[Federal Register Volume 85, Number 56 (Monday, March 23, 2020)]
[Rules and Regulations]
[Pages 16456-16517]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-05126]



Part II





Department of Homeland Security





-----------------------------------------------------------------------





Transportation Security Administration





-----------------------------------------------------------------------





49 CFR Parts 1500, 1520, et al.





Security Training for Surface Transportation Employees; Final Rule



-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Transportation Security Administration

49 CFR Parts 1500, 1520, 1570, 1580, 1582, and 1584

[Docket No. TSA-2015-0001]
RIN 1652-AA55


Security Training for Surface Transportation Employees

AGENCY: Transportation Security Administration, DHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Transportation Security Administration (TSA) is requiring 
owner/operators of higher-risk freight railroad carriers, public 
transportation agencies (including rail mass transit and bus systems), 
passenger railroad carriers, and over-the-road bus companies, to 
provide TSA-approved security training to employees performing 
security-sensitive functions. The training curriculum must teach 
employees how to observe, assess, and respond to terrorist-related 
threats and/or incidents. Additionally, TSA is expanding its 
requirements for security coordinators and reporting of significant 
security concerns (currently limited to rail operations) to include bus 
operations within the scope of the regulation's applicability. TSA is 
amending other provisions of its regulations, as necessary, to 
implement these requirements.

DATES: 
    Effective date: This rule is effective June 22, 2020.
    Compliance date: In general, compliance schedules are indicated in 
this rule. The requirements in 49 CFR 1570.201 must be met no later 
than July 29, 2020.

FOR FURTHER INFORMATION CONTACT: Harry Schultz (TSA, Security Policy 
and Industry Engagement, Surface Division) or David Kasminoff (TSA, 
Senior Counsel, Regulations and Security Standards) at telephone (571) 
227-5563, or email to [email protected].

SUPPLEMENTARY INFORMATION:

Availability of Rulemaking Document

    An electronic copy can be obtained using the internet by--
    (1) Searching the electronic Federal Docket Management System 
(FDMS) web page at http://www.regulations.gov;
    (2) Accessing the Government Printing Office's web page at http://www.gpo.gov/fdsys/browse/collection.action?collectionCode=FR to view 
the daily published Federal Register edition; or accessing the ``Search 
the Federal Register by Citation'' in the ``Related Resources'' column 
on the left, if you need to do a Simple or Advanced search for 
information, such as a type of document that crosses multiple agencies 
or dates.
    In addition, copies are available by writing or calling the 
individual in the FOR FURTHER INFORMATION CONTACT section. Make sure to 
identify the docket number of this rulemaking.

Small Entity Inquiries

    The Small Business Regulatory Enforcement Fairness Act (SBREFA) of 
1996 requires TSA to comply with small entity requests for information 
and advice about compliance with statutes and regulations within TSA's 
jurisdiction.\1\ Any small entity that has a question regarding this 
document may contact the person listed in the FOR FURTHER INFORMATION 
CONTACT section. Persons can obtain further information regarding 
SBREFA on the Small Business Administration's web page at https://www.sba.gov/category/advocacy-navigation-structure/regulatory-policy/regulatory-flexibility-act/sbrefa.
---------------------------------------------------------------------------

    \1\ Public Law 104-121, 110 Stat. 857 (Mar. 29, 1996).
---------------------------------------------------------------------------

Abbreviations and Terms Used in This Document

Amtrak--National Railroad Passenger Corporation
APTA--American Public Transportation Association
CDL--Commercial Driver's License
DHS--Department of Homeland Security
DOT--Department of Transportation
FRA--Federal Railroad Administration
FTA--Federal Transit Administration
GAO--U.S. Government Accountability Office
HSA--Homeland Security Act of 2002
HTUA--High Threat Urban Area
IED--Improvised Explosive Device
MOU--Memorandum of Understanding
NSI--Nationwide Suspicious Activity Reporting (SAR) Initiative
OMB--Office of Management and Budget
OSHA--Occupational Health and Safety Administration
OTRB--Over-the-Road Bus
PHMSA--Pipeline and Hazardous Materials Safety Administration
PRA--Paperwork Reduction Act of 1995
PTPR--Public Transportation and Passenger Railroads
RFA--Regulatory Flexibility Act of 1980
RIA--Regulatory Impact Analysis
RSC--Rail Security Coordinator
RSSM--Rail Security-Sensitive Material
SBA--Small Business Administration
SBREFA--Small Business Regulatory Enforcement Fairness Act of 1996
SSI--Sensitive Security Information
TSA--Transportation Security Administration
TSSM--Transportation Security-Sensitive Material
UASI--Urban Area Security Initiative
UMRA--Unfunded Mandates Reform Act of 1995
VBIED--Vehicle-Borne Improvised Explosive Device

Table of Contents

I. Executive Summary and Background
    A. Statutory Mandate
    B. Benefits of Requiring Security Training
    C. Costs of This Final Rule
    D. Organization of This Final Rule
II. Security Program Requirements
    A. Who must provide security training?
    1. Freight Railroads (Sec.  1580.101)
    2. Public Transportation and Passenger Railroads (Sec.  
1582.101)
    3. Over-the-Road Buses (Sec.  1584.101)
    4. Impact on Certain Business Operations
    B. Who is responsible for determining whether a specific owner/
operator is subject to the requirements of the rule (applicability 
determinations)? (Sec.  1570.105)
    C. Which employees must receive security training? (Sec. Sec.  
1580.115(a), 1582.115(a) and 1584.115(a))
    D. How does an owner/operator determine if someone is a 
security-sensitive employee? (Sec. Sec.  1580.3, 1582.3, and 1584.3)
    E. Can untrained security-sensitive employees perform security-
sensitive functions? (Sec. Sec.  1580.115(b), 1582.115(b), and 
1584.115(b))
    F. What topics must be included in the security training? 
(Sec. Sec.  1580.115(c)-(f), 1582.115(c)-(f), and 1584.115(c)-(f))
    G. Who will provide the security training curriculum? 
(Sec. Sec.  1580.113, 1582.113, and 1584.113)
    H. Can owner/operators use pre-existing material or other third-
party material? (Sec.  1570.103)
    I. How do these requirements relate to other security training 
required by other Federal or State agencies? (Sec. Sec.  
1580.115(c), 1582.115(c), and 1584.115(c))
    J. What is the required schedule for providing training? (Sec.  
1570.111)
    1. Initial Training (Sec.  1570.111(a))
    2. Recurrent Training (Sec.  1570.111(b))
    3. Previous Training (Sec.  1570.107)
    K. Do employees have to pass a test? (Sec. Sec.  
1580.113(b)(9), 1582.113(b)(9), and 1584.113(b)(9))
III. Operational Requirements (Subpart D)
    A. Security Coordinator Requirements (Sec.  1570.201)
    B. Requirement To Report Security Concerns (Sec.  1570.203)
    C. Methods for Reporting Information and Substance of 
Information Provided (Sec.  1570.203 (a) and (c))
IV. Security Program Procedures
    A. Deadlines Related to Submission and Approval of Security 
Training Program
    B. Amendments
    1. Amendments Initiated by Owner/Operator (Sec.  1570.113)
    2. Amendments Initiated by TSA (Sec.  1570.115)
    C. Alternative Measures (Sec.  1570.117)
    D. Petitions for Reconsideration (Sec.  1570.119)
    E. Recordkeeping Requirements (Sec.  1570.121)
    F. Summary of Deadlines
V. Miscellaneous Changes
    A. Amendments to Part 1500
    B. Amendments to Part 1503
    C. Amendments to Part 1520
    D. Amendments to Part 1570
    1. Security Responsibilities for Employees and Other Persons 
(Sec.  1570.7)
    2. Compliance, Inspection, and Enforcement (Sec.  1570.9)
    3. ``Covered Person'' (Sec.  1570.305)
VI. Summary of Changes
VII. Response to Comments on NPRM
    A. General Comments
    1. Need for Rule
    2. Cost of Rule
    3. Stakeholder Consultation
    4. Terms
    B. Investigative and Enforcement Procedures
    C. Part 1570--General Rules
    1. Terms Used in This Subchapter (Sec.  1570.3)
    2. Recognition of Prior or Established Security Measures or 
Programs (Sec.  1570.7)
    3. Submission and Approval (Sec.  1570.109)
    4. Implementation Schedule (Sec.  1570.111)
    5. Recordkeeping and Availability (Sec.  1570.121)
    6. Security Coordinator (Sec.  1570.201)
    7. Reporting Significant Security Concerns (Sec.  1570.203)
    D. Subpart B--Security Programs
    1. Security Training Program General Requirements (Sec. Sec.  
1580.113, 1582.113, and 1584.113)
    2. Security Training and Knowledge for Security-Sensitive 
Employees (Sec. Sec.  1580.115, 1582.115, and 1584.115)
    E. Freight Rail Specific Issues
    1. Applicability of Security Training Requirements (Sec.  
1580.101)
    2. Chain of Custody and Control Requirements (Sec.  1580.205)
    F. Public Transportation and Passenger Railroad Specific Issues
    G. OTRB Specific Issues
    1. Definition of Security-Sensitive Employees (Sec.  1584.3 and 
Appendix B to Part 1584)
    2. Applicability (Sec.  1584.101)
    H. Comments Beyond Scope of Rulemaking
VIII. Rulemaking Analyses and Notices
    A. Paperwork Reduction Act
    B. Economic Impact Analyses
    1. Regulatory Impact Analysis Summary
    2. Executive Orders 12866, 13563, and 13711 Assessments
    3. OMB A-4 Statement
    4. Alternatives Considered
    5. Regulatory Flexibility Assessment
    6. International Trade Impact Assessment
    7. Unfunded Mandates Assessment
    C. Executive Order 13132, Federalism
    D. Environmental Analysis
    E. Energy Impact Analysis

I. Executive Summary and Background

A. Statutory Mandate

    Following the attacks of September 11, 2001, Congress created TSA 
under the Aviation and Transportation Security Act (ATSA) and 
established the agency's primary Federal role to enhance security for 
all modes of transportation.\2\ The scope of TSA's authority includes 
assessing security risks, developing security measures to address 
identified risks, and enforcing compliance with these measures.\3\ TSA 
also has broad regulatory authority to issue, rescind, and revise 
regulations as necessary to carry out its transportation security 
functions.\4\
---------------------------------------------------------------------------

    \2\ Public Law 107-71, 115 Stat. 597 (Nov. 19, 2001). ATSA 
created TSA as a component of the Department of Transportation 
(DOT). Section 403(2) of the Homeland Security Act of 2002 (HSA), 
Public Law 107-296, 116 Stat. 2135 (Nov. 25, 2002), transferred all 
functions related to transportation security, including those of the 
Secretary of Transportation and the Under Secretary of 
Transportation for Security, to the Secretary of Homeland Security. 
Pursuant to DHS Delegation Number 7060.2, the Secretary delegated to 
the Administrator, subject to the Secretary's guidance and control, 
the authority vested in the Secretary with respect to TSA, including 
the authority in sec. 403(2) of the HSA.
    \3\ See 49 U.S.C. 114, which codified section 101 of ATSA.
    \4\ 49 U.S.C. 114(l)(1).
---------------------------------------------------------------------------

    As part of the Implementing Recommendations of the 9/11 Commission 
Act of 2007 (9/11 Act),\5\ Congress mandated regulations to enhance 
surface transportation security through security training of frontline 
employees. The mandate includes prescriptive requirements for who must 
be trained, what the training must encompass, and how to submit and 
obtain approval for a training program.\6\ The 9/11 Act also mandates 
regulations requiring higher-risk railroads and over-the-road buses 
(OTRBs) to appoint security coordinators.\7\ In addition to 
implementing these provisions, this final rule also addresses a mandate 
to define Transportation Security-Sensitive Materials.\8\
---------------------------------------------------------------------------

    \5\ Public Law 110-53, 121 Stat. 266 (Aug. 3, 2007).
    \6\ See secs. 1408, 1517, and 1534 of the 9/11 Act, codified at 
6 U.S.C. 1137, 1167, and 1184, respectively.
    \7\ See secs. 1512 and 1531 of the 9/11 Act, codified at 6 
U.S.C. 1162 and 1181, respectively. TSA addresses 1512(e)(1)(A) and 
1531(e)(1)(A) in this rulemaking. TSA intends to address the other 
regulatory requirements of these provisions in separate rulemakings.
    \8\ See sec. 1501 of the 9/11 Act, codified at 6 U.S.C. 1151.
---------------------------------------------------------------------------

B. Benefits of Requiring Security Training

    TSA is issuing this rule pursuant to its authority and 
responsibility over the security of the nation's transportation 
systems. TSA fulfills its transportation security mission in 
partnership with its industry and government stakeholders. As noted in 
the 2018 National Strategy for Counterterrorism in the United States:

    The critical infrastructure of the United States--much of which 
is privately owned--provides the essential goods and services that 
drive American prosperity. Coordinated efforts are, therefore, 
necessary to strengthen and maintain secure and resilient critical 
infrastructure and to prepare Americans to respond appropriately 
should an attack occur. By integrating and improving preparedness 
across all levels of government as well as the private and public 
sectors, we will stop terrorists from undermining our security and 
prosperity.\9\
---------------------------------------------------------------------------

    \9\ See The White House, National Strategy for Counterterrorism 
in the United States, at 19 (Oct. 2018), available at https://www.dni.gov/files/NCTC/documents/news_documents/NSCT.pdf (last 
accessed Nov. 26, 2018) (National Strategy).
---------------------------------------------------------------------------

    Consistent with this strategy, the purpose of this rule is to 
solidify the baseline of security for higher-risk surface 
transportation operations by improving and sustaining the preparedness 
of surface transportation employees in higher-risk operations, 
including their critical capability to observe, assess, and respond to 
security risks and potential security breaches within their unique 
working environment. In developing this rulemaking, TSA recognizes 
private sector capabilities, voluntary initiatives, and other Federal 
requirements to raise security within distinct surface transportation 
operations. By integrating these efforts, setting a national standard 
for surface transportation employee security training, and ensuring 
this training is sustained across higher-risk operations, this rule 
promotes national security in alignment with the intent of the 9/11 Act 
and the National Strategy.
    The rule accomplishes this purpose by requiring higher-risk public 
transportation systems, railroad carriers (passenger and freight), and 
OTRB owner/operators to prepare and train their employees performing 
security-sensitive job functions. Through security training, employees 
will have the capability to identify, report, and appropriately react 
to suspicious activity, suspicious items, dangerous substances, and 
security incidents that may be associated with terrorist 
reconnaissance, preparation, or action. TSA believes this training may 
be the critical point for preventing a terrorist act and mitigating the 
consequences.
    In order to ensure effective communication regarding threats (both 
to regulated parties and from regulated parties), TSA is also expanding 
applicability of current requirements for rail operations to have 
security coordinators and report security incidents to TSA. With this 
rulemaking, the applicability for this requirement is expanded to include any 
owner/operator required to provide security training. Requiring higher-
risk owner/operators to have security coordinators and report 
significant security concerns to TSA will enhance TSA's ability to 
recognize trends and communicate directly with individuals within 
higher-risk operations that have direct responsibility for security.

C. Costs of This Final Rule

    Table 1 identifies TSA's estimates for the overall cost of this 
rule.

                       Table 1--Cost of Final Rule
------------------------------------------------------------------------
                                              Estimated costs (over 10
                                               years, discounted at 7
                                                      percent)
------------------------------------------------------------------------
Freight Railroads.........................  $25.09 million.
Public Transportation and Passenger         17.12 million.
 Railroads (PTPRs).
OTRBs.....................................  8.06 million.
TSA.......................................  2.03 million.
                                           -----------------------------
    Total.................................  52.30 million.
------------------------------------------------------------------------

D. Organization of This Final Rule

    Subchapter D of chapter XII of title 49, ``Maritime and Surface 
Transportation Security'' \10\ (Subchapter D), includes security 
program requirements for surface transportation, including the 
requirements in this final rule. Before this final rule, Subchapter D 
included requirements relevant to two vetting programs (the 
Transportation Worker Identification Credential (TWIC) and Hazmat 
Material Endorsement (HME)), as well as certain rail security 
requirements, including chain of custody for Rail Security-Sensitive 
Materials (RSSM), appointment of security coordinators, and reporting 
security issues.
---------------------------------------------------------------------------

    \10\ TSA is modifying the title of this subchapter, changing it 
from ``Maritime and Land Transportation Security'' to ``Maritime and 
Surface Transportation Security.''
---------------------------------------------------------------------------

    This final rule (1) adds requirements for security training for 
certain surface transportation owner/operators; (2) expands 
applicability of the security coordinator and reporting security issue 
requirements to include higher-risk bus operations; and (3) adds other 
miscellaneous provisions necessary for implementation of a new 
regulatory program.
    To incorporate these new elements, TSA is organizing Subchapter D 
as follows.
     Part 1570 is divided into four subparts: (1) Subpart A 
includes requirements generally applicable to all aspects of subchapter 
D; (2) subpart B includes security program requirements consistently 
relevant to multiple modes; (3) subpart C includes operational 
requirements consistently applicable to multiple modes; and (4) subpart 
D moves and consolidates general provisions related to security threat 
assessments (STAs) which are more specifically addressed in part 1572. 
As noted below, mode-specific requirements are contained in subsequent 
parts.
     Part 1580 is modified to limit requirements applicable to 
rail security. This part includes operational requirements unique to 
freight railroads and rail hazardous materials shippers/receivers (such 
as chain of custody) \11\ and modal-specific security training 
requirements for freight railroads. The requirements for appointment of 
security coordinators and reporting security issues are moved to part 
1570 and several definitions are moved to part 1500.
---------------------------------------------------------------------------

    \11\ See Rail Transportation Security Final Rule (Rail Security 
Rule), 73 FR 72130, (Nov. 26, 2008).
---------------------------------------------------------------------------

     Part 1582, a new part entitled ``Public Transportation and 
Passenger Railroad Security,'' includes modal-specific security 
training requirements for public transportation system and passenger 
railroads (PTPR). The requirements for appointment of security 
coordinators and reporting security issues applicable to PTPR rail 
operations are moved to part 1570 and several definitions are moved to 
part 1500.
     Part 1584, a new part entitled, ``Highway and Motor 
Carrier Security,'' includes modal-specific security training 
requirements for OTRB owner/operators.
    Owner/operators subject to the requirements of this final rule will 
need to address the requirements in part 1570 as well as the 
requirements applicable to their respective mode in parts 1582 through 
1584. Sections II through IV, which follow, provide a comprehensive 
discussion of these requirements as they will be implemented, rather 
than a sequential section-by-section analysis. Section II addresses 
general programmatic requirements, including: Applicability 
determinations, which employees must be trained, content of training, 
and the required training schedule. Section III discusses operational 
requirements, such as the requirement for security coordinators and 
reporting of security incidents. Section IV provides the procedural 
requirements for submission and approval of a security training 
program, amendments to the program, and recordkeeping requirements. 
This section also includes a table that summarizes the compliance 
deadlines owner/operators must meet. Section V discusses other 
revisions to TSA's regulations that result from adding these new 
requirements to Subchapter D.\12\
---------------------------------------------------------------------------

    \12\ The discussion does not address provisions that are moved, 
as discussed above, but not modified.
---------------------------------------------------------------------------

    This final rule includes TSA's responses to comments received on 
the NPRM. Section VI includes a chart summarizing the minimal changes 
between the NPRM and final rule. Section VII provides TSA's responses 
to comments on the NPRM.
    Section VIII includes the rulemaking analysis and notices. This 
analysis includes any changes in the impact estimates between the NPRM 
and the final rule and the basis for those changes.

II. Security Program Requirements

A. Who must provide security training?

    Consistent with TSA's commitment to a risk-based approach to 
transportation security, the requirements of this rule only apply to 
higher-risk operations. A higher-risk operation is one that meets the 
criteria in Sec. Sec.  1580.101 (freight railroads), 1582.101 (PTPR), 
and 1584.101 (OTRB). These criteria are used to identify operations 
with a relatively higher risk of being targeted or used by terrorists. 
While there are approximately 10,000 surface transportation operations, 
approximately 300 of them currently meet the criteria.\13\
---------------------------------------------------------------------------

    \13\ A full discussion of TSA's analysis and considerations in 
making its determination and developing the applicability criteria 
can be found in the NPRM. See 81 FR at 91355 et seq. (section III.F. 
of the NPRM).
---------------------------------------------------------------------------

    While the requirements of this rule are limited to higher-risk 
operations, TSA encourages all owner/operators to consider implementing 
the security training program required by this rule, modified and 
adapted to their operations, as appropriate. TSA will ensure resources 
developed for regulated owner/operators, such as TSA-created training 
materials, are available to owner/operators of non-higher-risk 
operations who are committed to enhancing security through improving 
the security awareness of employees.
    TSA's applicability criteria for freight railroads, PTPR, OTRB, and 
certain business operations are as follows.
1. Freight Railroads (Sec.  1580.101)
    A freight railroad owner/operator must provide security training if 
it is: (a) designated as Class I; \14\ (b) transports RSSM in one or more of the 
areas listed in current Appendix A to 49 CFR part 1580; \15\ and/or (c) 
hosts a higher-risk rail operation (including freight railroads and the 
intercity or commuter systems identified in Sec.  1582.101). The 
flowchart in Figure 1 summarizes when a freight railroad owner/operator 
must provide security training and when this training is recommended by 
TSA. TSA estimates the requirements of this rule currently apply to 33 
freight railroads.
---------------------------------------------------------------------------

    \14\ The Surface Transportation Board defines a Class I railroad 
as one with annual operating revenue in excess of $447,621,226 
(adjusted for inflation).
    \15\ See Sec.  1580.3 for definition of RSSM.
---------------------------------------------------------------------------

[GRAPHIC] [TIFF OMITTED] TR23MR20.000

2. Public Transportation and Passenger Railroads (Sec.  1582.101)
    A public transportation agency or passenger railroad must provide 
security training if it is (a) one of the 46 identified PTPR systems 
listed in 49 CFR part 1582, Appendix A; (b) Amtrak; or (c) hosts a 
higher-risk freight railroad. DHS consistently identifies the eight 
regions where the 46 systems operate as having the highest transit-
specific risk. Applying the rule's requirements to these systems 
corresponds to providing enhanced security for more than 80 percent of 
all PTPR passengers.
3. Over-the-Road Buses (Sec.  1584.101)
    An OTRB owner/operator must provide security training if it 
provides fixed-route service to, through, or from any of ten areas 
identified in 49 CFR part 1584, Appendix A. These ten areas receive the 
highest funding allocation under the FY 2018 Urban Area Security 
Initiative (UASI) grant program (87 percent of the total available 
funding).\16\ TSA estimates that this rule will apply to approximately 
205 OTRB owner/operators.
---------------------------------------------------------------------------

    \16\ UASI funds are allocated based on a risk methodology 
employed by DHS and the Federal Emergency Management Agency (FEMA). 
For the list of UASI allocations for the FY 2018 UASI grant program, 
which is administered by FEMA as part of the larger Homeland 
Security Grant Program, see the FY 2018 Homeland Security Grant 
Program Notice of Funding Opportunity, Appendix A at https://www.fema.gov/media-library-data/1526578809767-7f08f471f36d22b2c0d8afb848048c96/FY_2018_HSGP_NOFO_FINAL_508.pdf.
---------------------------------------------------------------------------

    The determining factor for whether a fixed-route OTRB owner/
operator is within the scope of the rule is not where they are 
headquartered, but where they provide service. In deciding to rely on 
where the owner/operator provides service, rather than corporate 
headquarters locations, TSA considered factors that could make an OTRB 
a potential target for a terrorist attack, including (1) its visibility 
(the size of its operations); (2) the extent to which its schedule is 
publicly available; (3) whether or not it is relatively easy for 
unknown individuals to board the bus; and (4) whether the bus will have 
ease of access to high-consequence locations.
    TSA is aware that some private companies provide commuter services 
that may trigger applicability of the rule. Figure 2 provides a 
flowchart to assist companies with determining if the security training 
requirements apply.

[GRAPHIC] [TIFF OMITTED] TR23MR20.001

4. Impact on Certain Business Operations
    Parent corporations and subsidiaries. While the criteria for 
higher-risk determinations presume similarities for operations within 
each mode,\17\ TSA recognizes there are other considerations that could 
affect applicability, particularly related to subsidiaries. As 
discussed in section III.F of the NPRM,\18\ TSA is limiting the 
requirements to the level of the subsidiary whose operations fit the 
applicability criteria identified in the rule.
---------------------------------------------------------------------------

    \17\ See discussion on applicability at 81 FR 91355 et seq. 
(sec. III.F. of NPRM).
    \18\ 81 FR at 91355.
---------------------------------------------------------------------------

    During the review and approval process of the security training 
program, TSA will work with owner/operators to address any compliance 
issues based on corporate structure. For example, owner/operator A may 
be organized to make each regional area a separate subsidiary. As such, 
only the subsidiary that meets the applicability requirements must 
develop a security training program. Owner/operator B may be a single 
entity for purposes of corporate-legal structure with branches, rather 
than subsidiaries, providing service on specific routes. Under this 
rule, the entire corporation is subject to the requirements based on 
the operations of one route. In this situation, owner/operator B could 
choose to submit a proposed alternative to limit application of the 
requirements to branches and a handful of headquarters or other 
regional employees that provide operational support. The submission 
requirements and procedures for requesting alternative measures are 
discussed in section IV.
    Foreign owner/operators. While the applicability provisions for 
security training do not specifically reference foreign owner/
operators, the requirements apply to employees performing a security-
sensitive function ``. . . in the United States or in direct support of 
the common carriage of persons or property between a place in the 
United States and any place outside the United States.'' Therefore, the 
training requirements of this rule apply to both domestic owner/
operators and foreign owner/operators with employees performing covered 
functions within the United States or in support of operations within 
the United States. For example, the rule may apply to a Canadian OTRB 
owner/operator offering fixed-route service that begins at a point in 
Canada and transits through an area identified in part 1584, Appendix A 
before concluding at a point in Mexico. Even if only one employee (for 
example, the driver) performs a security-sensitive function while 
physically in the United States, applicability is triggered by the 
route. The Canadian OTRB owner/operator would be required to have a 
security training program and provide the required training to the 
driver and any other employee performing a security-sensitive function 
that supports the operations transiting through higher-risk regions in 
the United States (such as individuals providing maintenance or 
inspection services and dispatch information applicable to the covered 
route). Once applicability is triggered, it is irrelevant where the 
OTRB owner/operator's company is located or where the function is being 
performed (whether the employee is performing the security-sensitive 
function at a location in Canada or along the route in the United 
States).
    In addition, while foreign owner/operators providing service in the 
United States are required to have a security coordinator and 
alternate, foreign owner/operators are only required to report 
potential threats and significant security concerns for operations in 
the United States or transportation to, from, or within the United 
States. A similar requirement currently applies to foreign freight 
railroad owner/operators under 49 CFR part 1580. This approach is also 
consistent with that taken by the Federal Railroad Administration 
(FRA).
    Hosting relationships. TSA recognizes that joint operations are 
common within the rail industry and include agreements

[[Page 16461]]

such as hosting. In a hosting relationship, the ``host railroad'' owns 
the track and exercises operational control of the movement of trains 
of other railroads (the ``tenant'' railroads) while they are using that 
track.
    Under this rule, both the host and tenant railroads are required to 
have a training program that appropriately addresses the ramifications 
of the hosting relationship. For example, the host railroad's training 
program will need to address the operational considerations of the 
hosting relationship, such as training dispatchers on their role and 
responsibilities in halting the tenant railroad's operations over a 
segment of track where there is a potential threat (such as a suspected 
improvised explosive device (IED) or tampering with infrastructure). 
Similarly, a tenant railroad subject to the security training 
requirements of 49 CFR part 1582 (PTPR) will need to address the 
operational considerations of the hosting relationship, such as 
instructing its train and engine employees on the proper communication 
procedures to follow when a potential threat is identified. Under 
either example, the host and tenant railroad owner/operators are only 
responsible for training their own employees.
    Contracted services. Contracted services may involve joint 
operation pursuant to specific terms, but are different from hosting 
relationships. For example, some commuter passenger train services are 
owned by public transportation agencies, but the agency has a contract 
with a private company (such as a freight railroad) to operate the 
train. This is not a hosting relationship.
    When inspecting compliance by participants in this type of a 
contracted services agreement, TSA will consider the freight railroad 
carrier (the private company/contractor) to be an authorized 
representative of the PTPR owner/operator (the owner/operator of the 
passenger train service). TSA will hold the PTPR owner/operator 
primarily responsible for compliance and for ensuring that all 
security-sensitive employees receive the required training, whether 
they are employed directly by the PTPR owner/operator or contractor. 
The PTPR owner/operator must train the freight railroad carrier's 
employees performing security-sensitive functions related to the 
passenger train service.
    To the extent the contract between the PTPR owner/operator and the 
freight railroad includes a provision for the freight railroad to train 
its own employees, the passenger operation is responsible for 
documenting satisfaction of the training requirements within its TSA-
approved security training program. TSA will expect the passenger 
operation to clearly state in its security training program, as part of 
the submission process under 49 CFR 1570.109, that the freight railroad 
carrier will conduct the training and provide the required information 
on that training.
    Regardless of how the parties define who will do what, TSA has 
authority to inspect both parties' operations for compliance. The 
regulated party is primarily responsible, but TSA has authority to 
initiate enforcement actions for non-compliance against either party 
based upon a fact-specific determination. While TSA historically 
initiates enforcement actions against the regulated entity, we have 
begun to look more closely at authorized representative/contractual 
relationships in our effort to address the root cause of noncompliance.

B. Who is responsible for determining whether a specific owner/operator 
is subject to the requirements of the rule (applicability 
determinations)? (Sec.  1570.105)

    Owner/operators are required to use the criteria in 49 CFR parts 
1580, 1582, and 1584 (contained in a subpart B to each part) to 
determine whether their operations are higher-risk. If the operations 
meet the criteria, the requirements of this rule apply. Under Sec.  
1570.105(a), owner/operators must notify TSA within 30 days of the 
effective date of this final rule if they meet the criteria for 
applicability. This obligation also applies to new and modified 
operations (commencing after publication of the final rule). Under 
Sec.  1570.105(b), owner/operators must notify TSA no later than 90 
calendar days before commencing operations or implementing 
modifications triggering applicability of the requirements.
    While the rule requires owner/operators to determine whether the 
criteria apply, TSA is aware of the operations that are likely to be 
within the scope of applicability. TSA may initiate a compliance 
investigation if an owner/operator fails to self-identify within the 
required period.
    To mitigate the likelihood of an owner/operator failing to comply 
based upon lack of recognition of the applicability for these 
requirements, TSA will use a variety of communication strategies to 
notify regulated parties that are likely to meet the applicability 
criteria. For example, TSA will use email to immediately notify its key 
stakeholder points of contact regarding publication of this final rule. 
In addition to these established information sharing mechanisms, TSA 
also conducts regular calls, workshops, and meetings with major 
industry partners and trade associations. TSA's surface representatives 
also work closely with surface-system owner/operators during industry-
led security work groups, conferences, roundtables, and other sector-
specific government coordination meetings. TSA plans to use all of 
these mechanisms to notify relevant industry partners of the new 
requirements.

C. Which employees must receive security training? (Sec. Sec.  
1580.115(a), 1582.115(a) and 1584.115(a))

    Any owner/operator required to have a security training program 
under Sec. Sec.  1580.101, 1582.101, or 1584.101, must provide security 
training to all security-sensitive employees. Security-sensitive 
employees include any direct employee, contractor, employee of a 
contractor, or other authorized person who is compensated for 
performing a security-sensitive function on behalf of or for the 
benefit of the owner/operator.\19\ For example, if an OTRB owner/
operator does not employ any drivers directly, but uses drivers under 
contract, these drivers will need to be trained. Similarly, if an 
owner/operator has chosen to combine dispatch services with any 
affiliates of its parent corporation, the owner/operator required to 
provide security training to its direct employees will also be required 
to provide security training to any dispatchers providing services for 
its fleet.
---------------------------------------------------------------------------

    \19\ See Sec.  1570.3 for the definition of an ``employee.''
---------------------------------------------------------------------------

D. How does an owner/operator determine if someone is a security-
sensitive employee? (Sec. Sec.  1580.3, 1582.3, and 1584.3)

    Definitions of mode-specific ``security-sensitive employees'' are 
included in Sec. Sec.  1580.3 (freight rail), 1582.3 (PTPR), and 1584.3 
(OTRB), with additional detail regarding job functions provided in 
mode-specific tables published as appendices to parts 1580,\20\ 1582, 
and 1584. As discussed in section III.E. of the NPRM, ``security-
sensitive employees'' are individuals who perform functions with a 
direct nexus to, or impact on, transportation

[[Page 16462]]

security.\21\ These functions fall into the following categories: (1) 
Operating a vehicle; inspecting and maintaining vehicles; (2) 
inspecting or maintaining building or transportation infrastructure; 
(3) controlling dispatch or movement of vehicles; (4) providing 
security of the owner/operator's equipment and property; (5) loading or 
unloading cargo or baggage; (6) interacting with the travelling public (on 
board a vehicle or within a transportation facility); and (7) complying 
with security programs or measures, including those required by Federal 
law (a catch-all category that includes a small number of employees 
such as security coordinators and any other individuals who may have 
responsibility for carrying out aspects of the owner/operator's 
security program or other security measures who are not otherwise 
identified in the previous categories).
---------------------------------------------------------------------------

    \20\ The table in part 1580 Appendix B is unique in that it 
includes examples of the job titles related to these functions based 
on historic use of these terms for railroads. The job titles, 
however, are provided solely as a resource to help understand the 
functions described; whether an employee must be trained is based 
upon the function, not the job title.
    \21\ See 81 FR at 91353 et seq. for more information on how TSA 
identifies these employees and how the chosen functions align with 
requirements in the 9/11 Act.
---------------------------------------------------------------------------

    The requirements also apply to managers, supervisors, or others who 
perform a security-sensitive function or who so directly supervise the 
performance of such a function that their nexus is equivalent to the 
security-sensitive employee.\22\ For example, a yardmaster in freight 
railroad operations is considered a security-sensitive employee because 
he or she directs security-sensitive functions, even if not in the 
direct management chain of all individuals performing these functions. 
At the same time, individuals within a corporate structure who neither 
perform a security-sensitive function nor have direct management 
responsibilities over individuals who do are unlikely to have a 
position within the corporation with a significant nexus to the 
transportation operations of the business (such as accounting 
functions). To the extent there are such individuals in the management 
structure, they will not be considered ``security-sensitive'' 
employees.
---------------------------------------------------------------------------

    \22\ The definition of ``employee,'' which is in Sec.  1570.3, 
includes immediate supervisors.
---------------------------------------------------------------------------

    In some circumstances, security-sensitive functions may be 
performed by individuals not within the definition of ``employee.'' For 
example, police officers employed by a local law enforcement agency may 
be routinely patrolling the owner/operator's premises and/or 
operations, but do not work directly for, or under contract to, the 
owner/operator. Owner/operators are not required to provide training to 
these individuals. To the extent, however, these individuals work in 
the same environment as security-sensitive employees, TSA encourages 
owner/operators to make their training materials and sessions 
available. Providing awareness of training content to local law 
enforcement personnel regularly assigned to patrols at locations where 
security-sensitive employees work can enhance communication and 
cooperation in response to potential threats or actual terrorist-
related incidents.
    The law enforcement agency or personnel may be considered security-
sensitive employees of the owner/operator if, for example, there is a 
contractual relationship for the law enforcement agency to provide 
services to the owner/operator and the law enforcement officer is 
assigned to that location by the owner/operator. Similarly, where the 
owner/operator has a dedicated police or security force who are 
employees of the owner/operator, these individuals are security-
sensitive employees who must be trained under this rule.
    TSA encourages owner/operators to consider other employees within 
their corporate structure or business operations who may not be 
performing a security-sensitive function as identified in the rule, but 
who could provide an additional layer of security if they received 
security training. Furthermore, if an owner/operator identifies 
positions or functions not listed by TSA as security-sensitive, but 
which have the nexus to transportation security that is intended to be 
covered by the rule, TSA encourages the owner/operator to identify and 
include these employees within its security training program.

E. Can untrained security-sensitive employees perform security-
sensitive functions? (Sec. Sec.  1580.115(b), 1582.115(b), and 
1584.115(b))

    If a security-sensitive employee does not receive the required 
security training, this employee is prohibited from performing a 
security-sensitive function without the direct supervision of an 
employee who has met the training requirements applicable to that 
security-sensitive function. While TSA is not defining ``direct,'' TSA 
expects the supervisor to be located in reasonable proximity to the 
employee to supervise actions and provide the necessary level of 
security awareness and response capabilities.
    Furthermore, even if an employee is directly supervised, TSA 
imposes a 60-day limit for the amount of time that an employee may 
perform a security-sensitive function without completing the required 
training. After 60 days, the rule requires the owner/operator to remove 
the employee from a security-sensitive function. This requirement does 
not affect the owner/operators' discretion to reassign the individual 
to other non-security-sensitive job functions.

F. What topics must be included in the security training? (Sec. Sec.  
1580.115(c)-(f), 1582.115(c)-(f), and 1584.115(c)-(f))

    TSA is requiring a training program that focuses on the specific 
knowledge provided to security-sensitive employees related to 
preparedness, observation, assessment and response. As a key aspect of 
security awareness is the ability to detect anomalies in the operating 
environment, the rule affords flexibility for owner/operators to 
develop and implement a program that addresses the above-required 
components in the context of their unique operational environments.
    The ``prepare'' category addresses training on discharging any 
security responsibilities that security-sensitive employees may have 
under an owner/operator's existing security plan or security measure. 
This rule does not require any owner/operator to adopt or implement a 
security plan or measures, but TSA is aware that many owner/operators 
have security plans or measures implemented to comply with Federal 
requirements, to qualify for Federal grants, or as the result of 
voluntary initiatives. To the extent these plans or procedures exist, 
employees must be trained in order to ensure they are effective. 
Similar to the threat and incident prevention and response training, 
this portion of the training program will need to be tailored to the 
specific operation.
    The ``prepare'' element provides multiple benefits to 
transportation security and to owner/operators. First, the requirement 
recognizes that the time when a crisis is occurring is not the time to 
provide training on how to implement crisis-response measures. 
Employees need to be prepared in advance, especially if they have 
responsibilities related to responding to a terrorist incident in order 
to mitigate the consequences. Second, this training element ensures 
that training conducted under this rule meets all of the requirements 
for security training required for ``hazmat employees'' under 49 CFR 
172.704(a)(5).\23\ Third, this

[[Page 16463]]

element also captures specific training for freight railroads related 
to the requirements in Sec.  1580.115(c) for chain of custody and 
control requirements, ensuring appropriate procedures are followed to 
comply with the security requirements in subpart C to part 1580 (which 
contains the requirements moved from Sec. Sec.  1580.103 and 1580.107 
as a result of this rulemaking).
---------------------------------------------------------------------------

    \23\ An analysis of the relationship between the Pipeline and 
Hazardous Materials Safety Administration (PHMSA) required training 
and the training provided by this final rule can be found in Diagram 
B of the NPRM. See 81 FR at 91364. The relation with other training 
is also discussed in section II.H. and I. of this preamble.
---------------------------------------------------------------------------

    Finally, the ``prepare'' category captures training that may vary 
based on the specific nature of an employee's responsibilities. For 
example, appropriate methods of self-defense may vary based upon an 
employee's job and extent to which he or she interacts with the public. 
Similarly, an employee's need to be trained in how to operate and 
maintain security equipment may be dictated by the employee's 
responsibilities. Within this category, owner/operators have some 
flexibility to shape the training to be appropriate for their specific 
employees and operations. This flexibility allows owner/operators to 
avoid situations where employees are required to sit through training 
completely irrelevant to their roles and responsibilities.
    TSA intends for the training required in the Observe, Assess, and 
Respond categories to be relevant to all employees, regardless of their 
job functions. Training in security awareness and behavior recognition 
is appropriate for all employees and TSA believes there should be a 
common level of proficiency on these issues among security-sensitive 
employees of the owner/operators.
    The ``observe'' category is intended to provide knowledge to 
increase a security-sensitive employee's observational skills. In 
general, this training focuses on recognizing the difference between 
what is normal for the operational environment and abnormalities that 
could indicate terrorist planning or imminent attack. Training 
delivered should teach the employees that suspicious activity is a 
combination of actions and individual behaviors that appear strange, 
inconsistent, or out of the ordinary for the employee's work 
environment. In most instances, it will not be a single factor, but a 
combination of factors taking place at a particular time and place, 
that will accurately identify a suspicious individual or act.
    The ``assess'' category requires providing knowledge of how to 
determine the most appropriate response to what is observed. For 
example, does the incident require a response and, if so, what is the 
appropriate response?
    The ``respond'' category includes training on security incident 
responses--including how to appropriately report a security threat, 
interact with the public and first responders at the scene of a threat 
or incident, applicable uses of self-defense devices or protective 
equipment, and communication with passengers. In addition to meeting 
training requirements enumerated in the 9/11 Act,\24\ this category is 
intended to provide elements of security awareness training required by 
49 CFR 172.704(a)(4). To the extent owner/operators need to provide 
training on specific self-defense devices or protective equipment, TSA 
has not calculated these costs. Such training is not a cost of this 
rule based on an assumption that training on the use of self-defense 
devices and equipment is a standard part of any operation before 
providing such devices or equipment to individuals.
---------------------------------------------------------------------------

    \24\ Diagram B in the NPRM, Development Considerations for 
Requirements in Sec. Sec.  1580.113, 1582.113, and 1584.11, provides 
an analysis of the 9/11 Act's requirements and other considerations 
incorporated into the four categories of training required by this 
rule. See 81 FR at 91364.
---------------------------------------------------------------------------

    TSA recognizes that owner/operators may choose, or have chosen, to 
integrate varying levels of training into their security training 
programs, such as for particular categories of employees or job 
functions, to meet the objectives of their overall security program or 
plan. As noted in section I, TSA intends for this rule to establish and 
solidify the baseline of security for higher-risk surface 
transportation operations. To the extent an owner/operator has a 
program that goes beyond the required baseline, TSA encourages 
continuation of these efforts as long as the owner/operator can meet 
the minimum training required by this rule for all security-sensitive 
employees.

G. Who will provide the security training curriculum? (Sec. Sec.  
1580.113, 1582.113, and 1584.113)

    Owner/operators are required to train security-sensitive employees 
using curriculum approved by TSA. TSA assumes that many of the owner/
operators required to provide security training under this rule already 
have training programs in place that may substantially comply with the 
rule's requirements. This assumption is based on TSA's involvement in 
allocations of grant funding to owner/operators for the development of 
security training materials, funded through various DHS-grant program 
appropriations, as well as a comprehensive review of available training 
materials to determine whether they meet the standards and criteria 
required by the 9/11 Act. This assumption is also bolstered by certain 
industry responses to TSA's Notice published in 2013 in which TSA 
sought public comment and data on current security training 
practices.\25\
---------------------------------------------------------------------------

    \25\ See Request for Comments on Security Training Programs for 
Surface Mode Employees, 78 FR 35945, 35948 (June 14, 2013) 
(discussion on grant-funded training programs under ``Relation to 
Other Training Programs''). TSA summarizes the response to the 2013 
Notice in this final rule's RIA, Section 1.5. TSA explains in 
Sections 1.8.2. and 1.8.3. of the RIA how it used information from 
the responses to the 2013 Notice to assess the level of training in 
the baseline for PTPR and OTRB owner/operators, respectively.
---------------------------------------------------------------------------

    TSA is committed to mitigating the costs of training for all owner/
operators through several initiatives. For example, TSA has identified, 
and will continue to identify, existing training materials that address the 
curriculum content requirements identified in the rule and will make 
this information available to regulated parties.\26\ TSA is also 
developing training materials that meet specific training requirements 
in this rule. TSA will notify regulated parties as the relevant 
training materials are completed.
---------------------------------------------------------------------------

    \26\ See, e.g., Example of Security Training Matrix (TSA-2013-
0005-0084) available in the docket to this rulemaking at 
www.regulations.gov.
---------------------------------------------------------------------------

H. Can owner/operators use pre-existing material or other third-party 
material? (Sec.  1570.103)

    This rule does not require the owner/operator to create their own 
material or impose limits on the use of third-party material. If, 
however, owner/operators choose to rely on previously prepared training 
material, including material developed to satisfy other regulatory 
requirements, or third-party material, they must incorporate that 
material into an appendix to their security training program and 
reference that appendix in the corresponding portions of their security 
program, as discussed below.

I. How do these requirements relate to other security training required 
by other Federal or State agencies? (Sec. Sec.  1580.115(c), 
1582.115(c), and 1584.115(c))

    TSA recognizes that many owner/operators covered by this rule are 
subject to training requirements under regulations of the Department of 
Transportation (DOT) that overlap with the training content required in 
the 9/11 Act.\27\ TSA does not expect owner/operators to duplicate 
training. To the extent that an owner/operator intends to use existing 
training programs

[[Page 16464]]

implemented to comply with other Federal requirements or other 
standards in order to satisfy some or all of the requirements of this 
rule, the program submitted to TSA for approval must identify how the 
owner/operator intends to use the other training to satisfy TSA's 
requirements, such as the curriculum or lesson plan for that program. 
TSA intends to maintain an iterative list available to regulated owner/
operators of training programs that have been approved by TSA for use 
in meeting this rule's requirements.
---------------------------------------------------------------------------

    \27\ See sections III.G.5 and I of NPRM for a discussion of 
other related training. 81 FR at 91361-91362 and 91364 et seq.
---------------------------------------------------------------------------

    Paragraph (c)(2) requires an index to be provided if the owner/
operator chooses to submit all or part of an existing security training 
program to TSA for approval. The index must be organized in the same 
sequence as the content requirements in Sec. Sec.  1580.115, 1582.115, 
and 1584.115. Indexing is a necessary requirement if TSA is to provide 
flexibility for owner/operators to use existing training programs to 
satisfy this rule. TSA may request additional information on the 
program through the review and approval process.

J. What is the required schedule for providing training? (Sec.  
1570.111)

1. Initial Training (Sec.  1570.111(a))
    Current employees must be trained within one year of TSA's approval 
of the security training program. Initial training for new employees or 
those transitioning to a covered job function (as identified in 
Appendix B to parts 1580 (freight rail), 1582 (PTPR), and 1584 (OTRB)), 
must occur within the first 60 days of the date an employee begins to 
perform a security-sensitive function. In general, this means that an 
employee must be trained within 60 days of starting in a permanent-
employment position that may require performance of a security-
sensitive function, whether full or part-time.\28\
---------------------------------------------------------------------------

    \28\ These deadlines are set by secs. 1408(d)(3), 1517(d)(3), 
1534(d)(3) of the 9/11 Act, codified at 6 U.S.C. 1137, 1167, and 1184.
---------------------------------------------------------------------------

    Section 1570.111(a)(3) addresses non-permanent employees. Non-
permanent employees must receive training within 60 calendar days after 
employment that meets the definition of a security-sensitive employee. 
If an individual is employed on an intermittent or non-permanent basis, 
such as a contractor hired to perform a security-sensitive function for 
short durations, then the training must take place before the 
individual's aggregated length of employment by the owner/operator 
equals 60 calendar days within a consecutive twelve-month period. 
Training is not required if an individual is employed to perform a 
security-sensitive function one time for less than 60 days. Training is 
required if an individual performs a security-sensitive function for 
short but repeated durations and the aggregated period of time equals 
60 days. TSA recognizes that some owner/operators may choose to train 
all regular contractors or other individuals employed for short but 
regular durations rather than having to monitor aggregated days of 
employment.
    In meeting the initial training schedule, TSA expects that many 
owner/operators will rely on the provisions in Sec.  1570.107, which 
provide standards for accepting previous training. TSA may allow 
``training credit'' to be given for employees who received equivalent 
security training within one year before the rule's effective date. 
This training credit may include the following:
    * Training on emergency preparedness plans that railroads 
connected with the operation of passenger trains must implement to 
address subjects such as communication, employee training and 
qualification, joint operations, tunnel safety, liaison with emergency 
responders, on-board emergency equipment, and passenger safety 
information.
    * Training on policies that public transportation agencies 
implement to ensure safety promotion to support the execution of the 
Public Transportation Agency Safety Plan required under 49 CFR part 673 
for all employees, agents, and contractors of any State, local 
government authority, or other operator of a public transportation 
system that receives Federal financial assistance under 49 U.S.C. 
Chapter 53.
    * Training provided through funds granted under the Transit 
Security Grant Program or other grant programs.
    The recordkeeping provisions, discussed below, require an owner/
operator to provide current and former employees with documentation 
upon request of any training completed to meet the requirements of this 
rule. Options for compliance with this requirement could include 
providing employees with certificates to validate completed training. 
Providing employees with documentation of training is particularly 
relevant for operations such as those in the OTRB industry, where 
employees (for example, commercial drivers) may work for multiple 
owner/operators. If an owner/operator can validate an employee has 
received the required training within the specified timeframe, the 
training does not need to be repeated. Because of its obligation to 
ensure all training requirements are met, the current owner/operator is 
responsible for ensuring that any previous training courses satisfy the 
rule's requirements and documenting that the training was received 
within the required timeframe.
    Finally, there may be situations where ``dual-hatted'' or other 
specific-function employees are required to receive security training 
from other sources as part of their jobs, such as railroad police 
officers employed by the owner/operator. As indicated above, it is the 
obligation of the owner/operator to ensure and document the training, 
including training received under these circumstances.
2. Recurrent Training (Sec.  1570.111(b))
    TSA believes regular recurrent training is essential for 
transportation employees to maintain a high level of awareness and 
competency. To ensure this need is met, this rule requires owner/
operators to provide the TSA-approved security training curriculum to 
their security-sensitive employees at least once every three years. 
This frequency is consistent with the requirements for security 
training imposed by the Pipeline and Hazardous Material Safety 
Administration (PHMSA) for hazardous materials employees under 49 CFR 
part 172.
    In addition, consistent with 49 CFR 172.704, if the owner/operator 
modifies a security program or security plan for which training is 
required under this rule, the owner/operator must ensure that each 
security-sensitive employee with position- or function-specific 
responsibilities related to the revised plan or program changes 
receives training on the revisions within 90 days of implementation of 
the revised plan or program changes. This requirement ensures employees 
responsible for implementing the security program or plan will be 
trained in a timely manner concerning any changes or revisions to the 
security plan or program as necessary to reflect changes in security 
affecting their specific operating environment or the surface 
transportation system.
3. Previous Training (Sec.  1570.107)
    While there is no specific requirement in the 9/11 Act for TSA to 
allow use of existing training programs to satisfy the security 
training regulatory requirements, this rule provides an opportunity for 
owner/operators to seek recognition of previously provided training. 
Under Sec.  1570.107, an owner/operator may rely on previous training 
that occurred within the identified periods for initial or recurrent 
training.

[[Page 16465]]

In order to use previous training, the owner/operator must validate 
that the previous training satisfies the requirements of this rule (for 
example, reviewing records of training and curriculum), is relevant to 
the employee's job function, and appropriate for the owner/operator's 
operations. As part of its inspection and compliance authority, TSA may 
require the owner/operator to provide the documentation used to 
determine the previous training met the requirements of this rule.

K. Do employees have to pass a test? (Sec. Sec.  1580.113(b)(9), 
1582.113(b)(9), and 1584.113(b)(9))

    TSA is not requiring security training programs to include employee 
testing, with prescribed pass/fail rates. The security training 
programs submitted to TSA, however, must include how the owner/operator 
will measure the effectiveness of the training program. TSA will afford 
flexibility to each individual owner/operator to identify measures for 
determining the effectiveness of their security training program using 
methods and criteria appropriate for their operations. For example, TSA 
expects that some owner/operators will choose to administer a written 
test or evaluation to gauge their employees' level of knowledge in 
order to assess the overall effectiveness of training, while others may 
rely upon operational tests conducted by supervisors to determine 
whether employees are being trained effectively. Some may use the 
results of drills and exercises to measure effectiveness and identify 
areas where modifications are needed.
    Similarly, TSA is not prescribing conditions for a pass/fail policy 
that may be associated with post-training testing. While individual 
companies may elect to enforce pass/fail criteria with associated 
personnel actions, TSA is neither requiring nor recommending a 
specified maximum number of times that an individual may take a test or 
evaluation to demonstrate knowledge and competency. As previously 
noted, however, the methods submitted by an owner/operator for 
determining training efficacy may affect TSA's approval of any 
alternative measures for compliance. In reviewing security training 
programs, TSA's focus is on whether the program includes measures for 
the effectiveness of the training program, not an individual employee's 
performance.

III. Operational Requirements (Subpart D)

    TSA requires freight and passenger railroad carriers, rail transit 
systems, rail hazardous materials shippers, and certain rail hazardous 
materials receivers, to appoint ``rail security coordinators'' \29\ 
(RSCs) and report significant security concerns to TSA.\30\ The RSCs 
are security liaisons to TSA, providing a single point of contact for 
receiving communications and inquiries from TSA concerning threat 
information or security procedures, and coordinating responses with 
appropriate law enforcement and emergency response agencies. This 
information, reported to TSA from the frontline of rail operations, is 
consolidated and analyzed by TSA to identify developing threats and 
for trend analysis.
---------------------------------------------------------------------------

    \29\ These requirements were promulgated in 2008, see supra n. 
8, codified at 49 CFR 1580.101 and 1580.201 (before changes made by 
this rule).
    \30\ See id. at 49 CFR 1580.105 and 1580.203 (before changes 
made by this rule).
---------------------------------------------------------------------------

    TSA is expanding applicability of these requirements to the owner/
operators subject to the security training requirements. As a result, 
the scope of the requirement applies to:
     All rail operations subject to the security coordinator 
and reporting requirements under previous 1580.101, 1580.105, 1580.201, 
and 1580.203 (now located in sections 1570.201 and 1570.203);
     Any bus operations of a public transportation owner/
operator required to provide security training under this rule; and
     Any OTRB owner/operator required to provide security 
training under this rule.\31\
---------------------------------------------------------------------------

    \31\ As previously noted, TSA currently requires security 
coordinators for rail operations, including freight railroads, 
passenger railroads, and public transportation rail operations. In 
addition to mandating security coordinators for railroads, the 9/11 
Act also requires security coordinators for bus operations. See 9/11 
Act sec. 1531, codified at 6 U.S.C. 1181(e)(1)(A) (``Identification 
of a security coordinator having authority--(i) to implement 
security actions under the plan; (ii) to coordinate security 
improvements; (iii) to receive immediate communications from 
appropriate Federal officials regarding over-the-road bus 
security''). See 9/11 Act sec. 1512, codified at 6 U.S.C. 
1162(e)(1)(A), for a similar provision applicable to railroads. 
Consistent with this mandate, TSA is extending the requirement to 
appoint a primary and at least one alternate security coordinator 
for OTRB companies and bus operations of PTPR owner/operators 
identified as higher-risk through this rulemaking. This will have a 
limited impact on the PTPR mode as most public transportation bus 
agencies covered by this rule are part of a larger system that is 
already required to have a security coordinator under current 49 CFR 
part 1580. See sec. III.D.4 of the NPRM for more discussion 
regarding the security coordinator and reporting requirements (81 FR 
at 91350 et seq.).
---------------------------------------------------------------------------

    As proposed in the NPRM, the rule text for applicability of the 
security coordinator requirements erroneously included all bus-only 
public transportation systems. TSA intended, however, to limit 
applicability to the bus-only public transportation systems within the 
scope of the security training requirements, that is, the higher-risk 
bus-only systems.\32\ To be consistent with TSA's intent as explained 
above and in the preamble of the NPRM, TSA is clarifying the 
requirement in the final rule text.
---------------------------------------------------------------------------

    \32\ See 81 FR at 91350: ``Because of the benefits of [the 
security coordinator and reporting requirements] to transportation 
security, TSA is proposing to extend these requirements to the modes 
of transportation covered by this proposed rule that are not 
currently subject to the requirements of 49 CFR part 1580. . . . TSA 
proposes to extend the requirement to appoint a primary and at least 
one alternate security coordinator for OTRB companies and the bus 
operations of PTPR owner/operators (with a limited impact as most 
public transportation bus agencies are part of a larger system that 
is required to have a security coordinator under current 49 CFR part 
1580).''
---------------------------------------------------------------------------

    Table 2 compares applicability scope of the previous requirement 
with the expanded applicability. The cost estimate for this requirement 
in the NPRM is consistent with TSA's intent and the corrected rule 
text.

    Table 2--Comparison of Applicability for Security Coordinator and
                         Reporting Requirements
------------------------------------------------------------------------
                                          Previous  Sec.
                                                Sec.         New  Sec.
                                           1580.101/103        Sec.
                                           and 1580.201/   1570.201/203
                                                203
------------------------------------------------------------------------
Freight railroad carriers...............               X               X
Rail hazardous materials shippers.......               X               X
Rail hazardous materials receivers in                  X               X
 High Threat Urban Areas (HTUAs)........
Owner/operators of private rail cars*...               X               X
Railroads hosting freight or PTPR rail                 X               X
 operations.............................
PTPR operating rail transit systems on                 X               X
 general railroad system, intercity
 passenger train service, and commuter
 train services.........................
PTPR operating rail transit systems not                X               X
 part of general railroad system........
PTPR operating bus transit or commuter    ..............               X
 bus systems in designated areas........
Tourist, scenic, historic, and excursion               X               X
 rail owner/operators*..................
OTRB owner/operators providing fixed-     ..............               X
 route service in designated areas......
------------------------------------------------------------------------
* Security Coordinator only required if notified by TSA in writing that
  a threat exists. Requirement to report significant security concerns
  always applies.

A. Security Coordinator Requirements (Sec.  1570.201)

    Security coordinators are a vital part of transportation security, 
providing TSA and other government agencies with an identified point of 
contact with access to company leadership and knowledge of the owner/
operators' operations, in the event it is necessary to convey extremely 
time-sensitive information about threats or security procedures to an 
owner/operator, particularly in situations requiring frequent 
information updates. The security coordinator and alternate provide TSA 
with a contact in a position to understand security problems; 
immediately raise issues with, or transmit information to, corporate or 
system leadership; and help recognize when emergency response action is 
appropriate. The individuals must be accessible to TSA 24 hours per 
day, 7 days per week.
    The rule does not change the expectation that the security 
coordinator and alternate be appointed at the headquarters level. Nor 
does the rule require the security coordinator or alternate to be a 
dedicated position with no other primary or additional duties. As 
with the previous part 1580 requirements, TSA's primary concern is 
having a designated point of contact available to TSA at all times.
    The rule also requires the owner/operator to submit contact 
information for both the security coordinator and alternate and to 
update this information within 7 days if it changes. As previously 
noted, this is not a new requirement for owner/operators of railroads, 
including the rail transit operations of PTPR owner/operators. If an 
owner/operator subject to this rule has provided current information 
for primary and alternate RSCs to TSA, it will not have to take further 
action to meet the requirement.\33\ TSA assumes this is true for 
passenger rail carriers, freight railroad carriers, and rail transit 
systems operated by public transportation agencies. Owner/operators 
required to appoint security coordinators for the first time under this 
rule must provide this information to TSA by July 29, 2020. TSA will 
also use this contact for communications related to requirements in 
this rule.
---------------------------------------------------------------------------

    \33\ Any changes to the information must, as previously 
required, be reported within seven calendar days of the change 
taking effect.
---------------------------------------------------------------------------

B. Requirement To Report Security Concerns (Sec.  1570.203)

    As with the security coordinator requirement, TSA is moving and 
consolidating the requirement to report security concerns from part 
1580 into Sec.  1570.203 and extending it to higher-risk bus 
operations.\34\ The list of reportable incidents can be found in 
Appendix A to part 1570 and includes not only a list of incidents, but 
descriptions and examples to assist regulated parties in making a 
determination of whether an incident must be reported based on its 
similarity to one of the examples.
---------------------------------------------------------------------------

    \34\ This extension is within TSA's discretion to require other 
actions or procedures determined to be appropriate to address the 
security of public transportation and OTRB operations. See 9/11 Act 
sections 1405(c)(2)(I) and 1531(e)(1)(H), as codified at 6 U.S.C. 
1134 and 1181, respectively.
---------------------------------------------------------------------------

    This list of reportable significant security concerns is consistent 
with the Nationwide Suspicious Activity Reporting (SAR) Initiative 
(NSI). The NSI is a partnership between Federal, State, local, tribal, 
and territorial law enforcement that ``establishes a national capacity 
for gathering, documenting, processing, analyzing and sharing SAR 
information . . . in a manner that rigorously protects the privacy and 
civil liberties of Americans.'' \35\ The NSI defines ``suspicious 
activity'' as ``observed behavior reasonably indicative of pre-
operational planning associated with terrorism or other criminal 
activity.'' \36\ The standardized approach among law enforcement 
officers and security officials with surface transportation entities 
produces more informative reports that can, more effectively, focus 
investigative efforts and intelligence analysis for potential trends 
and indicators of terrorism-related activity.
---------------------------------------------------------------------------

    \35\ See Nationwide SAR Initiative (NSI), ``About the NSI'' 
(accessed Nov. 3, 2016), available at http://nsi.ncirc.gov/about_nsi.aspx.
    \36\ Id.
---------------------------------------------------------------------------

    Finally, consistent with TSA's purpose in requiring submission of 
the information, the rule requires notification within 24 hours of the 
initial discovery of the incident by the owner/operator (see 49 CFR 
1570.203(a)).\37\ This schedule will enable TSA to obtain timely 
information, without undermining the ability of the owner/operator to 
appropriately handle a situation. If there is an immediate threat, 
owner/operators and/or their employees should prioritize notifying and 
working with first responders. The notification to TSA should occur 
after the immediate crisis is addressed, but within a timeframe that 
allows TSA to assess and share timely information.
---------------------------------------------------------------------------

    \37\ This change to reporting is a modification from the 
requirement as promulgated in the Rail Security Rule, which required 
immediate reporting.
---------------------------------------------------------------------------

    For purposes of this requirement, the clock ``starts running'' when 
the owner/operator becomes aware of the incident. Awareness of the 
owner/operator includes awareness of (or discovery by) employees of the 
owner/operator.\38\ TSA recognizes that local law enforcement do not 
always immediately notify owner/operators when there is a security-
related incident on the owner/operator's property or affecting their 
operations.
---------------------------------------------------------------------------

    \38\ One of the required training elements includes how to 
appropriately report security issues.
---------------------------------------------------------------------------

C. Methods for Reporting Information and Substance of Information 
Provided (Sec.  1570.203 (a) and (c))

    As previously noted, TSA has almost a decade of experience with 
incidents reported by railroads. Based on this experience, TSA 
recognizes that its ability to analyze the data and improve

[[Page 16467]]

the quality of information disseminated back to its stakeholders is 
proportional to the quality of information it receives. Section 
1570.203(b) is consistent with the reporting requirements as 
promulgated in 2008, which reflected the need for detailed and verified 
information from individual owner/operators to enhance TSA's ability to 
provide timely and useful information products to all of the relevant 
stakeholders.
    TSA is working on two initiatives that should assist owner/
operators with reporting information. The first is to pilot an 
electronic reporting option for significant security concerns.\39\ If 
made a permanent capability, TSA intends to develop an online form that 
owner/operators, or their designated employees, may use to submit 
information to TSA to meet the requirements of this rule. If the pilot 
succeeds, TSA may pursue a second initiative to provide an electronic 
reporting form on a secure website. TSA will provide updates on 
development of these capabilities to owner/operators through the 
designated security coordinators as well as appropriate notices in the 
Federal Register. Pending completion of these capabilities, owner/
operators and their designated employees are generally required to meet 
the requirements of this section by contacting the Transportation 
Security Operations Center at 1-866-615-5150. There is an exception for 
owner/operators participating in the pilot to report electronically.
---------------------------------------------------------------------------

    \39\ See OMB Control No. 1652-0051, 30-Day Notice: Revision of 
Agency Information Collection Activity Under OMB Review: Rail 
Transportation Security, 83 FR 40542 (Aug. 15, 2018), and related 
supporting statement available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=201809-1652-002.
---------------------------------------------------------------------------

IV. Security Program Procedures

A. Deadlines Related to Submission and Approval of Security Training 
Program

    Section 1570.109 identifies the required deadlines for submitting 
security training programs and the process for TSA approval. In 
general, not later than 90 days from the effective date of this final 
rule, owner/operators are required to submit programs to TSA in a form 
and manner prescribed by TSA. Owner/operators commencing new businesses 
or operations triggering applicability are required to submit their 
security training programs to TSA no less than 60 days before 
commencing operations.
    TSA will provide details for submission of security programs 
directly to security coordinators identified under section 1570.201, 
within 10 business days from the effective date of this final rule. 
Consistent with comments received on the NPRM, this information will 
include the designated email address and any related information 
regarding submission of Sensitive Security Information (SSI).
    As required by the 9/11 Act, TSA will review the programs within 60 
days of receipt and either approve them or specify changes that are 
needed for approval.\40\ If TSA requires changes, the owner/operator 
must submit a modified training program that meets TSA's specifications 
within 30 days of notification by TSA. TSA provides an analysis of 
burden and estimated costs associated with this information collection 
in section VIII.A. of this preamble and the Office of Management and 
Budget (OMB) 83-I Supporting Statement for its information collection 
request, which is available in the docket for this rulemaking.
---------------------------------------------------------------------------

    \40\ See 9/11 Act secs. 1137(d)(2), 1167(d)(2), and 1184(d)(2), 
codified at 6 U.S.C. 1137, 1167, and 1184.
---------------------------------------------------------------------------

B. Amendments

    Procedures related to revision and/or amendment of security 
training programs, as described in Sec. Sec.  1570.113, 1570.115, and 
1570.117, are necessary as part of developing a regulatory program and 
are consistent with the 9/11 Act's requirements for implementation and 
submission of programs. These procedures are also consistent with TSA's 
statutory authority to allow exemptions from regulatory 
requirements.\41\ The rule provides for two types of amendments: (1) 
Amendments initiated by owner/operators and (2) amendments initiated by 
TSA.
---------------------------------------------------------------------------

    \41\ See 49 U.S.C. 114(q).
---------------------------------------------------------------------------

1. Amendments Initiated by Owner/Operator (Sec.  1570.113)
    Under section 1570.113, there are three situations which require 
owner/operators to submit a request to amend their security training 
programs: (1) Changes affecting ownership or control of the operations; 
(2) changes to conditions affecting security; and (3) changes to 
content in the security training program. Owner/operators must seek an 
amendment if any of these changes are expected to have a duration of 
more than 60 days.
    Amendments related to changes in ownership/control are necessary 
for TSA to maintain current information about relevant contacts as well 
as for purposes related to enforcement and liability. Amendments 
related to the second and third categories are necessary to ensure the 
training programs are providing relevant and timely information to 
security-sensitive employees.
    This final rule revises the NPRM's proposed requirement for seeking 
an amendment for any changes relating to ``measures, training, or 
staffing described in the security program.'' Since publication of the 
NPRM, TSA determined that the scope of this requirement is too broad as 
it could capture measures relevant to security in general, such as 
theft. As proposed, the requirement could impose an unnecessary burden 
on owner/operators and create conflict between the programmatic 
requirements. For example, the overly broad requirement for amendments 
could result in the need to revise a security training program to 
address issues not related to reducing the risk of terrorism-related 
incidents.
    To narrow the scope of the amendment requirement, the final rule 
incorporates a specific list of the types of changes to security that 
require an amendment. For purposes of identifying what types of changes 
should be included in the list, TSA determined the most appropriate 
source is the 9/11 Act's requirements for TSA to issue a vulnerability 
assessment and security planning regulation for surface owner/
operators.\42\ The 9/11 Act's provisions are tailored to security 
issues related to reducing the risk of terrorism-related incidents.
---------------------------------------------------------------------------

    \42\ As previously discussed, the 9/11 Act includes a mandate 
for TSA to issue regulations requiring vulnerability assessments and 
security plans in addition to the requirements for security 
training. See 9/11 Act sections 1405, 1612, and 1531, codified at 6 
U.S.C. 1134, 1162, and 1181, respectively. The security planning 
requirements include a detailed list of security measures that must 
be incorporated into an owner/operator's TSA-approved security plan. 
TSA intends to address the vulnerability assessment and security 
training requirements through a separate rulemaking.
---------------------------------------------------------------------------

    If an owner/operator makes any changes to the security measures 
identified in Sec.  1570.113, the owner/operator must request an 
amendment to modify the TSA-approved security training program to align 
with these changes. In general, the program must be amended if there 
are changes to procedures intended to prevent and detect unauthorized 
access to restricted areas; measures to be implemented in response to 
periods of heightened security risk; and changes to emergency response 
plans.
    The security program requirements established by this rulemaking 
will also be applicable to a future rulemaking to address the 9/11 
Act's requirements for

[[Page 16468]]

vulnerability assessments and security planning. As a result, 
incorporating the 9/11 Act's list of security measures to be 
incorporated in security planning as the basis for determining when an 
amendment is necessary to a security training program establishes a 
framework that can be consistently applied in the future as the scope 
of requirements for higher-risk owner/operators of surface 
transportation systems is expanded.\43\
---------------------------------------------------------------------------

    \43\ See discussion supra in n. 42.
---------------------------------------------------------------------------

    Finally, owner/operators must request an amendment if their 
security training program is modified, including modifications related 
to addressing the effectiveness of the program or development of 
recurrent training materials that differ from the initial training. 
This provision is intended to ensure an owner/operator is appropriately 
addressing the results of its TSA-approved method for determining 
effectiveness of security training.\44\ It is TSA's intent that this 
specificity will reduce the burden for owner/operators by providing 
clarity on the types of changes that may trigger the need for an 
amendment. If there are any changes in these areas, it is reasonable to 
expect that some aspects of the security training program must be 
revised.
---------------------------------------------------------------------------

    \44\ See requirements in subpart B to parts 1580, 1582, and 
1584.
---------------------------------------------------------------------------

    In addition to the preceding issues that require owner/operators to 
request an amendment, the same procedures can be used when the owner/
operator seeks to amend its program to address other operation issues. 
For example, an owner/operator may choose to seek an amendment to 
modify the required training schedule. The same procedural requirements 
for seeking an amendment apply.
    TSA may approve an amendment if it is in the interest of public and 
transportation security and meets the required security standards. As 
part of its standard practice for security program administration, TSA 
works with owner/operators on amendment requests to develop options 
acceptable to both TSA and the requesting owner/operator. TSA may ask 
for additional information from the owner/operator or require more time 
in order to make its determination.
    If TSA is unable to come to agreement with the owner/operator on 
the content or scope of the amendment, TSA may deny the amendment 
request. The denial will include a statement of why the request is 
denied. The owner/operator can petition for reconsideration under 
section 1570.119.
    While the rule only requires amendments if the change is to be 
permanent (defined as 60 or more calendar days), TSA recognizes that 
there are times when a change of short duration could have a 
significant impact on training. For example, if a city is hosting a 
National Special Security Event (NSSE), the public transportation 
system serving that city may implement additional security measures. It 
is likely that additional training will be necessary to raise 
appropriate awareness of these additional measures. The rule does not 
require the owner/operator to request an amendment to provide this 
additional training.
    TSA is also modifying the schedule for submitting an amendment from 
the requirement as proposed in the NPRM. Under the NPRM, an amendment 
had to be submitted no later than 45 days before the change takes 
effect. This schedule does not work with the provision that allows 
changes to security measures to be in effect for 60 days before they 
are considered permanent, and only permanent changes require 
notification and amendment. To address this inconsistency, TSA is 
requiring amendments to be submitted within 65 days of the change. As 
the owner/operator controls changes to the security measures identified 
in the rule and whether these changes will be permanent, it is presumed 
the owner/operator will have sufficient advance notice that an 
amendment is needed and can prepare and submit the request within this 
timeframe. This specificity is added to provide clarity for compliance.
2. Amendments Initiated by TSA (Sec.  1570.115)
    TSA may require amendments in the interest of the public and 
transportation security. As indicated in Sec.  1570.115, TSA may 
require owner/operators to revise their training based on emerging 
threats or methods for addressing emerging threats. This is consistent 
with TSA's authorities under 49 U.S.C. 114 and the 9/11 Act, which 
specifically provide that TSA must update the requirements, as 
appropriate, ``to reflect new or changing security threats.'' \45\ For 
example, the curriculum requirements identified in the 9/11 Act do not 
address training to respond to active shooter incidents. Following 
several active shooter incidents, including one that resulted in the 
death of a Transportation Security Officer in Los Angeles, Congress 
prioritized the need for this type of training.\46\ TSA could also 
require an amendment to provide additional training to address risks 
like the NSSE discussed above, in section C. As with other requirements 
imposed by TSA, the owner/operator may request a petition for 
reconsideration of TSA-required amendments.
---------------------------------------------------------------------------

    \45\ See 9/11 Act at 1408(d)(4), 1517(d)(4), and 1534(d)(4), 
codified at 6 U.S.C. 1137, 1167, and 1184, respectively. This 
provision also requires owner/operators to change their programs to 
address TSA's required updates and retrain employees as necessary, 
within a reasonable time.
    \46\ Section 7 of the Gerardo Hernandez Airport Security Act of 
2015 (Pub. L. 114-50), which directed TSA, in consultation with the 
Department of Transportation and other relevant agencies, to conduct 
outreach to all passenger transportation agencies and providers of 
high-risk facilities to verify such agencies and providers have in 
place plans to respond to active shooters, acts of terrorism, or 
other security-related incidents that target passengers.
---------------------------------------------------------------------------

C. Alternative Measures (Sec.  1570.117)

    Section 1570.117 includes the procedures for requesting a waiver, 
procedures for requesting the use of alternative measures, and 
identification of the types of information TSA will need in order to 
make a decision to grant such requests. TSA may grant such a request 
under the authority of 49 U.S.C. 114(q), based on a determination that the 
alternative measure or exemption is in the public interest. In general, 
TSA will consider factors such as risk associated with the type of 
operation, current threat information, and any other factors relevant 
to potential risk to the public and transportation security if the 
request is granted.
    These procedures can be used by an owner/operator to request 
alternative measures to satisfy some or all of the requirements 
of subchapter D. For example, the owner/operator could request to 
extend the time period for submitting its training program or for 
training all of its security-sensitive employees. An owner/operator 
could also request a waiver from some or all of the regulatory 
requirements. For example, a freight railroad may meet the criteria for 
applicability, but the operations that trigger applicability may be a 
de minimis part of its overall business operations. In such a 
situation, the owner/operator might consider requesting either a 
complete waiver or an alternative that limits the requirements to a 
more discrete part of its business.

D. Petitions for Reconsideration (Sec.  1570.119)

    Section 1570.119 describes the review and petition process for 
TSA's reconsideration when it denies a request for amendment, waiver, 
or alternative measures, as well as a TSA requirement

[[Page 16469]]

to modify or amend a program. If an owner/operator seeks to challenge 
the decision, the owner/operator is required to submit a written 
petition for reconsideration within the time frame identified in the 
applicable section. The petition must include a statement, with 
supporting documentation, explaining why the owner/operator believes 
the reason for the denial or for the amendment, as applicable, is 
incorrect. If the owner/operator requested the amendment, the results 
of the reconsideration could be confirmation of TSA's previous denial 
or approval of the proposed amendment. If the issue involves a TSA-
required amendment, the results of the reconsideration could be 
withdrawal, affirmation, or modification of the amendment. A 
disposition pursuant to 49 CFR 1570.119 occurs when the Administrator 
or designee has disposed of the petition by affirming, modifying, or 
rescinding the previous decision. Such disposition constitutes a final 
agency action for purposes of review under 49 U.S.C. 46110.

E. Recordkeeping Requirements (Sec.  1570.121)

    The final rule requires owner/operators to create and maintain 
lists of their security-sensitive employees and specify when these 
employees received the required training. Training records must include 
each trained employee's name, job title or function, date of hiring, 
and date and course information on the most recent security training 
that each employee received. Records for individual employees must 
reflect the training courses completed and date of completion. Records 
of an employee's initial and recurrent training must be maintained by 
owner/operators for no less than five years from the date of the 
training and available at the location(s) specified in the security 
training program approved by TSA.
    The final rule provides flexibility to owner/operators to decide 
whether to maintain the records in electronic format provided that (1) 
any electronic records system used is designed to prevent tampering, 
loss of data, or corruption of records, and (2) paper copies of 
records, and any amendments to these records, must be made available to 
TSA upon request for inspection or copying. Whether the records are 
kept in electronic or other form, the employee must be provided with 
proof of training upon request, at any time during the three-year 
recordkeeping period, without regard to the requestor's current status 
as an employee of that entity. As discussed above in II.J. (Initial 
Training), owner/operators may meet the proof-of-training requirement 
by providing a certificate, letter, or other similar documentation to 
the employee upon completion of training. In order for TSA to allow any 
owner/operator to rely upon previous security training to satisfy the 
requirements of this rule, it is critical that employees be able to 
validate whether they received previous training.
    TSA assumes training records are unlikely to include SSI, but 
nonetheless provides a reminder in this provision that any SSI 
maintained as a result of these recordkeeping requirements must be 
maintained consistent with the requirements in 49 CFR part 1520. For 
example, an owner/operator may decide to keep a copy of the content of 
the training program with the employee files (which is not required by 
the rule). If the curriculum contains SSI information, any file it is 
in must be stored as required by the SSI regulations. Owner/operators 
needing additional information about appropriately maintaining SSI may 
contact TSA for assistance and/or find information on TSA's 
website.\47\
---------------------------------------------------------------------------

    \47\ See https://www.tsa.gov/for-industry/sensitive-security-information.
---------------------------------------------------------------------------

F. Summary of Deadlines

    The following table summarizes the deadlines for the preceding 
programmatic requirements. The information is provided for operations 
that exist on the effective date of this rule and those that may 
commence or trigger applicability based on future modifications.

                                  Table 3--Summary of Deadlines for Compliance
----------------------------------------------------------------------------------------------------------------
                                                                         Dates
                                      --------------------------------------------------------------------------
             Requirement                                                                   New employees (hired
                                         Existing operations        New or modified       after TSA approves the
                                                                       operations           security program)
----------------------------------------------------------------------------------------------------------------
Effective date of rule...............  June 22, 2020..........
Deadline for notifying TSA of          July 22, 2020..........  90 calendar days before
 applicability determination                                     commencing new or
 (1570.105).                                                     modified operations.
Deadline for providing security        July 29, 2020..........  7 calendar days after
 coordinator information to TSA                                  commencement of
 (1570.201).                                                     operations.
Deadline for submission of security    90 calendar days from    90 calendar days after
 training program to TSA for approval   effective date.          commencing new or
 (1570.109(b)).                                                  modified operations.
TSA approval or notification of        60 calendar days from    60 calendar days from
 required modification (1570.109(c)).   receipt of security      receipt of security
                                        training program.        training program.
Initial training of security-          1 year from TSA          1 year from TSA          60 calendar days after
 sensitive employees (1570.111(a)).     approval of security     approval of security     employee first
                                        training program.        training program.        performs a security-
                                                                                          sensitive job function
                                                                                          (60th day, aggregated
                                                                                          over 12-month period,
                                                                                          if intermittent
                                                                                          employee).
Recurrent training of security-        Within three years of    Within 90 days of
 sensitive employees (1570.111(b)).     the date of initial      changes to security
                                        training and every       program or security
                                        three years thereafter.  plan affecting
                                                                 employees' security-
                                                                 related
                                                                 responsibilities.
----------------------------------------------------------------------------------------------------------------


[[Page 16470]]

V. Miscellaneous Changes

    This final rule includes the following changes to other provisions 
in TSA's regulations as necessary to implement these requirements.

A. Amendments to Part 1500

    Consistent with the rule's organization, TSA includes definitions 
for terms relevant to several subchapters of TSA regulations, beyond 
the requirements of subchapter D, in part 1500. Terms only relevant to 
the provisions in subchapter D are incorporated in Sec.  1570.3. Terms 
uniquely relevant to each mode or the other requirements in subchapter 
D are incorporated into the relevant parts.
    As noted in the NPRM, TSA is meeting a 9/11 mandate to define, 
through notice and comment rulemaking, the term ``security-sensitive 
material.'' To meet the requirement, TSA is incorporating by reference 
the definition of hazardous materials for which a security program is 
required under 49 CFR 172.800(b), promulgated by PHMSA through notice 
and comment rulemaking and in consultation with TSA.\48\ There are no 
current TSA-programmatic requirements linked to this definition. A full 
discussion of amendments to the terms in part 1500 is provided in the 
NPRM.\49\
---------------------------------------------------------------------------

    \48\ See 81 FR at 91344.
    \49\ See section III.A. of the NPRM. 81 FR at 91342 et seq.
---------------------------------------------------------------------------

B. Amendments to Part 1503

    TSA is making minor amendments to part 1503 (Investigative and 
Enforcement Procedures), as necessary, to conform these regulations to 
changes made by this final rule. In Sec.  1503.101(b), the scope of 
statutory provisions is amended to add authorities from the 9/11 Act 
that are administered by the TSA Administrator. These are conforming 
amendments with no cost impact.

C. Amendments to Part 1520

    TSA is also finalizing proposed modifications to part 1520 
(Protection of Sensitive Security Information). As discussed in the 
NPRM, these changes are necessary to conform the SSI provisions to 
include the transportation security-related requirements in this 
rule.\50\ The amendments are limited to: (1) Eliminating unnecessary 
terms from part 1520 that are added to part 1500 and (2) replacing the 
limiting term ``rail transportation security requirement'' with 
``surface transportation security requirement.'' In some places, such 
as the definition of ``vulnerability assessment'' in Sec.  1520.3, TSA 
is streamlining a lengthy description of types of transportation to 
simply state ``aviation, maritime, or surface transportation.''
---------------------------------------------------------------------------

    \50\ See id. at 91343-91345.
---------------------------------------------------------------------------

    The impact of these revisions should also be minimal. Under Sec.  
1520.7(j), any person who has access to SSI is required to protect it 
according to the requirements of the regulation. Most of the population 
affected by this rule has previously received SSI information from TSA, 
as well as training on the proper handling of SSI, and has procedures 
in place to ensure the requirements of the regulation are met.\51\
---------------------------------------------------------------------------

    \51\ See https://www.tsa.gov/for-industry/sensitive-security-information.
---------------------------------------------------------------------------

D. Amendments to Part 1570

    Because of the significant restructuring of part 1570, as discussed 
above, the rule text includes the entire part. In addition, TSA is 
adding a provision related to security responsibilities and relocating 
to this part the provisions related to compliance, inspection, and 
enforcement (previously in part 1580).
1. Security Responsibilities for Employees and Other Persons (Sec.  
1570.7)
    Under Sec.  1570.7, the obligation for compliance is not limited to 
owner/operators specifically referenced under applicability provisions. 
Rather, any person may be held to have violated these rules, including 
contractors who provide service to owner/operators and the employees of 
such contractors. This provision in subchapter D ensures a uniform 
application of TSA's enforcement policy across all modes of 
transportation, consistent with TSA's authority under 49 U.S.C. 
114(f).\52\ In addition to violations for failure to comply with 
requirements, TSA can also pursue enforcement actions for interfering 
with compliance or hiding evidence of non-compliance. Contractors are 
also subject to inspection for compliance with this rule and 
enforcement actions, as discussed below.
---------------------------------------------------------------------------

    \52\ See 49 U.S.C. 114(f)(7) and (11). A similar provision 
applicable to aviation employees and other related persons is in 49 
CFR 1540.105(a)(1) and (b).
---------------------------------------------------------------------------

2. Compliance, Inspection, and Enforcement (Sec.  1570.9)

    TSA is mandated to: (1) Enforce its regulations and requirements; 
(2) oversee the implementation and ensure the adequacy of security 
measures; and (3) inspect, maintain, and test security facilities, 
equipment, and systems for all modes of transportation.\53\ This 
mandate applies even in the absence of rulemaking, but TSA has chosen 
to include a restatement of its authority in its rules. The statute 
specifically requires TSA to--
---------------------------------------------------------------------------

    \53\ See 49 U.S.C. 114(f).
---------------------------------------------------------------------------

     Assess threats to transportation;
     Enforce security-related regulations and requirements;
     Inspect, maintain, and test security of facilities, 
equipment, and systems;
     Ensure the adequacy of security measures for the 
transportation of cargo;
     Oversee the implementation, and ensure the adequacy, of 
security measures at airports and other transportation facilities;
     Require background checks for airport security screening 
personnel, individuals with access to secure areas of airports, and 
other transportation security personnel; and
     Carry out such other duties, and exercise such other 
powers, relating to transportation security as the Administrator 
considers appropriate, to the extent authorized by law.
    While current part 1570 includes a provision stating TSA's 
compliance, inspection, and enforcement authority, it does not provide 
the same detail found in other regulatory provisions.\54\ Therefore, 
TSA is transferring the text of current Sec.  1580.5 to subpart A as 
Sec.  1570.9, with minor modifications to reflect the addition of 
certain bus operations that have previously been unregulated by 
TSA.\55\
---------------------------------------------------------------------------

    \54\ Compare current Sec.  1570.11 with current Sec.  1580.5. 
The provision in part 1580 is also consistent with 49 CFR 1542.5, 
1544.3, 1546.3, 1548.3, and 1549.3.
    \55\ A more detailed discussion of current Sec.  1580.5, still 
relevant to the section, can be found in the preamble for current 
part 1580. See 71 FR 76852 (Dec. 21, 2006) and the Rail Security 
Rule, see supra n. 8. (Final Rule).
---------------------------------------------------------------------------

3. ``Covered Person'' (Sec.  1570.305)
    This final rule includes a technical correction to Sec.  1570.305 
(currently Sec.  1570.13) of subchapter D as part of this rulemaking. 
This provision prohibits public transportation agencies and rail 
carriers from knowingly misrepresenting Federal guidance or regulations 
related to security background checks for certain individuals.\56\ The 
definitions in the section currently include the term ``covered 
individual,'' which may result in confusion as to whether the term has 
the same meaning as ``covered person'' in TSA's programs to address 
access to SSI.\57\ To eliminate any potential for confusion, this rule 
amends Sec.  1570.305

[[Page 16471]]

to delete the definition and consistently use the term ``employee'' (as 
defined by this rulemaking in Sec.  1570.3) rather than ``covered 
individual.'' This change is for clarification purposes only and has no 
substantive impact.
---------------------------------------------------------------------------

    \56\ This final rule moves this section from Sec.  1570.13 of 
subchapter D to section Sec.  1570.305. The requirement was added to 
address another 9/11 Act requirement. See 73 FR 44665 (July 31, 
2008) for more information on the rulemaking that added this 
provision.
    \57\ See 49 CFR 1520.7.
---------------------------------------------------------------------------

VI. Summary of Changes

    The following table summarizes changes between the NPRM and final 
rule.

                             Table 4--Summary of Changes Between NPRM and Final Rule
----------------------------------------------------------------------------------------------------------------
            Section No.                 Section title           Change from NPRM              Implication
----------------------------------------------------------------------------------------------------------------
1570.111(b).......................  Implementation         In response to comments,    Cost Savings.
                                     schedules (recurrent   TSA is modifying the
                                     security training).    recurrent security
                                                            training schedule to a
                                                            three-year cycle rather
                                                            than annual. Changes to
                                                            security programs and
                                                            plans may require
                                                            training certain
                                                            employees within 90 days
                                                            of the changes.
1570.113..........................  Amendments requested   NPRM proposed requiring     TSA recognizes that some
                                     by owner/operator.     owner/operators to          owner/operators may have
                                                            request an amendment to     security programs that
                                                            their security training     address issues not
                                                            programs when there are     related to
                                                            changes to (a) ownership    transportation security,
                                                            or control of operations    such as theft or
                                                            and/or (b) measures,        vandalism. TSA is
                                                            training, or staffing       narrowing the scope of
                                                            described in the security   the requirement to
                                                            program. The final rule     reduce the burden. The
                                                            includes a specific list    final rule identifies
                                                            of the types of changes     the types of issues that
                                                            that would trigger the      would require amendment.
                                                            need to update the          The list of issues used
                                                            security training           by TSA is consistent
                                                            program. The NPRM also      with the requirements
                                                            proposed to require an      for security plans in
                                                            amendment to be filed       sections 1405, 1512, and
                                                            within 45 days before the   1531 of the 9/11 Act.
                                                            amendment takes effect.     Modifying the deadline
                                                            The final rule requires     for requesting an
                                                            an amendment to be          amendment is intended to
                                                            requested no later than     provide clarity for
                                                            65 days after the change    compliance and be more
                                                            to the security program/    appropriate for the
                                                            measures/plans takes        types of amendment-
                                                            effect.                     requests TSA expects to
                                                                                        receive.
1570.201..........................  Security coordinator.  NPRM proposed requiring     The scope of this
                                                            all public transportation   requirement in the NPRM
                                                            agencies to have a          was broader than TSA
                                                            security coordinator.       intended as the result
                                                            Final rule limits the       of a drafting error. TSA
                                                            scope of the requirement    intended the security
                                                            to rail operations of       coordinator requirement
                                                            public transportation       to apply to all of the
                                                            agencies and the bus-only   rail operations and
                                                            operations of those         shippers/receivers
                                                            determined by TSA to be     covered by the Rail
                                                            higher-risk.                Security Rule, plus bus
                                                                                        operations required to
                                                                                        provide security
                                                                                        training under this
                                                                                        rule.
1570.203..........................  Reporting significant  NPRM proposed requiring     The scope of this
                                     security concerns.     all public transportation   requirement in the NPRM
                                                            agencies to report          was broader than TSA
                                                            security issues. Final      intended as the result
                                                            rule limits the scope of    of a drafting error. TSA
                                                            the requirement to rail     intended the reporting
                                                            operations of public        requirement to apply to
                                                            transportation agencies     all of the rail
                                                            and the bus-only            operations and shippers/
                                                            operations of those         receivers covered by the
                                                            determined by TSA to be     Rail Security Rule, plus
                                                            higher-risk.                bus operations that are
                                                                                        required to provide
                                                                                        security training under
                                                                                        this rule.
1570.305..........................  False statements       TSA is making a technical   This technical revision
                                     regarding security     correction to this          eliminates potential
                                     background checks by   provision by replacing      confusion in the
                                     public                 the term ``covered          terminology.
                                     transportation         individual,'' with the
                                     agency or railroad     term ``employee,'' which
                                     carrier.               is defined by this
                                                            rulemaking in Sec.
                                                            1570.3.
----------------------------------------------------------------------------------------------------------------

VII. Response to Comments on NPRM

    Following TSA's publication of the NPRM on December 16, 2016, 
industry associations, unions, and private citizens were among those 
who submitted comments in docket TSA-2015-0001. TSA's responses are 
organized by topic.

A. General Comments

1. Need for Rule
    Comments endorsing the rulemaking and recommending an expanded 
scope: A number of submissions included a statement of general support 
for TSA to issue this rulemaking. Commenters also endorsed the rule, 
noting that proper training could prevent harm to both employees and 
passengers. A few commenters suggested expanding the scope of the 
rulemaking to include additional training for surface workers, such as 
self-defense training, or to provide training to all American citizens 
to identify terrorist threats. One commenter supported a ``community of 
the whole'' approach, reflecting the collaborative and cooperative 
partnership between TSA and industry to detect and deter individuals 
seeking to commit acts of terrorism.
    TSA response: This rulemaking is intended to solidify a baseline of 
security training. Promulgation of this rule does not signal a change 
in TSA's commitment to maximize enhancements to surface transportation 
security through voluntary cooperation and collaboration. Consistent 
with this commitment, TSA does not believe it is necessary to expand 
the scope of applicability or requirements, but encourages owner/
operators to provide additional security training as they consider 
appropriate to address potential vulnerabilities or threats within 
their unique operational environments. As noted in the NPRM, TSA 
encourages owner/operators covered by this rule to determine

[[Page 16472]]

whether there are employees not covered by the scope of the security-
sensitive definition who could provide benefits to security if trained.
    Regarding the recommended expansion of the rule to cover broader 
populations, including the general public, DHS has numerous programs 
and initiatives to provide and encourage awareness of terrorist threats 
and appropriate responses. These initiatives include ``hometown 
security'' and the ``See Something, Say Something'' campaign. More 
information on these initiatives and training available to support them 
can be found on the DHS website.\58\ TSA also encourages owners/
operators not within the scope of the rule's applicability to 
voluntarily provide security training to their employees, using the 
curriculum requirements in this rule to guide development of voluntary 
security training programs. As noted in section II.A., TSA also intends 
to provide resources developed to support this rule to other owner/
operators, as appropriate.
---------------------------------------------------------------------------

    \58\ See www.dhs.gov/hometown-security and www.dhs.gov/see-something-say-something.
---------------------------------------------------------------------------

    Comments opposing rulemaking: Other commenters opposed the 
rulemaking, primarily because they believe certain modes already 
conduct training, and asserted these efforts make the rulemaking 
unnecessary. Three commenters expressed concern the rule overlaps with 
existing State and Federal training requirements, including the FRA's 
2014 final rule, which established minimum training standards for all 
safety-related railroad employees.\59\ One commenter suggested States 
may have different requirements, which should be considered in this 
rulemaking. Several commenters advocated for the rule to be voluntary, 
and noted voluntary training has so far produced exceptional results.
---------------------------------------------------------------------------

    \59\ See 79 FR 66460 (Nov. 7, 2014), codified at 49 CFR part 
243.
---------------------------------------------------------------------------

    TSA response: As previously discussed, TSA has a statutory mandate 
to publish a final rule requiring security training for frontline 
employees of public transportation agencies, railroads, and OTRB owner/
operators.\60\ The statutory mandate includes specific requirements for 
the content of the required security training. In addition, TSA 
determined it is necessary to require security training for employees 
of higher-risk surface transportation operations and appropriate to use 
its general authority under ATSA to issue a rule including these 
requirements.\61\
---------------------------------------------------------------------------

    \60\ See discussion in section I.A. of this rule. See also 81 FR 
91341 (discussion of statutory authorities and requirements for this 
rulemaking).
    \61\ See 81 FR 91339-91341 (discussion of purpose and 
authorities).
---------------------------------------------------------------------------

    The terrorism-related threat to surface transportation modes has 
not subsided and Congress has not retreated from its commitment to the 
need for this rule. Since enactment of the 9/11 Act, Members of 
Congress and the DHS Office of the Inspector General (OIG) have 
expressed continued interest in the publication of this rule.
    This rulemaking is intended to solidify the baseline for security 
training of surface employees. TSA recognizes the substantial efforts 
of our stakeholders to enhance their security posture since 9/11 and 
seeks to recognize and build upon these efforts. As noted in the NPRM, 
owner/operators subject to requirements to provide similar training may 
request to use this training to satisfy requirements in this rule. For 
example, TSA is aware that many public transportation agencies and 
railroads currently provide security training to comply with State or 
Federal training requirements. (TSA is not aware of any overlapping 
requirements for OTRB owner/operators.) If an owner/operator intends to 
use previous training or existing training programs in order to satisfy 
some or all of the requirements of this rule, the program submitted to 
TSA for approval must identify how the other training satisfies TSA's 
requirements. This will likely necessitate submitting the curriculum or 
lesson plan for that program and training records, as well as 
information on the employees who have completed the training and the 
date of the most recent training.
    Regarding voluntary training, TSA acknowledges many owner/operators 
of higher-risk surface transportation operations have voluntarily 
implemented security training programs addressing some of the 
requirements in this rule. As noted in the Preliminary Regulatory 
Impact Analysis and Initial Regulatory Flexibility Analysis (NPRM RIA), 
however, the private market may not provide adequate incentives for 
owner/operators to make an optimal investment in the full range of 
measures to reduce the probability of a successful terrorist attack 
based on the economics of externalities. Mandating security training 
for higher-risk operations will solidify the current baseline of 
security training established through voluntary measures.\62\
---------------------------------------------------------------------------

    \62\ See NPRM RIA at 116-117 (available in the docket to this 
rulemaking at www.regulations.gov).
---------------------------------------------------------------------------

2. Cost of Rule
    Comments: Some commenters expressed concern that the cost of the 
rulemaking is too high, and that the rule is too costly for industry to 
implement. Commenters also asserted the estimate of OTRB owner/
operators is too low, and questioned whether TSA's cost-estimate 
analysis considers the Unfunded Mandate Reform Act of 1995 (UMRA).\63\ 
One commenter generally suggested that the expense of providing 
security awareness training to surface transportation personnel may not 
be justified by the potential benefits. Another commenter, a mass 
transit agency in a large metropolitan area, estimated the cost of the 
rule to be higher than the estimate TSA provided in the NPRM RIA.
---------------------------------------------------------------------------

    \63\ Public Law 104-4, 109 Stat. 48 (Mar. 22, 1995), codified at 
2 U.S.C. 1501-1538.
---------------------------------------------------------------------------

    TSA response: A full discussion of the cost-benefit analysis is 
included in the Final Regulatory Impact Analysis and Regulatory 
Flexibility Analysis (Final RIA) \64\ and summarized in section 
VIII.B.1. While training and the other requirements of this final rule 
are not absolute deterrents for a terrorist intent on carrying out 
attacks on surface modes of transportation, TSA expects the probability 
of success for such attacks to decrease when the requirements of this 
rule are fully implemented.
---------------------------------------------------------------------------

    \64\ The Final RIA is available in the docket for this 
rulemaking at www.regulations.gov.
---------------------------------------------------------------------------

    Regarding the commenters' concerns that TSA's estimate of OTRB 
owner/operators within the scope of applicability is too low, TSA 
acknowledges the inherent uncertainty in this estimate due to the fluid 
and opaque nature of the industry. As described in the Final RIA, 
``many [OTRB] owner/operators that operate charter and/or tour services 
also provide scheduled or fixed-route services, sometimes on an ad hoc 
basis, making it difficult for any one source to keep track of those 
that may provide scheduled service as part of their non-primary 
operation.'' \65\ In response to the issue of disparate data, TSA 
consulted multiple sources and databases to build its estimate. The 
commenter who stated the OTRB estimate was too low did not provide any 
reason to support the claim that TSA underestimated the number of 
affected owner/operators or any source/

[[Page 16473]]

data to back up the assertion. As mentioned in the NPRM RIA, TSA sought 
public contribution to refine its estimate, but neither the commenter 
nor anyone else provided any data or new information on which to build 
a different estimate.
---------------------------------------------------------------------------

    \65\ Id. at 40. Note: Under the requirements of this rule, any 
owner/operators conducting ad hoc or sub-contracted service for a 
regulated person must comply with the requirements of the rule as an 
authorized representative. Similarly, an owner/operator not subject 
to the requirements of the rule may trigger applicability if they 
contract for ad hoc or subcontracted service through an area that 
triggers applicability.
---------------------------------------------------------------------------

    Title II of UMRA establishes requirements for Federal Agencies to 
assess the effects of their regulatory actions on State, local, and 
tribal governments and the private sector.\66\ Agencies must prepare a 
written statement, including a cost-benefit analysis, for proposed and 
final rules with ``Federal mandates'' that may result in expenditures 
by State, local, and tribal governments, in the aggregate, or by the 
private sector, of $100 million or more in any one year.\67\ TSA's 
analysis for both the NPRM RIA and Final RIA determined this rule does 
not contain a Federal mandate that may result in expenditures of $100 
million or more either for State, local, and tribal governments in the 
aggregate, or for the private sector in any one year.
---------------------------------------------------------------------------

    \66\ See supra n. 63.
    \67\ Id. at sec. 202, codified at 2 U.S.C. 1532. The $100 
million in 1995 dollars is adjusted for inflation to 2017 dollars 
using the GDP implicit price deflator for the U.S. economy. Bureau 
of Economic Analysis, National Data, Table 1.1.4. Price Indexes for 
Gross Domestic Product, Line 1 Gross domestic product. Available at: 
https://apps.bea.gov/iTable/iTable.cfm?reqid=19&step=2#reqid=19&step=2&isuri=1&1921=survey.
---------------------------------------------------------------------------

    The commenter who stated security awareness training may not be 
justified by the potential benefits did not provide data to support 
this assertion. Based upon the data available to TSA, as shown in the 
Final RIA, TSA disagrees with the commenter. In both the NPRM and Final 
RIA, TSA includes a chapter, titled ``Benefits of Employee Security 
Training,'' which identifies the security risks to surface 
transportation and explains how providing employees with the knowledge 
to prepare, observe, assess, and respond to a terrorist-related threat 
or incident reduces the vulnerability to a terrorist attack. In 
addition, TSA conducted a break even analysis that compared the cost of 
the surface training program to the direct economic losses that would 
be averted by avoiding certain terrorist attack scenarios. Given the 
relatively small costs of implementing training compared to the 
catastrophic costs of a successful terrorist attack, this analysis 
found that the rule would only have to deter, at minimum, one attack 
every 40 years for the benefits to equal costs for freight rail, a 
number that increases to one attack every 166 years for OTRBs.\68\ The 
monetized benefits of preventing an attack would likely be greater were 
TSA to conduct a break even analysis that accounts for the difficult-
to-estimate macroeconomic and other indirect impacts (avoided indirect 
costs) that may be even more significant than the direct impacts of the 
attack. Avoided consequences, such as the value of a reduction in fear 
felt by the public at large, are not included in the analysis because 
they are difficult to measure and quantify. Given these results and the 
demonstrated effectiveness of employee training--including security 
awareness in mitigating terrorist attacks \69\--TSA believes the 
benefits of the rule justify its costs. Finally, as previously 
discussed, TSA is under a statutory mandate to publish a final rule 
requiring security training for frontline employees of public 
transportation agencies, railroads, and OTRB owner/operators.
---------------------------------------------------------------------------

    \68\ See Final RIA at Section 4.3.
    \69\ See id. at Section 4.1 (full summary of the threat to 
surface transportation and an example of security training 
effectiveness).
---------------------------------------------------------------------------

    One commenter, from a large metropolitan area public transportation 
system, provided information to support statements that the costs of 
implementing the rule would be higher than TSA estimated in the NPRM 
RIA for that commenter. TSA believes there are a number of issues with 
the commenter's estimate that result in an overestimation of the rule's 
burden. The commenter assumed the duration of training to be three 
hours when TSA estimates that training for security-sensitive employees 
of a PTPR owner/operator will likely average 1 hour and 20 minutes in 
order to address all of the required elements in this rule.\70\ The 
commenter appears to base their three hour estimate on an assumption 
that a classroom setting and development of original course material is 
necessary. As further discussed below in section VII.D., TSA is not 
requiring instructor or classroom training and will further mitigate 
costs by providing a video, free of charge, to regulated owner/
operators for compliance with the parts of the rule. TSA intends for 
this material to cover three of the four PTPR training elements in the 
rule and take less than one hour.
---------------------------------------------------------------------------

    \70\ See Final RIA at Section 2.4 for an explanation and 
rationale as to why TSA estimates 1 hour and 20 minutes is needed to 
train mass transit agencies' security-sensitive employees on the 
training components of the final rule.
---------------------------------------------------------------------------

    Finally, the commenter comes from one of the largest metropolitan 
areas in the United States with one of the highest costs of living. This 
leads TSA to believe that the estimate provided by the commenter is 
likely higher than the national average of transit agencies. TSA used 
national wage data for transit agencies from the Bureau of Labor 
Statistics to estimate cost of the rule to PTPR owner/operators. TSA 
believes this is a reasonable rate to calculate incurred costs to 
regulated PTPR owner/operators because it encompasses the entire 
transit industry (which are typically found in cities around the 
country). Based on this analysis, TSA believes its cost-assessment for 
the final rule is representative of the incremental burden PTPR owner/
operators will incur from implementing the regulatory requirements at a 
national level. However, TSA does acknowledge that differences in the 
cost of labor among the various cities may contribute to certain 
transit agencies having higher or lower costs than the national 
average.
3. Stakeholder Consultation
    Comments: Several commenters suggested TSA consult with labor 
unions in drafting the rulemaking, as required by the 9/11 Act, and 
also reach out to international security experts.
    TSA response: The 9/11 Act directed TSA to consult with major 
stakeholders during the development of the NPRM, including labor 
organizations. As noted and summarized in the NPRM, TSA conducted 
numerous meetings and conference calls with all necessary parties, 
including relevant labor organizations.\71\ In addition to inviting 
participation of labor union representatives in many of the mode-
specific meetings, TSA also met directly with labor unions as part of 
its stakeholder consultation process, including the Transportation 
Trades Department of the American Federation of Labor and Congress of 
Industrial Organizations, the International Brotherhood of Teamsters, 
the Brotherhood of Locomotive Engineers, and the Amalgamated Transit 
Union.\72\
---------------------------------------------------------------------------

    \71\ See 81 FR 91336 at 91368-91370.
    \72\ See id. at 91370.
---------------------------------------------------------------------------

    International outreach is also a key component of TSA's 
transportation security mission. TSA surface representatives partner 
with the international community through a number of forums, such as 
INTERPOL, European Network of Railway Police Forces (RAILPOL), and the 
United Nations-led International Working Group Land Transport Security 
(IWGLTS). These meetings include a regular exchange of lessons learned 
in addressing emerging threats within the surface transportation 
environment.
4. Terms
    Comments on definition of ``transportation security-sensitive 
materials (TSSM)'': Several commenters

[[Page 16474]]

asked for clarification regarding how the TSSM definition applies to 
motor coaches, and suggested industry aid TSA in determining what 
should qualify as TSSM. One commenter asked TSA to provide handling and 
storage information regarding TSSM specific to the motor coach 
industry.
    TSA response: As noted in the NPRM, TSA is satisfying a 9/11 Act 
requirement to define TSSM \73\ by incorporating by reference the 
hazardous materials identified in 49 CFR 172.800(b). There are no 
specific requirements in the rule related to the definition. To the 
extent there are requirements associated with the materials identified 
in 49 CFR 172.800(b), persons should consult 49 CFR part 172, the 
hazardous materials rules promulgated by PHMSA. The PHMSA rules include 
security requirements related to these specific materials. The PHMSA 
requirements were promulgated through notice and comment rulemaking, 
including participation by relevant stakeholders in developing the list 
of materials.
---------------------------------------------------------------------------

    \73\ Id. at 91344.
---------------------------------------------------------------------------

    Comments on definition of ``host railroad'': One commenter asserted 
the definition of ``host railroad'' is confusing. Additionally, the 
commenter noted TSA's expectations of the railroads responsible for 
ensuring training of employees in ``host'' situations are unclear, as 
railroads currently train employees under existing training programs.
    TSA response: As noted in the NPRM,\74\ TSA is defining ``host 
railroad'' consistent with the definition well-established by use for 
the rail industry under rules of the FRA.\75\ Under this rule, both the 
host and tenant railroads are required to have a training program that 
appropriately addresses the ramifications of the hosting relationship. 
For example, the host railroad's training program will need to address 
the operational considerations of the hosting relationship, such as 
training dispatchers on their role and responsibilities in halting the 
tenant railroad's operations over a segment of track where there is a 
potential threat (such as a suspected IED or tampering with 
infrastructure). Similarly, a tenant railroad subject to the security 
training requirements of 49 CFR part 1582 (PTPR), will need to address 
the operational considerations of the hosting relationship, such as 
instructing its train and engine employees on the proper communication 
procedures to follow when a potential threat is identified. Under 
either example, the host and tenant railroad owner/operators will only 
be responsible for training their own employees.
---------------------------------------------------------------------------

    \74\ Id. at Table 3, Explanation of Proposed Terms and 
Definitions.
    \75\ See 49 CFR 236.1003.
---------------------------------------------------------------------------

    When inspecting for compliance by regulated parties participating 
in a contractual relationship, TSA will consider the freight railroad 
carrier (the private company) to be an authorized representative of the 
PTPR owner/operator (the owner/operator of the passenger train 
service). TSA will hold the PTPR owner/operator primarily responsible 
for compliance and for ensuring that all security-sensitive employees 
receive the required training, whether they are employed directly by 
the PTPR owner/operator or contractor. The PTPR owner/operator must 
train the freight railroad carrier's employees performing security-
sensitive functions related to the passenger train service.\76\
---------------------------------------------------------------------------

    \76\ See supra, section II.A.4 for more discussion on the 
distinction between hosting and contractual relationships and the 
ramifications for responsibility of providing security training.
---------------------------------------------------------------------------

B. Investigative and Enforcement Procedures

    Comments on penalties and violations under 49 CFR part 1503: 
Several commenters requested clarification regarding the exact 
penalties for non-compliance, and others asked TSA to explain the basis 
of violations.
    TSA response: The 9/11 Act included authority for TSA to assess 
civil penalties for violations of title 49 of the U.S. Code, including 
surface transportation requirements.\77\ TSA posts, and regularly 
updates, its sanction policies on its website.\78\ Between this rule's 
date of publication and effective date, TSA will update this policy to 
address violations of this rule.
---------------------------------------------------------------------------

    \77\ See sec. 1302(a) of the 9/11 Act. TSA is issuing this rule 
under the authority of 49 U.S.C. 114.
    \78\ See https://www.tsa.gov/sites/default/files/enforcement_sanction_guidance_policy.pdf.
---------------------------------------------------------------------------

    Comments on compliance, inspection, and enforcement under 49 CFR 
1570.9: Several commenters expressed concern regarding how TSA will 
enforce the rule. One commenter suggested TSA and relevant DOT 
components should develop a cooperative enforcement program allowing 
DOT personnel to enforce TSA's security training requirements as they 
conduct their safety inspections. Several commenters suggested TSA 
coordinate with the owner/operator before an inspection, and one 
suggested that TSA provide an audit checklist before arriving on the 
owner/operator's property. Another commenter asked TSA inspectors to 
undergo safety training before visiting the property. Finally, one 
commenter suggested TSA consider an audit program for contractors, 
rather than making the owner/operator responsible for ensuring 
contractors receive training or otherwise comply with the rule's 
requirements.
    TSA response: As explained in the NPRM, TSA is mandated to: (1) 
Enforce its rules and requirements; (2) oversee the implementation and 
ensure the adequacy of security measures; and (3) inspect, maintain, 
and test security facilities, equipment, and systems for all modes of 
transportation.\79\ TSA's authority over transportation security is 
comprehensive and supported with specific powers related to the 
development and enforcement of security-related regulations and other 
requirements. Within this broad authority, the agency may assess a 
security risk for any mode of transportation and develop security 
measures for dealing with this risk.\80\ If TSA identifies 
noncompliance with its requirements, TSA may hold the owner/operators 
responsible for the violation and subject to enforcement action, which 
may result in civil monetary penalties.\81\
---------------------------------------------------------------------------

    \79\ See 81 FR 91341, citing 49 U.S.C. 114.
    \80\ 49 U.S.C. 114(f) and (l).
    \81\ 49 U.S.C. 114(f) and (v).
---------------------------------------------------------------------------

    Pursuant to its statutory authority and responsibilities, TSA is 
the sole Federal agency with authority to enforce its regulations. 
DOT's components do not have authority to enforce TSA's rules and TSA 
cannot enforce theirs. DHS and DOT, however, do consult and coordinate 
with each other on security-related issues pursuant to various 
memoranda of understanding (MOU). To mitigate concerns about 
duplication of efforts by inspectors, DHS has entered into an MOU with 
DOT with separate annexes between TSA and the modal components of DOT. 
These annexes address coordination on regulatory matters.
    When appropriate, TSA will coordinate with an owner/operator on 
inspections. Notice gives the parties to be inspected the opportunity 
to gather evidence of compliance and to arrange to have the appropriate 
personnel available to assist TSA. Some inspections, however, can only 
be effective if TSA's presence is unannounced. TSA must have the 
flexibility to respond to information, operations, and specific 
circumstances whenever they exist or develop.
    Security concerns are different at different times of the day and 
on different days of the week. Terrorists may seek to take advantage of 
vulnerabilities whenever they occur.

[[Page 16475]]

TSA has the authority to assess the security of transportation entities 
during all times of the day or night and under all operational 
situations (including nights, weekends, and holidays). The nature of 
any given TSA inspection will depend on the specific circumstances 
surrounding a particular owner/operator at a given point in time and 
will be considered in conjunction with available threat information.
    An audit checklist is unnecessary for this program. Under the rule, 
owner/operators are required to submit a security training program to 
TSA for approval. As the regulated owner/operators are the original 
drafters of the security training program approved by TSA, they should 
not need a checklist from TSA to inform them of the program's content 
and requirements. The use of TSA-provided training material does not 
eliminate the owner/operator's ownership of the program and knowledge 
of the program's contents. The security training program developed and 
submitted by the owner/operator to TSA for approval is likely to 
include additional information provided or developed by the owner/
operator to meet all of the curriculum requirements.
    Regarding having TSA inspectors undergo safety training prior to 
visiting a property, TSA's inspectors are properly trained regarding 
how to safely inspect an owner/operator's property and the importance 
of complying with official safety-related requirements while on the 
owner/operator's property. For example, TSA puts its inspectors through 
a rigorous training program, incorporating classroom and field 
training, so inspectors are knowledgeable on all aspects related to 
this regulatory program as well as on safety issues. TSA recognizes the 
importance of this training to ensure inspectors avoid danger to 
themselves, to workers on the inspected property, to travelers, and to 
the inspected property.
    Finally, concerning the suggestion that TSA consider an audit 
program for contractors, in lieu of making the owner/operator 
responsible for ensuring contractors receive training, TSA applies two 
important regulatory policies related to responsibilities of 
contractors. First, contractors performing measures required under 
TSA's rules are ``authorized representatives'' of the regulated 
party.\82\ As part of its general enforcement policy, TSA consistently 
holds regulated parties responsible for the actions of their authorized 
representatives.
---------------------------------------------------------------------------

    \82\ See the rule's definition of ``authorized representative'' 
in 49 CFR 1500.3.
---------------------------------------------------------------------------

    Second, authorized representatives and other contractors (and their 
employees) are also responsible for complying with TSA's regulatory 
requirements. Under section 1570.7 of this rule, any person may be 
subject to enforcement action for violations of the rule, including 
contractors who provide service to owner/operators and the employees of 
such contractors. As a result, TSA could pursue an enforcement action 
against the regulated party, the regulated party and the contractor as 
an authorized representative, or against the contractor.

C. Part 1570--General Rules

1. Terms Used in This Subchapter (Sec.  1570.3)
    Comments on definition of ``security-sensitive employees'': In 
addition to comments of general support for the definition of security-
sensitive employee, TSA received a few questions about the term. One 
commenter sought more information on what defines an employee in a 
security-sensitive position, specifically asking whether the definition 
includes a cyber-expert or a frontline engineer staffing a commuter 
train. Another commenter suggested replacing the term with ``Frontline 
Employees'' for consistency with the 9/11 Act, finding the term 
``security-sensitive'' to be confusing and therefore subject to 
misinterpretation. Further, this commenter found no risk-based 
justification for establishing a classification of employees to 
determine who should receive security training.
    TSA response: As discussed in the NPRM, the definition of 
``security-sensitive employees'' includes employees who perform 
functions with a direct nexus to, or impact on, transportation security 
based on their job functions.\83\ Engineers are specifically covered 
within the job functions identified for 49 CFR parts 1580 (freight 
railroads) and 1582 (public transportation and passenger railroads). A 
cyber-expert may be considered a security-sensitive employee based upon 
specific job functions, such as functions involving control or movement 
of trains, or because of other cyber-security responsibilities related 
to the owner/operator's security measures in its security plan to 
protect the integrity of its information systems.
---------------------------------------------------------------------------

    \83\ 81 FR 91333 et seq.
---------------------------------------------------------------------------

    TSA chose the term ``security-sensitive'' for this rule to mirror 
the term ``safety-sensitive'' used in rules promulgated by DOT. There 
is no statutory requirement for TSA to specifically use the term 
``frontline employee,'' as long as the scope of the rule includes the 
employees identified in relevant portions of the 9/11 Act, which it 
does.
    Finally, as discussed in the NPRM,\84\ TSA applied a risk-based 
approach to all requirements in this rule, including the definition of 
security-sensitive employee. The NPRM explained TSA began with an 
analysis of the employees listed in the 9/11 Act's definitions of 
``frontline employees'' who must receive training \85\ and then 
considered whether other employees may also be in a position to spot 
suspicious activity because of where they work, their interaction with 
the public, or their access to information. TSA also considered who 
needs to know how to report or respond to these potential threats. This 
additional group of employees includes managers, supervisors, or others 
who perform the function or who so directly supervise the performance 
of a function that their nexus to the job function is equivalent to the 
employee.
---------------------------------------------------------------------------

    \84\ See id. at 61353-61355.
    \85\ See id. at Table 6, Comparison of security training NPRM 
proposed categories for ``security-sensitive employees'' to 9/11 Act 
definitions of ``frontline employees'' who must be trained.
---------------------------------------------------------------------------

2. Recognition of Prior or Established Security Measures or Programs 
(Sec.  1570.7)
    Comments related to use of existing training: Several commenters 
suggested that TSA should allow use of previous training or programs to 
satisfy the rule's requirements. The range of these existing programs 
includes training provided under TSA's First Observer™ 
program and existing railroad security training, which commenters 
assert meets the intent of the 9/11 Act. Commenters noted that both 
freight and passenger railroads currently maintain effective security 
training programs.
    Comments on how to use these existing programs varied, including 
allowing owner/operators to amend their existing programs to make them 
comply with the rule's requirements; letting currently trained 
employees be ``grandfathered'' in as long as their training meets the 
rule's requirements; and a request that TSA determine these existing 
training programs meet the 9/11 Act's requirements without imposing 
additional regulatory requirements.
    Finally, a commenter expressed concern that owner/operators will be 
allowed to fulfill the training requirements in a variety of ways, 
creating unique programs for each system. The commenter noted the

[[Page 16476]]

training requirements may become overly burdensome for employees and 
employers if an employee must be re-trained every time he or she leaves 
one transportation operation and joins another.
    TSA response: Consistent with requirements of the 9/11 Act, the 
rule specifically provides for recognition of previous training in 
Sec.  1570.107.\86\ Under this section, owner/operators can use 
previously provided training meeting or exceeding the requirements of 
the rule to the extent they can provide documentation of the training 
and validation this training satisfies the requirements applicable to 
that employee. The rule also provides owner/operators with the 
flexibility to use other training programs addressing some or all of 
the same topics to satisfy the regulatory requirements in Sec. Sec.  
1580.113(c), 1582.113(c), and 1584.113(c).\87\
---------------------------------------------------------------------------

    \86\ See id. at 91347 for the discussion on this topic in the 
NPRM.
    \87\ See id. at 91361-91362.
---------------------------------------------------------------------------

    TSA recognizes that many of the owner/operators to be regulated by 
this rule have taken voluntary actions to raise their security 
baseline. TSA applauds these efforts, but also notes that they do not 
negate the benefits of this rulemaking. The purpose of this rule is to 
solidify the baseline for those that have already implemented security 
training programs, and to raise those who have not to a consistent 
standard across higher-risk operations. To the extent owner/operators 
established security training programs consistent with the 9/11 Act as 
a voluntary initiative or implemented use of TSA's First 
Observer™ program,\88\ and continue to provide regular 
training to their employees, these efforts should significantly 
mitigate any costs for compliance with the rule.
---------------------------------------------------------------------------

    \88\ The First Observer™ program, previously known 
as Operation Secure Transport, has been in use for highway motor 
carriers (OTRB owner/operators) and covers the Observe, Assess, and 
Respond security training components required by this rulemaking. 
TSA credits those OTRB owner/operators who have used the First 
Observer™ program in its RIA (full description in 
Section 1.5 of the Final RIA).
---------------------------------------------------------------------------

    Finally, the provision on use of previous training, in Sec.  
1570.107, also addresses concerns about unique training programs and 
the impact on employees who change jobs. If the owner/operator can 
validate the content and timing of the previous training, the rule 
allows this training to be credited towards satisfying the regulatory 
requirements. At most, the new employer may need to supplement portions 
of previous training to address unique aspects of its own TSA-approved 
security training program. This allows the owner/operator to ensure all 
of the security-sensitive employees receive training specific to their 
operations in order to best mitigate security risks.
3. Submission and Approval (Sec.  1570.109)
    Comments on frequency of submitting security training programs to 
TSA: Two commenters suggested companies should be permitted to submit 
training plans and curriculum only once to TSA, which TSA would store 
and review on a yearly basis and make recommended changes based on the 
current threat.
    TSA response: The rule does not impose a specific schedule for 
owner/operators to submit updates to their security programs, such as 
an annual update. It does, however, require owner/operators to request 
to amend their programs if necessary to reflect changes in ownership or 
permanent changes in operations affecting the security training program 
or curriculum.\89\ For example, a program may need to be updated if the 
owner/operator replaces equipment resulting in instructions conflicting 
with the current security training curriculum, or expands operations 
into a new commodity with different risks, changes personnel structures 
affecting reporting, or begins operations in a new geographical area. 
In addition, the final rule narrows the scope of amendments required 
for changes to security measures or plans. Recognizing an owner/
operator's security program may include issues not specifically 
relevant to the scope of transportation security this rule is intended 
to address, the final rule includes a list of the specific type of 
measures and program changes triggering the requirement to request an 
amendment. TSA may also require owner/operators to amend their plans in 
the interest of the public and transportation security.\90\
---------------------------------------------------------------------------

    \89\ See Sec.  1570.113 and discussion in section IV.B.1.
    \90\ See Sec.  1570.115 and discussion in section IV.B.2.
---------------------------------------------------------------------------

    Comments on methods for submitting security programs to TSA: A 
number of commenters supported submitting training programs to TSA via 
electronic means, such as in email on a secured password protected 
platform. One commenter also expressed support for the proposed initial 
security program submission and approval process, as well as the 
amendment approval process.
    Two commenters, however, raised concerns with this process, 
claiming it is too rigid and cumbersome to be effective. Commenters 
noted railroad training programs are robust and adaptable, evolving to 
address threats and security concerns. To continue to be effective, the 
commenters advocated that they be allowed to update their programs as 
needed without TSA approval. They also noted the FRA already oversees 
railroad security training programs, and TSA inspectors can review the 
same materials. They noted that given their current process, the NPRM 
lacked adequate justification for the imposition of a prescriptive 
process for submission, review, and approval of training programs 
already in effect.
    TSA response: In response to concerns regarding form of submission, 
TSA intends to allow for electronic submission of required 
documentation, consistent with SSI requirements. Relating to the need 
for updating programs, the final rule requires owner/operators to adapt 
their training materials to address specific threats in the various 
modes as they emerge. TSA approval is not required for an update unless 
the changes stay in effect for more than 60 days. For example, an 
owner/operator may provide additional training to address risks 
associated with a city hosting a national special security event. If 
the changes are to stay in effect for more than 60 days, the owner/
operator must formally request approval to amend their security 
program. As the required content for the required security training is 
general operation security, TSA does not anticipate the TSA-approved 
security training needing to change significantly in response to a 
specific threat.
    As to the concern about duplication of effort, TSA may accept all 
or portions of an owner/operator's existing security training. Under 
Sec.  1570.107, an owner/operator may rely on previous training 
provided within the stipulated periods for initial or recurrent 
training, as validated by TSA (based on information submitted by the 
owner/operator). In addition, the rule provides for owner/operators to 
rely on training conducted pursuant to other requirements to satisfy 
the rule's security training requirements.\91\ In fact, the rule 
specifically references training required by FRA.\92\ In reviewing 
material prepared for other requirements, TSA will determine whether 
the material adequately addresses security training from TSA's 
perspective and reduces the risk of a terrorist-related attack on the 
transportation. As previously noted, TSA mitigates concerns about

[[Page 16477]]

duplication of inspections, through the annexes to the DHS/DOT MOU. 
These annexes address distinctions between TSA's focus on security and 
DOT's focus on safety, as well as coordination on regulatory matters 
between TSA and the relevant modal components of DOT.
---------------------------------------------------------------------------

    \91\ See Sec. Sec.  1580.113(c), 1582.113(c), and 1584.113(c).
    \92\ See Sec. Sec.  1580.113(c) and 1582.113(c).
---------------------------------------------------------------------------

    Finally, regarding the prescriptive process requirements, TSA 
reviewed all requirements in this rule to identify any options to 
reduce the burden without undermining the rule's effectiveness or 
conflicting with requirements in the 9/11 Act. The 9/11 Act 
specifically requires submission of the training programs to DHS for 
approval and regular updates.\93\ TSA believes the submission and 
approval requirements in Sec.  1570.109 are consistent with this 
statutory requirement, provide clear instruction on how this 
requirement is to be met, and ensure consistent application of the 
rule's requirements.
---------------------------------------------------------------------------

    \93\ 9/11 Act sections 1408(d), 1517(d), and 1534(d).
---------------------------------------------------------------------------

4. Implementation Schedule (Sec.  1570.111)
    Comments on initial security training: Several commenters advocated 
for the proposed accumulated grace periods, ranging from 90 to 180 
days, to allow recently hired employees to work before they complete 
the training requirements. One commenter suggested abandoning the 
accumulated days concept and replacing it with a requirement for all 
employees to receive security training no later than 90 days after 
beginning employment. One commenter suggested a method for calculating 
date: A day should be based on full-time employment, with each 8-hour 
period worked counting as one day. Regarding contractors, the same 
commenter suggested the training responsibility should rest with the 
contracted company.
    Comments also addressed how to regulate temporary and/or part-time 
employees. One commenter suggested all drivers, whether employees or 
contractors, should be trained. Another commenter explained ``pooling 
agreements,'' which allow or require employees from other companies to 
operate their equipment, and noted these arrangements should be covered 
in the final rule.
    TSA response: While TSA appreciates concerns regarding the 
implementation schedule for initial training, the 60-day requirement is 
set by the statute. As noted in the NPRM, the 9/11 Act requires initial 
training within the first 60 days of employment for new employees or 
for those transitioning to a covered job function (as identified in 
Appendix B to parts 1580 (freight rail), 1582 (PTPR), and 1584 
(OTRB)).\94\ TSA is not adopting the suggestion of a day equaling an 
aggregated 8-hour period. TSA's intent with this rule is to ensure 
employees that are regularly positioned to identify and respond to 
security threats are prepared to do so. TSA does not believe that this 
priority is served by hourly calculations to determine what constitutes 
a day.
---------------------------------------------------------------------------

    \94\ See 81 FR 91347.
---------------------------------------------------------------------------

    As to contractors, TSA consistently applies a policy requiring 
regulated parties to accept responsibility for their contractors, 
including employees operating under pooling agreements. Any person 
working for an owner/operator within the scope of applicability, 
performing a security-sensitive position--without regard to primary 
employer or full/part-time status--must be trained. In other words, a 
pooling agreement does not mitigate the need for security training. The 
impact of this policy is more fully discussed under comments related to 
49 CFR part 1503.
    Finally, TSA is not changing the aggregated employment requirement 
in Sec.  1570.111(4) nor the requirement for employees (whether 
intermittent or contract) to be trained no later than the 60th day of 
aggregated employment performing a security-sensitive function. This 
requirement ensures these employees are trained after they are in a 
position with a particular owner/operator long enough to gain awareness 
of the operations necessary to determine when there is an anomaly that 
could constitute a threat.
    In response to the comment about all drivers (presumably of OTRBs) 
being required to receive training, TSA is limiting it to individuals 
with a commercial driver's license to focus on those with a nexus to 
security, in other words, those likely to operate a bus to, through, or 
from a high-risk location, rather than employees moving a bus across a 
yard. While TSA is not currently requiring all drivers to receive the 
security training, this does not prevent owner/operators from 
voluntarily providing the security training required for security-
sensitive employees to a broader population of employees.
    In addition, TSA is developing training materials that can be 
consistently used across a particular mode. Use of this material, 
coupled with the ability to use previous training, will minimize the 
burden of ensuring employees in pooling agreements received adequate 
training. Owner/operators can rely on the TSA-provided material to 
address most of the requirements and limit their operation-specific 
training to procedures unique to their operation, such as points of 
contact to report security concerns and emergencies.
    Comments on recurrent security training: TSA received a variety of 
comments on recurrent training. Some commenters generally supported 
annual recurrent training. Other commenters stated they should have 
flexibility to self-determine the training schedule for their 
employees, as opposed to adhering to a ``one size fits all'' 
approach. Some commenters expressed concern with the time frame due to 
cost constraints and the practicality of training employees while 
simultaneously maintaining service. These commenters suggested longer 
time periods between training, such as two or three years. One 
commenter highlighted the safety requirements in FRA's rules, which 
require training every three years.
    TSA response: TSA considered options for recurrent training both 
before proposing the requirement in the NPRM and in consideration of 
comments submitted on the NPRM. TSA continues to believe in the 
importance of recurrent training to meet the purpose of the rule, but 
is adjusting the frequency of training in consideration of the 
comments. The final rule requires recurrent training once every three 
years. If, however, the owner/operator modifies its security program or 
plan and those changes affect the responsibilities of specific 
security-sensitive employees, based on their position or function in 
relation to security program or plan requirements, the affected 
employees must receive recurrent training to address the changes within 
90 days of implementation of the revisions. This change is consistent 
with the requirements for hazardous materials employees under 49 CFR 
172.704.\95\ The recurrent training requirements are discussed in more 
detail in section II.J.2.
---------------------------------------------------------------------------

    \95\ In addition, TSA notes that it may order modifications to a 
security program or plan, or order additional training, as 
necessary. See, e.g., 49 U.S.C. 114(l).
---------------------------------------------------------------------------

5. Recordkeeping and Availability (Sec.  1570.121)
    Comments: Two commenters said the proposed 5-year record-keeping 
requirement would be excessive in duration, costly and burdensome in 
administration, and unjustified by any risk-based factors. As an 
alternative, they suggested owner/operators should only be required to 
retain training from

[[Page 16478]]

the past three years (assuming TSA adopts a 3-year training 
requirement).
    TSA response: Within the context of an annual recurrent training 
requirement, TSA considered modifying the record retention period based 
on the comments, as three years would provide adequate records of 
previous training. The change, however, to recurrent training on a 
three-year cycle necessitates maintaining the 5-year retention schedule 
in order to ensure that the owner/operator can provide adequate 
representation of previous training consistent with recurrent training 
requirements as well as any training based on modification to the 
owner/operator's security program or plan.
6. Security Coordinator (Sec.  1570.201)
    Comments on security coordinator availability: Two commenters 
suggested changes to the security coordinator requirements specifically 
for railroad companies. First, they suggested TSA only require affected 
railroads to maintain a 24/7 communications capability to ensure TSA 
can reach the rail security coordinators and designated representatives 
for the stated purpose of receiving intelligence information and 
coordinating on security practices and procedures.
    Second, there was one objection to the proposed requirement for 
freight railroad operators to name rail security coordinators (RSC) 
``accessible to TSA on a 24-hour a day, 7-day a week basis.'' The 
commenter suggests modifying this proposal to require the railroad to 
``maintain a 24/7 communications capability to ensure TSA can reach the 
RSCs and designated representatives for the stated purpose of receiving 
intelligence information and coordinating on security practices and 
procedures.''
    TSA response: First, TSA is reorganizing the location of the RSC 
requirements promulgated in 2008, moving the requirements from 49 CFR 
part 1580 to part 1570 (Sec. Sec.  1570.201 and 1570.203) and expanding 
applicability of the existing RSC requirement to include bus operations 
of public transportation systems and OTRB owner/operators within the 
scope of the rule's applicability. TSA neither proposed nor is adopting 
any modifications to the RSC requirements as they apply to railroads 
and the requirement regarding 24/7 accessibility of security 
coordinators.
    It is critical for security coordinators to be ``accessible to TSA 
on a [24/7] basis'' rather than accepting ``a 24/7 communications 
capability [that] can reach the RSCs.'' Although most communication 
between TSA and security coordinators may be routine, these individuals 
are intended to serve key roles in times of heightened and specific 
security threat and incident. During such periods, immediate 
communication with the security coordinators may be required to prevent 
or mitigate loss of life or severe harm to transportation security. TSA 
believes the requirement for security coordinators to be accessible to 
TSA on a 24-hour a day, 7-day a week basis is amply justified by 
commonly accepted principles of emergency and security management. If 
TSA needs to convey extremely time-sensitive security information to a 
regulated party, particularly in situations requiring frequent 
information updates, the information exchange benefits if there is 
continuity in participants. The security coordinator must be in a 
position to understand security problems, raise issues with corporate 
leadership, and recognize when emergency response action is 
appropriate. If the contact changes every time TSA makes a call, the 
loss of continuity will undermine the effectiveness of the 
communication.
    Comments on citizenship requirement for security coordinators: Two 
commenters stated disclosing citizenship status is unnecessary and 
should not be required. One of the two commenters suggests TSA should 
recognize Canadian government security clearances in lieu of requiring 
RSCs to be citizens of the United States.
    TSA response: The rule does not require a rail security coordinator 
to be a citizen of the United States. It does, however, require each 
owner/operator to report the citizen status of individuals it intends 
to put forward as its RSC under Sec.  1570.201(d). This requirement is 
necessary to meet the 9/11 Act requirement that security coordinators 
be U.S. citizens unless TSA determines it is appropriate to waive the 
requirement ``based on a background check of the individual and a 
review of the consolidated terrorist watchlist.'' \96\ By providing 
this information up front, TSA can initiate any additional actions 
necessary to comply with this requirement.
---------------------------------------------------------------------------

    \96\ See 9/11 Act sections 1512(e)(2) and 1531(e)(2).
---------------------------------------------------------------------------

7. Reporting Significant Security Concerns (Sec.  1570.203)
    Comments on mandatory reporting requirement, scope of reporting, 
and form of reporting: Several commenters opposed a mandatory reporting 
requirement. A few argued the requirements would open up their 
companies and employees to liability should an incident occur and an 
earlier warning action was not observed. Several other commenters 
specifically opposed the 24-hour proposed time limit, stating it was 
too short, and some transit agencies may not know what the threat is in 
that amount of time.
    Commenters also suggested TSA authorize electronic reporting of 
significant security concerns to meet the reporting requirements in 
Sec.  1580.203. These commenters noted the rail industry has developed 
an electronic reporting capability and demonstrated its effectiveness 
in three industry-wide exercises.
    Finally, a few commenters asked for additional clarity regarding 
what ``significant security concern'' entails, and one asked for a list 
of examples. One commenter specifically suggested TSA harmonize its 
definition of ``security threat'' with the FRA's requirement in 49 CFR 
part 239. Several commenters suggested streamlining the requirements.
    TSA response: As with the security coordinator requirement, TSA is 
reorganizing the location of the reporting significant security 
concerns requirements promulgated in 2008 (which were at 49 CFR part 
1580), placing the requirement in part 1570 to expand its applicability 
to OTRBs and bus operations of public transportation system companies 
within the scope of the rule's applicability. As proposed in the NPRM, 
TSA is making three primary changes to the current requirement through 
this final rule. These changes affect all owner/operators required to 
report, but result in a reduced burden for rail operators previously 
required to report. First, the rule modifies the current requirement to 
report immediately, to allow up to 24 hours to report significant 
security concerns. TSA is providing a period of up to 24 hours to 
report the information for two reasons: (1) If there is an emergency, 
the immediate priority is to notify and work with first responders, not 
call TSA, and (2) TSA is aware the quality of information provided is 
improved when owner/operators have an opportunity to review the 
information and ensure it constitutes a valid significant security 
concern consistent with the description of activities in Appendix A to 
part 1570 before it is reported. TSA believes 24 hours is an adequate 
period for this process to work effectively. If more time is granted, 
the information may be too stale to be of benefit to TSA or its other 
stakeholders.
    Second, TSA is modifying the existing requirement to allow for 
electronic reporting. The current rule requires reporting to be made by 
telephone. With

[[Page 16479]]

this final rule, TSA is expanding the requirement to allow for other 
methods prescribed by TSA. TSA will communicate these methods directly 
to security coordinators to avoid a situation where a phone number or 
email address may become outdated based on changes or requirements 
beyond the scope of this rulemaking.
    Third, as noted in the NPRM and discussed in section III.C, TSA is 
including in the final rule a table that identifies categories of 
incidents and provides detailed descriptions.\97\ These incidents are 
modified from the requirements promulgated in 2008 to align with other 
standards, including those mentioned by commenters, and recommendations 
from the Government Accountability Office (GAO).
---------------------------------------------------------------------------

    \97\ See Appendix A to part 1570. See also 81 FR 91351-91353.
---------------------------------------------------------------------------

D. Subpart B--Security Programs

1. Security Training Program General Requirements (Sec. Sec.  1580.113, 
1582.113, and 1584.113)
    Comment on content creation: TSA received several comments 
regarding responsibility for creating training content. TSA also 
received questions concerning who will conduct training and the 
training format, including recommendations for TSA to consider video 
training, in-classroom, and/or field training. Another commenter 
suggested putting a one-hour cap on course length. One commenter 
suggested an outside entity, not TSA, should provide oversight for 
compliance with the training. Several commenters also suggested TSA 
should require transit systems, rail carriers and OTRB operators to 
seek the input of employees and union representatives as they draft 
their training plans, which would ensure the plans consider individual 
circumstances and are effective in promoting transportation security.
    TSA response: Rather than putting limits on curriculum development, 
the rule requires owner/operators to submit their security training 
programs to TSA for review and approval. While the burden is on owner/
operators to develop and provide the training, the rule neither 
prescribes how the content is to be created nor dictates how it is to 
be provided. The flexible requirement is an intentional effort to 
address the varied operational issues for owner/operators required to 
provide training. For example, larger owner/operators may determine it 
is more cost-effective to incorporate the training required by this 
rule into existing training provided in a classroom. For smaller 
operators, web-based training may be easier.
    To address this variety, the rule requires owner/operators to 
develop and implement a security training program meeting the 
requirements of the relevant subparts and ensures the standards are met 
by requiring the program to be submitted to TSA for review and approval 
of the curriculum (including lesson plans, objectives, and modes of 
delivery) and method for measuring effectiveness.\98\ TSA is unwilling 
to put a cap on the requirement. Based on the security awareness 
training TSA requires for its own employees as well as its work and 
discussions with experts on content development, TSA assumes adequately 
addressing all of the required elements will take approximately one 
hour.
---------------------------------------------------------------------------

    \98\ See Sec. Sec.  1580.113(b)(6), 1582.113(b)(6), and 
1584.113(b)(6).
---------------------------------------------------------------------------

    TSA is committed to providing maximum flexibility within the 
constraints of the 9/11 Act's requirements and needs of regulatory 
compliance. To support compliance, TSA intends to provide complimentary 
training material satisfying many of the rule's requirements. If owner/
operators choose not to use this material, they will need to develop a 
full curriculum to be approved by TSA. If they do use it, they may 
still need to submit additional material for any portion of the 
required training (based on their unique operations) not covered by the 
TSA materials. As a result, the rule provides a process balancing 
flexibility (for owner/operators to develop a program specific to their 
operational environment) and TSA's need to ensure training programs 
meet the rule's purpose.
    TSA does not agree with suggestions for third parties (not TSA) to 
oversee the curriculum development and training. In light of the 
flexibility given for curriculum development, TSA must ensure the 
minimum requirements of the rule are met in order to satisfy both the 
mandate of the 9/11 Act and TSA's intent for this rule to provide a 
consistent baseline of security training across higher-risk operations. 
TSA's subject matter experts for the modes of operation covered by this 
rule will lead this review and approval process.
    TSA agrees the materials should be relevant to the operational 
environment and the employees who work within that environment. Like 
other aspects of curriculum development, the rule gives owner/operators 
the flexibility necessary to meet this objective without imposing a 
prescriptive requirement. Similarly, the rule does not prohibit owner/
operators from consulting with relevant parties or developing programs 
appropriate for their operational environment.
    Comment on size of train crew: One commenter noted that a two-
person minimum crew in train cabs is vital to defending national 
security. Their concerns reflected current operational requirements, 
such as monitoring of computer screens rather than monitoring 
conditions outside of the train (such as the track).
    TSA response: The purpose of this regulation is to ensure employees 
performing security-sensitive functions receive adequate training. 
Staffing requirements for train operation are beyond the scope of this 
rulemaking.
    Comments on effectiveness of security training: The rule requires 
owner/operators to include in their security training programs a method 
for evaluating the effectiveness of the program.\99\ A few commenters 
suggested ways to ensure the training is effective and applicable to 
real-world situations. Suggestions included having businesses put up a 
poster as a general reminder of the material covered in the class, 
creating incentives (monetary or time-off awards) for completing 
training, and ensuring class is engaging and not only a lecture in a 
classroom. Another suggestion was to integrate randomized written tests 
or drills of the covered material, of which successful completion could 
warrant an award. Comments included suggestions for training to be 
conducted in a classroom, citing two benefits of classroom training: 
(1) Allows employees to ask questions and learn from questions and 
discussions and (2) allows instructors to work with employees through a 
variety of scenarios, which would include teaching how to look out for 
and spot various security threats and explain the various roles each 
employee serves in responding to these threats. One commenter asked 
whether the training could be incorporated into ``Entry Level Driver''-
training, and also suggested an online ``train the trainer'' course.
---------------------------------------------------------------------------

    \99\ See Sec. Sec.  1580.113(b)(9), 1582.113(b)(9), and 
1584.113(b)(9). See also discussion at II.K.
---------------------------------------------------------------------------

    Commenters were divided on the question of whether the training's 
effectiveness should be documented through testing. Several commenters 
stated that classroom testing should be augmented by field testing. 
Others suggested no testing should be required. Several commenters 
suggested that TSA incorporate efficacy standards or incentives for 
public transportation agency employees. As an alternative, a number of 
commenters opposed any kind of proficiency testing on the training 
course material.

[[Page 16480]]

    TSA response: TSA is requiring the owner/operator to describe the 
method to be used for measuring effectiveness of security training and 
will conduct inspections to ensure the approved method is being used, 
as part of implementing the TSA-approved security training program. 
While TSA appreciates the information provided by commenters for 
measuring the effectiveness of training, TSA has decided not to dictate 
which method must be used. As part of its commitment to recognizing the 
many unique operational environments for owner/operators subject to 
this regulation, as well as the commitment to balance maximum 
flexibility with effective security, TSA is not requiring a specific 
method for measuring effectiveness.\100\
---------------------------------------------------------------------------

    \100\ For further discussion, see 81 FR at 91361.
---------------------------------------------------------------------------

    TSA recognizes that pre- and post-testing in a classroom setting is 
an efficient way to determine the effectiveness of training. TSA also 
acknowledges, however, that other methods of documenting the 
effectiveness of training exist, which may be preferable for some 
employees and/or circumstances. Therefore, TSA is not specifying a 
particular type of testing or other method for determining 
effectiveness, but will use the owner/operator's TSA-approved standard 
for measuring effectiveness when inspecting an owner/operator's 
training documentation to verify that each employee who must be trained 
has received the required training and that the owner/operator has 
determined that the training is effective.
2. Security Training and Knowledge for Security-Sensitive Employees 
(Sec. Sec.  1580.115, 1582.115, and 1584.115)
    Comments on security training knowledge requirements: TSA received 
varied comments on the required security training curriculum content 
requirements. The comments ranged from asserting that the scope of the 
training content is overly broad to proposing additional training 
requirements to be added to the rule.
    One commenter, concerned that the scope is too broad, suggested 
training beyond awareness observation and reporting may be excessive 
and counterproductive to the safety and convenience of passengers. The 
commenter recommended that security training requirements not exceed 
the parameters of the employee's unique tasks or working environment.
    Finally, some commenters wanted topics added to the curriculum. Two 
commenters suggested the training focus on civil liberties, and 
integrate community policing principles. Other proposed topics included 
how to respond to an attack, hijacking, and/or kidnapping scenario; 
self-defense training; specified training on high-risk events; training 
on accessing and interpreting situations; and development of 
communication skills.
    Commenters suggested the training address issues of civil rights and 
liberties, expressing concerns about training employees to identify 
individuals as threats based on their socioeconomic status. One 
commenter specifically cautioned against enabling transit security 
personnel to profile riders based on race or religion, and suggested 
personnel should first be trained to respect rights of all individuals, 
and should also be trained in effective measures not involving ``stop 
and frisk,'' or similar measures.
    TSA response: TSA believes the required security-training topics 
(covering prepare, observe, assess, and respond) will provide a 
baseline of security awareness to enhance the overall safety and 
security of passengers and cargo transported by rail and highway. This 
type of security awareness does not inconvenience passengers or 
undermine their safety. It does, however, enhance passenger security. 
Furthermore, nothing in the rule empowers employees to engage in racial 
profiling or conduct police operations. TSA will not approve a training 
curriculum encouraging employees to conduct racial profiling or report 
threats based on socioeconomic status.
    Finally, the regulatory requirements for training content provide 
flexibility to owner/operators to develop programs appropriate to their 
operational environment, including known threats and vulnerabilities. 
As a result, training may include how to identify threats such as 
potential hijackers and how to prepare and use the required training 
during high-profile events (including appropriate communications with 
the public and first responders). The requirements of this rule will 
enhance such targeted, optional training. The rule's requirements will 
result in employees possessing an understanding of the norm for their 
operational environment, the skills and knowledge necessary to identify 
anomalies indicating a potential threat, and the capability to respond 
appropriately.
    Comments on training to satisfy regulatory requirements: Several 
commenters requested more specificity regarding what type of training 
will satisfy the curriculum requirements, including a list of examples. 
One commenter asked for guidance on what type of training will satisfy 
the curriculum requirement concerning ``defending oneself.''
    TSA response: In the past, TSA has worked with the relevant 
associations and FEMA to identify training to address specific security 
needs and anticipates continuing to do so as it relates to the 
requirements in this rule. In addition, TSA has partnered with national 
associations and industry to cooperatively develop security training 
curriculum and programs. While TSA does not intend to endorse specific 
third-party training programs, owner/operators may submit these programs 
to TSA as part of their security training programs. TSA will assess all 
submitted programs to ensure compliance with the rule's requirements 
before approving the training program. As to the comment on providing 
more information on ``defending oneself,'' the rule does not require 
training on how to use self-defense devices or other protective 
equipment provided by the employer. TSA assumes the employer's standard 
employee training will address these issues at the time the equipment 
is provided (one commenter noted the Occupational Health and Safety 
Administration (OSHA) requires employees to receive training in the use 
of personal protective equipment (PPE) required by their job functions).
    Comments on impact of TSA-developed security training materials: 
One commenter suggested that TSA develop an annual course based on 
current threat and intelligence rather than requiring companies to 
create annual plans for TSA approval. Similarly, several commenters 
suggested that TSA create a baseline curriculum, such as a video, that 
would meet the regulatory requirements. One commenter suggested that 
companies could voluntarily submit supplemental training that exceeds 
the recommended baseline training that is specific to their mode. One 
commenter, however, specifically stated that TSA's First 
Observer™ training materials are inadequate.
    TSA response: This rule does not require owner/operators to submit 
updated plans every year. Updates, or amendments, are only required for 
specific reasons, as discussed in section IV.B.
    In regard to the comments regarding use of First 
Observer™, TSA notes that the First Observer™ 
program most familiar to regulated parties was created primarily for 
highway and motor carrier professionals. While TSA assessed that First 
Observer™ covers three of the required training elements 
for OTRB owner/operators, the program was not created to specifically 
address this rule

[[Page 16481]]

nor was it meant to be applicable to all surface modes of 
transportation.
    At the time the NPRM was published, TSA anticipated expanding the 
First Observer™ program to incorporate additional training 
material. Since publication of the NPRM, however, TSA initiated 
development of new materials to address three of the required training 
program components (Observe, Assess, and Respond) that are relevant to 
all owner/operators within the three covered modes.\101\ While these 
videos are a new product intended to specifically align with the rule's 
requirements, they build upon previous training developed by TSA under 
First Observer™ and other transportation security-related 
training programs. TSA adapted this previously developed information, 
and supplemented it as necessary, to ensure the videos address as many 
of the required training elements as can be met through a 
one-size-fits-all training video. These materials may eventually be 
placed under the First Observer™ umbrella, but will not be the same as the 
original program.
---------------------------------------------------------------------------

    \101\ The ``Prepare'' element of the required training 
curriculum is, by its nature, specific to the operations of each 
owner/operator covered by the rule. As such, this element 
cannot be addressed in material intended to be applicable to 
multiple owner/operators.
---------------------------------------------------------------------------

    As noted in the NPRM, use of TSA-developed and provided material is 
optional. TSA developed these materials to further reduce the burden of 
compliance by providing owner/operators with a resource they may use to 
meet a majority of the security training requirements under this rule. These 
videos will be made available to all of TSA's surface stakeholders.
    TSA is aware that not all owner/operators will choose to use TSA-
provided material, particularly if they are incorporating their 
training into existing training programs to meet other Federal, state, 
or local training requirements. Owner/operators may need to develop 
and/or provide supplemental material to ensure the training provided 
meets all of the training requirements, specifically reflecting nuances 
within the operations of a particular owner/operator or a particular 
sub-set or location of these operations. This additional information 
must be identified and included in the security training program 
submitted to TSA. As use of the videos is not mandatory, the economic 
analysis does not account for them when estimating costs of compliance.

E. Freight Rail Specific Issues

1. Applicability of Security Training Requirements (Sec.  1580.101)
    Comments: Several commenters expressed concern related to the 
designated list of HTUAs in Appendix A to part 1580. One commenter 
believed the training is necessary for all frontline employees, not 
just those employed by higher-risk operations. Another noted that 
improving security at some locations may result in terrorists 
redirecting their operations to softer targets not covered under the 
rule. The commenter suggested the rule should require security training 
at all transportation locations. The commenter specifically recommended 
that the rule cover freight, passenger rail, and public transit 
systems.
    TSA response: As discussed in the NPRM, TSA's risk-based 
determinations for applicability are consistent with the focus of the 
9/11 Act's requirements on higher-risk operations.\102\ This risk-based 
focus is reflected in the statutory requirement for the training to be 
provided to frontline employees, not all employees, and placing the 
security training requirements within the context of a broader security 
program focusing on higher-risk operations.
---------------------------------------------------------------------------

    \102\ See 81 FR 91355 et seq.
---------------------------------------------------------------------------

    While hardening one target could make those with nefarious intent 
believe that other targets are more vulnerable, the threat (an 
adversary's intent and capability) is only one of the critical factors 
affecting risk (which also includes vulnerabilities and consequences). 
The risk analysis underlying the applicability for freight railroad is 
heavily weighted to address concerns regarding the vulnerabilities and 
consequences. TSA determined the highest risk freight railroads are 
those designated as Class I, based on their revenue and the Nation's 
dependence on these systems to move both freight in support of critical 
sectors and passengers. All Class I railroads must provide security 
training. Similarly, some shortlines (also known as Class II or Class 
III railroads) are higher-risk because of what they transport and where 
they transport it. As noted above, and in the NPRM, certain materials 
have a higher risk associated with them based on the potential 
consequences should they be released.\103\ The likelihood of 
catastrophic consequences is greater in HTUAs. By reducing the 
vulnerability through increased security training, the rule's 
applicability is intended to reduce the risk for these systems without 
increasing the risk for others. Finally, TSA encourages owner/operators 
not within the scope of the rule's applicability to use the regulatory 
requirements as guidance for voluntarily implementing a security 
training program for its security-sensitive and other employees, 
whether by using TSA-developed programs or through its own training. 
These owner/operators may contact TSA through the numbers and addresses 
identified under FOR FURTHER INFORMATION CONTACT, or through modal 
associations (with whom TSA regularly interacts).
---------------------------------------------------------------------------

    \103\ See id.
---------------------------------------------------------------------------

2. Chain of Custody and Control Requirements (Sec.  1580.205)
    Comments: Two commenters asserted threat assessments indicate 
freight railroads face a lower terrorist threat. The commenters 
concluded the transfer of custody procedures should only apply at 
elevated or imminent terrorism levels.
    TSA response: TSA understands this comment to be about the chain of 
custody requirements currently required by 49 CFR 1580.107 and not this 
rule's requirements to provide training on the chain of custody 
procedures employed by the railroad. For the underlying chain of 
custody requirements, this rule merely relocates the requirement within 
the CFR; TSA did not propose modifying them. TSA thus considers these 
comments pertaining to substantive changes to the chain of custody 
requirements as beyond the scope of this rulemaking. Consistent, 
however, with the requirements of Executive Order 13777, Enforcing the 
Regulatory Reform Agenda (Feb. 24, 2017), TSA is addressing this 
comment as a suggested revision to existing regulations.
    Under 49 U.S.C. 114(l)(3), TSA is required to consider the 
potential impact on security before it rescinds or revises a regulatory 
requirement. Transfer of custody requirements are intended to prevent 
access by unauthorized persons to railcars loaded with certain 
chemicals or materials that may constitute an immediate threat to life or 
health if released into the environment. TSA does not agree that 
transfer of custody procedures should only apply to elevated or 
immediate threat risk. The state of the terrorism alert level is not 
related to the need to deny unauthorized persons access to railcars 
loaded with hazardous materials; unauthorized persons must be denied 
access to such railcars at all times. Terrorism alert levels are 
increased when there is reason to believe a heightened threat of an 
attack exists or may exist. Accessible freight cars containing 
hazardous materials may be

[[Page 16482]]

used to mount an attack spontaneously, without elaborate planning or 
premeditation on the part of the attacker, and therefore without 
warning or reason to elevate the threat level in advance of the attack. 
Current ``chain of custody'' requirements accomplish this objective and 
are retained in the final rule.

F. Public Transportation and Passenger Railroad Specific Issues

    Comments: Several commenters questioned the scope of the rulemaking 
in relation to PTPR. Commenters specifically questioned TSA's criteria 
for identifying the current PTPR systems, and asked whether TSA will 
identify additional PTPR systems in the future. One commenter urged TSA 
to reconsider limiting the applicability to 46 systems rather than all 
PTPR systems, as the cost-savings is far outweighed by the cost-
effectiveness achieved by meaningful training of all frontline transit 
employees in security-sensitive positions. One commenter asked if the 
Federal Transit Administration's (FTA's) impending repeal of 49 CFR 
part 659 would mean only TSA's identified ``higher risk'' PTPR systems 
will have security training requirements, vulnerability assessments, 
and security planning requirements after April 15, 2019.
    TSA response: As noted above, TSA's risk-based determinations for 
applicability are consistent with the 9/11 Act's requirements regarding 
higher-risk operations. This focus on risk is reflected in the 
statutory requirement for training frontline employees, not all 
employees, and placement of the security training requirements within 
the context of a broader security program required to focus on higher-
risk operations. In questioning TSA's criteria for its determination, 
the commenter provided no specific information regarding TSA's 
perceived failures nor provided alternatives. If TSA decides to expand 
the rule's applicability to additional systems, it would do so through 
appropriate rulemaking procedures consistent with TSA's statutory 
authorities and rulemaking requirements.
    TSA cannot confirm the rule will continue to be as cost-effective 
if the number of PTPR systems is expanded. In the NPRM and Final RIA, 
TSA performed an alternatives analysis (Section 5.2 of the Final RIA), 
in which one of the alternatives expanded the scope of affected PTPR 
owner/operators from 47 (46 PTPR systems + Amtrak) to 253. This 
alternative would result in the costs of compliance for the PTPR 
industry to increase from $2.44 million to $14.93 million (both 
annualized and discounted at 7 percent).\104\ It seems unlikely that 
expanding security training to an additional 206 owner/operators, to 
include operations not considered higher-risk, will yield a 
corresponding reduction in risk. As previously noted, TSA encourages 
owner/operators not covered by the rule's applicability to use the 
regulatory requirements as guidance for voluntarily implementing a 
security training program for its frontline employees, whether by using 
TSA-developed programs or through its own training.
---------------------------------------------------------------------------

    \104\ See Final Rule RIA, tables 40 and 91 for total costs to 
PTPR in the preferred alternative and Alternative 2 (expanded 
population), respectively.
---------------------------------------------------------------------------

    Finally, the nexus between the FTA's requirements and this rule is 
more fully discussed in the NPRM.\105\
---------------------------------------------------------------------------

    \105\ See 81 FR at 91365.
---------------------------------------------------------------------------

G. OTRB Specific Issues

1. Definition of Security-Sensitive Employees (Sec.  1584.3 and 
Appendix B to Part 1584)
    Comments: Two commenters expressed concern that bus companies do 
not always know in advance exactly which buses will be used for which 
service. One of the commenters suggested it would be easiest for their 
company if all drivers take part in mandatory training, regardless of 
their normal scheduled route, as there is potential for a driver to be 
transferred to a different assignment at the last minute. Another 
commenter cautioned the rule may cause confusion as to which employees 
of an operation should be trained, and asked for clarification whether 
an operator should only train front line employees servicing identified 
destinations. The commenter explained a scheduled service operator may 
offer charter, shuttle bus, or other transportation services, in 
addition to fixed-route service to areas that are outside the UASI 
areas.
    TSA response: To address the request for clarity, TSA recommends 
owner/operators first determine whether they have operations placing 
them within the scope of the rule's applicability, i.e., whether the 
owner/operator provides fixed-route service to, through, or from one of 
the areas identified in Appendix A to part 1584. If so, the owner/
operator must provide security training to all of its security-
sensitive employees. The question of which employees receive training 
is not based on where the employee's job takes them, but what their job 
requires them to do. Thus, all employees who have a commercial driver's 
license and operate an OTRB for the owner/operator must receive 
security training, not just those who drive an OTRB to, through, or 
from an identified area.
    The comments provided conflicting opinions on whether requiring all 
security-sensitive employees to receive the training, regardless of 
where the individual operates, is necessary. TSA is requiring that all 
security-sensitive employees must be trained, but notes that owner/
operators may request alternative measures under the procedures in 
Sec.  1570.117.
2. Applicability (Sec.  1584.101)
    Comments on threat: One commenter disagreed that vehicle-borne 
improvised explosive devices (VBIED) are the greatest and most likely 
attack risk, citing recent terrorism-related incidents involving 
vehicle ramming.
    TSA response: Within the context of the 9/11 Act's mandate for TSA 
to require OTRB owner/operators to provide security training to their 
employees, TSA's risk analysis focused on what risks were greatest for 
OTRB, not all forms of motor vehicles. To the extent the commenter is 
suggesting the risk of using an OTRB for vehicle ramming is greater than 
the risk of using an OTRB as a VBIED, the distinction would have no impact on 
how TSA uses its risk analysis to determine applicability as the 
vulnerabilities and consequences for OTRBs are similar. To the extent 
the commenter is referring to other types of motor carrier-related 
threats, TSA notes that security awareness training is a valuable 
countermeasure against vehicle ramming attacks. Because large 
commercial vehicles can do more damage in a ramming attack, teaching 
large vehicle operators to be more sensitive to and aware of possible 
hijacking or other attempts to procure their vehicle can mitigate 
losses and damages.
    Comments on applicability: Several commenters expressed concern 
with the scope and applicability of the rule. One commenter agreed with 
the definition of ``higher risk'' and its application to the rule, 
but urged TSA to ensure DHS provides consistency throughout all its 
components regarding ``the factors that could make an OTRB a potential 
target.'' One commenter suggested that UASI may be ``over kill,'' and 
suggested only 10 areas. Another expressed concern that as UASI areas 
are re-determined annually, the prioritized locations could change 
frequently, which would result in an undue burden on operators and 
foster soft targets as resources are shifted to address new threats. 
Finally, commenters expressed concern that the rule may create ``soft 
targets'' which could be exploited by terrorists.

[[Page 16483]]

    TSA response: As discussed in the NPRM,\106\ TSA's risk-based 
determinations for applicability are consistent with the focus of the 
9/11 Act's requirements on higher-risk operations. This is reflected in 
the statutory requirement for the training to be provided to frontline 
employees, not all employees, and placing the security training 
requirements within the context of a broader security program that 
focuses on higher-risk operations.
---------------------------------------------------------------------------

    \106\ See general discussion on applicability, id. at 91355 et 
seq. See also OTRB specific discussion, id. at 91358 et seq.
---------------------------------------------------------------------------

    While hardening one target could make those with nefarious intent 
believe that other targets are more vulnerable, the threat (an 
adversary's intent and capability) is only one of the critical factors 
affecting risk (which also includes vulnerabilities and consequences). 
The risk analysis underlying the applicability for OTRB is heavily 
weighted to address concerns regarding the vulnerabilities and 
consequences, including the vulnerability associated with scheduled 
service and the consequences should an attack occur in highly populated 
urban areas.
    Because the risk involving an OTRB as a VBIED is primarily to the 
targeted urban area, TSA relied on a risk model developed by DHS to 
determine highest risk urban areas for the UASI grant program. This 
model has been approved by the Secretary of Homeland Security for 
calculating the relative risk of urban areas in order to inform UASI 
allocation determinations.\107\ As with PTPR, TSA drew the line for 
applicability where there is a natural and significant break in the 
funding allocations as informed by the risk methodology.
---------------------------------------------------------------------------

    \107\ As the risk methodology relies upon SSI, it is not 
available to the public.
---------------------------------------------------------------------------

    As to concern about the impact of future changes to UASI 
designations, that concern is misplaced. While TSA used the UASI 
designations to develop its applicability determination, the term UASI 
is not used in the applicability. Instead, the rule applies to those 
providing fixed-route service to, through, or from one of the areas 
identified in Appendix A to part 1584. The table in this appendix 
includes specific counties to avoid any potential confusion regarding 
applicability.
    Finally, TSA does not believe the regulation creates soft targets. 
By reducing the vulnerability through increased security training, the 
rule's applicability is intended to reduce the risk for these systems 
without increasing the risk for others. TSA also notes that it 
encourages owner/operators not covered by the rule's applicability to 
use the regulatory requirements as guidance for voluntarily 
implementing a security training program for its frontline employees, 
whether by using TSA-developed programs or through its own training.

H. Comments Beyond Scope of Rulemaking

    TSA received several comments regarding issuance of self-defense 
devices, such as tasers and mace, ranging from suggesting that we 
require employers to issue them to suggesting that we prohibit it. 
Either suggestion is beyond the scope of this rulemaking. The comment 
indicating that OSHA mandates employee training in the use of PPE, if 
required by their job functions, has already been noted.

VIII. Rulemaking Analyses and Notices

A. Paperwork Reduction Act

    The Paperwork Reduction Act of 1995 (PRA) requires Federal agencies 
to consider the impact of paperwork and other information collection 
burdens imposed on the public and, under the provisions of PRA sec. 
3507(d), obtain approval from the OMB for each collection of 
information it conducts, sponsors, or requires through 
regulations.\108\
---------------------------------------------------------------------------

    \108\ Public Law 96-511, 94 Stat. 2812 (Dec. 11, 1980), as 
codified at 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------

    OMB has approved a related information collection request for 
contact information for RSCs and alternate RSCs, as well as the 
reporting of significant security concerns by freight railroad 
carriers, passenger railroad carriers, and rail transit systems.\109\
---------------------------------------------------------------------------

    \109\ See OMB Control No. 1652-0051.
---------------------------------------------------------------------------

    This final rule, however, contains new information-collection 
activities subject to the PRA. Accordingly, TSA has submitted the 
following information requirements to OMB for its review. The 
Supporting Statement for this information collection request is 
available in the docket for this rulemaking.
    Title: Security Training Programs for Surface Mode Employees.
    Summary: This final rule requires the following information 
collections:
    First, owner/operators identified in 49 CFR 1580.101, 1582.101, and 
1584.101 are required to submit a security training program for 
security-sensitive employees that meets the requirements of subpart B 
of 49 CFR part 1580, subpart B of 49 CFR part 1582, and subpart B of 49 
CFR part 1584. Additionally, they are required to submit a request to 
amend their security training program if certain changes are made to 
their operations or if notified by TSA that an amendment is necessary. 
For purposes of its burden estimates, TSA assumes such modification 
will occur every three years.
    Second, the public transportation bus systems and OTRB owner/
operators to whom the final rule applies would be required to obtain 
personal and contact information from their designated security 
coordinator, and alternate, and submit such records to TSA.
    Third, respondents would be required to retain individual training 
records on security-sensitive employees at the location(s) specified in 
each respondent's respective security training program, and make such 
records available to TSA upon request.
    Fourth, the public transportation bus systems and OTRB owner/
operators to whom the final rule applies would be required to report 
significant security concerns, which includes incidents, suspicious 
activities, and/or threat information.
    Use of: This information will be used to support the implementation 
of this final rule, including TSA determinations that security 
training programs satisfy the requirements in this final rule. 
Recordkeeping requirements are necessary for TSA to verify employee 
training is in compliance with the final rule. Security coordinator 
information supports respondent communications with TSA concerning 
intelligence information, security related activities, and incident or 
threat response with appropriate law enforcement and emergency response 
agencies. The reporting of significant security concerns supports the 
analysis of trends and indicators of developing threats and potential 
terrorist activity.
    Respondents (including number of): The likely respondents to this 
information collection are the owner/operators of covered surface 
modes, which are estimated to incur approximately 579,070 responses 
over the next 3 years (including 145,731 freight railroad responses; 
254,754 PTPR responses; and 178,586 OTRB company responses), which 
amounts to an average annual cost of $0.93 million.
    Frequency: TSA estimates that following initial submission, 
security training programs would need to be periodically updated as 
appropriate. Security training records would need to be updated after 
each training occurrence. Security coordinator information would need 
to be updated as appropriate. Significant security concerns would be 
reported as they occur. TSA estimates inspections for

[[Page 16484]]

compliance would occur at a rate of one inspection per year per owner/
operator.
    Annual Burden Estimate: The average yearly burden for security 
training program development and submission, security coordinator 
submission, employee training documentation recordkeeping, and incident 
reporting is estimated to be 2,729 hours for freight railroads; 3,311 
hours for PTPRs; and 6,278 hours for OTRB companies. The total average 
annual time burden estimate is approximately 12,318 hours. Table 5 
shows the information collections and corresponding hour burdens for 
entities falling under the requirements of the final rule.

                                                              Table 5--PRA Hours of Burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                             Time per                   Number of responses                                   Average
                       Collection                            response    ------------------------------------------------   3-Year time     annual time
                                                              (hours)         Year 1          Year 2          Year 3          burden          burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                              Initial Security Training Program Development and Submission
--------------------------------------------------------------------------------------------------------------------------------------------------------
Freight Rail............................................             152              33               0               0           5,016           1,672
PTPR....................................................              88              47               0               0           4,136           1,379
OTRB (Large to Medium)..................................              44              31               1               1           1,439             480
OTRB (Small)............................................              28             174               3               3           5,062           1,687
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                              Modified Security Training Program Development and Submission
--------------------------------------------------------------------------------------------------------------------------------------------------------
Freight Rail............................................              25              30               0               0             743             248
PTPR....................................................              25              42               0               0           1,058             353
OTRB (Large to Medium)..................................              25              28               1               1             736             245
OTRB (Small)............................................              25             157               3               3           4,068           1,356
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                       Security Coordinator Information Submission
--------------------------------------------------------------------------------------------------------------------------------------------------------
PTPR....................................................             0.5              52               6               6              32              11
OTRB....................................................             0.5             467              65              66             299             100
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                      Employee Training Documentation Recordkeeping
--------------------------------------------------------------------------------------------------------------------------------------------------------
Freight Rail............................................           0.017         136,155           4,750           4,764           2,428             809
PTPR....................................................           0.017         194,219          23,173          23,251           4,011           1,337
OTRB....................................................           0.017          39,147           5,142           5,206             825             275
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                   Incident Reporting
--------------------------------------------------------------------------------------------------------------------------------------------------------
PTPR....................................................            0.05           4,652           4,652           4,652             698             233
OTRB....................................................            0.05          41,881          42,691          43,516           6,404           2,135
                                                         -----------------------------------------------------------------------------------------------
    Total Burden (responses)............................  ..............  ..............  ..............  ..............         579,070         193,023
                                                         -----------------------------------------------------------------------------------------------
    Total Burden (hours)................................  ..............  ..............  ..............  ..............          36,953          12,318
--------------------------------------------------------------------------------------------------------------------------------------------------------

B. Economic Impact Analyses

1. Regulatory Impact Analysis Summary
    Changes to Federal regulations must undergo several economic 
analyses. First, Executive Order 12866, Regulatory Planning and 
Review,\110\ as supplemented by Executive Order 13563, Improving 
Regulation and Regulatory Review,\111\ directs each Federal agency to 
propose or adopt a regulation only upon a reasoned determination that 
the benefits of the intended regulation justify its costs. Second, E.O. 
13771, Reducing Regulation and Controlling Regulatory Costs,\112\ 
requires agencies to identify at least two regulations to be eliminated 
for every new regulation, and also requires that the cost of planned 
regulations be prudently managed and controlled through a budgeting 
process. Third, the Regulatory Flexibility Act of 1980 \113\ requires 
agencies to consider the economic impact of regulatory changes on small 
entities. Fourth, the Trade Agreement Act of 1979 \114\ prohibits 
agencies from setting standards that create unnecessary obstacles to 
the foreign commerce of the United States. Fifth, UMRA requires 
agencies to prepare a written assessment of the costs, benefits, and 
other effects of proposed or final rules that include a Federal mandate 
likely to result in the expenditure by State, local, or tribal 
governments, in the aggregate, or by the private sector, of $100 
million or more annually (adjusted for inflation).\115\
---------------------------------------------------------------------------

    \110\ 58 FR 51735 (Oct. 4, 1993).
    \111\ 76 FR 3821 (Jan. 21, 2011).
    \112\ 82 FR 9339 (Feb. 3, 2017).
    \113\ Public Law 96-354, 94 Stat. 1164 (Sept. 19, 1980) as 
codified at 5 U.S.C. 601 et seq.
    \114\ Public Law 96-39, 93 Stat. 144 (July 26, 1979), codified 
at 19 U.S.C. 2531-2533.
    \115\ Supra n. 63.
---------------------------------------------------------------------------

2. Executive Orders 12866, 13563, and 13771 Assessments
    Under the requirements of Executive Orders 12866 and 13563, 
agencies must assess the costs and benefits of available regulatory 
alternatives and, if regulation is necessary, select regulatory 
approaches that maximize net benefits (including potential economic, 
environmental, public health and safety effects, distributive impacts, 
and equity). These requirements were supplemented by Executive Order 
13563, which emphasizes the importance of quantifying both costs and 
benefits, of reducing costs, of harmonizing rules, and of promoting 
flexibility. Under Executive Order 13771, Reducing Regulation and 
Controlling Regulatory Costs,\116\ agencies must identify whether a 
rulemaking is a regulatory or deregulatory action.

[[Page 16485]]

---------------------------------------------------------------------------

    \116\ 82 FR 9339 (Feb. 3, 2017).
---------------------------------------------------------------------------

    In conducting these analyses, TSA has determined:
    1. This rulemaking is a significant regulatory action within the 
meaning of Executive Order 12866 and a regulatory action under 
Executive Order 13771. TSA has determined that this rulemaking is not 
economically significant. The rule will not result in an effect on the 
economy of $100 million or more in any year of the analysis. The total 
annualized costs of the final rule over a perpetual time period using a 
7 percent discount rate, in 2016 dollars, and discounted back to 2016 
is $5.28 million. The rule will not adversely affect the economy, 
interfere with actions taken or planned by other agencies, or generally 
alter the budgetary impact of any entitlements.
    2. TSA prepared a Final Regulatory Flexibility Analysis (FRFA), 
which finds that this rulemaking would likely have a regulatory cost 
that exceeds one percent of revenue for 47 small entities--1 freight 
rail and 46 OTRB owner/operators--of the total 200 small entities that 
would be regulated by the final rule.
    3. This rulemaking would not constitute a barrier to international 
trade.
    4. This rulemaking does not impose an unfunded mandate on State, 
local, or tribal governments, or on the private sector under UMRA.
    In the NPRM RIA, TSA estimated that the rule would cost $157.27 
million over ten years, discounted at 7 percent. In the Final RIA, TSA 
updated its benefit-cost analysis and estimated this regulation will 
cost $52.30 million over ten years, discounted at 7 percent. The change 
in cost estimate from the NPRM RIA to the Final RIA is due to the 
following:
     The final rule will require affected surface mode 
employees to undergo security training at least once every three years, 
which is a change in frequency from the annual training requirement in 
the NPRM. TSA updated training burden cost estimates to reflect the 
final rule's triennial training cycle.
     TSA updated employee population estimates in each of the 
three industries regulated by this final rule. In all three modes, the 
final rule employee population estimates decreased from the estimates 
in the NPRM: (1) The population of impacted freight rail employees 
decreased based on an updated source.\117\ (2) The population of 
impacted PTPR employees decreased as a result of TSA using more 
detailed population data in this Final RIA, as well as an update in the 
percentage of employees performing security-sensitive roles. (3) The 
population of impacted OTRB employees decreased as a result of 
reevaluating the population of impacted OTRB owner/operators from the 
NPRM dataset. TSA made revisions based on new information about the 
owner/operator's operations (such as the lack of scheduled services), 
as well as the consolidation and closure of owner/operators within the 
industry. This re-evaluation resulted in eight fewer OTRB owner/
operators than previously estimated in the NPRM, which in turn meant 
fewer employees were impacted.
---------------------------------------------------------------------------

    \117\ The Final RIA used the 2017 version of ``AAR Railroad 
Facts'' versus the 2014 version used in the NPRM.
---------------------------------------------------------------------------

     TSA updated its estimates of compensation rates, employee 
turnover rates, and various other inputs. TSA has reviewed all the 
inputs used in the NPRM RIA and updated them to ensure that the Final 
RIA uses the most recently available data.
     TSA added the cost for owner/operators to develop their 
own training programs in its primary cost analysis; in the NPRM RIA, 
only Alternative 2 made this assumption. In the primary cost analysis 
of the NPRM RIA, TSA assumed owner/operators would use a video provided 
by TSA, free of charge, to meet a majority of the training 
requirements. TSA still plans to make this video available; however, 
for the purpose of presenting the full range of possible costs for 
owner/operators from the final rule, TSA decided to include the cost of 
developing a custom training program in the Final RIA. Because of this 
change, TSA increased the time burden for owner/operators to develop a 
training program. TSA also increased the time burden for TSA to review, 
modify, and re-review these programs. Lastly, TSA increased its 
estimate of hours spent per inspection because TSA believes 
Transportation Security Inspectors will need more time to inspect 
owner/operators on the particulars of their unique training program.
     TSA revised its assumption that owner/operators will, on 
average, update their training program every five years (as assumed in 
the NPRM RIA) to every three years. TSA made this change because it 
better aligns with the new assumption that owner/operators would create 
their own training program. TSA assumes a custom training program would 
involve more owner/operator-specific circumstantial changes and those 
would occur, on average, more often. This change increased the 
estimated cost to owner/operators and TSA because they will, 
respectively, submit and review training programs more frequently 
within a ten-year period.
     TSA added the cost for a name check of new security 
coordinators against its Terrorist Screening Database. This cost is 
absorbed by TSA, not by owner/operators or the security coordinators.
     TSA revised its time burden estimate for recordkeeping 
from 15 seconds to 1 minute. This more closely aligns to previous 
estimates TSA has made for other employee-specific recordkeeping 
requirements.
    Table 6 shows the cost components that TSA expects industry and 
Government will incur from implementing the final rule. This table 
compares these cost components to their respective estimates in the 
NPRM and describes the changes made from the original analysis.

[[Page 16486]]



                                                    Table 6--10-Year Total Cost of NPRM vs Final Rule
                                                        [Discounted at 7 percent, in $ thousands]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                        NPRM and FR comparison                                       Significant change
            Requirements                    Section        ------------------------------------------------      Description         from NPRM to final
                                                                 NPRM         Final rule      Difference                                    rule
--------------------------------------------------------------------------------------------------------------------------------------------------------
Training Cost......................  1580.113, 1582.113,          $152,277         $43,429      ($108,848)  Requirement to train   Changed cost estimate
                                      and 1584.113.                                                          security-sensitive     to reflect three-
                                                                                                             employees on           year training cycle.
                                                                                                             required elements      Updated and refined
                                                                                                             (one of the elements   population data of
                                                                                                             is expanded for        security-sensitive
                                                                                                             freight rail) of       employees. Overall
                                                                                                             security training.     estimate of affected
                                                                                                                                    employees decreased
                                                                                                                                    from the NPRM.
Training Plan......................  1570.109.............           1,653           4,372           2,718  Requirement to submit  Added the cost for
                                                                                                             a training program     creating custom
                                                                                                             to TSA. Costs          training plans; TSA
                                                                                                             include planning,      previously assumed
                                                                                                             drafting, review and   they would use the
                                                                                                             submission.            TSA-provided video.
Security Coordinator...............  1570.201.............              77              48            (29)  Requirement to assign  Added the TSA cost to
                                                                                                             a security             perform a name check
                                                                                                             coordinator and an     of new security
                                                                                                             alternate to serve     coordinators against
                                                                                                             as a security          the Terrorist
                                                                                                             liaison with TSA.      Screening Database.
                                                                                                             Costs include
                                                                                                             initial and updated
                                                                                                             submissions from
                                                                                                             security coordinator
                                                                                                             turnover.
Incident Reporting.................  1570.203.............           2,052           2,404             353  Requirement to report  Included additional
                                                                                                             significant security   post-call
                                                                                                             concerns within 24     administrative costs
                                                                                                             hours of initial       for TSA.
                                                                                                             discovery. TSA
                                                                                                             assumes incident
                                                                                                             reporting will occur
                                                                                                             telephonically.
Recordkeeping......................  1570.121.............             592             875             283  Requirement to         (1) Decreased cost
                                                                                                             maintain security      associated with
                                                                                                             training records for   number of records
                                                                                                             each individual        due to reduced
                                                                                                             trained. These         frequency of
                                                                                                             records may be         training and (2)
                                                                                                             stored either          increased the time
                                                                                                             electronically or      burden per record
                                                                                                             printed on paper and   from 15 seconds to 1
                                                                                                             filed.                 minute. This
                                                                                                                                    estimate is also
                                                                                                                                    more aligned with
                                                                                                                                    previous estimates
                                                                                                                                    TSA made for
                                                                                                                                    recordkeeping of
                                                                                                                                    other vetting
                                                                                                                                    programs.
Inspections........................  1570.9...............             622           1,175             553  Availability for       No significant
                                                                                                             inspection by TSA      changes. Cost
                                                                                                             for compliance with    difference due to
                                                                                                             the final rule.        updates in wages and
                                                                                                             Costs assume annual    population
                                                                                                             inspections for each   estimates.
                                                                                                             owner/operator;
                                                                                                             industry cost to
                                                                                                             prepare for and host
                                                                                                             TSA inspections, and
                                                                                                             presentation of
                                                                                                             training records and
                                                                                                             program curriculum
                                                                                                             when requested by
                                                                                                             TSA during
                                                                                                             inspection.
                                    --------------------------------------------------------------------------------------------------------------------
    Total Costs....................  .....................         157,274          52,303       (104,971)
--------------------------------------------------------------------------------------------------------------------------------------------------------

    TSA has prepared an analysis of its estimated costs and benefits, 
summarized in the following paragraphs. The OMB Circular A-4 Accounting 
Statement for this final rule is in section VIII.B.3. When estimating 
the cost of a rulemaking, agencies typically estimate future expected 
costs imposed by a regulation over a period of analysis. For this 
rule, TSA uses a 10-year period of analysis to 
estimate the initial and recurring costs of the regulated surface mode 
owner/operators and new owner/operators that are expected due to 
industry growth.
    TSA concluded the following about the current, or baseline, 
training environment for freight rail, public transportation and 
passenger railroad (PTPR), and OTRB employees (see section 1.8 of the 
RIA placed in the docket for further detailed information on the 
current baseline):

[[Page 16487]]

    There are 574 U.S. freight rail owners/operators, composed of 
7 Class I, 21 Class II, and 546 Class III railroads.\118\ A total of 
33 (7 Class I, 8 Class II, and 18 Class III) out of the 574 U.S. 
freight rail owner/operators carry RSSM through an HTUA and would be 
affected by the final rule.\119\ These 33 freight rail owner/operators 
provide security awareness \120\ and chain of custody and control \121\ 
trainings to their employees. These trainings address two of the 
required elements of security training required by the final rule in 
Sec.  1580.115 (Security training and knowledge for security-sensitive 
employees: Prepare and Assess). Additionally, freight rail owner/
operators are already required to comply with the requirements to 
assign security coordinators and report significant security concerns 
to TSA under current 49 CFR 1580. Table 7 below identifies the 
requirements of the final rule implemented by freight rail owner/
operators. The check marked items in the table represent existing 
requirements under PHMSA's regulations (see 49 CFR 172.704 and 
1580.107) and, therefore, do not represent additional burden to the 
freight rail owners/operators.
---------------------------------------------------------------------------

    \118\ AAR, ``Railroad Facts, 2017 Edition,'' at pg.3 (2017).
    \119\ TSA used its railcar tracking system that monitors toxic 
inhalant hazard cars, the Rail Asset Integrated Logistics System, 
(RAILS), to identify freight rail owner/operators that transported 
one or more shipments of RSSM during the period in calendar year 
2017.
    \120\ As required by PHMSA. See 49 CFR 172.704.
    \121\ In place because of the chain of custody requirement in 49 
CFR 1580.107.
[GRAPHIC] [TIFF OMITTED] TR23MR20.002

    There are nearly 6,800 public transportation organizations in the 
United States.\122\ Of these, 47 PTPR owner/operators \123\ fall within 
the applicability of the final rule. Twenty-four of these 47 PTPR 
owner/operators effectively provide training to their employees on 
security awareness and employee- and company-specific security programs 
and measures.\124\ This training addresses two of the required elements 
of security training required by the final rule in Sec.  1582.115 
(Prepare and Assess). Additionally, 24 PTPR owner/operators with rail 
operations are already required to comply with the requirements to 
assign security coordinators and report significant security concerns 
to TSA under current 49 CFR part 1580. Table 8 below identifies the 
requirements of the final rule already implemented by PTPR owner/
operators. The check marked items in the table represent existing 
requirements under 49 CFR part 1580 and, therefore, do not represent 
additional burden to the freight rail owners/operators.
---------------------------------------------------------------------------

    \122\ APTA, ``2016 Public Transportation Fact Book'' (Feb. 
2017), available at http://www.apta.com/resources/statistics/Documents/FactBook/2016-APTA-Fact-Book.pdf.
    \123\ TSA elicited and used input from SMEs in its Surface 
Division, combined with data from the Federal Transit 
Administration's (FTA) National Transit Database (NTD) to identify 
the 47 PTPR owner/operators.
    \124\ Agencies identified using latest evaluation from TSA's 
BASE assessment. Information on BASE assessment can be found at: 
https://www.tsa.gov/news/top-stories/2015/09/21/transit-agencies-earn-high-ratings-through-base-program.

---------------------------------------------------------------------------

[[Page 16488]]

[GRAPHIC] [TIFF OMITTED] TR23MR20.003

    There are 2,990 U.S. companies in the motorcoach industry.\125\ Of 
these, 205 \126\ fall within the applicability of the final rule. Three 
of the 205 are large OTRB companies that currently use the TSA-supplied 
First Observer™ program, which covers a majority of the 9/11 Act 
security training requirements, to train their employees. This training 
addresses three of the security training elements of this final rule 
(Observe, Assess, and Respond). Table 9 identifies the requirements of 
this final rule implemented by OTRB owner/operators. The check marked 
items in the table represent the training components already covered by 
the First Observer™ program and, therefore, do not represent additional 
burden to the OTRB owners/operators currently using this program 
compared to the ``no-action'' baseline.\127\ In Appendix A of the RIA, 
however, TSA has also monetized the cost of their current participation 
in First Observer™. TSA estimated this cost at $0.57 million to these 
owner/operators over 10 years (discounted at 7 percent).\128\
---------------------------------------------------------------------------

    \125\ American Bus Association Foundation, ``Motorcoach Census 
2015'' (Oct. 9, 2017), available at https://www.buses.org/assets/images/uploads/pdf/Motorcoach_Census_2015.pdf.
    \126\ TSA relied on a variety of sources to identify the 205 
owner/operators: Intercity Bus Security Grant Program (IBSGP) 
applications submitted to FEMA and reviewed by TSA, the American 
Intercity Bus Riders Association (AIBRA) intercity bus service 
operator list, consultations with ABA, and internet research of 
websites like GotoBus.com and other publicly available sources of 
information.
    \127\ OMB, ``Circular A-4,'' at 2, available at https://www.whitehouse.gov/sites/default/files/omb/assets/regulatory_matters_pdf/a-4.pdf. (``Benefits and costs are defined in 
comparison with a clearly stated alternative. This normally will be 
a `no action' baseline: What the world will be like if the proposed 
rule is not adopted.'')
    \128\ OMB also requires TSA to consider a ``pre-statute'' 
baseline. Id. at 16. Costs of First Observer™ have 
accrued since passage of the 9/11 Act and are part of this ``pre-
statute'' baseline.
[GRAPHIC] [TIFF OMITTED] TR23MR20.004

    TSA summarizes the costs of the final rule to be borne by four 
affected parties: freight railroad owner/operators, PTPR owner/
operators, OTRB owner/operators, and TSA. As displayed in Table 10, TSA 
estimates the 10-year total cost of this final rule to be $73.17 
million undiscounted, $62.82 million discounted at 3 percent, and 
$52.30 million discounted at 7 percent. The costs to industry (all 
three surface modes) comprise approximately 96.2 percent of the total 
costs of the rule; and the remaining costs are incurred by TSA.

                                                    Table 10--Total Cost of the Final Rule by Entity
                                                                      [$ millions]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                                       Total final rule cost
                                                                                                         -----------------------------------------------
                  Year                     Freight rail        PTPR            OTRB             TSA                        Discounted at   Discounted at
                                                                                                           Undiscounted         3%              7%
--------------------------------------------------------------------------------------------------------------------------------------------------------
1                                                  $8.82           $5.74           $2.28           $0.63          $17.46          $16.95          $16.32
2                                                   0.31            0.67            0.42            0.21            1.60            1.50            1.39
3                                                   0.31            0.67            0.42            0.21            1.61            1.47            1.31

[[Page 16489]]

 
4                                                   8.08            4.49            2.02            0.27           14.87           13.21           11.34
5                                                   0.58            1.10            0.56            0.22            2.46            2.12            1.75
6                                                   0.58            1.11            0.57            0.22            2.48            2.07            1.65
7                                                   7.64            3.82            1.91            0.28           13.65           11.10            8.50
8                                                   0.82            1.41            0.68            0.23            3.14            2.48            1.83
9                                                   0.83            1.42            0.69            0.23            3.17            2.43            1.72
10                                                  7.25            3.35            1.85            0.29           12.74            9.48            6.48
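--------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                              35.21           23.78           11.40            2.78           73.17           62.82           52.30
--------------------------------------------------------------------------------------------------------------------------------------------------------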
    Annualized                            ..............  ..............  ..............  ..............  ..............            7.36            7.45
--------------------------------------------------------------------------------------------------------------------------------------------------------
Note: Totals may not add due to rounding.

    TSA estimates the 10-year costs to the freight railroad industry to 
be $35.21 million undiscounted, $30.18 million discounted at 3 percent, 
and $25.09 million discounted at 7 percent, as displayed by cost 
categories in Table 11.
[GRAPHIC] [TIFF OMITTED] TR23MR20.005

    TSA estimates the 10-year costs to the PTPR industry to be $23.78 
million undiscounted, $20.48 million discounted at 3 percent, and 
$17.12 million discounted at 7 percent, as displayed by cost categories 
in Table 12.

[[Page 16490]]

[GRAPHIC] [TIFF OMITTED] TR23MR20.006

    TSA estimates the 10-year costs to the OTRB industry to be $11.40 
million undiscounted, $9.74 million discounted at 3 percent, and $8.06 
million discounted at 7 percent, as displayed by cost categories in 
Table 13.
[GRAPHIC] [TIFF OMITTED] TR23MR20.007

    TSA estimates the 10-year costs to TSA to be $2.78 million 
undiscounted, $2.41 million discounted at 3 percent, and $2.03 million 
discounted at 7 percent, as displayed by cost categories in Table 14.

[[Page 16491]]

[GRAPHIC] [TIFF OMITTED] TR23MR20.008

    This final rule will enhance surface transportation security by 
reducing the risk of terrorist attacks in four ways. First, the rule 
ensures employees on the frontline of higher-risk surface 
transportation systems and operations (defined as ``security-sensitive 
employees'') are trained on how to observe, assess, and respond to a 
security threat, enhancing their capabilities to take appropriate 
actions and mitigate the consequences of any threat or incident. 
Second, security-sensitive employees with responsibilities under their 
employer's security plan or for specific security measures will be 
prepared through training to perform any actions associated with that 
responsibility. Third, there will be more effective communication 
between TSA and all higher-risk operations through the designation of 
security coordinators by all higher-risk operations. Finally, the 
expanded scope of owner/operators required to report significant 
security concerns will enhance TSA's ability to identify risks and 
recommend appropriate actions based on a more comprehensive picture of 
threats to surface transportation security.
    While training and the other requirements of this final rule are 
not absolute deterrents for terrorists intent on carrying out attacks 
on surface modes of transportation, TSA expects the probability of 
success for such attacks to decrease when the requirements of this rule 
are fully implemented.
    TSA uses a break-even analysis to frame the relationship between 
the potential benefits of the final rule and the costs of implementing 
the rule. When it is not possible to quantify or monetize a majority of 
the incremental benefits of a regulation, OMB recommends conducting a 
threshold, or ``break-even'' analysis. According to OMB Circular No. A-
4, ``Regulatory Analysis,'' such an analysis answers the question ``How 
small could the value of the non-qualified benefits be (or how large 
would the value of the non-quantified costs need to be) before the rule 
would yield zero net benefits?'' \129\
---------------------------------------------------------------------------

    \129\ See id.
---------------------------------------------------------------------------

    To conduct the break-even analysis, TSA evaluates three composite 
scenarios for each of the three modes covered by the final rule. For 
each scenario, TSA calculates a total monetary consequence from an 
estimated statistical value of the human casualties and capital 
replacement resulting from the attack (see Section 4.3 of the Final RIA 
for a more detailed description of these calculations; however, many 
assumptions regarding specific terrorist attack scenarios are SSI and 
cannot be publicly released).
    Table 15 presents the composite or weighted average of direct 
consequences from a successful attack on each mode.
---------------------------------------------------------------------------

    \130\ As explained in the Final RIA, available in the docket, to 
monetize injuries, TSA used two approaches (depending on whether the 
injury was due to exposure to hazardous chemicals). To monetize 
``non-chemical'' injuries, TSA uses guidance from the Department of 
Transportation for valuing injuries based on the Abbreviated Injury 
Scale. To monetize chemical-related injuries, TSA obtained 
information on the cost of medical treatment for poisoning injuries.
    \131\ Total Direct Consequences = (Deaths x $9.6 million VSL) + 
(Severe injuries x $2.55 million) + (Moderate injuries x $0.45 
million) + (Severe chemical injuries x $43,743) + (Moderate chemical 
injuries x $1,687) + Public property loss + Private property loss + 
Rescue and clean-up cost.

---------------------------------------------------------------------------

[[Page 16492]]

[GRAPHIC] [TIFF OMITTED] TR23MR20.009

    TSA compared the estimated direct monetary costs of an attack to 
the annualized cost (discounted at 7 percent) to industry and TSA from 
the final rule for each mode to estimate how often an attack of that 
nature would need to be averted for the expected benefits to equal 
estimated costs. Table 16 presents the results of the break-even 
analysis for each mode. For example, Table 16 shows that if the freight 
rail training requirements in this rule prevent one freight rail 
terrorist attack every 141 years, this rule ``breaks-even'' (the 
benefits equal the costs).
    The break-even analysis does not include the difficult-to-quantify 
indirect costs of an attack or the macroeconomic impacts that could 
occur due to a major attack. In addition to the direct impacts of a 
terrorist attack in terms of lost life and property, there are other 
more indirect impacts that are difficult to measure. As noted by Cass 
Sunstein in Laws of Fear, ``. . . fear is a real social cost, and it is 
likely to lead to other social costs.'' \132\ In addition, Ackerman and 
Heinzerling state ``. . . terrorism `works' through the fear and 
demoralization caused by uncontrollable uncertainty.'' \133\ As 
devastating as the direct impacts of a successful terrorist attack can 
be in terms of the immediate loss of life and property, avoiding the 
more difficult-to-measure indirect effects is also a substantial 
benefit of preventing a terrorist attack.
---------------------------------------------------------------------------

    \132\ Cass R. Sunstein, Laws of Fear at 127 (2005).
    \133\ Frank Ackerman and Lisa Heinzerling, Priceless: On Knowing 
the Price of Everything and the Value of Nothing at 136 (2004).

                                      Table 16--Break-Even Analysis Results
                                                  [$ millions]
----------------------------------------------------------------------------------------------------------------
                                              Weighted average   Annualized cost
                   Modes                     direct costs of a  of the final rule     Breakeven averted attack
                                             successful attack        at 7%                  frequency
                                                             a                  b  c = a / b
----------------------------------------------------------------------------------------------------------------
Freight Rail...............................            $505.87              $3.60  One attack every 141 years.
PTPR.......................................             487.80               2.48  One attack every 197 years.
OTRB.......................................             371.00               1.37  One attack every 271 years.
----------------------------------------------------------------------------------------------------------------
Note: Totals may not add due to rounding.

3. OMB A-4 Statement
    The OMB A-4 Accounting Statement (in Table 17) presents annualized 
costs and qualitative benefits of the final rule.

[[Page 16493]]



                                     Table 17--OMB A-4 Accounting Statement
                                          [in $ millions, 2017 dollars]
----------------------------------------------------------------------------------------------------------------
 
----------------------------------------------------------------------------------------------------------------
Category                               Primary estimate                Minimum         Maximum  Source citation
                                                                      estimate        estimate   (Final RIA,
                                                                                                 preamble, etc.)
----------------------------------------------------------------------------------------------------------------
                                              Benefits ($ millions)
----------------------------------------------------------------------------------------------------------------
Annualized monetized benefits              N/A             N/A             N/A             N/A  Final RIA
 (discount rate in
 parentheses).
----------------------------------------------------------------------------------------------------------------
Unquantified benefits.........    The requirements proposed in this rule produce benefits by    Final RIA
                                  reducing security risks through training security-sensitive
                                     surface mode employees to identify and/or mitigate an
                                                  attempted terrorist attack.
----------------------------------------------------------------------------------------------------------------
                                               Costs ($ millions)
----------------------------------------------------------------------------------------------------------------
Annualized monetized costs                (7%)           $7.45  ..............  ..............  Final RIA
 (discount rate in                        (3%)           $7.36
 parentheses).
----------------------------------------------------------------------------------------------------------------
Annualized quantified, but                     0                             0               0  Final RIA
 unmonetized, costs.
----------------------------------------------------------------------------------------------------------------
Qualitative costs                                             N/A                               Final RIA
 (unquantified).
----------------------------------------------------------------------------------------------------------------
                                                    Transfers
----------------------------------------------------------------------------------------------------------------
Annualized monetized                          N/A                          N/A             N/A  Final RIA
 transfers: ``on budget''.
From whom to whom?............                N/A                          N/A             N/A  None
Annualized monetized                          N/A                          N/A             N/A  Final RIA
 transfers: ``off-budget''.
From whom to whom?............                N/A                          N/A             N/A  None
----------------------------------------------------------------------------------------------------------------
Miscellaneous analyses/                                     Effects                             Source citation
 category.                                                                                       (NPRM RIA,
                                                                                                 preamble, etc.)
----------------------------------------------------------------------------------------------------------------
Effects on State, local, and/                                None                               Final RIA
 or tribal governments.
Effects on small businesses...                           Prepared FRFA                          FRFA (Chapter 6
                                                                                                 RIA)
Effects on wages..............                               None                               None
Effects on growth.............                               None                               None
----------------------------------------------------------------------------------------------------------------

4. Alternatives Considered
    In addition to the final rule, TSA also considered two alternative 
policies. In comparison to the final rule, the first alternative 
(Alternative 1) removes requirements for recordkeeping, security 
incident reporting, and security coordinators for bus-only PTPR owner/
operators. This alternative also removes the requirement to train 
freight railroad security-sensitive employees on chain of custody and 
control requirements.\134\ The second alternative (Alternative 2) 
increases the training frequency to an annual basis and expands the 
population of owners/operators to all who operate within any UASI, 
which includes the entire metropolitan statistical area.\135\ All other 
requirements remain the same.
---------------------------------------------------------------------------

    \134\ Table 64 in the RIA found in the docket provides a 
section-by-section analysis of which regulatory provisions are 
statutorily required and which provisions are discretionary.
    \135\ As previously noted, see section VII.C.4. of the preamble 
to this final rule, TSA proposed an annual recurrent training 
requirement in the NPRM. See also 81 FR at 91348. For the NPRM, TSA 
also considered an alternative to ``train security-sensitive 
employees once every three years using TSA-provided materials.'' Id. 
at 91379. In response to comments, TSA is adopting a three-year 
recurrent training cycle for purposes of the final rule, making the 
annual recurrent training requirement the alternative considered for 
purposes of the alternatives analysis.
---------------------------------------------------------------------------

    Though not the least costly option, TSA selects the requirements in 
this final rule as the preferred alternative. TSA rejected Alternative 
1 because it omitted the following important security measures TSA 
proposed in the NPRM: (1) Recordkeeping requirements to ensure TSA can 
determine compliance (all modes); (2) expanding security coordinator 
requirements to provide a security point of contact for bus-only 
operations (PTPR); (3) expanding reporting requirements for security 
incidents to ensure TSA has a more complete picture of potential 
threats to surface transportation (PTPR and OTRB); and (4) ensuring 
freight railroad security-sensitive employees with responsibilities 
under TSA's chain of custody and control requirements have the 
necessary training to ensure compliance with these security measures in 
place since promulgation of TSA's Rail Security Rule.\136\ By including 
these security measures, TSA can ensure compliance with the rule, 
obtain a complete picture of potential threats to surface 
transportation across multiple modes, and enhance compliance with 
security measures required for freight railroads.
---------------------------------------------------------------------------

    \136\ 73 FR 72129, 72130-72179 (Nov. 26, 2008). ``Rail 
Transportation Security; Final Rule.''
---------------------------------------------------------------------------

    TSA also rejected Alternative 2. As discussed in the NPRM, TSA 
applied a risk-based approach to determining applicability of this 
final rule.\137\ Expanding the population would be inconsistent with 
TSA's commitment to risk-based security.\138\ TSA is also rejecting 
requiring annual recurrent training in response to comments 
received on the NPRM.\139\ In response to these comments which 
suggested longer time periods between training, TSA modified the 
recurrent training requirement to at least once every three years in 
the final rule, and rejected the annual recurrent training requirement 
in Alternative 2.
---------------------------------------------------------------------------

    \137\ See supra n. 13.
    \138\ Id.
    \139\ See section VI.C.4 of this final rule.

                                                   Table 18--Comparison of Costs Between Alternatives
                                                                      [in millions]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                          10-Year costs (in $ millions) at a 7% discount
                                           Initial Affected population                                                         rate
                                           (number of owner/operators)            Requirements           -----------------------------------------------
                                                                                                             Industry           TSA            Total
--------------------------------------------------------------------------------------------------------------------------------------------------------
Final Rule...............................  33 Freight Rails...........  1. Provide security training to           $50.28           $2.03          $52.30
                                           47 PTPRs...................   security-sensitive employees
                                           205 OTRBs..................   once every three years.
                                           ...........................  2. Designate a security
                                                                         coordinator (expanded
                                                                         requirement to include bus-only
                                                                         PTPR and OTRB).
                                           ...........................  3. Report significant security
                                                                         incidents to TSA (expanded
                                                                         requirement to include bus-only
                                                                         PTPR and OTRB). Maintain
                                                                         employee training records and.
                                           ...........................  4. Provide access to TSA and
                                                                         proof of compliance.
Alternative 1............................  ...........................  1. Provide security training to            48.03            0.99           49.02
                                                                         security-sensitive employees
                                                                         once every three years (except
                                                                         for Chain of custody and
                                                                         control);.
                                           ...........................  2. Designate a security
                                                                         coordinator (expanded
                                                                         requirement limited to OTRB).
                                           ...........................  3. Maintain employee training
                                                                         records and.
                                           ...........................  4. Provide access to TSA and
                                                                         proof of compliance.
Alternative 2............................  69 Freight Rails...........  1. Provide annual security                219.54            4.52          224.05
                                           253 PTPRs..................   training to security-sensitive
                                           403 OTRBs..................   employees within expanded
                                                                         applicability.
                                           ...........................  2. Designate a security
                                                                         coordinator.
                                           ...........................  3. Report significant security
                                                                         incidents to TSA.
                                           ...........................  4. Maintain employee training
                                                                         records and.
                                           ...........................  5. Provide access to TSA and
                                                                         proof of compliance.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Note: Totals may not add due to rounding.

5. Regulatory Flexibility Assessment
    The RFA \140\ requires agencies to consider the impacts of their 
rules on small entities. TSA performed a Final Regulatory Flexibility 
Analysis (FRFA) to analyze the impact to small entities affected by the 
final rule.\141\ The RFA analysis presented below is a summary of the 
FRFA, including the six elements in 5 U.S.C. 604.
---------------------------------------------------------------------------

    \140\ See supra n. 113.
    \141\ See Chapter 6 of the Final RIA in the docket for the full 
FRFA.
---------------------------------------------------------------------------

    a. A Statement of the Need for, and Objectives of, the Rule. 
Sections 1408, 1517, and 1534 of the 9/11 Act require TSA to issue a 
security training rule requiring owner/operators of various modes of 
surface transportation to provide training to frontline freight rail, 
PTPR, and OTRB employees. Owner/operators are required to 
submit a training program to TSA for review that will be marked SSI. An 
owner/operator must also keep records of whether each employee has 
successfully completed their training. Additionally, TSA will collect 
security coordinator and alternate coordinator information from 
entities covered in the final rule, as well as require reporting of 
suspicious activities or incidents by these owner/operators. TSA 
requests this information from owner/operators to be better prepared to 
respond to emergencies or incidents and to have designated points of 
contacts with covered entities when information needs to be shared or 
retrieved. TSA requests reporting of security-related incidents and 
suspicious activities to assess if there is a new threat or increased 
threat to the surface modes of transportation.
    b. A Statement of the Significant Issues Raised by Public Comments 
in Response to the IRFA, a Statement of the Assessment of the Agency of 
Such Issues, and a Statement of Any Changes Made in the Proposed Rule 
as a Result of Such Comments. The public did not submit significant 
comments during the comment period specifically on the IRFA. However, 
elsewhere in the preamble of the final rule, TSA answered public 
comments on the cost estimate of the rule.
    c. Description of and an Estimate of the Number of Small Entities 
to Which the Rule Will Apply or an Explanation of Why No Such Estimate 
is Available. Under the RFA, the term ``small entities'' comprises 
small businesses, not-for-profit organizations that are independently 
owned and operated and are not dominant in their fields, and small 
governmental jurisdictions with populations of less than 50,000. 
Individuals and States are not considered ``small entities'' based on 
the definitions in the RFA (5 U.S.C. 601).
    The PTPR owner/operators affected by this final rule are not 
considered small entities because they are either owned/operated by 
governmental jurisdictions that exceed the RFA population threshold of 
50,000 or a 
business that exceeds the Small Business Administration's (SBA) size 
threshold. Only freight rail and OTRB owner/operators have small 
entities affected by the final rule.
    The final rule requires security training for Class I freight rail 
owner/operators and freight rail owner/operators that transport RSSM in 
one or more HTUAs \142\ or host high-risk passenger rail operations on 
their tracks. TSA identified 33 freight railroad entities affected by 
the final rule.
---------------------------------------------------------------------------

    \142\ See Appendix A to part 1580 of this final rule for list of 
HTUAs.
---------------------------------------------------------------------------

    TSA uses the SBA size standards to identify that 18 of the 33 
freight rail owner/operators affected by the final rule are considered 
small businesses. TSA calculates that the final rule's requirements are 
estimated to cost $61.82 per employee and $18,390.32 per freight rail 
owner/operator. Of these 18 small freight rail owner/operators, TSA 
estimates that one of these freight rail owner/operators would likely 
have a regulatory cost that exceeds one percent of their revenue. Table 
19 presents the likely distribution of costs for small freight rail 
owner/operators.

  Table 19--Costs as a Percent of Revenue for Small Freight Rail Owner/
                                Operators
------------------------------------------------------------------------
                                             Number of      Percent of
          Revenue impact range               entities        entities
------------------------------------------------------------------------
0% < Impact <= 1%.......................              17              94
1% < Impact <= 3%.......................               0               0
3% < Impact <= 5%.......................               1               6
5% < Impact <= 10%......................               0               0
Above 10%...............................               0               0
                                         -------------------------------
    Total...............................              18           100.0
------------------------------------------------------------------------

    TSA identified 205 OTRB owner/operator entities affected by the 
final rule. Using SBA's size threshold, TSA estimates that 182 OTRB 
owner/operators regulated by the final rule are considered small 
businesses. TSA calculates that the final rule's requirements are 
estimated to cost $35.68 per employee and $5,759.94 per entity to these 
OTRB owner/operators. Using a relevant sample of 143 of these small 
OTRB owner/operators, TSA estimates that 32% of them would likely have a 
regulatory cost that exceeds one percent of their revenue. Table 20 
presents the likely distribution of costs for this sample of small OTRB 
owner/operators.

 Table 20--Costs as a Percent of Revenue for Small OTRB Owner/Operators
------------------------------------------------------------------------
                                             Number of      Percent of
          Revenue impact range               entities        entities
------------------------------------------------------------------------
0% < Impact <= 1%.......................              97              68
1% < Impact <= 3%.......................              36              25
3% < Impact <= 5%.......................               6               4
5% < Impact <= 10%......................               4               3
Above 10%...............................               0               0
                                         -------------------------------
    Total...............................             143           100.0
------------------------------------------------------------------------

    d. The Response of the Agency to Any Comments Filed by the Chief 
Counsel for Advocacy of the Small Business Administration in Response 
to the Proposed Rule, and a Detailed Statement of Any Change Made to 
the Proposed Rule in the Final Rule as a Result of the Comments. The 
Small Business Administration did not submit any comments during the 
comment period for the NPRM.
    e. A Description of the Projected Reporting, Recordkeeping, and 
Other Compliance Requirements of the Final Rule, Including an Estimate 
of the Classes of Small Entities that Will Be Subject to the 
Requirement and the Type of Professional Skills Necessary for 
Preparation of the Report or Record. This final rule's reporting, 
recordkeeping and other compliance requirements will include submission 
of security training programs, security coordinator and security 
incident information, retention of training records, and availability 
for compliance inspections. TSA assumes that any training program, 
incident report, security coordinator package, or other information 
submitted to TSA will be completed by management-level personnel. TSA 
also assumes that owner/operators will have a manager prepare before a 
TSA compliance inspection. TSA assumes the recordkeeping requirements 
of the final rule will be fulfilled by employees with administrative 
and clerical skills.
    f. A Description of the Steps the Agency has Taken to Minimize 
Significant Economic Impact on Small Entities Consistent with the 
Stated Objectives of Applicable Statutes, including a Statement of the 
Factual, Policy, and Legal Reasons for Selecting the Alternative 
Adopted in the Final Rule and Why Each of the Other Significant 
Alternatives to the Rule Considered by the Agency which Affect the 
Impact on Small Entities was Rejected. TSA will allow owner/operators 
to develop their own training programs (which must receive TSA 
approval). TSA will give owner/operators the flexibility to use 
different training materials to satisfy the final rule's training 
requirements. Additionally, in an effort to create a baseline for 
security training and minimize costs on regulated owner/operators, TSA 
will provide training videos to incorporate the non-entity-specific 
training requirements laid out in the final rule. TSA will make these 
training videos available to all owner/operators, including small 
entities not 
covered by the high-risk criteria, which could be used on a voluntary 
basis by entities seeking to improve their security posture.
    TSA considered two other feasible alternatives, detailed in chapter 
5 of the Final RIA, in addition to the final rule.
    Alternative 1: Requirements Limited to Those Expressly Authorized 
by Statute. In comparison to the final rule, the first regulatory 
alternative TSA considered would limit the requirements to those 
expressly authorized by the 9/11 Act or other relevant statutory 
provisions, such as 49 U.S.C. 114. Under this alternative, the 
applicability of owner/operators required to comply and employees to be 
trained would remain the same and the recurrence of training would be 
the same as the final rule (once every three years), but TSA would 
remove the following requirements:
    - Recordkeeping (final rule requires retention of records 
necessary to validate compliance);
    - Training freight rail employees on the chain of custody 
procedures required by TSA's regulations (see Sec.  1580.205 for chain 
of custody and control requirements relocated from Sec.  1580.107);
    - Security coordinators and reporting security incidents by 
bus-only PTPR owner/operators; and
    - Reporting security incidents by OTRB owner/operators.
    The alternative would still include requirements to provide 
security training to security-sensitive employees (with the exception 
of chain of custody and control) once every three years, designating 
security coordinators for OTRB owner/operators, and providing access to 
TSA to inspect for compliance. The narrower scope from this alternative 
means the costs to small businesses would be less than the final rule. 
TSA rejected this alternative based on the determination that 
recordkeeping is implicitly required as it is a necessary component of 
enforcing a regulation, and the other measures are necessary for 
consistent application of the TSA's requirements imposed to enhance 
surface transportation security.
    Alternative 2: Increased Population Alternative with Program 
Creation Assumptions. TSA considered a second regulatory alternative 
that would require annual training and increase the population of 
owner/operators required to comply with the final rule. For Alternative 
2, TSA considered expanding the scope of applicability to any freight 
railroad, PTPR system, or OTRB operator operating fixed-route service 
to, through, or from a UASI. Under this alternative, TSA would impose 
additional burdens to a significant number of small owner/operators, 
including those that TSA has not determined to be higher-risk. This 
alternative could have a disproportionate impact upon small entities. 
Alternative 2 would increase total costs upon the regulated community 
as a whole. Additionally, TSA received comments to the NPRM (section 
VI.C.4 of this preamble) that suggested longer time periods between 
training, such as two or three years. In response to these comments, 
TSA modified the recurrent training requirement to at least once every 
three years in the final rule, and rejected the annual recurrent 
training requirement in Alternative 2. TSA rejected this alternative as 
it is inconsistent with the agency's risk-based security policy 
determination to focus on higher-risk owner/operators and commitment to 
outcomes-based regulations. TSA also rejected this alternative because 
of its annual recurrent training requirement.
6. International Trade Impact Assessment
    The Trade Agreement Act of 1979 prohibits Federal agencies from 
establishing any standards or engaging in related activities that 
create unnecessary obstacles to the foreign commerce of the United 
States. Legitimate domestic objectives, such as safety, are not 
considered unnecessary obstacles. The statute also requires 
consideration of international standards and, where appropriate, that 
they be the basis for U.S. standards. TSA has assessed the potential 
effect of this final rule and has determined that it would have only a 
domestic impact and therefore no effect on any trade-sensitive 
activity.
7. Unfunded Mandates Assessment
    The Unfunded Mandates Reform Act of 1995 is intended, among other 
things, to curb the practice of imposing unfunded Federal mandates on 
State, local, and tribal governments. Title II of UMRA requires each 
Federal agency to prepare a written statement assessing the effects of 
any Federal mandate in a proposed or final agency rule that may result 
in a $100 million or more expenditure (adjusted annually for inflation) 
in any one year by State, local, and tribal governments, in the 
aggregate, or by the private sector; such a mandate is deemed to be a 
``significant regulatory action.'' \143\
---------------------------------------------------------------------------

    \143\ Supra n. 63 as codified at 2 U.S.C. 1532.
---------------------------------------------------------------------------

    This final rule does not contain such a mandate. Therefore, the 
requirements in Title II of UMRA do not apply and TSA has not prepared 
a statement.

C. Executive Order 13132, Federalism

    TSA has analyzed this rulemaking under the principles and criteria 
of Executive Order 13132, Federalism. We determined that this action 
would not have a substantial direct effect on the States, on the 
relationship between the National Government and the States, or on the 
distribution of power and responsibilities among the various levels of 
government, and therefore would not have federalism implications.

D. Environmental Analysis

    TSA has reviewed this rulemaking for purposes of the National 
Environmental Policy Act of 1969 (NEPA) (42 U.S.C. 4321-4347) and has 
determined that this action will not have a significant effect on the 
human environment. This action is covered by categorical exclusion 
(CATEX) number A3(b) in DHS Management Directive 023-01 (formerly 
Management Directive 5100.1), Environmental Planning Program, which 
guides TSA compliance with NEPA.

E. Energy Impact Analysis

    The energy impact of this rulemaking has been assessed in 
accordance with the Energy Policy and Conservation Act (EPCA), Public 
Law 94-163, as amended (42 U.S.C. 6362). TSA has determined that this 
rulemaking is not a major regulatory action under the provisions of the 
EPCA.

List of Subjects

49 CFR Part 1500

    Air carriers, Air transportation, Aircraft, Airports, Bus transit 
systems, Commuter bus systems, Law enforcement officer, Maritime 
carriers, Over-the-Road buses, Public transportation, Rail hazardous 
materials receivers, Rail hazardous materials shippers, Rail transit 
systems, Railroad carriers, Railroad safety, Railroads, Reporting and 
recordkeeping requirements, Security measures, Transportation facility, 
Vessels.

49 CFR Part 1520

    Air carriers, Air transportation, Aircraft, Airports, Bus transit 
systems, Commuter bus systems, Law enforcement officer, Maritime 
carriers, Over-the-Road buses, Public transportation, Rail hazardous 
materials receivers, Rail hazardous materials shippers, Rail transit 
systems, Railroad carriers, Railroad safety, Railroads, Reporting and 
recordkeeping requirements, Security measures, Transportation facility, 
Vessels.

[[Page 16497]]

49 CFR Part 1570

    Commuter bus systems, Crime, Fraud, Hazardous materials 
transportation, Motor carriers, Over-the-Road bus safety, Over-the-Road 
buses, Public transportation, Public transportation safety, Rail 
hazardous materials receivers, Rail hazardous materials shippers, Rail 
transit systems, Railroad carriers, Railroad safety, Railroads, 
Reporting and recordkeeping requirements, Security measures, 
Transportation facility, Transportation Security-Sensitive Materials.

49 CFR Part 1580

    Hazardous materials transportation, Rail hazardous materials 
receivers, Rail hazardous materials shippers, Railroad carriers, 
Railroad safety, Railroads, Reporting and recordkeeping requirements, 
Security measures.

49 CFR Part 1582

    Public transportation, Public transportation safety, Railroad 
carriers, Railroad safety, Railroads, Rail transit systems, Reporting 
and recordkeeping requirements, Security measures.

49 CFR Part 1584

    Over-the-Road bus safety, Over-the-Road buses, Reporting and 
recordkeeping requirements, Security measures.

The Amendments

    For the reasons set forth in the preamble, the Transportation 
Security Administration amends chapter XII, of title 49, Code of 
Federal Regulations as follows:

Subchapter A--Administrative and Procedural Rules

PART 1500--APPLICABILITY, TERMS, AND ABBREVIATIONS

1. The authority citation for part 1500 is revised to read as follows:

    Authority: 49 U.S.C. 114, 5103, 40113, 44901-44907, 44913-44914, 
44916-44918, 44935-44936, 44942, 46105; Pub. L. 110-53 (121 Stat. 
266, Aug. 3, 2007) secs. 1408 (6 U.S.C. 1137), 1501 (6 U.S.C. 1151), 
1517 (6 U.S.C. 1167), and 1534 (6 U.S.C. 1184).


2. Revise Sec.  1500.3 to read as follows:


Sec.  1500.3  Terms and abbreviations used in this chapter.

    As used in this chapter:
    Administrator means the Assistant Secretary for Homeland Security, 
Transportation Security Administration (Assistant Secretary), who is 
the highest-ranking TSA official, or his or her designee. Administrator 
also means the Under Secretary of Transportation for Security 
identified in 49 U.S.C. 114(b).
    Authorized representative means any individual who is not a direct 
employee of a person regulated under this title, but is authorized to 
act on that person's behalf to perform measures required under the 
Transportation Security Regulations, or a TSA security program. For 
purposes of this subchapter, the term ``authorized representative'' 
includes agents, contractors, and subcontractors, and employees of the 
same.
    Bus means any of several types of motor vehicles used by public or 
private entities to provide transportation service for passengers.
    Bus transit system means a public transportation system providing 
frequent transportation service (not limited to morning and evening 
peak travel times) for the primary purpose of moving passengers between 
bus stops, often through multiple connections (a bus transit system 
does not become a commuter bus system even if its primary purpose is 
the transportation of commuters). This term does not include tourist, 
scenic, historic, or excursion operations.
    Commuter bus system means a system providing passenger service 
primarily during morning and evening peak periods, between an urban 
area and more distant outlying communities in a greater metropolitan 
area. This term does not include tourist, scenic, historic, or 
excursion operations.
    Commuter passenger train service means ``train, commuter'' as 
defined in 49 CFR 238.5, and includes service provided by diesel or 
electric powered locomotives and railroad passenger cars to serve an 
urban area, its suburbs, and more distant outlying communities in the 
greater metropolitan area. A commuter passenger train service is part 
of the general railroad system of transportation regardless of whether 
it is physically connected to other railroads.
    DHS means the Department of Homeland Security and any directorate, 
bureau, or other component within the Department of Homeland Security, 
including the United States Coast Guard.
    DOT means the Department of Transportation and any operating 
administration, entity, or office within the Department of 
Transportation.
    Fixed-route service means the provision of transportation service 
by private entities operated along a prescribed route according to a 
fixed schedule.
    General railroad system of transportation means ``the network of 
standard gauge track over which goods may be transported throughout the 
nation and passengers may travel between cities and within metropolitan 
and suburban areas'' as defined in appendix A to 49 CFR part 209.
    Hazardous material means ``hazardous material'' as defined in 49 
CFR 171.8.
    Heavy rail transit means service provided by self-propelled 
electric railcars, typically drawing power from a third rail, operating 
in separate rights-of-way in multiple cars; also referred to as 
subways, metros or regional rail.
    Host railroad means a railroad that has effective control over a 
segment of track.
    Improvised explosive device (IED) means a device fabricated in an 
improvised manner that incorporates explosives or destructive, lethal, 
noxious, pyrotechnic, or incendiary chemicals in its design, and 
generally includes a power supply, a switch or timer, and a detonator 
or initiator.
    Intercity passenger train service means both ``train, long-distance 
intercity passenger'' and ``train, short-distance intercity passenger'' 
as defined in 49 CFR 238.5.
    Light rail transit means service provided by self-propelled 
electric railcars, typically drawing power from an overhead wire, 
operating in either exclusive or non-exclusive rights-of-way in single 
or multiple cars, with shorter distance trips, and frequent stops; also 
referred to as streetcars, trolleys, and trams.
    Motor vehicle means a vehicle, machine, tractor, trailer, or 
semitrailer propelled or drawn by mechanical power and used upon the 
highways in the transportation of passengers or property, or any 
combination thereof, but does not include any vehicle, locomotive, or 
car operated exclusively on a rail or rails, or a trolley bus operated 
by electric power derived from a fixed overhead wire, furnishing local 
passenger transportation similar to street-railway service.
    Over-the-Road Bus (OTRB) means a bus characterized by an elevated 
passenger deck located over a baggage compartment.
    Owner/operator means any person that owns, or maintains operational 
control over, any transportation infrastructure asset, facility, or 
system regulated under this title, including airport operator, aircraft 
operator, foreign air carrier, indirect air carrier, certified cargo 
screening facility, flight school within the meaning of 49 CFR 
1552.1(b), motor vehicle, public transportation agency, or railroad 
carrier. For purposes of a maritime facility or a vessel, owner/operator has 
the same meaning as defined in 33 CFR 101.105.
    Passenger rail car means rail rolling equipment intended to provide 
transportation for members of the general public and includes a self-
propelled rail car designed to carry passengers, baggage, mail, or 
express. This term includes a rail passenger coach, cab car, and a 
Multiple Unit (MU) locomotive. In the context of articulated equipment, 
``passenger rail car'' means that segment of the rail rolling equipment 
located between two trucks. This term does not include a private rail 
car.
    Passenger railroad carrier means a railroad carrier that provides 
transportation to persons (other than employees, contractors, or 
persons riding equipment to observe or monitor railroad operations) by 
railroad in intercity passenger service or commuter or other short-haul 
passenger service in a metropolitan or suburban area.
    Passenger train means a train that transports or is available to 
transport members of the general public.
    Person means an individual, corporation, company, association, 
firm, partnership, society, joint-stock company, or governmental 
authority. It includes a trustee, receiver, assignee, successor, or 
similar representative of any of them.
    Private rail car means rail rolling equipment that is used only for 
excursion, recreational, or private transportation purposes. A private 
rail car is not a passenger rail car.
    Public transportation means transportation provided to the general 
public by a regular and continuing general or specific transportation 
vehicle that is owned or operated by a public transportation agency, 
including providing one or more of the following types of passenger 
transportation:
    (1) Intercity or commuter passenger train service or other short-
haul railroad passenger service in a metropolitan or suburban area (as 
described by 49 U.S.C. 20102(1)).
    (2) Heavy or light rail transit service, whether on or off the 
general railroad system of transportation.
    (3) An automated guideway, cable car, inclined plane, funicular, or 
monorail system.
    (4) Bus transit or commuter bus service.
    Public transportation agency means any publicly-owned or operated 
provider of regular and continuing public transportation.
    Rail hazardous materials receiver means any owner/operator of a 
fixed-site facility that has a physical connection to the general 
railroad system of transportation and receives or unloads from 
transportation in commerce by rail one or more of the categories and 
quantities of rail security-sensitive materials identified in 49 CFR 
1580.3, but does not include the owner/operator of a facility owned or 
operated by a department, agency or instrumentality of the Federal 
Government.
    Rail hazardous materials shipper means the owner/operator of any 
fixed-site facility that has a physical connection to the general 
railroad system of transportation and offers (as defined in the 
definition of ``person who offers or offeror'' in 49 CFR 171.8), 
prepares or loads for transportation by rail one or more of the 
categories and quantities of rail security-sensitive materials as 
identified in 49 CFR 1580.3, but does not include the owner/operator of 
a facility owned or operated by a department, agency or instrumentality 
of the Federal Government.
    Rail secure area means a secure location(s) identified by a rail 
hazardous materials shipper or rail hazardous materials receiver where 
security-related pre-transportation or transportation functions are 
performed or rail cars containing the categories and quantities of rail 
security-sensitive materials are prepared, loaded, stored, and/or 
unloaded.
    Rail transit facility means rail transit stations, terminals, and 
locations at which rail transit infrastructure assets are stored, 
command and control operations are performed, or maintenance is 
performed. The term also includes rail yards, crew management centers, 
dispatching centers, transportation terminals and stations, fueling 
centers, and telecommunication centers.
    Rail transit system or ``Rail Fixed Guideway System'' means any 
light, heavy, or rapid rail system, monorail, inclined plane, 
funicular, cable car, trolley, or automated guideway that traditionally 
does not operate on track that is part of the general railroad system 
of transportation.
    Railroad carrier means an owner/operator providing railroad 
transportation.
    Railroad transportation means:
    (1) Any form of non-highway ground transportation that runs on 
rails or electromagnetic guideways, including:
    (i) Commuter or other short-haul rail passenger service in a 
metropolitan or suburban area; and
    (ii) High speed ground transportation systems that connect 
metropolitan areas, without regard to whether these systems use new 
technologies not associated with traditional railroads.
    (2) Such term includes rail transit service operating on track that 
is part of the general railroad system of transportation but does not 
include rapid transit operations in an urban area that are not 
connected to the general railroad system of transportation.
    Record includes any means by which information is preserved, 
irrespective of format, including a book, paper, drawing, map, 
recording, tape, film, photograph, machine-readable material, and any 
information stored in an electronic format. The term record also 
includes any draft, proposed, or recommended change to any record.
    Sensitive security information (SSI) means information that is 
described in and must be managed in accordance with 49 CFR part 1520.
    State means a State of the United States and the District of 
Columbia.
    Tourist, scenic, historic, or excursion operation means a railroad 
or bus operation that carries passengers, often using antiquated 
equipment, with the conveyance of the passengers to a particular 
destination not being the principal purpose. Train or bus movements of 
new passenger equipment for demonstration purposes are not tourist, 
scenic, historic, or excursion operations.
    Transit means mass transportation by a conveyance that provides 
regular and continuing general or special transportation to the public, 
but does not include school bus, charter, or sightseeing 
transportation. Rail transit may occur on or off the general railroad 
system of transportation.
    Transportation or transport means the movement of property 
including loading, unloading, and storage. Transportation or transport 
also includes the movement of people, boarding, and disembarking 
incident to that movement.
    Transportation facility means a location at which transportation 
cargo, equipment or infrastructure assets are stored, equipment is 
transferred between conveyances and/or modes of transportation, 
transportation command and control operations are performed, or 
maintenance operations are performed. The term also includes, but is 
not limited to, passenger stations and terminals (including any fixed 
facility at which passengers are picked-up or discharged), vehicle 
storage buildings or yards, crew management centers, dispatching 
centers, fueling centers, and telecommunication centers.
    Transportation security equipment and systems means items, both 
integrated into a system and stand-alone, used by owner/operators to 
enhance capabilities to detect, deter, prevent, or respond to a threat or 
incident, including, but not limited 
to, video surveillance, explosives detection, radiological detection, 
intrusion detection, motion detection, and security screening.
    Transportation Security Regulations (TSR) means the regulations 
issued by the Transportation Security Administration, in title 49 of 
the Code of Federal Regulations, chapter XII, which includes parts 1500 
through 1699.
    Transportation Security-Sensitive Material (TSSM) means hazardous 
materials identified in 49 CFR 172.800(b).
    TSA means the Transportation Security Administration.
    United States, in a geographical sense, means the States of the 
United States, the District of Columbia, and territories and 
possessions of the United States, including the territorial sea and the 
overlying airspace.
    Vulnerability assessment includes any review, audit, or other 
examination of the security of a transportation system, infrastructure 
asset, or a transportation-related automated system or network to 
determine its vulnerability to unlawful interference, whether during 
the conception, planning, design, construction, operation, or 
decommissioning phase. A vulnerability assessment includes the 
methodology for the assessment, the results of the assessment, and any 
proposed, recommended, or directed actions or countermeasures to 
address security concerns.

PART 1503--INVESTIGATIVE AND ENFORCEMENT PROCEDURES

3. The authority citation for part 1503 continues to read as follows:

    Authority: 18 U.S.C. 6002; 28 U.S.C. 2461 (note); 49 U.S.C. 114, 
20109, 31105, 40113-40114, 40119, 44901-44907, 46101-46107, 46109-
46110, 46301, 46305, 46311, 46313-46314; Public Law 104-134 (110 
Stat. 1321; April 26, 1996), as amended by Pub. L. 114-74 (129 Stat. 
584; Nov. 2, 2015); and Pub. L. 110-53 (121 Stat. 266, Aug. 3, 2007) 
secs. 1408 (6 U.S.C. 1137), 1413 (6 U.S.C. 1142), 1501 (6 U.S.C. 
1151), 1512 (6 U.S.C. 1162), 1517 (6 U.S.C. 1167), 1531 (6 U.S.C. 
1181), and 1534 (6 U.S.C. 1184).

Subpart B--Scope of Investigative and Enforcement Procedures

4. In Sec.  1503.101 revise paragraphs (b)(1) and (2) and add paragraph 
(b)(3) to read as follows:


Sec.  1503.101  TSA requirements.

* * * * *
    (b) * * *
    (1) Those provisions of title 49 U.S.C. administered by the 
Administrator;
    (2) 46 U.S.C. chapter 701; and
    (3) Provisions of Public Law 110-53 (121 Stat. 266, Aug. 3, 2007) 
not codified in title 49 U.S.C. that are administered by the 
Administrator.

Subchapter B--Security Rules for all Modes of Transportation

PART 1520--PROTECTION OF SENSITIVE SECURITY INFORMATION

5. The authority citation for part 1520 continues to read as follows:

    Authority:  46 U.S.C. 114, 40113, 44901-44907, 44913-44914, 
44916-44918, 44935-44936, 44942, 46105, 70102-70106, 70117; Pub. L. 
110-53 (121 Stat. 266, Aug. 3, 2007) secs. 1408 (6 U.S.C. 1137), 
1413 (6 U.S.C. 1142), 1501 (6 U.S.C. 1151), 1512 (6 U.S.C. 1162), 
1517 (6 U.S.C. 1167), 1531 (6 U.S.C. 1181), and 1534 (6 U.S.C. 
1184).


Sec.  1520.3   [Amended]

6. In Sec.  1520.3, remove the definitions of ``DHS'', ``DOT'', ``Rail 
facility'', ``Rail hazardous materials receiver'', ``Rail hazardous 
materials shipper'', ``Rail transit facility'', ``Rail transit system or 
Rail Fixed Guideway System'', ``Railroad'', ``Record'', and 
``Vulnerability assessment''.

7. In Sec.  1520.5, revise paragraphs (b)(1), (b)(6)(i), (b)(8) 
introductory text, (b)(10), (b)(12) introductory text, and (b)(15) to 
read as follows:


Sec.  1520.5  Sensitive security information.

* * * * *
    (b) * * *
    (1) Security programs, security plans, and contingency plans. Any 
security program, security plan, or security contingency plan issued, 
established, required, received, or approved by DHS or DOT, including 
any comments, instructions, or implementing guidance, including--
    (i) Any aircraft operator, airport operator, fixed base operator, 
or air cargo security program, or security contingency plan under this 
chapter;
    (ii) Any vessel, maritime facility, or port area security plan 
required or directed under Federal law;
    (iii) Any national or area security plan prepared under 46 U.S.C. 
70103;
    (iv) Any security incident response plan established under 46 
U.S.C. 70104, and
    (v) Any security program or plan required under subchapter D of 
this title.
* * * * *
    (6) * * *
    (i) Details of any aviation, maritime, or surface transportation 
inspection, or any investigation or an alleged violation of aviation, 
maritime, or surface transportation security requirements of Federal 
law, that could reveal a security vulnerability, including the identity 
of the Federal special agent or other Federal employee who conducted 
the inspection or investigation, and including any recommendations 
concerning the inspection or investigation.
* * * * *
    (8) Security measures. Specific details of aviation, maritime, or 
surface transportation security measures, both operational and 
technical, whether applied directly by the Federal government or 
another person, including the following:
* * * * *
    (10) Security training materials. Records created or obtained for 
the purpose of training persons employed by, contracted with, or acting 
for the Federal government or another person to carry out aviation, 
maritime, or surface transportation security measures required or 
recommended by DHS or DOT.
* * * * *
    (12) Critical transportation infrastructure asset information. Any 
list identifying systems or assets, whether physical or virtual, so 
vital to the aviation, maritime, or surface transportation that the 
incapacity or destruction of such assets would have a debilitating 
impact on transportation security, if the list is--
* * * * *
    (15) Research and development. Information obtained or developed in 
the conduct of research related to aviation, maritime, or surface 
transportation, where such research is approved, accepted, funded, 
recommended, or directed by DHS or DOT, including research results.
* * * * *

8. In Sec.  1520.7, revise paragraph (n) to read as follows:


Sec.  1520.7   Covered persons.

* * * * *
    (n) Each owner/operator of maritime or surface transportation 
subject to the requirements of subchapter D of this chapter.

9. Revise the heading for subchapter D to read as follows:

Subchapter D--Maritime and Surface Transportation Security

10. Revise part 1570 to read as follows:

[[Page 16500]]

PART 1570--GENERAL RULES

Subpart A--General
Sec.
1570.1 Scope.
1570.3 Terms used in this subchapter.
1570.5 Fraud and intentional falsification of records.
1570.7 Security responsibilities of employees and other persons.
1570.9 Compliance, inspection, and enforcement.
Subpart B--Security Programs
1570.101 Scope.
1570.103 Content.
1570.105 Responsibility for Determinations.
1570.107 Recognition of prior or established security measures or 
programs.
1570.109 Submission and approval.
1570.111 Implementation schedules.
1570.113 Amendments requested by owner/operator.
1570.115 Amendments required by TSA.
1570.117 Alternative measures.
1570.119 Petitions for reconsideration.
1570.121 Recordkeeping and availability.
Subpart C--Operations
1570.201 Security Coordinator.
1570.203 Reporting significant security concerns.
Subpart D--Security Threat Assessments
1570.301 Fraudulent use or manufacture; responsibilities of persons.
1570.303 Inspection of credential.
1570.305 False statements regarding security background checks by 
public transportation agency or railroad carrier.
Appendix A to Part 1570--Reporting of Significant Security Concerns

    Authority: 18 U.S.C. 842, 845; 46 U.S.C. 70105; 49 U.S.C. 114, 
5103a, 40113, and 46105; Pub. L. 108-90 (117 Stat. 1156, Oct. 1, 
2003), sec. 520 (6 U.S.C. 469), as amended by Pub. L. 110-329 (122 
Stat. 3689, Sept. 30, 2008) sec. 543 (6 U.S.C. 469); Pub. L. 110-53 
(121 Stat. 266, Aug. 3, 2007) secs. 1402 (6 U.S.C. 1131), 1405 (6 
U.S.C. 1134), 1408 (6 U.S.C. 1137), 1413 (6 U.S.C. 1142), 1414 (6 
U.S.C. 1143), 1501 (6 U.S.C. 1151), 1512 (6 U.S.C. 1162), 1517 (6 
U.S.C. 1167), 1522 (6 U.S.C. 1170), 1531 (6 U.S.C. 1181), and 1534 
(6 U.S.C. 1184).

Subpart A--General


Sec.  1570.1   Scope.

    This part applies to any person involved in maritime or surface 
transportation as specified in this subchapter.


Sec.  1570.3   Terms used in this subchapter.

    In addition to the definitions in Sec. Sec.  1500.3, 1500.5, and 
1503.202 of subchapter A, the following terms are used in this 
subchapter:
    Adjudicate means to make an administrative determination of whether 
an applicant meets the standards in this subchapter, based on the 
merits of the issues raised.
    Alien means any person not a citizen or national of the United 
States.
    Alien registration number means the number issued by the DHS to an 
individual when he or she becomes a lawful permanent resident of the 
United States or attains other lawful, non-citizen status.
    Applicant means a person who has applied for one of the security 
threat assessments identified in this subchapter.
    Commercial driver's license (CDL) is used as defined in 49 CFR 
383.5.
    Contractor means a person or organization that provides a service 
for an owner/operator regulated under this subchapter consistent with a 
specific understanding or arrangement. The understanding can be a 
written contract or an informal arrangement that reflects an ongoing 
relationship between the parties.
    Convicted means any plea of guilty or nolo contendere, or any 
finding of guilt, except when the finding of guilt is subsequently 
overturned on appeal, pardoned, or expunged. For purposes of this 
subchapter, a conviction is expunged when the conviction is removed 
from the individual's criminal history record and there are no legal 
disabilities or restrictions associated with the expunged conviction, 
other than the fact that the conviction may be used for sentencing 
purposes for subsequent convictions. In addition, where an individual 
is allowed to withdraw an original plea of guilty or nolo contendere 
and enter a plea of not guilty and the case is subsequently dismissed, 
the individual is no longer considered to have a conviction for 
purposes of this subchapter.
    Determination of No Security Threat means an administrative 
determination by TSA that an individual does not pose a security threat 
warranting denial of an HME or a TWIC.
    Employee means an individual who is engaged or compensated by an 
owner/operator regulated under this subchapter, or by a contractor to 
an owner/operator regulated under this subchapter. The term includes 
direct employees, contractor employees, authorized representatives, 
immediate supervisors, and individuals who are self-employed.
    Federal Maritime Security Coordinator (FMSC) has the same meaning 
as defined in 46 U.S.C. 70103(a)(2)(G); is the Captain of the Port 
(COTP) exercising authority for the COTP zones described in 33 CFR part 
3, and is the Port Facility Security Officer as described in the 
International Ship and Port Facility Security (ISPS) Code, part A.
    Final Determination of Threat Assessment means a final 
administrative determination by TSA, including the resolution of 
related appeals, that an individual poses a security threat warranting 
denial of an HME or a TWIC.
    Hazardous materials endorsement (HME) means the authorization for 
an individual to transport hazardous materials in commerce, an 
indication of which must be on the individual's commercial driver's 
license, as provided in the Federal Motor Carrier Safety Administration 
regulations in 49 CFR part 383.
    Immediate supervisor means a manager, supervisor, or agent of the 
owner/operator to the extent the individual:
    (1) Performs the work of a security-sensitive employee; or
    (2) Supervises and otherwise directs the performance of a security-
sensitive employee.
    Imprisoned or imprisonment means confined to a prison, jail, or 
institution for the criminally insane, on a full-time basis, pursuant 
to a sentence imposed as the result of a criminal conviction or finding 
of not guilty by reason of insanity. Time spent confined or restricted 
to a half-way house, treatment facility, or similar institution, 
pursuant to a sentence imposed as the result of a criminal conviction 
or finding of not guilty by reason of insanity, does not constitute 
imprisonment for purposes of this rule.
    Incarceration means confined or otherwise restricted to a jail-type 
institution, half-way house, treatment facility, or another institution 
on a full or part-time basis, pursuant to a sentence imposed as the 
result of a criminal conviction or finding of not guilty by reason of 
insanity.
    Initial Determination of Threat Assessment means an initial 
administrative determination by TSA that an applicant poses a security 
threat warranting denial of an HME or a TWIC.
    Initial Determination of Threat Assessment and Immediate Revocation 
means an initial administrative determination that an individual poses 
a security threat that warrants immediate revocation of an HME or 
invalidation of a TWIC. In the case of an HME, the State must 
immediately revoke the HME if TSA issues an Initial Determination of 
Threat Assessment and Immediate Revocation. In the case of a TWIC, TSA 
invalidates the TWIC when TSA issues an Initial Determination of Threat 
Assessment and Immediate Revocation.
    Invalidate means the action TSA takes to make a credential 
inoperative when 
it is reported as lost, stolen, damaged, no longer needed, or when TSA 
determines an applicant does not meet the security threat assessment 
standards of 49 CFR part 1572.
    Lawful permanent resident means an alien lawfully admitted for 
permanent residence, as defined in 8 U.S.C. 1101(a)(20).
    Maritime facility has the same meaning as ``facility'' together 
with ``OCS facility'' (Outer Continental Shelf facility), as defined in 
33 CFR 101.105.
    Mental health facility means a mental institution, mental hospital, 
sanitarium, psychiatric facility, and any other facility that provides 
diagnoses by licensed professionals of mental retardation or mental 
illness, including a psychiatric ward in a general hospital.
    National of the United States means a citizen of the United States, 
or a person who, though not a citizen, owes permanent allegiance to the 
United States, as defined in 8 U.S.C. 1101(a)(22), and includes 
American Samoa and Swains Island.
    Revocation means the termination, deactivation, rescission, 
invalidation, cancellation, or withdrawal of the privileges and duties 
conferred by an HME or TWIC, when TSA determines an applicant does not 
meet the security threat assessment standards of 49 CFR part 1572.
    Secure area means the area on board a vessel or at a facility or 
outer continental shelf facility, over which the owner/operator has 
implemented security measures for access control, as defined by a Coast 
Guard approved security plan. It does not include passenger access 
areas or public access areas, as these terms are defined in 33 CFR 
104.106 and 105.106 respectively. Vessels operating under the waivers 
provided for at 46 U.S.C. 8103(b)(3)(A) or (B) have no secure areas. 
Facilities subject to 33 CFR chapter I, subchapter H, part 105 may, 
with approval of the Coast Guard, designate only those portions of 
their facility that are directly connected to maritime transportation 
or are at risk of being involved in a transportation security incident 
as their secure areas.
    Security-sensitive employee, for purposes of this part, means 
``security sensitive employee'' as defined in Sec.  1580.3, Sec.  
1582.3, or Sec.  1584.3 of this title.
    Security-sensitive job function, for purposes of this part, means a 
job function identified in appendix B to part 1580, appendix B to part 
1582, and appendix B to part 1584 of this title.
    Security threat means an individual whom TSA determines or suspects 
of posing a threat to national security; to transportation security; or 
of terrorism.
    Transportation Worker Identification Credential (TWIC) means a 
Federal biometric credential, issued to an individual, when TSA 
determines that the individual does not pose a security threat.
    Withdrawal of Initial Determination of Threat Assessment is the 
document that TSA issues after issuing an Initial Determination of 
Security Threat, when TSA determines that an individual does not pose a 
security threat that warrants denial of an HME or TWIC.


Sec.  1570.5  Fraud and intentional falsification of records.

    No person may make, cause to be made, attempt, or cause to attempt 
any of the following:
    (a) Any fraudulent or intentionally false statement in any record 
or report that is kept, made, or used to show compliance with the 
subchapter, or exercise any privileges under this subchapter.
    (b) Any reproduction or alteration, for fraudulent purpose, of any 
record, report, security program, access medium, or identification 
medium issued under this subchapter or pursuant to standards in this 
subchapter.


Sec.  1570.7   Security responsibilities of employees and other 
persons.

    (a) No person may--
    (1) Tamper or interfere with, compromise, modify, attempt to 
circumvent, or cause another person to tamper or interfere with, 
compromise, modify, or attempt to circumvent any security measure 
implemented under this subchapter.
    (2) Enter, or be present within, a secured or restricted area 
without complying with the security measures applied as required under 
this subchapter to control access to, or presence or movement in, such 
areas.
    (3) Use, allow to be used, or cause to be used, any approved access 
medium or identification medium that authorizes the access, presence, 
or movement of persons or vehicles in secured or restricted areas in 
any other manner than that for which it was issued by the appropriate 
authority to meet the requirements of this subchapter.
    (b) The provisions of paragraph (a) of this section do not apply to 
conducting inspections or tests to determine compliance with this 
subchapter authorized by--
    (1) TSA and DHS officials working with TSA; or
    (2) The owner/operator when acting in accordance with the 
procedures described in a security plan and/or program approved by TSA.


Sec.  1570.9  Compliance, inspection, and enforcement.

    (a) Each person subject to any of the requirements of this 
subchapter, must allow TSA and other authorized DHS officials, at any 
time and in a reasonable manner, without advance notice, to enter, 
assess, inspect, and test property, facilities, equipment, and 
operations; and to view, inspect, and copy records, as necessary to 
carry out TSA's security-related statutory or regulatory authorities, 
including its authority to--
    (1) Assess threats to transportation.
    (2) Enforce security-related laws, regulations, directives, and 
requirements.
    (3) Inspect, maintain, and test the security of facilities, 
equipment, and systems.
    (4) Ensure the adequacy of security measures for the transportation 
of passengers and cargo.
    (5) Oversee the implementation, and ensure the adequacy, of 
security measures for the owner/operator's conveyances and vehicles, at 
transportation facilities and infrastructure and other assets related 
to transportation.
    (6) Review security plans and/or programs.
    (7) Determine compliance with any requirements in this chapter.
    (8) Carry out such other duties, and exercise such other powers, 
relating to transportation security, as the Administrator for TSA 
considers appropriate, to the extent authorized by law.
    (b) At the request of TSA, each owner/operator subject to the 
requirements of this subchapter must provide evidence of compliance 
with this chapter, including copies of records.
    (c) TSA and other authorized DHS officials, may enter, without 
advance notice, and be present within any area or within any vehicle or 
conveyance, terminal, or other facility covered by this chapter without 
access media or identification media issued or approved by an owner/
operator covered by this chapter in order to inspect or test 
compliance, or perform other such duties as TSA may direct.
    (d) TSA inspectors and other authorized DHS officials working with 
TSA will, on request, present their credentials for examination, but 
the credentials may not be photocopied or otherwise reproduced.

[[Page 16502]]

Subpart B--Security Programs


Sec.  1570.101   Scope.

    The requirements of this subpart address general security program 
requirements applicable to each owner/operator required to have a 
security program under subpart B to 49 CFR parts 1580, 1582, and 1584.


Sec.  1570.103   Content.

    (a) Security program. Except as otherwise approved by TSA, each 
owner/operator required to have a security program must address each of 
the security program requirements identified in subpart B to 49 CFR 
parts 1580, 1582, and 1584.
    (b) Use of appendices. The owner/operator may comply with the 
requirements referenced in paragraph (a) of this section by including 
in its security program, as an appendix, any document that contains the 
information required by the applicable subpart B, including procedures, 
protocols or memorandums of understanding related to external agency 
response to security incidents or events. The appendix must be 
referenced in the corresponding section(s) of the security program.


Sec.  1570.105   Responsibility for Determinations.

    (a) Higher-risk operations. While TSA has determined the criteria 
for applicability of the requirements in subpart B to 49 CFR parts 
1580, 1582, and 1584 based on risk-assessments for freight railroad, 
public transportation system, passenger railroad, or over-the-road 
(OTRB) owner/operators are required to determine if the applicability 
criteria identified in subpart B to parts 1580, 1582, and 1584 apply to 
their operations. Owner/operators are required to notify TSA of 
applicability within 30 days of June 22, 2020.
    (b) New or modified operations. If an owner/operator commences new 
operations or modifies existing operations after June 22, 2020, that 
person is responsible for determining whether the new or modified 
operations would meet the applicability criteria in subpart B to 49 CFR 
part 1580, 1582, or 1584 and must notify TSA no later than 90 calendar 
days before commencing operations or implementing modifications.


Sec.  1570.107   Recognition of prior or established security measures 
or programs.

    Previously provided security training may be credited towards 
satisfying the requirements of this subchapter provided the owner/
operator--
    (a) Obtains a complete record of such training and validates the 
training meets requirements of Sec.  1580.115, Sec.  1582.115, or Sec.  
1584.115 of this subchapter as it relates to the function of the 
individual security-sensitive employee and the training was provided 
within the schedule required for recurrent training.
    (b) Retains a record of such training in compliance with the 
requirements of Sec.  1570.121 of this part.


Sec.  1570.109   Submission and approval.

    (a) Submission of security program. Each owner/operator required 
under parts 1580, 1582, or 1584 of this subchapter to adopt and carry 
out a security program must submit it to TSA for approval in a form and 
manner prescribed by TSA.
    (b) Security training deadlines. Except as otherwise directed by 
TSA, each owner/operator required under subpart B to part 1580, 1582, 
or 1584 of this subchapter to develop a security training program 
must--
    (1) Submit its program to TSA for approval no later than 90 
calendar days after June 22, 2020.
    (2) If commencing or modifying operations so as to be subject to 
the requirements of subpart B to 49 CFR part 1580, 1582, or 1584 after 
June 22, 2020, submit a training program to TSA no later than 90 
calendar days before commencing new or modified operations.
    (c) TSA approval. (1) No later than 60 calendar days after 
receiving the proposed security program required by subpart B to 49 CFR 
parts 1580, 1582, and 1584, TSA will either approve the program or 
provide the owner/operator with written notice to modify the program to 
comply with the applicable requirements of this subchapter. TSA will 
notify the owner/operator if it needs an extension of time to approve 
the program or provide the owner/operator with written notice to modify 
the program to comply with the applicable requirements of this 
subchapter.
    (2) Notice to modify. If TSA provides the owner/operator with 
written notice to modify the security program to comply with the 
applicable requirements of this subchapter, the owner/operator must 
provide a modified security program to TSA for approval within the 
timeframe specified by TSA.
    (3) TSA may request additional information, and the owner/operator 
must provide the information within the time period TSA prescribes. The 
60-day period for TSA approval or modification will begin when the 
owner/operator provides the additional information.
    (g) Petition for reconsideration. Within 30 days of receiving the 
notice to modify, the owner/operator may file a petition for 
reconsideration under Sec.  1570.119 of this part.


Sec.  1570.111   Implementation schedules.

    (a) Initial security training. Each owner/operator required under 
parts 1580, 1582, or 1584 of this subchapter to adopt and carry out a 
security program must provide initial security training to security-
sensitive employees, using the curriculum approved by TSA--
    (1) No later than one year after the date of TSA-approval of the 
owner/operator's security training program if the employee is employed 
to perform a security-sensitive function on the date TSA approves the 
program.
    (2) No later than 60 calendar days after the employee first 
performs a security-sensitive job function if performance of a 
security-sensitive job function is initiated after TSA approves the 
security training program.
    (3) No later than the 60th calendar day of employment performing a 
security-sensitive function, aggregated over a consecutive 12-month 
period, if the security-sensitive job function is performed 
intermittently.
    (b) Recurrent security training. (1) Except as provided in 
paragraph (b)(2) of this section, a security-sensitive employee 
required to receive training under part 1580, 1582, or 1584 of this 
subchapter must receive the required training at least once every three 
years.
    (2) If an owner/operator modifies a security program or security 
plan for which training is required under Sec.  1580.203(b), Sec.  
1582.115(b), or Sec.  1584.115(b) of this subchapter, the owner/
operator must ensure each security-sensitive employee with position- or 
function-specific responsibilities related to the revised plan or 
program changes receives training on the revisions within 90 days of 
implementation of the revised plan or program changes. All other 
employees must receive training that reflects the changes to the 
operating security requirements as part of their regularly scheduled 
recurrent training.
    (3) The three-year recurrent training cycle is based on the 
anniversary calendar month of the employee's initial security training. 
If the owner/operator provides the recurrent security training in the 
month of, the month before, or the month after it is due, the employee 
is considered to have taken the training in the month it is due.
    (c) Extensions of time. TSA may grant an extension of time for 
implementing a security program identified in subpart B to parts 1580, 
1582, and 1584 of this subchapter upon a showing of good 
cause. The owner/operator must request the extension of time in writing 
and TSA must receive the request within a reasonable time before the 
due date to be extended; an owner/operator may request an extension 
after the expiration of a due date by sending a written request 
describing why the failure to meet the due date was excusable. TSA will 
respond to the request in writing.


Sec.  1570.113   Amendments requested by owner/operator.

    (a) Changes to ownership or control of operations. Each owner/
operator required under part 1580, 1582, or 1584 of this subchapter to 
adopt and carry out a security program must submit a request to amend 
its security program if, after approval, there are any changes to the 
ownership or control of the operation.
    (b) Changes to conditions affecting security. Each owner/operator 
required under part 1580, 1582, or 1584 of this subchapter to adopt and 
carry out a security program must submit a request to amend its 
security program if, after approval, the owner/operator makes, or 
intends to make, permanent changes to any of the following procedures, 
measures, or other aspects of security or emergency response planning 
implemented by the owner/operator to address:
    (1) Specific procedures implemented or used to prevent and detect 
unauthorized access to restricted areas designated by the owner/
operator;
    (2) Measures to be implemented in response to a period of 
heightened security risk, communicated through a DHS enhanced security 
notification, including the process used to notify all employees of 
changes in alert level status or requirements to implement specific 
elements of the security plan and verify that appropriate enhanced 
security measures have been implemented at all relevant locations.
    (3) Emergency response plans, including:
    (i) Coordinated response plans establishing procedures for 
appropriate interaction with State, local, and tribal law enforcement 
agencies, emergency responders, and Federal officials in order to 
coordinate security measures and plans for response in the event of a 
terrorist threat, attack, or other transportation security-related 
incident;
    (ii) Specific procedures to be implemented or used by the owner/
operator in response to a terrorist attack, including evacuation and 
communication plans that include individuals with disabilities; and
    (iii) Additional measures to be adopted to address weaknesses in 
emergency response procedures identified during regular drills or 
exercises that test corporate capabilities to direct, coordinate, and 
execute prevention and response activities for terrorist attacks or 
other security threats, including tunnel evacuation procedures, if 
applicable.
    (iv) Redundant and backup systems to ensure the continuity of 
operations of critical assets and infrastructure system in the event of 
a terrorist attack or other transportation security-related incident.
    (c) Changes to security training curriculum. Each owner/operator 
required under part 1580, 1582, or 1584 of this subchapter to adopt and 
carry out a security program must submit a request to amend its 
security program if, after approval, the owner/operator makes, or 
intends to make, permanent changes to its security training curriculum 
required under part 1580, 1582, or 1584, including changes to address:
    (1) Determinations that the security training program is 
ineffective based on the approved method for evaluating effectiveness 
in the security training program approved by TSA under subpart B of 
parts 1580, 1582, and 1584; or
    (2) Development of recurrent training material for purposes of 
meeting the requirements in Sec.  1570.111(b) of this part or other 
alternative training materials not previously approved by TSA.
    (d) Permanent change. For purposes of this section, a ``permanent 
change'' is one intended to be in effect for 60 or more calendar days.
    (e) Schedule for requesting amendment. The owner/operator must file 
the request for an amendment with TSA no later than 65 calendar days 
after the change in subsection (b) takes effect, unless TSA allows a 
shorter time period.
    (f) TSA approval. (1) Within 30 calendar days after receiving a 
proposed amendment, TSA will, in writing, either approve or deny the 
request to amend. TSA will notify the owner/operator if it needs an 
extension of time to consider the proposed amendment.
    (2) TSA may approve--
    (i) An amendment to a security program if TSA determines that it is 
in the interest of the public and transportation security and the 
proposed amendment provides the level of security required under this 
subchapter.
    (ii) Modification to security training curriculum, including 
alternative training for purposes of meeting the recurrent training 
requirement, if all the required training elements are addressed and 
the material is consistent with the most recent iteration of the 
security program submitted to, and approved by, TSA (including 
amendments made to reflect relevant changes to operations and/or 
security measures and response plans).
    (iii) TSA may request additional information from the owner/
operator before rendering a decision.
    (g) Petition for reconsideration. No later than 30 calendar days 
after receiving a denial, the owner/operator may file a petition for 
reconsideration under Sec.  1570.119 of this part.


Sec.  1570.115  Amendments required by TSA.

    (a) Notification of requirement to amend. TSA may require 
amendments to a security program in the interest of the public and 
transportation security, including any new information about emerging 
threats, or methods for addressing emerging threats, as follows:
    (1) TSA will notify the owner/operator of the proposed amendment, 
fixing a period of not less than 30 calendar days within which the 
owner/operator may submit written information, views, and arguments on 
the amendment.
    (2) After TSA considers all relevant material received, TSA will 
notify the owner/operator of any amendment adopted or rescind the 
notice.
    (b) Effective date of amendment. If TSA adopts the amendment, it 
becomes effective not less than 30 calendar days after the owner/
operator receives the notice of amendment, unless the owner/operator 
disagrees with the proposed amendment and files a petition for 
reconsideration under Sec.  1570.119 of this part no later than 15 
calendar days before the effective date of the amendment. A timely 
petition for reconsideration stays the effective date of the amendment.
    (c) Emergency amendments. If TSA determines that there is an 
emergency requiring immediate action in the interest of the public or 
transportation security, TSA may issue an amendment, without the prior 
notice and comment procedures in paragraph (a) of this section, 
effective without stay on the date the covered owner/operator receives 
notice of it. In such a case, TSA will incorporate in the notice a 
brief statement of the reasons and findings for the amendment to be 
adopted. The owner/operator may file a petition for reconsideration 
under Sec.  1570.119 of this part; however, this does not stay the 
effective date of the emergency amendment.

[[Page 16504]]

Sec.  1570.117  Alternative measures.

    (a) If in TSA's judgment, the overall security of transportation 
provided by an owner/operator subject to the requirements of 49 CFR 
part 1580, 1582, or 1584 are not diminished, TSA may approve 
alternative measures.
    (b) Each owner/operator requesting alternative measures must file 
the request for approval in a form and manner prescribed by TSA. The 
filing of such a request does not affect the owner/operator's 
responsibility for compliance while the request is being considered.
    (c) TSA may request additional information, and the owner/operator 
must provide the information within the time period TSA prescribes. 
Within 30 calendar days after receiving a request for alternative 
measures and all requested information, TSA will, in writing, either 
approve or deny the request.
    (d) If TSA finds that the use of the alternative measures is in the 
interest of the public and transportation security, it may grant the 
request subject to any conditions TSA deems necessary. In considering 
the request for alternative measures, TSA will review all relevant 
factors including--
    (1) The risks associated with the type of operation, for example, 
whether the owner/operator transports hazardous materials or passengers 
within a high threat urban area, whether the owner/operator transports 
passengers and the volume of passengers transported, or whether the 
owner/operator hosts a passenger operation.
    (2) Any relevant threat information.
    (3) Other circumstances concerning potential risk to the public and 
transportation security.
    (e) No later than 30 calendar days after receiving a denial, the 
owner/operator may petition for reconsideration under Sec.  1570.119 of 
this part.


Sec.  1570.119   Petitions for reconsideration.

    (a) If an owner/operator seeks to petition for reconsideration of a 
determination, required modification, denial of a request for amendment 
by the owner/operator, denial to rescind a TSA-required amendment, or 
denial of an alternative measure, the owner/operator must submit a 
written petition for reconsideration that includes a statement and any 
supporting documentation explaining why the owner/operator believes 
TSA's decision is incorrect.
    (b) Upon review of the petition for reconsideration, the 
Administrator or designee will dispose of the petition by affirming, 
modifying, or rescinding its previous decision. This is considered a 
final agency action.


Sec.  1570.121   Recordkeeping and availability.

    (a) Retention. Each owner/operator required to have a security 
program under subpart B to parts 1580, 1582, and 1584 of this 
subchapter must--
    (1) Retain security training records for each individual required 
to receive security training under Sec. Sec.  1580.115, 1582.115, and 
1584.115 that, at a minimum--
    (i) Includes employee's full name, job title or function, date of 
hire, and date of initial and recurrent security training; and
    (ii) Identifies the date, course name, course length, and list of 
topics addressed for the security training most recently provided in 
each of the areas required under Sec. Sec.  1580.115, 1582.115, and 
1584.115 of this subchapter.
    (2) Retain records of initial and recurrent security training for 
no less than five (5) years from the date of training.
    (3) Provide records to current and former employees upon request 
and at no charge as necessary to provide proof of training.
    (b) Electronic records. Each owner/operator required to retain 
records under this section may keep them in electronic form. An owner/
operator may maintain and transfer records through electronic 
transmission, storage, and retrieval provided that the electronic 
system provides for the maintenance of records as originally submitted 
without corruption, loss of data, or tampering.
    (c) Protection of SSI. Each owner/operator must restrict the 
distribution, disclosure, and availability of security sensitive 
information, as identified in part 1520 of this chapter, to persons 
with a need to know. The owner/operator must refer requests for such 
information by other persons to TSA.
    (d) Availability. Each owner/operator must make the records 
available to TSA upon request for inspection and copying.

Subpart C--Operations


Sec.  1570.201  Security Coordinator.

    (a) Except as provided in paragraphs (b) and (c) of this section, 
each owner/operator identified in Sec. Sec.  1580.1, 1582.1, and 
1584.101 of this subchapter must designate and use a primary and at 
least one alternate Security Coordinator.
    (b) An owner/operator identified in Sec.  1582.1(a)(2) of this 
subchapter (public transportation agency) that owns or operates a bus-
only operation must designate and use a primary and at least one 
alternate Security Coordinator only if the owner/operator is identified 
in appendix A to part 1582 of this subchapter or is notified by TSA in 
writing that a threat exists concerning that operation.
    (c) An owner/operator identified in Sec.  1580.1(a)(5) or Sec.  
1582.1(a)(4) of this subchapter (private rail car, tourist, scenic, 
historic, or excursion rail operations) must designate and use a 
primary and at least one alternate Security Coordinator, only if 
notified by TSA in writing that a threat exists concerning that type of 
operation.
    (d) The Security Coordinator and alternate(s) must be appointed at 
the corporate level.
    (e) Each owner/operator required to have a Security Coordinator 
must provide in writing to TSA the names, U.S. citizenship status, 
titles, phone number(s), and email address(es) of the Security 
Coordinator and alternate Security Coordinator(s) within 37 calendar 
days of the effective date of this rule, commencement of operations, or 
change in any of the information required by this section.
    (f) Each owner/operator required to have a Security Coordinator 
must ensure that at least one Security Coordinator--
    (1) Serves as the primary contact for intelligence information and 
security-related activities and communications with TSA. Any individual 
designated as a Security Coordinator may perform other duties in 
addition to the duties described in this section.
    (2) Is accessible to TSA on a 24 hours a day, 7 days a week basis.
    (3) Coordinates security practices and procedures internally and 
with appropriate law enforcement and emergency response agencies.


Sec.  1570.203  Reporting significant security concerns.

    (a) Each owner/operator identified in Sec. Sec.  1580.1, 1582.1, 
and 1584.101 of this subchapter must report, within 24 hours of initial 
discovery, any potential threats and significant security concerns 
involving transportation-related operations in the United States or 
transportation to, from, or within the United States as soon as 
possible by the methods prescribed by TSA.
    (b) Potential threats or significant security concerns encompass 
incidents, suspicious activities, and threat information including, but 
not limited to, the categories of reportable events listed in appendix 
A to this part.
    (c) Information reported must include the following, as available 
and applicable:
    (1) The name of the reporting individual and contact information, 
including a telephone number or email address.
    (2) The affected freight or passenger train, transit vehicle, motor 
vehicle, station, terminal, rail hazardous materials facility, or other 
facility or infrastructure, including identifying information and 
current location.
    (3) Scheduled origination and termination locations for the 
affected freight or passenger train, transit vehicle, or motor vehicle, 
including departure and destination city and route.
    (4) Description of the threat, incident, or activity, including who 
has been notified and what action has been taken.
    (5) The names, other available biographical data, and/or 
descriptions (including vehicle or license plate information) of 
individuals or motor vehicles known or suspected to be involved in the 
threat, incident, or activity.
    (6) The source of any threat information.

Subpart D--Security Threat Assessments


Sec.  1570.301   Fraudulent use or manufacture; responsibilities of 
persons.

    (a) No person may use or attempt to use a credential, security 
threat assessment, access control medium, or identification medium 
issued or conducted under this subchapter that was issued or conducted 
for another person.
    (b) No person may make, produce, use or attempt to use a false or 
fraudulently created access control medium, identification medium or 
security threat assessment issued or conducted under this subchapter.
    (c) No person may tamper or interfere with, compromise, modify, 
attempt to circumvent, or circumvent TWIC access control procedures.
    (d) No person may cause or attempt to cause another person to 
violate paragraphs (a) through (c) of this section.


Sec.  1570.303  Inspection of credential.

    (a) Each person who has been issued or possesses a TWIC must 
present the TWIC for inspection upon a request from TSA, the Coast 
Guard, or other authorized DHS representative; an authorized 
representative of the National Transportation Safety Board; or a 
Federal, State, or local law enforcement officer.
    (b) Each person who has been issued or who possesses a TWIC must 
allow his or her TWIC to be read by a reader and must submit his or her 
reference biometric, such as a fingerprint, and any other required 
information, such as a PIN, to the reader, upon a request from TSA, the 
Coast Guard, other authorized DHS representative; or a Federal, State, 
or local law enforcement officer.


Sec.  1570.305   False statements regarding security background checks 
by public transportation agency or railroad carrier.

    (a) Scope. This section implements sections 1414(e) (6 U.S.C. 1143) 
and 1522(e) (6 U.S.C. 1170) of the ``Implementing Recommendations of 
the 9/11 Commission Act of 2007,'' Public Law 110-53 (121 Stat. 266, 
Aug. 3, 2007).
    (b) Definitions. In addition to the terms in Sec. Sec.  1500.3, 
1500.5, and 1503.202 of subchapter A and Sec.  1570.3 of subchapter D 
of this chapter, the following term applies to this part:
    Security background check means reviewing the following for the 
purpose of identifying individuals who may pose a threat to 
transportation security, national security, or of terrorism:
    (i) Relevant criminal history databases.
    (ii) In the case of an alien (as defined in sec. 101 of the 
Immigration and Nationality Act (8 U.S.C. 1101(a)(3))), the relevant 
databases to determine the status of the alien under the immigration 
laws of the United States.
    (iii) Other relevant information or databases, as determined by the 
Secretary of Homeland Security.
    (c) Prohibitions. (1) A public transportation agency or a 
contractor or subcontractor of a public transportation agency may not 
knowingly misrepresent to an employee or other relevant person, 
including an arbiter involved in a labor arbitration, the scope, 
application, or meaning of any rules, regulations, directives, or 
guidance issued by the Secretary of Homeland Security related to 
security background check requirements for employees when conducting a 
security background check.
    (2) A railroad carrier or a contractor or subcontractor of a 
railroad carrier may not knowingly misrepresent to an employee or other 
relevant person, including an arbiter involved in a labor arbitration, 
the scope, application, or meaning of any rules, regulations, 
directives, or guidance issued by the Secretary of Homeland Security 
related to security background check requirements for employees when 
conducting a security background check.

Appendix A to Part 1570--Reporting of Significant Security Concerns

------------------------------------------------------------------------
           Category                           Description
------------------------------------------------------------------------
Breach, Attempted Intrusion,   Unauthorized personnel attempting to or
 and/or Interference.           actually entering a restricted area or
                                secure site relating to a transportation
                                facility or conveyance owned, operated,
                                or used by an owner/operator subject to
                                this part. This includes individuals
                                entering or attempting to enter by
                                impersonation of authorized personnel
                                (for example, police/security, janitor,
                                vehicle owner/operator). Activity that
                                could interfere with the ability of
                                employees to perform duties to the
                                extent that security is threatened.
Misrepresentation............  Presenting false, or misusing, insignia,
                                documents, and/or identification, to
                                misrepresent one's affiliation with an
                                owner/operator subject to this part to
                                cover possible illicit activity that may
                                pose a risk to transportation security.
Theft, Loss, and/or Diversion  Stealing or diverting identification
                                media or badges, uniforms, vehicles,
                                keys, tools capable of compromising
                                track integrity, portable derails,
                                technology, or classified or sensitive
                                security information documents which are
                                proprietary to the facility or
                                conveyance owned, operated, or used by
                                an owner/operator subject to this part.
Sabotage, Tampering, and/or    Damaging, manipulating, or defeating
 Vandalism.                     safety and security appliances in
                                connection with a facility,
                                infrastructure, conveyance, or routing
                                mechanism, resulting in the compromised
                                use or the temporary or permanent loss
                                of use of the facility, infrastructure,
                                conveyance or routing mechanism. Placing
                                or attaching a foreign object to a rail
                                car(s).
Cyber Attack.................  Compromising, or attempting to compromise
                                or disrupt the information/technology
                                infrastructure of an owner/operator
                                subject to this part.
Expressed or Implied Threat..  Communicating a spoken or written threat
                                to damage or compromise a facility/
                                infrastructure/conveyance owned,
                                operated, or used by an owner/operator
                                subject to this part (for example, a
                                bomb threat or active shooter).

[[Page 16506]]

 
Eliciting Information........  Questioning that may pose a risk to
                                transportation or national security,
                                such as asking one or more employees of
                                an owner/operator subject to this part
                                about particular facets of a facility's
                                or conveyance's purpose, operations, or
                                security procedures.
Testing or Probing of          Deliberate interactions with employees of
 Security.                      an owner/operator subject to this part
                                or challenges to facilities or systems
                                owned, operated, or used by an owner/
                                operator subject to this part that
                                reveal physical, personnel, or cyber
                                security capabilities.
Photography..................  Taking photographs or video of
                                facilities, conveyances, or
                                infrastructure owned, operated, or used
                                by an owner/operator subject to this
                                part in a manner that may pose a risk to
                                transportation or national security.
                                Examples include taking photographs or
                                video of infrequently used access
                                points, personnel performing security
                                functions (for example, patrols, badge/
                                vehicle checking), or security-related
                                equipment (for example, perimeter
                                fencing, security cameras).
Observation or Surveillance..  Demonstrating unusual interest in
                                facilities or loitering near
                                conveyances, railcar routing appliances
                                or any potentially critical
                                infrastructure owned or operated by an
                                owner/operator subject to this part in a
                                manner that may pose a risk to
                                transportation or national security.
                                Examples include observation through
                                binoculars, taking notes, or attempting
                                to measure distances.
Materials Acquisition and/or   Acquisition and/or storage by an employee
 Storage.                       of an owner/operator subject to this
                                part of materials such as cell phones,
                                pagers, fuel, chemicals, toxic
                                materials, and/or timers that may pose a
                                risk to transportation or national
                                security (for example, storage of
                                chemicals not needed by an employee for
                                the performance of his or her job
                                duties).
Weapons Discovery, Discharge,  Weapons or explosives in or around a
 or Seizure..                   facility, conveyance, or infrastructure
                                of an owner/operator subject to this
                                part that may present a risk to
                                transportation or national security (for
                                example, discovery of weapons
                                inconsistent with the type or quantity
                                traditionally used by company security
                                personnel).
Suspicious Items or Activity.  Discovery or observation of suspicious
                                items, activity or behavior in or around
                                a facility, conveyance, or
                                infrastructure of an owner/operator
                                subject to this part that results in the
                                disruption or termination of operations
                                (for example, halting the operation of a
                                conveyance while law enforcement
                                personnel investigate a suspicious bag,
                                briefcase, or package).
------------------------------------------------------------------------


 11. Revise part 1580 to read as follows:

PART 1580--FREIGHT RAIL TRANSPORTATION SECURITY

Subpart A--General
Sec.
1580.1 Scope.
1580.3 Terms used in this part.
1580.5 Preemptive effect.
Subpart B--Security Programs
1580.101 Applicability.
1580.103 [Reserved]
1580.105 [Reserved]
1580.107 [Reserved]
1580.109 [Reserved]
1580.111 [Reserved]
1580.113 Security training program general requirements.
1580.115 Security training and knowledge for security-sensitive 
employees.
Subpart C--Operations
1580.201 Applicability.
1580.203 Location and shipping information.
1580.205 Chain of custody and control requirements.
1580.207 Harmonization of Federal regulation of nuclear facilities.
Appendix A to Part 1580--High Threat Urban Areas (HTUAs)
Appendix B to Part 1580--Security-Sensitive Job Functions for 
Freight Rail

    Authority: 49 U.S.C. 114; Pub. L. 110-53 (121 Stat. 266, Aug. 3, 
2007) secs. 1501 (6 U.S.C. 1151), 1512 (6 U.S.C. 1162) and 1517 (6 
U.S.C. 1167).

Subpart A--General


Sec.  1580.1   Scope.

    (a) Except as provided in paragraph (b) of this section, this part 
includes requirements for the following persons. Specific sections in 
this part provide detailed requirements.
    (1) Each freight railroad carrier that operates rolling equipment 
on track that is part of the general railroad system of transportation.
    (2) Each rail hazardous materials shipper.
    (3) Each rail hazardous materials receiver located within an HTUA.
    (4) Each freight railroad carrier serving as a host railroad to a 
freight railroad operation described in paragraph (a)(1) of this 
section or a passenger operation described in Sec.  1582.1 of this 
subchapter.
    (5) Each owner/operator of private rail cars, including business/
office cars and circus trains, on or connected to the general railroad 
system of transportation.
    (b) This part does not apply to a freight railroad carrier that 
operates rolling equipment only on track inside an installation that is 
not part of the general railroad system of transportation.


Sec.  1580.3   Terms used in this part.

    In addition to the terms in Sec. Sec.  1500.3, 1500.5, and 1503.202 
of subchapter A and Sec.  1570.3 of subchapter D of this chapter, the 
following terms apply to this part:
    Class I means Class I as assigned by regulations of the Surface 
Transportation Board (STB) (49 CFR part 1201; General Instructions 1-1).
    Attended, in reference to a rail car, means an employee--
    (1) Is physically located on-site in reasonable proximity to the 
rail car;
    (2) Is capable of promptly responding to unauthorized access or 
activity at or near the rail car, including immediately contacting law 
enforcement or other authorities; and
    (3) Immediately responds to any unauthorized access or activity at 
or near the rail car either personally or by contacting law enforcement 
or other authorities.
    Document the transfer means documentation uniquely identifying that 
the rail car was attended during the transfer of custody, including:
    (1) Car initial and number.
    (2) Identification of individuals who attended the transfer (names 
or uniquely identifying employee number).
    (3) Location of transfer.
    (4) Date and time the transfer was completed.
    High threat urban area (HTUA) means, for purposes of this part, an 
area comprising one or more cities and surrounding areas including a 
10-mile buffer zone, as listed in appendix A to this part 1580.
    Maintains positive control means that the rail hazardous materials 
receiver

[[Page 16507]]

and the railroad carrier communicate and cooperate with each other to 
provide for the security of the rail car during the physical transfer 
of custody. Attending the rail car is a component of maintaining 
positive control.
    Rail security-sensitive materials (RSSM) means--
    (1) A rail car containing more than 2,268 kg (5,000 lbs.) of a 
Division 1.1, 1.2, or 1.3 (explosive) material, as defined in 49 CFR 
173.50;
    (2) A tank car containing a material poisonous by inhalation as 
defined in 49 CFR 171.8, including anhydrous ammonia, Division 2.3 
gases poisonous by inhalation as set forth in 49 CFR 173.115(c), and 
Division 6.1 liquids meeting the defining criteria in 49 CFR 
173.132(a)(1)(iii) and assigned to hazard zone A or hazard zone B in 
accordance with 49 CFR 173.133(a), excluding residue quantities of 
these materials; and
    (3) A rail car containing a highway route-controlled quantity of a 
Class 7 (radioactive) material, as defined in 49 CFR 173.403.
    Residue means the hazardous material remaining in a packaging, 
including a tank car, after its contents have been unloaded to the 
maximum extent practicable and before the packaging is either refilled 
or cleaned of hazardous material and purged to remove any hazardous 
vapors.
    Security-sensitive employee means an employee who performs--
    (1) Service subject to the Federal hours of service laws (49 U.S.C. 
chapter 211), regardless of whether the employee actually performs such 
service during a particular duty tour; or
    (2) One or more of the security-sensitive job functions identified 
in Appendix B to this part where the security-sensitive function is 
performed in the United States or in direct support of the common 
carriage of persons or property between a place in the United States 
and any place outside of the United States.


Sec.  1580.5   Preemptive effect.

    Under 49 U.S.C. 20106, issuance of the regulations in this 
subchapter preempts any State law, regulation, or order covering the 
same subject matter, except an additional or more stringent law, 
regulation, or order that is necessary to eliminate or reduce an 
essentially local security hazard; that is not incompatible with a law, 
regulation, or order of the U.S. Government; and that does not 
unreasonably burden interstate commerce. For example, under 49 U.S.C. 
20106, issuance of 49 CFR 1580.205 preempts any State or tribal law, 
rule, regulation, order or common law requirement covering the same 
subject matter.

Subpart B--Security Programs


Sec.  1580.101   Applicability.

    This subpart applies to each of the following owner/operators:
    (a) Described in Sec.  1580.1(a)(1) of this part that is a Class I 
freight railroad.
    (b) Described in Sec.  1580.1(a)(1) of this part that transports 
one or more of the categories and quantities of RSSM in an HTUA.
    (c) Described in Sec.  1580.1(a)(4) of this part that serves as a 
host railroad to a freight railroad described in paragraph (a) or (b) 
of this section or a passenger operation described in Sec.  1582.101 of 
this subchapter.


Sec.  1580.103   [Reserved]


Sec.  1580.105   [Reserved]


Sec.  1580.107   [Reserved]


Sec.  1580.109  [Reserved]


Sec.  1580.111   [Reserved]


Sec.  1580.113   Security training program general requirements.

    (a) Security training program required. Each owner/operator 
identified in Sec.  1580.101 of this part is required to adopt and 
carry out a security training program under this subpart.
    (b) General requirements. The security training program must 
include the following information:
    (1) Name of owner/operator.
    (2) Name, title, telephone number, and email address of the primary 
individual to be contacted with regard to review of the security 
training program.
    (3) Number, by specific job function category identified in 
Appendix B to this part, of security-sensitive employees trained or to 
be trained.
    (4) Implementation schedule that identifies a specific date by 
which initial and recurrent security training required by Sec.  
1570.111 of this subchapter will be completed.
    (5) Location where training program records will be maintained.
    (6) Curriculum or lesson plan, including learning objectives and 
method of delivery (such as instructor-led or computer-based training) 
for each course used to meet the requirements of Sec.  1580.115 of this 
part. TSA may request additional information regarding the curriculum 
during the review and approval process. If recurrent training under 
Sec.  1570.111 of this subchapter is not the same as initial training, 
a curriculum or lesson plan for the recurrent training will need to be 
submitted and approved by TSA.
    (7) Plan for ensuring supervision of untrained security-sensitive 
employees performing functions identified in Appendix B to this part.
    (8) Plan for notifying employees of changes to security measures 
that could change information provided in previously provided training.
    (9) Method(s) for evaluating the effectiveness of the security 
training program in each area required by Sec.  1580.115 of this part.
    (c) Relation to other training. (1) Training conducted by owner/
operators to comply with other requirements or standards, such as emergency 
preparedness training required by the Department of Transportation 
(DOT) (49 CFR part 239) or other training for communicating with 
emergency responders to arrange the evacuation of passengers, may be 
combined with and used to satisfy elements of the training requirements 
in this subpart.
    (2) If the owner/operator submits a security training program that 
relies on pre-existing or previous training materials to meet the 
requirements of subpart B, the program submitted for approval must 
include an index, organized in the same sequence as the requirements in 
this subpart.
    (d) Submission and implementation. The owner/operator must submit 
and implement the security training program in accordance with the 
schedules identified in Sec. Sec.  1570.109 and 1570.111 of this 
subchapter.


Sec.  1580.115   Security training and knowledge for security-sensitive 
employees.

    (a) Training required for security-sensitive employees. No owner/
operator required to have a security training program under Sec.  
1580.101 of this part may use a security-sensitive employee to perform 
a function identified in Appendix B to this part, unless that 
individual has received training as part of a security training program 
approved by TSA under 49 CFR part 1570, subpart B, or is under the 
direct supervision of an employee who has received the training 
required by this section as applicable to that security-sensitive 
function.
    (b) Limits on use of untrained employees. Notwithstanding paragraph 
(a) of this section, a security-sensitive employee may not perform a 
security-sensitive function for more than sixty (60) calendar days 
without receiving security training.
    (c) Prepare. (1) Each owner/operator must ensure that each of its 
security-sensitive employees with position- or

[[Page 16508]]

function-specific responsibilities under the owner/operator's security 
program has knowledge of how to fulfill those responsibilities in the 
event of a security threat, breach, or incident to ensure--
    (i) Employees with responsibility for transportation security 
equipment and systems are aware of their responsibilities and can 
verify the equipment and systems are operating and properly maintained; 
and
    (ii) Employees with other duties and responsibilities under the 
company's security plans and/or programs, including those required by 
Federal law, know their assignments and the steps or resources needed 
to fulfill them.
    (2) Each employee who performs any security-related functions under 
Sec.  1580.205 of this subpart must be provided training specifically 
applicable to the functions the employee performs. As applicable, this 
training must address--
    (i) Inspecting rail cars for signs of tampering or compromise, 
IEDs, suspicious items, and items that do not belong;
    (ii) Identification of rail cars that contain rail security-
sensitive materials, including the owner/operator's procedures for 
identifying rail security-sensitive material cars on train documents, 
shipping papers, and in computer train/car management systems; and
    (iii) Procedures for completing transfer of custody documentation.
    (d) Observe. Each owner/operator must ensure that each of its 
security-sensitive employees has knowledge of the observational skills 
necessary to recognize--
    (1) Suspicious and/or dangerous items (such as substances, 
packages, or conditions (for example, characteristics of an IED and 
signs of equipment tampering or sabotage));
    (2) Combinations of actions and individual behaviors that appear 
suspicious and/or dangerous, inappropriate, inconsistent, or out of the 
ordinary for the employee's work environment, which could indicate a 
threat to transportation security; and
    (3) How a terrorist or someone with malicious intent may attempt to 
gain sensitive information or take advantage of vulnerabilities.
    (e) Assess. Each owner/operator must ensure that each of its 
security-sensitive employees has knowledge necessary to--
    (1) Determine whether the item, individual, behavior, or situation 
requires a response as a potential terrorist threat based on the 
respective transportation environment; and
    (2) Identify appropriate responses based on observations and 
context.
    (f) Respond. Each owner/operator must ensure that each of its 
security-sensitive employees has knowledge of how to--
    (1) Appropriately report a security threat, including knowing how 
and when to report internally to other employees, supervisors, or 
management, and externally to local, state, or Federal agencies 
according to the owner/operator's security procedures or other relevant 
plans;
    (2) Interact with the public and first responders at the scene of 
the threat or incident, including communication with passengers on 
evacuation and any specific procedures for individuals with 
disabilities and the elderly; and
    (3) Use any applicable self-defense devices or other protective 
equipment provided to employees by the owner/operator.

Subpart C--Operations


Sec.  1580.201  Applicability.

    This subpart applies to the following:
    (1) Each owner/operator described in Sec.  1580.1(a)(1) of this 
part that transports one or more of the categories and quantities of 
rail security-sensitive materials.
    (2) Each owner/operator described in Sec.  1580.1(a)(2) and (3) of 
this part.


Sec.  1580.203   Location and shipping information.

    (a) General requirement. Each owner/operator described in Sec.  
1580.201 of this part must have procedures in place to determine the 
location and shipping information for each rail car under its physical 
custody and control that contains one or more of the categories and 
quantities of rail security-sensitive materials.
    (b) Required information. The location and shipping information 
must include the following:
    (1) The rail car's current location by city, county, and state, 
including, for freight railroad carriers, the railroad milepost, track 
designation, and the time that the rail car's location was determined.
    (2) The rail car's routing, if a freight railroad carrier.
    (3) A list of the total number of rail cars containing rail 
security-sensitive materials, broken down by--
    (i) The shipping name prescribed for the material in column 2 of 
the table in 49 CFR 172.101;
    (ii) The hazard class or division number prescribed for the 
material in column 3 of the table in 49 CFR 172.101; and
    (iii) The identification number prescribed for the material in 
column 4 of the table in 49 CFR 172.101.
    (4) Each rail car's initial and number.
    (5) Whether the rail car is in a train, rail yard, siding, rail 
spur, or rail hazardous materials shipper or receiver facility, 
including the name of the rail yard or siding designation.
    (c) Timing--Class I freight railroad carriers. Upon request by TSA, 
each Class I freight railroad carrier described in paragraph (a) of 
this section must provide the location and shipping information to TSA 
no later than--
    (1) Five minutes if the request applies to a single (one) rail car; 
and
    (2) Thirty minutes if the request concerns multiple rail cars or a 
geographic region.
    (d) Timing--other than Class I freight railroad carriers. Upon 
request by TSA, all owner/operators described in paragraph (a) of this 
section, other than Class I freight railroad carriers, must provide the 
location and shipping information to TSA no later than 30 minutes, 
regardless of the number of cars covered by the request.
    (e) Method. All owner/operators described in paragraph (a) of this 
section must provide the requested location and shipping information to 
TSA by one of the following methods:
    (1) Electronic data transmission in spreadsheet format.
    (2) Electronic data transmission in Hyper Text Markup Language 
(HTML) format.
    (3) Electronic data transmission in Extensible Markup Language 
(XML).
    (4) Facsimile transmission of a hard copy spreadsheet in tabular 
format.
    (5) Posting the information to a secure website address approved by 
TSA.
    (6) Another format approved by TSA.
    (f) Telephone number. Each owner/operator described in Sec.  
1580.201 of this part must provide a telephone number for use by TSA to 
request the information required in paragraph (b) of this section.
    (1) The telephone number must be monitored at all times.
    (2) A telephone number that requires a call back (such as an 
answering service, answering machine, or beeper device) does not meet 
the requirements of this paragraph.


Sec.  1580.205  Chain of custody and control requirements.

    (a) Within or outside of an HTUA, rail hazardous materials shipper 
transferring to carrier. Except as provided in paragraph (g) of this 
section, at each location within or outside of an HTUA, a rail 
hazardous materials shipper transferring custody of

[[Page 16509]]

a rail car containing one or more of the categories and quantities of 
rail security-sensitive materials to a freight railroad carrier must do 
the following:
    (1) Physically inspect the rail car before loading for signs of 
tampering, including closures and seals; other signs that the security 
of the car may have been compromised; and suspicious items or items 
that do not belong, including the presence of an improvised explosive 
device.
    (2) Keep the rail car in a rail secure area from the time the 
security inspection required by paragraph (a)(1) of this section or by 
49 CFR 173.31(d), whichever occurs first, until the freight railroad 
carrier takes physical custody of the rail car.
    (3) Document the transfer of custody to the railroad carrier in 
hard copy or electronically.
    (b) Within or outside of an HTUA, carrier receiving from a rail 
hazardous materials shipper. At each location within or outside of an 
HTUA where a freight railroad carrier receives from a rail hazardous 
materials shipper custody of a rail car containing one or more of the 
categories and quantities of rail security-sensitive materials, the 
freight railroad carrier must document the transfer in hard copy or 
electronically and perform the required security inspection in 
accordance with 49 CFR 174.9.
    (c) Within an HTUA, carrier transferring to carrier. Within an 
HTUA, whenever a freight railroad carrier transfers a rail car 
containing one or more of the categories and quantities of rail 
security-sensitive materials to another freight railroad carrier, each 
freight railroad carrier must adopt and carry out procedures to ensure 
that the rail car is not left unattended at any time during the 
physical transfer of custody. These procedures must include the 
receiving freight railroad carrier performing the required security 
inspection in accordance with 49 CFR 174.9. Both the transferring and 
the receiving railroad carrier must document the transfer of custody in 
hard copy or electronically.
    (d) Outside of an HTUA, carrier transferring to carrier. Outside an 
HTUA, whenever a freight railroad carrier transfers a rail car 
containing one or more of the categories and quantities of rail 
security-sensitive materials to another freight railroad carrier, and 
the rail car containing this hazardous material may subsequently enter 
an HTUA, each freight railroad carrier must adopt and carry out 
procedures to ensure that the rail car is not left unattended at any 
time during the physical transfer of custody. These procedures must 
include the receiving railroad carrier performing the required security 
inspection in accordance with 49 CFR 174.9. Both the transferring and 
the receiving railroad carrier must document the transfer of custody in 
hard copy or electronically.
    (e) Within an HTUA, carrier transferring to rail hazardous 
materials receiver. A freight railroad carrier delivering a rail car 
containing one or more of the categories and quantities of rail 
security-sensitive materials to a rail hazardous materials receiver 
located within an HTUA must not leave the rail car unattended in a non-
secure area until the rail hazardous materials receiver accepts custody 
of the rail car. Both the railroad carrier and the rail hazardous 
materials receiver must document the transfer of custody in hard copy 
or electronically.
    (f) Within an HTUA, rail hazardous materials receiver receiving 
from carrier. Except as provided in paragraph (j) of this section, a 
rail hazardous materials receiver located within an HTUA that receives 
a rail car containing one or more of the categories and quantities of 
rail security-sensitive materials from a freight railroad carrier 
must--
    (1) Ensure that the rail hazardous materials receiver or railroad 
carrier maintains positive control of the rail car during the physical 
transfer of custody of the rail car;
    (2) Keep the rail car in a rail secure area until the car is 
unloaded; and
    (3) Document the transfer of custody from the railroad carrier in 
hard copy or electronically.
    (g) Within or outside of an HTUA, rail hazardous materials receiver 
rejecting car. This section does not apply to a rail hazardous 
materials receiver that does not routinely offer, prepare, or load for 
transportation by rail one or more of the categories and quantities of 
rail security-sensitive materials. If such a receiver rejects and 
returns a rail car containing one or more of the categories and 
quantities of rail security-sensitive materials to the originating 
offeror or shipper, the requirements of this section do not apply to 
the receiver. The requirements of this section do apply to any railroad 
carrier to which the receiver transfers custody of the rail car.
    (h) Document retention. Covered entities must maintain the 
documents required under this section for at least 60 calendar days and 
make them available to TSA upon request.
    (i) Rail secure area. The rail hazardous materials shipper and the 
rail hazardous materials receiver must use physical security measures 
to ensure that no unauthorized individual gains access to the rail 
secure area.
    (j) Exemption for rail hazardous materials receivers. A rail 
hazardous materials receiver located within an HTUA may request from 
TSA an exemption from some or all of the requirements of this section 
if the receiver demonstrates that the potential risk from its 
activities is insufficient to warrant compliance with this section. TSA 
will consider all relevant circumstances, including the following:
    (1) The amounts and types of all hazardous materials received.
    (2) The geography of the area surrounding the receiver's facility.
    (3) Proximity to entities that may be attractive targets, including 
other businesses, housing, schools, and hospitals.
    (4) Any information regarding threats to the facility.
    (5) Other circumstances that indicate the potential risk of the 
receiver's facility does not warrant compliance with this section.


Sec.  1580.207   Harmonization of Federal regulation of nuclear 
facilities.

    TSA will coordinate activities under this subpart with the Nuclear 
Regulatory Commission (NRC) and the Department of Energy (DOE) with 
respect to regulation of rail hazardous materials shippers and 
receivers that are also licensed or regulated by the NRC or DOE under 
the Atomic Energy Act of 1954, as amended, to maintain consistency with 
the requirements imposed by the NRC and DOE.

Appendix A to Part 1580--High Threat Urban Areas (HTUAs)

----------------------------------------------------------------------------------------------------------------
                State                         Urban area                        Geographic areas
----------------------------------------------------------------------------------------------------------------
AZ...................................  Phoenix Area...........  Chandler, Gilbert, Glendale, Mesa, Peoria,
                                                                 Phoenix, Scottsdale, Tempe, and a 10-mile
                                                                 buffer extending from the border of the
                                                                 combined area.
CA...................................  Anaheim/Santa Ana Area.  Anaheim, Costa Mesa, Garden Grove, Fullerton,
                                                                 Huntington Beach, Irvine, Orange, Santa Ana,
                                                                 and a 10-mile buffer extending from the border
                                                                 of the combined area.
                                       Bay Area...............  Berkeley, Daly City, Fremont, Hayward, Oakland,
                                                                 Palo Alto, Richmond, San Francisco, San Jose,
                                                                 Santa Clara, Sunnyvale, Vallejo, and a 10-mile
                                                                 buffer extending from the border of the
                                                                 combined area.
                                       Los Angeles/Long Beach   Burbank, Glendale, Inglewood, Long Beach, Los
                                        Area.                    Angeles, Pasadena, Santa Monica, Santa Clarita,
                                                                 Torrance, Simi Valley, Thousand Oaks, and a 10-
                                                                 mile buffer extending from the border of the
                                                                 combined area.
                                       Sacramento Area........  Elk Grove, Sacramento, and a 10-mile buffer
                                                                 extending from the border of the combined area.
                                       San Diego Area.........  Chula Vista, Escondido, and San Diego, and a 10-
                                                                 mile buffer extending from the border of the
                                                                 combined area.
CO...................................  Denver Area............  Arvada, Aurora, Denver, Lakewood, Westminster,
                                                                 Thornton, and a 10-mile buffer extending from
                                                                 the border of the combined area.
DC...................................  National Capital Region  National Capital Region and a 10-mile buffer
                                                                 extending from the border of the combined area.
FL...................................  Fort Lauderdale Area...  Fort Lauderdale, Hollywood, Miami Gardens,
                                                                 Miramar, Pembroke Pines, and a 10-mile buffer
                                                                 extending from the border of the combined area.
                                       Jacksonville Area......  Jacksonville and a 10-mile buffer extending from
                                                                 the city border.
                                       Miami Area.............  Hialeah, Miami, and a 10-mile buffer extending
                                                                 from the border of the combined area.
                                       Orlando Area...........  Orlando and a 10-mile buffer extending from the
                                                                 city border.
                                       Tampa Area.............  Clearwater, St. Petersburg, Tampa, and a 10-mile
                                                                 buffer extending from the border of the
                                                                 combined area.
GA...................................  Atlanta Area...........  Atlanta and a 10-mile buffer extending from the
                                                                 city border.
HI...................................  Honolulu Area..........  Honolulu and a 10-mile buffer extending from the
                                                                 city border.
IL...................................  Chicago Area...........  Chicago and a 10-mile buffer extending from the
                                                                 city border.
IN...................................  Indianapolis Area......  Indianapolis and a 10-mile buffer extending from
                                                                 the city border.
KY...................................  Louisville Area........  Louisville and a 10-mile buffer extending from
                                                                 the city border.
LA...................................  Baton Rouge Area.......  Baton Rouge and a 10-mile buffer extending from
                                                                 the city border.
                                       New Orleans Area.......  New Orleans and a 10-mile buffer extending from
                                                                 the city border.
MA...................................  Boston Area............  Boston, Cambridge, and a 10-mile buffer
                                                                 extending from the border of the combined area.
MD...................................  Baltimore Area.........  Baltimore and a 10-mile buffer extending from
                                                                 the city border.
MI...................................  Detroit Area...........  Detroit, Sterling Heights, Warren, and a 10-mile
                                                                 buffer extending from the border of the
                                                                 combined area.
MN...................................  Twin Cities Area.......  Minneapolis, St. Paul, and a 10-mile buffer
                                                                 extending from the border of the combined
                                                                 entity.
MO...................................  Kansas City Area.......  Independence, Kansas City (MO), Kansas City
                                                                 (KS), Olathe, Overland Park, and a 10-mile
                                                                 buffer extending from the border of the
                                                                 combined area.
                                       St. Louis Area.........  St. Louis and a 10-mile buffer extending from
                                                                 the city border.
NC...................................  Charlotte Area.........  Charlotte and a 10-mile buffer extending from
                                                                 the city border.
NE...................................  Omaha Area.............  Omaha and a 10-mile buffer extending from the
                                                                 city border.
NJ...................................  Jersey City/Newark Area  Elizabeth, Jersey City, Newark, and a 10-mile
                                                                 buffer extending from the border of the
                                                                 combined area.
NV...................................  Las Vegas Area.........  Las Vegas, North Las Vegas, and a 10-mile buffer
                                                                 extending from the border of the combined
                                                                 entity.
NY...................................  Buffalo Area...........  Buffalo and a 10-mile buffer extending from the
                                                                 city border.
                                       New York City Area.....  New York City, Yonkers, and a 10-mile buffer
                                                                 extending from the border of the combined area.
OH...................................  Cincinnati Area........  Cincinnati and a 10-mile buffer extending from
                                                                 the city border.
                                       Cleveland Area.........  Cleveland and a 10-mile buffer extending from
                                                                 the city border.
                                       Columbus Area..........  Columbus and a 10-mile buffer extending from the
                                                                 city border.
                                       Toledo Area............  Oregon, Toledo, and a 10-mile buffer extending
                                                                 from the border of the combined area.
OK...................................  Oklahoma City Area.....  Norman, Oklahoma and a 10-mile buffer extending
                                                                 from the border of the combined area.
OR...................................  Portland Area..........  Portland, Vancouver, and a 10-mile buffer
                                                                 extending from the border of the combined area.
PA...................................  Philadelphia Area......  Philadelphia and a 10-mile buffer extending from
                                                                 the city border.
                                       Pittsburgh Area........  Pittsburgh and a 10-mile buffer extending from
                                                                 the city border.
TN...................................  Memphis Area...........  Memphis and a 10-mile buffer extending from the
                                                                 city border.
TX...................................  Dallas/Fort Worth/       Arlington, Carrollton, Dallas, Fort Worth,
                                        Arlington Area.          Garland, Grand Prairie, Irving, Mesquite,
                                                                 Plano, and a 10-mile buffer extending from the
                                                                 border of the combined area.
                                       Houston Area...........  Houston, Pasadena, and a 10-mile buffer
                                                                 extending from the border of the combined
                                                                 entity.
                                       San Antonio Area.......  San Antonio and a 10-mile buffer extending from
                                                                 the city border.
WA...................................  Seattle Area...........  Seattle, Bellevue, and a 10-mile buffer
                                                                 extending from the border of the combined area.
WI...................................  Milwaukee Area.........  Milwaukee and a 10-mile buffer extending from
                                                                 the city border.
----------------------------------------------------------------------------------------------------------------

Appendix B to Part 1580--Security-Sensitive Functions for Freight Rail

    This table identifies security-sensitive job functions for owner/
operators regulated under this part. All employees performing security-
sensitive functions are ``security-sensitive employees'' for purposes 
of this rule and must be trained.

------------------------------------------------------------------------
                                                         Examples of job
                                    Security-sensitive        titles
            Categories               job functions for    applicable to
                                       freight rail      these functions
                                                                *
------------------------------------------------------------------------
A. Operating a vehicle...........  1. Employees who      Engineer,
                                    operate or directly   conductor
                                    control the
                                    movements of
                                    locomotives or
                                    other self-powered
                                    rail vehicles.
                                   2. Train conductor,
                                    trainman, brakeman,
                                    or utility employee
                                    or performs
                                    acceptance
                                    inspections,
                                    couples and
                                    uncouples rail
                                    cars, applies
                                    handbrakes, or
                                    similar functions.
                                   3. Employees covered
                                    under the Federal
                                    hours of service
                                    laws as ``train
                                    employees.'' See 49
                                    U.S.C. 21101(5) and
                                    21103.
B. Inspecting and maintaining      Employees who         Carman, car
 vehicles.                          inspect or repair     repairman, car
                                    rail cars and         inspector,
                                    locomotives.          engineer,
                                                          conductor.
C. Inspecting or maintaining       1. Employees who--    Signalman,
 building or transportation        a. Maintain,           signal
 infrastructure.                    install, or inspect   maintainer,
                                    communications and    track-man,
                                    signal equipment.     gang foreman,
                                   b. Maintain,           bridge and
                                    install, or inspect   building
                                    track and             laborer,
                                    structures,           roadmaster,
                                    including, but not    bridge, and
                                    limited to,           building
                                    bridges, trestles,    inspector/
                                    and tunnels.          operator.
                                   2. Employees covered
                                    under the Federal
                                    hours of service
                                    laws as ``signal
                                    employees.'' See 49
                                    U.S.C. 21101(3) and
                                    21104.
D. Controlling dispatch or         1. Employees who--    Yardmaster,
 movement of a vehicle.            a. Dispatch, direct,   dispatcher,
                                    or control the        block
                                    movement of trains.   operator,
                                   b. Operate or          bridge
                                    supervise the         operator.
                                    operations of
                                    moveable bridges.
                                   c. Supervise the
                                    activities of train
                                    crews, car
                                    movements, and
                                    switching
                                    operations in a
                                    yard or terminal.
                                   2. Employees covered
                                    under the Federal
                                    hours of service
                                    laws as
                                    ``dispatching
                                    service
                                    employees.'' See 49
                                    U.S.C. 21101(2) and
                                    21105.
E. Providing security of the       Employees who         Police officer,
 owner/operator's equipment and     provide for the       special agent;
 property.                          security of the       patrolman;
                                    railroad carrier's    watchman;
                                    equipment and         guard.
                                    property, including
                                    acting as a
                                    railroad police
                                    officer (as that
                                    term is defined in
                                    49 CFR 207.2).
F. Loading or unloading cargo or   Includes, but is not  Service track
 baggage.                           limited to,           employee.
                                    employees that load
                                    or unload hazardous
                                    materials.
G. Interacting with travelling     Employees of a        Conductor,
 public (on board a vehicle or      freight railroad      engineer,
 within a transportation            operating in          agent.
 facility).                         passenger service.
H. Complying with security         1. Employees who      Security
 programs or measures, including    serve as security     coordinator,
 those required by Federal law.     coordinators          train master,
                                    designated in Sec.    assistant
                                     1570.201 of this     train master,
                                    subchapter, as well   roadmaster,
                                    as any designated     division
                                    alternates or         roadmaster.
                                    secondary security
                                    coordinators.
                                   2. Employees who--
                                   a. Conduct training
                                    and testing of
                                    employees when the
                                    training or testing
                                    is required by
                                    TSA's security
                                    regulations.
                                   b. Perform
                                    inspections or
                                    operations required
                                    by Sec.   1580.205
                                    of this subchapter.
                                   c. Manage or direct
                                    implementation of
                                    security plan
                                    requirements.
------------------------------------------------------------------------
* These job titles are provided solely as a resource to help understand
  the functions described; whether an employee must be trained is based
  upon the function, not the job title.


12. Add part 1582 to read as follows:

PART 1582--PUBLIC TRANSPORTATION AND PASSENGER RAILROAD SECURITY

Subpart A--General
Sec.
1582.1 Scope.
1582.3 Terms used in this part.
1582.5 Preemptive effect.
Subpart B--Security Programs
1582.101 Applicability.
1582.103 [Reserved]
1582.105 [Reserved]
1582.107 [Reserved]
1582.109 [Reserved]
1582.111 [Reserved]
1582.113 Security training program general requirements.
1582.115 Security training and knowledge for security-sensitive 
employees.
Appendix A to Part 1582--Determinations for Public Transportation 
and Passenger Railroads
Appendix B to Part 1582--Security-Sensitive Job Functions For Public 
Transportation and Passenger Railroads

    Authority: 49 U.S.C. 114; Pub. L. 110-53 (121 Stat. 266, Aug. 3, 
2007) secs. 1402 (6 U.S.C. 1131), 1405 (6 U.S.C. 1134), and 1408 (6 
U.S.C. 1137).

Subpart A--General


Sec.  1582.1   Scope.

    (a) Except as provided in paragraph (b) of this section, this part 
includes requirements for the following persons. Specific sections in 
this part provide detailed requirements.
    (1) Each passenger railroad carrier.
    (2) Each public transportation agency.
    (3) Each operator of a rail transit system that is not operating on 
track that is part of the general railroad system of transportation, 
including heavy rail transit, light rail transit, automated guideway, 
cable car, inclined plane, funicular, and monorail systems.
    (4) Each tourist, scenic, historic, and excursion rail owner/
operator, whether operating on or off the general railroad system of 
transportation.
    (b) This part does not apply to a ferry system required to conduct 
training pursuant to 46 U.S.C. 70103.


Sec.  1582.3  Terms used in this part.

    In addition to the terms in Sec. Sec.  1500.3, 1500.5, and 1503.202 
of subchapter A and Sec.  1570.3 of subchapter D of this chapter, the 
following term applies to this part.
    Security-sensitive employee means an employee whose 
responsibilities for the owner/operator include one or more of the 
security-sensitive job functions identified in appendix B to this part 
if the security-sensitive function is performed in the United States or 
in direct support of the common carriage of persons or property between 
a place in the United States and any place outside of the United 
States.


Sec.  1582.5   Preemptive effect.

    Under 49 U.S.C. 20106, issuance of the passenger railroad and 
public transportation regulations in this subchapter preempts any State 
law, regulation, or order covering the same subject matter, except an 
additional or more stringent law, regulation, or order that is 
necessary to eliminate or reduce an essentially local security hazard; 
that is not incompatible with a law, regulation, or order of the U.S. 
Government; and that does not unreasonably burden interstate commerce.

Subpart B--Security Programs


Sec.  1582.101  Applicability.

    The requirements of this subpart apply to the following:
    (a) Amtrak (also known as the National Railroad Passenger 
Corporation).
    (b) Each owner/operator identified in Appendix A to this part.
    (c) Each owner/operator described in Sec.  1582.1(a)(1) through (3) 
of this part that serves as a host railroad to a freight operation 
described in Sec.  1580.301 of this subchapter or to a passenger train 
operation described in paragraph (a)(1) or (a)(2) of this section.


Sec.  1582.103   [Reserved]


Sec.  1582.105   [Reserved]


Sec.  1582.107   [Reserved]


Sec.  1582.109   [Reserved]


Sec.  1582.111  [Reserved]


Sec.  1582.113   Security training program general requirements.

    (a) Security training program required. Each owner/operator 
identified in Sec.  1582.101 of this part is required to adopt and 
carry out a security training program under this subpart.
    (b) General requirements. The security training program must 
include the following information:
    (1) Name of owner/operator.
    (2) Name, title, telephone number, and email address of the primary 
individual to be contacted with regard to review of the security 
training program.
    (3) Number, by specific job function category identified in 
Appendix B to this part, of security-sensitive employees trained or to 
be trained.
    (4) Implementation schedule that identifies a specific date by 
which initial and recurrent security training required by Sec.  
1570.111 of this subchapter will be completed.
    (5) Location where training program records will be maintained.
    (6) Curriculum or lesson plan, including learning objectives and 
method of delivery (such as instructor-led or computer-based training) 
for each course used to meet the requirements of Sec.  1582.115 of this 
part. TSA may request additional information regarding the curriculum 
during the review and approval process. If recurrent training under 
Sec.  1570.111 of this subchapter is not the same as initial training, 
a curriculum or lesson plan for the recurrent training will need to be 
submitted and approved by TSA.
    (7) Plan for ensuring supervision of untrained security-sensitive 
employees performing functions identified in Appendix B to this part.
    (8) Plan for notifying employees of changes to security measures 
that could change information provided in previously provided training.
    (9) Method(s) for evaluating the effectiveness of the security 
training program in each area required by Sec.  1582.115 of this part.
    (c) Relation to other training. (1) Training conducted by owner/
operators to comply with other requirements or standards, such as emergency 
preparedness training required by the Department of Transportation 
(DOT) (49 CFR part 239) or other training for communicating with 
emergency responders to arrange the evacuation of passengers, may be 
combined with and used to satisfy elements of the training requirements 
in this subpart.
    (2) If the owner/operator submits a security training program that 
relies on pre-existing or previous training materials to meet the 
requirements of subpart B, the program submitted for approval must 
include an index, organized in the same sequence as the requirements in 
this subpart.
    (d) Submission and implementation. The owner/operator must submit 
and implement the security training program in accordance with the 
schedules identified in Sec. Sec.  1570.109 and 1570.111 of this 
subchapter.


Sec.  1582.115   Security training and knowledge for security-sensitive 
employees.

    (a) Training required for security-sensitive employees. No owner/
operator required to have a security training program under Sec.  
1582.101 of this part may use a security-sensitive employee to perform 
a function identified in appendix B to this part unless that individual 
has received training as part of a security training program approved 
by TSA under 49 CFR part 1570, subpart B, or is under the direct 
supervision of an employee who has received the training required by 
this section as applicable to that security-sensitive function.
    (b) Limits on use of untrained employees. Notwithstanding paragraph 
(a) of this section, a security-sensitive employee may not perform a 
security-sensitive function for more than sixty (60) calendar days 
without receiving security training.
    (c) Prepare. Each owner/operator must ensure that each of its 
security-sensitive employees with position- or function-specific 
responsibilities under the owner/operator's security program have 
knowledge of how to fulfill those responsibilities in the event of a 
security threat, breach, or incident to ensure--
    (1) Employees with responsibility for transportation security 
equipment and systems are aware of their responsibilities and can 
verify the equipment and systems are operating and properly maintained; 
and
    (2) Employees with other duties and responsibilities under the 
company's security plans and/or programs, including those required by 
Federal law, know their assignments and the steps or resources needed 
to fulfill them.
    (d) Observe. Each owner/operator must ensure that each of its 
security-sensitive employees has knowledge of the observational skills 
necessary to recognize--
    (1) Suspicious and/or dangerous items (such as substances, 
packages, or conditions (for example, characteristics of an IED and 
signs of equipment tampering or sabotage);
    (2) Combinations of actions and individual behaviors that appear 
suspicious and/or dangerous, inappropriate, inconsistent, or out of the 
ordinary for the employee's work environment, which could indicate a 
threat to transportation security; and
    (3) How a terrorist or someone with malicious intent may attempt to 
gain sensitive information or take advantage of vulnerabilities.
    (e) Assess. Each owner/operator must ensure that each of its 
security-sensitive employees has knowledge necessary to--
    (1) Determine whether the item, individual, behavior, or situation 
requires a response as a potential terrorist threat based on the 
respective transportation environment; and
    (2) Identify appropriate responses based on observations and 
context.
    (f) Respond. Each owner/operator must ensure that each of its 
security-sensitive employees has knowledge of how to--
    (1) Appropriately report a security threat, including knowing how 
and when to report internally to other employees, supervisors, or 
management, and externally to local, state, or Federal agencies 
according to the owner/operator's security procedures or other relevant 
plans;
    (2) Interact with the public and first responders at the scene of 
the threat or incident, including communication with passengers on 
evacuation and any specific procedures for individuals with 
disabilities and the elderly; and
    (3) Use any applicable self-defense devices or other protective 
equipment provided to employees by the owner/operator.

Appendix A to Part 1582--Determinations for Public Transportation and 
Passenger Railroads

------------------------------------------------------------------------
        State             Urban area                 Systems
------------------------------------------------------------------------
CA                    Bay Area.........  Alameda-Contra Costa Transit
                                          District (AC Transit).
                                         Altamont Corridor Express
                                          (ACE).
                                         City and County of San
                                          Francisco (San Francisco Bay
                                          Area Rapid Transit District)
                                          (BART).
                                         Central Contra Costa Transit
                                          Authority.
                                         Golden Gate Bridge, Highway
                                          and Transportation District
                                          (GGBHTD).
                                         Peninsula Corridor Joint Powers
                                          Board (PCJPB) (Caltrain).
                                         San Francisco Municipal Railway
                                          (MUNI) (San Francisco
                                          Municipal Transportation
                                          Agency).
                                         San Mateo County Transit
                                          District (San Mateo County
                                          Transit Authority) (SamTrans).
                                         Santa Clara Valley
                                          Transportation Authority
                                          (VTA).
                                         Transbay Joint Powers
                                          Authority.
                      Greater Los        City of Los Angeles Department
                       Angeles Area       of Transportation (LADOT).
                       (Los Angeles/     Foothill Transit.
                       Long Beach and    Long Beach Transit (LBT).
                       Anaheim/Santa     Los Angeles County Metropolitan
                       Ana urban          Transportation Authority
                       Areas)..           (LACMTA).
                                         City of Montebello (Montebello
                                          Bus Lines) (MBL).
                                         Omnitrans (OMNI).
                                         Orange County Transportation
                                          Authority (OCTA).
                                         City of Santa Monica (Santa
                                          Monica's Big Blue Bus) (Big
                                          Blue Bus).
                                         Southern California Regional
                                          Rail Authority (Metrolink).
DC/MD/VA              Greater National   Arlington County, Virginia
                       Capital Region     (Arlington Transit).
                       (National         City of Alexandria (Alexandria
                       Capital Region     Transit Company) (Dash).
                       and Baltimore     Fairfax County Department of
                       urban Areas)..     Transportation--Fairfax
                                          Connector Bus System.
                                         Maryland Transit Administration
                                          (MTA).
                                         Montgomery County Department of
                                          Transportation (Ride-On
                                          Montgomery County Transit).
                                         Potomac and Rappahannock
                                          Transportation Commission.
                                         Prince George's County
                                          Department of Public Works and
                                          Transportation (The Bus).
                                         Virginia Railway Express (VRE).
                                         Washington Metropolitan Area
                                          Transit Authority (WMATA).
GA                    Atlanta Area.....  Georgia Regional Transportation
                                          Authority (GRTA, within State
                                          Road and Tollway Authority
                                          (SRTA)).
                                         Metropolitan Atlanta Rapid
                                          Transit Authority (MARTA).
IL/IN                 Chicago Area.....  Chicago Transit Authority
                                          (CTA).
                                         Northeast Illinois Regional
                                          Commuter Railroad Corporation
                                          (Metra/NIRCRC).
                                         Northern Indiana Commuter
                                          Transportation District
                                          (NICTD).
                                         PACE Suburban Bus Company.
MA                    Boston Area......  Massachusetts Bay
                                          Transportation Authority
                                          (MBTA).
NY/NJ/CT              New York City/     Connecticut Department of
                       Northern New       Transportation (CDOT).
                       Jersey Area (New  Connecticut Transit (Hartford
                       York City and      Division and New Haven
                       Jersey City/       Divisions of CTTransit).
                       Newark urban      Metropolitan Transportation
                       Areas).            Authority (All Agencies).
                                         New Jersey Transit Corp. (NJT).
                                         New York City Department of
                                          Transportation.
                                         Port Authority Trans-Hudson
                                          Corporation (Port Authority of
                                          New York and New Jersey)
                                          (PANYNJ) (excluding ferry).
                                         Westchester County Department
                                          of Transportation Bee-Line
                                          System (The Bee-Line System).
PA/NJ                 Philadelphia Area  Delaware River Port Authority
                                          (DRPA)--Port Authority Transit
                                          Corporation (PATCO).
                                         Delaware Transit Corporation
                                          (DTC).
                                         New Jersey Transit Corp. (NJT)
                                          (covered under NY).
                                         Pennsylvania Department of
                                          Transportation.
                                         Southeastern Pennsylvania
                                          Transportation Authority
                                          (SEPTA).
------------------------------------------------------------------------

Appendix B to Part 1582--Security-Sensitive Job Functions For Public 
Transportation and Passenger Railroads

    This table identifies security-sensitive job functions for owner/
operators regulated under this part. All employees performing security-
sensitive functions are ``security-sensitive employees'' for purposes 
of this rule and must be trained.

------------------------------------------------------------------------
                                              Security-sensitive job
                                               functions for public
               Categories                  transportation and passenger
                                                 railroads (PTPR)
------------------------------------------------------------------------
A. Operating a vehicle                   1. Employees who--
                                         a. Operate or control the
                                          movements of trains, other
                                          rail vehicles, or transit
                                          buses.
                                         b. Act as train conductor,
                                          trainman, brakeman, or utility
                                          employee or perform
                                          acceptance inspections,
                                          couple and uncouple rail
                                          cars, apply handbrakes, or
                                          similar functions.
                                         2. Employees covered under the
                                          Federal hours of service laws
                                          as ``train employees.'' See 49
                                          U.S.C. 21101(5) and 21103.
B. Inspecting and maintaining vehicles   Employees who--
                                         1. Perform activities related
                                          to the diagnosis, inspection,
                                          maintenance, adjustment,
                                          repair, or overhaul of
                                          electrical or mechanical
                                          equipment relating to
                                          vehicles, including functions
                                          performed by mechanics and
                                          automotive technicians.
                                         2. Provide cleaning services to
                                          vehicles owned, operated, or
                                          controlled by an owner/
                                          operator regulated under this
                                          subchapter.
C. Inspecting or maintaining building    Employees who--
 or transportation infrastructure.       1. Maintain, install, or
                                          inspect communication systems
                                          and signal equipment related
                                          to the delivery of
                                          transportation services.
                                         2. Maintain, install, or
                                          inspect track and structures,
                                          including, but not limited to,
                                          bridges, trestles, and
                                          tunnels.
                                         3. Provide cleaning services to
                                          stations and terminals owned,
                                          operated, or controlled by an
                                          owner/operator regulated under
                                          this subchapter that are
                                          accessible to the general
                                          public or passengers.
                                         4. Provide maintenance services
                                          to stations, terminals, yards,
                                          tunnels, bridges, and
                                          operation control centers
                                          owned, operated, or controlled
                                          by an owner/operator regulated
                                          under this subchapter.
                                         5. Employees covered under the
                                          Federal hours of service laws
                                          as ``signal employees.'' See
                                          49 U.S.C. 21101(4) and 21104.
D. Controlling dispatch or movement of   Employees who--
 a vehicle.                              1. Dispatch, report, transport,
                                          receive or deliver orders
                                          pertaining to specific
                                          vehicles, coordination of
                                          transportation schedules,
                                          tracking of vehicles and
                                          equipment.
                                         2. Manage day-to-day management
                                          delivery of transportation
                                          services and the prevention
                                          of, response to, and redress
                                          of service disruptions.
                                         3. Supervise the activities of
                                          train crews, car movements,
                                          and switching operations in a
                                          yard or terminal.
                                         4. Dispatch, direct, or control
                                          the movement of trains or
                                          buses.
                                         5. Operate or supervise the
                                          operations of moveable
                                          bridges.
                                         6. Employees covered under the
                                          Federal hours of service laws
                                          as ``dispatching service
                                          employees.'' See 49 U.S.C.
                                          21101(2) and 21105.
E. Providing security of the owner/      Employees who--
 operator's equipment and property.      1. Provide for the security of
                                          PTPR equipment and property,
                                          including acting as a police
                                          officer.
                                         2. Patrol and inspect property
                                          of an owner/operator regulated
                                          under this subchapter to
                                          protect the property,
                                          personnel, passengers and/or
                                          cargo.
F. Loading or unloading cargo or         Employees who load, or oversee
 baggage                                  loading of, property tendered
                                          by or on behalf of a passenger
                                          on or off of a portion of a
                                          train that will be
                                          inaccessible to the passenger
                                          while the train is in
                                          operation.
G. Interacting with travelling public    Employees who provide services
 (on board a vehicle or within a          to passengers on-board a train
 transportation facility).                or bus, including collecting
                                          tickets or cash for fares,
                                          providing information, and
                                          other similar services.
                                          Including:
                                         1. On-board food or beverage
                                          employees.
                                         2. Functions on behalf of an
                                          owner/operator regulated under
                                          this subchapter that require
                                          regular interaction with
                                          travelling public within a
                                          transportation facility, such
                                          as ticket agents.
H. Complying with security programs or   1. Employees who serve as
 measures, including those required by    security coordinators
 Federal law.                             designated in Sec.   1570.201
                                          of this subchapter, as well as
                                          any designated alternates or
                                          secondary security
                                          coordinators.
                                         2. Employees who--
                                         a. Conduct training and testing
                                          of employees when the training
                                          or testing is required by
                                          TSA's security regulations.
                                         b. Manage or direct
                                          implementation of security
                                          plan requirements.
------------------------------------------------------------------------


13. Add part 1584 to read as follows:

PART 1584--HIGHWAY AND MOTOR CARRIER SECURITY

Subpart A--General
Sec.
1584.1 Scope.
1584.3 Terms used in this part.
Subpart B--Security Programs
1584.101 Applicability.
1584.103 [Reserved]
1584.105 [Reserved]
1584.107 [Reserved]
1584.109 [Reserved]
1584.111 [Reserved]
1584.113 Security training program general requirements.
1584.115 Security training and knowledge for security-sensitive 
employees.
Appendix A to Part 1584--Urban Area Determinations for Over-the-Road 
Buses
Appendix B to Part 1584--Security-Sensitive Job Functions For Over-the-
Road Buses

    Authority:  49 U.S.C. 114; Pub. L. 110-53 (121 Stat. 266, Aug. 
3, 2007) secs. 1501 (6 U.S.C. 1151), 1531 (6 U.S.C. 1181), and 1534 
(6 U.S.C. 1184).

Subpart A--General


Sec.  1584.1   Scope.

    This part includes requirements for persons providing 
transportation by an over-the-road bus (OTRB). Specific sections in 
this part provide detailed requirements.


Sec.  1584.3   Terms used in this part.

    In addition to the terms in Sec. Sec.  1500.3, 1500.5, and 1503.202 
of subchapter A and Sec.  1570.3 of subchapter D of this chapter, the 
following term applies to this part.
    Security-sensitive employee means an employee whose 
responsibilities for the owner/operator include one or more of the 
security-sensitive job functions identified in Appendix B to this part 
where the security-sensitive function is performed in the United States 
or in direct support of the common carriage of persons or property 
between a place in the United States and any place outside of the 
United States.

Subpart B--Security Programs


Sec.  1584.101  Applicability.

    The requirements of this subpart apply to each OTRB owner/operator 
providing fixed-route service that originates, travels through, or ends 
in a geographic location identified in appendix A to this part.


Sec.  1584.103   [Reserved]


Sec.  1584.105   [Reserved]


Sec.  1584.107  [Reserved]


Sec.  1584.109   [Reserved]


Sec.  1584.111   [Reserved]


Sec.  1584.113   Security training program general requirements.

    (a) Security training program required. Each owner/operator 
identified in Sec.  1584.101 of this part is required to adopt and 
carry out a security training program under this subpart.
    (b) General requirements. The security training program must 
include the following information:
    (1) Name of owner/operator.
    (2) Name, title, telephone number, and email address of the primary 
individual to be contacted with regard to review of the security 
training program.
    (3) Number, by specific job function category identified in 
Appendix B to this part, of security-sensitive employees trained or to 
be trained.
    (4) Implementation schedule that identifies a specific date by 
which initial and recurrent security training required by Sec.  
1570.111 of this subchapter will be completed.
    (5) Location where training program records will be maintained.
    (6) Curriculum or lesson plan, including learning objectives and 
method of delivery (such as instructor-led or computer-based training) 
for each course used to meet the requirements of Sec.  1584.115 of this 
part. TSA may request additional information regarding the curriculum 
during the review and approval process. If recurrent training under 
Sec.  1570.111 of this subchapter is not the same as initial training, 
a curriculum or lesson plan for the recurrent training will need to be 
submitted and approved by TSA.
    (7) Plan for ensuring supervision of untrained security-sensitive 
employees performing functions identified in Appendix B to this part.
    (8) Plan for notifying employees of changes to security measures 
that could change information provided in previously provided training.
    (9) Method(s) for evaluating the effectiveness of the security 
training program in each area required by Sec.  1584.115 of this part.
    (c) Relation to other training. (1) Training conducted by owner/
operators to comply with other requirements or standards may be combined 
with and used to satisfy elements of the training requirements in this 
subpart.

[[Page 16516]]

    (2) If the owner/operator submits a security training program that 
relies on pre-existing or previous training materials to meet the 
requirements of subpart B, the program submitted for approval must 
include an index, organized in the same sequence as the requirements in 
this subpart.
    (d) Submission and Implementation. The owner/operator must submit 
and implement the security training program in accordance with the 
schedules identified in Sec. Sec.  1570.109 and 1570.111 of this 
subchapter.


Sec.  1584.115  Security training and knowledge for security-sensitive 
employees.

    (a) Training required for security-sensitive employees. No owner/
operator required to have a security training program under Sec.  
1584.101 of this part may use a security-sensitive employee to perform 
a function identified in Appendix B to this part unless that individual 
has received training as part of a security training program approved 
by TSA under 49 CFR part 1570, subpart B, or is under the direct 
supervision of an employee who has received the training required by 
this section as applicable to that security-sensitive function.
    (b) Limits on use of untrained employees. Notwithstanding paragraph 
(a) of this section, a security-sensitive employee may not perform a 
security-sensitive function for more than sixty (60) calendar days 
without receiving security training.
    (c) Prepare. Each owner/operator must ensure that each of its 
security-sensitive employees with position- or function-specific 
responsibilities under the owner/operator's security program have 
knowledge of how to fulfill those responsibilities in the event of a 
security threat, breach, or incident to ensure--
    (1) Employees with responsibility for transportation security 
equipment and systems are aware of their responsibilities and can 
verify the equipment and systems are operating and properly maintained; 
and
    (2) Employees with other duties and responsibilities under the 
company's security plans and/or programs, including those required by 
Federal law, know their assignments and the steps or resources needed 
to fulfill them.
    (d) Observe. Each owner/operator must ensure that each of its 
security-sensitive employees has knowledge of the observational skills 
necessary to recognize--
    (1) Suspicious and/or dangerous items (such as substances, 
packages, or conditions (for example, characteristics of an IED and 
signs of equipment tampering or sabotage);
    (2) Combinations of actions and individual behaviors that appear 
suspicious and/or dangerous, inappropriate, inconsistent, or out of the 
ordinary for the employee's work environment, which could indicate a 
threat to transportation security; and
    (3) How a terrorist or someone with malicious intent may attempt to 
gain sensitive information or take advantage of vulnerabilities.
    (e) Assess. Each owner/operator must ensure that each of its 
security-sensitive employees has knowledge necessary to--
    (1) Determine whether the item, individual, behavior, or situation 
requires a response as a potential terrorist threat based on the 
respective transportation environment; and
    (2) Identify appropriate responses based on observations and 
context.
    (f) Respond. Each owner/operator must ensure that each of its 
security-sensitive employees has knowledge of how to--
    (1) Appropriately report a security threat, including knowing how 
and when to report internally to other employees, supervisors, or 
management, and externally to local, state, or Federal agencies 
according to the owner/operator's security procedures or other relevant 
plans;
    (2) Interact with the public and first responders at the scene of 
the threat or incident, including communication with passengers on 
evacuation and any specific procedures for individuals with 
disabilities and the elderly; and
    (3) Use any applicable self-defense devices or other protective 
equipment provided to employees by the owner/operator.

Appendix A to Part 1584--Urban Area Determinations for Over-the-Road 
Buses

------------------------------------------------------------------------
        State             Urban area             Geographic areas
------------------------------------------------------------------------
CA                    Anaheim/Los        Los Angeles and Orange
                       Angeles/Long       Counties.
                       Beach/Santa Ana
                       Areas.
                      San Diego Area...  San Diego County.
                      San Francisco Bay  Alameda, Contra Costa, Marin,
                       Area.              San Francisco, and San Mateo
                                          Counties.
DC (VA, MD, and WV).  National Capital   District of Columbia; Counties
                       Region.            of Calvert, Charles,
                                          Frederick, Montgomery, and
                                          Prince George's, MD; Counties
                                          of Arlington, Clarke, Fairfax,
                                          Fauquier, Loudoun, Prince
                                          William, Spotsylvania,
                                          Stafford, and Warren County,
                                          VA; Cities of Alexandria,
                                          Fairfax, Falls Church,
                                          Fredericksburg, Manassas, and
                                          Manassas Park City, VA;
                                          Jefferson County, WV.
IL/IN                 Chicago Area.....  Counties of Cook, DeKalb,
                                          DuPage, Grundy, Kane, Kendall,
                                          Lake, McHenry, and Will, IL;
                                          Counties of Jasper, Lake,
                                          Newton, and Porter, IN;
                                          Kenosha County, WI.
MA                    Boston Area......  Counties of Essex, Norfolk,
                                          Plymouth, Suffolk, Middlesex,
                                          MA; Counties of Rockingham and
                                          Strafford, NH.
NY (NJ and PA)......  New York City/     Counties of Bronx, Kings,
                       Jersey City/       Nassau, New York, Putnam,
                       Newark Area.       Queens, Richmond, Rockland,
                                          Suffolk, and Westchester, NY;
                                          Counties of Bergen, Essex,
                                          Hudson, Hunterdon, Ocean,
                                          Middlesex, Monmouth, Morris,
                                          Passaic, Somerset, Sussex, and
                                          Union, NJ; Pike County, PA.
PA (DE and NJ)......  Philadelphia Area/ Counties of Burlington, Camden,
                       Southern New       and Gloucester, NJ; Counties
                       Jersey Area.       of Bucks, Chester, Delaware,
                                          Montgomery, and Philadelphia,
                                          PA; New Castle County, DE;
                                          Cecil County, MD; Salem
                                          County, NJ.
TX                    Dallas Fort Worth/ Collin, Dallas, Delta, Denton,
                       Arlington Area.    Ellis, Hunt, Kaufman,
                                          Rockwall, Johnson, Parker,
                                          Tarrant, and Wise Counties,
                                          TX.
                      Houston Area.....  Austin, Brazoria, Chambers,
                                          Fort Bend, Galveston, Harris,
                                          Liberty, Montgomery, San
                                          Jacinto, and Waller Counties,
                                          TX.
------------------------------------------------------------------------


[[Page 16517]]

Appendix B to Part 1584--Security-Sensitive Job Functions for Over-the-
Road Buses

    This table identifies security-sensitive job functions for owner/
operators regulated under this part. All employees performing security-
sensitive functions are ``security-sensitive employees'' for purposes 
of this rule and must be trained.

------------------------------------------------------------------------
                               Security-sensitive job functions for over-
          Categories                         the-road buses
------------------------------------------------------------------------
A. Operating a vehicle         Employees who have a CDL and operate an
                                OTRB.
B. Inspecting and maintaining  Employees who--
 vehicles.
                               1. Perform activities related to the
                                diagnosis, inspection, maintenance,
                                adjustment, repair, or overhaul of
                                electrical or mechanical equipment
                                relating to vehicles, including
                                functions performed by mechanics and
                                automotive technicians.
                               2. Does not include cleaning or
                                janitorial activities.
C. Inspecting or maintaining   Employees who--
 building or transportation    1. Provide cleaning services to areas of
 infrastructure.                facilities owned, operated, or
                                controlled by an owner/operator
                                regulated under this subchapter that are
                                accessible to the general public or
                                passengers.
                               2. Provide cleaning services to vehicles
                                owned, operated, or controlled by an
                                owner/operator regulated under this part
                                (does not include vehicle maintenance).
                               3. Provide general building maintenance
                                services to buildings owned, operated,
                                or controlled by an owner/operator
                                regulated under this part.
D. Controlling dispatch or     Employees who--
 movement of a vehicle.        1. Dispatch, report, transport, receive
                                or deliver orders pertaining to specific
                                vehicles, coordination of transportation
                                schedules, tracking of vehicles and
                                equipment.
                               2. Manage day-to-day delivery of
                                transportation services and the
                                prevention of, response to, and redress
                                of disruptions to these services.
                               3. Perform tasks requiring access to or
                                knowledge of specific route information.
E. Providing security of the   Employees who patrol and inspect property
 owner/operator's equipment     of an owner/operator regulated under
 and property.                  this part to protect the property,
                                personnel, passengers and/or cargo.
F. Loading or unloading cargo  Employees who load, or oversee loading
 or baggage.                    of, property tendered by or on behalf of
                                a passenger on or off of a portion of a
                                bus that will be inaccessible to the
                                passenger while the vehicle is in
                                operation.
G. Interacting with            Employees who--
 travelling public (on board   1. Provide services to passengers on-
 a vehicle or within a          board a bus, including collecting
 transportation facility).      tickets or cash for fares, providing
                                information, and other similar services.
                               2. Includes food or beverage employees,
                                tour guides, and functions on behalf of
                                an owner/operator regulated under this
                                part that require regular interaction
                                with travelling public within a
                                transportation facility, such as ticket
                                agents.
H. Complying with security     1. Employees who serve as security
 programs or measures,          coordinators designated in Sec.
 including those required by    1570.201 of this subchapter, as well as
 Federal law.                   any designated alternates or secondary
                                security coordinators.
                               2. Employees who--
                               a. Conduct training and testing of
                                employees when the training or testing
                                is required by TSA's security
                                regulations.
                               b. Manage or direct implementation of
                                security plan requirements.
------------------------------------------------------------------------


    Dated: February 28, 2020.
David P. Pekoske,
Administrator.
[FR Doc. 2020-05126 Filed 3-20-20; 8:45 am]