[Federal Register Volume 81, Number 242 (Friday, December 16, 2016)]
[Proposed Rules]
[Pages 91401-91416]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-28300]
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
Transportation Security Administration
49 CFR Chapter XII
[Docket No. TSA-2016-0002]
RIN 1652-AA56
Surface Transportation Vulnerability Assessments and Security
Plans (VASP)
AGENCY: Transportation Security Administration, DHS.
ACTION: Advance notice of proposed rulemaking (ANPRM).
-----------------------------------------------------------------------
SUMMARY: The Transportation Security Administration (TSA) is issuing
this ANPRM to request public comments on several topics relevant to the
development of surface transportation vulnerability assessment and
security plan regulations mandated by the Implementing Recommendations
of the 9/11 Commission Act of 2007 (9/11 Act). Based on its regular
interaction with stakeholders, TSA assumes many higher-risk railroads
(freight and passenger), public transportation agencies, and over-the-road
buses (OTRBs) have implemented security programs with security
measures similar to those identified by the 9/11 Act's regulatory
requirements. In general, TSA is requesting information on three types
of issues. First, existing practices, standards, tools, or other
resources used or available for conducting vulnerability assessments
and developing security plans. Second, information on existing security
measures, including whether implemented voluntarily or in response to
other regulatory requirements, and the potential impact of additional
requirements on operations. Third, information on the scope/cost of
current security systems and other measures used to provide security
and mitigate vulnerabilities. This information is necessary for TSA to
establish the current baseline, estimate cost of implementing the
statutory mandate, and develop appropriate performance standards.
While TSA will review and consider all comments submitted, TSA
invites responses to a number of specific questions posed in the ANPRM.
See the Comments Invited section under SUPPLEMENTARY INFORMATION that
follows.
DATES: Submit comments by February 14, 2017.
ADDRESSES: You may submit comments, identified by the TSA docket number
to this rulemaking, to the Federal Docket Management System (FDMS), a
government-wide, electronic docket management system, using any one of
the following methods:
Electronically: You may submit comments through the Federal
eRulemaking portal at http://www.regulations.gov. Follow the online
instructions for submitting comments.
Mail, In Person, or Fax: Address, hand-deliver, or fax your written
comments to the Docket Management Facility, U.S. Department of
Transportation, 1200 New Jersey Avenue SE., West Building Ground Floor,
Room W12-140, Washington, DC 20590-0001; fax (202) 493-2251. The
Department of Transportation (DOT), which maintains and processes TSA's
official regulatory dockets, will scan the submission and post it to
FDMS.
See SUPPLEMENTARY INFORMATION for format and other information
about comment submissions.
FOR FURTHER INFORMATION CONTACT: Harry Schultz (TSA Office of Security
Policy and Industry Engagement) or Traci Klemm (TSA Office of the Chief
Counsel) at telephone (571) 227-3531 or email to
[email protected].
SUPPLEMENTARY INFORMATION:
Comments Invited
TSA invites interested persons to participate in this rulemaking by
submitting written comments, data, or views. We also invite comments
relating to the economic, environmental, energy, or federalism impacts
that might result from this rulemaking action. See ADDRESSES above for
information on where to submit comments.
With each comment, please identify the docket number at the
beginning of your comments. You may submit comments and material
electronically, in person, by mail, or fax as provided under ADDRESSES,
but please submit your comments and material by only one means. If you
submit comments by mail or delivery, submit them in an unbound format,
no larger than 8.5 by 11 inches, suitable for copying and electronic
filing.
If you would like TSA to acknowledge receipt of comments submitted
by mail, include with your comments a self-addressed, stamped postcard
on which the docket number appears. TSA will stamp the date on the
postcard and mail it to you.
TSA will file all comments to our docket address, as well as items
sent to the address or email under FOR FURTHER INFORMATION CONTACT, in
the public docket, except for comments containing confidential
information and sensitive security information (SSI).\1\ Should you
wish your personally identifiable information redacted prior to filing
in the docket, please so state. TSA will consider all comments that are
in the docket on or before the closing date for
comments and will consider comments filed late to the extent
practicable. The docket is available for public inspection before and
after the comment closing date.
---------------------------------------------------------------------------
\1\ ``Sensitive Security Information'' or ``SSI'' is information
obtained or developed in the conduct of security activities, the
disclosure of which would constitute an unwarranted invasion of
privacy, reveal trade secrets or privileged or confidential
information, or be detrimental to the security of transportation.
The protection of SSI is governed by 49 CFR part 1520.
---------------------------------------------------------------------------
Specific Questions
In general, TSA seeks comments on the broad areas outlined within
this ANPRM and approaches TSA can take to integrate existing
requirements and voluntarily initiated programs to enhance security as
intended by the statutory requirements this rulemaking will fulfill.
TSA also seeks comments on how this rulemaking could be implemented to
meet the requirements of the law in a manner that maximizes benefits
without imposing excessive, unjustified, or unnecessary costs.
Specific questions are included in this ANPRM immediately following
the discussion of the relevant issues. TSA asks that commenters provide
as much information as possible. In some areas, TSA requests very
specific information. Whenever possible, please provide citations and
copies of any relevant studies or reports on which you rely, as well as
any additional data which supports your comment. It is also helpful to
explain the basis and reasoning underlying your comment. TSA
appreciates any information provided. While complete answers are
preferable, TSA recognizes that providing detailed comments on every
question could be burdensome and will consider all comments, regardless
of whether the response is complete. Each commenting party should
include the identifying number of the specific question(s) to which it
is responding. To assist commenters, a fillable template with all of
the questions in sequential order is included in the docket. Commenters
can download the template, complete it, and then upload it to the
docket or submit a hard copy as directed under ADDRESSES.
TSA will use comments to make decisions regarding the content and
direction of the notice of proposed rulemaking (NPRM). TSA also
requests additional comments and information not addressed by these
questions that would promote an understanding of the implications of
imposing a VASP regulatory requirement. TSA does not expect that every
commenter will be able to answer every question. Please respond to
those questions you feel able to answer or that address your particular
issue.
TSA encourages responses from all interested entities, not just the
transportation sectors to which this rulemaking would apply. Each
comment filed by a party, other than public transportation agencies,
railroads, or OTRB companies, or their representatives, should explain
the commenter's interest in this rulemaking and how their comments may
assist in TSA's development of the regulation.
Handling of Confidential or Proprietary Information and SSI Submitted
in Public Comments
Do not submit comments that include trade secrets, confidential
commercial or financial information, or SSI to the public regulatory
docket. Please submit such comments separately from other comments on
the rulemaking. Comments containing this type of information should be
appropriately marked as containing such information and submitted by
mail to the address listed in the FOR FURTHER INFORMATION CONTACT
section.
TSA will not place comments containing SSI in the public docket and
will handle them in accordance with applicable safeguards and
restrictions on access. TSA will hold documents containing SSI,
confidential business information, or trade secrets in a separate file
to which the public does not have access, and place a note in the
public docket explaining that commenters have submitted such documents.
TSA may include a redacted version of the comment in the public docket.
If an individual requests to examine or copy information that is not in
the public docket, TSA will treat it as any other request under the
Freedom of Information Act (FOIA) (5 U.S.C. 552) and the Department of
Homeland Security's (DHS') FOIA regulation found in 6 CFR part 5.
Reviewing Comments in the Docket
Please be aware that anyone is able to search the electronic form
of all comments in any of our dockets by the name of the individual who
submitted the comment (or signed the comment, if an association,
business, labor union, etc., submitted the comment). You may review the
applicable Privacy Act Statement published in the Federal Register on
April 11, 2000 (65 FR 19477), and modified on January 17, 2008 (73 FR
3316).
You may review TSA's electronic public docket on the Internet at
http://www.regulations.gov. In addition, DOT's Docket Management
Facility provides a physical facility, staff, equipment, and assistance
to the public. To obtain assistance or to review comments in TSA's
public docket, you may visit this facility between 9:00 a.m. and 5:00
p.m., Monday through Friday, excluding legal holidays, or call (202)
366-9826. This docket operations facility is located in the West
Building Ground Floor, Room W12-140 at 1200 New Jersey Avenue SE.,
Washington, DC 20590.
Availability of Rulemaking Document
You can get an electronic copy using the Internet by--
(1) Searching the electronic FDMS Web page at http://www.regulations.gov; or
(2) Accessing the Government Printing Office's Web page at http://www.gpo.gov/fdsys/browse/collection.action?collectionCode=FR to view
the daily published Federal Register edition; or accessing the ``Search
the Federal Register by Citation'' in the ``Related Resources'' column
on the left, if you need to do a Simple or Advanced search for
information, such as a type of document that crosses multiple agencies
or dates.
In addition, copies are available by writing or calling the
individual in the FOR FURTHER INFORMATION CONTACT section. Make sure to
identify the docket number of this rulemaking.
Abbreviations and Terms Used in This Document
17 SAIs--17 Security and Emergency Preparedness Action Items for
Transit Agencies
AAR--Association of American Railroads
AMTRAK--National Railroad Passenger Corporation
ANPRM--Advance Notice of Proposed Rulemaking
APTA--American Public Transportation Association
BASE--Baseline Assessment for Security Enhancement
CSRs--Corporate Security Reviews
DOT--Department of Transportation
DHS--Department of Homeland Security
EXIS--Exercise Information System
FEMA--Federal Emergency Management Agency
FMCSA--Federal Motor Carrier Safety Administration
FRA--Federal Railroad Administration
FTA--Federal Transit Administration
HMR--Hazardous Materials Regulations
HSA--Homeland Security Act of 2002
HSAS--Homeland Security Advisory System
HSEEP--Homeland Security Exercise and Evaluation Program
HTUA--High-Threat Urban Area
I-STEP--Intermodal Security Training and Exercise Program
NCIPP--National Critical Infrastructure Prioritization Program
NPRM--Notice of Proposed Rulemaking
NTAS--National Terrorism Advisory System
NY MTA--New York Metropolitan Transportation Authority
OMB--Office of Management and Budget
OTRB--Over-the-Road Bus
OAs--Oversight Agencies
PHMSA--Pipeline and Hazardous Materials Safety Administration
PPD--Presidential Policy Directive
PRA--Paperwork Reduction Act of 1995
PTPR--Public Transportation and Passenger Railroads
RSSM--Rail Security-Sensitive Materials
RTAs--Rail Transit Agencies
SMARToolbox--Security Measures and Resources Toolbox
SSI--Sensitive Security Information
SSO--State Safety Oversight
STB--Surface Transportation Board
TSA--Transportation Security Administration
TSGP--Transit Security Grant Program
T-START--Transportation Security Template and Assessment Review
Toolkit
TWIC--Transportation Worker Identification Credential
UASI--Urban Area Security Initiative
VASP--Vulnerability Assessments and Security Plans
Table of Contents
I. Introduction
II. Background
A. Surface Transportation
B. TSA's Role and Responsibility
C. The 9/11 Act
D. Applicability
III. Rulemaking Context
A. Grant Programs
B. Intermodal Security Training and Exercise Program
C. Department of Transportation Regulations
1. Hazardous Material Regulations
2. Transit Safety and Security
3. Emergency Preparedness Plans
D. 17 Security and Emergency Action Items
E. Baseline Assessment for Security Enhancement Program
F. Transportation Security Template and Assessment Review
Toolkit
G. Security Measures and Resources Toolbox
H. Terrorism Risk Analysis and Security Management Plan
Developed by the Association of American Railroads
I. Best Practices Developed by the American Public
Transportation Association
J. Security and Emergency Preparedness Plans
IV. Assessments
A. General
B. Assessments of Security Systems and Operations
C. Identifying Performance Standards for Assessments of Security
Systems and Operations
D. Determination of Critical Assets and Infrastructure
E. Identifying Performance Standards for Assessments of Critical
Assets and Infrastructure
V. Security Plans
A. Identifying Performance Standards for Security Plans
B. Tools and Other Resources
C. Risk-Reduction or Mitigation Measures
VI. Drills and Exercises
VII. Updates
VIII. Accountable Executive
IX. Considerations for Small Owner/Operators
X. Estimating the Benefits and Costs of Requirements
XI. Next Steps and Public Participation
I. Introduction
This ANPRM is part of a series of rulemakings applicable to public
transportation and passenger railroads (PTPR) systems, freight
railroads, and OTRBs to comply with requirements of the 9/11 Act.\2\
The 9/11 Act requires TSA to promulgate regulations involving: (1)
Security training of frontline employees,\3\ (2) vulnerability
assessments and security plans,\4\ and (3) employee vetting.\5\
---------------------------------------------------------------------------
\2\ Public Law 110-53, 121 Stat. 266 (Aug. 3, 2007).
\3\ Id. secs. 1408, 1517, and 1534. For a discussion regarding
the applicability of the 9/11 Act to these proposed rules, see
Section II of this ANPRM.
\4\ 9/11 Act secs. 1405, 1512, and 1531. See also Section II of
this ANPRM.
\5\ 9/11 Act secs. 1411, 1520, and 1531(e)(2). See also Section
II of this ANPRM.
---------------------------------------------------------------------------
This ANPRM is limited to the requirements for VASP regulations.
Through this ANPRM, TSA is seeking comments on: (1) Requirements for
vulnerability assessments of security systems and operations and
critical assets/infrastructure, (2) requirements for security plans,
and (3) resources or other required programs that TSA should consider
as relevant for meeting these requirements. Knowledgeable and
constructive input from railroads, public transportation agencies, OTRB
operators, their representative associations, labor unions, state and
local governments, and the general public who rely on these systems is
critical for developing a regulation with the proper balance between
costs and benefits.
By imposing VASP requirements on higher-risk railroads, public
transportation agencies, and OTRBs, this rulemaking should establish a
uniform base of vulnerability assessments and security plans for
security systems and operations, as well as critical assets and/or
infrastructure that these owner/operators may own or control.
TSA believes the VASP regulations should consider current
voluntarily implemented security measures and operational issues in
establishing performance standards for compliance. To that end, TSA is
seeking specific information to assist in developing effective
regulatory policies, resources for implementation, and valid cost
estimates. To provide context for the questions, this ANPRM is
organized to include requests for comment immediately following
discussions of the relevant issues.
TSA is requesting public comment and data to assist in identifying
the current baseline in order to determine the incremental cost of
compliance with the assessment and planning elements required by the
9/11 Act. In general, TSA is particularly interested in data from surface
transportation owner/operators who currently have security plans
specifically based on a vulnerability or similar assessment. For
example, TSA needs data on the cost of conducting an assessment (if not
conducted by TSA), cost of developing a security plan, and the types
and cost of risk-reduction or mitigation measures. While TSA has
gathered significant information in these areas as part of its ongoing
rulemaking efforts, there are some areas where it would be helpful to
validate cost elements and ensure our understanding of the existing
baseline is current. The requests for comment seek information to close
these information gaps.
As discussed below, TSA is concerned about the impact of this
regulation based on the diversity of surface transportation
owner/operators, which could include large (national) companies, publicly
owned systems, and small businesses. While not required, TSA asks
commenters to include information regarding the nature and size of the
business. Information on the nature of the business operation of the
person commenting will help TSA better understand and analyze the
information provided. Failure to include this specific information will
not preclude the agency's consideration of the information submitted.
II. Background
A. Surface Transportation
The surface transportation rules required by the 9/11 Act must
address a decentralized, diffuse, complex, and evolving terrorist
threat in the context of an inherently open and diverse transportation
system. The U.S. surface transportation network is immense, consisting
of public transportation systems, passenger and freight railroads,
highways, motor carrier operators, pipelines, and maritime facilities.
The New York Metropolitan Transportation Authority (NY MTA) alone
transports over 11 million passengers daily and represents just one of
the more than 6,800 U.S. public transit agencies for which TSA has
oversight, ranging from very small bus-only systems in rural areas to
very large multi-modal systems in urban areas like the NY MTA. More
than 500 individual freight railroads operate on nearly 140 thousand
miles of track carrying essential goods. Eight million large capacity
commercial trucks and almost 4 thousand commercial bus companies travel
on the
4 million miles of roadway in the United States and on more than 600
thousand highway bridges and through 350 tunnels greater than 300 feet
in length. Surface transportation operators carry approximately 750
million intercity bus passengers and 10 billion passenger trips on
public transportation each year. Securing such diverse surface
transportation systems in a society that depends upon the free movement
of people and commerce is a complex undertaking that requires extensive
collaboration with surface transportation operators.
Unlike the aviation mode of transportation, direct responsibility
to secure surface transportation systems falls primarily on the system
owners and operators. In further contrast to aviation, surface
transportation systems are, by nature, open systems. Surface
transportation systems can be national and privately held companies,
public transportation systems owned and operated by the government, or
a family-owned business with two buses. Regardless of the size of the
business, surface transportation owner/operators are in the best
position to know their facilities and their operational challenges. As
a whole, these owner/operators have spent billions of dollars of their
own funds to secure critical infrastructure, provide uniformed law
enforcement and specialty security teams, and conduct operational
activities and deterrence efforts.
Security and emergency response planning is not new to surface
transportation owner/operators; they have been working under DOT \6\
and DHS \7\ regulations. Although DOT's regulations relate primarily to
safety, many safety activities and programs also benefit security and
help to reduce risk. In the surface environment, TSA has built upon
these standards to improve security programs with minimal regulations.
---------------------------------------------------------------------------
\6\ For example, the Pipeline and Hazardous Materials Safety
Administration regulates the transportation of hazardous materials
in commerce, including requirements for safety and security training
and for security planning (49 CFR parts 171-180); the Federal
Railroad Administration regulates passenger train emergency
preparedness (49 CFR parts 200-299); and the Federal Transit
Administration requires system safety programs for rail transit
agencies (49 CFR part 659).
\7\ For example, the Transportation Worker Identification
Credential (TWIC) program is a TSA and U.S. Coast Guard initiative
in the United States. For more information, see https://www.tsa.gov/for-industry/twic. A TWIC is required for workers who need access to
secure areas of the nation's maritime facilities and vessels. TSA
conducts a security threat assessment (background check) to
determine a person's eligibility and issues the credential. U.S.
citizens and immigrants in certain immigration categories may apply
for the credential. Most mariners licensed by the U.S. Coast Guard
also require a credential. See 49 CFR part 1572. The National
Protection and Programs Directorate of DHS regulates the security of
certain high-risk chemical facilities in the United States. See 6
CFR part 27.
---------------------------------------------------------------------------
B. TSA's Role and Responsibility
TSA is responsible for assessing security risks for any mode of
transportation, developing appropriate security measures for dealing
with those risks, and ensuring implementation of those measures.\8\
Assessments include analysis of intelligence information and on-site
reviews of transportation systems and operations. TSA works
collaboratively with its surface stakeholders to enhance information
sharing and develop security measures and best practices appropriate
for the operational environment. DHS provides funding to support
information sharing and implementation of security measures. This
funding supports information sharing and analysis centers (ISACs) that
facilitate threat warning and incident reporting for railroads, public
transportation systems, and over-the-road buses. In addition, TSA works
with DHS to develop and implement a risk-based determination for
allocation of Federal grant funds. Eligible surface transportation
owner/operators can supplement their own investment in security, using
this funding to identify and mitigate operational vulnerabilities.
---------------------------------------------------------------------------
\8\ See 49 U.S.C. 114(d) and (f), codifying provisions of the
Aviation and Transportation Security Act (ATSA), Public Law 107-71,
115 Stat. 597 (Nov. 19, 2001). ATSA created TSA and made it the
primary federal agency responsible to enhance security for all modes
of transportation. Section 403(2) of the Homeland Security Act of
2002 (HSA), Public Law 107-296, 116 Stat. 2135 (Nov. 25, 2002),
transferred all functions related to transportation security,
including those of the Secretary of Transportation and the Under
Secretary of Transportation for Security related to TSA, to the
Secretary of Homeland Security. Pursuant to DHS, ``Delegation to the
Administrator of the Transportation Security Administration,''
Delegation Number 7060.2 (Nov. 5, 2003), the Secretary delegated to
the Administrator, subject to the Secretary's guidance and control,
the authority vested in the Secretary with respect to TSA, including
that in sec. 403(2) of the HSA.
---------------------------------------------------------------------------
TSA can also ensure implementation through promulgation of
regulations.\9\ For example, the Rail Transportation Security
regulation (published in 2008 and codified at 49 CFR part 1580)
requires all rail systems (freight, passenger, and public
transportation) to appoint rail security coordinators \10\ and report
significant security concerns to TSA through the Transportation
Security Operations Center (located at the ``Freedom Center'').\11\ In
addition, freight railroads are required to report (upon request by
TSA) the location and shipping information for rail cars containing
certain hazardous materials and provide ``chain of custody'' to ensure
security of those materials when transported through high-risk
areas.\12\
---------------------------------------------------------------------------
\9\ 49 U.S.C. 114(l)(1).
\10\ 49 CFR 1580.101 and 1580.201.
\11\ 49 CFR 1580.105 and 1580.203.
\12\ 49 CFR 1580.107.
---------------------------------------------------------------------------
C. The 9/11 Act
The 9/11 Act includes numerous mandates related to surface
transportation security. These requirements include development of
security strategies, reporting on implementation, information sharing,
civil penalties, Visible Intermodal Prevention and Response teams,
security assessments, grant programs for security enhancements, a
national security exercise program, background check programs,
protection for employees reporting security violations, public outreach
campaigns, and studies on particular hazards and threats.\13\
---------------------------------------------------------------------------
\13\ See 9/11 Act, at Title XII (Transportation Security
Planning and Information Sharing), Title XIII (Transportation
Security Enhancements), Title XIV (Public Transportation Security),
and Title XV (Surface Transportation Security).
---------------------------------------------------------------------------
As previously noted, the 9/11 Act also mandates that TSA require
VASP for higher-risk public transportation agencies, railroads, and
OTRBs; security training of their frontline employees; and, employee
background checks.\14\ TSA is addressing these requirements in three
separate, but related, rulemakings.\15\ The docket for this ANPRM
includes a table aligning the statutory provisions for VASP across the
three modes (public transportation, railroads, and OTRBs).
---------------------------------------------------------------------------
\14\ See 9/11 Act secs. 1405, 1512, and 1531 for VASP
requirements; secs. 1408, 1517, and 1534 for employee security
training requirements; and secs. 1411 and 1520 for employee vetting
requirements. The statutory mandates for VASP in secs. 1512, and
1531 also include a requirement to conduct security threat
assessments of security coordinators.
\15\ TSA published an NPRM to implement requirements related to
employee security training, titled ``Security Training Programs for
Surface Transportation Employees,'' published elsewhere in this
issue of the Federal Register. TSA will address requirements for
employee vetting in a separate NPRM. See Fall 2016 Unified Agenda,
RIN 1652-AA69.
---------------------------------------------------------------------------
D. Applicability
For purposes of this ANPRM, TSA is limiting the scope of its
request for comments related to applicability. As previously noted, the
VASP rulemaking is part of a series of rulemakings to implement
requirements of the 9/11 Act. As the first of these rulemakings
published by TSA, the Security Training NPRM provides the general
structure, including proposed applicability and the framework for a
regulatory program. TSA intends for the applicability proposed in the
Security Training NPRM to apply generally to the three
related rulemakings.\16\ In other words, the higher-risk PTPR, freight
railroad, and OTRB owner/operators required to have a security-training
program (surface owner/operators) would also be required to conduct
vulnerability assessments, implement security plans, and implement
requirements for employee vetting (security threat assessments).
---------------------------------------------------------------------------
\16\ The Security Training NPRM incorporates all of the requirements
in current 49 CFR part 1580. The rail operations subject to the
requirements in current part 1580 are broader than the proposed
applicability for rail operations in the Security Training NPRM. To
the extent an owner/operator must comply with requirements in
current part 1580, applicability proposed in the Security Training
NPRM would not affect that obligation. For example, if a railroad is
required to have a security coordinator under current part 1580, but
is not within the scope of proposed applicability for security
training, they must still have a security coordinator. TSA
anticipates capturing this additional security coordinator
population in the related rulemaking for vetting requirements,
consistent with the 9/11 Act's requirement to conduct security
threat assessments of all security coordinators. See 9/11 Act secs.
1512(e)(2) and 1531(e)(2).
---------------------------------------------------------------------------
Consistent with the proposed applicability for the Security
Training NPRM, TSA assumes the VASP requirements would apply to--
Class 1 railroads (as assigned by regulations of the
Surface Transportation Board (STB) (49 CFR part 1201; General
Instructions 1-1));
Railroads transporting rail security-sensitive materials
(RSSM) \17\ in a high-threat urban area (HTUA);
---------------------------------------------------------------------------
\17\ See definition in proposed 49 CFR 1580.3 of the Security
Training NPRM, which is consistent with the definition in current 49
CFR 1580.100(b).
---------------------------------------------------------------------------
Railroads hosting higher-risk rail operations (including
freight railroads and the intercity or commuter systems);
PTPR systems identified as higher-risk operating in one of
the following eight regions (geographically consistent with
designations under the Urban Area Security Initiative (UASI)): San
Francisco Bay area, Los Angeles/Long Beach and Anaheim/Santa Ana areas,
National Capital Region and Baltimore areas, Atlanta area, Chicago
area, Boston area, New York City and Jersey City/Newark areas, and
Philadelphia area;
Amtrak (the Security Training NPRM includes a list of
systems); and
OTRB owner/operators providing fixed-route service to,
through, or from one of the following areas (geographically consistent
with designations under the UASI): Anaheim/Los Angeles/Long Beach/Santa
Ana areas, San Diego area, San Francisco Bay area, National Capital
Region, Boston area, New York City/Jersey City/Newark area,
Philadelphia area/Southern New Jersey area, Dallas/Fort Worth/Arlington
area, Chicago area, and Houston area.
As TSA has included a full discussion of the proposed and
alternative applicability options in the Security Training NPRM, as
well as an opportunity to comment, that discussion is not duplicated as
part of this ANPRM. Later in this ANPRM, however, a specific request
for comments is included for the impact on small businesses. TSA will
consider all comments received on this ANPRM.
III. Rulemaking Context
The baseline of security for surface transportation has been
substantially enhanced since the 9/11 Act was enacted, through programs
(including some required by the 9/11 Act) and through the cooperative
and collaborative relationship between TSA and the surface
transportation industry. These relationships have led to enhanced
security through development of best practices, sharing of information
(reporting of security-related incidents by the industry, intelligence
sharing by the government, and other efforts such as the ISACs), and
security programs and measures to strengthen and enhance the security
of surface transportation networks.
The VASP regulations will be part of this broad and sustained
effort to develop and maintain an enhanced security baseline for
surface transportation as well as to strengthen the security of
nationally significant critical assets. Understanding the scope of
these efforts is essential to this rulemaking as the 9/11 Act
specifically authorizes TSA to recognize existing procedures,
protocols, and standards that can be used to meet all or part of the
regulatory requirements for assessments and planning.\18\ Additional
information on a few of these programs is provided below.
---------------------------------------------------------------------------
\18\ See 9/11 Act secs. 1405(i), 1512(j), and 1531(i).
---------------------------------------------------------------------------
A. Grant Programs
The 9/11 Act authorized funding for surface security enhancements
specifically for PTPR, freight railroads, and OTRB owner/operators.\19\
To the extent funds are appropriated for this purpose, TSA provides the
Federal Emergency Management Agency (FEMA) with subject matter
expertise, assisting in the development of risk determinations, review
of investment justifications, and other aspects of the surface
transportation security grant programs. These grants support surface
transportation risk-reduction or mitigation measures by applying
Federal funding to critical security projects. Between fiscal years
(FYs) 2006 and 2016, DHS awarded more than $2.4 billion in
transportation security grant funding to freight railroad carriers and
operators, OTRB operators, the trucking community, and public mass
transit owners and operators, including Amtrak, and their dedicated law
enforcement providers. Congress appropriated $100 million in FY 2016,
from which DHS awarded $87 million for mass transit, $10 million for
passenger rail, and $3 million for motor coach security grants.
---------------------------------------------------------------------------
\19\ See 9/11 Act secs. 1406(a)(2) (public transportation
security assistance), 1513(a)(2) (railroads), 1514(b) (Amtrak), and
1532(f)(1) (OTRBs).
---------------------------------------------------------------------------
TSA assumes surface transportation owner/operators will incorporate
security measures and other security enhancements funded by these grant
programs into security programs complying with the regulatory
requirements mandated by the 9/11 Act. This assumption recognizes
requirements in the authorizing statutes for these grant programs,
which all prioritized funding for meeting 9/11 Act requirements for
security training, assessments, and planning.
B. Intermodal Security Training and Exercise Program
The 9/11 Act also required development of a security exercise
program to ``assess[ ] and improv[e] the capabilities'' of surface
modes ``to prevent, prepare for, mitigate against, respond to, and
recover from acts of terrorism.'' \20\ TSA implemented this requirement
through the Intermodal Security Training and Exercise Program (I-STEP).
I-STEP brings public and private sector partners together to exercise,
train, share information, and address transportation security issues to
protect travelers, commerce, and infrastructure. Through the program,
TSA facilitates modal and intermodal exercises and workshops throughout
the country. The program also provides training support to help modal
operators meet their training objectives. The Exercise Information
System (EXIS) is an online tool developed by TSA, which leverages the
concept of I-STEP in support of all operators, but particularly those
operators that may be less competitive for I-STEP exercises because
they are lower risk systems.
---------------------------------------------------------------------------
\20\ See 9/11 Act secs. 1407, 1516 and 1533. See also sec. 114
of the Security and Accountability for Every Port Act of 2006 (SAFE
Port Act), Public Law 109-347, 120 Stat. 1884, 1896-97 (Oct. 13,
2006).
---------------------------------------------------------------------------
C. Department of Transportation Regulations
1. Hazardous Material Regulations
DOT modes also have regulatory programs that may be relevant to
meeting VASP requirements. For example, every freight railroad
transporting at least one of the hazardous materials that trigger
applicability under 49 CFR part 172 (known as the Hazardous Materials
Regulations (HMR)) is required to have and adhere to a security plan.
While the security plan requirements of the HMR may not be identical to
the requirements in the 9/11 Act, TSA anticipates that freight railroad
owner/operators may be able to use plans developed and implemented
under the HMR to satisfy a portion of TSA's VASP regulations.
2. Transit Safety and Security
The Federal Transit Administration (FTA) has responsibility for
managing State oversight for rail transit agencies (RTAs). Under 49 CFR
part 659, State Oversight Agencies (SOAs) must require the rail transit
agencies to develop and implement a written system safety program plan
and system security plan that complies with requirements in 49 CFR part
659.
Part 659 requires SOAs to approve and annually review the rail
transit agency system safety and security plans. Moreover, the SOAs
must require covered agencies to develop and document a process for the
performance of ongoing internal safety and security reviews as part of
their plans. Finally, the SOAs themselves must conduct on-site reviews
of system safety program plan and system security plan implementation.
The FTA has announced its intent to rescind part 659.\21\ On March
16, 2016, the FTA published a safety-focused final rule, adding part
674 to their regulations to supersede part 659.\22\ The safety
requirements of part 674 took effect April 15, 2016. The FTA has stated
its intent to rescind the security requirements in part 659 no later
than April 15, 2019,\23\ noting TSA's responsibility for rulemakings
related to security of public transportation.\24\ It also noted that
RTAs may continue to implement measures to secure their operations and
assets, but it is no longer the requirement of the SOAs to oversee
those measures.\25\
---------------------------------------------------------------------------
\21\ See 81 FR 14230 (Mar. 16, 2016) (adding part 674 to title
49 of the CFR).
\22\ Id.
\23\ Id.
\24\ Id. at 14233.
\25\ Id.
---------------------------------------------------------------------------
The security measures that RTAs have implemented because of
requirements under part 659 may be similar to what TSA proposes within
the parameters set by the 9/11 Act. As with freight rail, TSA
anticipates that PTPR owner/operators may be able to use plans
developed and implemented under these DOT regulatory requirements to
satisfy a portion of TSA's VASP regulations.
3. Emergency Preparedness Plans
The Federal Railroad Administration (FRA) safety standards require
emergency preparedness plans by railroads connected with the operation
of passenger trains (including freight carriers hosting passenger rail
operations). Under 49 CFR part 239, these railroads must implement
emergency preparedness plans that include: Communication measures
(including notification to on-board crewmembers and passengers about
the nature of the emergency and control center personnel of outside
emergency responders and adjacent rail modes of transportation);
passenger evacuation in emergency situations; employee training and
qualification; joint operations; tunnel safety; liaison with emergency
responders; on-board emergency equipment; and, passenger safety
information. In the Security Training NPRM, TSA proposes to allow
training required by 49 CFR 239.101(a)(2) to be combined with other
training in order to partially or fully meet requirements under Sec.
1580.115(f) or Sec. 1582.115(f) of that NPRM.\26\ TSA expects that
portions of the emergency response plans developed under part 239 could
be equally relevant for satisfying some of the VASP requirements.
---------------------------------------------------------------------------
\26\ Titled ``Security Training Programs for Surface
Transportation Employees,'' published elsewhere in this issue of the
Federal Register.
---------------------------------------------------------------------------
D. 17 Security and Emergency Action Items
Following the events of September 11, 2001, FTA developed security
and emergency preparedness resources and provided technical assistance
to transit agencies across the United States, including the ``Top 20
Security and Emergency Preparedness Action Items for Transit Agencies''
(published in 2003). In 2006, FTA and TSA collaborated to update and
consolidate the FTA list into 17 Security and Emergency Preparedness
Action Items for Transit Agencies (17 SAIs).
In 2012, FTA and TSA revised the 17 SAIs to ensure alignment with
changes TSA was implementing in its assessment program. These changes
added cyber-security as a topic, replaced the color-coded Homeland
Security Advisory System (HSAS) with the National Terrorism Advisory
System (NTAS), and revised and highlighted the priorities of risk
management and risk information gathering and analysis. All changes
reflected consultation with the industry through TSA's Mass Transit
Sector Coordinating Council, chaired by the American Public
Transportation Association (APTA).
The 17 SAIs reflect the high-level priority topics included in a
security and emergency preparedness program, appropriately scaled to
risk environment and operations. Table 1 identifies the current 17
SAIs.
Table 1--17 Security and Emergency Preparedness Action Items
------------------------------------------------------------------------
Category                                 Action item
------------------------------------------------------------------------
Management and Accountability..........  1. Establish written system
                                          security programs (SSPs) and
                                          emergency management
                                          operations/response plans.
                                         2. Define roles and
                                          responsibilities for security
                                          and emergency preparedness.
                                         3. Ensure that operations and
                                          maintenance supervisors,
                                          forepersons, and managers are
                                          held accountable for security
                                          issues under their control.
                                         4. Coordinate security and
                                          emergency operations/response
                                          plan(s) with local and
                                          regional agencies.
Security and Emergency Response          5. Establish and maintain a
 Training.                                security and emergency
                                          training program.
National Terrorism Advisory System       6. Establish plans and
 (NTAS).                                  protocols to respond to the
                                          NTAS alert levels.
Public Awareness.......................  7. Implement and reinforce a
                                          public security and emergency
                                          awareness program.
Risk Management and Information Sharing  8. Establish and use a risk
                                          management process.
Risk Information Collection and Sharing  9. Establish and use an
                                          information sharing process
                                          for threat and intelligence
                                          information.
Drills and Exercises...................  10. Conduct tabletop exercises
                                          and functional drills.
Cybersecurity..........................  11. Develop a comprehensive
                                          cyber-security strategy.
Facility Security, Access Controls, and  12. Control access to security
 Background Investigations.               critical facilities with
                                          identification (ID) badges for
                                          all visitors, employees, and
                                          contractors.
                                         13. Conduct physical security
                                          inspections.
                                         14. Conduct background
                                          investigations of employees
                                          and contractors.
Document Control.......................  15. Control access to documents
                                          of security critical systems
                                          and facilities.
                                         16. Process for handling and
                                          access to SSI.
Security Program Audits................  17. Establish and conduct
                                          security program audits.
------------------------------------------------------------------------
E. Baseline Assessment for Security Enhancement Program
In 2006, TSA established the BASE program, through which TSA
inspectors conduct a thorough security assessment of public
transportation agencies, passenger railroads, bus companies, and
trucking companies. To conduct an assessment, inspectors ask a series
of questions to develop a ``snapshot'' of current security measures
(questions are slightly different for each mode). Within the relevant
SAI categories, TSA applies numerical values to the level of
implementation of an effective security measure. Final SAI scores
quantify the entity's comprehensive transportation security posture.
TSA collaborates with owner/operators to develop options that could
help mitigate a security-related vulnerability relative to the industry
standard and identifies resources that TSA or other areas of the
Federal government can provide to support raising the security
baseline. The results of these assessments inform TSA policies and
development of best practices to align such policy and program
priorities with industry-wide security weaknesses. For example, during
the interaction with owner/operators as part of a BASE assessment, TSA
obtains information about whether specific measures for addressing
identified issues are feasible within the specific type of operation.
TSA uses this information to develop alternative tools to enhance
security. As TSA identifies industry-wide security weaknesses, the
information informs priorities, policies, and programs. For example,
TSA has used BASE statistics to recommend funding priorities to FEMA in
an effort to ensure allocation priorities are consistent with
identified industry-wide security weaknesses in light of current risks.
In 2007, TSA's review of the industry-wide scores in the training
category of the BASE assessments indicated deficiencies. Based on this
information, DHS prioritized frontline employee training within the
Transit Security Grant Program (TSGP).
In FY 2011, TSA's review of BASE scores and discussions with
industry revealed deficiencies at nationally critical infrastructure
assets that were not being addressed at all, or as quickly as they
could be. TSA worked with FEMA to overhaul the TSGP framework to
prioritize these assets (``Top Transit Asset List'') for funding
through a wholly competitive process.\27\ DHS subsequently awarded over
$565 million to protect critical infrastructure assets. This funding
resulted in increased preventive security for over 80 percent of
nationally critical infrastructure assets.
---------------------------------------------------------------------------
\27\ See FEMA, ``FY 2012 Transit Security Grant Program,''
available at https://www.fema.gov/fy-2012-transit-security-grant-program.
---------------------------------------------------------------------------
In addition, as an initial requirement for grant eligibility,
applicants must validate they have an updated security plan based on a
security assessment, such as the BASE. They then must align all
requests for funding (investment justifications) with items identified
in the security assessment or security plan.
In FY 2015, TSA Inspectors completed 92 BASE assessments on mass
transit and passenger rail agencies, of which 13 resulted in Gold
Standard Awards for those entities achieving overall excellence in
security program management. In 2012, TSA expanded the BASE program to
the highway and motor carrier \28\ mode and has since conducted over
400 reviews of highway and motor carrier operators, with 98 reviews
conducted in FY 2015. On average, TSA conducts approximately 150
reviews on mass transit and highway and motor carrier operators each
year, with numerous reviews in various stages of completion for FY
2016.
---------------------------------------------------------------------------
\28\ See 77 FR 31632 (May 29, 2012) (60-day notice for
Information Collection Request (ICR) for more information on
expanding the BASE to highway and motor carrier transportation).
---------------------------------------------------------------------------
F. Transportation Security Template and Assessment Review Toolkit
The Transportation Security Template and Assessment Review Toolkit
(T-START) is a resource created by TSA to assist owner/operators in
developing effective security practices and in the construction of a
security plan. The current version of T-START incorporates the BASE
assessment for the highway mode. It is available for small companies,
political subdivisions, or governmental entities having ownership or
control over large systems (such as school buses), and large companies
with national coverage. T-START currently includes five modules that
walk the owner/operator's representative through the process of
understanding security management and risk, a tool for conducting
assessments, identification of risk-reduction or mitigation options
through awareness of industry ``best practices'' and other options
developed by TSA, and a template for developing a security plan, the
final crucial step toward an effective security program. T-START is
currently scoped to address highway transportation security issues.
G. Security Measures and Resources Toolbox
The Security Measures and Resources Toolbox (SMARToolbox) is a
resource to help surface transportation professionals identify relevant
insights, security measures, and smart practices to increase their
security baseline. The SMARToolbox is not a set of standards, rules, or
regulations; rather, it is a compilation of smart security practices
developed by industry, for industry across all modes of surface
transportation. The heart of the SMARToolbox is a searchable,
modifiable database of security measures identified by surface
transportation professionals as valuable to their organization's
operations. The SMARToolbox aligns security measures with category
filters to allow for various searches by, among other things, mode,
threat scenario, and core capability. TSA intends this database to be a
resource for the industry to assess the value of implementing various
security measures into transportation systems. To augment the
usefulness of the security measures database, the SMARToolbox also
offers resources designed to facilitate implementation of the measures
(for example, implementation checklists and self-assessment functions).
H. Terrorism Risk Analysis and Security Management Plan Developed by
the Association of American Railroads
As an industry, the railroads have undertaken efforts to enhance
the security and resiliency of the freight rail transportation system.
In the aftermath of the 9/11 terrorist attacks, the railroad industry
worked closely with local, State, and Federal officials and used their
own police forces; the railroads increased inspections and patrols,
restricted access to key facilities, briefly suspended freight traffic
in the New York City area, and changed certain operational practices as
anti-terrorist measures.
The Association of American Railroads (AAR) developed the Railroad
Risk Analysis and Security Plan (AAR Plan) in April 2003 in response to
the terrorist attacks, and as a proactive measure in collaboration with
DHS to address perceived security vulnerabilities within the freight
rail system. TSA anticipates that freight railroad owner/operators who
have participated in this AAR initiative would use the results of those
security assessments to expedite their compliance with the proposed
requirements in the VASP regulations.
The AAR created five critical action teams, each for a specific
area of concern within the rail industry.\29\ The critical action teams
examined and prioritized all railroad assets, vulnerabilities, and
threats, and identified countermeasures. As part of the AAR Plan, the
industry developed four threat-based alert levels, laying out
progressively higher levels of action for the industry to implement in
the event of certain security situations.
---------------------------------------------------------------------------
\29\ These action teams focus on critical security issues for
railroad systems, including hazardous materials, information
technology, communications, and military movements.
---------------------------------------------------------------------------
The AAR Plan provides an overall framework for industry-wide
security measures while leaving the actual implementation up to each
individual railroad carrier. Carriers used the plan as a guidance
document to create security management plans for their respective
company addressing their unique security concerns. The industry sees
the AAR Plan as a living document reflecting changes in risk. As
appropriate based on a continuous risk assessment process, they update
and revise the plan.
I. Best Practices Developed by the American Public Transportation
Association
APTA has instituted a Standards Development Program. Four working
groups within the program have developed security-oriented recommended
practices for use by public transit agencies. The four working groups
are focused on the following issues:
* Control and Communications Security;
* Emergency Management;
* Enterprise Cybersecurity; and
* Infrastructure & Systems Security.
Through these working groups, APTA has published white papers and
recommended practices.\30\
---------------------------------------------------------------------------
\30\ More information on these standards can be found at http://www.apta.com/resources/standards/Pages/default.aspx.
---------------------------------------------------------------------------
J. Security and Emergency Preparedness Plans
Both the commercial bus industry and public transportation agencies
have created documents, which they named ``Security and Emergency
Preparedness Plans (SEPP).'' Commercial OTRB companies created and
distributed the OTRB SEPP in 2005. This document contained a proposed
security assessment matrix and a template for creation of a company-
wide security plan. TSA used the SEPP as the foundation for the T-
START, discussed in section III.F.
In 2008, APTA released a SEPP with recommended security practices
for public transit agencies and guidance for the creation of agency
security assessments and protective plans. Both of these resources
optimize--within the constraints of time, cost, and operational
effectiveness--the protection of employees and passengers.
The SEPP meets several objectives: (1) Achieving a level of
security performance and emergency readiness that meets or exceeds the
needs of similarly-sized operations; (2) increasing and strengthening a
company's involvement in safety and security; (3) developing and
implementing an assessment program focused on improving physical
security and emergency response; (4) expanding security awareness and
emergency management training for employees, volunteers, first
responders, and contractors; and (5) enhancing security and emergency
preparedness coordination with applicable local, State, and Federal
agencies.
IV. Assessments
A. General
The 9/11 Act's requirements for ``vulnerability assessments''
address both operations and assets. As shown in Diagram A, conducting
such an assessment is a two-step process: (1) Assessments of security
systems and operations and (2) assessments of critical assets.
[GRAPHIC] [TIFF OMITTED] TP16DE16.011
TSA understands that submitting information about weaknesses in
security systems/operations and critical asset protection may raise
concerns regarding the public availability of the information. Under
TSA's regulations for SSI,\31\ all vulnerability assessments
``directed, created, held, funded, or approved by'' TSA are SSI.\32\
Similar provisions apply to security programs or contingency plans
``issued, established, required, received, or approved'' by TSA.\33\
Generally, access to SSI is strictly limited to those persons with a
need to know, as defined in 49 CFR 1520.11, and to those persons to
whom TSA grants specific access authorization under 49 CFR 1520.15.
Pursuant to statute,\34\ there is limited access to specific SSI in
Federal district court proceedings to civil litigants who do not
otherwise have a need to know under part 1520. This requirement only
affects TSA's application of its non-disclosure policy in civil
proceedings in Federal district court; it does not affect TSA
administrative, State, or other Federal proceedings.
---------------------------------------------------------------------------
\31\ See 49 CFR part 1520.
\32\ Id. at 1520.5(b)(5).
\33\ Id. at 1520.5(b)(1).
\34\ See Department of Homeland Security Appropriations Act,
2007, Public Law 109-295, sec. 525(d), 120 Stat. 1355 (Oct. 4,
2006). Section 525 is uncodified, but Congress has reenacted the
provisions in sec. 525(d) in each subsequent Department of Homeland
Security Appropriations Act. Currently, the provision can be found
at Public Law 114-113, div. F, sec. 510(a), 129 Stat. 2242, 2513
(Dec. 18, 2015, continued to December 9, 2016), by the Continuing
Appropriations and Military Construction, Veterans Affairs, and
Related Agencies Appropriations Act, 2017, and Zika Response and
Preparedness Act, Public Law 114-223, sec. 101(6) (Sept. 30, 2016).
---------------------------------------------------------------------------
B. Assessments of Security Systems and Operations
A vulnerability assessment of security systems and operations is
the foundation for an effective security program, including
understanding the threat, identification of risk-reduction or
mitigation measures, resource allocation decisions, employee training,
drills and/or exercises to test preparedness and planning, and
reassessments to determine areas for change or improvement. As noted in
Diagram B, assessment is part of a cyclical process.
[GRAPHIC] [TIFF OMITTED] TP16DE16.012
Collecting and analyzing information on deficiencies and weaknesses
is a critical first step in managing and mitigating risks as it enables
surface owner/operators to detect and manage security vulnerabilities.
As assessment results, current intelligence/threat and other relevant
information, and after-action reports of drills/exercises are fed into
the planning cycle, surface owner/operators can better direct resources
towards effective risk management.
C. Identifying Performance Standards for Assessments of Security
Systems and Operations
TSA considers the BASE to be an important resource for developing
the VASP regulations. The scope of the BASE program is fundamentally
consistent with the 9/11 Act's requirements for assessments of security
systems and operations.\35\ Using the categories identified in Table 1
for the 17 SAIs, Table 2 crosswalks the categories for the 17 SAIs with
the 9/11 Act's requirements for security assessments. In addition, the
program and the assessment questions are familiar to many of the owner/
operators who may be subject to these regulations.\36\
---------------------------------------------------------------------------
\35\ The current PTPR BASE is based on the 17 SAIs developed
jointly by FTA and TSA. The highway BASE has 20 SAIs. In the past,
TSA conducted Corporate Security Reviews (CSRs) for freight
railroads, which were similar to the BASE. The CSR had fewer items.
While the numbers may vary, the issues are generally the same (with
the exception of some issues unique to a particular mode).
Therefore, for purposes of this ANPRM, TSA will use 17 SAIs as a
generic term for all of them.
\36\ TSA is providing an appropriately detailed sample of
questions in the docket for this rulemaking for commenters who are
not familiar with the BASE.
---------------------------------------------------------------------------
Table 2--Crosswalk Between 9/11 Act Assessment Requirements and 17 SAIs
------------------------------------------------------------------------
9/11 Act requirement                     17 SAIs category
------------------------------------------------------------------------
Identification and evaluation of         Risk Management and Information
 emergency response planning and other    Sharing.
 vulnerabilities related to passenger/
 cargo security.
Identify weaknesses in emergency         Management and Accountability.
 response planning related to passenger/ National Terrorism Advisory
 cargo security.                          System (NTAS).
                                         Public Awareness Risk
                                          Information Collection and
                                          Sharing.
Identify weaknesses in employee          Security and Emergency Response
 training and emergency response          Training.
 planning.                               Drills and Exercises.
Identification of weaknesses in the      Cybersecurity.
 security of programmable electronic
 devices, computers, or other automated
 systems; alarms, cameras, and other
 protection systems; and communication
 systems and utilities needed for
 security purposes.
Identification of vulnerabilities to     Facility Security, Access
 critical assets and infrastructure and   Controls, and Background
 weaknesses in physical security.         Investigations.
------------------------------------------------------------------------
While the questions used for a BASE assessment do not establish or
identify performance standards, they could be the starting point for
developing appropriate performance standards. For example, the 9/11 Act
requires an assessment of strengths and weaknesses in emergency
response planning. Currently, the BASE includes the following ``yes''
or ``no'' questions relevant to this requirement:
* Does the plan address personnel security, facility
  security, vehicle security, and Threat/Vulnerability Management?
* Does the plan include methods to identify and actively
  monitor the goals and objectives for the security program?
* Does the plan include a written policy statement that
  endorses and adopts the policies and procedures of the plan? Does top
  management, such as the agency's chief executive, approve and sign the
  plan?
* Does the plan address protection and response for critical
  systems?
* Does the plan clearly identify responsibilities (or
  reference other documents establishing procedures) for the management
  of security incidents by the operations control center (or dispatch
  center) or other formal process?
* Does the plan clearly identify (or reference other
  documents establishing) plans, procedures, or protocols for responding
  to security events with external agencies (such as law enforcement,
  local EMA, fire departments, etc.)?
* Has the owner/operator partnered with local law
  enforcement/first responders to develop active shooter procedures or
  protocols?
* Does the security plan contain or reference other
  documents that establish procedures or protocols for responding to
  active shooter events?
* Does the security plan contain or reference other
  documents that establish protocols addressing specific threats from:
  (1) Improvised Explosive Devices (IED), and (2) Weapons of Mass
  Destruction (chemical, biological, radiological hazards)?
* Does the security plan integrate visible, random security
  measures, based on employee-type, to introduce unpredictability into
  security activities for deterrent effect?
* Does the security plan require consideration of security
  before implementation of extensions, major projects, new vehicles and
  equipment procurement, and other capital projects?
* Does the security plan include or reference other
  documents adopting Crime Prevention Through Environmental Design
  (CPTED) or similar security-focused preventive principles as part of
  the agency's engineering practices?
* Does the security plan require an annual review?
* Does the owner/operator produce periodic reports reviewing
  its progress in meeting its security plan goals and objectives?
* Has the company conducted, and documented, an annual
  review of the security plan within the preceding 12 months?
* Does the security plan outline a process for securing
  review for updates and necessary approval of updates to the security
  plan?
Beginning with these ``yes'' or ``no'' questions, TSA could develop
qualitative standards to help a surface owner/operator determine
whether its security measure is weak, adequate, or strong based on how
effective it is. Answers to those questions would help the surface
owner/operator identify weaknesses in its security measures and inform
development and prioritization of risk-reduction measures.
For surface owner/operators that have conducted vulnerability
assessments of security systems/operations, TSA seeks comment on the
following questions:
1. Have you conducted a vulnerability assessment of your security
system/operations within the last three (3) years?
2. If yes, did TSA conduct the assessment as part of the BASE
program? If not TSA, did an independent auditor or company employees
conduct the audit? How long did it take to perform this assessment?
How many individuals were involved in conducting the assessments
(please provide information on the time and personnel costs for those
essential to the assessment process, such as man-hours, permanent
employees or contractor cost, etc.)?
3. How frequently do you update assessments of security systems/
operations? Do you have internal or other requirements to update
assessments? Are these requirements based on a schedule or changes to
operations, assets and infrastructure, or threat information? How much
time do these updates take?
4. Was the assessment of security systems/operations site-specific,
system-wide, or both?
5. What resources or tools did you use for conducting your
assessment?
6. What features of those resources or tools were most useful?
7. If the evaluation assesses operational security processes, such
as training and operations, what methodologies or criteria are used to
evaluate these processes?
8. What types of questions or other criteria were used to help
identify strengths and weaknesses? Which of these were most relevant to
your operations?
9. Do you use the results of the assessment for developing security
plans, or emergency response plans, continuity of operations plans,
etc.? Please describe how the assessment is used.
10. Was the assessment conducted in order to meet other Federal
requirements (such as grant eligibility) or other standards? If so,
please provide a description or source for those requirements or
standards?
11. How can other required assessments addressing security systems/
operations be used to satisfy TSA's regulatory requirements? For
example, how relevant are FRA emergency preparedness requirements,
PHMSA security plan requirements, and FTA's requirements? What
standards should TSA use to determine if those plans meet TSA's
requirements?
12. How could TSA ensure a surface owner/operator is in compliance
with other agency requirements if it permits those measures to satisfy
the requirements of TSA's regulation?
13. What barriers and/or challenges to conducting this assessment
did you encounter?
D. Determination of Critical Assets and Infrastructure
As previously noted, the 9/11 Act requires a vulnerability
assessment of critical assets/infrastructure. The statute does not
provide criteria for determining whether an asset is
[[Page 91412]]
``critical.'' \37\ Depending on the criteria, TSA could either require
surface owner/operators to self-determine critical assets/
infrastructure or inform surface owner/operators of a TSA-determination
of criticality. The different approaches have significant impacts on
the cost/benefits of vulnerability assessments, as well as the scope of
required risk-reduction measures implemented as part of a security
plan.
---------------------------------------------------------------------------
\37\ The 9/11 Act includes a list of critical asset types to be
considered, as appropriate, but does not describe the criteria that
would make them ``critical.'' See 9/11 Act secs. 1405(a)(3)(A),
1512(d)(1)(A), and 1531(d)(1)(A).
---------------------------------------------------------------------------
Self-determination of critical assets would require surface owner/
operators to determine whether an asset is critical. Such a process
would likely require owner/operators to first identify all of their
assets (at least in the categories identified by the 9/11 Act) then use
TSA-provided criteria to determine if any of those assets are critical.
TSA would need to provide a tool or other measures to ensure consistent
application of the criteria across all regulated parties.
A self-determination approach to criticality is likely to capture
assets that may be critical from a business perspective, but not
necessarily critical from the perspective of national security. This is
a significant cost issue as identification of critical assets carries
with it the regulatory burden to conduct a vulnerability assessment of
the asset and implement appropriate risk-reduction measures to address
any identified vulnerabilities, even if the asset is not critical from
a national security perspective.
To address this concern, TSA could limit the requirement to
``nationally critical assets and infrastructure'' as determined by TSA.
This determination would begin with a definition of national
criticality. While there have been many efforts to define critical
infrastructure and refine lists of critical assets in order to apply
the appropriate protective measures since the terrorist attacks of
9/11, TSA finds the definition in Uniting and Strengthening America by
Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism (USA PATRIOT ACT) Act of 2001 \38\ has particular resonance
as it was developed within the context of protecting assets from
terrorist attack:
---------------------------------------------------------------------------
\38\ Public Law 107-56, 115 Stat. 272 (Oct. 26, 2001).
In this section, the term ``critical infrastructure'' means systems
and assets, whether physical or virtual, so vital to the United
States that the incapacity or destruction of such systems and assets
would have a debilitating impact on security, national economic
security, national public health or safety, or any combination of
those matters.\39\
---------------------------------------------------------------------------
\39\ Id. at sec. 1016(e) (codified at 42 U.S.C. 5195c(e)).
This definition was adopted by reference in the Homeland Security Act
of 2002 \40\ and is used for the definition of ``critical
infrastructure'' in the Presidential Policy Directive (PPD) on
``Critical Infrastructure Security and Resilience'' (PPD-21, issued
Feb. 12, 2013) which replaces Homeland Security Presidential Directive
7.
---------------------------------------------------------------------------
\40\ Public Law 107-296, sec. 2(4), 116 Stat. 2135, 2140 (Nov.
25, 2002) (codified at 6 U.S.C. 101(4)).
---------------------------------------------------------------------------
Within the scope of such a definition, TSA would need to consider
the criteria necessary for identifying nationally critical assets. For
purposes of identifying a list of ``nationally significant surface
critical infrastructure,'' TSA has developed similar criteria in
consultation with intelligence analysts and the industry. Such criteria
consider location of the asset and the direct consequences of an act
that incapacitates or destroys the asset.
Other possible criteria for consideration include those developed
under the National Critical Infrastructure Prioritization Program
(NCIPP). Identification and prioritization of critical infrastructure
for purposes of the NCIPP consider the destruction or disruption of
infrastructure that could have catastrophic national or regional
consequences. This determination provides the foundation for
infrastructure protection and risk reduction programs and activities
executed by DHS and its public and private sector partners. Table 3
provides the considerations for Level 1 and Level 2 under the NCIPP.
Table 3--NCIPP Categories
------------------------------------------------------------------------
Impact | Level 1 (all sectors) | Level 2 (all sectors excluding agriculture and food)
------------------------------------------------------------------------
Casualties | Greater than 5000 prompt fatalities. | Greater than 2500 prompt fatalities.
Economic Consequences | Greater than $75 billion in first year. | Greater than $25 billion in first year.
Mass evacuations | Prolonged absence of greater than 3 months. | Prolonged absence of greater than 1 month.
Security capabilities | (Level 1 and Level 2) Severe degradation of Nation's national security capabilities including intelligence and defense functions, but excluding military facilities.
------------------------------------------------------------------------
For purposes of this rulemaking, surface owner/operators would only
be notified if they owned or controlled an asset identified by TSA as
nationally significant. For example, surface owner/operators may not
own or have any operational control over the stations, terminals, or
bridges they use for their operations.\41\
---------------------------------------------------------------------------
\41\ Notwithstanding its authority to regulate all aspects of
the transportation system, there are no current plans to apply the
requirements to entities not identified as surface owner/operators
in the Security Training NPRM.
---------------------------------------------------------------------------
But TSA also recognizes that lack of ownership or control does not
obviate the need to consider security. Operations of a surface owner/
operator may rely on transportation infrastructure at risk based on its
iconic significance. That risk could also apply to those who use it.
While the surface owner/operator may not be able to reduce the risk for
the asset, it can take measures to reduce the risk for its system when
using that asset.
TSA seeks comments on the following questions:
14. Should TSA use other standards to determine criticality? If so,
please provide alternative standards.
15. If alternative standards were provided in response to Question
14, what types of assets or infrastructure would be determined as
critical using the alternative standards? Answers containing SSI should
be submitted according to the directions under SUPPLEMENTARY
INFORMATION.
16. Would the alternative standards provided in response to
Question 14 result in a criticality designation for any or all of the
assets and infrastructure identified in secs. 1512(d)(1)(A) and
1531(d)(1)(A) of the 9/11 Act? See docket for this rulemaking for a
table that aligns
[[Page 91413]]
the 9/11 Act's requirements across the three modes.
17. If TSA were to adopt a broader list of assets and
infrastructure--such as all of those identified in secs. 1512(d)(1)(A)
or 1531(d)(1)(A) of the 9/11 Act--are some inappropriate for inclusion
because the cost associated with assessments and planning would result
in a corresponding benefit to surface transportation security? Are
there some that are rarely, if ever, under the ownership or control of
the owner/operators that would be subject to the rule's requirements?
18. What type of information and technical assistance would you
need from TSA to facilitate conducting a vulnerability assessment?
For entities currently conducting self-determinations of critical
assets and infrastructure, TSA seeks comments on the following
questions:
19. How do you make the determination of criticality? For example,
should TSA use criteria such as traffic volume (such as ton-miles over
or through, passenger trains, daily ridership, and/or number of
shipments) or some other criteria associated with network criticality?
20. What is the cost of this process (how many hours, permanent
employee or contractor, are required, etc.)?
21. Do you use the determination of criticality for development of
general continuity of operations plans?
E. Identifying Performance Standards for Assessments of Critical Assets
and Infrastructure
While there are many ways to complete an intelligence driven, risk-
based vulnerability assessment for critical assets, they all rely on
some form of subjective ranking system to identify and evaluate
specified strengths and weaknesses. For example, a surface owner/
operator could prioritize the threats relative to the asset as highly
likely, somewhat likely, possible, unlikely, or improbable. Such owner/
operator could then rate vulnerabilities (perhaps on a scale from very
low to high), based on subjective decisions regarding how easy it would
be to exploit that vulnerability given current operations. The owner/
operator could also rate the consequence based on the type of threat.
Combining all three ratings into an overall risk score helps identify
the greatest risks in order to focus energies and limited resources on
related vulnerabilities.
TSA is seeking information on appropriate resources that can inform
development of performance standards for vulnerability assessments.
Known resources include DHS tools, such as the framework of the
Integrated Rapid Visual Screening (IRVS); issues addressed in questions
related to asset protection that are part of a BASE assessment; and
standards developed by the American Public Transportation Association
(APTA).
For surface owner/operators that have conducted vulnerability
assessments of critical assets and infrastructure, TSA seeks comments
on the following questions:
22. Did you perform the vulnerability assessment on specific
assets? If so, what assets? What criteria did you use to determine
which assets to assess?
23. How long did it take to perform this assessment? How many
individuals were involved in conducting the assessments? Please provide
information on the time and personnel costs for those essential to the
assessment process, such as man-hours, permanent employees or
contractor cost, etc.
24. Do you use the results of the vulnerability assessment for
developing security plans, or emergency response plans, continuity of
operations plans, etc.? Please describe how the assessment is used.
25. How frequently do you update vulnerability assessments? Do you
have internal or other requirements to update assessments? Are these
requirements based on a schedule or changes to operations, assets and
infrastructure, or threat information?
26. Did you perform the vulnerability assessment in order to meet
other Federal requirements (such as grant eligibility) or other
standards? If so, please provide a description or source for those
requirements or standards.
27. How can other required assessments be used to satisfy TSA's
regulatory requirements? For example, how relevant are FRA emergency
preparedness requirements or other DOT-modal requirements? What
standards should TSA use to determine if that assessment meets TSA's
requirements?
28. How could TSA ensure a surface owner/operator is complying with
other regulatory requirements if it permits actions taken under those
requirements to satisfy a TSA regulation? For example, if a passenger
railroad is required to develop and implement emergency evacuation
planning under 49 CFR part 239 and wants to use that planning to
satisfy a requirement that may be in the final VASP rule, how would TSA
know whether the railroad is, in fact, complying with requirements
imposed by the FRA? The fact that the FRA has not penalized an owner/
operator for non-compliance is not a guarantee that the owner/operator
is complying with the FRA requirements.
29. What barriers and/or challenges to conducting this assessment
did you encounter?
V. Security Plans
Regulations imposing security plan requirements have a direct
impact on operations. Thus, any rulemaking effort must recognize that
measures beneficial to security may have a negative impact on
operations. The purpose of this ANPRM is to solicit the input and data
necessary for TSA to develop a proposed rule that ensures the level of
security intended by the 9/11 Act without having an unintended impact
on operations.
A. Identifying Performance Standards for Security Plans
For purposes of this ANPRM, TSA has grouped the 9/11 Act's specific
requirements for security plans into the following categories:
Results of security and vulnerability assessments and list
of capital and operational improvements necessary to address identified
vulnerabilities.
Specific procedures to be implemented or used to prevent
and detect unauthorized access to restricted areas designated by the
owner/operator.
Identification of measures to be implemented in response
to emergencies or periods of heightened security, including--
  - A coordinated response plan that establishes procedures for
    appropriate interaction with State, local, and tribal law enforcement
    agencies, emergency responders, and Federal officials in order to
    coordinate security measures and plans for response in the event of a
    terrorist threat, attack, or other transportation security-related
    incident;
  - Specific procedures to be implemented or used by the owner/
    operator in response to a terrorist attack, including evacuation and
    communication plans that include individuals with disabilities; and
  - Additional measures to be adopted to address weaknesses in
    incident management identified during reviews, drills, or exercises
    testing emergency response.
Identification of any redundant and backup systems that
the owner/operator will use to ensure the continuity of operations of
critical assets and infrastructure in the event of a terrorist attack
or other transportation security-related incident.
As previously noted in Table 2, there is a correlation between the
17 SAIs and the 9/11 Act's requirements. As with the security
assessment (covering security
[[Page 91414]]
systems and operations), the quantitative questions used in the BASE
could be used as a starting point for developing qualitative
performance standards for security plans.
For surface owner/operators that have security plans, TSA seeks
comments on the following questions:
30. Does your security plan address the issues discussed at the
beginning of this section?
31. Is your security plan site-specific, system or corporate-wide,
or both?
32. Did you use a vulnerability or similar assessment (BASE or
other) to develop a security plan? If not BASE, please describe the
assessment. If so, what is the process for incorporating the results
into your planning process and development of risk-reduction or
mitigation measures (or investment justifications for grant purposes)?
What levels of management are involved in reviewing the results of the
assessment and making decisions regarding security planning related to
those results?
33. How long did it take to develop the security plan? How many
individuals were involved in the planning process? Please provide
information on the time and personnel costs for those essential to the
planning process, including man-hours, permanent employee and/or
contractor cost, etc.
34. How frequently do you update your security plan? Do you have
internal requirements to update plans based on a schedule or changes to
operations, assets and infrastructure, or threat information?
35. Does your security plan exist in order to meet other Federal
requirements (such as grant eligibility) or other standards? If so,
please provide a description or source for those requirements or
standards.
36. How can other required plans be used to satisfy TSA regulatory
requirements? For example, how relevant are FRA emergency preparedness
requirements, PHMSA security plan requirements, and FTA's requirements?
What standards should TSA use to determine if those plans meet TSA's
requirements?
37. How could TSA ensure a surface owner/operator is in compliance
with other agency requirements if it permits those measures to satisfy
the requirements of TSA's regulation?
38. What barriers or challenges to developing and implementing a
security plan did you encounter?
B. Tools and Other Resources
TSA is considering modifying T-START to provide a resource to
owner/operators subject to the VASP regulations. As discussed in
section III.F of this ANPRM, T-START currently includes several modules
that cover the assessment and planning cycle for the highway mode. The
revised T-START would include modules consistent with requirements TSA
incorporates into a final VASP rule and be applicable to PTPR and
freight railroads, with modules that are relevant to the specific type
of operation. TSA would provide this tool at no cost to surface owner/
operators. For those not within the scope of applicability, T-START
would provide guidance to them for conducting assessments and
developing plans.\42\
---------------------------------------------------------------------------
\42\ The 9/11 Act requires TSA to provide guidance to owner/
operators not within the high-risk tier. See 9/11 Act secs.
1512(b)(1) and 1531(b)(1).
---------------------------------------------------------------------------
TSA seeks comments on the following questions:
39. Have you used T-START to conduct assessments or develop a
security plan?
40. What features of T-START or other resources or tools were most
useful?
41. Did the availability of T-START or other similar resources
reduce the time necessary to conduct assessments or develop security
plans? If so, please provide an estimate of the savings in time and
personnel.
42. What other types of information, tools, and/or technical
assistance could TSA provide to facilitate compliance with the VASP
regulation? If you identified barriers or challenges in conducting
vulnerability assessments or developing/implementing security plans in
response to questions 13, 29, and/or 38, please provide specific
suggestions on how TSA could provide information, tools, or other
technical assistance in overcoming those barriers and/or challenges.
43. If you have not used T-START, please describe the programs,
tools, or resources you have used.
44. Are there assessment/planning tools or resources that TSA
should consider as relevant for developing the VASP proposed rule? If
so, please provide names and sources.
C. Risk-Reduction or Mitigation Measures
As previously noted, the 9/11 Act specifies that security plans
must include results of security and vulnerability assessments and list
of capital and operational improvements necessary to address identified
vulnerabilities.
TSA seeks comments on the following questions:
45. What security measures have owner/operators implemented to
address weaknesses in either security of systems/operations or security
of critical assets relevant to the requirements of the 9/11 Act (for
example, measures to strengthen security of systems/operations and
equipment)?
Table 4--List of Possible Risk-Reduction or Mitigation Measures
------------------------------------------------------------------------
Cameras (please provide information on the brand, model, requirement, etc.). | Speakers (public address systems or emergency communication systems).
Employee background checks. | Access control (such as Jersey barriers, automated gates, etc.).
Lighting. | Dedicated law enforcement or other security personnel.
ID card reader/badging systems. | Signage.
Screening technologies (such as metal detectors, random baggage checks, etc.). | Intrusion detection systems.
Canine teams. | Other (specify measure).
------------------------------------------------------------------------
46. What data can you provide on the cost of purchase,
implementation, and on-going maintenance of these measures, as
appropriate? If possible, for each of the types of possible risk-
reduction or mitigation measures identified in Table 4, please provide
information on--
(a) Whether the company has installed this type of measure;
(b) How does the company use this measure (is it used randomly, in
specific locations based on risk, or system-wide); and
(c) What are the costs associated with implementing this measure
(purchase cost, installation, on-going maintenance, replacement,
monitoring, etc.)?
47. Do your security measures include provisions for adding
contracted security services in the event of elevated alert levels?
48. For those that have implemented security measures, can you
provide data regarding implementation schedules (time between
identification of the need, commitment to addressing it as part of
planning, and actual full implementation or installation)?
49. What data sources are available for identifying industry
standards relevant to implementation of risk-reduction or mitigation
measures?
[[Page 91415]]
VI. Drills and Exercises
The 9/11 Act includes ``[l]ive situational training exercises . .
.'' as a program element of the Security Training NPRM.\43\ TSA decided
not to include this requirement in the Security Training NPRM because
it is inconsistent with the DHS methodology for exercises. The Homeland
Security Exercise and Evaluation Program (HSEEP)--an exercise support
program that focuses on the need to test planning and preparedness--
focuses on the need to test effectiveness of the overall plan. By
testing planning and preparedness, the drills and/or exercises reveal
any weaknesses in training. Furthermore, the HSEEP does not require
every exercise to be full-scale, live, and situational in order to be
an effective test of the security plan. Many resources and methods are
available to test the effectiveness of the plan and the preparedness of
the organization and its employees to implement it other than full-
scale, live, situational exercises. These range from seminars and
workshops to basic or advanced tabletop exercises.
---------------------------------------------------------------------------
\43\ See secs. 1408(c)(7) (public transportation), 1517(c)(8)
(freight rail), and 1534(c)(8) (OTRB).
---------------------------------------------------------------------------
TSA is also concerned that a requirement to conduct live,
situational exercises would impose a regulatory burden that owner/
operators could not meet because they do not control all of the
resources necessary for a live situational exercise, such as first
responders, medical support, and other local and State government
participation.
TSA seeks comments on the following questions:
50. To what extent do you have access to EXIS or other resources
for conducting drills and/or exercises?
51. Have you participated in an I-STEP exercise?
52. Have you used EXIS as a resource for conducting drills and/or
exercises?
53. If not through I-STEP or EXIS, how often do you conduct or
participate in drills and/or exercises, what job positions participate,
and what are the costs (development, implementation, after-action
analysis, and reports)?
54. Based upon your experience with drills and exercises, are they
an adequate method for assessing effectiveness of employee training, or
are additional assessment tools needed for assessments?
55. Based on your experience, what are the most effective types of
drills and/or exercises for testing preparedness, including identifying
weaknesses in training?
56. Do you regularly use ``after action reports'' to modify
security measures and procedures or make other operational or capital
changes to improve security?
VII. Updates
The 9/11 Act specifies that owner/operators must update assessments
and security plans on a regular basis. For public transportation, the
9/11 Act stipulates annual updates, including updates to assessments,
improvement priorities, and security plans as appropriate. Eligibility
for funding under the TSGP requires: (1) An assessment within three
years before the request for funding, and (2) all requests for funding
must be consistent with addressing vulnerabilities identified in that
assessment. For railroads and OTRB owner/operators, the 9/11 Act
requires updates to the assessment no later than three years after
initial approval of the assessments or plans required in the regulation
and at least once every five years after that date.
In a provision applicable to all aspects of the regulatory security
program, the Security Training NPRM proposes requiring surface owner/
operators to request amendments to their programs (training,
assessment, or planning) whenever there are changes to their
operations, measures, training, or staffing. TSA would also be able to
require updates if, for example, new threat information indicates the
necessity of review and modification of security measures. TSA also
anticipates the necessity for updates if there are significant changes
to operations or assets, such as expanding operations, changes to
routes, or modifications to hazardous materials designated as high-risk
for transport.
TSA requests comments on the following questions:
57. How often do surface owner/operators update their assessments
(either security systems/operations or critical assets)? Please include
in your response information on the time and personnel costs for those
essential to the updating process, such as man-hours, permanent
employees or contractor cost, etc.
58. How frequently do these updates of assessments require changes
to emergency response, safety, or security plans? If there are changes
required, what types of changes do you typically make?
59. Are these updates required by other Federal or State
regulations? If so, please provide a citation and any other relevant
information regarding the requirement.
VIII. Accountable Executive
Every transportation system, whether plane, train, or bus, must
make decisions for budgeting, allocating funds, and planning for the
future. Recognizing the diversity of business organization and
ownership represented by the scope of this rulemaking, TSA anticipates
the need to identify a decision-maker who has responsibility over
the process for approving assessments and plans within the context of
making decisions regarding organization, operations, and allocation of
resources. This ``accountable executive,'' and any relevant boards or
equivalent entities with which this individual may work, needs to have
awareness of the risks (threats, vulnerabilities, and potential
consequences) relevant to its security systems/operations and critical
assets. Having responsibility to approve assessments submitted to TSA
ensures this information can be used as part of informed, deliberate,
and transparent decisions regarding the commitments made in the
security plan.
Based on a review of how the term ``accountable executive'' is
defined within various business contexts, TSA anticipates defining the
term as a person responsible for implementation and security-related
decisions, including allocation of corporate resources related to
security. The ``accountable executive'' should be a single,
identifiable person who has ultimate responsibility for the owner/
operator's compliance with the security plan requirements, including
obtaining written validation that the plan has been reviewed and
approved by senior management (board of directors or equivalent
entity). TSA also expects that this person will serve as the primary
point of contact for TSA during the review and approval process of the
security plan.
TSA seeks comment on the following questions:
60. Should the ``accountable executive'' be a chief executive
officer or equivalent rather than an executive designated for this
purpose?
61. For entities within the applicability proposed in the Security
Training NPRM, do you have an accountable executive? What level is this
person within the corporate structure? What other responsibilities does
this person have? Do you have some other process for ensuring senior
management is made aware of the results of the assessment, approves its
transmittal to TSA, and approves the security plan?
IX. Considerations for Small Owner/Operators
While TSA recognizes the administrative burden on small owner/
operators,\44\ the statute requires TSA to apply the requirements based
on risk, not size of the operations. As a result, small PTPR systems
that feed into larger systems covered by the applicability could be
required to conduct assessments, develop a security plan, and implement
related security measures. Similarly, the requirements could affect
small OTRB owner/operators.
---------------------------------------------------------------------------
\44\ The Small Business Administration (SBA) sets a threshold of
$15.0 million in annual receipts for bus systems and mixed-mode
transit systems, and 1,500 employees for short line railroads. See
13 CFR 121.201.
---------------------------------------------------------------------------
TSA anticipates that owner/operators of larger systems or fleets
would develop an organization-wide approach for their assessments and
plans, addressing different perspectives of operations, safety,
planning, engineering, budget, and information technology along with
the need to enhance and sustain security. TSA is considering whether
owner/operators of smaller systems or operations would need to take a
simpler approach in developing an assessment and plan and implementing
security measures. If so, the regulation would need to consider whether
owner/operators of smaller systems or operations could use information that
is already largely on-hand or readily available to meet the same
performance standards applied to larger companies.
TSA seeks comments on the following questions:
62. As TSA has determined that the higher risk is associated with
where the transportation occurs, not size of the company providing the
transportation, what options are there for minimizing the burden on
small owner/operators without reducing the intended security benefit?
63. How should the VASP requirements apply to owner/operators who
rely on the security of an asset or infrastructure owned by a third
party?
64. What are the barriers for surface owner/operators with a
smaller scope of operation--other than costs--to develop and implement
a more comprehensive security program or plan with specific security
measures, training, and assets?
65. How can TSA ensure consistent application of the standards or
performance criteria of its rulemaking in light of the dynamic
population to which the requirements would apply--large, small,
publicly owned, small budgets, large tax-based budgets, etc.?
X. Estimating the Benefits and Cost of Requirements
Executive Orders 12866 and 13563 direct agencies to propose or
adopt a regulation only upon a reasoned determination that its benefits
justify its costs, tailor a regulation to impose the least burden on
society consistent with obtaining the regulatory objectives, and in
choosing among alternative regulatory approaches, select those
approaches that maximize net benefits.
Consistent with the requirements in these executive orders, TSA
seeks comment on the following questions:
66. For those who are already conducting vulnerability assessments
and developing/implementing security plans, what are the security
benefits? What would be the security benefits of a consistent, national
standard for VASP?
67. TSA seeks information from the public in order to assist it in
assessing the cost of alternative regulatory approaches for
implementing the VASP regulations. For example, for commenters who
suggest that TSA consider adopting certain security performance
criteria or objective standards for measuring the security of assets
and infrastructure or security systems/operations, what information do
you have to assist TSA in assessing the incremental cost of adopting
your suggestion? TSA is interested in information to assist it in
assessing the full cost of the suggestion, such as the cost for owner/
operators to collect and assess information and the cost to take action
based on the information.
68. Likewise, TSA seeks information from the public to assist TSA
in assessing the potential benefits of alternative regulatory
approaches for implementing the VASP regulations. For example, for
commenters who suggest that TSA consider adopting certain security
performance criteria or objective standards for measuring the security
of assets and infrastructure or security systems/operations, what
information do you have to assist TSA in assessing the incremental
benefit \45\ from adopting your suggestion?
---------------------------------------------------------------------------
\45\ When requesting the assessment of an incremental benefit,
TSA is referring to the additional benefits of the alternative the
commenter is proposing compared to what TSA is proposing and
compared to not taking any action at all.
---------------------------------------------------------------------------
69. What resources (for example, people, Web sites, organizations,
companies) could be useful if TSA has difficulty obtaining accurate and
timely data on public transportation systems, railroads, or OTRB modes
necessary for developing a valid estimate of potential costs for
compliance with a proposed VASP regulation? TSA specifically seeks data
on employee wages, cost of equipment, and population data on companies
within an industry or transportation mode.
XI. Next Steps and Public Participation
This ANPRM seeks input from the public on these topics to ensure
that the NPRM to follow addresses all relevant information, provides
the explanations necessary to understand the proposed requirements, and
appropriately estimates costs. It is important that freight railroad,
PTPR, and OTRB owner/operators, other organizations, as well as
interested members of the public potentially affected by a final rule,
take this opportunity to share thoughts, concerns, ideas, and general
comments on the topics presented.
After TSA reviews the comments collected through this ANPRM, TSA
will prepare and publish an NPRM that reflects TSA's analysis of the
statutory requirements and relevant issues, as well as comments
received from the public through this ANPRM. Once TSA publishes the
NPRM, stakeholders and the public will have another opportunity to
provide comments that TSA will take into consideration before issuing a
final rule.
Dated: November 18, 2016.
Huban A. Gowadia,
Deputy Administrator.
[FR Doc. 2016-28300 Filed 12-15-16; 8:45 am]