[Federal Register Volume 68, Number 57 (Tuesday, March 25, 2003)]
[Rules and Regulations]
[Pages 14510-14521]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 03-7080]



[[Page 14509]]

-----------------------------------------------------------------------

Part IV





Department of Transportation





-----------------------------------------------------------------------



Research and Special Programs Administration



-----------------------------------------------------------------------



49 CFR Part 172



Hazardous Materials: Security Requirements for Offerors and 
Transporters of Hazardous Materials; Final Rule

  Federal Register / Vol. 68, No. 57 / Tuesday, March 25, 2003 / Rules 
and Regulations  

[[Page 14510]]


-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Research and Special Programs Administration

49 CFR Part 172

[Docket No. RSPA-02-12064 (HM-232)]
RIN 2137-AD67


Hazardous Materials: Security Requirements for Offerors and 
Transporters of Hazardous Materials

AGENCY: Research and Special Programs Administration (RSPA), DOT.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Research and Special Programs Administration is 
establishing new requirements to enhance the security of hazardous 
materials transported in commerce. Shippers and carriers of certain 
highly hazardous materials must develop and implement security plans. 
In addition, all shippers and carriers of hazardous materials must 
assure that their employee training includes a security component.

EFFECTIVE DATE: This final rule is effective March 25, 2003.

FOR FURTHER INFORMATION CONTACT: Susan Gorsky, (202) 366-8553, Office 
of Hazardous Materials Standards, Research and Special Programs 
Administration.

SUPPLEMENTARY INFORMATION:

I. Background

    On May 2, 2002, the Research and Special Programs Administration 
(RSPA, we) published a notice of proposed rulemaking (NPRM) to enhance 
the security of hazardous materials in transportation (67 FR 22028). 
Proposals for amending the Hazardous Materials Regulations (HMR; 49 CFR 
parts 171-180) included a requirement for motor carriers registered 
with the agency to maintain a copy of their current registration 
certificate on each motor vehicle. We further proposed to require 
shipping papers to include the name and address of the consignor and 
consignee and the shipper's DOT Hazmat Registration number, if 
applicable. In addition, we proposed to require shippers and carriers 
of certain highly hazardous materials to develop and implement security 
plans. We also proposed to require hazardous materials shippers and 
carriers to assure that their employee training includes a security 
component. The NPRM provided a 30-day comment period.
    On May 23, 2002, in response to a number of requests, we extended 
the comment period for the NPRM an additional 30 days (67 FR 36138). 
The comment period closed July 3, 2002.
    In addition, on July 16, 2002, RSPA and the Federal Motor Carrier 
Safety Administration (FMCSA) published an advance notice of proposed 
rulemaking (ANPRM) to examine the need for enhanced security 
requirements for hazardous materials transported by motor carriers (67 
FR 46622). The two agencies are seeking comments on the feasibility of 
specific security enhancements and the potential costs and benefits of 
deploying such enhancements. Security measures addressed in the ANPRM 
include escorts, vehicle tracking and monitoring systems, emergency 
warning systems, remote shut-offs, direct short-range communications, 
notification to State and local authorities, and operational measures. 
The comment period for the ANPRM was extended until November 15, 2002. 
Late-filed comments will be considered to the extent feasible.
    In this final rule, we are adopting the following revisions to the 
HMR to enhance the security of hazardous materials transported in 
commerce:

--Shippers and carriers subject to the registration requirements in 49 
CFR part 107 or who offer or transport select agents and toxins 
regulated by the Centers for Disease Control and Prevention (CDC) must 
develop and implement security plans.
--Hazmat employers must provide security training to their hazmat 
employees. Hazmat employees of companies required to have a security 
plan under this final rule must be trained in the plan's specifics. All 
hazmat employees must receive training that provides an awareness of 
the security issues associated with hazardous materials transportation 
and possible methods to enhance transportation security. This training 
must also include a component covering how to recognize and respond to 
possible security threats.

    When conducting inspections at shipper and other facilities, DOT 
inspectors will be looking for security plans and training records 
related to security. If violations are found, appropriate penalty 
action will be initiated. Baseline penalties for these violations will 
be provided in a civil penalty rulemaking that we expect to issue in 
the near future.

II. Analysis of Comments

    We received over 270 comments on the May 3, 2002, NPRM from 
hazardous materials shippers, carriers, industry associations, and 
State and local government agencies. Commenters unanimously support the 
NPRM's goal of enhancing the secure transportation of hazardous 
materials. However, most commenters have significant concerns about 
some or all of the specific proposals in the NPRM. For example, some 
commenters suggest that the NPRM proposals do not provide an 
appropriate balance between security and economic goals. In addition, 
some commenters oppose some or all of the proposed security 
requirements because they would not have prevented the September 11, 
2001, terrorist attacks. Several commenters also suggest that we should 
defer to the Transportation Security Administration (TSA) or the 
proposed Department of Homeland Security on security issues. Further, 
many commenters express reservations about the scope of the NPRM and 
the applicability of some of its provisions to most shipments of 
hazardous materials. As well, a significant proportion of commenters 
oppose some or all of the proposals concerning registration numbers and 
certificates, shipping documentation requirements, security plans, and 
security training. Finally, many commenters suggest that we seriously 
underestimated the potential cost impacts of the proposals in the NPRM. 
These comments are discussed in detail below.

A. Security Versus Economic Efficiency

    Several commenters express concern that the NPRM proposals in the 
aggregate will result in unacceptable economic burdens on the industry 
and will adversely affect the efficiency with which hazardous materials 
are routinely transported. ``We also are concerned that the proposed 
measures will be expensive to implement and will introduce 
inefficiencies to the manner in which hazardous materials are 
transported. In responding to the events of September 11th, we must not 
compromise our ability to move large amounts of hazardous materials in 
an efficient, cost-effective manner. Introducing inefficiencies to our 
freight transportation system helps further the terrorists' goals of 
disrupting the American way of life.'' (American Trucking Associations)
    As we stated in the NPRM, hazardous materials are essential to the 
economy of the United States and the well-being of its people. Our goal 
in this rulemaking is to implement security requirements that will be 
effective in preventing hazardous materials from being used as tools of 
destruction and terror while permitting continued transportation of 
these essential products. We applaud those in the industry who have 
recognized their responsibility for

[[Page 14511]]

enhanced security for the products they manufacture and transport and 
have developed and implemented thorough and detailed security programs. 
We do not agree that the imposition of prudent, common-sense security 
measures will cause massive disruptions in the movement of hazardous 
materials. We recognize that the provisions proposed in the NPRM and 
adopted, with modifications, in this final rule, will impose new costs 
of doing business on both hazardous materials shippers and carriers. As 
discussed in the following sections, in this final rule we revised 
certain proposals in response to comments on the NPRM to increase the 
effectiveness and reduce potential costs impacts of the new security 
provisions.
    Several commenters note that the security measures proposed in the 
NPRM would not have prevented the September 11th terrorist attacks, the 
1993 attack on the World Trade Center, or the 1995 attack on the Murrah 
Building in Oklahoma City. Nowhere in the NPRM do we state that the 
proposed security requirements would have prevented past attacks. 
Rather, we discussed the September 11th terrorist atrocities to 
indicate the heightened risk of terrorism with which we all now live 
and the need to reassess and address security vulnerabilities in all 
areas of our public and private lives. The discussion of the attack on 
the Murrah Building was intended as an illustration of the devastating 
consequences that can result from a criminal or terrorist act involving 
hazardous materials and to provide an estimate of the economic costs of 
such an act. We cannot limit our actions on security to efforts to 
prevent terrorist attacks that have already occurred. It is incumbent 
on everyone responsible for the safety and security of the United 
States to proactively assess future terrorist threats and take actions 
to try to prevent future attacks. We believe that the new requirements 
in this final rule will enhance the security of hazardous materials in 
transportation and, thus, help to deter and prevent terrorists from 
using hazardous materials in the transportation system as weapons of 
destruction or intimidation.

B. Security Authority

    Some commenters question whether RSPA is the appropriate agency to 
issue transportation security regulations. These commenters suggest 
that the Transportation Security Agency (TSA) or the proposed 
Department of Homeland Security would be better suited to issue 
transportation security-related regulations. One commenter points out 
that TSA has been given the responsibility for security in all modes of 
transportation, and that TSA has been authorized to issue, rescind and 
revise such regulations as are necessary to carry out the functions of 
the Administration.
    The HMR are promulgated under the mandate in Sec.  5103(b) of 
Federal hazardous materials transportation law (Federal hazmat law; 49 
U.S.C. 5101 et seq., as amended by Sec.  1711 of the Homeland Security 
Act of 2002, Pub. L. 107-296) that the Secretary of Transportation 
``prescribe regulations for the safe transportation, including 
security, of hazardous material in intrastate, interstate, and foreign 
commerce.'' Section 5103(b)(1)(B) provides that the HMR ``shall govern 
safety aspects, including security, of the transportation of hazardous 
material the Secretary considers appropriate.''
    Hazardous materials shippers and carriers should be aware that this 
final rule is the first step in what may be a series of rulemakings to 
address the security of hazardous materials shipments. The joint RSPA-
FMCSA ANPRM described above may result in one or more proposals to 
require specific security measures for hazardous materials that pose a 
significant security risk in transportation. In addition, TSA is 
developing regulations that are likely to impose additional 
requirements beyond those established in this final rule. We consult 
and coordinate with TSA concerning security-related hazardous materials 
transportation regulations and will continue to do so after TSA becomes 
part of the new Department of Homeland Security.

C. Industry Consensus Standards

    One commenter suggests that we should work with the hazardous 
materials industry to develop consensus standards for hazardous 
materials transportation security. ``Instead of implementing its 
proposals, RSPA should hold one or more public meetings to solicit 
recommendations from shippers, carriers, and other members of the 
interested public as to security enhancements, and as to regulatory 
approaches, that will accomplish more, and do so more efficiently.'' 
(National Small Shipments Traffic Conference, Inc., and the Health and 
Personal Care Logistics Conference, Inc.) We appreciate this 
suggestion; indeed, we are aware that a number of industry associations 
have developed and disseminated recommendations for enhancing the 
security of hazardous materials and expect that they will form the 
basis for many individual company plans. However, we do not agree that 
a consensus-standards approach is appropriate for this rulemaking. 
Consensus standards generally are specification standards; that is, 
they set forth specific requirements for achieving a regulatory goal. 
One of the goals of this final rule is to establish a performance 
standard for hazardous materials transportation security plans. 
Performance standards generally permit a regulated entity to determine 
the specific measures necessary to achieve compliance with the 
established performance goal. In the case of hazardous materials 
transportation security, the flexibility provided by a performance 
standard permits a company to implement a security plan that is 
tailored to its specific circumstances and operations.
    A consensus-standards process is a lengthy process. It can take 
many months or even years for the parties developing such a standard to 
reach consensus on the appropriate measures to be implemented. The 
security threat is real and ongoing. We do not have the time to spend 
on development of a consensus standard for hazardous materials 
transportation security.

D. Registration Certificates

    Currently, each motor carrier transporting certain classes or 
divisions of hazardous materials is required to file with RSPA a 
registration statement and pay an annual fee (49 CFR part 107). A 
Certificate of Registration (certificate), which includes a U.S. DOT 
Hazmat Registration Number, is then issued by RSPA to the carrier. A 
carrier must display its registration number on a document carried on 
each motor vehicle, but need not maintain a copy of the certificate 
itself on each vehicle. The NPRM proposed to require each motor carrier 
registered with RSPA to maintain a copy of its current registration 
certificate on each motor vehicle used to transport hazardous 
materials. We suggested that the actual certificate could assist State 
and local law enforcement personnel to determine whether a carrier is a 
legitimate transporter of hazardous materials.
    Commenters overwhelmingly oppose this proposal, primarily because 
the registration system as currently structured is not designed to make 
determinations as to the legitimacy of registrants. ``[A] valid 
registration certificate is no indication that a transporter is 
`legitimate.' It is not an endorsement of regulatory compliance. It is 
simply proof of payment.'' (Institute of Makers of Explosives) 
Commenters also note that the registration system has no relevance to 
transportation security. ``[T]he act of registering and obtaining a DOT 
registration certificate and number * * * does nothing to ensure that 
the

[[Page 14512]]

registrant is not a potential risk to transport security. * * * In no 
case is any background investigation conducted before registering an 
applicant, or even investigation to ensure that the applicant is a bona 
fide company legitimately engaged in the offering for transport and/or 
transport of hazardous materials.'' (The Conference on the Safe 
Transportation of Hazardous Articles, Inc.) In addition, commenters 
suggest that a registration certificate can easily be copied or 
falsified. Even those commenters who support the proposal for motor 
carriers to maintain a copy of their registration certificates on 
transport vehicles state that the proposal will not enhance 
transportation security.
    We have reconsidered this issue in light of the overwhelming 
opposition expressed by commenters to this proposal, and it is not 
adopted in this final rule. We agree with commenters that, absent 
significant changes to the current registration system, the mere 
presence of a registration certificate in a motor vehicle transporting 
hazardous materials will do little to enhance transportation security 
or to assist enforcement personnel to verify the legitimacy of 
hazardous materials carriers.

E. Shipping Papers

    Currently, the HMR generally require each person who offers a 
hazardous material for transportation to describe the material on a 
shipping paper. However, there is no requirement for a shipping paper 
to include the name and address of the person offering the shipment or 
the person to whom the shipment will be delivered. The NPRM proposed to 
require each shipping paper to include the name of the shipment 
consignor and the address from which the shipment originates and the 
name and address of each person to whom the shipment will be delivered. 
In addition, we proposed to require each shipping paper to include the 
U.S. DOT Hazmat Registration Number, if applicable, of the person 
offering the shipment for transportation. The proposal was intended to 
assure that shipping papers included information to assist law 
enforcement personnel to promptly ascertain the legitimacy of hazardous 
materials shipments during routine or random roadside inspections and 
to identify suspicious or questionable situations where additional 
investigation may be necessary.
    As with the proposal to require motor carriers to maintain copies 
of registration certificates in vehicles transporting hazardous 
materials, commenters overwhelmingly oppose the proposal to require 
shippers to include registration numbers on shipping papers. Commenters 
say that the registration program is not designed to determine whether 
shippers are ``legitimate'' and that the proposed requirement will not 
enhance shipment security. In addition, commenters suggest that a 
requirement to include registration numbers on shipping papers would be 
expensive to implement because many shippers would have to modify 
computer systems and shipping paper forms to include the new 
information. ``Configuring computer systems to provide new data on 
shipping documents will cause significant problems for shippers, 
carriers, freight forwarders, brokers, agents, and others. Available 
display fields are limited and companies will need to redirect their 
limited Information Technology (IT) resources to reprogram their 
information management systems.'' (Dangerous Goods Advisory Council) 
While we believe that commenters have overstated the costs that might 
be incurred to modify information systems to accommodate the proposed 
registration number requirement, we agree that the paperwork burden is 
not justified by the limited security benefits that might result. 
Therefore, the registration number proposal is not adopted in this 
final rule.
    A number of commenters support the proposal to include the names 
and addresses of consignors and consignees on shipping papers. ``This 
provision, to include the name of the shipment consignor and the 
address of the person to whom the shipment will be delivered, is 
already widely in use by most companies that ship hazardous materials 
and therefore is readily acceptable.'' (Dow Chemical Company) 
Similarly, ``[i]ndustry routinely prepares thousands of shipping papers 
each year and the requirement that the addresses of the consignor and 
consignee appear on such documents should not pose a problem or 
burden.'' (Nuclear Energy Institute)
    Other commenters, however, express serious reservations about the 
proposal to require consignor and consignee names and addresses on 
shipping papers. Most commenters question whether such a requirement 
would actually make it easier to identify suspicious shipments, as 
stated in the NPRM, without a system in place to verify the consignor 
and consignee information provided. ``Establishing the legitimacy of 
any consignor or consignee, and their respective addresses, requires 
knowledge and information not `promptly ascertainable' from the 
roadside more than a thousand miles from the consignor and consignee as 
indicated in the shipping paper.'' (The Conference on the Safe 
Transportation of Hazardous Articles, Inc.) As well, commenters suggest 
that the proposal is unnecessarily broad and would apply to shipments 
of hazardous materials that pose little or no security threat. In 
addition, commenters say that, while the proposed requirement for 
consignor/consignee names and addresses on shipping papers may have 
some security benefit for motor carrier operations, it is not 
appropriate for all modes of transportation. Rail carriers, for 
example, suggest that the proposal would result in little or no 
security benefit for rail car transportation. ``Adding information to 
the shipping papers might be useful to a law enforcement officer 
stopping a truck on the highway * * * but would add nothing to rail 
security. * * * The carload rail network is a fixed network that serves 
only those shippers connecting to it. The identity and location of 
every rail car shipper is known and only specific destinations can be 
reached by rail. The security issues addressed by the proposed street 
address requirement are simply not present in rail transportation.'' 
(CSX Transportation)
    Further, shippers and carriers of specific classes and types of 
materials cite operational difficulties that they say will make it 
difficult to comply with the proposed new requirement. Hazardous waste 
generators suggest that the proposed requirement to include consignor 
and consignee names and addresses on shipping papers is redundant for 
hazardous waste shipments because the EPA hazardous waste manifest 
already includes sufficient information for tracking hazardous wastes 
from origin to destination. Other commenters are concerned that the 
NPRM proposal concerning shipping papers did not consider the positive 
security implications of electronic tracking systems that are utilized 
by a number of shippers and carriers to monitor shipments. ``[There 
are] superior technology and tracking systems in place that not only 
track all shipments but also the vehicle or container used to transport 
the freight. Unfortunately, RSPA does not give indication that it has 
considered the advanced or enhanced security benefits gained from 
having such a system in place. RSPA should recognize and waive any 
proposed requirements for carriers and companies with these type 
information

[[Page 14513]]

systems in place * * * '' (FedEx Express)
    Commenters representing shippers and carriers of hazardous 
materials used in agricultural applications note that many of the 
locations to which they deliver do not have street addresses, making it 
difficult to complete a shipping paper as proposed in the NPRM. 
``[Agricultural retailers] often deliver their product to farm fields 
that don't have addresses, or to farms with rural addresses, and in 
some cases in one State, no addresses. * * * Many applicators 
intimately know the customer's fields they are delivering to and thus 
don't need addresses. Some use maps or air photos that show the fields 
or sections of fields that need the products applied.'' (Agricultural 
Retailers Association) Representatives of shippers and carriers of 
hazardous materials used at construction sites have similar concerns. 
Shippers and carriers of compressed gas cylinders used in medical care 
and heating oil, diesel fuel, propane, gasoline, and similar materials 
that use individual motor vehicles to deliver product to multiple 
locations point out that drivers frequently make changes to their 
delivery schedules or make emergency or unscheduled deliveries in the 
course of a single day, so that a shipping paper with a list of 
delivery locations completed in the morning would have to be 
significantly altered by the driver during the course of the day as his 
delivery schedule is modified. ``It is common practice to have multiple 
deliveries of fuel throughout the day. The shipment locations may be 
known for some deliveries, but there are numerous instances where the 
location of a particular delivery is not known until the truck has 
already begun its route. In other words, not every gallon of petroleum 
is accounted for when loaded at the bulk plant.'' (BOC Oil Company and 
others) Finally, shippers of so-called ``blind shipments'' of hazardous 
materials suggest that they would be adversely affected by the 
proposal. Blind shipments are transported under product trading 
transactions in which the receiving person is not provided information 
about the true origin of the shipments delivered to them and the 
shipper may not know the true destination of the shipment. ``Thousands 
of shipments are made from unnamed locations or from shippers acting as 
agents for suppliers who do not wish to be identified for business 
reasons. Perhaps an equal number of shipments are made to unnamed 
consignees. This NPRM would eliminate this practice resulting in the 
loss of millions of dollars in revenue annually for shippers with no 
increase in security.'' (Compressed Gas Association)
    We do not agree with commenters that the proposed requirement for 
consignor and consignee names on shipping papers would provide little 
or no security benefit. In the absence of requirements for route plans 
or electronic tracking, the name and address of the shipment consignor 
and consignee can help law enforcement personnel determine whether a 
shipment has been unreasonably diverted and, thus, whether further 
investigation is warranted. However, having considered the adverse 
comments received on this proposal, we are not adopting it in this 
final rule. Instead, we are considering modified procedures for making 
consignor and consignee information available to law enforcement 
personnel. A modified procedure may be proposed in a future rulemaking. 
We note in this regard that the UN Recommendations on the Transport of 
Dangerous Goods require the name and address of both the shipment 
consignor and consignee to be included on shipping papers (chapter 
5.4.1.3). A similar requirement is also in the International Civil 
Aviation Organization's Technical Instructions for the Safe Transport 
of Dangerous Goods by Air (chapter 4.1.6). Moreover, a provision to 
require the consignor and consignee name and address has been adopted 
by the International Maritime Organization for inclusion in Amendment 
3.1 of the International Maritime Dangerous Goods Code. We also note 
that the U.S. Customs Service has issued a final rule to require 
consignor/consignee information on bills of lading for all cargoes 
entering the United States (67 FR 66318; October 31, 2002).

F. Security Plans

    The NPRM proposed a new subpart I in part 172 to require persons 
subject to the registration requirements in subpart G of part 107 and 
persons who offer or transport select agents and toxins regulated by 
CDC in 42 CFR part 73 to develop and implement written security plans. 
Those persons required to register under subpart G of part 107 include 
persons who offer for transportation or transport: (1) A highway route-
controlled quantity of a Class 7 (radioactive) material; (2) more than 
25 kg (55 lbs) of a Division 1.1, 1.2, or 1.3 (explosive) material; (3) 
more than 1 L (1.06 qt) per package of a material poisonous by 
inhalation in Hazard Zone A; (4) a shipment in a bulk packaging with a 
capacity equal to or greater than 13,248 L (3,500 gal) for liquids or 
gases or greater than 13.24 cubic meters (468 cubic feet) for solids; 
(5) a shipment in a non-bulk packaging of 2,268 kg (5,000 pounds) gross 
weight or more of one class of hazardous materials for which placarding 
is required; and (6) a shipment that requires placarding. Select agents 
and toxins are materials regulated by CDC because they have the 
potential to pose a severe threat to the public health and safety. We 
suggested that a security plan should focus not only on the potential 
threats posed by the material being transported, but on personnel, 
facility, and en route security issues, as well. The NPRM did not 
include a prescriptive list of actions that must be included in a 
security plan. Rather, we proposed that a company should implement a 
plan that is appropriate to its individual circumstances, considering 
the types and amounts of hazardous materials shipped or transported and 
the modes used for transportation.
    Commenters generally support the proposed requirement. However, 
commenters are concerned about certain details of the proposal. A major 
concern for many commenters is the language used in the NPRM to 
describe the security plan and its purpose. In the words of one 
commenter, ``The written plan requirement is too strongly worded. [We 
are] deeply concerned with much of the language in the security plan 
component of the NPRM. The purpose of any planning, whether for 
security or safety, is to reduce and mitigate risks. However, the NPRM 
as worded mandates `assurance' of 100% risk-free operations. This is 
not possible.'' (National Propane Gas Association) Other commenters 
express similar reservations. ``The security plan should `address' 
various subjects, but no requirement of the regulations should require 
that the plan `assure' that unauthorized or unlawful actions will not 
take place. The word `assure' has a strong legal content, and would 
serve to impose undue strict liability on anyone who had the misfortune 
to experience a security incident, no matter how unavoidable that 
incident was.'' (Sulfur Dioxide Mutual Assistance Response Team) We 
agree that the term ``assure,'' as used in the NPRM to describe the 
purposes and goals of a security plan, was inappropriate. No plan, no 
matter how comprehensive and detailed, can provide absolute assurance 
that each shipment of hazardous materials to which it applies will be 
transported without incident. In this final rule, we are modifying 
subpart I, as suggested by commenters, to more properly

[[Page 14514]]

characterize a security plan in terms of addressing and reducing 
security risks presented by the transportation of certain hazardous 
materials in commerce.
    Related to the liability concern, commenters ask how the proposed 
security plan requirement would be enforced. ``Any measurement of a 
security plan would be entirely subjective. * * * If our products were 
somehow involved in a terrorist act, does this mean our security plan 
failed? And if so, what enforcement action will be taken?'' (Airgas, 
Inc.) Other commenters ask what standard will be used to determine 
whether security plans comply with regulatory requirements.
    Each security plan will differ because each security plan will be 
based on a company's assessment of the security risks associated with 
the materials it ships or transports. There is no ``one-size-fits-all'' 
security plan that will be appropriate for each company's individual 
circumstances; similarly, there is no ``one-size-fits-all'' enforcement 
standard that can be applied to individual companies. We will examine a 
company's security plans, including the vulnerability assessment on 
which the security plan is based, as necessary to ascertain that a 
company has a plan in place, that it includes the components specified 
in this final rule, and that its personnel have been trained concerning 
the plan's specific components.
    The fact that a product is used in a terrorist, criminal, or 
destructive action does not automatically mean that the security plan 
failed or that Federal security requirements are inadequate. A security 
plan should represent a company's best, good-faith effort to address 
identified security risks. However, plans must be updated as new 
information and technology become available. Compliance with Federal 
regulatory standards may constitute an effective defense in private 
litigation. However, failure to comply with those standards can be 
argued to constitute negligence.
    Several commenters suggest that the requirement for security plans 
should be applied more narrowly than proposed in the NPRM. For example, 
shipments of bulk packagings that contain residues of certain hazardous 
materials must be placarded and, thus, would be subject to the proposed 
security plan requirement. Similarly, shipments of certain corrosive or 
flammable materials in Packing Groups II or III, such as institutional 
cleaning products, must be placarded in some circumstances and, thus, 
would be subject to the proposed security plan requirement. Commenters 
suggest that ``the requirement for an offeror or transporter to develop 
and implement a security plan should more appropriately be predicated 
upon the types (in terms of hazard) and/or quantities of hazardous 
materials offered or transported by the person, rather than on whether 
that person is required to register. * * * [S]ecurity plans should only 
be required for offerors and transporters of hazardous materials that 
have the potential to pose a significant threat from a security 
perspective if those hazardous materials were to fall into the wrong 
hands.'' (Conference on Safe Transportation of Hazardous Articles, 
Inc.) We agree that a requirement for security plans should apply only 
to those materials that present significant security threats. The 
registration and select agent and toxins lists cover the materials that 
present the most significant security threats in transportation and 
provide a relatively straightforward way to distinguish materials that 
may present a significant security threat from materials that do not. 
Further, the requirements for security plans proposed in the NPRM and 
adopted in this final rule permit a shipper or carrier to develop a 
security plan that assesses the specific security risks of the 
materials to be transported and put into place measures that are 
commensurate with the assessed risks. If a shipper or carrier 
determines that the security risks of the materials it handles are 
relatively small, then its security plan may well be limited in scope 
and complexity.
    One commenter suggests that materials such as propane do not 
present a security risk sufficient to require development of shipper 
and carrier security plans. ``Propane has an excellent safety record 
both at the storage site and in transit. Propane's narrow range of 
flammability, its tendency to disperse rapidly if released, and the 
robust, Federally-regulated systems used to contain the product all 
support the assertion that propane should not be considered a weapon of 
mass destruction.'' (National Propane Gas Association) We disagree. 
Propane is among the liquefied compressed gases most commonly 
transported throughout the nation. When liquid propane is released into 
the atmosphere, it quickly vaporizes into the gaseous form that is its 
normal state at atmospheric pressure. This happens very rapidly, and in 
the process, the propane combines readily with air to form fuel-air 
mixtures that are ignitable over a range of 2.2 to 9.5 percent propane 
by volume. If an ignition source is present in the vicinity of a highly 
flammable mixture, the vapor cloud ignites and burns very rapidly 
(characterized by some experts as ``explosively''). Based on these 
characteristics and the frequency with which propane is transported in 
this country, we believe that propane presents a sufficient security 
risk to warrant the imposition of security plan and security training 
requirements.
    Another commenter requests an exception from the proposed security 
plan requirements for petroleum marketer transporters ``given the 
already heightened level of security practiced by this unique branch of 
hazardous materials transporters.'' (Ohio Petroleum Marketers 
Association) In support of this request, the commenter cites 
regulations such as State fire codes, workers compensation laws, and 
Federal transportation safety laws ``that reduce the potential for 
certain hazardous materials to be targets for terrorists, and that 
maintain a high level of security awareness for hazardous materials 
employees.'' Again, we disagree. The regulations cited by the commenter 
are focused on safety, not security. Products transported by petroleum 
marketers, such as fuel oil and motor fuel, can potentially be used as 
weapons of opportunity or can be combined with other materials to 
construct weapons of mass destruction. Indeed, trucks loaded with 
petroleum products have been used in terrorist attacks on at least two 
occasions in recent months overseas. In addition, on June 21, 2002, the 
Federal Bureau of Investigation disclosed that it had information that 
terrorists using fuel tanker trucks might try to attack fuel depots or 
Jewish schools or synagogues. The warning was based on interviews with 
captured al Qaeda fighters and other sources. Therefore, we reject the 
requested exceptions.
    A number of commenters note that, as drafted, the NPRM suggests 
that the proposed security plan requirements apply to every shipment 
offered for transportation or transported in commerce by a person 
required to register by subpart G of part 107. For example, one 
commenter says, ``A corporation subject to the hazmat registration 
requirements may easily have more than one facility--some of which 
might perform operations that would benefit from a security plan, 
others of which might not. It would be patently unreasonable to require 
each facility operated by the same corporation subject to hazmat 
registration requirements * * * develop and implement a security plan 
regardless of whether the particular facility transports hazardous 
materials

[[Page 14515]]

subject to those requirements.'' (Utility Solid Waste Activities Group) 
We agree. Our intention in the NPRM was for those shipments that are 
listed as triggering the registration requirements in subpart G of part 
107 to be subject to security plan requirements, not for every shipment 
transported by a registered entity or every facility operated by a 
registered entity. This final rule clarifies that persons who offer for 
transportation or transport any of the materials listed in subpart G of 
part 107 or a select agent or toxin regulated by CDC must develop and 
adhere to security plans applicable to the listed materials.
    The NPRM proposed that a security plan address the security of 
shipments stored incidental to movement in transportation. Several 
commenters are concerned about the applicability of the security plan 
requirement to persons that do not offer or transport hazardous 
materials in commerce, but who may operate facilities at which 
hazardous materials are stored during transportation. One commenter 
notes that ``[i]n many situations, HAZMAT are delivered to or through 
facilities operated by entities that are not subject to the security 
plan requirements because they may not be legally required to 
register.'' (Dangerous Goods Advisory Council) We agree that the final 
rule should clarify responsibility for security plans applicable to 
hazardous materials stored incidental to movement in transportation. 
Generally, these hazardous materials will be stored at a shipper or 
carrier-owned or -operated facilities, and the shipper or carrier will 
be responsible for developing a security plan. In this final rule, the 
requirement for developing and adhering to a security plan applies to 
persons who offer for transportation or transport hazardous materials 
in commerce, including loading, unloading, or storage operations 
incidental to the movement of hazardous materials in commerce.
    Another commenter proposes that we adopt a definition for ``storage 
incidental to movement'' to distinguish storage that is part of 
transportation, and therefore subject to security plan requirements, 
from storage that is not part of transportation. For purposes of this 
final rule, storage incidental to movement of a hazardous material in 
commerce is storage that takes place between the time that a hazardous 
material is offered for transportation to a carrier and the time it 
reaches its destination. This definition is consistent with long-
standing administrative determinations and letters of interpretation 
concerning the applicability of the HMR to materials stored incidental 
to their movement in commerce. We note in this regard that this agency 
is currently engaged in a rulemaking to clarify the applicability of 
the HMR to specific functions and activities, including storage of 
hazardous materials during transportation (HM-223; RSPA-98-4952). The 
NPRM issued under HM-223 proposed to define ``storage incidental to 
movement'' to mean ``storage of a transport vehicle, freight container, 
or package containing a hazardous material between the time that a 
carrier takes physical possession of the hazardous material for the 
purpose of transporting it until the package containing the hazardous 
material is delivered to the destination indicated on a shipping 
document, package marking, or other medium, or, in the case of a 
private motor carrier, between the time that a motor vehicle driver 
takes physical possession of the hazardous material for the purpose of 
transporting it until the driver relinquishes possession of the package 
containing the hazardous material at its destination and is no longer 
responsible for performing functions subject to the HMR.'' We are 
currently in the process of evaluating comments to the HM-223 NPRM. If 
a final rule issued under docket HM-223 revises the definition of 
``storage incidental to movement'' in a way that affects the 
applicability to such storage of the security plan requirements in this 
final rule, we will address such revision, including its implications 
for security plans and any transition time necessary to implement 
changes, in the HM-223 final rule.
    Most commenters support ``the flexibility RSPA provides in [the] 
proposal to regulated entities in how they go about meeting [the 
security plan] requirement.'' (National Association of Chemical 
Distributors) These commenters agree that ``the regulated community 
needs the flexibility to select those elements [of a security plan] 
that are consistent with their methods of operation.'' (Independent 
Fuel Terminal Operators Association) Other commenters, however, are 
concerned that the elements suggested in the NPRM for possible 
inclusion in a security plan are ``extremely general. In fact, they are 
so general as to be either unenforceable, or worse, subject to widely 
varying interpretations by field inspectors and adjudicators. The 
security plans and codes that have been developed by industry and are 
being further refined at the current time are far more specific and 
useful in addressing the security issues facing the various hazardous 
materials moving in commerce. If it is RSPA's purpose simply to require 
security plans for transporters and offerors without specifying the 
nature or content of those plans, [we] have no objection. If on the 
other hand, RSPA intends to somehow oversee the substance of such 
plans, the proposed requirements are too vague to be enforced.'' (The 
Chlorine Institute) Similarly, other commenters do not agree with the 
NPRM approach to list non-mandatory items in the regulatory text for 
security plans, such as the specific elements listed in the NPRM for 
possible inclusion in a security plan to address en route shipment 
security issues. These commenters suggest that recommendations should 
not be made part of regulatory text because of enforcement and 
liability concerns. Additionally, commenters are concerned that 
establishing specific requirements for security plans could be counter-
productive. One commenter cites as an example the proposal in the NPRM 
that a security plan must include a process to verify information 
provided by job applicants. ``While a natural temptation would be to 
specify exactly the kind of checks to be applied, doing so would merely 
lay out a road map for the potential terrorist seeking employment with 
a carrier. If a check of X, Y, and Z is required, the terrorist 
organization will select operatives who can pass a check of X, Y, and 
Z, but perhaps not A or B. The essence of security is 
unpredictability--concept in conflict with regulatory precision.'' (CSX 
Transportation)
    We carefully considered the comments offered concerning the 
security plan requirements proposed in the NPRM. We continue to believe 
that, if it is to be effective, a regulation mandating development and 
implementation of a security plan must provide sufficient flexibility 
so that a shipper or carrier can adapt its requirements to individual 
circumstances. Thus, the requirement for a security plan adopted in 
this final rule sets forth general requirements for a security plan's 
components rather than a prescriptive list of specific items that must 
be included. In this final rule, the proposed security plan 
requirements are modified as follows:
    Applicability. The security plan requirement applies to persons who 
offer for transportation or transport in commerce one or more of the 
hazardous materials listed in subpart G of 49 CFR part 107 or a select 
agent or toxin regulated by CDC. The security plan requirement also 
applies to persons who operate facilities at which one or more

[[Page 14516]]

of the hazardous materials listed in subpart G of 49 CFR part 107 or 
select agent or toxin regulated by CDC is stored incidental to the 
movement of the hazardous material(s) in commerce. As indicated above, 
for purposes of this final rule, ``storage incidental to movement'' is 
storage that takes place between the time that a hazardous material is 
offered for transportation to a carrier and the time it reaches its 
destination. The security plan requirement applies only to shipments of 
the specified hazardous materials and to facilities at which the 
specified hazardous materials are prepared for transportation or stored 
during transportation.
    Security plan components. A security plan must address risks 
related to the transportation of hazardous materials in commerce. Thus, 
this final rule requires persons subject to the security plan 
requirement to perform an assessment of the transportation security 
risks associated with the materials they handle. As we stated in the 
preamble to the NPRM, we have developed a security template to 
illustrate how risk management methodology can be used to identify 
points in the transportation process where security procedures should 
be enhanced within the context of an overall risk management strategy. 
The security template is posted on our website at http://hazmat.dot.gov/rmsef.htm. Other risk assessment tools are equally 
valid, however. This final rule does not require persons subject to the 
security plan requirement to use a specific risk assessment tool to 
meet the risk assessment requirement.
    Using risk assessment methodology, a company will select an 
appropriate level of detail for its security plan based on the assessed 
risks identified for such material or materials. Factors that may be 
considered are the type or types of materials transported, the quantity 
of material transported, the area from or to which the material is 
shipped, and the mode of transportation used.
    A security plan must include a method or methods for confirming 
information provided by applicants for jobs that involve access to or 
handling of the hazardous materials covered by the plan. In response to 
commenters' concerns, we revised this aspect of the security plan to 
substitute the term ``confirm'' for the term ``verify.'' Commenters are 
concerned that the standard implied by the term ``verify'' may be 
impossible to meet. In addition, this final rule requires employers to 
confirm information provided by job applicants who are hired to perform 
jobs that involve access to or handling of the hazardous materials 
covered by the plan. Read literally, the NPRM language would have 
required employers to confirm information provided by all job 
applicants.
    Also in response to commenters, we have added language to indicate 
those persons to whom the requirement applies. Some commenters suggest 
that we should specify that the requirement applies to hazmat 
employees, as defined in Sec.  171.8 of the HMR. We do not believe that 
this is necessary, although an employer may decide to include all 
hazmat employees. The requirement in this final rule is limited to 
applicants for hazmat employee positions that involve access to or 
handling of the hazardous materials covered by the security plan. We do 
not believe it necessary to include persons whose sole responsibility 
is preparing shipping documentation, for example, nor do we believe it 
necessary to include persons who manufacture, maintain, or requalify 
packagings.
    We do not expect companies to confirm all of the information that a 
job applicant may provide as part of the application process. However, 
employers should make an effort to check information related to an 
applicant's recent employment history, references, and citizenship 
status. In short, we expect companies to take reasonable and prudent 
measures to address personnel security issues. In response to 
commenters, in this final rule we added a requirement that efforts to 
confirm information provided by job applicants must be consistent with 
applicable Federal and State laws concerning employment practices and 
individual privacy.
    A security plan must also include methods to address the 
possibility that unauthorized persons may attempt to gain access to 
hazardous materials or transport vehicles being prepared for 
transportation. Some commenters suggest that we include a definition of 
``unauthorized persons'' in this final rule. The term ``unauthorized 
persons'' as used in this final rule includes persons who are not 
employed by the company or members of the general public, unless such 
persons are specifically authorized by the company to have access to 
hazardous materials or transport vehicles being prepared for 
transportation. Beyond these persons, however, each entity to whom the 
security plan requirement applies will need to define the universe of 
unauthorized persons to account for the nature of the facility and the 
type of activity that takes place there. An unauthorized person is any 
person who is not authorized by the shipper or carrier to have access 
to hazardous materials or transport conveyances being prepared for 
transportation.
    The third element of a security plan is a method or methods to 
address en route security risks. As noted above, commenters express a 
number of concerns about this provision of the NPRM. Many commenters 
address the shared responsibility of shippers and carriers for reducing 
security risks related to the transportation of hazardous materials in 
commerce. In particular, some commenters suggest that 
``[r]esponsibility for the security of a shipment in transit should in 
the final analysis rest with the transporter. The shipper does not 
ultimately determine the routes for movement of cargo or the locations 
for incidental stops or storage. This responsibility appropriately 
rests with the carrier.'' (Boeing Company) Other commenters agree that 
en route security should primarily be the responsibility of the 
carrier. ``[T]o a great extent, shippers must rely on the carriers to 
generate en route security plans. This may mean that in some cases 
there would be two separate plans instead of a joint shipper and 
carrier plan. * * * [We] believe that shippers and carriers should have 
the flexibility to determine the best way to address en route 
security.'' (American Chemistry Council) Other commenters suggest that 
the proposal places ``too much emphasis on the shipper and recipient, 
and effectively absolves the transporter of responsibility for 
security. The carrier has control of the HM for the majority of any 
shipment, and should also bear the responsibility for ensuring an 
adequate safety plan and implementation of same.'' (CF Industries)
    We agree that a hazardous materials transporter's security plan 
will address en route security issues in some detail. However, we do 
not agree that shippers need not address this aspect of transportation 
security. As one commenter suggests, ``[C]arrier `security plans' must 
involve considerable input from the shipper community. It is the 
shipper who has best access to information relative to the hazardous 
properties of the commodity. It is the shipper who controls: Carrier 
selection and order entry; loading; time and method of dispatch; and, 
destination.'' (National Tank Truck Carriers) At the same time, we 
recognize that ``the carrier has the best information relative to the 
route taken and the security along that route. This includes driving 
time, route deviations, and rest stop selection.'' (American Chemistry 
Council) We expect shippers to work with carriers to address en route 
security risks of the materials covered

[[Page 14517]]

by their security plans. In some cases, a shipper and carrier may have 
a joint plan; in others, a shipper and carrier may have two separate 
security plans. This final rule provides shippers and carriers with the 
flexibility necessary to determine the best methods for addressing en 
route security issues.
    A number of commenters object to the NPRM language that a security 
plan should include a system for verifying that a carrier has an on-
going transportation security program. ``In effect, this aspect of the 
proposal would require that customers of carriers take an active role 
in ensuring that carriers are in compliance with the security plan 
requirements proposed by RSPA. In effect, RSPA is deputizing offerors 
of hazmat to police their carrier's compliance efforts.'' 
(International Sanitary Supply Association) We are not requiring 
shippers to compel compliance by carriers. At a minimum, however, a 
shipper should satisfy itself that the carrier that will be 
transporting its material has a security plan in place that adequately 
addresses the assessed security risks of the material to be 
transported, including risks related to storage of the material during 
transportation.
    Relationship to other requirements. The NPRM included a provision 
permitting security plans that conform to regulations of other Federal 
or international agencies to be used to satisfy the requirement 
proposed for the HMR. All commenters support this provision. Several 
suggest that we specify that plans that conform to requirements of the 
Department of Defense or the Nuclear Regulatory Commission are 
acceptable. We do not think it is necessary to specifically list in the 
regulation Federal or international agencies that have now or may in 
the future impose security plan requirements on persons who handle 
hazardous materials. A security plan that conforms to regulations 
issued by any other Federal agency is acceptable, so long as it 
includes the requirements for security plans in this final rule. Other 
commenters request that we include plans developed by industry 
associations, such as the American Chemistry Council or the Association 
of American Railroads. Certainly, we expect that many companies will 
develop security plans using guidance and recommendations developed by 
the industry. In fact, we encourage companies to take advantage of 
existing guidance, model security plans, and the like when developing 
security plans tailored to their own operations. This includes 
industry-developed protocols or guidelines and recommendations issued 
by other Federal or international agencies. This provision is modified 
in this final rule to clarify that regulations, protocols, guidelines, 
or standards developed by other Federal agencies, international 
organizations, or industry are acceptable, provided such regulations or 
guidelines address the specific security vulnerabilities of the 
company.
    We note in this regard that, while a security plan developed in 
conformance with regulations issued by another Federal agency may 
suffice to meet the requirements of this final rule, the reverse is not 
necessarily true. For example, air cargo security requirements 
promulgated by TSA are more stringent than the security requirements in 
this final rule. Similarly, requirements promulgated by NRC to address 
the transportation security of radioactive materials may be more 
stringent than the requirements in this final rule. Shippers and 
carriers should be aware that they may be subject to additional, more 
stringent security requirements promulgated by other Federal agencies, 
depending on the materials they transport and the mode of 
transportation.
    Availability to the public. Several commenters express concern 
about the possibility that security plans may become publicly 
available. ``It is critical that carrier and shipper plans remain 
confidential; not subject to public disclosure and Freedom of 
Information Act requests.'' (CSX Transportation) Commenters are 
particularly concerned about plans that may be obtained by enforcement 
personnel during a compliance inspection.
    Generally, RSPA will not collect or retain security plans. With 
regard to security plans, our enforcement focus during the compliance 
inspection is to ensure that companies have developed a security plan. 
Inspectors will review the existing plan on site and generally will not 
take copies with them or require companies to submit security plans.
    In the rare instance that RSPA enforcement personnel identify a 
need to collect a copy of a security plan, or if a company voluntarily 
submits a copy of its security plan, we will analyze all applicable 
laws and Freedom of Information Act exemptions to determine whether the 
information or portions of information in the security plan can be 
withheld from release. Prior to submission of a security plan to DOT in 
these unusual instances, companies should follow the procedures 
described in 49 CFR 105.30 for requesting confidentiality. Under those 
procedures, a company should identify and mark the information it 
believes is confidential and explain why. We will then determine 
whether the information may be released or protected under the law.
    Timing of implementation. Commenters are concerned that the final 
rule provide sufficient time for development and implementation of 
security plans. The NPRM did not specify a transition period. We agree 
that a transition period is necessary. Therefore, in this final rule, 
we provide persons subject to the security plan requirement 6 months 
from the effective date of the final rule to develop and implement 
security plans.

G. Training

    The HMR currently require hazmat employees to be trained so they 
are: (1) Familiar with the general provisions of the HMR and can 
recognize and identify hazardous materials; (2) knowledgeable about 
specific HMR requirements applicable to functions performed; and (3) 
knowledgeable about emergency response information, self-protection 
measures, and accident prevention methods. A hazmat employee is one who 
directly affects hazardous materials transportation safety (Sec.  
171.8). Hazmat employers must ensure that their hazmat employees are 
trained. For new employees, training must be completed within 90 days 
after employment or a change in job function. All hazmat employees must 
receive recurrent training every three years.
    The safety training provided by hazmat employers may include the 
physical security of hazardous materials and ways to prevent vandalism 
and theft. However, such training may not be adequate to meet current 
threats. Because many hazardous materials transported in commerce may 
potentially be used as weapons of mass destruction or weapons of 
convenience, it is critical to the assurance of public safety that 
training for persons who offer and transport hazardous materials in 
commerce include a security component. Therefore, in the May 2, 2002 
NPRM, we proposed to add a provision to Sec.  172.704 to require the 
training of each hazmat employee to include a security component. We 
proposed that hazmat employees of persons required to have a security 
plan must be trained in the plan's specifics. In addition, we proposed 
that all hazmat employees must receive training that provides an 
awareness of the security issues associated with hazardous materials 
transportation and possible methods to enhance transportation security. 
As proposed in the NPRM, all hazmat employees would be required to

[[Page 14518]]

be trained within three months of issuance of a final rule.
    Commenters generally support the proposal to require hazmat 
employee training to include a security component. However, commenters 
suggest that three months is not sufficient to implement and conduct 
training programs, particularly for hazmat employees of companies 
subject to the requirement for security plans. ARequiring security 
training for each hazmat employee within three months of the final rule 
effective date will be very difficult to implement. Once the 
requirements are published by DOT, companies will then be able to 
finalize development of their security training by combining components 
of the final rule with other requirement[s] of the hazmat employer's 
circumstances. Subsequently, training must be approved, disseminated 
within the company, trainers educated on the module's requirements, and 
hazmat employees scheduled for training.'' (Air Products) Some 
commenters suggest that security training should be required on a 
schedule consistent with current 3-year training cycles for hazmat 
employees. Others request implementation periods ranging from 6 months 
to one year.
    We do not agree with commenters that development and implementation 
of transportation security awareness training will require a lengthy 
period for development and implementation. As we stated in the NPRM, to 
assist hazmat employers to meet any new security training requirements, 
we are developing a Hazardous Materials Transportation Security 
Awareness Training Module directed at law enforcement, industry, and 
hazmat personnel. Imminently, this training module will be available 
for distribution and use, free of charge. The module takes one hour to 
complete. This training module or similar training programs that may be 
developed by commercial vendors or hazmat employers will be sufficient 
to meet the security awareness training requirement in this final rule. 
However, we are sympathetic to the industry's concerns about the time 
required to complete training for all affected hazmat employees. 
Therefore, this final rule permits hazmat employers to provide security 
awareness training on the same 3-year schedule as other types of 
required hazmat training; thus, security awareness training must be 
provided an at employee's next scheduled retraining at or within the 3-
year training cycle. However, we strongly encourage hazmat employers to 
provide security awareness training to hazmat employees on an 
accelerated schedule wherever possible.
    We agree with commenters that 3 months from the effective date of a 
final rule does not provide sufficient time for training of hazmat 
employees by hazmat employers who are subject to the new requirement 
for security plans. However, once a security plan is implemented, we 
believe that employee training about its provisions should be completed 
no later than 3 months after the plan's implementation. Therefore, in 
this final rule, we are providing up to 9 months (6 months to develop 
and implement a security plan plus 3 months to train employees) for 
completion of training for these hazmat employees. As with the new 
requirement for security awareness training, it is not necessary to 
test or retain records concerning this new security plan training 
requirement until an employee's next scheduled retraining at or within 
the 3-year training cycle.

III. Regulatory Analyses and Notices

A. Executive Order 12866 and DOT Regulatory Policies and Procedures

    This final rule is a significant regulatory action under Executive 
Order 12866 and the regulatory policies and procedures of the 
Department of Transportation (44 FR 11034) because of substantial 
public interest. The Office of Management and Budget reviewed this 
final rule.
    Compliance costs resulting from this final rule are associated with 
the new requirements for certain shippers and carriers to implement 
security plans and for hazmat employee training to include a security 
component. An analysis of the costs and benefits of this final rule is 
included in the rulemaking docket. The cost-benefit analysis also 
addresses comments we received on the estimates included in the May 2, 
2002 NPRM.
    Costs. We estimate that companies subject to the security plan 
requirement in this final rule will incur first-year compliance costs 
totaling about $54.3 million to develop and implement security plans 
and subsequent-year costs totaling about $11 million/year for annual 
updates to the plans. Each security plan will be unique; thus, it is 
difficult to develop cost estimates for the measures that companies may 
implement to enhance hazardous materials transportation security. 
Ultimately, we expect each company to make reasonable decisions on 
measures it can take to improve security. Because companies will set 
security priorities and factor costs into their decisions, we believe 
the measures they choose will be cost-effective. Accordingly, we have 
not attempted separately to cost out or justify these actions as part 
of this rulemaking.
    For the security training mandated in this final rule, we estimate 
that companies will incur first-year compliance costs totaling about 
$34 million, with subsequent-year costs totaling about $18 million/year 
for recurrent training.
    Benefits. Safety benefits of regulatory changes frequently can be 
estimated with some degree of precision. Incident and accident history 
often provide a basis for estimating fatality, injury, property damage, 
environmental damage, and similar costs to society that can be avoided 
by the implementation of new requirements. Models can even estimate the 
costs to society of high consequence, low probability accidents. 
Benefit estimates can then be balanced against the estimated costs of 
new requirements to determine whether the changes are justified.
    Estimating the security benefits of new requirements is much more 
challenging. Accident causation probabilities, based on previous 
accident histories and analysis, can be estimated in a way that the 
chances of a criminal or terrorist act cannot. Indeed, the threat of 
attack is virtually impossible to assess from a quantitative 
standpoint. That hazardous materials in transportation are a possible 
target of terrorism or sabotage is undeniable; the probability that 
hazardous materials in transportation will be targeted is, at best, a 
guess. Similarly, the projected outcome of a terrorist attack cannot be 
precisely estimated. Given a decision to attack the system, one must 
assume that choices will be made to maximize consequences and damage.
    It is possible to envision scenarios where hazardous materials in 
transportation could be used to inflict hundreds or even thousands of 
fatalities. Direct costs and those attributable to transportation 
system disruption that would surely result could easily total in the 
billions of dollars. We are operating under the premise that, in 
today's environment, it is necessary to take reasonable measures to 
reduce the likelihood that such events will be successful. The presence 
of such measures should, in fact, help deter potential attacks. The 
provisions we are adopting have been crafted with this in mind.
    If the measures adopted by this rule have the potential of reducing 
the likelihood of success of such an attack, we believe they are 
worthwhile. Moreover, the American public has an expectation that 
reasonable measures will be taken to help ensure the security

[[Page 14519]]

of chemicals and substances present in our society so that they are not 
used for nefarious purposes. We believe many, if not most, companies 
are taking or have already taken steps to develop systematic security 
plans and security awareness training. These requirements will help 
ensure a consistent approach in the area while permitting flexibilities 
that are important in keeping costs at reasonable levels.
    In the end, when security measures are evaluated, an element of 
judgment is required to determine whether the costs of the measures are 
justified by the benefits that will accrue. We believe that the 
relatively small costs imposed on individual companies by the new 
security requirements in this final rule are more than offset by the 
potential benefits if there is a finite chance that these measures 
might avert a successful attack. The new requirements are not onerous. 
They are prudent, common-sense security measures that are in line with 
public expectations about the need to take action to protect hazardous 
materials shipments from terrorist acts.

B. Regulatory Flexibility Act

    The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) requires an 
agency to review regulations to assess their impact on small entities 
unless the agency determines that a rule is not expected to have a 
significant impact on a substantial number of small entities. A 
complete analysis of the small business impacts of this final rule is 
available in the rulemaking docket. I hereby certify that, while the 
requirements in this final rule apply to a substantial number of small 
entities, there will not be a significant economic impact on those 
small entities.

C. Executive Order 13132

    This final rule has been analyzed in accordance with the principles 
and criteria contained in Executive Order 13132 (``Federalism''). This 
final rule preempts State, local, and Indian tribe requirements but 
does not impose any regulation with substantial direct effects on the 
States, the relationship between the National government and the 
States, or the distribution of power and responsibilities among the 
various levels of government. Therefore, the consultation and funding 
requirements of Executive Order 13132 do not apply.
    In the NPRM, we invited comments on whether, and to what extent, 
State or local governments or Indian tribes should be permitted to 
impose similar additional requirements to those proposed in the NPRM. 
Commenters who address this issue unanimously agree that State, local, 
or tribal governments should not be permitted to impose hazardous 
materials transportation security requirements that differ from or are 
in addition to those adopted in this final rule. We agree. Therefore, 
in the absence of a waiver of preemption by the Secretary under 49 
U.S.C. 5125(e) or unless it is authorized by another Federal law, a 
hazardous materials transportation security requirement of a State, 
political subdivision of a State, or Indian tribe is explicitly 
preempted if: (1) Complying with a requirement of the State, political 
subdivision or Indian tribe and a requirement of this chapter or a 
regulation issued under this chapter is not possible; or (2) the 
requirement of the State, political subdivision, or Indian tribe, as 
applied or enforced, is an obstacle to accomplishing and carrying out 
this chapter or a regulation prescribed under this chapter.

D. Executive Order 13175

    This final rule has been analyzed in accordance with the principles 
and criteria contained in Executive Order 13175 (``Consultation and 
Coordination with Indian Tribal Governments''). Because this final rule 
does not significantly or uniquely affect the communities of the Indian 
tribal governments and does not impose substantial direct compliance 
costs, the funding and consultation requirements of Executive Order 
13175 do not apply.

E. Unfunded Mandates Reform Act of 1995

    This final rule does not impose unfunded mandates under the 
Unfunded Mandates Reform Act of 1995. It does not result in annual 
costs of $100 million or more, in the aggregate, to any of the 
following: State, local, or Indian tribal governments, or the private 
sector. This rule is the least burdensome alternative to achieve the 
objective of the rule.

F. Paperwork Reduction Act

    We submitted the information collection and recordkeeping 
requirements contained in this final rule to the Office of Management 
and Budget (OMB) for approval under the provisions of the Paperwork 
Reduction Act of 1995, section 1320.8(d). Title 5, Code of Federal 
Regulations requires us to provide interested members of the public and 
affected agencies an opportunity to comment on information collection 
and recordkeeping requests. Under the Paperwork Reduction Act, no 
person is required to respond to an information collection unless it 
has been approved by OMB and displays a valid OMB control number.
    The May 2, 2002, NPRM included the following estimate for the 
information and recordkeeping burden resulting from the development and 
maintenance of security plans:
Hazardous Materials Security Plans
OMB No. 2137-xxxx
First Year Burden:
    Total Annual Number of Respondents: 44,000.
    Total Annual Responses: 44,000.
    Total Annual Burden Hours: 880,000.
    Total Annual Burden Cost: $26,400,000.
Subsequent Year Burden:
    Total Annual Number of Respondents: 44,200.
    Total Annual Responses: 44,200.
    Total Annual Burden Hours: 48,000.
    Total Annual Burden Cost: $1,440,000.

    In the NPRM, we estimated that most companies would require about 
20 hours to develop and implement a security plan conforming to the new 
regulatory requirements. This estimate was based on our understanding, 
confirmed by commenters to the NPRM, that many industry groups have 
developed guidance and model security plans for use by their members. 
Further, to assist persons to perform the risk management analysis 
required by this final rule, we designed a security template for the 
Risk Management Self-Evaluation Framework (RMSEF), developed to assist 
regulators, shippers, carriers, and emergency response personnel to 
examine their operations and consider how they assess and manage risk. 
The security template illustrates how risk management methodology can 
be used to identify points in the transportation process where security 
procedures should be enhanced within the context of an overall risk 
management strategy. Because of the widespread availability of tools to 
assist persons to develop and implement security plans, we concluded 
that the cost to an individual company to comply with the security plan 
requirement would average about $600 per affected entity.
    Commenters who address security plan costs disagree with our 
conclusion. For example, one commenter estimates that, ``[f]or the 6000 
(15% of the total registrants) large HAZMAT registrants, [we] estimate 
that it will take a minimum of 200 hours to develop a comprehensive 
security plan (estimated cost for the 6000 registrants: $100 per hour x 
200 hours = $120 million).'' (Dangerous Goods Advisory Council) Other 
commenters offered similar cost estimates.

[[Page 14520]]

    As commenters themselves point out, a number of industry 
associations have developed guidelines and model security plans that 
can be readily adapted to meet a company=s individual circumstances, 
thereby reducing individual company costs. Indeed, on June 5, 2002, the 
American Chemistry Council (ACC) made enhanced security activities 
mandatory for its members, to help assure the public that all member 
facilities are involved in making their neighbors and America more 
secure. The ACC Board approved a new Security Code under Responsible 
Care [reg], the industry's initiative for improving performance, that 
consists of increased specific commitments to further safeguard 
chemical operations from potential terrorist attacks. The Security Code 
includes measures to enhance chemical transportation security. Over 200 
chemical companies are ACC members; in addition, nearly 40 industry 
associations are Responsible Care [reg] Partner Associations.
    Further, the Association of American Railroads has developed a 
``comprehensive Terrorism Risk Analysis and Security Management Plan. 
The industry formed a security task force * * * Outside consultants 
with expertise in intelligence and counter-terrorism were retained to 
provide advice on best practices. * * * The task force undertook a 
comprehensive risk analysis which identified critical assets, 
vulnerabilities, and threats, and assessed the overall risk to people, 
national security, and the nation's economy. The task force then 
proceeded to identify over fifty countermeasures. The Terrorism Risk 
Analysis and Security Management Plan * * * is now in effect. * * *'' 
The Association of American Railroads includes 14 Class I railroads and 
10 non-Class I railroads.
    Many companies will not need to perform sophisticated analyses or 
develop complicated security plans in order to comply with the new 
requirement. Companies that only occasionally transport one of the 
hazardous materials to which the security plan requirement applies may 
be able to utilize one of the off-the-shelf security manuals now being 
marketed by several vendors. These manuals include information and 
guidelines that assist companies to identify and address areas of 
concern, including concerns related to personnel safety and security, 
site security, en route security, and training. One such security 
manual sells for $165, with regular updates available under an annual 
subscription costing about $80.
    Because there is such a wealth of information and assistance 
available to companies subject to the security plan requirements of 
this final rule, we do not agree with commenters who suggest that our 
cost estimate for developing hazardous materials transportation 
security plans in the May 2 NPRM was ``greatly under-estimated.'' 
Actual per-company costs will vary, depending on the nature of the 
materials transported and the size and complexity of a company's 
operations. We estimate that the time necessary to develop a security 
plan will range between our initial estimate of 20 hours per company 
and the industry estimate of 200 hours per company. For purposes of 
this analysis, we believe that, on average, a large company, using 
information available from RSPA, industry associations, or vendors, 
will require about 50 hours to develop a security plan that meets the 
requirements of this final rule. A smaller company, on average, will 
require about 25 hours to develop a security plan that meets the 
requirements of this final rule. Using Bureau of Labor Statistics 
information on employee compensation (March 2001), we estimate that the 
cost per hour of developing a security plan is $45.00 (one professional 
plus one administrative support staff). Thus, for the large companies 
subject to the security plan requirements of this final rule, we 
estimate that the costs to develop a security plan will total 
$14,512,500 (6,450 large entities x 50 hours/entity x $45/hour) or 
$2,250 per entity. For the small companies subject to the security plan 
requirements of this final rule, we estimate that the costs to develop 
a security plan will total $41,118,750 (36,550 small entities x 25 
hours/entity x $45/hour) or $1,125 per entity.
    This final rule requires companies to update security plans as 
necessary to account for changing circumstances. We expect that most 
companies will update their security plans at least once a year. We 
estimate the hours required to update a security plan will average 10 
hours for a large company and 5 hours for a small entity. Thus, for 
large companies, we estimate the costs to update a security plan will 
total $2,902,500/year (6,450 large entities x 10 hours/entity x $45/
hour), or $450 per entity. For small companies, we estimate the costs 
to update a security plan will total $8,223,650/year (36,550 small 
entities x 5 hours/entity x $45/hour), or $225 per entity.
    Our revised estimate of the information collection and 
recordkeeping burden related to the security plan requirements in this 
final rule is shown below. This new information collection, ``Hazardous 
Materials Security Plans'', will be assigned an OMB control number 
after review and approval by OMB. We estimate that the new total 
information collection and recordkeeping burden resulting from the 
development and maintenance of security plans under this rule is as 
follows.
Hazardous Materials Security Plans
OMB No. 2137-xxxx
First Year Annual Burden:
    Total Annual Number of Respondents: 42,000.
    Total Annual Responses: 42,000.
    Total Annual Burden Hours: 1,207,500.
    Total Annual Burden Cost: $54,337,500.
Subsequent Year Burden:
    Total Annual Number of Respondents: 42,200.
    Total Annual Responses: 42,200.
    Total Annual Burden Hours: 247,250.
    Total Annual Burden Cost: $11,126,250.
    Requests for a copy of this information collection should be 
directed to Deborah Boothe, Office of Hazardous Materials Standards 
(DHM-10), Research and Special Programs Administration, Room 8422, 400 
Seventh Street, SW., Washington, DC 20590-0001. Telephone (202) 366-
8553. We will publish a notice advising interested parties of the OMB 
control number for this information collection when assigned by OMB.

G. Regulation Identifier Number (RIN)

    A regulation identifier number (RIN) is assigned to each regulatory 
action listed in the Unified Agenda of Federal Regulations. The 
Regulatory Information Service Center publishes the Unified Agenda in 
April and October of each year. The RIN contained in the heading of 
this document can be used to cross-reference this action with the 
Unified Agenda.

H. Environmental Assessment

    There are no significant environmental impacts associated with this 
final rule. An environmental assessment is available in the docket for 
this rulemaking.

List of Subjects in 49 CFR Part 172

    Hazardous materials transportation, Hazardous waste, Labeling, 
Packaging and containers, Reporting and recordkeeping requirements.

    In consideration of the foregoing, we are amending title 49, 
chapter I, subchapter C, as follows:

[[Page 14521]]

PART 172--HAZARDOUS MATERIALS TABLE, SPECIAL PROVISIONS, HAZARDOUS 
MATERIALS COMMUNICATIONS, EMERGENCY RESPONSE INFORMATION, AND 
TRAINING REQUIREMENTS

    1. The authority citation for part 172 continues to read as 
follows:

    Authority: 49 U.S.C. 5101-5127; 49 CFR 1.53.

    2. In Sec.  172.704, paragraph (a) introductory text is revised, 
paragraphs (a)(4) and (a)(5) are added, and paragraph (b) is revised to 
read as follows:


Sec.  172.704  Training requirements.

    (a) Hazmat employee training must include the following:
* * * * *
    (4) Security awareness training. No later than the date of the 
first scheduled recurrent training after March 25, 2003, and in no case 
later than March 24, 2006, each hazmat employee must receive training 
that provides an awareness of security risks associated with hazardous 
materials transportation and methods designed to enhance transportation 
security. This training must also include a component covering how to 
recognize and respond to possible security threats. After March 25, 
2003, new hazmat employees must receive the security awareness training 
required by this paragraph within 90 days after employment.
    (5) In-depth security training. By December 22, 2003, each hazmat 
employee of a person required to have a security plan in accordance 
with subpart I of this part must be trained concerning the security 
plan and its implementation. Security training must include company 
security objectives, specific security procedures, employee 
responsibilities, actions to take in the event of a security breach, 
and the organizational security structure.
    (b) OSHA, EPA, and other training. Training conducted by employers 
to comply with the hazard communication programs required by the 
Occupational Safety and Health Administration of the Department of 
Labor (29 CFR 1910.120 or 1910.1200) or the Environmental Protection 
Agency (40 CFR 311.1), or training conducted by employers to comply 
with security training programs required by other Federal or 
international agencies, may be used to satisfy the training 
requirements in paragraph (a) of this section to the extent that such 
training addresses the training components specified in paragraph (a) 
of this section.
* * * * *

    3. Subpart I is added to read as follows:

Subpart I--Security Plans

Sec.
172.800 Purpose and applicability.
172.802 Components of a security plan.
172.804 Relationship to other Federal requirements.


172.800  Purpose and applicability.

    (a) Purpose. This subpart prescribes requirements for development 
and implementation of plans to address security risks related to the 
transportation of hazardous materials in commerce.
    (b) Applicability. By September 25, 2003, each person who offers 
for transportation in commerce or transports in commerce one or more of 
the following hazardous materials must develop and adhere to a security 
plan for hazardous materials that conforms to the requirements of this 
subpart:
    (1) A highway route-controlled quantity of a Class 7 (radioactive) 
material, as defined in Sec.  173.403 of this subchapter, in a motor 
vehicle, rail car, or freight container;
    (2) More than 25 kg (55 pounds) of a Division 1.1, 1.2, or 1.3 
(explosive) material in a motor vehicle, rail car, or freight 
container;
    (3) More than one L (1.06 qt) per package of a material poisonous 
by inhalation, as defined in Sec.  171.8 of this subchapter, that meets 
the criteria for Hazard Zone A, as specified in Sec. Sec.  173.116(a) 
or 173.133(a) of this subchapter;
    (4) A shipment of a quantity of hazardous materials in a bulk 
packaging having a capacity equal to or greater than 13,248 L (3,500 
gallons) for liquids or gases or more than 13.24 cubic meters (468 
cubic feet) for solids;
    (5) A shipment in other than a bulk packaging of 2,268 kg (5,000 
pounds) gross weight or more of one class of hazardous materials for 
which placarding of a vehicle, rail car, or freight container is 
required for that class under the provisions of subpart F of this part;
    (6) A select agent or toxin regulated by the Centers for Disease 
Control and Prevention under 42 CFR part 73; or
    (7) A quantity of hazardous material that requires placarding under 
the provisions of subpart F of this part.


Sec.  172.802  Components of a security plan.

    (a) The security plan must include an assessment of possible 
transportation security risks for shipments of the hazardous materials 
listed in Sec.  172.800 and appropriate measures to address the 
assessed risks. Specific measures put into place by the plan may vary 
commensurate with the level of threat at a particular time. At a 
minimum, a security plan must include the following elements:
    (1) Personnel security. Measures to confirm information provided by 
job applicants hired for positions that involve access to and handling 
of the hazardous materials covered by the security plan. Such 
confirmation system must be consistent with applicable Federal and 
State laws and requirements concerning employment practices and 
individual privacy.
    (2) Unauthorized access. Measures to address the assessed risk that 
unauthorized persons may gain access to the hazardous materials covered 
by the security plan or transport conveyances being prepared for 
transportation of the hazardous materials covered by the security plan.
    (3) En route security. Measures to address the assessed security 
risks of shipments of hazardous materials covered by the security plan 
en route from origin to destination, including shipments stored 
incidental to movement.
    (b) The security plan must be in writing and must be retained for 
as long as it remains in effect. Copies of the security plan, or 
portions thereof, must be available to the employees who are 
responsible for implementing it, consistent with personnel security 
clearance or background investigation restrictions and a demonstrated 
need to know. The security plan must be revised and updated as 
necessary to reflect changing circumstances. When the security plan is 
updated or revised, all copies of the plan must be maintained as of the 
date of the most recent revision.


Sec.  172.804  Relationship to other Federal requirements.

    To avoid unnecessary duplication of security requirements, security 
plans that conform to regulations, standards, protocols, or guidelines 
issued by other Federal agencies, international organizations, or 
industry organizations may be used to satisfy the requirements in this 
subpart, provided such security plans address the requirements 
specified in this subpart.

    Issued in Washington DC on March 19, 2003, under authority 
delegated in 49 CFR part 1.
Ellen G. Engleman,
Administrator, Research and Special Programs Administration.
[FR Doc. 03-7080 Filed 3-24-03; 8:45 am]
BILLING CODE 4910-60-P