing a detailed and logical plan to address deficiencies identified during the USAP-CMA activity. Once a comprehensive plan is developed and submitted to ASA, the CAP will be reviewed, and the State will be provided with any feedback that may be of use to the State. In order for ASA to be able to review and evaluate a CAP, States must provide CAPs that meet certain criteria. This guidance is designed to assist States in the development of effective CAPs that meet ICAO’s requirements. Note.— If the State disagrees with the finding issued by ICAO and does not submit a CAP for the finding, the State must provide a clear and detailed reason in the “Comments and Observations” field.

General • Ensure that the required information for each part of the CAP is entered in the correct field of the CAP. • Address each recommendation individually and provide comments, a proposed corrective action, an

office assigned the responsibility to implement the corrective action, and an estimated implementation date (EID).

CAP steps and proposed action items • Ensure that the proposed actions in a CAP directly and fully address the ICAO recommendation

related to the not satisfactory PQ. Pay attention to the Annex SARP and the CE related to the not satisfactory PQ when developing a corrective action to address the recommendation.

• If required, break down large action items into smaller and more manageable steps. • Describe each proposed action in a clear and detailed manner. • List the step-by-step corrective actions in the correct sequential and/or chronological order

(e.g. establishing a requirement before implementing it). • Provide a good and clear working plan and adequate detail for the implementation of each proposed

action. • For PQ recommendations associated with CEs 6, 7 and 8, i.e. implementation CEs, describe the

process of implementation by providing necessary details on implementing requirements and procedures.

Universal Security Audit Programme App C-2 Continuous Monitoring Manual

Action office • Ensure that an action office is indicated for each one of the corrective action steps. • If more than one organization or entity is involved in each step, identify and record each one clearly. • Ensure that the action offices identified in each step of the corrective action have the authority to

complete the action, especially with respect to the promulgation of legislation and/or regulations. • For higher level corrective actions, such as the promulgation of primary aviation legislation, enter the

name of the entity that has the authority to complete the action. • Spell out the acronym for the title of an action office the first time it is used in the CAP; use the

acronym thereafter.

Evidence reference • Indicate the document containing the evidence in a clear manner. • Provide a specific and clear reference to the page, section or paragraph of the document that contains

the information that the ICAO officer needs to review and evaluate. • Avoid broad and generic reference to a large document. Be as specific as possible.

Estimated implementation date (EID) • State must enter an EID (starting date and completion date) for each step. • Ensure that the EID is realistic for the action item. • Ensure that the EID is appropriate for the priority associated with the recommendation; for example,

the State should not indicate that it will start conducting quality control activities three years from now. • State must prioritize its corrective actions for short-, medium- and long-term actions based on priorities

associated with the recommendations. Note.— Some proposed actions may be required on an ongoing basis. In such cases, the word

“ongoing” should be included under the “Completion Date” column.

Responding to ASA’s review • If ASA’s initial review of the CAP reveals that the CAP does not address or only partially addresses

the PQ-related recommendations, the State must revise the CAP based on ASA feedback, ensuring that it addresses the shortcomings indicated by ASA.

Appendix C. Guidance for States on developing CAPs App C-3

Updating CAPs • States must also ensure that they continuously update their CAPs by indicating the: a) level of progress for each action item as it is being implemented; and b) the date of completion for each action item as it is completed. • If the initial EID of an action item has passed and the action has not been completed, the State must

indicate a new EID in the CAP and advise ASA accordingly.

______________________

App D-1

Appendix D

ICAO CODE OF CONDUCT FOR AUDITORS

1. As a participant of the USAP-CMA audit team, I solemnly agree to the following: • to exercise in all loyalty, discretion and conscience the functions entrusted to me as a participant of

the USAP-CMA audit team; • to discharge these functions to the best of my ability; • to conduct myself with integrity, impartiality and honesty; • to abide by the rules, procedures, and guidance set out in the ICAO Universal Security Audit

Programme Continuous Monitoring Manual; • not to misuse my official position as part of the USAP-CMA audit team; • not to receive benefits of any kind from a third party which might reasonably be seen to compromise

my personal judgement or integrity; • to understand and respect the culture, customs, habits and national laws of the country in which the

audit takes place; • to avoid giving cause for resentment and abstain from conduct which would reflect adversely on the

USAP-CMA audit team and which would prejudice ICAO; • not to disclose any information of a confidential nature related to the findings of the USAP-CMA audit

to any other party; • not to disclose any of the following documents to any other party: — SASAQ and CCs when filled in by the Member State; — PQ Worksheets; — Personal notes; — USAP-CMA audit report.

Universal Security Audit Programme App D-2 Continuous Monitoring Manual

2. If I have reason to believe I am being required to act in a way that: • is illegal, improper or unethical; • is in breach of the procedures set out in the ICAO Universal Security Audit Programme Continuous

Monitoring Manual; • may involve possible misadministration or is otherwise inconsistent with the above, I will report this matter in writing to C/ASA.

NAME: SIGNATURE:

DATE:

Appendix D. ICAO Code of Conduct for Auditors App D-3

INTERNATIONAL CIVIL SERVICE COMMISSION

STANDARDS OF CONDUCT FOR THE INTERNATIONAL CIVIL SERVICE

2013

Introduction 1. The United Nations and the specialized agencies embody the highest aspirations of the peoples of the world. Their aim is to save succeeding generations from the scourge of war and to enable every man, woman and child to live in dignity and freedom. 2. The international civil service bears responsibility for translating these ideals into reality. It relies on the great traditions of public administration that have grown up in member States: competence, integrity, impartiality, independence and discretion. But over and above this, international civil servants have a special calling: to serve the ideals of peace, respect for fundamental rights, economic and social progress, and international cooperation. It is therefore incumbent on international civil servants to adhere to the highest standards of conduct; for, ultimately, it is the international civil service that will enable the United Nations system to bring about a just and peaceful world.

Guiding principles 3. The values that are enshrined in the United Nations organizations must also be those that guide international civil servants in all their actions: fundamental human rights, social justice, the dignity and worth of the human person and respect for the equal rights of men and women and of nations great and small. 4. International civil servants should share the vision of their organizations. It is loyalty to this vision that ensures the integrity and international outlook of international civil servants; a shared vision guarantees that they will place the interests of their organization above their own and use its resources in a responsible manner. 5. The concept of integrity enshrined in the Charter of the United Nations embraces all aspects of an international civil servant’s behaviour, including such qualities as honesty, truthfulness, impartiality and incorruptibility. These qualities are as basic as those of competence and efficiency, also enshrined in the Charter. 6. Tolerance and understanding are basic human values. They are essential for international civil servants, who must respect all persons equally, without any distinction whatsoever. This respect fosters a climate and a working environment sensitive to the needs of all. To achieve this in a multicultural setting calls for a positive affirmation going well beyond passive acceptance. 7. International loyalty means loyalty to the whole United Nations system and not only to the organization for which one works; international civil servants have an obligation to understand and exemplify this wider loyalty. The need for a cooperative and understanding attitude towards international civil servants of other United Nations organizations is obviously most important where international civil servants of several organizations are serving in the same country or region.


8. If the impartiality of the international civil service is to be maintained, international civil servants must remain independent of any authority outside their organization; their conduct must reflect that independence. In keeping with their oath of office, they should not seek nor should they accept instructions from any Government, person or entity external to the organization. It cannot be too strongly stressed that international civil servants are not, in any sense, representatives of Governments or other entities, nor are they proponents of their policies. This applies equally to those on secondment from Governments and to those whose services have been made available from elsewhere. International civil servants should be constantly aware that, through their allegiance to the Charter and the corresponding instruments of each organization, member States and their representatives are committed to respect their independent status. 9. Impartiality implies tolerance and restraint, particularly in dealing with political or religious convictions. While their personal views remain inviolate, international civil servants do not have the freedom of private persons to take sides or to express their convictions publicly on controversial matters, either individually or as members of a group, irrespective of the medium used. This can mean that, in certain situations, personal views should be expressed only with tact and discretion. 10. This does not mean that international civil servants have to give up their personal political views or national perspectives. It does mean, however, that they must at all times maintain a broad international outlook and an understanding of the international community as a whole. 11. The independence of the international civil service does not conflict with, or obscure, the fact that it is the member States that collectively make up — in some cases with other constituents — the organization. Conduct that furthers good relations with individual member States and that contributes to their trust and confidence in the organizations’ secretariat strengthens the organizations and promotes their interest. 12. International civil servants who are responsible for projects in particular countries or regions may be called upon to exercise special care in maintaining their independence. At times they might receive instructions from the host country but this should not compromise their independence. If at any time they consider that such instructions threaten their independence, they must consult their supervisors. 13. International civil servants at all levels are accountable and answerable for all actions carried out, as well as decisions taken, and commitments made by them in performing their functions. 14. An international outlook stems from an understanding of and loyalty to the objectives and purposes of the organizations of the United Nations system as set forth in their legal instruments. It implies, inter alia, respect for the right of others to hold different points of view and follow different cultural practices. It requires a willingness to work without bias with persons of all nationalities, religions and cultures; it calls for constant sensitivity as to how words and actions may look to others. It requires avoidance of any expressions that could be interpreted as biased or intolerant. As working methods can be different in different cultures, international civil servants should not be wedded to the attitudes, working methods or work habits of their own country or region. 15. Freedom from discrimination is a basic human right. International civil servants are expected to respect the dignity, worth and equality of all people without any distinction whatsoever. Assumptions based on stereotypes must be assiduously avoided. One of the main tenets of the Charter is the equality of men and women, and organizations should therefore do their utmost to promote gender equality.


Working relations 16. Managers and supervisors are in positions of leadership and it is their responsibility to ensure a harmonious workplace based on mutual respect; they should be open to all views and opinions and make sure that the merits of staff are properly recognized. They need to provide support to them; this is particularly important when staff are subject to criticism arising from the performance of their duties. Managers are also responsible for guiding and motivating their staff and promoting their development. 17. Managers and supervisors serve as role models and they have therefore a special obligation to uphold the highest standards of conduct. It is quite improper for them to solicit favours, gifts or loans from their staff; they must act impartially, without favouritism and intimidation. In matters relating to the appointment or career of others, international civil servants should not try to influence colleagues for personal reasons. 18. Managers and supervisors should communicate effectively with their staff and share relevant information with them. International civil servants have a reciprocal responsibility to provide all pertinent facts and information to their supervisors and to abide by and defend any decisions taken, even when those do not accord with their personal views. 19. International civil servants must follow the instructions they receive in connection with their official functions and, if they have doubts as to whether an instruction is consistent with the Charter or any other constitutional instrument, decisions of the governing bodies or administrative rules and regulations, they should first consult their supervisors. If the international civil servant and supervisor cannot agree, the international civil servant may ask for written instructions. These may be challenged through the proper institutional mechanisms, but any challenge should not delay carrying out the instruction. International civil servants may also record their views in official files. They should not follow verbal or written instructions that are manifestly inconsistent with their official functions or that threaten their safety or that of others. 20. International civil servants have the duty to report any breach of the organization’s regulations and rules to the official or entity within their organizations whose responsibility it is to take appropriate action, and to cooperate with duly authorized audits and investigations. An international civil servant who reports such a breach in good faith or who cooperates with an audit or investigation has the right to be protected against retaliation for doing so.

Harassment and abuse of authority 21. Harassment in any shape or form is an affront to human dignity and international civil servants must not engage in any form of harassment. International civil servants have the right to a workplace environment free of harassment or abuse. All organizations must prohibit any kind of harassment. Organizations have a duty to establish rules and provide guidance on what constitutes harassment and abuse of authority and how unacceptable behaviour will be addressed. 22. International civil servants must not abuse their authority or use their power or position in a manner that is offensive, humiliating, embarrassing or intimidating to another person.

Conflict of interest 23. Conflicts of interest may occur when an international civil servant’s personal interests interfere with the performance of his/her official duties or call into question the qualities of integrity, independence and impartiality required the status of an international civil servant. Conflicts of interest include circumstances in which international civil servants, directly or indirectly, may benefit improperly, or allow a third party to benefit improperly, from their association with their organization. Conflicts of interest can arise from an international civil servant’s personal or familial dealings with third parties, individuals, beneficiaries, or other institutions. If a conflict of interest or possible conflict of interest does arise,


the conflict shall be disclosed, addressed and resolved in the best interest of the organization. Questions entailing a conflict of interest can be very sensitive and need to be treated with care.

Disclosure of information 24. International civil servants should avoid assisting third parties in their dealings with their organization where this might lead to actual or perceived preferential treatment. This is particularly important in procurement matters or when negotiating prospective employment. At times, international civil servants may, owing to their position or functions in accordance with the organization’s policies, be required to disclose certain personal assets if this is necessary to enable their organizations to make sure that there is no conflict. The organizations must ensure confidentiality of any information so disclosed, and must use it only for defined purposes or as authorized by the international civil servant concerned. International civil servants should also disclose in advance possible conflicts of interest that may arise in the course of carrying out their duties and seek advice on mitigation and remediation. They should perform their official duties and conduct their personal affairs in a manner that preserves and enhances public confidence in their own integrity and that of their organization.

Use of the resources of United Nations organizations 25. International civil servants are responsible for safeguarding the resources of United Nations organizations which are to be used for the purpose of delivering an organization’s mandate and to advance the best interests of the organization. International civil servants shall use the assets, property, information and other resources of their organizations for authorized purposes only and with care. Limited personal use of the resources of an organization, such as electronic and communications resources, may be permitted by the organization in accordance with applicable policies.

Post-employment restrictions 26. After leaving service with organizations of the United Nations system, international civil servants should not take improper advantage of their former official functions and positions, including through unauthorized use or distribution of privileged or confidential information; nor should international civil servants, including those working in procurement services and as requisitioning officers, attempt to unduly influence the decisions of the organization in the interest or at the request of third parties with a view to seeking an opportunity to be employed by such third parties.

Role of the secretariats (headquarters and field duty stations) 27. The main function of all secretariats is to assist legislative bodies in their work and to carry out their decisions. The executive heads are responsible for directing and controlling the work of the secretariats. Accordingly, when submitting proposals or advocating positions before a legislative body or committee, international civil servants are presenting the position of the executive head, not that of an individual or organizational unit. 28. In providing services to a legislative or representative body, international civil servants should serve only the interests of the organization, not that of an individual or organizational unit. It would not be appropriate for international civil servants to prepare for Government or other international civil service representatives any speeches, arguments or proposals on questions under discussion without approval of the executive head. It could, however, be quite appropriate to provide factual information, technical advice or assistance with such tasks as the preparation of draft resolutions.


29. It is entirely improper for international civil servants to lobby or seek support from Government representatives or members of legislative organs to obtain advancement either for themselves or for others or to block or reverse unfavourable decisions regarding their status. By adhering to the Charter and the constitutions of the organizations of the United Nations system, Governments have undertaken to safeguard the independence of the international civil service; it is therefore understood that Government representatives and members of legislative bodies will neither accede to such requests nor intervene in such matters. The proper method for an international civil servant to address such matters is through administrative channels; each organization is responsible for providing these.

Staff-management relations 30. An enabling environment is essential for constructive staff-management relations and serves the interests of the organizations. Relations between management and staff should be guided by mutual respect. Elected staff representatives have a cardinal role to play in the consideration of conditions of employment and work, as well as in matters of staff welfare. Freedom of association is a fundamental human right and international civil servants have the right to form and join associations, unions or other groupings to promote and defend their interests. Continuing dialogue between staff and management is indispensable. Management should facilitate this dialogue. 31. Elected staff representatives enjoy rights that derive from their status; this may include the opportunity to address the legislative organs of their organization. These rights should be exercised in a manner that is consistent with the Charter of the United Nations, the Universal Declaration of Human Rights and the international covenants on human rights, and does not undermine the independence and integrity of the international civil service. In using the broad freedom of expression they enjoy, staff representatives must exercise a sense of responsibility and avoid undue criticism of the organization. 32. Staff representatives must be protected against discriminatory or prejudicial treatment based on their status or activities as staff representatives, both during their term of office and after it has ended. Organizations should avoid unwarranted interference in the administration of their staff unions or associations.

Relations with member States and legislative bodies 33. It is the clear duty of all international civil servants to maintain the best possible relations with Governments and avoid any action that might impair this. They should not interfere in the policies or affairs of Governments. It is unacceptable for them, either individually or collectively, to criticize or try to discredit a Government. At the same time, it is understood that international civil servants may speak freely in support of their organizations’ policies. Any activity, direct or indirect, to undermine or overthrow a Government constitutes serious misconduct. 34. International civil servants are not representatives of their countries, nor do they have authority to act as liaison agents between organizations of the United Nations system and their Governments. The executive head may, however, request an international civil servant to undertake such duties, a unique role for which international loyalty and integrity are essential. For their part, neither Governments nor organizations should place international civil servants in a position where their international and national loyalties may conflict.

Relations with the public 35. For an organization of the United Nations system to function successfully, it must have the support of the public. All international civil servants therefore have a continuing responsibility to promote a better understanding of the objectives and work of their organizations. This requires them to be well informed of the achievements of their own organizations and to familiarize themselves with the work of the United Nations system as a whole.


36. There is a risk that on occasion international civil servants may be subject to criticism from outside their organizations; in keeping with their responsibility as international civil servants, they should respond with tact and restraint. It is the obligation of their organizations to defend them against criticism for actions taken in fulfilment of their duties. 37. It would not be proper for international civil servants to air personal grievances or criticize their organizations in public. International civil servants should endeavour at all times to promote a positive image of the international civil service, in conformity with their oath of loyalty.

Relations with the media 38. Openness and transparency in relations with the media are effective means of communicating the organizations’ messages. The organizations should have guidelines and procedures in place for which the following principles should apply: international civil servants should regard themselves as speaking in the name of their organizations and avoid personal references and views; in no circumstances should they use the media to further their own interests, to air their own grievances, to reveal unauthorized information or attempt to influence their organizations’ policy decisions.

Use and protection of information 39. Because disclosure of confidential information may seriously jeopardize the efficiency and credibility of an organization, international civil servants are responsible for exercising discretion in all matters of official business. They must not divulge confidential information without authorization. International civil servants should not use information to personal advantage that has not been made public and is known to them by virtue of their official position. These obligations do not cease upon separation from service. Organizations must maintain guidelines for the use and protection of confidential information, and it is equally necessary for such guidelines to keep pace with developments in communications and other new technology. It is understood that these provisions do not affect established practices governing the exchange of information between the secretariats and member States, which ensure the fullest participation of member States in the life and work of the organizations.

Respect for different customs and culture 40. The world is home to a myriad of different peoples, languages, cultures, customs and traditions. A genuine respect for them all is a fundamental requirement for an international civil servant. Any behaviour that is not acceptable in a particular cultural context must be avoided. However, if a tradition is directly contrary to any human rights instrument adopted by the United Nations system, the international civil servant must be guided by the latter. International civil servants should avoid an ostentatious lifestyle and any display of an inflated sense of personal importance.

Security and safety 41. While an executive head assigns staff in accordance with the exigencies of the service, it is the responsibility of organizations to ensure that the health, well-being, security and lives of their staff, without any discrimination whatsoever, will not be subject to undue risk. The organizations should take measures to protect the safety of their staff and that of their family members. At the same time, it is incumbent on international civil servants to comply with all instructions designed to protect their safety.


Personal conduct 42. The private life of international civil servants is their own concern and organizations should not intrude upon it. There may be situations, however, in which the behaviour of an international civil servant may reflect on the organization. International civil servants must therefore bear in mind that their conduct and activities outside the workplace, even if unrelated to official duties, can compromise the image and the interests of the organizations. This can also result from the conduct of members of international civil servants’ households, and it is the responsibility of international civil servants to make sure that their households are fully aware of this. 43. The privileges and immunities that international civil servants enjoy are conferred upon them solely in the interests of the organizations. They do not exempt international civil servants from observing local laws, nor do they provide an excuse for ignoring private legal or financial obligations. It should be remembered that only the executive head is competent to waive the immunity accorded to international civil servants or to determine its scope. 44. Violations of the law can range from serious criminal activities to trivial offences, and organizations may be called upon to exercise judgement depending on the nature and circumstances of individual cases. A conviction by a national court will usually, although not always, be persuasive evidence of the act for which an international civil servant was prosecuted; acts that are generally recognized as offences by national criminal laws will normally also be considered violations of the standards of conduct for the international civil service.

Outside employment and activities 45. The primary obligation of international civil servants is to devote their energies to the work of their organizations. Therefore, international civil servants should not engage, without prior authorization, in any outside activity, whether remunerated or not, that interferes with that obligation or is incompatible with their status or conflicts with the interests of the organization. Any questions about this should be referred to the executive head. 46. Subject to the above, outside activities may, of course, be beneficial both to staff members and to their organizations. Organizations should allow, encourage and facilitate the participation of international civil servants in professional activities that foster contacts with private and public bodies and thus serve to maintain and enhance their professional and technical competencies. 47. International civil servants on leave, either with or without pay, should bear in mind that they remain international civil servants in the employ of their organization and remain subject to its rules. They may, therefore, accept employment, paid or unpaid, during their leave only with proper authorization. 48. In view of the independence and impartiality that they must maintain, international civil servants, while retaining the right to vote, should not participate in political activities, such as standing for or holding local or national political office. This does not, however, preclude participation in local community or civic activities, provided that such participation is consistent with the oath of service in the United Nations system. It is necessary for international civil servants to exercise discretion in their support for a political party or campaign, and they should not accept or solicit funds, write articles or make public speeches or statements to the press. These cases require the exercise of judgement and, in case of doubt, should be referred to the executive head. 49. The significance of membership in a political party varies from country to country and it is difficult to formulate standards that will apply in all cases. In general, international civil servants may be members of a political party, provided its prevailing views and the obligations imposed on its members are consistent with the oath of service in the United Nations system.


Gifts, honours and remuneration from outside sources 50. To protect the international civil service from any appearance of impropriety, international civil servants must not accept, without authorization from the executive head, any honour, decoration, gift, remuneration, favour or economic benefit of more than nominal value from any source external to their organizations; it is understood that this includes Governments as well as commercial firms and other entities. 51. International civil servants should not accept supplementary payments or other subsidies from a Government or any other source prior to, during or after their assignment with an organization of the United Nations system if the payment is related to that assignment. Balancing this requirement, it is understood that Governments or other entities, recognizing that they are at variance with the spirit of the Charter and the constitutions of the organizations of the United Nations system, should not make or offer such payments.

Conclusion 52. The attainment of the standards of conduct for the international civil service requires the highest commitment of all parties. International civil servants must be committed to the values, principles and standards set forth herein. They are expected to uphold them in a positive and active manner. They should feel responsible for contributing to the broad ideals to which they dedicated themselves in joining the United Nations system. Organizations have the obligation to implement these standards through their policy framework, including rules, regulations and other administrative instruments. For their part, member States are expected, through their allegiance to the Charter and other constituent instruments, to preserve the independence and impartiality of the international civil service. 53. For these standards to be effectively applied, it is essential that they be widely disseminated and that measures be taken and mechanisms put in place to ensure that their scope and importance are understood throughout the international civil service, the member States and the organizations of the United Nations system. 54. Respect for these standards assures that the international civil service will continue to be an effective instrument in fulfilling its responsibilities and in meeting the aspirations of the peoples of the world.

— END —

Doc 9807 - icscc.org.cn · ASITF Advanced Security in the Field AUI Response to acts of unlawful interference BSITF Basic Security in the Field C/ASA Chief, Aviation Security Audit

Documents