[Federal Register Volume 85, Number 56 (Monday, March 23, 2020)]
[Rules and Regulations]
[Pages 16456-16517]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-05126]
[[Page 16455]]
Vol. 85
Monday,
No. 56
March 23, 2020
Part II
Department of Homeland Security
-----------------------------------------------------------------------
Transportation Security Administration
-----------------------------------------------------------------------
49 CFR Parts 1500, 1520, et al.
Security Training for Surface Transportation Employees; Final Rule
��Federal Register / Vol. 85 , No. 56 / Monday, March 23, 2020 / Rules
and Regulations��
[[Page 16456]]
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
Transportation Security Administration
49 CFR Parts 1500, 1520, 1570, 1580, 1582, and 1584
[Docket No. TSA-2015-0001]
RIN 1652-AA55
Security Training for Surface Transportation Employees
AGENCY: Transportation Security Administration, DHS.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Transportation Security Administration (TSA) is requiring
owner/operators of higher-risk freight railroad carriers, public
transportation agencies (including rail mass transit and bus systems),
passenger railroad carriers, and over-the-road bus companies, to
provide TSA-approved security training to employees performing
security-sensitive functions. The training curriculum must teach
employees how to observe, assess, and respond to terrorist-related
threats and/or incidents. Additionally, TSA is expanding its
requirements for security coordinators and reporting of significant
security concerns (currently limited to rail operations) to include bus
operations within the scope of the regulation's applicability. TSA is
amending other provisions of its regulations, as necessary, to
implement these requirements.
DATES:
Effective date: This rule is effective June 22, 2020.
Compliance date: In general, compliance schedules are indicated in
this rule. The requirements in 49 CFR 1570.201 must be met no later
than July 29, 2020.
FOR FURTHER INFORMATION CONTACT: Harry Schultz (TSA, Security Policy
and Industry Engagement, Surface Division) or David Kasminoff (TSA,
Senior Counsel, Regulations and Security Standards) at telephone (571)
227-5563, or email to [email protected].
SUPPLEMENTARY INFORMATION:
Availability of Rulemaking Document
An electronic copy can be obtained using the internet by--
(1) Searching the electronic Federal Docket Management System
(FDMS) web page at http://www.regulations.gov;
(2) Accessing the Government Printing Office's web page at http://www.gpo.gov/fdsys/browse/collection.action?collectionCode=FR to view
the daily published Federal Register edition; or accessing the ``Search
the Federal Register by Citation'' in the ``Related Resources'' column
on the left, if you need to do a Simple or Advanced search for
information, such as a type of document that crosses multiple agencies
or dates.
In addition, copies are available by writing or calling the
individual in the FOR FURTHER INFORMATION CONTACT section. Make sure to
identify the docket number of this rulemaking.
Small Entity Inquiries
The Small Business Regulatory Enforcement Fairness Act (SBREFA) of
1996 requires TSA to comply with small entity requests for information
and advice about compliance with statutes and regulations within TSA's
jurisdiction.\1\ Any small entity that has a question regarding this
document may contact the person listed in the FOR FURTHER INFORMATION
CONTACT section. Persons can obtain further information regarding
SBREFA on the Small Business Administration's web page at https://www.sba.gov/category/advocacy-navigation-structure/regulatory-policy/regulatory-flexibility-act/sbrefa.
---------------------------------------------------------------------------
\1\ Public Law 104-121, 110 Stat. 857 (Mar. 29, 1996).
---------------------------------------------------------------------------
Abbreviations and Terms Used in This Document
Amtrak--National Railroad Passenger Corporation
APTA--American Public Transportation Association
CDL--Commercial Driver's License
DHS--Department of Homeland Security
DOT--Department of Transportation
FRA--Federal Railroad Administration
FTA--Federal Transit Administration
GAO--U.S. Government Accountability Office
HSA--Homeland Security Act of 2002
HTUA--High Threat Urban Area
IED--Improvised Explosive Device
MOU--Memorandum of Understanding
NSI--Nationwide Suspicious Activity Reporting (SAR) Initiative
OMB--Office of Management and Budget
OSHA--Occupational Health and Safety Administration
OTRB--Over-the-Road Bus
PHMSA--Pipeline and Hazardous Materials Safety Administration
PRA--Paperwork Reduction Act of 1995
PTPR--Public Transportation and Passenger Railroads
RFA--Regulatory Flexibility Act of 1980
RIA--Regulatory Impact Analysis
RSC--Rail Security Coordinator
RSSM--Rail Security-Sensitive Material
SBA--Small Business Administration
SBREFA--Small Business Regulatory Enforcement Fairness Act of 1996
SSI--Sensitive Security Information
TSA--Transportation Security Administration
TSSM--Transportation Security-Sensitive Material
UASI--Urban Area Security Initiative
UMRA--Unfunded Mandates Reform Act of 1995
VBIED--Vehicle-Borne Improvised Explosive Device
Table of Contents
I. Executive Summary and Background
A. Statutory Mandate
B. Benefits of Requiring Security Training
C. Costs of This Final Rule
D. Organization of This Final Rule
II. Security Program Requirements
A. Who must provide security training?
1. Freight Railroads (Sec. 1580.101)
2. Public Transportation and Passenger Railroads (Sec.
1582.101)
3. Over-the-Road Buses (Sec. 1584.101)
4. Impact on Certain Business Operations
B. Who is responsible for determining whether a specific owner/
operator is subject to the requirements of the rule (applicability
determinations)? (Sec. 1570.105)
C. Which employees must receive security training? (Sec. Sec.
1580.115(a), 1582.115(a) and 1584.115(a))
D. How does an owner/operator determine if someone is a
security-sensitive employee? (Sec. Sec. 1580.3, 1582.3, and 1584.3)
E. Can untrained security-sensitive employees perform security-
sensitive functions? (Sec. Sec. 1580.115(b), 1582.115(b), and
1584.115(b))
F. What topics must be included in the security training?
(Sec. Sec. 1580.115(c)-(f), 1582.115(c)-(f), and 1584.115(c)-(f))
G. Who will provide the security training curriculum?
(Sec. Sec. 1580.113, 1582.113, and 1584.113)?
H. Can owner/operators use pre-existing material or other third-
party material? (Sec. 1570.103)
I. How do these requirements relate to other security training
required by other Federal or State agencies? (Sec. Sec.
1580.115(c), 1582.115(c), and 1584.115(c))
J. What is the required schedule for providing training? (Sec.
1570.111)
1. Initial Training (Sec. 1570.111(a))
2. Recurrent Training (Sec. 1570.111(b))
3. Previous Training (Sec. 1570.107)
K. Do employees have to pass a test? ((Sec. Sec.
1580.113(b)(9), 1582.113(b)(9), and 1584.113(b)(9))
III. Operational Requirements (Subpart D)
A. Security Coordinator Requirements (Sec. 1570.201)
B. Requirement To Report Security Concerns (Sec. 1570.203)
C. Methods for Reporting Information and Substance of
Information Provided (Sec. 1570.203 (a) and (c))
IV. Security Program Procedures
A. Deadlines Related to Submission and Approval of Security
Training Program
B. Amendments
1. Amendments Initiated by Owner/Operator (Sec. 1570.113)
2. Amendments Initiated by TSA (Sec. 1570.115)
[[Page 16457]]
C. Alternative Measures (Sec. 1570.117)
D. Petitions for Reconsideration (Sec. 1570.119)
E. Recordkeeping Requirements (Sec. 1570.121)
F. Summary of Deadlines
V. Miscellaneous Changes
A. Amendments to Part 1500
B. Amendments to Part 1503
C. Amendments to Part 1520
D. Amendments to Part 1570
1. Security Responsibilities for Employees and Other Persons
(Sec. 1570.7)
2. Compliance, Inspection, and Enforcement (Sec. 1570.9)
3. ``Covered Person'' (Sec. 1570.305)
VI. Summary of Changes
VII. Response to Comments on NPRM
A. General Comments
1. Need for Rule
2. Cost of Rule
3. Stakeholder Consultation
4. Terms
B. Investigative and Enforcement Procedures
C. Part 1570--General Rules
1. Terms Used in This Subchapter (Sec. 1570.3)
2. Recognition of Prior or Established Security Measures or
Programs (Sec. 1570.7)
3. Submission and Approval (Sec. 1570.109)
4. Implementation Schedule (Sec. 1570.111)
5. Recordkeeping and Availability (Sec. 1570.121)
6. Security Coordinator (Sec. 1570.201)
7. Reporting Significant Security Concerns (Sec. 1570.203)
D. Subpart B--Security Programs
1. Security Training Program General Requirements (Sec. Sec.
1580.113, 1582.113, and 1584.113)
2. Security Training and Knowledge for Security-Sensitive
Employees (Sec. Sec. 1580.115, 1582.115, and 1584.115)
E. Freight Rail Specific Issues
1. Applicability of Security Training Requirements (Sec.
1580.101)
2. Chain of Custody and Control Requirements (Sec. 1580.205)
F. Public Transportation and Passenger Railroad Specific Issues
G. OTRB Specific Issues
1. Definition of Security-Sensitive Employees (Sec. 1584.3 and
Appendix B to Part 1584)
2. Applicability (Sec. 1584.101)
H. Comments Beyond Scope of Rulemaking
VIII. Rulemaking Analyses and Notices
A. Paperwork Reduction Act
B. Economic Impact Analyses
1. Regulatory Impact Analysis Summary
2. Executive Orders 12866, 13563, and 13711 Assessments
3. OMB A-4 Statement
4. Alternatives Considered
5. Regulatory Flexibility Assessment
6. International Trade Impact Assessment
7. Unfunded Mandates Assessment
C. Executive Order 13132, Federalism
D. Environmental Analysis
E. Energy Impact Analysis
I. Executive Summary and Background
A. Statutory Mandate
Following the attacks of September 11, 2001, Congress created TSA
under the Aviation and Transportation Security Act (ATSA) and
established the agency's primary Federal role to enhance security for
all modes of transportation.\2\ The scope of TSA's authority includes
assessing security risks, developing security measures to address
identified risks, and enforcing compliance with these measures.\3\ TSA
also has broad regulatory authority to issue, rescind, and revise
regulations as necessary to carry out its transportation security
functions.\4\
---------------------------------------------------------------------------
\2\ Public Law 107-71, 115 Stat. 597 (Nov. 19, 2001). ATSA
created TSA as a component of the Department of Transportation
(DOT). Section 403(2) of the Homeland Security Act of 2002 (HSA),
Public Law 107-296, 116 Stat. 2135 (Nov. 25, 2002), transferred all
functions related to transportation security, including those of the
Secretary of Transportation and the Under Secretary of
Transportation for Security, to the Secretary of Homeland Security.
Pursuant to DHS Delegation Number 7060.2, the Secretary delegated to
the Administrator, subject to the Secretary's guidance and control,
the authority vested in the Secretary with respect to TSA, including
the authority in sec. 403(2) of the HSA.
\3\ See 49 U.S.C. 114, which codified section 101 of ATSA.
\4\ 49 U.S.C. 114(l)(1).
---------------------------------------------------------------------------
As part of the Implementing Recommendations of the 9/11 Commission
Act of 2007 (9/11 Act),\5\ Congress mandated regulations to enhance
surface transportation security through security training of frontline
employees. The mandate includes prescriptive requirements for who must
be trained, what the training must encompass, and how to submit and
obtain approval for a training program.\6\ The 9/11 Act also mandates
regulations requiring higher-risk railroads and over-the-road buses
(OTRBs) to appoint security coordinators.\7\ In addition to
implementing these provisions, this final rule also addresses a mandate
to define Transportation Security-Sensitive Materials.\8\
---------------------------------------------------------------------------
\5\ Public Law 110-53, 121 Stat. 266 (Aug. 3, 2007).
\6\ See secs. 1408, 1517, and 1534 of the 9/11 Act, codified at
6 U.S.C. 1137, 1167, and 1184, respectively.
\7\ See secs. 1512 and 1531 of the 9/11 Act, codified at 6
U.S.C. 1162 and 1181, respectively. TSA addresses 1512(e)(1)(A) and
1531(e)(1)(A) in this rulemaking. TSA intends to address the other
regulatory requirements of these provisions in separate rulemakings.
\8\ See sec. 1501 of the 9/11 Act, codified at 6 U.S.C. 1151.
---------------------------------------------------------------------------
B. Benefits of Requiring Security Training
TSA is issuing this rule pursuant to its authority and
responsibility over the security of the nation's transportation
systems. TSA fulfills its transportation security mission in
partnership with its industry and government stakeholders. As noted in
the 2018 National Strategy for Counterterrorism in the United States:
The critical infrastructure of the United States--much of which
is privately owned--provides the essential goods and services that
drive American prosperity. Coordinated efforts are, therefore,
necessary to strengthen and maintain secure and resilient critical
infrastructure and to prepare Americans to respond appropriately
should an attack occur. By integrating and improving preparedness
across all levels of government as well as the private and public
sectors, we will stop terrorists from undermining our security and
prosperity.\9\
---------------------------------------------------------------------------
\9\ See The White House, National Strategy for Counterterorrism
in the United States, at 19 (Oct. 2018), available at https://www.dni.gov/files/NCTC/documents/news_documents/NSCT.pdf (last
accessed Nov. 26, 2018) (National Strategy).
Consistent with this strategy, the purpose of this rule is to
solidify the baseline of security for higher-risk surface
transportation operations by improving and sustaining the preparedness
of surface transportation employees in higher-risk operations,
including their critical capability to observe, assess, and respond to
security risks and potential security breaches within their unique
working environment. In developing this rulemaking, TSA recognizes
private sector capabilities, voluntary initiatives, and other Federal
requirements to raise security within distinct surface transportation
operations. By integrating these efforts, setting a national standard
for surface transportation employee security training, and ensuring
this training is sustained across higher-risk operations, this rule
promotes national security in alignment with the intent of the 9/11 Act
and the National Strategy.
The rule accomplishes this purpose by requiring higher-risk public
transportation systems, railroad carriers (passenger and freight), and
OTRB owner/operators to prepare and train their employees performing
security-sensitive job functions. Through security training, employees
will have the capability to identify, report, and appropriately react
to suspicious activity, suspicious items, dangerous substances, and
security incidents that may be associated with terrorist
reconnaissance, preparation, or action. TSA believes this training may
be the critical point for preventing a terrorist act and mitigating the
consequences.
In order to ensure effective communication regarding threats (both
to regulated parties and from regulated parties), TSA is also expanding
applicability of current requirements for rail operations to have
security coordinators and report security incidents to TSA. With this
rulemaking,
[[Page 16458]]
the applicability for this requirement is expanded to include any
owner/operator required to provide security training. Requiring higher-
risk owner/operators to have security coordinators and report
significant security concerns to TSA will enhance TSA's ability to
recognize trends and communicate directly with individuals within
higher-risk operations that have direct responsibility for security.
C. Costs of This Final Rule
Table 1 identifies TSA's estimates for the overall cost of this
rule.
Table 1--Cost of Final Rule
------------------------------------------------------------------------
Estimated costs (over 10
years, discounted at 7
percent)
------------------------------------------------------------------------
Freight Railroads......................... $25.09 million.
Public Transportation and Passenger 17.12 million.
Railroads (PTPRs).
OTRBs..................................... 8.06 million.
TSA....................................... 2.03 million.
-----------------------------
Total................................. 52.30 million.
------------------------------------------------------------------------
D. Organization of This Final Rule
Subchapter D of chapter XII of title 49, ``Maritime and Surface
Transportation Security'' \10\ (Subchapter D), includes security
program requirements for surface transportation, including the
requirements in this final rule. Before this final rule, Subchapter D
included requirements relevant to two vetting programs (the
Transportation Worker Identification Credential (TWIC) and Hazmat
Material Endorsement (HME), as well as certain rail security
requirements, including chain of custody for Rail Security-Sensitive
Materials (RSSM), appointment of security coordinators, and reporting
security issues.
---------------------------------------------------------------------------
\10\ TSA is modifying the title of this subchapter, changing it
from ``Maritime and Land Transportation Security'' to ``Maritime and
Surface Transportation Security.''
---------------------------------------------------------------------------
This final rule (1) adds requirements for security training for
certain surface transportation owner/operators; (2) expands
applicability of the security coordinator and reporting security issue
requirements to include higher-risk bus operations; and (3) adds other
miscellaneous provisions necessary for implementation of a new
regulatory program.
To incorporate these new elements, TSA is organizing Subchapter D
as follows.
Part 1570 is divided into four subparts: (1) Subpart A
includes requirements generally applicable to all aspects of subchapter
D; (2) subpart B includes security program requirements consistently
relevant to multiple modes; (3) subpart C includes operational
requirements consistently applicable to multiple modes; and (4) subpart
D moves and consolidates general provisions related to security threat
assessments (STAs) which are more specifically addressed in part 1572.
As noted below, mode-specific requirements are contained in subsequent
parts.
Part 1580 is modified to limit requirements applicable to
rail security. This part includes operational requirements unique to
freight railroads and rail hazardous materials shippers/receivers (such
as chain of custody) \11\ and modal-specific security training
requirements for freight railroads. The requirements for appointment of
security coordinators and reporting security issues are moved to part
1570 and several definitions are moved to part 1500.
---------------------------------------------------------------------------
\11\ See Rail Transportation Security Final Rule (Rail Security
Rule), 73 FR 72130, (Nov. 26, 2008).
---------------------------------------------------------------------------
Part 1582, a new part entitled ``Public Transportation and
Passenger Railroad Security,'' includes modal-specific security
training requirements for public transportation system and passenger
railroads (PTPR). The requirements for appointment of security
coordinators and reporting security issues applicable to PTPR rail
operations are moved to part 1570 and several definitions are moved to
part 1500.
Part 1584, a new part entitled, ``Highway and Motor
Carrier Security,'' includes modal-specific security training
requirements for OTRB owner/operators.
Owner/operators subject to the requirements of this final rule will
need to address the requirements in part 1570 as well as the
requirements applicable to their respective mode in parts 1582 through
1584. Sections II through IV, which follow, provide a comprehensive
discussion of these requirements as they will be implemented, rather
than a sequential section-by-section analysis. Section II addresses
general programmatic requirements, including: Applicability
determinations, which employees must be trained, content of training,
and the required training schedule. Section III discusses operational
requirements, such as the requirement for security coordinators and
reporting of security incidents. Section IV provides the procedural
requirements for submission and approval of a security training
program, amendments to the program, and recordkeeping requirements.
This section also includes a table that summarizes the compliance
deadlines owner/operators must meet. Section V discusses other
revisions to TSA's regulations that result from adding these new
requirements to Subchapter D.\12\
---------------------------------------------------------------------------
\12\ The discussion does not address provisions that are moved,
as discussed above, but not modified.
---------------------------------------------------------------------------
This final rule includes TSA's responses to comments received on
the NPRM. Section VI includes a chart summarizing the minimal changes
between the NPRM and final rule. Section VII provides TSA's responses
to comments on the NPRM.
Section VIII includes the rulemaking analysis and notices. This
analysis includes any changes in the impact estimates between the NPRM
and the final rule and the basis for those changes.
II. Security Program Requirements
A. Who must provide security training?
Consistent with TSA's commitment to a risk-based approach to
transportation security, the requirements of this rule only apply to
higher-risk operations. A higher-risk operation is one that meets the
criteria in Sec. Sec. 1580.101 (freight railroads), 1582.101 (PTPR),
and 1584.101 (OTRB). These criteria are used to identify operations
with a relatively higher-risk of being targeted or used by terrorists.
While there are approximately 10,000 surface transportation operations,
approximately 300 of them currently meet the criteria.\13\
---------------------------------------------------------------------------
\13\ A full discussion of TSA's analysis and considerations in
making its determination and developing the applicability criteria
can be found in the NPRM. See 81 FR at 91355 et seq. (section III.F.
of the NPRM).
---------------------------------------------------------------------------
While the requirements of this rule are limited to higher-risk
operations, TSA encourages all owner/operators to consider implementing
the security training program required by this rule, modified and
adapted to their operations, as appropriate. TSA will ensure resources
developed for regulated owner/operators, such as TSA-created training
materials, are available to owner/operators of non-higher-risk
operations who are committed to enhancing security through improving
the security awareness of employees.
TSA's applicability criteria for freight railroads, PTPR, OTRB, and
certain business operations are as follows.
1. Freight Railroads (Sec. 1580.101)
A freight railroad owner/operator must provide security training if
it is: (a)
[[Page 16459]]
Designated as Class I; \14\ (b) transports RSSM in one or more of the
areas listed in current Appendix A to 49 CFR part 1580; \15\ and/or (c)
hosts a higher-risk rail operation (including freight railroads and the
intercity or commuter systems identified in Sec. 1582.101). The
flowchart in Figure 1 summarizes when a freight railroad owner/operator
must provide security training and when this training is recommended by
TSA. TSA estimates the requirements of this rule currently apply to 33
freight railroads.
---------------------------------------------------------------------------
\14\ The Surface Transportation Board defines a Class I railroad
as one with annual operating revenue in excess of $447,621,226
(adjusted for inflation).
\15\ See Sec. 1580.3 for definition of RSSM.
[GRAPHIC] [TIFF OMITTED] TR23MR20.000
2. Public Transportation and Passenger Railroads (Sec. 1582.101)
A public transportation agency or passenger railroad must provide
security training if it is (a) one of the 46 identified PTPR systems
listed in 49 CFR part 1582, Appendix A; (b) Amtrak; or (c) hosts a
higher-risk freight railroad. DHS consistently identifies the eight
regions where the 46 systems operate as having the highest transit-
specific risk. Applying the rule's requirements to these systems
corresponds to providing enhanced security for more than 80 percent of
all PTPR passengers.
3. Over-the-Road Buses (Sec. 1584.101)
An OTRB owner/operator must provide security training if it
provides fixed-route service to, through, or from any of ten areas
identified in 49 CFR part 1584, Appendix A. These ten areas receive the
highest funding allocation under the FY 2018 Urban Area Security
Initiative (UASI) grant program (87 percent of the total available
funding).\16\ TSA estimates that this rule will apply to approximately
205 OTRB owner/operators.
---------------------------------------------------------------------------
\16\ UASI funds are allocated based on a risk methodology
employed by DHS and the Federal Emergency Management Agency (FEMA).
For the list of UASI allocations for the FY 2018 UASI grant program,
which is administered by FEMA as part of the larger Homeland
Security Grant Program, see the FY 2018 Homeland Security Grant
Program Notice of Funding Opportunity, Appendix A at https://www.fema.gov/media-library-data/1526578809767-7f08f471f36d22b2c0d8afb848048c96/FY_2018_HSGP_NOFO_FINAL_508.pdf.
---------------------------------------------------------------------------
The determining factor for whether a fixed-route OTRB owner/
operator is within the scope of the rule is not where they are
headquartered, but where they provide service. In deciding to rely on
where the owner/operator provides service, rather than corporate
headquarters locations, TSA considered factors that could make an OTRB
a potential target for a terrorist attack, including (1) its visibility
(the size of its operations); (2) the extent to which its schedule is
publicly available; (3) whether or not it is relatively easy for
unknown individuals to board the bus; (4) and whether the bus will have
ease of access to high-consequence locations.
TSA is aware that some private companies provide commuter services
that may trigger applicability of the rule. Figure 2 provides a
flowchart to assist companies with determining if the security training
requirements apply.
[[Page 16460]]
[GRAPHIC] [TIFF OMITTED] TR23MR20.001
4. Impact on Certain Business Operations
Parent corporations and subsidiaries. While the criteria for
higher-risk determinations presumes similarities for operations within
each mode,\17\ TSA recognizes there are other considerations that could
affect applicability, particularly related to subsidiaries. As
discussed in section III.F of the NPRM,\18\ TSA is limiting the
requirements to the level of the subsidiary whose operations fit the
applicability criteria identified in the rule.
---------------------------------------------------------------------------
\17\ See discussion on applicability at 81 FR 91355 et seq.
(sec. III.F. of NPRM).
\18\ 81 FR at 91355.
---------------------------------------------------------------------------
During the review and approval process of the security training
program, TSA will work with owner/operators to address any compliance
issues based on corporate structure. For example, owner/operator A may
be organized to make each regional area a separate subsidiary. As such,
only the subsidiary that meets the applicability requirements must
develop a security training program. Owner/operator B may be a single
entity for purposes of corporate-legal structure with branches, rather
than subsidiaries, providing service on specific routes. Under this
rule, the entire corporation is subject to the requirements based on
the operations of one route. In this situation, owner/operator B could
choose to submit a proposed alternative to limit application of the
requirements to branches and a handful of headquarters or other
regional employees that provide operational support. The submission
requirements and procedures for requesting alternative measures are
discussed in section IV.
Foreign owner/operators. While the applicability provisions for
security training do not specifically reference foreign owner/
operators, the requirements apply to employees performing a security-
sensitive function ``. . . in the United States or in direct support of
the common carriage of persons or property between a place in the
United States and any place outside the United States.'' Therefore, the
training requirements of this rule apply to both domestic owner/
operators and foreign owner/operators with employees performing covered
functions within the United States or in support of operations within
the United States. For example, the rule may apply to a Canadian OTRB
owner/operator offering fixed-route service that begins at a point in
Canada and transits through an area identified in part 1584, Appendix A
before concluding at a point in Mexico. Even if only one employee (for
example, the driver), performs a security-sensitive function while
physically in the United States, applicability is triggered by the
route. The Canadian OTRB owner/operator would be required to have a
security training program and provide the required training to the
driver and any other employee performing a security-sensitive function
that supports the operations transiting through higher-risk regions in
the United States (such as individuals providing maintenance or
inspection services and dispatch information applicable to the covered
route). Once applicability is triggered, it is irrelevant where the
OTRB owner/operator's company is located or where the function is being
performed (whether the employee is performing the security-sensitive
function at a location in Canada or along the route in the United
States).
In addition, while foreign owner/operators providing service in the
United States are required to have a security coordinator and
alternate, foreign owner/operators are only required to report
potential threats and significant security concerns for operations in
the United States or transportation to, from, or within the United
States. A similar requirement currently applies to foreign freight
railroad owner/operators under 49 CFR part 1580. This approach is also
consistent with that taken by the Federal Railroad Administration
(FRA).
Hosting relationships. TSA recognizes that joint operations are
common within the rail industry and include agreements
[[Page 16461]]
such as hosting. In a hosting relationship, the ``host railroad'' owns
the track and exercises operational control of the movement of trains
of other railroads (the ``tenant'' railroads) while they are using that
track.
Under this rule, both the host and tenant railroads are required to
have a training program that appropriately addresses the ramifications
of the hosting relationship. For example, the host railroad's training
program will need to address the operational considerations of the
hosting relationship, such as training dispatchers on their role and
responsibilities in halting the tenant railroad's operations over a
segment of track where there is a potential threat (such as a suspected
improvised explosive device (IED) or tampering with infrastructure).
Similarly, a tenant railroad subject to the security training
requirements of 49 CFR part 1582 (PTPR), will need to address the
operational considerations of the hosting relationship, such as
instructing its train and engine employees on the proper communication
procedures to follow when a potential threat is identified. Under
either example, the host and tenant railroad owner/operators are only
responsible for training their own employees.
Contracted services. Contracted services may involve joint
operation pursuant to specific terms, but are different from hosting
relationships. For example, some commuter passenger train services are
owned by public transportation agencies, but the agency has a contract
with a private company (such as a freight railroad) to operate the
train. This is not a hosting relationship.
When inspecting compliance by participants in this type of a
contracted services agreement, TSA will consider the freight railroad
carrier (the private company/contractor) to be an authorized
representative of the PTPR owner/operator (the owner/operator of the
passenger train service). TSA will hold the PTPR owner/operator
primarily responsible for compliance and for ensuring that all
security-sensitive employees receive the required training, whether
they are employed directly by the PTPR owner/operator or contractor.
The PTPR owner/operator must train the freight railroad carrier's
employees performing security-sensitive functions related to the
passenger train service.
To the extent the contract between the PTPR owner/operator and the
freight railroad includes a provision for the freight railroad to train
its own employees, the passenger operation is responsible for
documenting satisfaction of the training requirements within its TSA-
approved-security training program. TSA will expect the passenger
operation to clearly state in its security training program, as part of
the submission process under 49 CFR 1570.109, that the freight railroad
carrier will conduct the training and provide the required information
on that training.
Regardless of how the parties define who will do what, TSA has
authority to inspect both parties' operations for compliance. The
regulated party is primarily responsible, but TSA has authority to
initiate enforcement actions for non-compliance against either party
based upon a fact-specific determination. While TSA historically
initiates enforcement actions against the regulated entity, we have
begun to look more closely at authorized representative/contractual
relationships in our effort to address the root cause of noncompliance.
B. Who is responsible for determining whether a specific owner/operator
is subject to the requirements of the rule (applicability
determinations)? (Sec. 1570.105)
Owner/operators are required to use the criteria in 49 CFR parts
1580, 1582, and 1584 (contained in a subpart B to each part) to
determine whether their operations are higher-risk. If the operations
meet the criteria, the requirements of this rule apply. Under Sec.
1570.105(a), owner/operators must notify TSA within 30 days of the
effective date of this final rule if they meet the criteria for
applicability. This obligation also applies to new and modified
operations (commencing after publication of the final rule). Under
Sec. 1570.105(b), owner/operators must notify TSA no later than 90
calendar days before commencing operations or implementing
modifications triggering applicability of the requirements.
While the rule requires owner/operators to determine whether the
criteria apply, TSA is aware of the operations that are likely to be
within the scope of applicability. TSA may initiate a compliance
investigation if an owner/operator fails to self-identify within the
required period.
To mitigate the likelihood of an owner/operator failing to comply
based upon lack of recognition of the applicability for these
requirements, TSA will use a variety of communication strategies to
notify regulated parties that are likely to meet the applicability
criteria. For example, TSA will use email to immediately notify its key
stakeholder points of contact regarding publication of this final rule.
In addition to these established information sharing mechanisms, TSA
also conducts regular calls, workshops, and meetings with major
industry partners and trade associations. TSA's surface representatives
also work closely with surface-system owner/operators during industry-
led security work groups, conferences, roundtables, and other sector-
specific government coordination meetings. TSA plans to use all of
these mechanisms to notify relevant industry partners of the new
requirements.
C. Which employees must receive security training? (Sec. Sec.
1580.115(a), 1582.115(a) and 1584.115(a))
Any owner/operator required to have a security training program
under Sec. Sec. 1580.101, 1582.101, or 1584.101, must provide security
training to all security-sensitive employees. Security-sensitive
employees include any direct employee, contractor, employee of a
contractor, or other authorized person who is compensated for
performing a security-sensitive function on behalf of or for the
benefit of the owner/operator.\19\ For example, if an OTRB owner/
operator does not employ any drivers directly, but uses drivers under
contract, these drivers will need to be trained. Similarly, if an
owner/operator has chosen to combine dispatch services with any
affiliates of its parent corporation, the owner/operator required to
provide security training to its direct employees will also be required
to provide security training to any dispatchers providing services for
its fleet.
---------------------------------------------------------------------------
\19\ See Sec. 1570.3 for the definition of an ``employee.''
---------------------------------------------------------------------------
D. How does an owner/operator determine if someone is a security-
sensitive employee? (Sec. Sec. 1580.3, 1582.3, and 1584.3)
Definitions of mode-specific ``security-sensitive employees'' are
included in Sec. Sec. 1580.3 (freight rail), 1582.3 (PTPR), and 1584.3
(OTRB), with additional detail regarding job functions provided in
mode-specific tables published as appendices to parts 1580,\20\ 1582,
and 1584. As discussed in section III.E. of the NPRM, ``security-
sensitive employees'' are individuals who perform functions with a
direct nexus to, or impact on, transportation
[[Page 16462]]
security.\21\ These functions fall into the following categories: (1)
Operating a vehicle; inspecting and maintaining vehicles; (2)
inspecting or maintaining building or transportation infrastructure;
(3) controlling dispatch or movement of vehicles; (4) providing
security of the owner/operator's equipment and property; (5) loading or
unloading cargo or baggage; (6) interacting with travelling public (on
board a vehicle or within a transportation facility); and (7) complying
with security programs or measures, including those required by Federal
law (a catch-all category that includes a small number of employees
such as security coordinators and any other individuals who may have
responsibility for carrying out aspects of the owner/operator's
security program or other security measures who are not otherwise
identified in the previous categories).
---------------------------------------------------------------------------
\20\ The table in part 1580 Appendix B is unique in that it
includes examples of the job titles related to these functions based
on historic use of these terms for railroads. The job titles,
however, are provided solely as a resource to help understand the
functions described; whether an employee must be trained is based
upon the function, not the job title.
\21\ See 81 FR at 91353 et seq. for more information on how TSA
identifies these employees and how the chosen functions align with
requirements in the 9/11 Act.
---------------------------------------------------------------------------
The requirements also apply to managers, supervisors, or others who
perform a security-sensitive function or who so directly supervise the
performance of such a function that their nexus is equivalent to the
security-sensitive employee.\22\ For example, a yardmaster in freight
railroad operations is considered a security-sensitive employee because
he or she directs security-sensitive functions, even if not in the
direct management chain of all individuals performing these functions.
At the same time, individuals within a corporate structure who neither
perform a security-sensitive function nor have direct management
responsibilities over individuals who do are unlikely to have a
position within the corporation with a significant nexus to the
transportation operations of the business (such as accounting
functions). To the extent there are such individuals in the management
structure, they will not be considered ``security-sensitive''
employees.
---------------------------------------------------------------------------
\22\ The definition of ``employee,'' which is in Sec. 1570.3,
includes immediate supervisors.
---------------------------------------------------------------------------
In some circumstances, security-sensitive functions may be
performed by individuals not within the definition of ``employee.'' For
example, police officers employed by a local law enforcement agency may
be routinely patrolling the owner/operator's premises and/or
operations, but do not work directly for, or under contract to, the
owner/operator. Owner/operators are not required to provide training to
these individuals. To the extent, however, these individuals work in
the same environment as security-sensitive employees, TSA encourages
owner/operators to make their training materials and sessions
available. Providing awareness of training content to local law
enforcement personnel regularly assigned to patrols at locations where
security-sensitive employees work can enhance communication and
cooperation in response to potential threats or actual terrorist-
related incidents.
The law enforcement agency or personnel may be considered security-
sensitive employees of the owner/operator if, for example, there is a
contractual relationship for the law enforcement agency to provide
services to the owner/operator and the law enforcement officer is
assigned to that location by the owner/operator. Similarly, where the
owner/operator has a dedicated police or security force who are
employees of the owner/operator, these individuals are security-
sensitive employees who must be trained under this rule.
TSA encourages owner/operators to consider other employees within
their corporate structure or business operations who may not be
performing a security-sensitive function as identified in the rule, but
who could provide an additional layer of security if they received
security training. Furthermore, if an owner/operator identifies
positions or functions not listed by TSA as security-sensitive, but
which have the nexus to transportation security that is intended to be
covered by the rule, TSA encourages the owner/operator to identify and
include these employees within its security training program.
E. Can untrained security-sensitive employees perform security-
sensitive functions? (Sec. Sec. 1580.115(b), 1582.115(b), and
1584.115(b))
If a security-sensitive employee does not receive the required
security training, this employee is prohibited from performing a
security-sensitive function without the direct supervision of an
employee who has met the training requirements applicable to that
security-sensitive function. While TSA is not defining ``direct,'' TSA
expects the supervisor to be located in reasonable proximity to the
employee to supervise actions and provide the necessary level of
security awareness and response capabilities.
Furthermore, even if an employee is directly supervised, TSA
imposes a 60-day limit for the amount of time that an employee may
perform a security-sensitive function without completing the required
training. After 60 days, the rule requires the owner/operator to remove
the employee from a security-sensitive function. This requirement does
not affect the owner/operators' discretion to reassign the individual
to other non-security-sensitive job functions.
F. What topics must be included in the security training? (Sec. Sec.
1580.115(c)-(f), 1582.115(c)-(f), and 1584.115(c)-(f))
TSA is requiring a training program that focuses on the specific
knowledge provided to security-sensitive employees related to
preparedness, observation, assessment and response. As a key aspect of
security awareness is the ability to detect anomalies in the operating
environment, the rule affords flexibility for owner/operators to
develop and implement a program that addresses the above-required
components in the context of their unique operational environments.
The ``prepare'' category addresses training on discharging any
security responsibilities that security-sensitive employees may have
under an owner/operator's existing security plan or security measure.
This rule does not require any owner/operator to adopt or implement a
security plan or measures, but TSA is aware that many owner/operators
have security plans or measures implemented to comply with Federal
requirements, to qualify for Federal grants, or as the result of
voluntary initiatives. To the extent these plans or procedures exist,
employees must be trained in order to ensure they are effective.
Similar to the threat and incident prevention and response training,
this portion of the training program will need to be tailored to the
specific operation.
The ``prepare'' element provides multiple benefits to
transportation security and to owner/operators. First, the requirement
recognizes that the time when a crisis is occurring is not the time to
provide training on how to implement crisis-response measures.
Employees need to be prepared in advance, especially if they have
responsibilities related to responding to a terrorist incident in order
to mitigate the consequences. Second, this training element ensures
that training conducted under this rule meets all of the requirements
for security training required for ``hazmat employees'' under 49 CFR
172.704(a)(5).\23\ Third, this
[[Page 16463]]
element also captures specific training for freight railroads related
to the requirements in Sec. 1580.115(c) for chain of custody and
control requirements, ensuring appropriate procedures are followed to
comply with the security requirements in subpart C to part 1580 (which
contains the requirements moved from Sec. Sec. 1580.103 and 1580.107
as a result of this rulemaking).
---------------------------------------------------------------------------
\23\ An analysis of the relationship between the Pipeline and
Hazardous Materials Safety Administration (PHMSA) required training
and the training provided by this final rule can be found in Diagram
B of the NPRM. See 81 FR at 91364. The relation with other training
is also discussed in section II.H. and I. of this preamble.
---------------------------------------------------------------------------
Finally, the ``prepare'' category captures training that may vary
based on the specific nature of an employee's responsibilities. For
example, appropriate methods of self-defense may vary based upon an
employee's job and extent to which he or she interacts with the public.
Similarly, an employee's need to be trained in how to operate and
maintain security equipment may be dictated by the employee's
responsibilities. Within this category, owner/operators have some
flexibility to shape the training to be appropriate for their specific
employees and operations. This flexibility allows owner/operators to
avoid situations where employees are required to sit through training
completely irrelevant to their roles and responsibilities.
TSA intends for the training required in the Observe, Assess, and
Respond categories to be relevant to all employees, regardless of their
job functions. Training in security awareness and behavior recognition
is appropriate for all employees and TSA believes there should be a
common level of proficiency on these issues among security-sensitive
employees of the owner/operators.
The ``observe'' category is intended to provide knowledge to
increase a security-sensitive employee's observational skills. In
general, this training focuses on recognizing the difference between
what is normal for the operational environment and abnormalities that
could indicate terrorist planning or imminent attack. Training
delivered should teach the employees that suspicious activity is a
combination of actions and individual behaviors that appear strange,
inconsistent, or out of the ordinary for the employee's work
environment. In most instances, it will not be a single factor, but a
combination of factors taking place at a particular time and place,
that will accurately identify a suspicious individual or act.
The ``assess'' category requires providing knowledge of how to
determine the most appropriate response to what is observed. For
example, does the incident require a response and, if so, what is the
appropriate response?
The ``respond'' category includes training on security incident
responses--including how to appropriately report a security threat,
interact with the public and first responders at the scene of a threat
or incident, applicable uses of self-defense devices or protective
equipment, and communication with passengers. In addition to meeting
training requirements enumerated in the 9/11 Act,\24\ this category is
intended to provide elements of security awareness training required by
49 CFR 172.704(a)(4). To the extent owner/operators need to provide
training on specific self-defense devices or protective equipment, TSA
has not calculated these costs. Such training is not a cost of this
rule based on an assumption that training on the use of self-defense
devices and equipment is a standard part of any operation before
providing such devices or equipment to individuals.
---------------------------------------------------------------------------
\24\ Diagram B in the NPRM, Development Considerations for
Requirements in Sec. Sec. 1580.113, 1582.113, and 1584.11, provides
an analysis of the 9/11 Act's requirements and other considerations
incorporated into the four categories of training required by this
rule. See 81 FR at 91364.
---------------------------------------------------------------------------
TSA recognizes that owner/operators may choose, or have chosen, to
integrate varying levels of training into their security training
programs, such as for particular categories of employees or job
functions, to meet the objectives of their overall security program or
plan. As noted in section I, TSA intends for this rule to establish and
solidify the baseline of security for higher-risk surface
transportation operations. To the extent an owner/operator has a
program that goes beyond the required baseline, TSA encourages
continuation of these efforts as long as the owner/operator can meet
the minimum training required by this rule for all security-sensitive
employees.
G. Who will provide the security training curriculum? (Sec. Sec.
1580.113, 1582.113, and 1584.113)?
Owner/operators are required to train security-sensitive employees
using curriculum approved by TSA. TSA assumes that many of the owner/
operators required to provide security training under this rule already
have training programs in place that may substantially comply with the
rule's requirements. This assumption is based on TSA's involvement in
allocations of grant funding to owner/operators for the development of
security training materials, funded through various DHS-grant program
appropriations, as well as a comprehensive review of available training
materials to determine whether they meet the standards and criteria
required by the 9/11 Act. This assumption is also bolstered by certain
industry responses to TSA's Notice published in 2013 in which TSA
sought public comment and data on current security training
practices.\25\
---------------------------------------------------------------------------
\25\ See Request for Comments on Security Training Programs for
Surface Mode Employees, 78 FR 35945, 35948 (June 14, 2013)
(discussion on grant-funded training programs under ``Relation to
Other Training Programs''). TSA summarizes the response to the 2013
Notice in this final rule's RIA, Section 1.5. TSA explains in
Sections 1.8.2. and 1.8.3. of the RIA how it used information from
the responses to the 2013 Notice to assess the level of training in
the baseline for PTPR and OTRB owner/operators, respectively.
---------------------------------------------------------------------------
TSA is committed to mitigating the costs of training for all owner/
operators through several initiatives. For example, TSA has, and will
continue, to identify existing training materials that address the
curriculum content requirements identified in the rule and will make
this information available to regulated parties.\26\ TSA is also
developing training materials that meet specific training requirements
in this rule. TSA will notify regulated parties as the relevant
training materials are completed.
---------------------------------------------------------------------------
\26\ See, e.g., Example of Security Training Matrix (TSA-2013-
0005-0084) available in the docket to this rulemaking at
www.regulations.gov.
---------------------------------------------------------------------------
H. Can owner/operators use pre-existing material or other third-party
material? (Sec. 1570.103)
This rule does not require the owner/operator to create their own
material or impose limits on the use of third-party material. If,
however, owner/operators choose to rely on previously prepared training
material, including material developed to satisfy other regulatory
requirements, or third-party material, they must incorporate that
material into an appendix to their security training program and
reference that appendix in the corresponding portions of their security
program, as discussed below.
I. How do these requirements relate to other security training required
by other Federal or State agencies? (Sec. Sec. 1580.115(c),
1582.115(c), and 1584.115(c))
TSA recognizes that many owner/operators covered by this rule are
subject to training requirements under regulations of the Department of
Transportation (DOT) that overlap with the training content required in
the 9/11 Act.\27\ TSA does not expect owner/operators to duplicate
training. To the extent that an owner/operator intends to use existing
training programs
[[Page 16464]]
implemented to comply with other Federal requirements or other
standards in order to satisfy some or all of the requirements of this
rule, the program submitted to TSA for approval must identify how the
owner/operators intends to use the other training to satisfy TSA's
requirements, such as the curriculum or lesson plan for that program.
TSA intends to maintain an iterative list available to regulated owner/
operators of training programs that have been approved by TSA for use
in meeting this rule's requirements.
---------------------------------------------------------------------------
\27\ See sections III.G.5 and I of NPRM for a discussion of
other related training. 81 FR at 91361-91362 and 91364 et seq.
---------------------------------------------------------------------------
Paragraph (c)(2) requires an index to be provided if the owner/
operator chooses to submit all or part of an existing security training
program to TSA for approval. The index must be organized in the same
sequence as the content requirements in Sec. Sec. 1580.115, 1582.115,
and 1584.115. Indexing is a necessary requirement if TSA is to provide
flexibility for owner/operators to use existing training programs to
satisfy this rule. TSA may request additional information on the
program through the review and approval process.
J. What is the required schedule for providing training? (Sec.
1570.111)
1. Initial Training (Sec. 1570.111(a))
Current employees must be trained within one year of TSA's approval
of the security training program. Initial training for new employees or
those transitioning to a covered job function (as identified in
Appendix B to parts 1580 (freight rail), 1582 (PTPR), and 1584 (OTRB)),
must occur within the first 60 days of the date an employee begins to
perform a security-sensitive function. In general, this means that an
employee must be trained within 60 days of starting in a permanent-
employment position that may require performance of a security-
sensitive function, whether full or part-time.\28\
---------------------------------------------------------------------------
\28\ These deadlines are set by secs. 1408(d)(3), 1517(d)(3),
1534(d)3 of the 9/11 Act, codified at 6 U.S.C. 1137, 1167, and 1184.
---------------------------------------------------------------------------
Section 1570.111(a)(3) addresses non-permanent employees. Non-
permanent employees must receive training within 60 calendar days after
employment that meets the definition of a security-sensitive employee.
If an individual is employed on an intermittent or non-permanent basis,
such as a contractor hired to perform a security-sensitive function for
short durations, then the training must take place before the
individual's aggregated length of employment by the owner/operator
equals 60 calendar days within a consecutive twelve-month period.
Training is not required if an individual is employed to perform a
security-sensitive function one time for less than 60 days. Training is
required if an individual performs a security-sensitive function for
short but repeated durations and the aggregated period of time equals
60 days. TSA recognizes that some owner/operators may choose to train
all regular contractors or other individuals employed for short but
regular durations rather than having to monitor aggregated days of
employment.
In meeting the initial training schedule, TSA expects that many
owner/operators will rely on the provisions in Sec. 1570.107, which
provide standards for accepting previous training. TSA may allow
``training credit'' to be given for employees who received equivalent
security training within one year before the rule's effective date.
This training credit may include the following:
Training on emergency preparedness plans that railroads
connected with the operation of passenger trains must implement to
address subjects such as communication, employee training and
qualification, joint operations, tunnel safety, liaison with emergency
responders, on-board emergency equipment, and passenger safety
information.
Training on policies that public transportation agencies
implement to ensure safety promotion to support the execution of the
Public Transportation Agency Safety Plan required under 49 CFR part 673
for all employees, agents, and contractors of any State, local
government authority, or other operator of a public transportation
system that receives Federal financial assistance under 49 U.S.C.
Chapter 53.
Training provided through funds granted under the Transit
Security Grant Program or other grant programs.
The recordkeeping provisions, discussed below, require an owner/
operator to provide current and former employees with documentation
upon request of any training completed to meet the requirements of this
rule. Options for compliance with this requirement could include
providing employees with certificates to validate completed training.
Providing employees with documentation of training is particularly
relevant for operations such as those in the OTRB industry, where
employees (for example, commercial drivers) may work for multiple
owner/operators. If an owner/operator can validate an employee has
received the required training within the specified timeframe, the
training does not need to be repeated. Because of its obligation to
ensure all training requirements are met, the current owner/operator is
responsible for ensuring that any previous training courses satisfy the
rule's requirements and documenting that the training was received
within the required timeframe.
Finally, there may be situations where ``dual-hatted'' or other
specific-function employees are required to receive security training
from other sources as part of their jobs, such as railroad police
officers employed by the owner/operator. As indicated above, it is the
obligation of the owner/operator to ensure and document the training,
including training received under these circumstances.
2. Recurrent Training (Sec. 1570.111(b))
TSA believes regular recurrent training is essential for
transportation employees to maintain a high level of awareness and
competency. To ensure this need is met, this rule requires owner/
operators to provide the TSA-approved security training curriculum to
their security-sensitive employees at least once every three years.
This frequency is consistent with the requirements for security
training imposed by the Pipeline and Hazardous Material Safety
Administration (PHMSA) for hazardous materials employees under 49 CFR
part 172.
In addition, consistent with 49 CFR 172.704, if the owner/operator
modifies a security program or security plan for which training is
required under this rule, the owner/operator must ensure that each
security-sensitive employee with position- or function-specific
responsibilities related to the revised plan or program changes
receives training on the revisions within 90 days of implementation of
the revised plan or program changes. This requirement ensures employees
responsible for implementing the security program or plan will be
trained in a timely manner concerning any changes or revisions to the
security plan or program as necessary to reflect changes in security
affecting their specific operating environment or the surface
transportation system.
3. Previous Training (Sec. 1570.107)
While there is no specific requirement in the 9/11 Act for TSA to
allow use of existing training programs to satisfy the security
training regulatory requirements, this rule provides an opportunity for
owner/operators to seek recognition of previously provided training.
Under Sec. 1570.107, an owner/operator may rely on previous training
that occurred within the identified periods for initial or recurrent
training.
[[Page 16465]]
In order to use previous training, the owner/operator must validate
that the previous training satisfies the requirements of this rule (for
example, reviewing records of training and curriculum), is relevant to
the employee's job function, and appropriate for owner/operator's
operations. As part of its inspection and compliance authority, TSA may
require the owner/operator to provide the documentation used to
determine the previous training met the requirements of this rule.
K. Do employees have to pass a test? ((Sec. Sec. 1580.113(b)(9),
1582.113(b)(9), and 1584.113(b)(9))
TSA is not requiring security training programs to include employee
testing, with prescribed pass/fail rates. The security training
programs submitted to TSA, however, must include how the owner/operator
will measure the effectiveness of the training program. TSA will afford
flexibility to each individual owner/operator to identify measures for
determining the effectiveness of their security training program using
methods and criteria appropriate for their operations. For example, TSA
expects that some owner/operators will choose to administer a written
test or evaluation to gauge their employees' level of knowledge in
order to assess the overall effectiveness of training, while others may
rely upon operational tests conducted by supervisors to determine
whether employees are being trained effectively. Some may use the
results of drills and exercises to measure effectiveness and identify
areas where modifications are needed.
Similarly, TSA is not prescribing conditions for a pass/fail policy
that may be associated with post-training testing. While individual
companies may elect to enforce pass/fail criteria with associated
personnel actions, TSA is neither requiring nor recommending a
specified maximum number of times that an individual may take a test or
evaluation to demonstrate knowledge and competency. As previously
noted, however, the methods submitted by an owner/operator for
determining training efficacy may affect TSA's approval of any
alternative measures for compliance. In reviewing security training
programs, TSA's focus is on whether the program includes measures for
the effectiveness of the training program, not an individual employee's
performance.
III. Operational Requirements (Subpart D)
TSA requires freight and passenger railroad carriers, rail transit
systems, rail hazardous materials shippers, and certain rail hazardous
materials receivers, to appoint ``rail security coordinators'' \29\
(RSCs) and report significant security concerns to TSA.\30\ The RSCs
are security liaisons to TSA, providing a single point of contact for
receiving communications and inquiries from TSA concerning threat
information or security procedures, and coordinating responses with
appropriate law enforcement and emergency response agencies. This
information, reported to TSA from the frontline of rail operations, is
consolidated and analyzed by TSA to identify developing threats and
trend analysis.
---------------------------------------------------------------------------
\29\ These requirements were promulgated in 2008, see supra n.
8, codified at 49 CFR 1580.101 and 1580.201 (before changes made by
this rule).
\30\ See id. at 49 CFR 1580.105 and 1580.203 (before changes
made by this rule).
---------------------------------------------------------------------------
TSA is expanding applicability of these requirements to the owner/
operators subject to the security training requirements. As a result,
the scope of the requirement applies to:
All rail operations subject to the security coordinator
and reporting requirements under previous 1580.101, 1580.105, 1580.201,
and 1580.203 (now located in sections 1570.201 and 1570.203);
Any bus operations of a public transportation owner/
operator required to provide security training under this rule; and
Any OTRB owner/operator required to provide security
training under this rule.\31\
---------------------------------------------------------------------------
\31\ As previously noted, TSA currently requires security
coordinators for rail operations, including freight railroads,
passenger railroads, and public transportation rail operations. In
addition to mandating security coordinators for railroads, the 9/11
Act also requires security coordinators for bus operations. See 9/11
Act sec. 1531, codified at 6 U.S.C. 1181(e)(1)(A) (``Identification
of a security coordinator having authority--(i) to implement
security actions under the plan; (ii) to coordinate security
improvements; (iii) to receive immediate communications from
appropriate Federal officials regarding over-the-road bus
security''). See 9/11 Act sec. 1512, codified at 6 U.S.C.
1162(e)(1)(A). For a similar provision applicable to railroads.
Consistent with this mandate, TSA is extending the requirement to
appoint a primary and at least one alternate security coordinator
for OTRB companies and bus operations of PTPR owner/operators
identified as higher-risk through this rulemaking. This will have a
limited impact on the PTPR mode as most public transportation bus
agencies covered by this rule are part of a larger system that is
already required to have a security coordinator under current 49 CFR
part 1580. See sec. III.D.4 of the NPRM for more discussion
regarding the security coordinator and reporting requirements (81 FR
at 91350 et seq.).
---------------------------------------------------------------------------
As proposed in the NPRM, the rule text for applicability of the
security coordinator requirements erroneously included all bus-only
public transportation systems, TSA intended, however, to limit
applicability to the bus-only public transportation systems within the
scope of the security training requirements, that is, the higher-risk
bus-only systems.\32\ To be consistent with TSA's intent as explained
above and in the preamble of the NPRM, TSA is clarifying the
requirement in the final rule text.
---------------------------------------------------------------------------
\32\ See 81 FR at 91350: ``Because of the benefits of [the
security coordinator and reporting requirements] to transportation
security, TSA is proposing to extend these requirements to the modes
of transportation covered by this proposed rule that are not
currently subject to the requirements of 49 CFR part 1580. . . . TSA
proposes to extend the requirement to appoint a primary and at least
one alternate security coordinator for OTRB companies and the bus
operations of PTPR owner/operators (with a limited impact as most
public transportation bus agencies are part of a larger system that
is required to have a security coordinator under current 49 CFR part
1580).''
---------------------------------------------------------------------------
Table 2 compares applicability scope of the previous requirement
with the expanded applicability. The cost estimate for this requirement
in the NPRM is consistent with TSA's intent and the corrected rule
text.
Table 2--Comparison of Applicability for Security Coordinator and
Reporting Requirements
------------------------------------------------------------------------
Previous Sec.
Sec. New Sec.
1580.101/103 Sec.
and 1580.201/ 1570.201/203
203
------------------------------------------------------------------------
Freight railroad carriers............... X X
Rail hazardous materials shippers....... X X
Rail hazardous materials receivers in X X
High Threat Urban Areas (HTUAs)........
Owner/operators of private rail cars*... X X
Railroads hosting freight or PTPR rail X X
operations.............................
[[Page 16466]]
PTPR operating rail transit systems on X X
general railroad system, intercity
passenger train service, and commuter
train services.........................
PTPR operating rail transit systems not X X
part of general railroad system........
PTPR operating bus transit or commuter .............. X
bus systems in designated areas........
Tourist, scenic, historic, and excursion X X
rail owner/operators*..................
OTRB owner/operators providing fixed- .............. X
route service in designated areas......
------------------------------------------------------------------------
* Security Coordinator only required if notified by TSA in writing that
a threat exists. Requirement to report significant security concerns
always applies.
A. Security Coordinator Requirements (Sec. 1570.201)
Security coordinators are a vital part of transportation security,
providing TSA and other government agencies with an identified point of
contact with access to company leadership and knowledge of the owner/
operators' operations, in the event it is necessary to convey extremely
time-sensitive information about threats or security procedures to an
owner/operator, particularly in situations requiring frequent
information updates. The security coordinator and alternate provide TSA
with a contact in a position to understand security problems;
immediately raise issues with, or transmit information to, corporate or
system leadership; and help recognize when emergency response action is
appropriate. The individuals must be accessible to TSA 24 hours per
day, 7 days per week.
The rule does not change the expectation that the security
coordinator and alternate be appointed at the headquarters level. Nor
does the rule require the security coordinator or alternate to be a
dedicated position who has no other primary or additional duties. As
with the previous part 1580 requirements, TSA's primary concern is
having a designated point of contact available to TSA at all times.
The rule also requires the owner/operator to submit contact
information for both the security coordinator and alternate and to
update this information within 7 days if it changes. As previously
noted, this is not a new requirement for owner/operators of railroads,
including the rail transit operations of PTPR owner/operators. If an
owner/operator subject to this rule has provided current information
for primary and alternate RSCs to TSA, it will not have to take further
action to meet the requirement.\33\ TSA assumes this is true for
passenger rail carriers, freight railroad carriers, and rail transit
systems operated by public transportation agencies. Owner/operators
required to appoint security coordinators for the first time under this
rule must provide this information to TSA by July 29, 2020. TSA will
also use this contact for communications related to requirements in
this rule.
---------------------------------------------------------------------------
\33\ Any changes to the information must, as previously
required, be reported within seven calendar days of the change
taking effect.
---------------------------------------------------------------------------
B. Requirement To Report Security Concerns (Sec. 1570.203)
As with the security coordinator requirement, TSA is moving and
consolidating the requirement to report security concerns from part
1580 into Sec. 1570.203 and extending it to higher-risk bus
operations.\34\ The list of reportable incidents can be found in
Appendix A to part 1570 and includes not only a list of incidents, but
descriptions and examples to assist regulated parties in making a
determination of whether an incident must be reported based on its
similarity to one of the examples.
---------------------------------------------------------------------------
\34\ This extension is within TSA's discretion to require other
actions or procedures determined to be appropriate to address the
security of public transportation and OTRB operations. See 9/11 Act
sections. 1405(c)(2)(I) and 1531(e)(1)(H), as codified at 6 U.S.C.
1134 and 1181, respectively.
---------------------------------------------------------------------------
This list of reportable significant security concerns is consistent
with the Nationwide Suspicious Activity Reporting (SAR) Initiative
(NSI). The NSI is a partnership between Federal, State, local, tribal,
and territorial law enforcement that ``establishes a national capacity
for gathering, documenting, processing, analyzing and sharing SAR
information . . . in a manner that rigorously protects the privacy and
civil liberties of Americans.'' \35\ The NSI defines ``suspicious
activity'' as ``observed behavior reasonably indicative of pre-
operational planning associated with terrorism or other criminal
activity.'' \36\ The standardized approach among law enforcement
officers and security officials with surface transportation entities
produces more informative reports that can, more effectively, focus
investigative efforts and intelligence analysis for potential trends
and indicators of terrorism-related activity.
---------------------------------------------------------------------------
\35\ See Nationwide SAR Initiative (NSI), ``About the NSI''
(accessed Nov. 3, 2016), available at http://nsi.ncirc.gov/about_nsi.aspx.
\36\ Id.
---------------------------------------------------------------------------
Finally, consistent with TSA's purpose in requiring submission of
the information, the rule requires notification within 24-hours of the
initial discovery of the incident by the owner/operator (see 49 CFR
1570.203(a)).\37\ This schedule will enable TSA to obtain timely
information, without undermining the ability of the owner/operator to
appropriately handle a situation. If there is an immediate threat,
owner/operators and/or their employees should prioritize notifying and
working with first responders. The notification to TSA should occur
after the immediate crisis is addressed, but within a timeframe that
allows TSA to assess and share timely information.
---------------------------------------------------------------------------
\37\ This change to reporting is a modification from the
requirement as promulgated in the Rail Security Rule, which required
immediate reporting.
---------------------------------------------------------------------------
For purposes of this requirement, the clock ``starts running'' when
the owner/operator becomes aware of the incident. Awareness of the
owner/operator includes awareness of (or discovery by) employees of the
owner/operator.\38\ TSA recognizes that local law enforcement do not
always immediately notify owner/operators when there is a security-
related incident on the owner/operator's property or affecting their
operations.
---------------------------------------------------------------------------
\38\ One of the required training elements includes how to
appropriately report security issues.
---------------------------------------------------------------------------
C. Methods for Reporting Information and Substance of Information
Provided (Sec. 1570.203 (a) and (c))
As previously noted, TSA has almost a decade of experience with
incidents reported by railroads. Based on this experience, TSA
recognizes that its ability to analyze the data and improve
[[Page 16467]]
the quality of information disseminated back to its stakeholders is
proportional to the quality of information it receives. Section
1570.203(b) is consistent with the reporting requirements as
promulgated in 2008, which reflected the need for detailed and verified
information from individual owner/operators to enhance TSA's ability to
provide timely and useful information products to all of the relevant
stakeholders.
TSA is working on two initiatives that should assist owner/
operators with reporting information. The first is to pilot an
electronic reporting option for significant security concerns.\39\ If
made a permanent capability, TSA intends to develop an online form that
owner/operators, or their designated employees, may use to submit
information to TSA to meet the requirements of this rule. If the pilot
succeeds, TSA may pursue a second initiative to provide an electronic
reporting form on a secure website. TSA will provide updates on
development of these capabilities to owner/operators through the
designated security coordinators as well as appropriate notices in the
Federal Register. Pending completion of these capabilities owner/
operators and their designated employees are generally required to meet
the requirements of this section by contacting the Transportation
Security Operations Center at 1-866-615-5150. There is an exception for
owner/operators participating in the pilot to report electronically.
---------------------------------------------------------------------------
\39\ See OMB Control No. 1652-0051, 30-Day Notice: Revision of
Agency Information Collection Activity Under OMB Review: Rail
Transportation Security, 83 FR 40542 (Aug. 15, 2018), and related
supporting statement available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=201809-1652-002.
---------------------------------------------------------------------------
IV. Security Program Procedures
A. Deadlines Related to Submission and Approval of Security Training
Program
Section 1570.109 identifies the required deadlines for submitting
security training programs and the process for TSA approval. In
general, not later than 90 days from the effective date of this final
rule, owner/operators are required to submit programs to TSA in a form
and manner prescribed by TSA. Owner/operators commencing new businesses
or operations triggering applicability are required to submit their
security training programs to TSA no less than 60 days before
commencing operations.
TSA will provide details for submission of security programs
directly to security coordinators identified under section 1570.201,
within 10 business days from the effective date of this final rule.
Consistent with comments received on the NPRM, this information will
include the designated email address and any related information
regarding submission of Sensitive Security Information (SSI).
As required by the 9/11 Act, TSA will review the programs within 60
days of receipt and either approve them or specify changes that are
needed for approval.\40\ If TSA requires changes, the owner/operator
must submit a modified training program that meets TSA's specifications
within 30 days of notification by TSA. TSA provides an analysis of
burden and estimated costs associated with this information collection
in section VIII.A. of this preamble and the Office of Management and
Budget (OMB) 83-I Supporting Statement for its information collection
request, which is available in the docket for this rulemaking.
---------------------------------------------------------------------------
\40\ See 9/11 Act secs. 1137(d)(2), 1167(d)(2), and 1184(d)(2),
codified at 6 U.S.C. 1137, 1167, and 1184.
---------------------------------------------------------------------------
B. Amendments
Procedures related to revision and/or amendment of security
training programs, as described in Sec. Sec. 1570.113, 1570.115, and
1570.117, are necessary as part of developing a regulatory program and
are consistent with the 9/11 Act's requirements for implementation and
submission of programs. These procedures are also consistent with TSA's
statutory authority to allow exemptions from regulatory
requirements.\41\ The rule provides for two types of amendments: (1)
Amendments initiated by owner/operators and (2) amendments initiated by
TSA.
---------------------------------------------------------------------------
\41\ See 49 U.S.C. 114(q).
---------------------------------------------------------------------------
1. Amendments Initiated by Owner/Operator (Sec. 1570.113)
Under section 1570.113, there are three situations which require
owner/operators to submit a request to amend their security training
programs: (1) Changes affecting ownership or control of the operations;
(2) changes to conditions affecting security; and (3) changes to
content in the security training program. Owner/operators must seek an
amendment if any of these changes are expected to have a duration of
more than 60 days.
Amendments related to changes in ownership/control are necessary
for TSA to maintain current information about relevant contacts as well
as for purposes related to enforcement and liability. Amendments
related to the second and third categories are necessary to ensure the
training programs are providing relevant and timely information to
security-sensitive employees.
This final rule revises the NPRM's proposed requirement for seeking
an amendment for any changes relating to ``measures, training, or
staffing described in the security program.'' Since publication of the
NPRM, TSA determined that the scope of this requirement is too broad as
it could capture measures relevant to security in general, such as
theft. As proposed, the requirement could impose an unnecessary burden
on owner/operators and create conflict between the programmatic
requirements. For example, the overly broad requirement for amendments
could result in the need to revise a security training program to
address issues not related to reducing the risk of terrorism-related
incidents.
To narrow the scope of the amendment requirement, the final rule
incorporates a specific list of the types of changes to security that
require an amendment. For purposes of identifying what types of changes
should be included in the list, TSA determined the most appropriate
source is the 9/11 Act's requirements for TSA to issue a vulnerability
assessment and security planning regulation for surface owner/
operators.\42\ The 9/11 Act's provisions are tailored to security
issues related to reducing the risk of terrorism-related incidents.
---------------------------------------------------------------------------
\42\ As previously discussed, the 9/11 Act includes a mandate
for TSA to issue regulations requiring vulnerability assessments and
security plans in addition to the requirements for security
training. See 9/11 Act sections 1405, 1612, and 1531, codified at 6
U.S.C. 1134, 1162, and 1181, respectively. The security planning
requirements include a detailed list of security measures that must
be incorporated into an owner/operator's TSA-approved security plan.
TSA intends to address the vulnerability assessment and security
training requirements through a separate rulemaking.
---------------------------------------------------------------------------
If an owner/operator makes any changes to the security measures
identified in Sec. 1570.113, the owner/operator must request an
amendment to modify the TSA-approved security training program to align
with these changes. In general, the program must be amended if there
are changes to procedures intended to prevent and detect unauthorized
access to restricted areas; measures to be implemented in response to
periods of heightened security risk; and changes to emergency response
plans.
The security program requirements established by this rulemaking
will also be applicable to a future rulemaking to address the 9/11
Act's requirements for
[[Page 16468]]
vulnerability assessments and security planning. As a result,
incorporating the 9/11 Act's list of security measures to be
incorporated in security planning as the basis for determining when an
amendment is necessary to a security training program establishes a
framework that can be consistently applied in the future as the scope
of requirements for higher-risk owner/operators of surface
transportation systems is expanded.\43\
---------------------------------------------------------------------------
\43\ See discussion supra in n. 42
---------------------------------------------------------------------------
Finally, owner/operators must request an amendment if their
security training program is modified, including modifications related
to addressing the effectiveness of the program or development of
recurrent training materials that differ from the initial training.
This provision is intended to ensure an owner/operator is appropriately
addressing the results of its TSA-approved method for determining
effectiveness of security training.\44\ It is TSA's intent that this
specificity will reduce the burden for owner/operators by providing
clarity on the types of changes that may trigger the need for an
amendment. If there are any changes in these areas, it is reasonable to
expect that some aspects of the security training program must be
revised.
---------------------------------------------------------------------------
\44\ See requirements in subpart B to parts 1580, 1582, and
1584.
---------------------------------------------------------------------------
In addition to the preceding issues that require owner/operators to
request an amendment, the same procedures can be used when the owner/
operator seeks to amend its program to address other operation issues.
For example, an owner/operator may choose to seek an amendment to
modify the required training schedule. The same procedural requirements
for seeking an amendment apply.
TSA may approve an amendment if it is in the interest of public and
transportation security and meets the required security standards. As
part of its standard practice for security program administration, TSA
works with owner/operators on amendment requests to develop options
acceptable to both TSA and the requesting owner/operator. TSA may ask
for additional information from the owner/operator or require more time
in order to makes its determination.
If TSA is unable to come to agreement with the owner/operator on
the content or scope of the amendment, TSA may deny the amendment
request. The denial will include a statement of why the request is
denied. The owner/operator can petition for reconsideration under
section 1570.119.
While the rule only requires amendments if the change is to be
permanent (defined as 60 or more calendar days), TSA recognizes that
there are times when a change of short duration could have a
significant impact on training. For example, if a city is hosting a
National Special Security Event (NSSE), the public transportation
system serving that city may implement additional security measures. It
is likely that additional training will be necessary to raise
appropriate awareness of these additional measures. The rule does not
require the owner/operator to request an amendment to provide this
additional training.
TSA is also modifying the schedule for submitting an amendment from
the requirement as proposed in the NPRM. Under the NPRM, an amendment
had to be submitted no later than 45 days before the change takes
effect. This schedule does not work with the provision that allows
changes to security measures to be in effect for 60 days before they
are considered permanent, and only permanent changes require
notification and amendment. To address this inconsistency, TSA is
requiring amendments to be submitted within 65 days of the change. As
the owner/operator controls changes to the security measures identified
in the rule and whether these changes will be permanent, it is presumed
the owner/operator will have sufficient advance notice that an
amendment is needed and can prepare and submit the request within this
timeframe. This specificity is added to provide clarity for compliance.
2. Amendments Initiated by TSA (Sec. 1570.115)
TSA may require amendments in the interest of the public and
transportation security. As indicated in Sec. 1570.115, TSA may
require owner/operators to revise their training based on emerging
threats or methods for addressing emerging threats. This is consistent
with TSA's authorities under 49 U.S.C. 114 and the 9/11 Act, which
specifically provide that TSA must update the requirements, as
appropriate, ``to reflect new or changing security threats.'' \45\ For
example, the curriculum requirements identified in the 9/11 Act do not
address training to respond to active shooter incidents. Following
several active shooter incidents, including one that resulted in the
death of a Transportation Security Officer in Los Angeles, Congress
prioritized the need for this type of training.\46\ TSA could also
require an amendment to provide additional training to address risks
like the NSSE discussed above, in section C. As with other requirements
imposed by TSA, the owner/operator may request a petition for
reconsideration of TSA-required amendments.
---------------------------------------------------------------------------
\45\ See 9/11 Act at 1408(d)(4), 1517(d)(4), and 1534(d)(4),
codified at 6 U.S.C. 1137, 1167, and 1184, respectively. This
provision also requires owner/operators change their programs to
address TSA's requires updates and retrain employees as necessary,
within a reasonable time.
\46\ Section 7 of the Gerardo Hernandez Airport Security Act of
2015 (Pub. L. 114-50), which directed TSA, in consultation with the
Department of Transportation and other relevant agencies, to conduct
outreach to all passenger transportation agencies and providers of
high-risk facilities to verify such agencies and providers have in
place plans to respond to active shooters, acts of terrorism, or
other security-related incidents that target passengers.
---------------------------------------------------------------------------
C. Alternative Measures (Sec. 1570.117)
Section 1570.117 includes the procedures for requesting a waiver,
procedures for requesting the use of alternative measures, and
identification of the types of information TSA will need in order to
make a decision to grant such requests. TSA may grant such a request
under the authority 49 U.S.C. 114(q), based on a determination that the
alternative measure or exemption is in the public interest. In general,
TSA will consider factors such as risk associated with the type of
operation, current threat information, and any other factors relevant
to potential risk to the public and transportation security if the
request is granted.
These procedures can be used by an owner/operator to request
alternative measures to satisfy all of some or all of the requirements
of subchapter D. For example, the owner/operator could request to
extend the time period for submitting its training program or for
training all of its security-sensitive employees. An owner/operator
could also request a waiver from some or all of the regulatory
requirements. For example, a freight railroad may meet the criteria for
applicability, but the operations that trigger applicability may be a
de minimis part of its overall business operations. In such a
situation, the owner/operator might consider requesting either a
complete waiver or an alternative that limits the requirements to a
more discrete part of its business.
D. Petitions for Reconsideration (Sec. 1570.119)
Section 1570.119 describes the review and petition process for
TSA's reconsideration when it denies a request for amendment, waiver,
or alternative measures, as well as a TSA requirement
[[Page 16469]]
to modify or amend a program. If an owner/operator seeks to challenge
the decision, the owner/operator is required to submit a written
petition for reconsideration within the time frame identified in the
applicable section. The petition must include a statement, with
supporting documentation, explaining why the owner/operator believes
the reason for the denial or for the amendment, as applicable, is
incorrect. If the owner/operator requested the amendment, the results
of the reconsideration could be confirmation of TSA's previous denial
or approval of the proposed amendment. If the issue involves a TSA-
required amendment, the results of the reconsideration could be
withdrawal, affirmation, or modification of the amendment. A
disposition pursuant to 49 CFR 1570.119 occurs when the Administrator
or designee has disposed of the petition by affirming, modifying, or
rescinding the previous decision. Such disposition constitutes a final
agency action for purposes of review under 49 U.S.C. 46110.
E. Recordkeeping Requirements (Sec. 1570.121)
The final rule requires owner/operators to create and maintain
lists of their security-sensitive employees and specify when these
employees received the required training. Training records must include
each trained employee's name, job title or function, date of hiring,
and date and course information on the most recent security training
that each employee received. Records for individual employees must
reflect the training courses completed and date of completion. Records
of an employee's initial and recurrent training must be maintained by
owner/operators for no less than five years from the date of the
training and available at the location(s) specified in the security
training program approved by TSA.
The final rule provides flexibility to owner/operators to decide
whether to maintain the records in electronic format provided that (1)
any electronic records system used is designed to prevent tampering,
loss of data, or corruption of records, and (2) paper copies of
records, and any amendments to these records, must be made available to
TSA upon request for inspection or copying. Whether the records are
kept in electronic or other form, the employee must be provided with
proof of training upon request, at any time during the three-year
recordkeeping period, without regard to the requestor's current status
as an employee of that entity. As discussed above in II.J. (Initial
Training), owner/operators may meet the proof-of-training requirement
by providing a certificate, letter, or other similar documentation to
the employee upon completion of training. In order for TSA to allow any
owner/operator to rely upon previous security training to satisfy the
requirements of this rule, it is critical that employees be able to
validate whether they received previous training.
TSA assumes training records are unlikely to include SSI, but
nonetheless provides a reminder in this provision that any SSI
maintained as a result of these recordkeeping requirements must be
maintained consistent with the requirements in 49 CFR part 1520. For
example, an owner/operator may decide to keep a copy of the content of
the training program with the employee files (which is not required by
the rule). If the curriculum contains SSI information, any file it is
in must be stored as required by the SSI regulations. Owner/operators
needing additional information about appropriately maintaining SSI may
contact TSA for assistance and/or find information on TSA's
website.\47\
---------------------------------------------------------------------------
\47\ See https://www.tsa.gov/for-industry/sensitive-security-information.
---------------------------------------------------------------------------
F. Summary of Deadlines
The following table summarizes the deadlines for the preceding
programmatic requirements. The information is provided for operations
that exist on the effective date of this rule and those that may
commence or trigger applicability based on future modifications.
Table 3--Summary of Deadlines for Compliance
----------------------------------------------------------------------------------------------------------------
Dates
--------------------------------------------------------------------------
Requirement New employees (hired
Existing operations New or modified after TSA approves the
operations security program)
----------------------------------------------------------------------------------------------------------------
Effective date of rule............... June 22, 2020..........
Deadline for notifying TSA of July 22, 2020.......... 90 calendar days before
applicability determination commencing new or
(1570.105). modified operations.
Deadline for providing security July 29, 2020.......... 7 calendar days after
coordinator information to TSA commencement of
(1570.201). operations.
Deadline for submission of security 90 calendar days from 90 calendar days after
training program to TSA for approval effective date. commencing new or
(1570.109(b)). modified operations.
TSA approval or notification of 60 calendar days from 60 calendar days from
required modification (1570.109(c)). receipt of security receipt of security
training program. training program.
Initial training of security- 1 year from TSA 1 year from TSA 60 calendar days after
sensitive employees (1570.111(a)). approval of security approval of security employee first
training program. training program. performs a security-
sensitive job function
(60th day, aggregated
over 12-month period,
if intermittent
employee).
Recurrent training of security- Within three-years of Within 90 days of
sensitive employees (1570.111(b)). the date of initial changes to security
training and every program or security
three-years thereafter. plan affecting
employees' security-
related
responsibilities.
----------------------------------------------------------------------------------------------------------------
[[Page 16470]]
V. Miscellaneous Changes
This final rule includes the following changes to other provisions
in TSA's regulations as necessary to implement these requirements.
A. Amendments to Part 1500
Consistent with the rule's organization, TSA includes definitions
for terms relevant to several subchapters of TSA regulations, beyond
the requirements of subchapter D, in part 1500. Terms only relevant to
the provisions in subchapter D are incorporated in Sec. 1570.3. Terms
uniquely relevant to each mode or the other requirements in subchapter
D are incorporated into the relevant parts.
As noted in the NPRM, TSA is meeting a 9/11 mandate to define,
through notice and comment rulemaking, the term ``security-sensitive
material.'' To meet the requirement, TSA is incorporating by reference
the definition of hazardous materials for which a security program is
required under 49 CFR 172.800(b), promulgated by PHMSA through notice
and comment rulemaking and in consultation with TSA.\48\ There are no
current TSA-programmatic requirements linked to this definition. A full
discussion of amendments to the terms in part 1500 is provided in the
NPRM.\49\
---------------------------------------------------------------------------
\48\ See 81 FR at 91344.
\49\ See section III.A. of the NPRM. 81 FR at 91342 et seq.
---------------------------------------------------------------------------
B. Amendments to Part 1503
TSA is making minor amendments to part 1503 (Investigative and
Enforcement Procedures), as necessary, to conform these regulations to
changes made by this final rule. In Sec. 1503.101(b), the scope of
statutory provisions is amended to add authorities from the 9/11 Act
that are administered by the TSA Administrator. These are conforming
amendments with no cost impact.
C. Amendments to Part 1520
TSA is also finalizing proposed modifications to part 1520
(Protection of Sensitive Security Information). As discussed in the
NPRM, these changes are necessary to conform the SSI provisions to
include the transportation security-related requirements in this
rule.\50\ The amendments are limited to: (1) Eliminating unnecessary
terms from part 1520 that are added to part 1500 and (2) replacing the
limiting term ``rail transportation security requirement'' with
``surface transportation security requirement.'' In some places, such
as the definition of ``vulnerability assessment'' in Sec. 1520.3, TSA
is streamlining a lengthy description of types of transportation to
simply state ``aviation, maritime, or surface transportation.''
---------------------------------------------------------------------------
\50\ See id. at 91343-91345.
---------------------------------------------------------------------------
The impact of these revisions should also be minimal. Under Sec.
1520.7(j), any person who has access to SSI is required to protect it
according to the requirements of the regulation. Most of the population
affected by this rule has previously received SSI information from TSA,
as well as training on the proper handling of SSI, and have procedures
in place to ensure the requirements of the regulation are met.\51\
---------------------------------------------------------------------------
\51\ See https://www.tsa.gov/for-industry/sensitive-security-information.
---------------------------------------------------------------------------
D. Amendments to Part 1570
Because of the significant restructuring of part 1570, as discussed
above, the rule text includes the entire part. In addition, TSA is
adding a provision related to security responsibilities and relocating
to this part the provisions related to compliance, inspection, and
enforcement (previously in part 1580).
1. Security Responsibilities for Employees and Other Persons (Sec.
1570.7)
Under Sec. 1570.7, the obligation for compliance is not limited to
owner/operators specifically referenced under applicability provisions.
Rather, any person may be held to have violated these rules, including
contractors who provide service to owner/operators and the employees of
such contractors. This provision in subchapter D ensures a uniform
application of TSA's enforcement policy across all modes of
transportation, consistent with TSA's authority under 49 U.S.C.
114(f).\52\ In addition to violations for failure to comply with
requirements, TSA can also pursue enforcement actions for interfering
with compliance or hiding evidence of non-compliance. Contractors are
also subject to inspection for compliance with this rule and
enforcement actions, as discussed below.
---------------------------------------------------------------------------
\52\ See 49 U.S.C. 114(f)(7) and (11). A similar provision
applicable to aviation employees and other related persons is in 49
CFR 1540.105(a)(1) and (b).
---------------------------------------------------------------------------
2. Compliance, Inspection, and Enforcement (Sec. 1570.9)
TSA is mandated to: (1) Enforce its regulations and requirements;
(2) oversee the implementation and ensure the adequacy of security
measures; and (3) inspect, maintain, and test security facilities,
equipment, and systems for all modes of transportation.\53\ This
mandate applies even in the absence of rulemaking, but TSA has chosen
to include a restatement of its authority in its rules. The statute
specifically requires TSA to--
---------------------------------------------------------------------------
\53\ See 49 U.S.C. 114(f).
---------------------------------------------------------------------------
Assess threats to transportation;
Enforce security-related regulations and requirements;
Inspect, maintain, and test security of facilities,
equipment, and systems;
Ensure the adequacy of security measures for the
transportation of cargo;
Oversee the implementation, and ensure the adequacy, of
security measures at airports and other transportation facilities;
Require background checks for airport security screening
personnel, individuals with access to secure areas of airports, and
other transportation security personnel; and
Carry out such other duties, and exercise such other
powers, relating to transportation security as the Administrator
considers appropriate, to the extent authorized by law.
While current part 1570 includes a provision stating TSA's
compliance, inspection, and enforcement authority, it is not provide
the same detail found in other regulatory provisions.\54\ Therefore,
TSA is transferring the text of current Sec. 1580.5 to subpart A as
Sec. 1570.9, with minor modifications to reflect the addition of
certain bus operations that have previously been unregulated by
TSA.\55\
---------------------------------------------------------------------------
\54\ Compare current Sec. 1570.11 with current Sec. 1580.5.
The provision in part 1580 is also consistent with 49 CFR 1542.5,
1544.3. 1546.3, 1548.3, and 1549.3.
\55\ A more detailed discussion of current Sec. 1580.5, still
relevant to the section, can be found in the preamble for current
part 1580. See 71 FR 76852 (Dec. 21, 2006) and the Rail Security
Rule, see supra n. 8. (Final Rule).
---------------------------------------------------------------------------
3. ``Covered Person'' (Sec. 1570.305)
This final rule includes a technical correction to Sec. 1570.305
(currently Sec. 1570.13) of subchapter D as part of this rulemaking.
This provision prohibits public transportation agencies and rail
carriers from knowingly misrepresenting Federal guidance or regulations
related to security background checks for certain individuals.\56\ The
definitions in the section currently include the term ``covered
individual,'' which may result in confusion as to whether the term has
the same meaning as ``covered person'' in TSA's programs to address
access to SSI.\57\ To eliminate any potential for confusion, this rule
amends Sec. 1570.305
[[Page 16471]]
to delete the definition and consistently use the term ``employee'' (as
defined by this rulemaking in Sec. 1570.3) rather than ``covered
individual.'' This change is for clarification purposes only and has no
substantive impact.
---------------------------------------------------------------------------
\56\ This final rule moves this section from Sec. 1570.13 of
subchapter D to section Sec. 1570.305. The requirement was added to
address another 9/11 Act requirement. See 73 FR 44665 (July 31,
2008) for more information on the rulemaking that added this
provision.
\57\ See 49 CFR 1520.7.
---------------------------------------------------------------------------
VI. Summary of Changes
The following table summarizes changes between the NPRM and final
rule.
Table 4--Summary of Changes Between NPRM and Final Rule
----------------------------------------------------------------------------------------------------------------
Section No. Section title Change from NPRM Implication
----------------------------------------------------------------------------------------------------------------
1570.111(b)....................... Implementation In response to comments, Cost Savings.
schedules (recurrent TSA is modifying the
security training). recurrent security
training schedule to a
three-year cycle rather
than annual. Changes to
security programs and
plans may require
training certain
employees within 90 days
of the changes.
1570.113.......................... Amendments requested NPRM proposed requiring TSA recognizes that some
by owner/operator. owner/operators to owner/operators may have
request an amendment to security programs that
their security training address issues not
programs when there are related to
changes to (a) ownership transportation security,
or control of operations such as theft or
and/or (b) measures, vandalism. TSA is
training, or staffing narrowing the scope of
described in the security the requirement to
program. The final rule reduce the burden. The
includes a specific list final rule identifies
of the types of changes the types of issues that
that would trigger the would require amendment.
need to update the The list of issues used
security training by TSA is consistent
program. The NPRM also with the requirements
proposed to require an for security plans in
amendment to be filed sections 1405, 1512, and
within 45 days before the 1531 of the 9/11 Act.
amendment takes effect. Modifying the deadline
The final rule requires for requesting an
an amendment to be amendment is intended to
requested no later than provide clarity for
65 days after the change compliance and be more
to the security program/ appropriate for the
measures/plans takes types of amendment-
effect. requests TSA expects to
receive.
1570.201.......................... Security coordinator. NPRM proposed requiring The scope of this
all public transportation requirement in the NPRM
agencies to have a was broader than TSA
security coordinator. intended as the result a
Final rule limits the drafting error. TSA
scope of the requirement intended the security
to rail operations of coordinator requirement
public transportation to apply to all of the
agencies and the bus-only rail operations and
operations of those shippers/receivers
determined by TSA to be covered by the Rail
higher-risk. Security Rule, plus bus
operations required to
provide security
training under this
rule.
1570.203.......................... Reporting significant NPRM proposed requiring The scope of this
security concerns. all public transportation requirement in the NPRM
agencies to report was broader than TSA
security issues. Final intended as the result
rule limits the scope of of a drafting error. TSA
the requirement to rail intended the reporting
operations of public requirement to apply to
transportation agencies all of the rail
and the bus-only operations and shippers/
operations of those receivers covered by the
determined by TSA to be Rail Security Rule, plus
higher-risk. bus operations that are
required to provide
security training under
this rule.
1570.305.......................... False statements TSA is making a technical This technical revision
regarding security correction to this eliminates potential
background checks by provision by replacing confusion in the
public the term ``covered terminology.
transportation individual,'' with the
agency or railroad term ``employee,'' which
carrier. is defined by this
rulemaking in Sec.
1570.3.
----------------------------------------------------------------------------------------------------------------
VII. Response to Comments on NPRM
Following TSA's publication of the NRPM on December 16, 2016,
industry associations, unions, and private citizens were among those
who submitted comments in docket TSA 2015-0001. TSA's responses are
organized by topic.
A. General Comments
1. Need for Rule
Comments endorsing the rulemaking and recommending an expanded
scope: A number of submissions included a statement of general support
for TSA to issue this rulemaking. Commenters also endorsed the rule,
noting that proper training could prevent harm to both employees and
passengers. A few commenters suggested expanding the scope of the
rulemaking to include additional training for surface workers, such as
self-defense training, or to provide training to all American citizens
to identify terrorist threats. One commenter supported a ``community of
the whole'' approach, reflecting the collaborative and cooperative
partnership between TSA and industry to detect and deter individuals
seeking to commit acts of terrorism.
TSA response: This rulemaking is intended to solidify a baseline of
security training. Promulgation of this rule does not signal a change
in TSA's commitment to maximize enhancements to surface transportation
security through voluntary cooperation and collaboration. Consistent
with this commitment, TSA does not believe it is necessary to expand
the scope of applicability or requirements, but encourages owner/
operators to provide additional security training as they consider
appropriate to address potential vulnerabilities or threats within
their unique operational environments. As noted in the NPRM, TSA
encourages owner/operators covered by this rule to determine
[[Page 16472]]
whether there are employees not covered by the scope of the security-
sensitive definition who could provide benefits to security if trained.
Regarding the recommended expansion of the rule to cover broader
populations, including the general public, DHS has numerous programs
and initiatives to provide and encourage awareness of terrorist threats
and appropriate responses. These initiatives include ``hometown
security'' and the ``See Something, Say Something'' campaign. More
information on these initiatives and training available to support them
can be found on the DHS website.\58\ TSA also encourages owners/
operators not within the scope of the rule's applicability to
voluntarily provide security training to their employees, using the
curriculum requirements in this rule to guide development of voluntary
security training programs. As noted in section II.A., TSA also intends
to provide resources developed to support this rule to other owner/
operators, as appropriate.
---------------------------------------------------------------------------
\58\ See www.dhs.gov/hometown-security and www.dhs.gov/see-something-say-something.
---------------------------------------------------------------------------
Comments opposing rulemaking: Other commenters opposed the
rulemaking, primarily because they believe certain modes already
conduct training, and asserted these efforts make the rulemaking
unnecessary. Three commenters expressed concern the rule overlaps with
existing State and Federal training requirements, including the FRA's
2014 final rule, which established minimum training standards for all
safety-related railroad employees.\59\ One commenter suggested States
may have different requirements, which should be considered in this
rulemaking. Several commenters advocated for the rule to be voluntary,
and noted voluntary training has so far produced exceptional results.
---------------------------------------------------------------------------
\59\ See 79 FR 66460 (Nov. 7, 2014), codified at 49 CFR part
243.
---------------------------------------------------------------------------
TSA response: As previously discussed, TSA has a statutory mandate
to publish a final rule requiring security training for frontline
employees of public transportation agencies, railroads, and OTRB owner/
operators.\60\ The statutory mandate includes specific requirements for
the content of the required security training. In addition, TSA
determined it is necessary to require security training for employees
of higher-risk surface transportation operations and appropriate to use
its general authority under ATSA to issue a rule including these
requirements.\61\
---------------------------------------------------------------------------
\60\ See discussion in section I.A. of this rule. See also 81 FR
91341 (discussion of statutory authorities and requirements for this
rulemaking).
\61\ See 81 FR 91339-91341 (discussion of purpose and
authorities).
---------------------------------------------------------------------------
The terrorism-related threat to surface transportation modes has
not subsided and Congress has not retreated from its commitment to the
need for this rule. Since enactment of the 9/11 Act, Members of
Congress and the DHS Office of the Inspector General (OIG) have
expressed continued interest in the publication of this rule.
This rulemaking is intended to solidify the baseline for security
training of surface employees. TSA recognizes the substantial efforts
of our stakeholders to enhance their security posture since 9/11 and
seeks to recognize and build upon these efforts. As noted in the NPRM,
owner/operators subject to requirements to provide similar training may
request to use this training to satisfy requirements in this rule. For
example, TSA is aware that many public transportation agencies and
railroads currently provide security training to comply with State or
Federal training requirements. (TSA is not aware of any overlapping
requirements for OTRB owner/operators.) If an owner/operator intends to
use previous training or existing training programs in order to satisfy
some or all of the requirements of this rule, the program submitted to
TSA for approval must identify how the other training satisfies TSA's
requirements. This will likely necessitate submitting the curriculum or
lesson plan for that program and training records, as well as
information on the employees who have completed the training and the
date of the most recent training.
Regarding voluntary training, TSA acknowledges many owner/operators
of higher-risk surface transportation operations have voluntarily
implemented security training programs addressing some of the
requirements in this rule. As noted in the Preliminary Regulatory
Impact Analysis and Initial Regulatory Flexibility Analysis (NPRM RIA),
however, the private market may not provide adequate incentives for
owner/operators to make an optimal investment in the full range of
measures to reduce the probability of a successful terrorist attack
based on the economics of externalities. Mandating security training
for higher-risk operations will solidify the current baseline of
security training established through voluntary measures.\62\
---------------------------------------------------------------------------
\62\ See NPRM RIA at 116-117 (available in the docket to this
rulemaking at www.regulations.gov).
---------------------------------------------------------------------------
2. Cost of Rule
Comments: Some commenters expressed concern that the cost of the
rulemaking is too high, and that the rule is too costly for industry to
implement. Commenters also asserted the estimate of OTRB owner/
operators is too low, and questioned whether TSA's cost-estimate
analysis considers the Unfunded Mandate Reform Act of 1995 (UMRA).\63\
One commenter generally suggested that the expense of providing
security awareness training to surface transportation personnel may not
be justified by the potential benefits. Another commenter, a mass
transit agency in a large metropolitan area, estimated the cost of the
rule to be higher than the estimate TSA provided in the NPRM RIA.
---------------------------------------------------------------------------
\63\ Public Law 104-4, 109 Stat. 48 (Mar. 22, 1995), codified at
2 U.S.C. 1501-1538.
---------------------------------------------------------------------------
TSA response: A full discussion of the cost-benefit analysis is
included in the Final Regulatory Impact Analysis and Regulatory
Flexibility Analysis (Final RIA) \64\ and summarized in section
VIII.B.1. While training and the other requirements of this final rule
are not absolute deterrents for a terrorist intent on carrying out
attacks on surface modes of transportation, TSA expects the probability
of success for such attacks to decrease when the requirements of this
rule are fully implemented.
---------------------------------------------------------------------------
\64\ The Final RIA is available in the docket for this
rulemaking at www.regulations.gov.
---------------------------------------------------------------------------
Regarding the commenters concerns that TSA's estimate of OTRB
owner/operators within the scope of applicability is too low, TSA
acknowledges the inherent uncertainty in this estimate due to the fluid
and opaque nature of the industry. As described in the Final RIA,
``many [OTRB] owner/operators that operate charter and/or tour services
also provide scheduled or fixed-route services, sometimes on an ad hoc
basis, making it difficult for any one source to keep track of those
that may provide scheduled service as part of their non-primary
operation.'' \65\ In response to the issue of disparate data, TSA
consulted multiple sources and databases to build its estimate.' The
commenter who stated the OTRB estimate was too low did not provide any
reason to support the claim that TSA underestimated the number of
affected owner/operators or any source/
[[Page 16473]]
data to back up the assertion. As mentioned in the NPRM RIA, TSA sought
public contribution to refine its estimate, but neither the commenter
nor anyone else provided any data or new information on which to build
a different estimate.
---------------------------------------------------------------------------
\65\ Id. at 40. Note: Under the requirements of this rule, any
owner/operators conducting ad hoc or sub-contracted service for a
regulated person must comply with the requirements of the rule as an
authorized representative. Similarly, an owner/operator not subject
to the requirements of the rule may trigger applicability if they
contract for ad hoc or subcontracted service through an area that
triggers applicability.
---------------------------------------------------------------------------
Title II of UMRA, establishes requirements for Federal Agencies to
assess the effects of their regulatory actions on State, local, and
tribal governments and the private sector.\66\ Agencies must prepare a
written statement, including a cost-benefit analysis, for proposed and
final rules with ``Federal mandates'' that may result in expenditures
by State, local, and tribal governments, in the aggregate, or by the
private sector, of $100 million or more in any one year.\67\ TSA's
analysis for both the NPRM RIA and Final RIA determined this rule does
not contain a Federal mandate that may result in expenditures of $100
million or more either for State, local, and tribal governments in the
aggregate, or for the private sector in any one year.
---------------------------------------------------------------------------
\66\ See supra n. 63.
\67\ Id. at sec. 202, codified at 2 U.S.C. 1532. The $100
million in 1995 dollars is adjusted for inflation to 2017 dollars
using the GDP implicit price deflator for the U.S. economy. Bureau
of Economic Analysis, National Data, Table 1.1.4. Price Indexes for
Gross Domestic Product, Line 1 Gross domestic product. Available at:
https://apps.bea.gov/iTable/iTable.cfm?reqid=19&step=2#reqid=19&step=2&isuri=1&1921=survey.
---------------------------------------------------------------------------
The commenter who stated security awareness training may not be
justified by the potential benefits did not provide data to support
this assertion. Based upon the data available to TSA, as shown in the
Final RIA, TSA disagrees with the commenter. In both the NPRM and Final
RIA, TSA includes a chapter, titled ``Benefits of Employee Security
Training,'' which identifies the security risks to surface
transportation and explained how providing employees with the knowledge
to prepare, observe, assess, and respond to a terrorist related threat
or incident reduces the vulnerability to a terrorist attack. In
addition, TSA conducted a break even analysis that compared the cost of
the surface training program to the direct economic losses that would
be averted by avoiding certain terrorist attack scenarios. Given the
relative small costs of implementing training compared to the
catastrophic costs of a successful terrorist attack, this analysis
found that the rule would only have to deter, at minimum, one attack
every 40 years for the benefits to equal costs for freight rail, a
number that increases to one attack every 166 years for OTRBs.\68\ The
monetized benefits of preventing an attack would likely be greater were
TSA to conduct a break even analysis that accounts for the difficult-
to-estimate macroeconomic and other indirect impacts (avoided indirect
costs) that may be even more significant than the direct impacts of the
attack. Avoided consequences, such as the value of a reduction in fear
felt by the public at large, are not included in the analysis because
they are difficult to measure and quantify. Given these results and the
demonstrated effectiveness of employee training--including security
awareness in mitigating terrorist attacks \69\--TSA believes the
benefits of the rule justify its costs. Finally, as previously
discussed, TSA is under a statutory mandate to publish a final rule
requiring security training for frontline employees of public
transportation agencies, railroads, and OTRB owner/operators.
---------------------------------------------------------------------------
\68\ See Final RIA at Section 4.3.
\69\ See id. at Section 4.1 (full summary of the threat to
surface transportation and an example of security training
effectiveness).
---------------------------------------------------------------------------
One commenter, from a large metropolitan area public transportation
system, provided information to support statements that the costs of
implementing the rule would be higher than TSA estimated in the NPRM
RIA for that commenter. TSA believes there are a number of issues with
the commenter's estimate that result in an overestimation of the rule's
burden. The commenter assumed the duration of training to be three
hours when TSA estimates that training for security-sensitive employees
of a PTPR owner/operator will likely average 1 hour and 20 minutes in
order to address all of the required elements in this rule.\70\ The
commenter appears to base their three hour estimate on an assumption
that a classroom setting and development of original course material is
necessary. As further discussed below in section VII.D., TSA is not
requiring instructor or classroom training and will further mitigate
costs by providing a video, free of charge, to regulated owner/
operators for compliance with the parts of the rule. TSA intends for
this material to cover three of the four PTPR training elements in the
rule and take less than one hour.
---------------------------------------------------------------------------
\70\ See Final RIA at Section 2.4 for an explanation and
rationale to why TSA estimates 1 and 20 minutes needed to train mass
transit agencies' security-sensitive employees on the training
components of the final rule.
---------------------------------------------------------------------------
Finally, the commenter comes from one of the largest metropolitan
areas in the United States with one of highest costs of living. This
leads TSA to believe that the estimate provided by the commenter is
likely higher than the national average of transit agencies. TSA used
national wage data for transit agencies from the Bureau of Labor
Statistics to estimate cost of the rule to PTPR owner/operators. TSA
believes this is a reasonable rate to calculate incurred costs to
regulated PTPR owner/operators because it encompasses the entire
transit industry (which are typically found in cities around the
country). Based on this analysis, TSA believes its cost-assessment for
the final rule is representative of the incremental burden PTPR owner/
operators will incur from implementing the regulatory requirements at a
national level. However, TSA does acknowledge that differences in the
cost of labor among the various cities may contribute to certain
transit agencies having higher or lower costs than the national
average.
3. Stakeholder Consultation
Comments: Several commenters suggested TSA consult with labor
unions in drafting the rulemaking, as required by the 9/11 Act, and
also reach out to international security experts.
TSA response: The 9/11 Act directed TSA to consult with major
stakeholders during the development of the NPRM, including labor
organizations. As noted and summarized in the NPRM, TSA conducted
numerous meetings and conference calls with all necessary parties,
including relevant labor organizations.\71\ In addition to inviting
participation of labor union representatives in many of the mode-
specific meetings, TSA also met directly with labor unions as part of
its stakeholder consultation process, including the Transportation
Trades Department of the American Federation of Labor and Congress of
Industrial Organizations, the International Brotherhood of Teamsters,
the Brotherhood of Locomotive Engineers, and the Amalgamated Transit
Union.\72\
---------------------------------------------------------------------------
\71\ See 81 FR 91336 at 91368-91370.
\72\ See id. at 91370.
---------------------------------------------------------------------------
International outreach is also a key component of TSA's
transportation security mission. TSA surface representatives partner
with the international community through a number of forums, such as
INTERPOL, European Network of Railway Police Forces (RAILPOL), and the
United Nations led International Working Group Land Transport Security
(IWGLTS). These meetings include a regular exchange of lessons learned
in addressing emerging threats within the surface transportation
environment.
4. Terms
Comments on definition of ``transportation security-sensitive
materials (TSSM)'': Several commenters
[[Page 16474]]
asked for clarification regarding how the TSSM definition applies to
motor coaches, and suggested industry aid TSA in determining what
should qualify as TSSM. One commenter asked TSA to provide handling and
storage information regarding TSSM specific to the motor coach
industry.
TSA response: As noted in the NPRM, TSA is satisfying a 9/11 Act
requirement to define TSSM \73\ by incorporating by reference the
hazardous materials identified in 49 CFR 172.800(b). There are no
specific requirements in the rule related to the definition. To the
extent there are requirements associated with the materials identified
in 49 CFR 172.800(b), persons should consult 49 CFR part 172, the
hazardous materials rules promulgated by PHMSA. The PHMSA rules include
security requirements related to these specific materials. The PHMSA
requirements were promulgated through notice and comment rulemaking,
including participation by relevant stakeholders in developing the list
of materials.
---------------------------------------------------------------------------
\73\ Id. at 91344.
---------------------------------------------------------------------------
Comments on definition of ``host railroad'': One commenter asserted
the definition of ``host railroad'' is confusing. Additionally, the
commenter noted TSA's expectations of the railroads responsible for
ensuring training of employees in ``host'' situations are unclear, as
railroads currently train employees under existing training programs.
TSA response: As noted in the NPRM,\74\ TSA is defining ``host
railroad'' consistent with the definition well-established by use for
the rail industry under rules of the FRA.\75\ Under this rule, both the
host and tenant railroads are required to have a training program that
appropriately addresses the ramifications of the hosting relationship.
For example, the host railroad's training program will need to address
the operational considerations of the hosting relationship, such as
training dispatchers on their role and responsibilities in halting the
tenant railroad's operations over a segment of track where there is a
potential threat (such as a suspected IED or tampering with
infrastructure). Similarly, a tenant railroad subject to the security
training requirements of 49 CFR part 1582 (PTPR), will need to address
the operational considerations of the hosting relationship, such as
instructing its train and engine employees on the proper communication
procedures to follow when a potential threat is identified. Under
either example, the host and tenant railroad owner/operators will only
be responsible for training their own employees.
---------------------------------------------------------------------------
\74\ Id. at Table 3, Explanation of Proposed Terms and
Definitions.
\75\ See 49 CFR 236.1003.
---------------------------------------------------------------------------
When inspecting for compliance by regulated parties participating
in a contractual relationship, TSA will consider the freight railroad
carrier (the private company) to be an authorized representative of the
PTPR owner/operator (the owner/operator of the passenger train
service). TSA will hold the PTPR owner/operator primarily responsible
for compliance and for ensuring that all security-sensitive employees
receive the required training, whether they are employed directly by
the PTPR owner/operator or contractor. The PTPR owner/operator must
train the freight railroad carrier's employees performing security-
sensitive functions related to the passenger train service.\76\
---------------------------------------------------------------------------
\76\ See supra, section II.A.4 for more discussion on the
distinction between hosting and contractual relationships and the
ramifications for responsibility of providing security training.
---------------------------------------------------------------------------
B. Investigative and Enforcement Procedures
Comments on penalties and violations under 49 CFR part 1503:
Several commenters requested clarification regarding the exact
penalties for non-compliance, and others asked TSA to explain the basis
of violations.
TSA response: The 9/11 Act included authority for TSA to assess
civil penalties for violations of title 49 of the U.S. Code, including
surface transportation requirements.\77\ TSA posts, and regularly
updates, its sanction policies on its website.\78\ Between this rule's
date of publication and effective date, TSA will update this policy to
address violations of this rule.
---------------------------------------------------------------------------
\77\ See sec. 1302(a) of the 9/11 Act. TSA is issuing this rule
under the authority of 49 U.S.C. 114.
\78\ See https://www.tsa.gov/sites/default/files/enforcement_sanction_guidance_policy.pdf.
---------------------------------------------------------------------------
Comments on compliance, inspection, and enforcement under 49 CFR
1570.9: Several commenters expressed concern regarding how TSA will
enforce the rule. One commenter suggested TSA and relevant DOT
components should develop a cooperative enforcement program allowing
DOT personnel to enforce TSA's security training requirements as they
conduct their safety inspections. Several commenters suggested TSA
coordinate with the owner/operator before an inspection, and one
suggested that TSA provide an audit checklist before arriving on the
owner/operator's property. Another commenter asked TSA inspectors to
undergo safety training before visiting the property. Finally, one
commenter suggested TSA consider an audit program for contractors,
rather than making the owner/operator responsible for ensuring
contractor receives training or otherwise comply with the rule's
requirements.
TSA response: As explained in the NPRM, TSA is mandated to: (1)
Enforce its rules and requirements; (2) oversee the implementation and
ensure the adequacy of security measures; and; (3) inspect, maintain,
and test security facilities, equipment, and systems for all modes of
transportation.\79\ TSA's authority over transportation security is
comprehensive and supported with specific powers related to the
development and enforcement of security-related regulations and other
requirements. Within this broad authority, the agency may assess a
security risk for any mode of transportation and develop security
measures for dealing with this risk.\80\ If TSA identifies
noncompliance with its requirements, TSA may hold the owner/operators
responsible for the violation and subject to enforcement action, which
may result in civil monetary penalties.\81\
---------------------------------------------------------------------------
\79\ See 81 FR 91341, citing 49 U.S.C. 114.
\80\ 49 U.S.C. 114(f) and (l).
\81\ 49 U.S.C. 114(f) and (v).
---------------------------------------------------------------------------
Pursuant to its statutory authority and responsibilities, TSA is
the sole Federal agency with authority to enforce its regulations.
DOT's components do not have authority to enforce TSA's rules and TSA
cannot enforce theirs. DHS and DOT, however, do consult and coordinate
with each other on security-related issues pursuant to various
memoranda of understanding (MOU). To mitigate concerns about
duplication of efforts by inspectors, DHS has entered into an MOU with
DOT with separate annexes between TSA and the modal components of DOT.
These annexes address coordination on regulatory matters.
When appropriate, TSA will coordinate with an owner/operator on
inspections. Notice gives the parties to be inspected the opportunity
to gather evidence of compliance and to arrange to have the appropriate
personnel available to assist TSA. Some inspections, however, can only
be effective if TSA's presence is unannounced. TSA must have the
flexibility to respond to information, operations, and specific
circumstances whenever they exist or develop.
Security concerns are different at different times of the day and
on different days of the week. Terrorists may seek to take advantage of
vulnerabilities whenever they occur.
[[Page 16475]]
TSA has the authority to assess the security of transportation entities
during all times of the day or night and under all operational
situations (including nights, weekends, and holidays). The nature of
any given TSA inspection will depend on the specific circumstances
surrounding a particular owner/operator at a given point in time and
will be considered in conjunction with available threat information.
An audit checklist is unnecessary for this program. Under the rule,
owner/operators are required to submit a security training program to
TSA for approval. As the regulated owner/operators are the original
drafters of the security training program approved by TSA, they should
not need a checklist from TSA to inform them of the program's content
and requirements. The use of TSA-provided training material does not
eliminate the owner/operator's ownership of the program and knowledge
of the program's contents. The security training program developed and
submitted by the owner/operator to TSA for approval is likely to
include additional information provided or developed by the owner/
operator to meet all of the curriculum requirements.
Regarding having TSA inspectors undergo safety training prior to
visiting a property, TSA's inspectors are properly trained regarding
how to safely inspect an owner/operator's property and the importance
of complying with official safety-related requirements while on the
owner/operator's property. For example, TSA puts its inspectors through
a rigorous training program, incorporating classroom and field
training, so inspectors are knowledgeable on all aspects related to
this regulatory program as well as on safety issues. TSA recognizes the
importance of this training to ensure inspectors avoid danger to
themselves, to workers on the inspected property, to travelers, and to
the inspected property.
Finally, concerning the suggestion that TSA consider an audit
program for contractors, in lieu of making the owner/operator
responsible for ensuring contractor receives training, TSA applies two
important regulatory policies related to responsibilities of
contractors. First, contractors performing measures required under
TSA's rules are ``authorized representatives'' of the regulated
party.\82\ As part of its general enforcement policy, TSA consistently
holds regulated parties responsible for the actions of their authorized
representatives.
---------------------------------------------------------------------------
\82\ See the rule's definition of ``authorized representative''
in 49 CFR 1500.3.
---------------------------------------------------------------------------
Second, authorized representatives and other contractors (and their
employees) are also responsible for complying with TSA's regulatory
requirements. Under section 1570.7 of this rule, any person may be
subject to enforcement action for violations of the rule, including
contractors who provide service to owner/operators and the employees of
such contractors. As a result, TSA could pursue an enforcement action
against the regulated party, the regulated party and the contractor as
an authorized representative, or against the contractor.
C. Part 1570--General Rules
1. Terms Used in This Subchapter (Sec. 1570.3)
Comments on definition of ``security-sensitive employees'': In
addition to comments of general support for the definition of security-
sensitive employee, TSA received a few questions about the term. One
commenter sought more information on what defines an employee in a
security-sensitive position, specifically asking whether the definition
includes a cyber-expert or a frontline engineer staffing a commuter
train. Another commenter suggested replacing the term with ``Frontline
Employees'' for consistency with the 9/11 Act, finding the term
``security-sensitive'' to be confusing and therefore subject to
misinterpretation. Further, this commenter found no risk-based
justification for establishing a classification of employees to
determine who should receive security training.
TSA response: As discussed in the NPRM, the definition of
``security-sensitive employees'' includes employees who perform
functions with a direct nexus to, or impact on, transportation security
based on their job functions.\83\ Engineers are specifically covered
within the job functions identified for 49 CFR parts 1580 (freight
railroads) and 1582 (public transportation and passenger railroads). A
cyber-expert may be considered a security-sensitive employee based upon
specific job functions, such as functions involving control or movement
of trains, or because of other cyber-security responsibilities related
to the owner/operators security measures in its security plan to
protect the integrity of its information systems.
---------------------------------------------------------------------------
\83\ 81 FR 91333 et seq.
---------------------------------------------------------------------------
TSA chose the term ``security-sensitive'' for this rule to mirror
the term ``safety-sensitive'' used in rules promulgated by DOT. There
is no statutory requirement for TSA to specifically use the term
``frontline employee,'' as long as the scope of the rule includes the
employees identified in relevant portions of the 9/11 Act, which it
does.
Finally, as discussed in the NPRM,\84\ TSA applied a risk-based
approach to all requirements in this rule, including the definition of
security-sensitive employee. The NPRM explained TSA began with an
analysis of the employees listed in the 9/11 Act's definitions of
``frontline employees'' who must receive training \85\ and then
considered whether other employees may also be in a position to spot
suspicious activity because of where they work, their interaction with
the public, or their access to information. TSA also considered who
needs to know how to report or respond to these potential threats. This
additional group of employees includes managers, supervisors, or others
who perform the function or who so directly supervise the performance
of a function that their nexus to the job function is equivalent to the
employee.
---------------------------------------------------------------------------
\84\ See id. at 61353-61355.
\85\ See id. at Table 6, Comparison of security training NPRM
proposed categories for ``security-sensitive employees'' to 9/11 Act
definitions of ``frontline employees'' who must be trained.
---------------------------------------------------------------------------
2. Recognition of Prior or Established Security Measures or Programs
(Sec. 1570.7)
Comments related to use of existing training: Several commenters
suggested that TSA should allow use of previous training or programs to
satisfy the rule's requirements. The range of these existing programs
include training provided under TSA's First ObserverTM
program and existing railroad security training, which commenters
assert meets the intent of the 9/11 Act. Commenters noted that both
freight and passenger railroads currently maintain effective security
training programs.
Comments on how to use these existing programs varied, including
allowing owner/operators to amend their existing programs to make them
comply with the rule's requirements; letting currently trained
employees be ``grandfathered'' in as long as their training meets the
rule's requirements; and a request that TSA determine these existing
training programs meet the 9/11 Act's requirements without imposing
additional regulatory requirements.
Finally, a commenter expressed concern that owner/operators will be
allowed to fulfill the training requirements in a variety of ways,
creating unique programs for each system. The commenter noted the
[[Page 16476]]
training requirements may become overly burdensome for employees and
employers if an employee must be re-trained every time he or she leaves
one transportation operation and joins another.
TSA response: Consistent with requirements of the 9/11 Act, the
rule specifically provides for recognition of previous training in
Sec. 1570.107.\86\ Under this section, owner/operators can use
previously provided training meeting or exceeding the requirements of
the rule to the extent they can provide documentation of the training
and validation this training satisfies the requirements applicable to
that employee. The rule also provides owner/operators with the
flexibility to use other training programs addressing some or all of
the same topics to satisfy the regulatory requirements in Sec. Sec.
1580.113(c), 1582.113(c), and 1584.113(c).\87\
---------------------------------------------------------------------------
\86\ See id. at 91347 for the discussion on this topic in the
NPRM.
\87\ See id. at 91361-91362.
---------------------------------------------------------------------------
TSA recognizes that many of the owner/operators to be regulated by
this rule have taken voluntary actions to raise their security
baseline. TSA applauds these efforts, but also notes that they do not
negate the benefits of this rulemaking. The purpose of this rule is to
solidify the baseline for those that have already implemented security
training programs, and to raise those who have not to a consistent
standard across higher-risk operations. To the extent owner/operators
established security training programs consistent with the 9/11 Act as
a voluntary initiative or implemented use of TSA's First
ObserverTM program,\88\ and continue to provide regular
training to their employees, these efforts should significantly
mitigate any costs for compliance with the rule.
---------------------------------------------------------------------------
\88\ The First ObserverTM program, previously known
as Operation Secure Transport, has been in use for highway motor
carriers (OTRB owner/operators) and covers the Observe, Assess, and
Respond security training components required by this rulemaking.
TSA credits those OTRB owner/operators who have used the First
ObserverTM program in its RIA (full description in
Section 1.5 of the Final RIA).
---------------------------------------------------------------------------
Finally, the provision on use of previous training, in Sec.
1570.107, also addresses concerns about unique training programs and
the impact on employees who change jobs. If the owner/operator can
validate the content and timing of the previous training, the rule
allows this training to be credited towards satisfying the regulatory
requirements. At most, the new employer may need to supplement portions
of previous training to address unique aspects of its own TSA-approved
security training program. This allows the owner/operator to ensure all
of the security-sensitive employees receive training specific to their
operations in order to best mitigate security risks.
3. Submission and Approval (Sec. 1570.109)
Comments on frequency of submitting security training programs to
TSA: Two commenters suggested companies should be permitted to submit
training plans and curriculum only once to TSA, which TSA would store
and review on a yearly basis and make recommended changes based on the
current threat.
TSA response: The rule does not impose a specific schedule for
owner/operators to submit updates to their security programs, such as
an annual update. It does, however, require owner/operators to request
to amend their programs if necessary to reflect changes in ownership or
permanent changes in operations affecting the security training program
or curriculum.\89\ For example, a program may need to be updated if the
owner/operator replaces equipment resulting in instructions conflicting
with the current security training curriculum, or expands operations
into a new commodity with different risks, changes personnel structures
affecting reporting, or begins operations in a new geographical area.
In addition, the final rule narrows the scope of amendments required
for changes to security measures or plans. Recognizing an owner/
operator's security program may include issues not specifically
relevant to the scope of transportation security this rule is intended
to address, the final rule includes a list of the specific type of
measures and program changes triggering the requirement to request an
amendment. TSA may also require owner/operators to amend their plans in
the interest of the public and transportation security.\90\
---------------------------------------------------------------------------
\89\ See Sec. 1570.113 and discussion in section IV.B.1.
\90\ See Sec. 1570.115 and discussion in section IV.B.2.
---------------------------------------------------------------------------
Comments on methods for submitting security programs to TSA: A
number of commenters supported submitting training programs to TSA via
electronic means, such as in email on a secured password protected
platform. One commenter also expressed support for the proposed initial
security program submission and approval process, as well as the
amendment approval process.
Two commenters, however, raised concerns with this process,
claiming it is too rigid and cumbersome to be effective. Commenters
noted railroad training programs are robust and adaptable, evolving to
address threats and security concerns. To continue to be effective, the
commenters advocated that they be allowed to update their programs as
needed without TSA approval. They also noted the FRA already oversees
railroad security training programs, and TSA inspectors can review the
same materials. They noted that given their current process, the NPRM
lacked adequate justification for the imposition of a prescriptive
process for submission, review, and approval of training programs
already in effect.
TSA response: In response to concerns regarding form of submission,
TSA intends to allow for electronic submission of required
documentation, consistent with SSI requirements. Relating to the need
for updating programs, the final rule requires owner/operators to adapt
their training materials to address specific threats in the various
modes as they emerge. TSA approval is not required for an update unless
the changes stay in effect for more than 60 days. For example, an
owner/operator may provide additional training to address risks
associated with a city hosting a national special security event. If
the changes are to stay in effect for more than 60 days, the owner/
operator must formally request approval to amend their security
program. As the required content for the required security training is
general operation security, TSA does not anticipate the TSA-approved
security training needing to change significantly in response to a
specific threat.
As to the concern about duplication of effort, TSA may accept all
or portions of an owner/operator's existing security training. Under
Sec. 1570.107, an owner/operator may rely on previous training
provided within the stipulated periods for initial or recurrent
training, as validated by TSA (based on information submitted by the
owner/operator). In addition, the rule provides for owner/operators to
rely on training conducted pursuant to other requirements to satisfy
the rule's security training requirements.\91\ In fact, the rule
specifically references training required by FRA.\92\ In reviewing
material prepared for other requirements, TSA will determine whether
the material adequately addresses security training from TSA's
perspective and reduces the risk of a terrorist-related attack on the
transportation. As previously noted, TSA mitigates concerns about
[[Page 16477]]
duplication of inspections, through the annexes to the DHS/DOT MOU.
These annexes address distinctions between TSA's focus on security and
DOT's focus on safety, as well as coordination on regulatory matters
between TSA and the relevant modal components of DOT.
---------------------------------------------------------------------------
\91\ See Sec. Sec. 1580.113(c), 1582.113(c), and 1584.113(c).
\92\ See Sec. Sec. 1580.113(c) and 1582.113(c).
---------------------------------------------------------------------------
Finally, regarding the prescriptive process requirements, TSA
reviewed all requirements in this rule to identify any options to
reduce the burden without undermining the rule's effectiveness or
conflicting with requirements in the 9/11 Act. The 9/11 Act
specifically requires submission of the training programs to DHS for
approval and regular updates.\93\ TSA believes the submission and
approval requirements in Sec. 1570.109 are consistent with this
statutory requirement, provide clear instruction on how this
requirement is to be met, and ensure consistent application of the
rule's requirements.
---------------------------------------------------------------------------
\93\ 9/11 Act sections 1408(d), 1517(d), and 1534(d).
---------------------------------------------------------------------------
4. Implementation Schedule (Sec. 1570.111)
Comments on initial security training: Several commenters advocated
for the proposed accumulated grace periods, ranging from 90 to 180
days, to allow recently hired employees to work before they complete
the training requirements. One commenter suggested abandoning the
accumulated days concept and replacing it with a requirement for all
employees to receive security training no later than 90 days after
beginning employment. One commenter suggested a method for calculating
date: A day should be based on full-time employment, with each 8-hour
period worked counting as one day. Regarding contractors, the same
commenter suggested the training responsibility should rest with the
contracted company.
Comments also addressed how to regulate temporary and/or part-time
employees. One commenter suggested all drivers, whether employees or
contractors, should be trained. Another commenter explained ``pooling
agreements,'' which allow or require employees from other companies to
operate their equipment, and noted these arrangements should be covered
in the final rule.
TSA response: While TSA appreciates concerns regarding the
implementation schedule for initial training, the 60-day requirement is
set by the statute. As noted in the NPRM, the 9/11 Act requires initial
training within the first 60-days of employment for new employees or
for those transitioning to a covered job function (as identified in
Appendix B to parts 1580 (freight rail), 1582 (PTPR), and 1584
(OTRB).\94\ TSA is not adopting the suggestion of a day equaling an
aggregated 8-hour period. TSA's intent with this rule is to ensure
employee's that are regularly positioned to identify and respond to
security threats are prepared to do so. TSA does not believe that this
priority is served by hourly calculations to determine what constitutes
a day.
---------------------------------------------------------------------------
\94\ See 81 FR 91347.
---------------------------------------------------------------------------
As to contractors, TSA consistently applies a policy requiring
regulated parties to accept responsibility for their contractors,
including employees operating under pooling agreements. Any person
working for an owner/operators within the scope of applicability,
performing a security-sensitive position--without regard to primary
employer or full/part-time status--must be trained. In other words, a
pooling agreement does not mitigate the need for security training. The
impact of this policy is more fully discussed under comments related to
49 CFR part 1503.
Finally, TSA is not changing the aggregated employment requirement
in Sec. 1570.111(4) nor the requirement for employees (whether
intermittent or contract) to be trained no later than the 60th day of
aggregated employment performing a security-sensitive function. This
requirement ensures these employees are trained after they are in a
position with a particular owner/operator long enough to gain awareness
of the operations necessary to determine when there is an anomaly that
could constitute a threat.
In response to the comment about all drivers (presumably of OTRBs)
being required to receive training, TSA is limiting it to individuals
with a commercial driver's license to focus on those with a nexus to
security, in other words, those likely to operate a bus to, through, or
from a high-risk location, rather than employees moving a bus across a
yard. While TSA is not currently requiring all drivers to receive the
security training, this does not prevent owner/operators from
voluntarily providing the security training required for security-
sensitive employees to a broader population of employees.
In addition, TSA is developing training materials that can be
consistently used across a particular mode. Use of this material,
coupled with the ability to use previous training, will minimize the
burden of ensuring employees in pooling agreements received adequate
training. Owner/operators can rely on the TSA-provided material to
address most of the requirements and limit their operation-specific
training to procedures unique to their operation, such as points of
contact to report security concerns and emergencies.
Comments on recurrent security training: TSA received a variety of
comments on recurrent training. Some commenters generally supported
annual recurrent training. Other commenters stated they should have
flexibility to self-determine the training schedule for their
employees, as opposed to an adhering to a ``one size fits all''
approach. Some commenters expressed concern with the time frame due to
cost constraints and the practicality of training employees while
simultaneously maintaining service. These commenters suggested longer
time periods between training, such as two or three years. One
commenter highlighted the safety requirements in FRA's rules, which
require training every three years.
TSA response: TSA considered options for recurrent training both
before proposing the requirement in the NPRM and in consideration of
comments submitted on the NPRM. TSA continues to believe in the
importance of recurrent training to meet the purpose of the rule, but
is adjusting the frequency of training in consideration of the
comments. The final rule requires recurrent training once every three
years. If, however, the owner/operator modifies its security program or
plan and those changes affect the responsibilities of specific
security-sensitive employees, based on their position or function in
relation to security program or plan requirements, the affected
employees must receive recurrent training to address the changes within
90 days of implementation of the revisions. This change is consistent
with the requirements for hazardous materials employees under 49 CFR
172.704.\95\ The recurrent training requirements are discussed in more
detail in section II.J.2.
---------------------------------------------------------------------------
\95\ In addition, TSA notes that it may order modifications to a
security program or plan, or order additional training, as
necessary. See, e.g., 49 U.S.C. 114(l).
---------------------------------------------------------------------------
5. Recordkeeping and Availability (Sec. 1570.121)
Comments: Two commenters said the proposed 5-year record-keeping
requirement would be excessive in duration, costly and burdensome in
administration, and unjustified by any risk-based factors. As an
alternative, they suggested owner/operators should only be required to
retain training from
[[Page 16478]]
the past three years (assuming TSA adopts a 3-year training
requirement).
TSA response: Within the context of an annual recurrent training
requirement, TSA considered modifying the record retention period based
on the comments as three years would provide adequate records of
previous training. The change, however, to recurrent training on a
three-year cycle necessitates maintaining the 5-year retention schedule
in order to ensure that the owner/operator can provide adequate
representation of previous training consistent with recurrent training
requirements as well as any training based on modification to the
owner/operator's security program or plan.
6. Security Coordinator (Sec. 1570.201)
Comments on security coordinator availability: Two commenters
suggested changes to the security coordinator requirements specifically
for railroad companies. First, they suggested TSA only require affected
railroads to maintain a 24/7 communications capability to ensure TSA
can reach the rail security coordinators and designated representatives
for the stated purpose of receiving intelligence information and
coordinating on security practices and procedures.
Second, there was one objection to the proposed requirement for
freight railroad operators to name rail security coordinators (RSC)
``accessible to TSA on a 24-hour a day, 7-day a week basis.'' The
commenter suggests modifying this proposal to require the railroad to
``maintain a 24/7 communications capability to ensure TSA can reach the
RSCs and designated representatives for the stated purpose of receiving
intelligence information and coordinating on security practices and
procedures.''
TSA response: First, TSA is reorganizing the location of the RSC
requirements promulgated in 2008, moving the requirements from 49 CFR
part 1580 to part 1570 (Sec. Sec. 1570.201 and 1570.203) and expanding
applicability of the existing RSC requirement to include bus operations
of public transportation systems and OTRB owner/operators within the
scope of the rule's applicability. TSA neither proposed nor is adopting
any modifications to the RSC requirements as they apply to railroads
and the requirement regarding 24/7 accessibility of security
coordinators.
It is critical for security coordinators to be ``accessible to TSA
on a [24/7] basis'' rather than accepting ``a 24/7 communications
capability [that] can reach the RSCs.'' Although most communication
between TSA and security coordinators may be routine, these individuals
are intended to serve key roles in times of heightened and specific
security threat and incident. During such periods, immediate
communication with the security coordinators may be required to prevent
or mitigate loss of life or severe harm to transportation security. TSA
believes the requirement for security coordinators to be accessible to
TSA on a 24-hour a day, 7-day a week basis is amply justified by
commonly accepted principles of emergency and security management. If
TSA needs to convey extremely time-sensitive security information to a
regulated party, particularly in situations requiring frequent
information updates, the information exchange benefits if there is
continuity in participants. The security coordinator must be in a
position to understand security problems, raise issues with corporate
leadership, and recognize when emergency response action is
appropriate. If the contact changes every time TSA makes a call, the
loss of continuity will undermine the effectiveness of the
communication.
Comments on citizenship requirement for security coordinators: Two
commenters stated disclosing citizenship status is unnecessary and
should not be required. One of the two commenters suggests TSA should
recognize Canadian government security clearances in lieu of requiring
RSC to be citizens of the United States.
TSA response: The rule does not require a rail security coordinator
to be a citizen of the United States. It does however, require each
owner/operator to report the citizen status of individuals it intends
to put forward as its RSC under Sec. 1570.201(d). This requirement is
necessary to meet the 9/11 Act requirement that security coordinators
be U.S. citizens unless TSA determines it is appropriate to waive the
requirement ``based on a background check of the individual and a
review of the consolidated terrorist watchlist.'' \96\ By providing
this information up front, TSA can initiate any additional actions
necessary to comply with this requirement.
---------------------------------------------------------------------------
\96\ See 9/11 Act sections 1512(e)(2) and 1531(e)(2).
---------------------------------------------------------------------------
7. Reporting Significant Security Concerns (Sec. 1570.203)
Comments on mandatory reporting requirement, scope of reporting,
and form of reporting: Several commenters opposed a mandatory reporting
requirement. A few argued the requirements would open up their
companies and employees to liability should an incident occur and an
earlier warning action was not observed. Several other commenters
specifically opposed the 24-hour proposed time limit, stating it was
too short, and some transit agencies may not know what the threat is in
that amount of time.
Commenters also suggested TSA authorize electronic reporting of
significant security concerns to meet the reporting requirements in
Sec. 1580.203. These commenters noted the rail industry has developed
an electronic reporting capability and demonstrated its effectiveness
in three industry-wide exercises.
Finally, a few commenters asked for additional clarity regarding
what ``significant security concern'' entails, and one asked for a list
of examples. One commenter specifically suggested TSA harmonize its
definition of ``security threat'' with the FRA's requirement in 49 CFR
part 239. Several commenters suggested streamlining the requirements.
TSA response: As with the security coordinator requirement, TSA is
reorganizing the location of the reporting significant security
concerns requirements promulgated in 2008 (which were at 49 CFR part
1580), placing the requirement in part 1570 to expand its applicability
to OTRBs and bus operations of public transportation system companies
within the scope of the rule's applicability. As proposed in the NPRM,
TSA is making three primary changes to the current requirement through
this final rule. These changes affect all owner/operators required to
report, but results in a reduced burden for rail operators previously
required to report. First, the rule modifies the current requirement to
report immediately, to allow up to 24 hours to report significant
security concerns. TSA is providing a period of up to 24 hours to
report the information for two reasons: (1) If there is an emergency,
the immediate priority is to notify and work with first responders, not
call TS, and (2) TSA is aware the quality of information provided is
improved when owner/operators have an opportunity to review the
information and ensure it constitutes a valid significant security
concern consistent with the description of activities in Appendix A to
part 1570 before it is reported. TSA believes 24 hours is an adequate
period for this process to work effectively. If more time is granted,
the information may be too stale to be of benefit to TSA or its other
stakeholders.
Second, TSA is modifying the existing requirement to allow for
electronic reporting. The current rule requires reporting to be made by
telephone. With
[[Page 16479]]
this final rule, TSA is expanding the requirement to allow for other
methods prescribed by TSA. TSA will communicate these methods directly
to security coordinators to avoid a situation where a phone number or
email address may become outdated based on changes or requirements
beyond the scope of this rulemaking.
Third, as noted in the NPRM and discussed in section III.C, TSA is
including in the final rule a table that identifies categories of
incidents and provides detailed descriptions.\97\ These incidents are
modified from the requirements promulgated in 2008 to align with other
standards, including those mentioned by commenters, and recommendations
from the Government Accountability Officer (GAO).
---------------------------------------------------------------------------
\97\ See Appendix A to part 1570. See also 81 FR 91351-91353.
---------------------------------------------------------------------------
D. Subpart B--Security Programs
1. Security Training Program General Requirements (Sec. Sec. 1580.113,
1582.113, and 1584.113)
Comment on content creation: TSA received several comments
regarding responsibility for creating training content. TSA also
received questions concerning who will conduct training and the
training format, including recommendations for TSA to consider video
training, in-classroom, and/or field training. Another commenter
suggested putting a one-hour cap on course length. One commenter
suggested an outside entity, not TSA, should provide oversight for
compliance with the training. Several commenters also suggested TSA
should require transit systems, rail carriers and OTRB operators to
seek the input of employees and union representatives as they draft
their training plans, which would ensure the plans consider individual
circumstances and are effective in promoting transportation security.
TSA response: Rather than putting limits on curriculum development,
the rule requires owner/operators to submit their security training
programs to TSA for review and approval. While the burden is on owner/
operators to develop and provide the training, the rule neither
prescribes how the content is to be created nor dictates how it is to
be provided. The flexible requirement is an intentional effort to
address the varied operational issues for owner/operators required to
provide training. For example, larger owner/operators may determine it
is more cost-effective to incorporate the training required by this
rule into existing training provided in a classroom. For smaller
operators, web-based training may be easier.
To address this variety, the rule requires owner/operators to
develop and implement a security training program meeting the
requirements of the relevant subparts and ensures the standards are met
by requiring the program to be submitted to TSA for review and approval
of the curriculum (including lesson plans, objectives, and modes of
delivery) and method for measuring effectiveness.\98\ TSA is unwilling
to put a cap on the requirement. Based on the security awareness
training TSA requires for its own employees as well as its work and
discussions with experts on content development, TSA assumes adequately
addressing all of the required elements will take approximately one
hour.
---------------------------------------------------------------------------
\98\ See Sec. Sec. 1580.113(b)(6), 1582.113(b)(6), and
1584.113(b)(6).
---------------------------------------------------------------------------
TSA is committed to providing maximum flexibility within the
constraints of the 9/11 Act's requirements and needs of regulatory
compliance. To support compliance, TSA intends to provide complimentary
training material satisfying many of the rule's requirements. If owner/
operators choose not to use this material, they will need to develop a
full curriculum to be approved by TSA. If they do use it, they may
still need to submit additional material for any portion of the
required training (based on their unique operations) not covered by the
TSA materials. As a result, the rule provides a process balancing
flexibility (for owner/operators to develop a program specific to their
operational environment) and TSA's need to ensure training programs
meet the rule's purpose.
TSA does not agree with suggestions for third-parties (not TSA) to
oversee the curriculum development and training. In light of the
flexibility given for curriculum development, TSA must ensure the
minimum requirements of the rule are met in order to satisfy both the
mandate of the 9/11 Act and TSA's intent for this rule to provide a
consistent baseline of security training across higher-risk operations.
TSA's subject matter experts for the modes of operation covered by this
rule will lead this review and approval process.
TSA agrees the materials should be relevant to the operational
environment and the employees who work within that environment. Like
other aspects of curriculum development, the rule gives owner/operators
the flexibility necessary to meet this objective without imposing a
prescriptive requirement. Similarly, the rule does not prohibit owner/
operators from consulting with relevant parties or developing programs
appropriate for their operational environment.
Comment on size of train crew: One commenter noted that a two-
person minimum crew in train cabs is vital to defending national
security. Their concerns reflected current operational requirements,
such as monitoring of computer screens rather than monitoring
conditions outside of the train (such as the track).
TSA response: The purpose of this regulation is to ensure employees
performing security-sensitive functions receive adequate training.
Staffing requirements for train operation are beyond the scope of this
rulemaking.
Comments on effectiveness of security training: The rule requires
owner/operators to include in their security training programs a method
for evaluating the effectiveness of the program.\99\ A few commenters
suggested ways to ensure the training is effective and applicable to
real-world situations. Suggestions included having businesses put up a
poster as a general reminder of the material covered in the class,
creating incentives (monetary or time-off awards) to completing
training, and ensuring class is engaging and not only a lecture in a
classroom. Another suggestion was to integrate randomized written tests
or drills of the covered material, of which successful completion could
warrant an award. Comments included suggestions for training to be
conducted in a classroom, citing two benefits of classroom training:
(1) Allows employees to ask questions and learn from questions and
discussions and (2) allows instructors to work with employees through a
variety of scenarios, which would include teaching how to look out for
and spot various security threat and explain the various roles each
employee serves in responding to these threats. One commenter asked
whether the training could be incorporated into ``Entry Level Driver''-
training, and also suggested an online ``train the trainer'' course.
---------------------------------------------------------------------------
\99\ See Sec. Sec. 1580.113(b)(9), 1582.113(b)(9), and
1584.113(b)(9). See also discussion at II.K.
---------------------------------------------------------------------------
Commenters were divided on the question of whether the training's
effectiveness should be documented through testing. Several commenters
stated that classroom testing should be augmented by field testing.
Others suggested no testing should be required. Several commenters
suggested that TSA incorporate efficacy standards or incentives for
public transportation agency employees. As an alternative, a number of
commenters opposed any kind of proficiency testing on the training
course material.
[[Page 16480]]
TSA response: TSA is requiring the owner/operator to describe the
method to be used for measuring effectiveness of security training and
will conduct inspections to ensure the approved method is being used,
as part of implementing the TSA-approved security training program.
While TSA appreciates the information provided by commenters for
measuring the effectiveness of training, TSA has decided not to dictate
which method must be used. As part of its commitment to recognizing the
many unique operational environments for owner/operators subject to
this regulation, as well as the commitment to balance maximum
flexibility with effective security, TSA is not requiring a specific
method for measuring effectiveness.\100\
---------------------------------------------------------------------------
\100\ For further discussion, see 81 FR at 91361.
---------------------------------------------------------------------------
TSA recognizes that pre- and post-testing in a classroom setting is
an efficient way to determine the effectiveness of training. TSA also
acknowledges, however, that, other methods of documenting the
effectiveness of training exist, which may be preferable for some
employees and/or circumstances. Therefore, TSA is not specifying a
particular type of testing or other method for determining
effectiveness, but will use the owner/operator's TSA-approved standard
for measuring effectiveness when inspecting an owner/operator's
training documentation to verify that each employee who must be trained
has received the required training and that the owner/operator has
determined that the training is effective.
2. Security Training and Knowledge for Security-Sensitive Employees
(Sec. Sec. 1580.115, 1582.115, and 1584.115)
Comments on security training knowledge requirements: TSA received
varied comments on the required security training curriculum content
requirements. The comments ranged from asserting that the scope of the
training content is overly broad to proposing additional training
requirements to be added to the rule.
One commenter, concerned that the scope is too broad, suggested
training beyond awareness observation and reporting may be excessive
and counterproductive to the safety and convenience of passengers. The
commenter recommended that security training requirements not exceed
the parameters of the employee's unique tasks or working environment.
Finally, some commenters wanted topics added to the curriculum. Two
commenters suggested the training focus on civil liberties, and
integrate community policing principles. Other proposed topics included
how to respond to an attack, high-jacking, and/or kidnapping scenario;
self-defense training; specified training on high-risk events; training
on accessing and interpreting situations; and development of
communication skills.
Commenters suggested the training address issue of civil rights and
liberties, expressing concerns about training employees to identify
individuals as threats based on their socioeconomic status. One
commenter specifically cautioned against enabling transit security
personnel to profile riders based on race or religion, and suggested
personnel should first be trained to respect rights of all individuals,
and should also be trained in effective measures not involving ``stop
and frisk,'' or similar measures.
TSA response: TSA believes the required security-training topics
(covering prepare, observe, assess, and response) will provide a
baseline of security awareness to enhance the overall safety and
security of passenger and cargo transported by rail and highway. This
type of security awareness does not inconvenience passengers or
undermine their safety. It does, however, enhance passenger security.
Furthermore, nothing in the rule empowers employees to engage in racial
profiling or conduct police operations. TSA will not approve a training
curriculum encouraging employees to conduct racial profiling or report
threats based on socioeconomic status.
Finally, the regulatory requirements for training content provide
flexibility to owner/operators to develop programs appropriate to their
operational environment, including known threats and vulnerabilities.
As a result, training may include how to identify threats such as a
potential hijackers and how to prepare and use the required training
during high-profile events (including appropriate communications with
the public and first responders). The requirements of this rule will
enhance such targeted, optional training. The rule's requirements will
result in employees possessing an understanding of the norm for their
operational environment, the skills and knowledge necessary to identify
anomalies indicating a potential threat, and the capability to respond
appropriately.
Comments on training to satisfy regulatory requirements: Several
commenters requested more specificity regarding what type of training
will satisfy the curriculum requirements, including a list of examples.
One commenter asked for guidance on what type of training will satisfy
the curriculum requirement concerning ``defending oneself.''
TSA response: In the past, TSA has worked with the relevant
associations and FEMA to identify training to address specific security
needs and anticipates continuing to do so as it relates to the
requirements in this rule. In addition, TSA has partnered with national
associations and industry to cooperatively develop security training
curriculum and programs. While TSA does not intend to endorse specific
third-party training programs owner/operators may submit these programs
to TSA as part of their security training programs. TSA will assess all
submitted programs to ensure compliance with the rule's requirements
before approving the training program. As to the comment on providing
more information on ``defending oneself,'' the rule does not require
training on how to use self-defense devices or other protective
equipment provided by the employer. TSA assumes the employer's standard
employee training will address these issues at the time the equipment
is provided (one commenter noted the Occupational Health and Safety
Administration (OSHA) requires employees to receive training in the use
of (PPE) required by their job functions).
Comments on impact of TSA-developed security training materials:
One commenter suggested that TSA develop an annual course based on
current threat and intelligence rather than requiring companies to
create annual plans for TSA approval. Similarly, several commenters
suggested that TSA create a baseline curriculum, such as a video, that
would meet the regulatory requirements. One commenter suggested that
companies could voluntarily submit supplemental training that exceeds
the recommended baseline training that is specific to their mode. One
commenter, however, specifically stated that TSA's First
ObserverTM training materials are inadequate.
TSA response: This rule does not require owner/operators to submit
updated plans every year. Updates, or amendments, are only required for
specific reasons, as discussed in section IV.B.
In regard to the comments regarding use of First
ObserverTM, TSA notes that the First ObserverTM
program most familiar to regulated parties was created primarily for
highway and motor carrier professionals. While TSA assessed that First
ObserverTM covers three of the required training elements
for OTRB owner/operators, the program was not created to specifically
address this rule
[[Page 16481]]
nor was it meant to be applicable to all surface modes of
transportation.
At the time the NPRM was published, TSA anticipated expanding the
First ObserverTM program to incorporate additional training
material. Since publication of the NPRM, however, TSA initiated
development of new materials to address three of the required training
program components (Observe, Assess, and Respond) that are relevant to
all owner/operators within the three covered modes.\101\ While these
videos are a new product intended to specifically align with the rule's
requirements, they build upon previous training developed by TSA under
First ObserverTM and other transportation security-related
training programs. TSA adapted this previously developed information,
and supplemented it as necessary, to ensure the videos address as many
of the required training elements as can be met through a one-size fits
all training video. These materials may eventually be placed under the
First ObserverTM umbrella, but will not be the same as the
original program.
---------------------------------------------------------------------------
\101\ The ``Prepare'' element of the required training
curriculum is, by its nature, specific to each the operations of
each owner/operator covered by the rule. As such, this element
cannot be addressed in material intended to be applicable to
multiple owner/operators.
---------------------------------------------------------------------------
As noted in the NPRM, use of TSA-developed and provided material is
optional. TSA developed these materials to further reduce the burden of
compliance to owner/operators with a resource they may use to meet a
majority of the security training requirements under this rule. These
videos will be made available to all of TSA's surface stakeholders.
TSA is aware that not all owner/operators will choose to use TSA-
provided material, particularly if they are incorporating their
training into existing training programs to meet other Federal, state,
or local training requirements. Owner/operators may need to develop
and/or provide supplemental material to ensure the training provided
meets all of the training requirements, specifically reflecting nuances
within the operations of a particular owner/operator or a particular
sub-set or location of these operations. This additional information
must be identified and included in the security training program
submitted to TSA. As the videos use is not mandatory, the economic
analysis does not account for them when estimating costs of compliance.
E. Freight Rail Specific Issues
1. Applicability of Security Training Requirements (Sec. 1580.101)
Comments: Several commenters expressed concern related to the
designated list of HTUAs in Appendix A to part 1580. One commenter
believed the training is necessary for all frontline employees, not
just those employed by higher-risk operations. Another noted that
improving security at some locations may result in terrorists
redirecting their operations to softer targets not covered under the
rule. The commenter suggested the rule should require security training
at all transportation locations. The commenter specifically recommended
that the rule cover freight, passenger rail, and public transit
systems.
TSA response: As discussed in the NPRM, TSA's risk-based
determinations for applicability are consistent with the focus of the
9/11 Act's requirements on higher-risk operations.\102\ This risk-based
focus is reflected in the statutory requirement for the training to be
provided to frontline employees, not all employees, and placing the
security training requirements within the context of a broader security
program focusing on higher-risk operations.
---------------------------------------------------------------------------
\102\ See 81 FR 91355 et seq.
---------------------------------------------------------------------------
While hardening one target could make those with nefarious intent
believe that other targets are more vulnerable, the threat (an
adversary's intent and capability) is only one of the critical factors
affecting risk (which also includes vulnerabilities and consequences).
The risk analysis underlying the applicability for freight railroad is
heavily weighted to address concerns regarding the vulnerabilities and
consequences. TSA determined the highest risk freight railroads are
those designated as Class I, based on their revenue and the Nation's
dependence on these systems to move both freight in support of critical
sectors and passengers. All Class I railroads must provide security
training. Similarly, some shortlines (also known as Class II or Class
III railroads) are higher-risk because of what they transport and where
they transport it. As noted above, and in the NPRM, certain materials
have a higher-risk associated with them based on the potential
consequences should they be released.\103\ The likelihood of
catastrophic consequences is greater in HTUAs. By reducing the
vulnerability through increased security training, the rule's
applicability is intended to reduce the risk for these systems without
increasing the risk for others. Finally, TSA encourages owner/operators
not within the scope of the rule's applicability to use the regulatory
requirements as guidance for voluntarily implementing a security
training program for its security-sensitive and other employees,
whether by using TSA-developed programs or through its own training.
These owner/operators may contact TSA through the numbers and addressed
identified in under FOR FURTHER INFORMATION CONTACT, or through modal
associations (with whom TSA regularly interacts).
---------------------------------------------------------------------------
\103\ See id.
---------------------------------------------------------------------------
2. Chain of Custody and Control Requirements (Sec. 1580.205)
Comments: Two commenters asserted threat assessments indicate
freight railroads face a lower terrorist threat. The commenters
concluded the transfer of custody procedures should only apply at
elevated or imminent terrorism levels.
TSA response: TSA understands this comment to be about the chain of
custody requirements currently required by 49 CFR 1580.107 and not this
rule's requirements to provide training on the chain of custody
procedures employed by the railroad. For the underlying chain of
custody requirements, this rule merely relocates the requirement within
the CFR; TSA did not propose modifying them. TSA thus considers these
comments pertaining to substantive changes to the chain of custody
requirements as beyond the scope of this rulemaking. Consistent,
however, with the requirements of Executive Order 13777, Enforcing the
Regulatory Reform Agenda (Feb. 24, 2017), TSA is addressing this
comment as a suggested revision to existing regulations.
Under 49 U.S.C. 114(l)(3), TSA is required to consider the
potential impact on security before it rescinds or revises a regulatory
requirement. Transfer of custody requirements are intended to prevent
access by unauthorized persons to railcars loaded with certain
chemicals or materials may constitute an immediate threat to life or
health if released into the environment. TSA does not agree that
transfer of custody procedures should only apply to elevated or
immediate threat risk. The state of the terrorism alert level is not
related to the need to deny unauthorized persons access to railcars
loaded with hazardous materials; unauthorized persons must be denied
access to such railcars at all times. Terrorism alert levels are
increased when there is reason to believe a heightened threat of an
attack exists or may exist. Accessible freight cars containing
hazardous materials may be
[[Page 16482]]
used to mount an attack spontaneously, without elaborate planning or
premeditation on the part of the attacker, and therefore without
warning or reason to elevate the threat level in advance of the attack.
Current ``chain of custody'' requirements accomplish this objective and
are retained in the final rule.
F. Public Transportation and Passenger Railroad Specific Issues
Comments: Several commenters questioned the scope of the rulemaking
in relation to PTPR. Commenters specifically questioned TSA's criteria
for identifying the current PTPR systems, and asked whether TSA will
identify additional PTPR systems in the future. One commenter urged TSA
to reconsider limiting the applicability to 46 systems rather than all
PTPR systems, as the cost-savings is far outweighed by the cost-
effectiveness achieved by meaningful training of all frontline transit
employees in security-sensitive positions. One commenter asked if the
Federal Transit Administration's (FTA's) impending repeal of 49 CFR
part 659 would mean only TSA's identified ``higher risk'' PTPR systems
will have security training requirements, vulnerability assessments,
and security planning requirements after April 15, 2019.
TSA response: As noted above, TSA's risk-based determinations for
applicability are consistent with the 9/11 Act's requirements regarding
higher-risk operations. This focus on risk is reflected in the
statutory requirement for training frontline employees, not all
employees, and placement of the security training requirements within
the context of a broader security program required to focus on higher-
risk operations. In questioning TSA's criteria for its determination,
the commenter provided no specific information regarding TSA's
perceived failures nor provided alternatives. If TSA decides to expand
the rule's applicability to additional systems, it would do so through
appropriate rulemaking procedures consistent with TSA's statutory
authorities and rulemaking requirements.
TSA cannot confirm the rule will continue to be as cost-effective
if the number of PTPR systems is expanded. In the NPRM and Final RIA,
TSA performed an alternatives analysis (Section 5.2 of the Final RIA),
in which one of the alternatives expanded the scope of affected PTPR
owner/operators from 47 (46 PTPR systems + Amtrak) to 253. This
alternative would result in the costs of compliance for the PTPR
industry to increase from $2.44 million to $14.93 million (both
annualized and discounted at 7 percent).\104\ It seems unlikely that
expanding security training to an additional 206 owner/operators, to
include operations not considered higher-risk, will yield a
corresponding reduction in risk. As previously noted, TSA encourages
owner/operators not covered by the rule's applicability to use the
regulatory requirements as guidance for voluntarily implementing a
security training program for its frontline employees, whether by using
TSA-developed programs or through its own training.
---------------------------------------------------------------------------
\104\ See Final Rule RIA, tables 40 and 91 for total costs to
PTPR in the preferred alternative and Alternative 2 (expanded
population), respectively.
---------------------------------------------------------------------------
Finally, the nexus between the FTA's requirements and this rule are
more fully discussed in the NPRM.\105\
---------------------------------------------------------------------------
\105\ See 81 FR at 91365.
---------------------------------------------------------------------------
G. OTRB Specific Issues
1. Definition of Security-Sensitive Employees (Sec. 1584.3 and
Appendix B to Part 1584)
Comments: Two commenters expressed concern that bus companies do
not always know in advance exactly which buses will be used for which
service. One of the commenters suggested it would be easiest for their
company if all drivers take part in mandatory training, regardless of
their normal scheduled route, as there is potential for a driver to be
transferred to a different assignment at the last minute. Another
commenter cautioned the rule may cause confusion as to which employees
of an operation should be trained, and asked for clarification whether
an operator should only train front line employees servicing identified
destinations. The commenter explained a scheduled service operator may
offer charter, shuttle bus, or other transportation services, in
addition to fixed-route service to areas that are outside the UASI
areas.
TSA response: To address the request for clarity, TSA recommends
owner/operators first determine whether they have operations placing
them within the scope of the rule's applicability, i.e., whether the
owner/operator provides fixed-route service to, through, or from one of
the areas identified in Appendix A to part 1584. If so, the owner/
operator must provide security training to all of its security-
sensitive employees. The question of which employees receive training
is not based on where the employee's job takes them, but what their job
requires them to do. Thus, all employees who have a commercial driver's
license and operate an OTRB for the owner/operator must receive
security training, not just those who drive an OTRB to, through, or
from an identified area.
The comments provided conflicting opinions on whether requiring all
security-sensitive employees to receive the training, regardless of
where the individual operates, is necessary. TSA is requiring that all
security-sensitive employees must be trained, but notes that owner/
operators may request alternative measures under the procedures in
Sec. 1570.117.
2. Applicability (Sec. 1584.101)
Comments on threat: One commenter disagreed that vehicle borne
improvised explosive devices (VBIED) are the greatest and most likely
attack risk, citing recent terrorism-related incidents involving
vehicle ramming.
TSA response: Within the context of the 9/11 Act's mandate for TSA
to require OTRB owner/operators to provide security training to their
employees, TSA's risk analysis focused on what risks were greatest for
OTRB, not all forms of motor vehicles. To the extent the commenter is
suggesting use of an OTRB for vehicle ramming is greater than the risk
of using an OTRB as a VBIED, the distinction would have no impact on
how TSA uses its risk analysis to determine applicability as the
vulnerabilities and consequences for OTRBs are similar. To the extent
the commenter is referring to other types of motor carrier-related
threats, TSA notes that security awareness training is a valuable
countermeasure against vehicle ramming attacks. Because large
commercial vehicles can do more damage in a ramming attack, teaching
large vehicle operators to be more sensitive to and aware of possible
hijacking or other attempts to procure their vehicle can mitigate
losses and damages.
Comments on applicability: Several commenters expressed concern
with the scope and applicability of the rule. One commenter agreed with
the definition of ``higher risk'' and their application to the rule,
but urged TSA to ensure DHS provides consistency throughout all its
components regarding ``the factors that could make an OTRB a potential
target.'' One commenter suggested that UASI may be ``over kill,'' and
suggested only 10 areas. Another expressed concern that as UASI areas
are re-determined annually, the prioritized locations could change
frequently, which would result in an undue burden on operators and
foster soft targets as resources are shifted to address new threats.
Finally, commenters expressed concern that the rule may create ``soft
targets'' which could be exploited by terrorists.
[[Page 16483]]
TSA response: As discussed in the NPRM,\106\ TSA's risk-based
determinations for applicability are consistent with the focus of the
9/11 Act's requirements on higher-risk operations. This is reflected in
the statutory requirement for the training to be provided to frontline
employees, not all employees, and placing the security training
requirements within the context of a broader security program that
focuses on higher-risk operations.
---------------------------------------------------------------------------
\106\ See general discussion on applicability, id. at 91355 et
seq. See also OTRB specific discussion, id. at 91358 et seq.
---------------------------------------------------------------------------
While hardening one target could make those with nefarious intent
believe that other targets are more vulnerable, the threat (an
adversary's intent and capability) is only one of the critical factors
affecting risk (which also includes vulnerabilities and consequences).
The risk analysis underlying the applicability for OTRB is heavily
weighted to address concerns regarding the vulnerabilities and
consequences, including the vulnerability associated with scheduled
service and the consequences should an attack occur in highly populated
urban areas.
Because the risk involving an OTRB as a VBIED is primarily to the
targeted urban area, TSA relied on a risk model developed by DHS to
determine highest risk urban areas for the UASI grant program. This
model has been approved by the Secretary of Homeland Security for
calculating the relative risk of urban areas in order to inform UASI
allocation determinations.\107\ As with PTPR, TSA drew the line for
applicability where there is a natural and significant break in the
funding allocations as informed by the risk methodology.
---------------------------------------------------------------------------
\107\ As the risk methodology relies upon SSI, it is not
available to the public.
---------------------------------------------------------------------------
As to concern about the impact of future changes to UASI
designations, that concern is misplaced. While TSA used the UASI
designations to develop its applicability determination, the term UASI
is not used in the applicability. Instead, the rule applies to those
providing fixed-route service to, through, or from one of the areas
identified in Appendix A to part 1584. The table in this appendix
includes specific counties to avoid any potential confusion regarding
applicability.
Finally, TSA does not believe the regulation creates soft targets.
By reducing the vulnerability through increased security training, the
rule's applicability is intended to reduce the risk for these systems
without increasing the risk for others. Finally, TSA notes that it
encourages owner/operators not covered by the rule's applicability to
use the regulatory requirements as guidance for voluntarily
implementing a security training program for its frontline employees,
whether by using TSA-developed programs or through its own training.
H. Comments Beyond Scope of Rulemaking
TSA received several comments regarding issuance of self-defense
devices, such as tasers and mace, ranging from suggesting that we
require employers to issue them to suggesting that we prohibit it.
Either suggestion is beyond the scope of this rulemaking. The comment
indicating that OSHA mandates employee training in the use of PPE, if
required by their job functions, has already been noted.
VIII. Rulemaking Analyses and Notices
A. Paperwork Reduction Act
The Paperwork Reduction Act of 1995 (PRA) requires Federal agencies
to consider the impact of paperwork and other information collection
burdens imposed on the public and, under the provisions of PRA sec.
3507(d), obtain approval from the OMB for each collection of
information it conducts, sponsors, or requires through
regulations.\108\
---------------------------------------------------------------------------
\108\ Public Law 96-511, 94 Stat. 2812 (Dec. 11, 1980), as
codified at 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------
OMB has approved a related information collection request for
contact information for RSCs and alternate RSCs, as well as the
reporting of significant security concerns by freight railroad
carriers, passenger railroad carriers, and rail transit systems.\109\
---------------------------------------------------------------------------
\109\ See OMB Control No. 1652-0051.
---------------------------------------------------------------------------
This final rule, however, contains new information-collection
activities subject to the PRA. Accordingly, TSA has submitted the
following information requirements to OMB for its review. The
Supporting Statement for this information collection request is
available in the docket for this rulemaking.
Title: Security Training Programs for Surface Mode Employees.
Summary: This final rule requires the following information
collections:
First, owner/operators identified in 49 CFR 1580.101, 1582.101, and
1584.101 are required to submit a security training program for
security-sensitive employees that meets the requirements of subpart B
of 49 CFR part 1580, subpart B of 49 CFR part 1582, and subpart B of 49
CFR part 1584. Additionally, they are required to submit a request to
amend their security training program if certain changes are made to
their operations or if notified by TSA that an amendment is necessary.
For purposes of its burden estimates, TSA assumes such modification
will occur every three years.
Second, the public transportation bus systems and OTRB owner/
operators to whom the final rule applies would be required to obtain
personal and contact information from their designated security
coordinator, and alternate, and submit such records to TSA.
Third, respondents would be required to retain individual training
records on security-sensitive employees at the location(s) specified in
each respondent's respective security training program, and make such
records available to TSA upon request.
Fourth, the public transportation bus systems and OTRB owner/
operators to whom the final rule applies would be required to report
significant security concerns, which includes incidents, suspicious
activities, and/or threat information.
Use of: This information will be used to support the implementation
of this final rule, including to TSA determinations that security
training programs satisfy the requirements in this final rule.
Recordkeeping requirements are necessary for TSA to verify employee
training is in compliance with the final rule. Security coordinator
information supports respondent communications with TSA concerning
intelligence information, security related activities, and incident or
threat response with appropriate law enforcement and emergency response
agencies. The reporting of significant security concerns supports the
analysis of trends and indicators of developing threats and potential
terrorist activity.
Respondents (including number of): The likely respondents to this
information collection are the owner/operators of covered surface
modes, which are estimated to incur approximately 579,070 responses
over the next 3 years (including 145,731 freight railroad responses;
254,754 PTPR responses; and 178,586 OTRB company responses), which
amounts to an average annual cost of $0.93 million.
Frequency: TSA estimates that following initial submission,
security training programs would need to be periodically updated as
appropriate. Security training records would need to be updated after
each training occurrence. Security coordinator information would need
to be updated as appropriate. Significant security concerns would be
reported as they occur. TSA estimates inspections for
[[Page 16484]]
compliance would occur at a rate of one inspection per year per owner/
operator.
Annual Burden Estimate: The average yearly burden for security
training program development and submission, security coordinator
submission, employee training documentation recordkeeping, and incident
reporting is estimated to be 2,729 hours for freight railroads; 3,311
hours for PTPRs; and 6,278 hours for OTRB companies. The total average
annual time burden estimate is approximately 12,318 hours. Table 5
shows the information collections and corresponding hour burdens for
entities falling under the requirements of the final rule.
Table 5--PRA Hours of Burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
Time per Number of responses Average
Collection response ------------------------------------------------ 3-Year time annual time
(hours) Year 1 Year 2 Year 3 burden burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
Initial Security Training Program Development and Submission
--------------------------------------------------------------------------------------------------------------------------------------------------------
Freight Rail............................................ 152 33 0 0 5,016 1,672
PTPR.................................................... 88 47 0 0 4,136 1,379
OTRB (Large to Medium).................................. 44 31 1 1 1,439 480
OTRB (Small)............................................ 28 174 3 3 5,062 1,687
--------------------------------------------------------------------------------------------------------------------------------------------------------
Modified Security Training Program Development and Submission
--------------------------------------------------------------------------------------------------------------------------------------------------------
Freight Rail............................................ 25 30 0 0 743 248
PTPR.................................................... 25 42 0 0 1,058 353
OTRB (Large to Medium).................................. 25 28 1 1 736 245
OTRB (Small)............................................ 25 157 3 3 4,068 1,356
--------------------------------------------------------------------------------------------------------------------------------------------------------
Security Coordinator Information Submission
--------------------------------------------------------------------------------------------------------------------------------------------------------
PTPR.................................................... 0.5 52 6 6 32 11
OTRB.................................................... 0.5 467 65 66 299 100
--------------------------------------------------------------------------------------------------------------------------------------------------------
Employee Training Documentation Recordkeeping
--------------------------------------------------------------------------------------------------------------------------------------------------------
Freight Rail............................................ 0.017 136,155 4,750 4,764 2,428 809
PTPR.................................................... 0.017 194,219 23,173 23,251 4,011 1,337
OTRB.................................................... 0.017 39,147 5,142 5,206 825 275
--------------------------------------------------------------------------------------------------------------------------------------------------------
Incident Reporting
--------------------------------------------------------------------------------------------------------------------------------------------------------
PTPR.................................................... 0.05 4,652 4,652 4,652 698 233
OTRB.................................................... 0.05 41,881 42,691 43,516 6,404 2,135
-----------------------------------------------------------------------------------------------
Total Burden (responses)............................ .............. .............. .............. .............. 579,070 193,023
-----------------------------------------------------------------------------------------------
Total Burden (hours)................................ .............. .............. .............. .............. 36,953 12,318
--------------------------------------------------------------------------------------------------------------------------------------------------------
B. Economic Impact Analyses
1. Regulatory Impact Analysis Summary
Changes to Federal regulations must undergo several economic
analyses. First, Executive Order 12866, Regulatory Planning and
Review,\110\ as supplemented by Executive Order 13563, Improving
Regulation and Regulatory Review,\111\ directs each Federal agency to
propose or adopt a regulation only upon a reasoned determination that
the benefits of the intended regulation justify its costs. Second, E.O.
13771, Reducing Regulation and Controlling Regulatory Costs,\112\
requires agencies to identify at least two regulations to be eliminated
for every new regulation, and also requires that the cost of planned
regulations be prudently managed and controlled through a budgeting
process. Third, the Regulatory Flexibility Act of 1980 \113\ requires
agencies to consider the economic impact of regulatory changes on small
entities. Fourth, the Trade Agreement Act of 1979 \114\ prohibits
agencies from setting standards that create unnecessary obstacles to
the foreign commerce of the United States. Fifth, UMRA requires
agencies to prepare a written assessment of the costs, benefits, and
other effects of proposed or final rules that include a Federal mandate
likely to result in the expenditure by State, local, or tribal
governments, in the aggregate, or by the private sector, of $100
million or more annually (adjusted for inflation).\115\
---------------------------------------------------------------------------
\110\ 58 FR 51735 (Oct. 4, 1993).
\111\ 76 FR 3821 (Jan. 21, 2011).
\112\ 82 FR 9339 (Feb. 3, 2017).
\113\ Public Law 96-354, 94 Stat. 1164 (Sept. 19, 1980) as
codified at 5 U.S.C. 601 et seq.
\114\ Public Law 96-39, 93 Stat. 144 (July 26, 1979), codified
at 19 U.S.C. 2531-2533.
\115\ Supra n. 63.
---------------------------------------------------------------------------
2. Executive Orders 12866, 13563, and 13711 Assessments
Under the requirements of Executive Orders 12866 and 13563,
agencies must assess the costs and benefits of available regulatory
alternatives and, if regulation is necessary, select regulatory
approaches that maximize net benefits (including potential economic,
environmental, public health and safety effects, distributive impacts,
and equity). These requirements were supplemented by Executive Order
13563, which emphasizes the importance of quantifying both costs and
benefits, of reducing costs, of harmonizing rules, and of promoting
flexibility. Under Executive Order 13711, Reducing Regulation and
Controlling Regulatory Costs,\116\ agencies must identify whether a
[[Page 16485]]
rulemaking is a regulatory or deregulatory action.
---------------------------------------------------------------------------
\116\ 82 FR 9339 (Feb. 3, 2017).
---------------------------------------------------------------------------
In conducting these analyses, TSA has determined:
1. This rulemaking is a significant regulatory action within the
meaning of Executive Order 12866 and a regulatory action under
Executive Order 13771. TSA has determined that this rulemaking is not
economically significant. The rule will not result in an effect on the
economy of $100 million or more in any year of the analysis. The total
annualized costs of the final rule over a perpetual time period using a
7 percent discount rate, in 2016 dollars, and discounted back to 2016
is $5.28 million. The rule will not adversely affect the economy,
interfere with actions taken or planned by other agencies, or generally
alter the budgetary impact of any entitlements.
2. TSA prepared a Final Regulatory Flexibility Analysis (FRFA),
which finds that this rulemaking would likely have a regulatory cost
that exceeds one percent of revenue for 47 small entities--1 freight
rail and 46 OTRB owner/operators--of the total 200 small entities that
would be regulated by the final rule.
3. This rulemaking would not constitute a barrier to international
trade.
4. This rulemaking does not impose an unfunded mandate on State,
local, or tribal governments, or on the private sector under UMRA.
In the NPRM RIA, TSA estimated that the rule would cost $157.27
million over ten years, discounted at 7 percent. In the Final RIA, TSA
updated its benefit-cost analysis and estimated this regulation will
cost $52.30 million over ten years, discounted at 7 percent. The change
in cost estimate from the NPRM RIA to the Final RIA is due to the
following:
The final rule will require affected surface mode
employees to undergo security training at least once every three years,
which is a change in frequency from the annual training requirement in
the NPRM. TSA updated training burden cost estimates to reflect the
final rule's triennial training cycle.
TSA updated employee population estimates in each of the
three industries regulated by this final rule. In all three modes, the
final rule employee population estimates decreased from the estimates
in the NPRM: (1) The population of impacted freight rail employees
decreased based on an updated source.\117\ (2) The population of
impacted PTPR employees decreased as a result of TSA using more
detailed population data in this Final RIA, as well as an update in the
percentage of employees performing security-sensitive roles. (3) The
population of impacted OTRB employees decreased as a result of
reevaluating the population of impacted OTRB owner/operators from the
NPRM dataset. TSA made revisions based on new information about the
owner/operator's operations (such as the lack of scheduled services),
as well as the consolidation and closure of owner/operators within the
industry. This re-evaluation resulted in eight fewer OTRB owner/
operators than previously estimated in the NPRM, which in turn meant
fewer employees were impacted.
---------------------------------------------------------------------------
\117\ The Final RIA used the 2017 version of ``AAR Railroad
Facts'' versus the 2014 version used in the NPRM.
---------------------------------------------------------------------------
TSA updated its estimates of compensation rates, employee
turnover rates, and various other inputs. TSA has reviewed all the
inputs used in the NPRM RIA and updated them to ensure that the Final
RIA uses the most recently available data.
TSA added the cost for owner/operators to develop their
own training programs in its primary cost analysis; in the NPRM RIA,
only Alternative 2 made this assumption. In the primary cost analysis
of the NPRM RIA, TSA assumed owner/operators would use a video provided
by TSA, free of charge, to meet a majority of the training
requirements. TSA still plans to make this video available, however for
the purpose of presenting the full range of possible costs for owner/
operators from the final rule, TSA decided to include the cost of
developing a custom training program in the Final RIA. Because of this
change, TSA increased the time burden for owner/operators to develop a
training program. TSA also increased the time burden for TSA to review,
modify, and re-review these programs. Lastly, TSA increased its
estimate of hours spent per inspection because TSA believes
Transportation Security Inspectors will need more time to inspect
owner/operators on the particulars of their unique training program.
TSA revised its assumption that owner/operators will, on
average, update their training program every five years (as assumed in
the NPRM RIA) to every three years. TSA made this change because it
better aligns with the new assumption that owner/operators would create
their own training program. TSA assumes a custom training program would
involve more owner/operator-specific circumstantial changes and those
would occur, on average, more often. This change increased the
estimated cost to owner/operators and TSA because they will,
respectively, submit and review training programs more frequently
within a ten-year period.
TSA added the cost for a name check of new security
coordinators against its Terrorist Screening Database. This cost is
absorbed by TSA, not owner/operators nor the security coordinators.
TSA revised its time burden estimate for recordkeeping
from 15 seconds to 1 minute. This more closely aligns to previous
estimates TSA has made for other employee-specific recordkeeping
requirements.
Table 6 shows the cost components that TSA expects industry and
Government will incur from implementing the final rule. This table
compares these cost components to their respective estimates in the
NPRM and describes the changes made from the original analysis.
[[Page 16486]]
Table 6--10-Year Total Cost of NPRM vs Final Rule
[Discounted at 7 percent, in $ thousands]
--------------------------------------------------------------------------------------------------------------------------------------------------------
NPRM and FR comparison Significant change
Requirements Section ------------------------------------------------ Description from NPRM to final
NPRM Final rule Difference rule
--------------------------------------------------------------------------------------------------------------------------------------------------------
Training Cost...................... 1580.113, 1582.113, $152,277 $43,429 ($108,848) Requirement to train Changed cost estimate
and 1584.113. security-sensitive to reflect three-
employees on year training cycle.
required elements Updated and refined
(one of the elements population data of
is expanded for security-sensitive
freight rail) of employees. Overall
security training. estimate of affected
employees decreased
from the NPRM.
Training Plan...................... 1570.109............. 1,653 4,372 2,718 Requirement to submit Added the cost for
a training program creating custom
to TSA. Costs training plans; TSA
include planning, previously, assumed
drafting, review and they would use the
submission. TSA-provided video.
Security Coordinator............... 1570.201............. 77 48 (29) Requirement to assign Added the TSA cost to
a security perform a name check
coordinator and an of new security
alternate to serve coordinators against
as a security the Terrorist
liaison with TSA. Screening Database.
Costs include
initial and updated
submissions from
security coordinator
turnover.
Incident Reporting................. 1570.203............. 2,052 2,404 353 Requirement to report Included additional
significant security post-call
concerns within 24 administrative costs
hours of initial for TSA.
discovery. TSA
assumes incident
reporting will occur
telephonically.
Recordkeeping...................... 1570.121............. 592 875 283 Requirement to (1) Decreased cost
maintain security associated with
training records for number of records
each individual due to reduced
trained. These frequency of
records may be training and (2)
stored either increased the time
electronically or burden per record
printed on paper and from 15 seconds to 1
filed. minute. This
estimate is also
more aligned with
previous estimates
TSA made for
recordkeeping of
other vetting
programs.
Inspections........................ 1570.9............... 622 1,175 553 Availability for No significant
inspection by TSA changes. Cost
for compliance with difference due to
the final rule. updates in wages and
Costs assume annual population
inspections for each estimates.
owner/operator;
industry cost to
prepare for and host
TSA inspections. and
presentation of
training records and
program curriculum
when requested by
TSA during
inspection.
--------------------------------------------------------------------------------------------------------------------
Total Costs.................... ..................... 157,274 52,303 (104,971)
--------------------------------------------------------------------------------------------------------------------------------------------------------
TSA has prepared an analysis of its estimated costs and benefits,
summarized in the following paragraphs. The OMB Circular A-4 Accounting
Statement for this final rule is in section VIII.B.3. When estimating
the cost of a rulemaking, agencies typically estimate future expected
costs imposed by a regulation over a period of analysis. For this
rule's period of analysis, TSA uses a 10-year period of analysis to
estimate the initial and recurring costs of the regulated surface mode
owner/operators and new owner/operators that are expected due to
industry growth.
TSA concluded the following about the current, or baseline,
training
[[Page 16487]]
environment for freight rail, public transportation and passenger
railroad (PTPR), and OTRB employees (see section 1.8 of the RIA placed
in the docket for further detailed information on the current
baseline):
There are 574 U.S. freight rail owners/operators and are composed
of 7 Class I, 21 Class II, and 546 Class III railroads.\118\ A total of
33 (7 Class I, 8 Class II, and 18 Class III) out of the 574 U.S.
freight rail owner/operators carry RSSM through an HTUA and would be
affected by the final rule.\119\ These 33 freight rail owner/operators
provide security awareness \120\ and chain of custody and control \121\
trainings to their employees. These trainings address two of the
required elements of security training required by the final rule in
Sec. 1580.115 (Security training and knowledge for security-sensitive
employees: Prepare and Assess). Additionally, freight rail owner/
operators are already required to comply with the requirements to
assign security coordinators and report significant security concerns
to TSA under current 49 CFR 1580. Table 7 below identifies the
requirements of the final rule implemented by freight rail owner/
operators. The check marked items in the table represent existing
requirements under PHMSA's regulations (see 49 CFR 172.704 and
1580.107) and, therefore, do not represent additional burden to the
freight rail owners/operators.
---------------------------------------------------------------------------
\118\ AAR, ``Railroad Facts, 2017 Edition,'' at pg.3 (2017).
\119\ TSA used its railcar tracking system that monitors toxic
inhalant hazard cars, the Rail Asset Integrated Logistics System,
(RAILS), to identify freight rail owner/operators that transported
one or more shipments of RSSM during the period in calendar year
2017.
\120\ As required by PHMSA. See 49 CFR 172.704.
\121\ In place because of the chain of custody requirement in 49
CFR 1580.107.
[GRAPHIC] [TIFF OMITTED] TR23MR20.002
There are nearly 6,800 public transportation organizations in the
United States.\122\ Of these, 47 PTPR owner/operators \123\ fall within
the applicability of the final rule. Twenty-four of these 47 PTPR
owner/operators effectively provide training to their employees on
security awareness and employee- and company-specific security programs
and measures.\124\ This training address two of the required elements
of security training required by the final rule in Sec. 1582.115
(Prepare and Assess). Additionally, 24 PTPR owner/operators with rail
operations are already required to comply with the requirements to
assign security coordinators and report significant security concerns
to TSA under current 49 CFR part 1580. Table 8 below identifies the
requirements of the final rule already implemented by PTPR owner/
operators. The check marked items in the table represent existing
requirements under 49 CFR part 1580 and, therefore do not represent
additional burden to the freight rail owners/operators.
---------------------------------------------------------------------------
\122\ APTA, ``2016 Public Transportation Fact Book'' (Feb.
2017), available at http://www.apta.com/resources/statistics/Documents/FactBook/2016-APTA-Fact-Book.pdf.
\123\ TSA elicited and used input from SMEs in its Surface
Division, combined with data from the Federal Transit
Administration's (FTA) National Transit Database (NTD) to identify
the 47 PTPR owner/operators.
\124\ Agencies identified using latest evaluation from TSA's
BASE assessment. Information on BASE assessment can be found at:
https://www.tsa.gov/news/top-stories/2015/09/21/transit-agencies-earn-high-ratings-through-base-program.
---------------------------------------------------------------------------
[[Page 16488]]
[GRAPHIC] [TIFF OMITTED] TR23MR20.003
There are 2,990 U.S. companies in the motorcoach industry.\125\ Of
these, 205 \126\ fall within the applicability of the final rule. Three
of the 205 are large OTRB companies that currently use the TSA-supplied
First ObserverTM program, which covers a majority of the 9/
11 Act security training requirements, to train their employees. This
training addresses three of the security training elements of this
final rule (Observe, Assess, and Respond). Table 9 identifies the
requirements of this final rule implemented by OTRB owner/operators.
The check marked items in the table represent the training components
already covered by the First ObserverTM program and,
therefore do not represent additional burden to the OTRB owners/
operators currently using this program compared to the ``no-action''
baseline.\127\ In Appendix A of the RIA, however, TSA has also
monetized the cost of their current participation in First
ObserverTM. TSA estimated this cost at $0.57 million to
these owner/operators over 10 years (discounted at 7 percent).\128\
---------------------------------------------------------------------------
\125\ American Bus Association Foundation, ``Motorcoach Census
2015'' (Oct. 9, 2017), available at https://www.buses.org/assets/images/uploads/pdf/Motorcoach_Census_2015.pdf.
\126\ TSA relied on a variety of sources to identify the 205
owner/operators: Intercity Bus Security Grant Program (IBSGP)
applications submitted to FEMA and reviewed by TSA, the American
Intercity Bus Riders Association (AIBRA) intercity bus service
operator list, consultations with ABA, and internet research of
websites like GotoBus.com and other publicly available sources of
information.
\127\ OMB, ``Circular A-4,'' at 2, available at https://www.whitehouse.gov/sites/default/files/omb/assets/regulatory_matters_pdf/a-4.pdf. (``Benefits and costs are defined in
comparison with a clearly stated alternative. This normally will be
a `no action' baseline: What the world will be like if the proposed
rule is not adopted.'')
\128\ OMB also requires TSA to consider a ``pre-statute''
baseline. Id. at 16. Costs of First ObserverTM have
accrued since passage of the 9/11 Act and are part of this ``pre-
statute'' baseline.
[GRAPHIC] [TIFF OMITTED] TR23MR20.004
TSA summarizes the costs of the final rule to be borne by four
affected parties: freight railroad owner/operators, PTPR owner/
operators, OTRB owner/operators, and TSA. As displayed in Table 10, TSA
estimates the 10-year total cost of this final rule to be $73.17
million undiscounted, $62.82 million discounted at 3 percent, and
$52.30 million discounted at 7 percent. The costs to industry (all
three surface modes) comprise approximately 96.2 percent of the total
costs of the rule; and the remaining costs are incurred by TSA.
Table 10--Total Cost of the Final Rule by Entity
[$ millions]
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total final rule cost
-----------------------------------------------
Year Freight rail PTPR OTRB TSA Discounted at Discounted at
Undiscounted 3% 7%
--------------------------------------------------------------------------------------------------------------------------------------------------------
1 $8.82 $5.74 $2.28 $0.63 $17.46 $16.95 $16.32
2 0.31 0.67 0.42 0.21 1.60 1.50 1.39
3 0.31 0.67 0.42 0.21 1.61 1.47 1.31
[[Page 16489]]
4 8.08 4.49 2.02 0.27 14.87 13.21 11.34
5 0.58 1.10 0.56 0.22 2.46 2.12 1.75
6 0.58 1.11 0.57 0.22 2.48 2.07 1.65
7 7.64 3.82 1.91 0.28 13.65 11.10 8.50
8 0.82 1.41 0.68 0.23 3.14 2.48 1.83
9 0.83 1.42 0.69 0.23 3.17 2.43 1.72
10 7.25 3.35 1.85 0.29 12.74 9.48 6.48
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Total 35.21 23.78 11.40 2.78 73.17 62.82 52.30
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Annualized .............. .............. .............. .............. .............. 7.36 7.45
--------------------------------------------------------------------------------------------------------------------------------------------------------
Note: Totals may not add due to rounding.
TSA estimates the 10-year costs to the freight railroad industry to
be $35.21 million undiscounted, $30.18 million discounted at 3 percent,
and $25.09 million discounted at 7 percent, as displayed by cost
categories in Table 11.
[GRAPHIC] [TIFF OMITTED] TR23MR20.005
TSA estimates the 10-year costs to the PTPR industry to be $23.78
million undiscounted, $20.48 million discounted at 3 percent, and
$17.12 million discounted at 7 percent, as displayed by cost categories
in Table 12.
[[Page 16490]]
[GRAPHIC] [TIFF OMITTED] TR23MR20.006
TSA estimates the 10-year costs to the OTRB industry to be $11.40
million undiscounted, $9.74 million discounted at 3 percent, and $8.06
million discounted at 7 percent, as displayed by cost categories in
Table 13.
[GRAPHIC] [TIFF OMITTED] TR23MR20.007
TSA estimates the 10-year costs to TSA to be $2.78 million
undiscounted, $2.41 million discounted at 3 percent, and $2.03 million
discounted at 7 percent, as displayed by cost categories in Table 14.
[[Page 16491]]
[GRAPHIC] [TIFF OMITTED] TR23MR20.008
This final rule will enhance surface transportation security by
reducing the risk of terrorist attacks in four ways. First, the rule
ensures employees on the frontline of higher-risk surface
transportation systems and operations (defined as ``security-sensitive
employees'') are trained on how to observe, assess, and respond to a
security threat, enhancing their capabilities to take appropriate
actions and mitigate the consequences of any threat or incident.
Second, security-sensitive employees with responsibilities under their
employer's security plan or for specific security measures will be
prepared through training to perform any actions associated with that
responsibility. Third, there will be more effective communication
between TSA and all higher-risk operations through the designation of
security coordinators by all higher-risk operations. Finally, the
expanded scope of owner/operators required to report significant
security concerns will enhance TSA's ability to identify risks and
recommend appropriate actions based on a more comprehensive picture of
threats to surface transportation security.
While training and the other requirements of this final rule are
not absolute deterrents for terrorists intent on carrying out attacks
on surface modes of transportation, TSA expects the probability of
success for such attacks to decrease when the requirements of this rule
are fully implemented.
TSA uses a break-even analysis to frame the relationship between
the potential benefits of the final rule and the costs of implementing
the rule. When it is not possible to quantify or monetize a majority of
the incremental benefits of a regulation, OMB recommends conducting a
threshold, or ``break-even'' analysis. According to OMB Circular No. A-
4, ``Regulatory Analysis,'' such an analysis answers the question ``How
small could the value of the non-qualified benefits be (or how large
would the value of the non-quantified costs need to be) before the rule
would yield zero net benefits?'' \129\
---------------------------------------------------------------------------
\129\ See id.
---------------------------------------------------------------------------
To conduct the break-even analysis, TSA evaluates three composite
scenarios for each the three modes covered by the final rule. For each
scenario, TSA calculates a total monetary consequence from an estimated
statistical value of the human casualties and capital replacement
resulting from the attack (see Section 4.3 of the Final RIA for a more
detailed description of these calculations; however, many assumptions
regarding specific terrorist attacks scenarios are SSI and cannot be
publicly released).
Table 15 presents the composite or weighted average of direct
consequences from a successful attack on each mode.
---------------------------------------------------------------------------
\130\ As explained in the Final RIA, available in the docket, to
monetize injuries, TSA used two approaches (depending on whether the
injury was due to exposure to hazardous chemicals). To monetize
``non-chemical'' injuries, TSA uses guidance from the Department of
Transportation for valuing injuries based on the Abbreviated Injury
Scale. To monetize chemical-related injuries, TSA obtained
information on the cost of medical treatment for poisoning injuries.
\131\ Total Direct Consequences = (Deaths x $9.6 million VSL) +
(Severe injuries x $2.55 million) + (Moderate injuries x $0.45
million) + (Severe chemical injuries x $43,743) + (Moderate chemical
injuries x $1,687) + Public property loss + Private property loss +
Rescue and clean-up cost.
---------------------------------------------------------------------------
[[Page 16492]]
[GRAPHIC] [TIFF OMITTED] TR23MR20.009
TSA compared the estimated direct monetary costs of an attack to
the annualized cost (discounted at 7 percent) to industry and TSA from
the final rule for each mode to estimate how often an attack of that
nature would need to be averted for the expected benefits to equal
estimated costs. Table 16 presents the results of the break-even
analysis for each mode. For example, Table 16 shows that if the freight
rail training requirements in this rule prevents one freight rail
terrorist attack every 141 years, this rule ``breaks-even'' (the
benefits equal the costs).
The break-even analysis does not include the difficult-to-quantify
indirect costs of an attack or the macroeconomic impacts that could
occur due to a major attack. In addition to the direct impacts of a
terrorist attack in terms of lost life and property, there are other
more indirect impacts that are difficult to measure. As noted by Cass
Sunstein in Laws of Fear, ``. . . fear is a real social cost, and it is
likely to lead to other social costs.'' \132\ In addition, Ackerman and
Heinzerling state ``. . . terrorism `works' through the fear and
demoralization caused by uncontrollable uncertainty.'' \133\ As
devastating as the direct impacts of a successful terrorist attack can
be in terms of the immediate loss of life and property, avoiding the
impacts of the more difficult to measure indirect effects are also
substantial benefits of preventing a terrorist attack.
---------------------------------------------------------------------------
\132\ Cass R. Sunstein, Laws of Fear at 127 (2005).
\133\ Frank Ackerman and Lisa Heinzerling, Priceless On Knowing
the Price of Everything and the Value of Nothing at 136 (2004).
Table 16--Break-Even Analysis Results
[$ millions]
----------------------------------------------------------------------------------------------------------------
Weighted average Annualized cost
Modes direct costs of a of the final rule Breakeven averted attack
successful attack at 7% frequency
a b c = a / b
----------------------------------------------------------------------------------------------------------------
Freight Rail............................... $505.87 $3.60 One attack every 141 years.
PTPR....................................... 487.80 2.48 One attack every 197 years.
OTRB....................................... 371.00 1.37 One attack every 271 years.
----------------------------------------------------------------------------------------------------------------
Note: Totals may not add due to rounding.
3. OMB A-4 Statement
The OMB A-4 Accounting Statement (in Table 17) presents annualized
costs and qualitative benefits of the final rule.
[[Page 16493]]
Table 17--OMB A-4 Accounting Statement
[in $ millions, 2017 dollars]
----------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------
Category Primary estimate Minimum Maximum Source citation
estimate estimate (Final RIA,
preamble, etc.)
----------------------------------------------------------------------------------------------------------------
Benefits ($ millions)
----------------------------------------------------------------------------------------------------------------
Annualized monetized benefits N/A N/A N/A N/A Final RIA
(discount rate in
parentheses).
----------------------------------------------------------------------------------------------------------------
Unquantified benefits......... The requirements proposed in this rule produce benefits by Final RIA
reducing security risks through training security-sensitive
surface mode employees to identify and/or mitigate an
attempted terrorist attack.
----------------------------------------------------------------------------------------------------------------
Costs ($ millions)
----------------------------------------------------------------------------------------------------------------
Annualized monetized costs (7%) $7.45 .............. .............. Final RIA
(discount rate in (3%) $7.36
parentheses).
----------------------------------------------------------------------------------------------------------------
Annualized quantified, but 0 0 0 Final RIA
unmonetized, costs.
----------------------------------------------------------------------------------------------------------------
Qualitative costs N/A Final RIA
(unquantified).
----------------------------------------------------------------------------------------------------------------
Transfers
----------------------------------------------------------------------------------------------------------------
Annualized monetized N/A N/A N/A Final RIA
transfers: ``on budget''.
From whom to whom?............ N/A N/A N/A None
Annualized monetized N/A N/A N/A Final RIA
transfers: ``off-budget''.
From whom to whom?............ N/A N/A N/A None
----------------------------------------------------------------------------------------------------------------
Miscellaneous analyses/ Effects Source citation
category. (NPRM RIA,
preamble, etc.)
----------------------------------------------------------------------------------------------------------------
Effects on State, local, and/ None Final RIA
or tribal governments.
Effects on small businesses... Prepared FRFA FRFA (Chapter 6
RIA)
Effects on wages.............. None None
Effects on growth............. None None
----------------------------------------------------------------------------------------------------------------
4. Alternatives Considered
In addition to the final rule, TSA also considered two alternative
policies. In comparison to the final rule, the first alternative
(Alternative 1) removes requirements for recordkeeping, security
incident reporting, and security coordinators for bus-only PTPR owner/
operators. This alternative also removes the requirement to train
freight railroad security-sensitive employees on chain of custody and
control requirements.\134\ The second alternative (Alternative 2)
increases the training frequency to an annual basis and expands the
population of owners/operators to all who operate within any UASI,
which includes the entire metropolitan statistical area.\135\ All other
requirements remain the same.
---------------------------------------------------------------------------
\134\ Table 64 in the RIA found in the docket provides a
section-by section analysis of which regulatory provisions are
statutorily required and which provisions are discretionary.
\135\ As previously noted, see section VII.C.4. of the preamble
to this final rule, TSA proposed an annual recurrent training
requirement in the NPRM. See also 81 FR at 91348. For the NPRM, TSA
also considered an alternative to ``train security-sensitive
employees once every three years using TSA-provided materials. Id.
at 91379. In response to comments, TSA is adopting a three-year
recurrent training cycle for purposes of the final rule, making the
annual recurrent training requirement the alternative considered for
purposes of the alternatives analysis.
---------------------------------------------------------------------------
Though not the least costly option, TSA selects the requirements in
this final rule as the preferred alternative. TSA rejected Alternative
1 because it omitted the following important security measures TSA
proposed in the NPRM: (1) Recordkeeping requirements to ensure TSA can
determine compliance (all modes), (2) expanding security coordinator
requirements to provide a security point of contact for bus-only
operations (PTPR), (3) expanding reporting requirements for security
incidents to ensure TSA has a more complete picture of potential
threats to surface transportation (PTPR and OTRB); and (4) ensuring
freight railroad security-sensitive employees with responsibilities
under TSA's chain of custody and control requirements have the
necessary training to ensure compliance with these security measures in
place since promulgation of TSA's Rail Security Rule.\136\ By including
these security measures, TSA can ensure compliance with the rule,
obtain a complete picture of potential threats to surface
transportation across multiple modes, and enhance compliance with
security measures required for freight railroads.
---------------------------------------------------------------------------
\136\ 73 FR 72129, 72130-72179 (Nov. 26, 2008). ``Rail
Transportation Security; Final Rule.''
---------------------------------------------------------------------------
TSA also rejected Alternative 2. As discussed in the NPRM, TSA
applied a risk-based approach to determining applicability of this
final rule.\137\ Expanding the population would be inconsistent with
TSA's commitment to risk-based security.\138\ TSA is also rejecting
requiring annual recurrent training in response to comments
[[Page 16494]]
received on the NPRM.\139\ In response to these comments which
suggested longer time periods between training, TSA modified the
recurrent training requirement to at least once every three years in
the final rule, and rejected the annual recurrent training requirement
in Alternative 2.
---------------------------------------------------------------------------
\137\ See supra n. 13.
\138\ Id..
\139\ See section VI.C.4 of this final rule.
Table 18--Comparison of Costs Between Alternatives
[in millions]
--------------------------------------------------------------------------------------------------------------------------------------------------------
10-Year costs (in $ millions) at a 7% discount
Initial Affected population rate
(number of owner/operators) Requirements -----------------------------------------------
Industry TSA Total
--------------------------------------------------------------------------------------------------------------------------------------------------------
Final Rule............................... 33 Freight Rails........... 1. Provide security training to $50.28 $2.03 $52.30
47 PTPRs................... security-sensitive employees
205 OTRBs.................. once every three years.
........................... 2. Designate a security
coordinator (expanded
requirement to include bus-only
PTPR and OTRB).
........................... 3. Report significant security
incidents to TSA (expanded
requirement to include bus-only
PTPR and OTRB) Maintain
employee training records and.
........................... 4. Provide access to TSA and
proof of compliance.
Alternative 1............................ ........................... 1. Provide security training to 48.03 0.99 49.02
security-sensitive employees
once every three years (except
for Chain of custody and
control);.
........................... 2. Designate a security
coordinator (expanded
requirement limited to OTRB).
........................... 3. Maintain employee training
records and.
........................... 4. Provide access to TSA and
proof of compliance.
Alternative 2............................ 69 Freight Rails........... 1. Provide annual security 219.54 4.52 224.05
253 PTPRs.................. training to security-sensitive
403 OTRBs.................. employees within expanded
applicability.
........................... 2. Designate a security
coordinator.
........................... 3. Report significant security
incidents to TSA.
........................... 4. Maintain employee training
records and.
........................... 5. Provide access to TSA and
proof of compliance.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Note: Totals may not add due to rounding.
5. Regulatory Flexibility Assessment
The RFA \140\ requires agencies to consider the impacts of their
rules on small entities. TSA performed a Final Regulatory Flexibility
Analysis (FRFA) to analyze the impact to small entities affected by the
final rule.\141\ The RFA analysis presented below is a summary of the
FRFA, including the six elements in 5 U.S.C. 604.
---------------------------------------------------------------------------
\140\ See supra n. 113.
\141\ See Chapter 6 of the Final RIA in the docket for the full
FRFA.
---------------------------------------------------------------------------
a. A Statement of the Need for, and Objectives of, the Rule.
Sections 1408, 1517, and 1534 of the 9/11 Act require TSA to issue a
security training rule requiring owner/operators of various modes of
surface transportation to provide training to frontline employees of
freight rail, PTPR, and OTRB employees. Owner/operators are required to
submit a training program to TSA for review that will be marked SSI. An
owner/operator must also keep records of whether each employee has
successfully completed their training. Additionally, TSA will collect
security coordinator and alternate coordinator information from
entities covered in the final rule, as well as require reporting of
suspicious activities or incidents by these owner/operators. TSA
requests this information from owner/operators to be better prepared to
respond to emergencies or incidents and to have designated points of
contacts with covered entities when information needs to be shared or
retrieved. TSA requests reporting of security-related incidents and
suspicious activities to assess if there is a new threat or increased
threat to the surface modes of transportation.
b. A Statement of the Significant Issues Raised by Public Comments
in Response to the IRFA, a Statement of the Assessment of the Agency of
Such Issues, and a Statement of Any Changes Made in the Proposed Rule
as a Result of Such Comments. The public did not submit significant
comments during the comment period specifically on the IRFA. However,
elsewhere in in the preamble of the final rule, TSA answered public
comments on the cost estimate of the rule.
c. Description of and an Estimate of the Number of Small Entities
to Which the Rule Will Apply or an Explanation of Why No Such Estimate
is Available. Under the RFA, the term ``small entities'' comprises
small businesses, not-for-profit organizations that are independently
owned and operated and are not dominant in their fields, and small
governmental jurisdictions with populations of less than 50,000.
Individuals and States are not considered ``small entities'' based on
the definitions in the RFA (5 U.S.C. 601).
The PTPR owner/operators affected by this final rule are not
considered small entities because they are either owned/operated by
governmental jurisdictions that exceed the RFA population threshold of
50,000 or a
[[Page 16495]]
business that exceeds the Small Business Administration's (SBA) size
threshold. Only freight rail and OTRB owner/operators have small
entities affected by the final rule.
The final rule requires security training for Class I freight rail
owner/operators and freight rail owner/operators that transport RSSM in
one or more HTUAs \142\ or host high-risk passenger rail operations on
their tracks. TSA identified 33 freight railroad entities affected by
the final rule.
---------------------------------------------------------------------------
\142\ See Appendix A to part 1580 of this final rule for list of
HTUAs.
---------------------------------------------------------------------------
TSA uses the SBA size standards to identify that 18 of the 33
freight rail owner/operators affected by the final rule are considered
a small business. TSA calculates that final rule's requirements are
estimated to cost $61.82 per employee and $18,390.32 per freight rail
owner/operator. Of these 18 small freight rail owner/operators, TSA
estimates that one of these freight rail owner/operators would likely
have a regulatory cost that exceeds one percent of their revenue. Table
19 presents the likely distribution of costs for small freight rail
owner/operators.
Table 19--Costs as a Percent of Revenue for Small Freight Rail Owner/
Operators
------------------------------------------------------------------------
Number of Percent of
Revenue impact range entities entities
------------------------------------------------------------------------
0% < Impact <= 1%....................... 17 94
1% < Impact <= 3%....................... 0 0
3% < Impact <= 5%....................... 1 6
5% < Impact <= 10%...................... 0 0
Above 10%............................... 0 0
-------------------------------
Total............................... 18 100.0
------------------------------------------------------------------------
TSA identified 205 OTRB owner/operators entities affected by the
final rule. Using SBA's size threshold, TSA estimates that 182 OTRB
owner/operators regulated by the final rule are considered a small
business. TSA calculates that the final rule's requirements are
estimated to cost $35.68 per employee and $5,759.94 per entity to these
OTRB owner/operators. Using a relevant sample of these 143 small OTRB
owner/operators, TSA estimates that 32% of them would likely have a
regulatory cost that exceeds one percent of their revenue. Table 20
presents the likely distribution of costs for this sample of small OTRB
owner/operators.
Table 20--Costs as a Percent of Revenue for Small OTRB Owner/Operators
------------------------------------------------------------------------
Number of Percent of
Revenue impact range entities entities
------------------------------------------------------------------------
0% < Impact <= 1%....................... 97 68
1% < Impact <= 3%....................... 36 25
3% < Impact <= 5%....................... 6 4
5% < Impact <= 10%...................... 4 3
Above 10%............................... 0 0
-------------------------------
Total............................... 143 100.0
------------------------------------------------------------------------
d. The Response of the Agency to Any Comments Filed by the Chief
Counsel for Advocacy of the Small Business Administration in Response
to the Proposed Rule, and a Detailed Statement of Any Change Made to
the Proposed Rule in the Final Rule as a Result of the Comments. The
Small Business Administration did not submit any comments during the
comment period for the NPRM.
e. A Description of the Projected Reporting, Recordkeeping, and
Other Compliance Requirements of the Final Rule, Including an Estimate
of the Classes of Small Entities that Will Be Subject to the
Requirement and the Type of Professional Skills Necessary for
Preparation of the Report or Record. This final rule's reporting,
recordkeeping and other compliance requirements will include submission
of security training programs, security coordinator and security
incident information, retention of training records, and availability
for compliance inspections. TSA assumes that any training program,
incident report, security coordinator package, or other information
submitted to TSA will be completed by management-level personnel. TSA
also assumes that owner/operators will have a manager prepare before a
TSA compliance inspection. TSA assumes the recordkeeping requirements
of the final rule will be fulfilled by employees with administrative
and clerical skills.
f. A Description of the Steps the Agency has Taken to Minimize
Significant Economic Impact on Small Entities Consistent with the
Stated Objectives of Applicable Statutes, including a Statement of the
Factual, Policy, and Legal Reasons for Selecting the Alternative
Adopted in the Final Rule and Why Each of the Other Significant
Alternatives to the Rule Considered by the Agency which Affect the
Impact on Small Entities was Rejected. TSA will allow owner/operators
to develop their own training programs (which must receive TSA
approval). TSA will give owner/operators the flexibility to use
different training materials to satisfy the final rule's training
requirements. Additionally, in an effort to create a baseline for
security training and minimize costs on regulated owner/operators, TSA
will provide training videos to incorporate the non-entity-specific
training requirements laid out in the final rule. TSA will make these
training videos available to all owner/operators, including small
entities not
[[Page 16496]]
covered by the high-risk criteria, which could be used on a voluntary
basis by entities seeking to improve their security posture.
TSA considered two other feasible alternatives, detailed in chapter
5 of the Final RIA, in addition to the final rule.
Alternative 1: Requirements Limited to Those Expressly Authorized
by Statute. In comparison to the final rule, the first regulatory
alternative TSA considered would limit the requirements to those
expressly authorized by the 9/11 Act or other relevant statutory
provisions, such as 49 U.S.C. 114. Under this alternative, the
applicability of owner/operators required to comply and employees to be
trained would remain the same and the recurrence of training would be
the same as the final rule (once every three years), but TSA would
remove the following requirements:
Recordkeeping (final rule requires retention of records
necessary to validate compliance);
Training freight rail employees on the chain of custody
procedures required by TSA's regulations (see Sec. 1580.205 for chain
of custody and control requirements relocated from Sec. 1580.107);
Security coordinators and reporting security incidents by
bus-only PTPR owner/operators; and
Reporting security incidents by OTRB owner/operators.
The alternative would still include requirements to provide
security training to security-sensitive employees (with the exception
of chain of custody and control) once every three years, designating
security coordinators for OTRB owner/operators, and providing access to
TSA to inspect for compliance. The narrower scope from this alternative
means the costs to small businesses would be less than the final rule.
TSA rejected this alternative based on the determination that
recordkeeping is implicitly required as it is a necessary component of
enforcing a regulation, and the other measures are necessary for
consistent application of the TSA's requirements imposed to enhance
surface transportation security.
Alternative 2: Increased Population Alternative with Program
Creation Assumptions. TSA considered a second regulatory alternative
that would require annual training and increase the population of
owner/operators required to comply with the final rule. For Alternative
2, TSA considered expanding the scope of applicability to any freight
railroad, PTPR system, or OTRB operator operating fixed-route service
to, through, or from a UASI. Under this alternative, TSA would impose
additional burdens to a significant number of small owner/operators,
including those that TSA has not determined to be higher-risk. This
alternative could have a disproportionate impact upon small entities.
Alternative 2 would increase total costs upon the regulated community
as a whole. Additionally, TSA received comments to the NPRM (section
VI.C.4 of this preamble) that suggested longer time periods between
training, such as two or three years. In response to these comments,
TSA modified the recurrent training requirement to at least once every
three years in the final rule, and rejected the annual recurrent
training requirement in Alternative 2. TSA rejected this alternative as
it is inconsistent with the agency's risk-based security policy
determination to focus on higher-risk owner/operators and commitment to
outcomes-based regulations. TSA also rejected this alternative because
of its annual recurrent training requirement.
6. International Trade Impact Assessment
The Trade Agreement Act of 1979 prohibits Federal agencies from
establishing any standards or engaging in related activities that
create unnecessary obstacles to the foreign commerce of the United
States. Legitimate domestic objectives, such as safety, are not
considered unnecessary obstacles. The statute also requires
consideration of international standards and, where appropriate, that
they be the basis for U.S. standards. TSA has assessed the potential
effect of this final rule and has determined that it would have only a
domestic impact and therefore no effect on any trade-sensitive
activity.
7. Unfunded Mandates Assessment
The Unfunded Mandates Reform Act of 1995 is intended, among other
things, to curb the practice of imposing unfunded Federal mandates on
State, local, and tribal governments. Title II of UMRA requires each
Federal agency to prepare a written statement assessing the effects of
any Federal mandate in a proposed or final agency rule that may result
in a $100 million or more expenditure (adjusted annually for inflation)
in any one year by State, local, and tribal governments, in the
aggregate, or by the private sector; such a mandate is deemed to be a
``significant regulatory action.'' \143\
---------------------------------------------------------------------------
\143\ Supra n. 63 as codified at 2 U.S.C. 1532.
---------------------------------------------------------------------------
This final rule does not contain such a mandate. Therefore, the
requirements in Title II of UMRA do not apply and TSA has not prepared
a statement.
C. Executive Order 13132, Federalism
TSA has analyzed this rulemaking under the principles and criteria
of Executive Order 13132, Federalism. We determined that this action
would not have a substantial direct effect on the States, on the
relationship between the National Government and the States, or on the
distribution of power and responsibilities among the various levels of
government, and therefore would not have federalism implications.
D. Environmental Analysis
TSA has reviewed this rulemaking for purposes of the National
Environmental Policy Act of 1969 (NEPA) (42 U.S.C. 4321-4347) and has
determined that this action will not have a significant effect on the
human environment. This action is covered by categorical exclusion
(CATEX) number A3(b) in DHS Management Directive 023-01 (formerly
Management Directive 5100.1), Environmental Planning Program, which
guides TSA compliance with NEPA.
E. Energy Impact Analysis
The energy impact of this rulemaking has been assessed in
accordance with the Energy Policy and Conservation Act (EPCA), Public
Law 94-163, as amended (42 U.S.C. 6362). TSA has determined that this
rulemaking is not a major regulatory action under the provisions of the
EPCA.
List of Subjects
49 CFR Part 1500
Air carriers, Air transportation, Aircraft, Airports, Bus transit
systems, Commuter bus systems, Law enforcement officer, Maritime
carriers, Over-the-Road buses, Public transportation, Rail hazardous
materials receivers, Rail hazardous materials shippers, Rail transit
systems, Railroad carriers, Railroad safety, Railroads, Reporting and
recordkeeping requirements, Security measures, Transportation facility,
Vessels.
49 CFR Part 1520
Air carriers, Air transportation, Aircraft, Airports, Bus transit
systems, Commuter bus systems, Law enforcement officer, Maritime
carriers, Over-the-Road buses, Public transportation, Rail hazardous
materials receivers, Rail hazardous materials shippers, Rail transit
systems, Railroad carriers, Railroad safety, Railroads, Reporting and
recordkeeping requirements, Security measures, Transportation facility,
Vessels.
[[Page 16497]]
49 CFR Part 1570
Commuter bus systems, Crime, Fraud, Hazardous materials
transportation, Motor carriers, Over-the-Road bus safety, Over-the-Road
buses, Public transportation, Public transportation safety, Rail
hazardous materials receivers, Rail hazardous materials shippers, Rail
transit systems, Railroad carriers, Railroad safety, Railroads,
Reporting and recordkeeping requirements, Security measures,
Transportation facility, Transportation Security-Sensitive Materials.
49 CFR Part 1580
Hazardous materials transportation, Rail hazardous materials
receivers, Rail hazardous materials shippers, Railroad carriers,
Railroad safety, Railroads, Reporting and recordkeeping requirements,
Security measures.
49 CFR Part 1582
Public transportation, Public transportation safety, Railroad
carriers, Railroad safety, Railroads, Rail transit systems, Reporting
and recordkeeping requirements, Security measures.
49 CFR Part 1584
Over-the-Road bus safety, Over-the-Road buses, Reporting and
recordkeeping requirements, Security measures.
The Amendments
For the reasons set forth in the preamble, the Transportation
Security Administration amends chapter XII, of title 49, Code of
Federal Regulations as follows:
Subchapter A--Administrative and Procedural Rules
PART 1500--APPLICABILITY, TERMS, AND ABBREVIATIONS
0
1. The authority citation for part 1500 is revised to read as follows:
Authority: 49 U.S.C. 114, 5103, 40113, 44901-44907, 44913-44914,
44916-44918, 44935-44936, 44942, 46105; Pub. L. 110-53 (121 Stat.
266, Aug. 3, 2007) secs. 1408 (6 U.S.C. 1137), 1501 (6 U.S.C. 1151),
1517 (6 U.S.C. 1167), and 1534 (6 U.S.C. 1184).
0
2. Revise Sec. 1500.3 to read as follows:
Sec. 1500.3 Terms and abbreviations used in this chapter.
As used in this chapter:
Administrator means the Assistant Secretary for Homeland Security,
Transportation Security Administration (Assistant Secretary), who is
the highest-ranking TSA official, or his or her designee. Administrator
also means the Under Secretary of Transportation for Security
identified in 49 U.S.C. 114(b).
Authorized representative means any individual who is not a direct
employee of a person regulated under this title, but is authorized to
act on that person's behalf to perform measures required under the
Transportation Security Regulations, or a TSA security program. For
purposes of this subchapter, the term ``authorized representative''
includes agents, contractors, and subcontractors, and employees of the
same.
Bus means any of several types of motor vehicles used by public or
private entities to provide transportation service for passengers.
Bus transit system means a public transportation system providing
frequent transportation service (not limited to morning and evening
peak travel times) for the primary purpose of moving passengers between
bus stops, often through multiple connections (a bus transit system
does not become a commuter bus system even if its primary purpose is
the transportation of commuters). This term does not include tourist,
scenic, historic, or excursion operations.
Commuter bus system means a system providing passenger service
primarily during morning and evening peak periods, between an urban
area and more distant outlying communities in a greater metropolitan
area. This term does not include tourist, scenic, historic, or
excursion operations.
Commuter passenger train service means ``train, commuter'' as
defined in 49 CFR 238.5, and includes service provided by diesel or
electric powered locomotives and railroad passenger cars to serve an
urban area, its suburbs, and more distant outlying communities in the
greater metropolitan area. A commuter passenger train service is part
of the general railroad system of transportation regardless of whether
it is physically connected to other railroads.
DHS means the Department of Homeland Security and any directorate,
bureau, or other component within the Department of Homeland Security,
including the United States Coast Guard.
DOT means the Department of Transportation and any operating
administration, entity, or office within the Department of
Transportation.
Fixed-route service means the provision of transportation service
by private entities operated along a prescribed route according to a
fixed schedule.
General railroad system of transportation means ``the network of
standard gauge track over which goods may be transported throughout the
nation and passengers may travel between cities and within metropolitan
and suburban areas'' as defined in appendix A to 49 CFR part 209.
Hazardous material means ``hazardous material'' as defined in 49
CFR 171.8.
Heavy rail transit means service provided by self-propelled
electric railcars, typically drawing power from a third rail, operating
in separate rights-of-way in multiple cars; also referred to as
subways, metros or regional rail.
Host railroad means a railroad that has effective control over a
segment of track.
Improvised explosive device (IED) means a device fabricated in an
improvised manner that incorporates explosives or destructive, lethal,
noxious, pyrotechnic, or incendiary chemicals in its design, and
generally includes a power supply, a switch or timer, and a detonator
or initiator.
Intercity passenger train service means both ``train, long-distance
intercity passenger'' and ``train, short-distance intercity passenger''
as defined in 49 CFR 238.5.
Light rail transit means service provided by self-propelled
electric railcars, typically drawing power from an overhead wire,
operating in either exclusive or non-exclusive rights-of-way in single
or multiple cars, with shorter distance trips, and frequent stops; also
referred to as streetcars, trolleys, and trams.
Motor vehicle means a vehicle, machine, tractor, trailer, or
semitrailer propelled or drawn by mechanical power and used upon the
highways in the transportation of passengers or property, or any
combination thereof, but does not include any vehicle, locomotive, or
car operated exclusively on a rail or rails, or a trolley bus operated
by electric power derived from a fixed overhead wire, furnishing local
passenger transportation similar to street-railway service.
Over-the-Road Bus (OTRB) means a bus characterized by an elevated
passenger deck located over a baggage compartment.
Owner/operator means any person that owns, or maintains operational
control over, any transportation infrastructure asset, facility, or
system regulated under this title, including airport operator, aircraft
operator, foreign air carrier, indirect air carrier, certified cargo
screening facility, flight school within the meaning of 49 CFR
1552.1(b), motor vehicle, public transportation agency, or railroad
carrier. For purposes of a maritime facility or a vessel, owner/
operator has
[[Page 16498]]
the same meaning as defined in 33 CFR 101.105.
Passenger rail car means rail rolling equipment intended to provide
transportation for members of the general public and includes a self-
propelled rail car designed to carry passengers, baggage, mail, or
express. This term includes a rail passenger coach, cab car, and a
Multiple Unit (MU) locomotive. In the context of articulated equipment,
``passenger rail car'' means that segment of the rail rolling equipment
located between two trucks. This term does not include a private rail
car.
Passenger railroad carrier means a railroad carrier that provides
transportation to persons (other than employees, contractors, or
persons riding equipment to observe or monitor railroad operations) by
railroad in intercity passenger service or commuter or other short-haul
passenger service in a metropolitan or suburban area.
Passenger train means a train that transports or is available to
transport members of the general public.
Person means an individual, corporation, company, association,
firm, partnership, society, joint-stock company, or governmental
authority. It includes a trustee, receiver, assignee, successor, or
similar representative of any of them.
Private rail car means rail rolling equipment that is used only for
excursion, recreational, or private transportation purposes. A private
rail car is not a passenger rail car.
Public transportation means transportation provided to the general
public by a regular and continuing general or specific transportation
vehicle that is owned or operated by a public transportation agency,
including providing one or more of the following types of passenger
transportation:
(1) Intercity or commuter passenger train service or other short-
haul railroad passenger service in a metropolitan or suburban area (as
described by 49 U.S.C. 20102(1)).
(2) Heavy or light rail transit service, whether on or off the
general railroad system of transportation.
(3) An automated guideway, cable car, inclined plane, funicular, or
monorail system.
(4) Bus transit or commuter bus service.
Public transportation agency means any publicly-owned or operated
provider of regular and continuing public transportation.
Rail hazardous materials receiver means any owner/operator of a
fixed-site facility that has a physical connection to the general
railroad system of transportation and receives or unloads from
transportation in commerce by rail one or more of the categories and
quantities of rail security-sensitive materials identified in 49 CFR
1580.3, but does not include the owner/operator of a facility owned or
operated by a department, agency or instrumentality of the Federal
Government.
Rail hazardous materials shipper means the owner/operator of any
fixed-site facility that has a physical connection to the general
railroad system of transportation and offers (as defined in the
definition of ``person who offers or offeror'' in 49 CFR 171.8),
prepares or loads for transportation by rail one or more of the
categories and quantities of rail security-sensitive materials as
identified in 49 CFR 1580.3, but does not include the owner/operator of
a facility owned or operated by a department, agency or instrumentality
of the Federal Government.
Rail secure area means a secure location(s) identified by a rail
hazardous materials shipper or rail hazardous materials receiver where
security-related pre-transportation or transportation functions are
performed or rail cars containing the categories and quantities of rail
security-sensitive materials are prepared, loaded, stored, and/or
unloaded.
Rail transit facility means rail transit stations, terminals, and
locations at which rail transit infrastructure assets are stored,
command and control operations are performed, or maintenance is
performed. The term also includes rail yards, crew management centers,
dispatching centers, transportation terminals and stations, fueling
centers, and telecommunication centers.
Rail transit system or ``Rail Fixed Guideway System'' means any
light, heavy, or rapid rail system, monorail, inclined plane,
funicular, cable car, trolley, or automated guideway that traditionally
does not operate on track that is part of the general railroad system
of transportation.
Railroad carrier means an owner/operator providing railroad
transportation.
Railroad transportation means:
(1) Any form of non-highway ground transportation that runs on
rails or electromagnetic guideways, including:
(i) Commuter or other short-haul rail passenger service in a
metropolitan or suburban area; and
(ii) High speed ground transportation systems that connect
metropolitan areas, without regard to whether these systems use new
technologies not associated with traditional railroads.
(2) Such term includes rail transit service operating on track that
is part of the general railroad system of transportation but does not
include rapid transit operations in an urban area that are not
connected to the general railroad system of transportation.
Record includes any means by which information is preserved,
irrespective of format, including a book, paper, drawing, map,
recording, tape, film, photograph, machine-readable material, and any
information stored in an electronic format. The term record also
includes any draft, proposed, or recommended change to any record.
Sensitive security information (SSI) means information that is
described in and must be managed in accordance with 49 CFR part 1520.
State means a State of the United States and the District of
Columbia.
Tourist, scenic, historic, or excursion operation means a railroad
or bus operation that carries passengers, often using antiquated
equipment, with the conveyance of the passengers to a particular
destination not being the principal purpose. Train or bus movements of
new passenger equipment for demonstration purposes are not tourist,
scenic, historic, or excursion operations.
Transit means mass transportation by a conveyance that provides
regular and continuing general or special transportation to the public,
but does not include school bus, charter, or sightseeing
transportation. Rail transit may occur on or off the general railroad
system of transportation.
Transportation or transport means the movement of property
including loading, unloading, and storage. Transportation or transport
also includes the movement of people, boarding, and disembarking
incident to that movement.
Transportation facility means a location at which transportation
cargo, equipment or infrastructure assets are stored, equipment is
transferred between conveyances and/or modes of transportation,
transportation command and control operations are performed, or
maintenance operations are performed. The term also includes, but is
not limited to, passenger stations and terminals (including any fixed
facility at which passengers are picked-up or discharged), vehicle
storage buildings or yards, crew management centers, dispatching
centers, fueling centers, and telecommunication centers.
Transportation security equipment and systems means items, both
integrated into a system and stand-alone, used by owner/operators to
enhance capabilities to detect, deter,
[[Page 16499]]
prevent, or respond to a threat or incident, including, but not limited
to, video surveillance, explosives detection, radiological detection,
intrusion detection, motion detection, and security screening.
Transportation Security Regulations (TSR) means the regulations
issued by the Transportation Security Administration, in title 49 of
the Code of Federal Regulations, chapter XII, which includes parts 1500
through 1699.
Transportation Security-Sensitive Material (TSSM) means hazardous
materials identified in 49 CFR 172.800(b).
TSA means the Transportation Security Administration.
United States, in a geographical sense, means the States of the
United States, the District of Columbia, and territories and
possessions of the United States, including the territorial sea and the
overlying airspace.
Vulnerability assessment includes any review, audit, or other
examination of the security of a transportation system, infrastructure
asset, or a transportation-related automated system or network to
determine its vulnerability to unlawful interference, whether during
the conception, planning, design, construction, operation, or
decommissioning phase. A vulnerability assessment includes the
methodology for the assessment, the results of the assessment, and any
proposed, recommended, or directed actions or countermeasures to
address security concerns.
PART 1503--INVESTIGATIVE AND ENFORCEMENT PROCEDURES
0
3. The authority citation for part 1503 continues to read as follows:
Authority: 18 U.S.C. 6002; 28 U.S.C. 2461 (note); 49 U.S.C. 114,
20109, 31105, 40113-40114, 40119, 44901-44907, 46101-46107, 46109-
46110, 46301, 46305, 46311, 46313-46314; Public Law 104-134 (110
Stat. 1321; April 26, 1996), as amended by Pub. L. 114-74 (129 Stat.
584; Nov. 2, 2015); and Pub. L. 110-53 (121 Stat. 266, Aug. 3, 2007)
secs. 1408 (6 U.S.C. 1137), 1413 (6 U.S.C. 1142), 1501 (6 U.S.C.
1151), 1512 (6 U.S.C. 1162), 1517 (6 U.S.C. 1167), 1531 (6 U.S.C.
1181), and 1534 (6 U.S.C. 1184).
Subpart B--Scope of Investigative and Enforcement Procedures
0
4. In Sec. 1503.101 revise paragraphs (b)(1) and (2) and add paragraph
(b)(3) to read as follows:
Sec. 1503.101 TSA requirements.
* * * * *
(b) * * *
(1) Those provisions of title 49 U.S.C. administered by the
Administrator;
(2) 46 U.S.C. chapter 701; and
(3) Provisions of Public Law 110-53 (121 Stat. 266, Aug. 3, 2007)
not codified in title 49 U.S.C. that are administered by the
Administrator.
Subchapter B--Security Rules for all Modes of Transportation
PART 1520--PROTECTION OF SENSITIVE SECURITY INFORMATION
0
5. The authority citation for part 1520 continues to read as follows:
Authority: 46 U.S.C. 114, 40113, 44901-44907, 44913-44914,
44916-44918, 44935-44936, 44942, 46105, 70102-70106, 70117; Pub. L.
110-53 (121 Stat. 266, Aug. 3, 2007) secs. 1408 (6 U.S.C. 1137),
1413 (6 U.S.C. 1142), 1501 (6 U.S.C. 1151), 1512 (6 U.S.C. 1162),
1517 (6 U.S.C. 1167), 1531 (6 U.S.C. 1181), and 1534 (6 U.S.C.
1184).
Sec. 1520.3 [Amended]
0
6. In Sec. 1520.3, remove the definitions of ``DHS, ``DOT'', ``Rail
facility'', ``Rail hazardous materials receiver'', ``Rail hazardous
materials shipper, ``Rail transit facility'', ``Rail transit system or
Rail Fixed Guideway System'', ``Railroad'', ``Record'', and
``Vulnerability assessment''.
0
7. In Sec. 1520.5, revise paragraphs (b)(1), (b)(6)(i), (b)(8)
introductory text, (b)(10), (b)(12) introductory text, and (b)(15) to
read as follows:
Sec. 1520.5 Sensitive security information.
* * * * *
(b) * * *
(1) Security programs, security plans, and contingency plans. Any
security program, security plan, or security contingency plan issued,
established, required, received, or approved by DHS or DOT, including
any comments, instructions, or implementing guidance, including--
(i) Any aircraft operator, airport operator, fixed base operator,
or air cargo security program, or security contingency plan under this
chapter;
(ii) Any vessel, maritime facility, or port area security plan
required or directed under Federal law;
(iii) Any national or area security plan prepared under 46 U.S.C.
70103;
(iv) Any security incident response plan established under 46
U.S.C. 70104, and
(v) Any security program or plan required under subchapter D of
this title.
* * * * *
(6) * * *
(i) Details of any aviation, maritime, or surface transportation
inspection, or any investigation or an alleged violation of aviation,
maritime, or surface transportation security requirements of Federal
law, that could reveal a security vulnerability, including the identity
of the Federal special agent or other Federal employee who conducted
the inspection or investigation, and including any recommendations
concerning the inspection or investigation.
* * * * *
(8) Security measures. Specific details of aviation, maritime, or
surface transportation security measures, both operational and
technical, whether applied directly by the Federal government or
another person, including the following:
* * * * *
(10) Security training materials. Records created or obtained for
the purpose of training persons employed by, contracted with, or acting
for the Federal government or another person to carry out aviation,
maritime, or surface transportation security measures required or
recommended by DHS or DOT.
* * * * *
(12) Critical transportation infrastructure asset information. Any
list identifying systems or assets, whether physical or virtual, so
vital to the aviation, maritime, or surface transportation that the
incapacity or destruction of such assets would have a debilitating
impact on transportation security, if the list is--
* * * * *
(15) Research and development. Information obtained or developed in
the conduct of research related to aviation, maritime, or surface
transportation, where such research is approved, accepted, funded,
recommended, or directed by DHS or DOT, including research results.
* * * * *
0
8. In Sec. 1520.7, revise paragraph (n) to read as follows:
Sec. 1520.7 Covered persons.
* * * * *
(n) Each owner/operator of maritime or surface transportation
subject to the requirements of subchapter D of this chapter.
0
9. Revise the heading for subchapter D to read as follows:
Subchapter D--Maritime and Surface Transportation Security
0
10. Revise part 1570 to read as follows:
[[Page 16500]]
PART 1570--GENERAL RULES
Subpart A--General
Sec.
1570.1 Scope.
1570.3 Terms used in this subchapter.
1570.5 Fraud and intentional falsification of records.
1570.7 Security responsibilities of employees and other persons.
1570.9 Compliance, inspection, and enforcement.
Subpart B--Security Programs
1570.101 Scope.
1570.103 Content.
1570.105 Responsibility for Determinations.
1570.107 Recognition of prior or established security measures or
programs.
1570.109 Submission and approval.
1570.111 Implementation schedules.
1570.113 Amendments requested by owner/operator.
1570.115 Amendments required by TSA.
1570.117 Alternative measures.
1570.119 Petitions for reconsideration.
1570.121 Recordkeeping and availability.
Subpart C--Operations
1570.201 Security Coordinator.
1570.203 Reporting significant security concerns.
Subpart D--Security Threat Assessments
1570.301 Fraudulent use or manufacture; responsibilities of persons.
1570.303 Inspection of credential.
1570.305 False statements regarding security background checks by
public transportation agency or railroad carrier.
Appendix A to Part 1570--Reporting of Significant Security Concerns
Authority: 18 U.S.C. 842, 845; 46 U.S.C. 70105; 49 U.S.C. 114,
5103a, 40113, and 46105; Pub. L. 108-90 (117 Stat. 1156, Oct. 1,
2003), sec. 520 (6 U.S.C. 469), as amended by Pub. L. 110-329 (122
Stat. 3689, Sept. 30, 2008) sec. 543 (6 U.S.C. 469); Pub. L. 110-53
(121 Stat. 266, Aug. 3, 2007) secs. 1402 (6 U.S.C. 1131), 1405 (6
U.S.C. 1134), 1408 (6 U.S.C. 1137), 1413 (6 U.S.C. 1142), 1414 (6
U.S.C. 1143), 1501 (6 U.S.C. 1151), 1512 (6 U.S.C. 1162), 1517 (6
U.S.C. 1167), 1522 (6 U.S.C. 1170), 1531 (6 U.S.C. 1181), and 1534
(6 U.S.C. 1184).
Subpart A--General
Sec. 1570.1 Scope.
This part applies to any person involved in maritime or surface
transportation as specified in this subchapter.
Sec. 1570.3 Terms used in this subchapter.
In addition to the definitions in Sec. Sec. 1500.3, 1500.5, and
1503.202 of subchapter A, the following terms are used in this
subchapter:
Adjudicate means to make an administrative determination of whether
an applicant meets the standards in this subchapter, based on the
merits of the issues raised.
Alien means any person not a citizen or national of the United
States.
Alien registration number means the number issued by the DHS to an
individual when he or she becomes a lawful permanent resident of the
United States or attains other lawful, non-citizen status.
Applicant means a person who has applied for one of the security
threat assessments identified in this subchapter.
Commercial driver's license (CDL) is used as defined in 49 CFR
383.5.
Contractor means a person or organization that provides a service
for an owner/operator regulated under this subchapter consistent with a
specific understanding or arrangement. The understanding can be a
written contract or an informal arrangement that reflects an ongoing
relationship between the parties.
Convicted means any plea of guilty or nolo contendere, or any
finding of guilt, except when the finding of guilt is subsequently
overturned on appeal, pardoned, or expunged. For purposes of this
subchapter, a conviction is expunged when the conviction is removed
from the individual's criminal history record and there are no legal
disabilities or restrictions associated with the expunged conviction,
other than the fact that the conviction may be used for sentencing
purposes for subsequent convictions. In addition, where an individual
is allowed to withdraw an original plea of guilty or nolo contendere
and enter a plea of not guilty and the case is subsequently dismissed,
the individual is no longer considered to have a conviction for
purposes of this subchapter.
Determination of No Security Threat means an administrative
determination by TSA that an individual does not pose a security threat
warranting denial of an HME or a TWIC.
Employee means an individual who is engaged or compensated by an
owner/operator regulated under this subchapter, or by a contractor to
an owner/operator regulated under this subchapter. The term includes
direct employees, contractor employees, authorized representatives,
immediate supervisors, and individuals who are self-employed.
Federal Maritime Security Coordinator (FMSC) has the same meaning
as defined in 46 U.S.C. 70103(a)(2)(G); is the Captain of the Port
(COTP) exercising authority for the COTP zones described in 33 CFR part
3, and is the Port Facility Security Officer as described in the
International Ship and Port Facility Security (ISPS) Code, part A.
Final Determination of Threat Assessment means a final
administrative determination by TSA, including the resolution of
related appeals, that an individual poses a security threat warranting
denial of an HME or a TWIC.
Hazardous materials endorsement (HME) means the authorization for
an individual to transport hazardous materials in commerce, an
indication of which must be on the individual's commercial driver's
license, as provided in the Federal Motor Carrier Safety Administration
regulations in 49 CFR part 383.
Immediate supervisor means a manager, supervisor, or agent of the
owner/operator to the extent the individual:
(1) Performs the work of a security-sensitive employee; or
(2) Supervises and otherwise directs the performance of a security-
sensitive employee.
Imprisoned or imprisonment means confined to a prison, jail, or
institution for the criminally insane, on a full-time basis, pursuant
to a sentence imposed as the result of a criminal conviction or finding
of not guilty by reason of insanity. Time spent confined or restricted
to a half-way house, treatment facility, or similar institution,
pursuant to a sentence imposed as the result of a criminal conviction
or finding of not guilty by reason of insanity, does not constitute
imprisonment for purposes of this rule.
Incarceration means confined or otherwise restricted to a jail-type
institution, half-way house, treatment facility, or another institution
on a full or part-time basis, pursuant to a sentence imposed as the
result of a criminal conviction or finding of not guilty by reason of
insanity.
Initial Determination of Threat Assessment means an initial
administrative determination by TSA that an applicant poses a security
threat warranting denial of an HME or a TWIC.
Initial Determination of Threat Assessment and Immediate Revocation
means an initial administrative determination that an individual poses
a security threat that warrants immediate revocation of an HME or
invalidation of a TWIC. In the case of an HME, the State must
immediately revoke the HME if TSA issues an Initial Determination of
Threat Assessment and Immediate Revocation. In the case of a TWIC, TSA
invalidates the TWIC when TSA issues an Initial Determination of Threat
Assessment and Immediate Revocation.
Invalidate means the action TSA takes to make a credential
inoperative when
[[Page 16501]]
it is reported as lost, stolen, damaged, no longer needed, or when TSA
determines an applicant does not meet the security threat assessment
standards of 49 CFR part 1572.
Lawful permanent resident means an alien lawfully admitted for
permanent residence, as defined in 8 U.S.C. 1101(a)(20).
Maritime facility has the same meaning as ``facility'' together
with ``OCS facility'' (Outer Continental Shelf facility), as defined in
33 CFR 101.105.
Mental health facility means a mental institution, mental hospital,
sanitarium, psychiatric facility, and any other facility that provides
diagnoses by licensed professionals of mental retardation or mental
illness, including a psychiatric ward in a general hospital.
National of the United States means a citizen of the United States,
or a person who, though not a citizen, owes permanent allegiance to the
United States, as defined in 8 U.S.C. 1101(a)(22), and includes
American Samoa and Swains Island.
Revocation means the termination, deactivation, rescission,
invalidation, cancellation, or withdrawal of the privileges and duties
conferred by an HME or TWIC, when TSA determines an applicant does not
meet the security threat assessment standards of 49 CFR part 1572.
Secure area means the area on board a vessel or at a facility or
outer continental shelf facility, over which the owner/operator has
implemented security measures for access control, as defined by a Coast
Guard approved security plan. It does not include passenger access
areas or public access areas, as these terms are defined in 33 CFR
104.106 and 105.106 respectively. Vessels operating under the waivers
provided for at 46 U.S.C. 8103(b)(3)(A) or (B) have no secure areas.
Facilities subject to 33 CFR chapter I, subchapter H, part 105 may,
with approval of the Coast Guard, designate only those portions of
their facility that are directly connected to maritime transportation
or are at risk of being involved in a transportation security incident
as their secure areas.
Security-sensitive employee, for purposes of this part, means
``security sensitive employee'' as defined in Sec. 1580.3, Sec.
1582.3, or Sec. 1584.3 of this title.
Security-sensitive job function, for purposes of this part, means a
job function identified in appendix B to part 1580, appendix B to part
1582, and appendix B to part 1584 of this title.
Security threat means an individual whom TSA determines or suspects
of posing a threat to national security; to transportation security; or
of terrorism.
Transportation Worker Identification Credential (TWIC) means a
Federal biometric credential, issued to an individual, when TSA
determines that the individual does not pose a security threat.
Withdrawal of Initial Determination of Threat Assessment is the
document that TSA issues after issuing an Initial Determination of
Security Threat, when TSA determines that an individual does not pose a
security threat that warrants denial of an HME or TWIC.
Sec. 1570.5 Fraud and intentional falsification of records.
No person may make, cause to be made, attempt, or cause to attempt
any of the following:
(a) Any fraudulent or intentionally false statement in any record
or report that is kept, made, or used to show compliance with the
subchapter, or exercise any privileges under this subchapter.
(b) Any reproduction or alteration, for fraudulent purpose, of any
record, report, security program, access medium, or identification
medium issued under this subchapter or pursuant to standards in this
subchapter.
Sec. 1570.7 Security responsibilities of employees and other
persons.
(a) No person may--
(1) Tamper or interfere with, compromise, modify, attempt to
circumvent, or cause another person to tamper or interfere with,
compromise, modify, or attempt to circumvent any security measure
implemented under this subchapter.
(2) Enter, or be present within, a secured or restricted area
without complying with the security measures applied as required under
this subchapter to control access to, or presence or movement in, such
areas.
(3) Use, allow to be used, or cause to be used, any approved access
medium or identification medium that authorizes the access, presence,
or movement of persons or vehicles in secured or restricted areas in
any other manner than that for which it was issued by the appropriate
authority to meet the requirements of this subchapter.
(b) The provisions of paragraph (a) of this section do not apply to
conducting inspections or tests to determine compliance with this
subchapter authorized by--
(1) TSA and DHS officials working with TSA; or
(2) The owner/operator when acting in accordance with the
procedures described in a security plan and/or program approved by TSA.
Sec. 1570.9 Compliance, inspection, and enforcement.
(a) Each person subject to any of the requirements of this
subchapter, must allow TSA and other authorized DHS officials, at any
time and in a reasonable manner, without advance notice, to enter,
assess, inspect, and test property, facilities, equipment, and
operations; and to view, inspect, and copy records, as necessary to
carry out TSA's security-related statutory or regulatory authorities,
including its authority to--
(1) Assess threats to transportation.
(2) Enforce security-related laws, regulations, directives, and
requirements.
(3) Inspect, maintain, and test the security of facilities,
equipment, and systems.
(4) Ensure the adequacy of security measures for the transportation
of passengers and cargo.
(5) Oversee the implementation, and ensure the adequacy, of
security measures for the owner/operator's conveyances and vehicles, at
transportation facilities and infrastructure and other assets related
to transportation.
(6) Review security plans and/or programs.
(7) Determine compliance with any requirements in this chapter.
(8) Carry out such other duties, and exercise such other powers,
relating to transportation security, as the Administrator for TSA
considers appropriate, to the extent authorized by law.
(b) At the request of TSA, each owner/operator subject to the
requirements of this subchapter must provide evidence of compliance
with this chapter, including copies of records.
(c) TSA and other authorized DHS officials, may enter, without
advance notice, and be present within any area or within any vehicle or
conveyance, terminal, or other facility covered by this chapter without
access media or identification media issued or approved by an owner/
operator covered by this chapter in order to inspect or test
compliance, or perform other such duties as TSA may direct.
(d) TSA inspectors and other authorized DHS officials working with
TSA will, on request, present their credentials for examination, but
the credentials may not be photocopied or otherwise reproduced.
[[Page 16502]]
Subpart B--Security Programs
Sec. 1570.101 Scope.
The requirements of this subpart address general security program
requirements applicable to each owner/operator required to have a
security program under subpart B to 49 CFR parts 1580, 1582, and 1584.
Sec. 1570.103 Content.
(a) Security program. Except as otherwise approved by TSA, each
owner/operator required to have a security program must address each of
the security program requirements identified in subpart B to 49 CFR
parts 1580, 1582, and 1584.
(b) Use of appendices. The owner/operator may comply with the
requirements referenced in paragraph (a) of this section by including
in its security program, as an appendix, any document that contains the
information required by the applicable subpart B, including procedures,
protocols or memorandums of understanding related to external agency
response to security incidents or events. The appendix must be
referenced in the corresponding section(s) of the security program.
Sec. 1570.105 Responsibility for Determinations.
(a) Higher-risk operations. While TSA has determined the criteria
for applicability of the requirements in subpart B to 49 CFR parts
1580, 1582, and 1584 based on risk-assessments for freight railroad,
public transportation system, passenger railroad, or over-the-road
(OTRB) owner/operators are required to determine if the applicability
criteria identified in subpart B to parts 1580, 1582, and 1584 apply to
their operations. Owner/operators are required to notify TSA of
applicability within 30 days of June 22, 2020.
(b) New or modified operations. If an owner/operator commences new
operations or modifies existing operations after June 22, 2020, that
person is responsible for determining whether the new or modified
operations would meet the applicability criteria in subpart B to 49 CFR
part 1580, 1582, or 1584 and must notify TSA no later than 90 calendar
days before commencing operations or implementing modifications.
Sec. 1570.107 Recognition of prior or established security measures
or programs.
Previously provided security training may be credited towards
satisfying the requirements of this subchapter provided the owner/
operator--
(a) Obtains a complete record of such training and validates the
training meets requirements of Sec. 1580.115, Sec. 1582.115, or Sec.
1584.115 of this subchapter as it relates to the function of the
individual security-sensitive employee and the training was provided
within the schedule required for recurrent training.
(b) Retains a record of such training in compliance with the
requirements of Sec. 1570.121 of this part.
Sec. 1570.109 Submission and approval.
(a) Submission of security program. Each owner/operator required
under parts 1580, 1582, or 1584 of this subchapter to adopt and carry
out a security program must submit it to TSA for approval in a form and
manner prescribed by TSA.
(b) Security training deadlines. Except as otherwise directed by
TSA, each owner/operator required under subpart B to part 1580, 1582,
or 1584 of this subchapter to develop a security training program
must--
(1) Submit its program to TSA for approval no later than 90
calendar days after June 22, 2020.
(2) If commencing or modifying operations so as to be subject to
the requirements of subpart B to 49 CFR part 1580, 1582, or 1584 after
June 22, 2020, submit a training program to TSA no later than 90
calendar days before commencing new or modified operations.
(c) TSA approval. (1) No later than 60 calendar days after
receiving the proposed security program required by subpart B to 49 CFR
parts 1580, 1582, and 1584, TSA will either approve the program or
provide the owner/operator with written notice to modify the program to
comply with the applicable requirements of this subchapter. TSA will
notify the owner/operator if it needs an extension of time to approve
the program or provide the owner/operator with written notice to modify
the program to comply with the applicable requirements of this
subchapter.
(2) Notice to modify. If TSA provides the owner/operator with
written notice to modify the security program to comply with the
applicable requirements of this subchapter, the owner/operator must
provide a modified security program to TSA for approval within the
timeframe specified by TSA.
(3) TSA may request additional information, and the owner/operator
must provide the information within the time period TSA prescribes. The
60-day period for TSA approval or modification will begin when the
owner/operator provides the additional information.
(g) Petition for reconsideration. Within 30 days of receiving the
notice to modify, the owner/operator may file a petition for
reconsideration under Sec. 1570.119 of this part.
Sec. 1570.111 Implementation schedules.
(a) Initial security training. Each owner/operator required under
parts 1580, 1582, or 1584 of this subchapter to adopt and carry out a
security program must provide initial security training to security-
sensitive employees, using the curriculum approved by TSA--
(1) No later than one year after the date of TSA-approval of the
owner/operator's security training program if the employee is employed
to perform a security-sensitive function on the date TSA approves the
program.
(2) No later than 60 calendar days after the employee first
performs a security-sensitive job function if performance of a
security-sensitive job function is initiated after TSA approves the
security training program.
(3) No later than the 60th calendar day of employment performing a
security-sensitive function, aggregated over a consecutive 12-month
period, if the security-sensitive job function is performed
intermittently.
(b) Recurrent security training. (1) Except as provided in
paragraph (b)(2) of this section, a security-sensitive employee
required to receive training under part 1580, 1582, or 1584 of this
subchapter must receive the required training at least once every three
years.
(2) If an owner/operator modifies a security program or security
plan for which training is required under Sec. 1580.203(b), Sec.
1582.115(b), or Sec. 1584.115(b) of this subchapter, the owner/
operator must ensure each security-sensitive employee with position- or
function-specific responsibilities related to the revised plan or
program changes receives training on the revisions within 90 days of
implementation of the revised plan or program changes. All other
employees must receive training that reflects the changes to the
operating security requirements as part of their regularly scheduled
recurrent training.
(3) The three-year recurrent training cycle is based on the
anniversary calendar month of the employee's initial security training.
If the owner/operator provides the recurrent security training in the
month of, the month before, or the month after it is due, the employee
is considered to have taken the training in the month it is due.
(c) Extensions of time. TSA may grant an extension of time for
implementing a security program identified in subpart B to parts 1580,
1582, and 1584 of this subchapter upon a showing of good
[[Page 16503]]
cause. The owner/operator must request the extension of time in writing
and TSA must receive the request within a reasonable time before the
due date to be extended; an owner/operator may request an extension
after the expiration of a due date by sending a written request
describing why the failure to meet the due date was excusable. TSA will
respond to the request in writing.
Sec. 1570.113 Amendments requested by owner/operator.
(a) Changes to ownership or control of operations. Each owner/
operator required under part 1580, 1582, or 1584 of this subchapter to
adopt and carry out a security program must submit a request to amend
its security program if, after approval, there are any changes to the
ownership or control of the operation.
(b) Changes to conditions affecting security. Each owner/operator
required under part 1580, 1582, or 1584 of this subchapter to adopt and
carry out a security program must submit a request to amend its
security program if, after approval, the owner/operator makes, or
intends to make, permanent changes to any of the following procedures,
measures, or other aspects of security or emergency response planning
implemented by the owner/operator to address:
(1) Specific procedures implemented or used to prevent and detect
unauthorized access to restricted areas designated by the owner/
operator;
(2) Measures to be implemented in response to a period of
heightened security risk, communicated through a DHS enhanced security
notification, including the process used to notify all employees of
changes in alert level status or requirements to implement specific
elements of the security plan and verify that appropriate enhanced
security measures have been implemented at all relevant locations.
(3) Emergency response plans, including:
(i) Coordinated response plans establishing procedures for
appropriate interaction with State, local, and tribal law enforcement
agencies, emergency responders, and Federal officials in order to
coordinate security measures and plans for response in the event of a
terrorist threat, attack, or other transportation security-related
incident;
(ii) Specific procedures to be implemented or used by the owner/
operator in response to a terrorist attack, including evacuation and
communication plans that include individuals with disabilities; and
(iii) Additional measures to be adopted to address weaknesses in
emergency response procedures identified during regular drills or
exercises that test corporate capabilities to direct, coordinate, and
execute prevention and response activities for terrorist attacks or
other security threats, including tunnel evacuation procedures, if
applicable.
(iv) Redundant and backup systems to ensure the continuity of
operations of critical assets and infrastructure system in the event of
a terrorist attack or other transportation security-related incident.
(c) Changes to security training curriculum. Each owner/operator
required under part 1580, 1582, or 1584 of this subchapter to adopt and
carry out a security program must submit a request to amend its
security program if, after approval, the owner/operator makes, or
intends to make, permanent changes to its security training curriculum
required under part 1580, 1582, or 1584, including changes to address:
(1) Determinations that the security training program is
ineffective based on the approved method for evaluating effectiveness
in the security training program approved by TSA under subpart B of
parts 1580, 1582, and 1584; or
(2) Development of recurrent training material for purposes of
meeting the requirements in Sec. 1570.111(b) of this part or other
alternative training materials not previously approved by TSA.
(d) Permanent change. For purposes of this section, a ``permanent
change'' is one intended to be in effect for 60 or more calendar days.
(e) Schedule for requesting amendment. The owner/operator must file
the request for an amendment with TSA no later than 65 calendar days
after the change in subsection (b) takes effect, unless TSA allows a
shorter time period.
(f) TSA approval. (1) Within 30 calendar days after receiving a
proposed amendment, TSA will, in writing, either approve or deny the
request to amend. TSA will notify the owner/operator if it needs an
extension of time to consider the proposed amendment.
(2) TSA may approve--
(i) An amendment to a security program if TSA determines that it is
in the interest of the public and transportation security and the
proposed amendment provides the level of security required under this
subchapter.
(ii) Modification to security training curriculum, including
alternative training for purposes of meeting the recurrent training
requirement, if all the required training elements are addressed and
the material is consistent with the most recent iteration of the
security program submitted to, and approved by, TSA (including
amendments made to reflect relevant changes to operations and/or
security measures and response plans).
(iii) TSA may request additional information from the owner/
operator before rendering a decision.
(g) Petition for reconsideration. No later than 30 calendar days
after receiving a denial, the owner/operator may file a petition for
reconsideration under Sec. 1570.119 of this part.
Sec. 1570.115 Amendments required by TSA.
(a) Notification of requirement to amend. TSA may require
amendments to a security program in the interest of the public and
transportation security, including any new information about emerging
threats, or methods for addressing emerging threats, as follows:
(1) TSA will notify the owner/operator of the proposed amendment,
fixing a period of not less than 30 calendar days within which the
owner/operator may submit written information, views, and arguments on
the amendment.
(2) After TSA considers all relevant material received, TSA will
notify the owner/operator of any amendment adopted or rescind the
notice.
(b) Effective date of amendment. If TSA adopts the amendment, it
becomes effective not less than 30 calendar days after the owner/
operator receives the notice of amendment, unless the owner/operator
disagrees with the proposed amendment and files a petition for
reconsideration under Sec. 1570.119 of this part no later than 15
calendar days before the effective date of the amendment. A timely
petition for reconsideration stays the effective date of the amendment.
(c) Emergency amendments. If TSA determines that there is an
emergency requiring immediate action in the interest of the public or
transportation security, TSA may issue an amendment, without the prior
notice and comment procedures in paragraph (a) of this section,
effective without stay on the date the covered owner/operator receives
notice of it. In such a case, TSA will incorporate in the notice a
brief statement of the reasons and findings for the amendment to be
adopted. The owner/operator may file a petition for reconsideration
under Sec. 1570.119 of this part; however, this does not stay the
effective date of the emergency amendment.
[[Page 16504]]
Sec. 1570.117 Alternative measures.
(a) If in TSA's judgment, the overall security of transportation
provided by an owner/operator subject to the requirements of 49 CFR
part 1580, 1582, or 1584 are not diminished, TSA may approve
alternative measures.
(b) Each owner/operator requesting alternative measures must file
the request for approval in a form and manner prescribed by TSA. The
filing of such a request does not affect the owner/operator's
responsibility for compliance while the request is being considered.
(c) TSA may request additional information, and the owner/operator
must provide the information within the time period TSA prescribes.
Within 30 calendar days after receiving a request for alternative
measures and all requested information, TSA will, in writing, either
approve or deny the request.
(d) If TSA finds that the use of the alternative measures is in the
interest of the public and transportation security, it may grant the
request subject to any conditions TSA deems necessary. In considering
the request for alternative measures, TSA will review all relevant
factors including--
(1) The risks associated with the type of operation, for example,
whether the owner/operator transports hazardous materials or passengers
within a high threat urban area, whether the owner/operator transports
passengers and the volume of passengers transported, or whether the
owner/operator hosts a passenger operation.
(2) Any relevant threat information.
(3) Other circumstances concerning potential risk to the public and
transportation security.
(e) No later than 30 calendar days after receiving a denial, the
owner/operator may petition for reconsideration under Sec. 1570.119 of
this part.
Sec. 1570.119 Petitions for reconsideration.
(a) If an owner/operator seeks to petition for reconsideration of a
determination, required modification, denial of a request for amendment
by the owner/operator, denial to rescind a TSA-required amendment, or
denial of an alternative measure, the owner/operator must submit a
written petition for reconsideration that includes a statement and any
supporting documentation explaining why the owner/operator believes
TSA's decision is incorrect.
(b) Upon review of the petition for reconsideration, the
Administrator or designee will dispose of the petition by affirming,
modifying, or rescinding its previous decision. This is considered a
final agency action.
Sec. 1570.121 Recordkeeping and availability.
(a) Retention. Each owner/operator required to have a security
program under subpart B to parts 1580, 1582, and 1584 of this
subchapter must--
(1) Retain security training records for each individual required
to receive security training under Sec. Sec. 1580.115, 1582.115, and
1584.115 that, at a minimum--
(i) Includes employee's full name, job title or function, date of
hire, and date of initial and recurrent security training; and
(ii) Identifies the date, course name, course length, and list of
topics addressed for the security training most recently provided in
each of the areas required under Sec. Sec. 1580.115, 1582.115, and
1584.115 of this subchapter.
(2) Retain records of initial and recurrent security training for
no less than five (5) years from the date of training.
(3) Provide records to current and former employees upon request
and at no charge as necessary to provide proof of training.
(b) Electronic records. Each owner/operator required to retain
records under this section may keep them in electronic form. An owner/
operator may maintain and transfer records through electronic
transmission, storage, and retrieval provided that the electronic
system provides for the maintenance of records as originally submitted
without corruption, loss of data, or tampering.
(c) Protection of SSI. Each owner/operator must restrict the
distribution, disclosure, and availability of security sensitive
information, as identified in part 1520 of this chapter, to persons
with a need to know. The owner/operator must refer requests for such
information by other persons to TSA.
(d) Availability. Each owner/operator must make the records
available to TSA upon request for inspection and copying.
Subpart C--Operations
Sec. 1570.201 Security Coordinator.
(a) Except as provided in paragraphs (b) and (c) of this section,
each owner/operator identified in Sec. Sec. 1580.1, 1582.1, and
1584.101 of this subchapter must designate and use a primary and at
least one alternate Security Coordinator.
(b) An owner/operator identified in Sec. 1582.1(a)(2) of this
subchapter (public transportation agency) that owns or operates a bus-
only operation must designate and use a primary and at least one
alternate Security Coordinator only if the owner/operator is identified
in appendix A to part 1582 of this subchapter or is notified by TSA in
writing that a threat exists concerning that operation.
(c) An owner/operator identified in Sec. 1580.1(a)(5) or Sec.
1582.1(a)(4) of this subchapter (private rail car, tourist, scenic,
historic, or excursion rail operations) must designate and use a
primary and at least one alternate Security Coordinator, only if
notified by TSA in writing that a threat exists concerning that type of
operation.
(d) The Security Coordinator and alternate(s) must be appointed at
the corporate level.
(e) Each owner/operator required to have a Security Coordinator
must provide in writing to TSA the names, U.S. citizenship status,
titles, phone number(s), and email address(es) of the Security
Coordinator and alternate Security Coordinator(s) within 37 calendar
days of the effective date of this rule, commencement of operations, or
change in any of the information required by this section.
(f) Each owner/operator required to have a Security Coordinator
must ensure that at least one Security Coordinator--
(1) Serves as the primary contact for intelligence information and
security-related activities and communications with TSA. Any individual
designated as a Security Coordinator may perform other duties in
addition to the duties described in this section.
(2) Is accessible to TSA on a 24 hours a day, 7 days a week basis.
(3) Coordinates security practices and procedures internally and
with appropriate law enforcement and emergency response agencies.
Sec. 1570.203 Reporting significant security concerns.
(a) Each owner/operator identified in Sec. Sec. 1580.1, 1582.1,
and 1584.101 of this subchapter must report, within 24 hours of initial
discovery, any potential threats and significant security concerns
involving transportation-related operations in the United States or
transportation to, from, or within the United States as soon as
possible by the methods prescribed by TSA.
(b) Potential threats or significant security concerns encompass
incidents, suspicious activities, and threat information including, but
not limited to, the categories of reportable events listed in appendix
A to this part.
(c) Information reported must include the following, as available
and applicable:
(1) The name of the reporting individual and contact information,
[[Page 16505]]
including a telephone number or email address.
(2) The affected freight or passenger train, transit vehicle, motor
vehicle, station, terminal, rail hazardous materials facility, or other
facility or infrastructure, including identifying information and
current location.
(3) Scheduled origination and termination locations for the
affected freight or passenger train, transit vehicle, or motor vehicle-
including departure and destination city and route.
(4) Description of the threat, incident, or activity, including who
has been notified and what action has been taken.
(5) The names, other available biographical data, and/or
descriptions (including vehicle or license plate information) of
individuals or motor vehicles known or suspected to be involved in the
threat, incident, or activity.
(6) The source of any threat information.
Subpart D--Security Threat Assessments
Sec. 1570.301 Fraudulent use or manufacture; responsibilities of
persons.
(a) No person may use or attempt to use a credential, security
threat assessment, access control medium, or identification medium
issued or conducted under this subchapter that was issued or conducted
for another person.
(b) No person may make, produce, use or attempt to use a false or
fraudulently created access control medium, identification medium or
security threat assessment issued or conducted under this subchapter.
(c) No person may tamper or interfere with, compromise, modify,
attempt to circumvent, or circumvent TWIC access control procedures.
(d) No person may cause or attempt to cause another person to
violate paragraphs (a) through (c) of this section.
Sec. 1570.303 Inspection of credential.
(a) Each person who has been issued or possesses a TWIC must
present the TWIC for inspection upon a request from TSA, the Coast
Guard, or other authorized DHS representative; an authorized
representative of the National Transportation Safety Board; or a
Federal, State, or local law enforcement officer.
(b) Each person who has been issued or who possesses a TWIC must
allow his or her TWIC to be read by a reader and must submit his or her
reference biometric, such as a fingerprint, and any other required
information, such as a PIN, to the reader, upon a request from TSA, the
Coast Guard, other authorized DHS representative; or a Federal, State,
or local law enforcement officer.
Sec. 1570.305 False statements regarding security background checks
by public transportation agency or railroad carrier.
(a) Scope. This section implements sections 1414(e) (6 U.S.C. 1143)
and 1522(e) (6 U.S.C. 1170) of the ``Implementing Recommendations of
the 9/11 Commission Act of 2007,'' Public Law 110-53 (121 Stat. 266,
Aug. 3, 2007).
(b) Definitions. In addition to the terms in Sec. Sec. 1500.3,
1500.5, and 1503.202 of subchapter A and Sec. 1570.3 of subchapter D
of this chapter, the following term applies to this part:
Security background check means reviewing the following for the
purpose of identifying individuals who may pose a threat to
transportation security, national security, or of terrorism:
(i) Relevant criminal history databases.
(ii) In the case of an alien (as defined in sec. 101 of the
Immigration and Nationality Act (8 U.S.C. 1101(a)(3)), the relevant
databases to determine the status of the alien under the immigration
laws of the United States.
(iii) Other relevant information or databases, as determined by the
Secretary of Homeland Security.
(c) Prohibitions. (1) A public transportation agency or a
contractor or subcontractor of a public transportation agency may not
knowingly misrepresent to an employee or other relevant person,
including an arbiter involved in a labor arbitration, the scope,
application, or meaning of any rules, regulations, directives, or
guidance issued by the Secretary of Homeland Security related to
security background check requirements for employees when conducting a
security background check.
(2) A railroad carrier or a contractor or subcontractor of a
railroad carrier may not knowingly misrepresent to an employee or other
relevant person, including an arbiter involved in a labor arbitration,
the scope, application, or meaning of any rules, regulations,
directives, or guidance issued by the Secretary of Homeland Security
related to security background check requirements for employees when
conducting a security background check.
Appendix A to Part 1570--Reporting of Significant Security Concerns
------------------------------------------------------------------------
Category Description
------------------------------------------------------------------------
Breach, Attempted Intrusion, Unauthorized personnel attempting to or
and/or Interference. actually entering a restricted area or
secure site relating to a transportation
facility or conveyance owned, operated,
or used by an owner/operator subject to
this part. This includes individuals
entering or attempting to enter by
impersonation of authorized personnel
(for example, police/security, janitor,
vehicle owner/operator). Activity that
could interfere with the ability of
employees to perform duties to the
extent that security is threatened.
Misrepresentation............ Presenting false, or misusing, insignia,
documents, and/or identification, to
misrepresent one's affiliation with an
owner/operator subject to this part to
cover possible illicit activity that may
pose a risk to transportation security.
Theft, Loss, and/or Diversion Stealing or diverting identification
media or badges, uniforms, vehicles,
keys, tools capable of compromising
track integrity, portable derails,
technology, or classified or sensitive
security information documents which are
proprietary to the facility or
conveyance owned, operated, or used by
an owner/operator subject to this part.
Sabotage, Tampering, and/or Damaging, manipulating, or defeating
Vandalism. safety and security appliances in
connection with a facility,
infrastructure, conveyance, or routing
mechanism, resulting in the compromised
use or the temporary or permanent loss
of use of the facility, infrastructure,
conveyance or routing mechanism. Placing
or attaching a foreign object to a rail
car(s).
Cyber Attack................. Compromising, or attempting to compromise
or disrupt the information/technology
infrastructure of an owner/operator
subject to this part.
Expressed or Implied Threat.. Communicating a spoken or written threat
to damage or compromise a facility/
infrastructure/conveyance owned,
operated, or used by an owner/operator
subject to this part (for example, a
bomb threat or active shooter).
[[Page 16506]]
Eliciting Information........ Questioning that may pose a risk to
transportation or national security,
such as asking one or more employees of
an owner/operator subject to this part
about particular facets of a facility's
conveyance's purpose, operations, or
security procedures.
Testing or Probing of Deliberate interactions with employees of
Security. an owner/operator subject to this part
or challenges to facilities or systems
owned, operated, or used by an owner/
operator subject to this part that
reveal physical, personnel, or cyber
security capabilities.
Photography.................. Taking photographs or video of
facilities, conveyances, or
infrastructure owned, operated, or used
by an owner/operator subject to this
part in a manner that may pose a risk to
transportation or national security.
Examples include taking photographs or
video of infrequently used access
points, personnel performing security
functions (for example, patrols, badge/
vehicle checking), or security-related
equipment (for example, perimeter
fencing, security cameras).
Observation or Surveillance.. Demonstrating unusual interest in
facilities or loitering near
conveyances, railcar routing appliances
or any potentially critical
infrastructure owned or operated by an
owner/operator subject to this part in a
manner that may pose a risk to
transportation or national security.
Examples include observation through
binoculars, taking notes, or attempting
to measure distances.
Materials Acquisition and/or Acquisition and/or storage by an employee
Storage. of an owner/operator subject to this
part of materials such as cell phones,
pagers, fuel, chemicals, toxic
materials, and/or timers that may pose a
risk to transportation or national
security (for example, storage of
chemicals not needed by an employee for
the performance of his or her job
duties).
Weapons Discovery, Discharge, Weapons or explosives in or around a
or Seizure.. facility, conveyance, or infrastructure
of an owner/operator subject to this
part that may present a risk to
transportation or national security (for
example, discovery of weapons
inconsistent with the type or quantity
traditionally used by company security
personnel).
Suspicious Items or Activity. Discovery or observation of suspicious
items, activity or behavior in or around
a facility, conveyance, or
infrastructure of an owner/operator
subject to this part that results in the
disruption or termination of operations
(for example, halting the operation of a
conveyance while law enforcement
personnel investigate a suspicious bag,
briefcase, or package).
------------------------------------------------------------------------
0
11. Revise part 1580 to read as follows:
PART 1580--FREIGHT RAIL TRANSPORTATION SECURITY
Subpart A--General
Sec.
1580.1 Scope.
1580.3 Terms used in this part.
1580.5 Preemptive effect.
Subpart B--Security Programs
1580.101 Applicability.
1580.103 [Reserved]
1580.105 [Reserved]
1580.107 [Reserved]
1580.109 [Reserved]
1580.111 [Reserved]
1580.113 Security training program general requirements.
1580.115 Security training and knowledge for security-sensitive
employees.
Subpart C--Operations
1580.201 Applicability.
1580.203 Location and shipping information.
1580.205 Chain of custody and control requirements.
1580.207 Harmonization of Federal regulation of nuclear facilities.
Appendix A to Part 1580--High Threat Urban Areas (HTUAS)
Appendix B to Part 1580--Security-Sensitive Job Functions for
Freight Rail
Authority: 49 U.S.C. 114; Pub. L. 110-53 (121 Stat. 266, Aug. 3,
2007) secs. 1501 (6 U.S.C. 1151), 1512 (6 U.S.C. 1162) and 1517 (6
U.S.C. 1167).
Subpart A--General
Sec. 1580.1 Scope.
(a) Except as provided in paragraph (b) of this section, this part
includes requirements for the following persons. Specific sections in
this part provide detailed requirements.
(1) Each freight railroad carrier that operates rolling equipment
on track that is part of the general railroad system of transportation.
(2) Each rail hazardous materials shipper.
(3) Each rail hazardous materials receiver located within an HTUA.
(4) Each freight railroad carrier serving as a host railroad to a
freight railroad operation described in paragraph (a)(1) of this
section or a passenger operation described in Sec. 1582.1 of this
subchapter.
(5) Each owner/operator of private rail cars, including business/
office cars and circus trains, on or connected to the general railroad
system of transportation.
(b) This part does not apply to a freight railroad carrier that
operates rolling equipment only on track inside an installation that is
not part of the general railroad system of transportation.
Sec. 1580.3 Terms used in this part.
In addition to the terms in Sec. Sec. 1500.3, 1500.5, and 1503.202
of subchapter A and Sec. 1570.3 of subchapter D of this chapter, the
following terms apply to this part:
Class I means Class I as assigned by regulations of the Surface
Transportation Board (STB) (49 CFR part 1201; General Instructions 1-
1).
Attended, in reference to a rail car, means an employee--
(1) Is physically located on-site in reasonable proximity to the
rail car;
(2) Is capable of promptly responding to unauthorized access or
activity at or near the rail car, including immediately contacting law
enforcement or other authorities; and
(3) Immediately responds to any unauthorized access or activity at
or near the rail car either personally or by contacting law enforcement
or other authorities.
Document the transfer means documentation uniquely identifying that
the rail car was attended during the transfer of custody, including:
(1) Car initial and number.
(2) Identification of individuals who attended the transfer (names
or uniquely identifying employee number).
(3) Location of transfer.
(4) Date and time the transfer was completed.
High threat urban area (HTUA) means, for purposes of this part, an
area comprising one or more cities and surrounding areas including a
10-mile buffer zone, as listed in appendix A to this part 1580.
Maintains positive control means that the rail hazardous materials
receiver
[[Page 16507]]
and the railroad carrier communicate and cooperate with each other to
provide for the security of the rail car during the physical transfer
of custody. Attending the rail car is a component of maintaining
positive control.
Rail security-sensitive materials (RSSM) means--
(1) A rail car containing more than 2,268 kg (5,000 lbs.) of a
Division 1.1, 1.2, or 1.3 (explosive) material, as defined in 49 CFR
173.50;
(2) A tank car containing a material poisonous by inhalation as
defined in 49 CFR 171.8, including anhydrous ammonia, Division 2.3
gases poisonous by inhalation as set forth in 49 CFR 173.115(c), and
Division 6.1 liquids meeting the defining criteria in 49 CFR
173.132(a)(1)(iii) and assigned to hazard zone A or hazard zone B in
accordance with 49 CFR 173.133(a), excluding residue quantities of
these materials; and
(3) A rail car containing a highway route-controlled quantity of a
Class 7 (radioactive) material, as defined in 49 CFR 173.403.
Residue means the hazardous material remaining in a packaging,
including a tank car, after its contents have been unloaded to the
maximum extent practicable and before the packaging is either refilled
or cleaned of hazardous material and purged to remove any hazardous
vapors.
Security-sensitive employee means an employee who performs--
(1) Service subject to the Federal hours of service laws (49 U.S.C.
chapter 211), regardless of whether the employee actually performs such
service during a particular duty tour; or
(2) One or more of the security-sensitive job functions identified
in Appendix B to this part where the security-sensitive function is
performed in the United States or in direct support of the common
carriage of persons or property between a place in the United States
and any place outside of the United States.
Sec. 1580.5 Preemptive effect.
Under 49 U.S.C. 20106, issuance of the regulations in this
subchapter preempts any State law, regulation, or order covering the
same subject matter, except an additional or more stringent law,
regulation, or order that is necessary to eliminate or reduce an
essentially local security hazard; that is not incompatible with a law,
regulation, or order of the U.S. Government; and that does not
unreasonably burden interstate commerce. For example, under 49 U.S.C.
20106, issuance of 49 CFR 1580.205 preempts any State or tribal law,
rule, regulation, order or common law requirement covering the same
subject matter.
Subpart B--Security Programs
Sec. 1580.101 Applicability.
This subpart applies to each of the following owner/operators:
(a) Described in Sec. 1580.1(a)(1) of this part that is a Class I
freight railroad.
(b) Described in Sec. 1580.1(a)(1) of this part that transports
one or more of the categories and quantities of RSSM in an HTUA.
(c) Described in Sec. 1580.1(a)(4) of this part that serves as a
host railroad to a freight railroad described in paragraph (a) of (b)
of this section or a passenger operation described in Sec. 1582.101 of
this subchapter.
Sec. 1580.103 [Reserved]
Sec. 1580.105 [Reserved]
Sec. 1580.107 [Reserved]
Sec. 1580.109 [Reserved]
Sec. 1580.111 [Reserved]
Sec. 1580.113 Security training program general requirements.
(a) Security training program required. Each owner/operator
identified in Sec. 1580.101 of this part is required to adopt and
carry out a security training program under this subpart.
(b) General requirements. The security training program must
include the following information:
(1) Name of owner/operator.
(2) Name, title, telephone number, and email address of the primary
individual to be contacted with regard to review of the security
training program.
(3) Number, by specific job function category identified in
Appendix B to this part, of security-sensitive employees trained or to
be trained.
(4) Implementation schedule that identifies a specific date by
which initial and recurrent security training required by Sec.
1570.111 of this subchapter will be completed.
(5) Location where training program records will be maintained.
(6) Curriculum or lesson plan, including learning objectives and
method of delivery (such as instructor-led or computer-based training)
for each course used to meet the requirements of Sec. 1580.115 of this
part. TSA may request additional information regarding the curriculum
during the review and approval process. If recurrent training under
Sec. 1570.111 of this subchapter is not the same as initial training,
a curriculum or lesson plan for the recurrent training will need to be
submitted and approved by TSA.
(7) Plan for ensuring supervision of untrained security-sensitive
employees performing functions identified in Appendix B to this part.
(8) Plan for notifying employees of changes to security measures
that could change information provided in previously provided training.
(9) Method(s) for evaluating the effectiveness of the security
training program in each area required by Sec. 1580.115 of this part.
(c) Relation to other training. (1) Training conducted by owner/
operators to comply other requirements or standards, such as emergency
preparedness training required by the Department of Transportation
(DOT) (49 CFR part 239) or other training for communicating with
emergency responders to arrange the evacuation of passengers, may be
combined with and used to satisfy elements of the training requirements
in this subpart.
(2) If the owner/operator submits a security training program that
relies on pre-existing or previous training materials to meet the
requirements of subpart B, the program submitted for approval must
include an index, organized in the same sequence as the requirements in
this subpart.
(d) Submission and implementation. The owner/operator must submit
and implement the security training program in accordance with the
schedules identified in Sec. Sec. 1570.109 and 1570.111 of this
subchapter.
Sec. 1580.115 Security training and knowledge for security-sensitive
employees.
(a) Training required for security-sensitive employees. No owner/
operator required to have a security training program under Sec.
1580.101 of this part may use a security-sensitive employee to perform
a function identified in Appendix B to this part, unless that
individual has received training as part of a security training program
approved by TSA under 49 CFR part 1570, subpart B, or is under the
direct supervision of an employee who has received the training
required by this section as applicable to that security-sensitive
function.
(b) Limits on use of untrained employees. Notwithstanding paragraph
(a) of this section, a security-sensitive employee may not perform a
security-sensitive function for more than sixty (60) calendar days
without receiving security training.
(c) Prepare. (1) Each owner/operator must ensure that each of its
security-sensitive employees with position- or
[[Page 16508]]
function-specific responsibilities under the owner/operator's security
program has knowledge of how to fulfill those responsibilities in the
event of a security threat, breach, or incident to ensure--
(i) Employees with responsibility for transportation security
equipment and systems are aware of their responsibilities and can
verify the equipment and systems are operating and properly maintained;
and
(ii) Employees with other duties and responsibilities under the
company's security plans and/or programs, including those required by
Federal law, know their assignments and the steps or resources needed
to fulfill them.
(2) Each employee who performs any security-related functions under
Sec. 1580.205 of this subpart must be provided training specifically
applicable to the functions the employee performs. As applicable, this
training must address--
(i) Inspecting rail cars for signs of tampering or compromise,
IEDs, suspicious items, and items that do not belong;
(ii) Identification of rail cars that contain rail security-
sensitive materials, including the owner/operator's procedures for
identifying rail security-sensitive material cars on train documents,
shipping papers, and in computer train/car management systems; and
(iii) Procedures for completing transfer of custody documentation.
(d) Observe. Each owner/operator must ensure that each of its
security-sensitive employees has knowledge of the observational skills
necessary to recognize--
(1) Suspicious and/or dangerous items (such as substances,
packages, or conditions (for example, characteristics of an IED and
signs of equipment tampering or sabotage);
(2) Combinations of actions and individual behaviors that appear
suspicious and/or dangerous, inappropriate, inconsistent, or out of the
ordinary for the employee's work environment, which could indicate a
threat to transportation security; and
(3) How a terrorist or someone with malicious intent may attempt to
gain sensitive information or take advantage of vulnerabilities.
(e) Assess. Each owner/operator must ensure that each of its
security-sensitive employees has knowledge necessary to--
(1) Determine whether the item, individual, behavior, or situation
requires a response as a potential terrorist threat based on the
respective transportation environment; and
(2) Identify appropriate responses based on observations and
context.
(f) Respond. Each owner/operator must ensure that each of its
security-sensitive employees has knowledge of how to--
(1) Appropriately report a security threat, including knowing how
and when to report internally to other employees, supervisors, or
management, and externally to local, state, or Federal agencies
according to the owner/operator's security procedures or other relevant
plans;
(2) Interact with the public and first responders at the scene of
the threat or incident, including communication with passengers on
evacuation and any specific procedures for individuals with
disabilities and the elderly; and
(3) Use any applicable self-defense devices or other protective
equipment provided to employees by the owner/operator.
Subpart C--Operations
Sec. 1580.201 Applicability.
This subpart applies to the following:
(1) Each owner/operator described in Sec. 1580.1(a)(1) of this
part that transports one or more of the categories and quantities of
rail security-sensitive materials.
(2) Each owner/operator described in Sec. 1580.1(a)(2) and (3) of
this part.
Sec. 1580.203 Location and shipping information.
(a) General requirement. Each owner/operator described in Sec.
1580.201 of this part must have procedures in place to determine the
location and shipping information for each rail car under its physical
custody and control that contains one or more of the categories and
quantities of rail security-sensitive materials.
(b) Required information. The location and shipping information
must include the following:
(1) The rail car's current location by city, county, and state,
including, for freight railroad carriers, the railroad milepost, track
designation, and the time that the rail car's location was determined.
(2) The rail car's routing, if a freight railroad carrier.
(3) A list of the total number of rail cars containing rail
security-sensitive materials, broken down by--
(i) The shipping name prescribed for the material in column 2 of
the table in 49 CFR 172.101;
(ii) The hazard class or division number prescribed for the
material in column 3 of the table in 49 CFR 172.101; and
(iii) The identification number prescribed for the material in
column 4 of the table in 49 CFR 172.101.
(4) Each rail car's initial and number.
(5) Whether the rail car is in a train, rail yard, siding, rail
spur, or rail hazardous materials shipper or receiver facility,
including the name of the rail yard or siding designation.
(c) Timing-Class I freight railroad carriers. Upon request by TSA,
each Class I freight railroad carrier described in paragraph (a) of
this section must provide the location and shipping information to TSA
no later than--
(1) Five minutes if the request applies to a single (one) rail car;
and
(2) Thirty minutes if the request concerns multiple rail cars or a
geographic region.
(d) Timing-other than Class I freight railroad carriers. Upon
request by TSA, all owner/operators described in paragraph (a) of this
section, other than Class I freight railroad carriers, must provide the
location and shipping information to TSA no later than 30 minutes,
regardless of the number of cars covered by the request.
(e) Method. All owner/operators described in paragraph (a) of this
section must provide the requested location and shipping information to
TSA by one of the following methods:
(1) Electronic data transmission in spreadsheet format.
(2) Electronic data transmission in Hyper Text Markup Language
(HTML) format.
(3) Electronic data transmission in Extensible Markup Language
(XML).
(4) Facsimile transmission of a hard copy spreadsheet in tabular
format.
(5) Posting the information to a secure website address approved by
TSA.
(6) Another format approved by TSA.
(f) Telephone number. Each owner/operator described in Sec.
1580.201 of this part must provide a telephone number for use by TSA to
request the information required in paragraph (b) of this section.
(1) The telephone number must be monitored at all times.
(2) A telephone number that requires a call back (such as an
answering service, answering machine, or beeper device) does not meet
the requirements of this paragraph.
Sec. 1580.205 Chain of custody and control requirements.
(a) Within or outside of an HTUA, rail hazardous materials shipper
transferring to carrier. Except as provided in paragraph (g) of this
section, at each location within or outside of an HTUA, a rail
hazardous materials shipper transferring custody of
[[Page 16509]]
a rail car containing one or more of the categories and quantities of
rail security-sensitive materials to a freight railroad carrier must do
the following:
(1) Physically inspect the rail car before loading for signs of
tampering, including closures and seals; other signs that the security
of the car may have been compromised; and suspicious items or items
that do not belong, including the presence of an improvised explosive
device.
(2) Keep the rail car in a rail secure area from the time the
security inspection required by paragraph (a)(1) of this section or by
49 CFR 173.31(d), whichever occurs first, until the freight railroad
carrier takes physical custody of the rail car.
(3) Document the transfer of custody to the railroad carrier in
hard copy or electronically.
(b) Within or outside of an HTUA, carrier receiving from a rail
hazardous materials shipper. At each location within or outside of an
HTUA where a freight railroad carrier receives from a rail hazardous
materials shipper custody of a rail car containing one or more of the
categories and quantities of rail security-sensitive materials, the
freight railroad carrier must document the transfer in hard copy or
electronically and perform the required security inspection in
accordance with 49 CFR 174.9.
(c) Within an HTUA, carrier transferring to carrier. Within an
HTUA, whenever a freight railroad carrier transfers a rail car
containing one or more of the categories and quantities of rail
security-sensitive materials to another freight railroad carrier, each
freight railroad carrier must adopt and carry out procedures to ensure
that the rail car is not left unattended at any time during the
physical transfer of custody. These procedures must include the
receiving freight railroad carrier performing the required security
inspection in accordance with 49 CFR 174.9. Both the transferring and
the receiving railroad carrier must document the transfer of custody in
hard copy or electronically.
(d) Outside of an HTUA, carrier transferring to carrier. Outside an
HTUA, whenever a freight railroad carrier transfers a rail car
containing one or more of the categories and quantities of rail
security-sensitive materials to another freight railroad carrier, and
the rail car containing this hazardous material may subsequently enter
an HTUA, each freight railroad carrier must adopt and carry out
procedures to ensure that the rail car is not left unattended at any
time during the physical transfer of custody. These procedures must
include the receiving railroad carrier performing the required security
inspection in accordance with 49 CFR 174.9. Both the transferring and
the receiving railroad carrier must document the transfer of custody in
hard copy or electronically.
(e) Within an HTUA, carrier transferring to rail hazardous
materials receiver. A freight railroad carrier delivering a rail car
containing one or more of the categories and quantities of rail
security-sensitive materials to a rail hazardous materials receiver
located within an HTUA must not leave the rail car unattended in a non-
secure area until the rail hazardous materials receiver accepts custody
of the rail car. Both the railroad carrier and the rail hazardous
materials receiver must document the transfer of custody in hard copy
or electronically.
(f) Within an HTUA, rail hazardous materials receiver receiving
from carrier. Except as provided in paragraph (j) of this section, a
rail hazardous materials receiver located within an HTUA that receives
a rail car containing one or more of the categories and quantities of
rail security-sensitive materials from a freight railroad carrier
must--
(1) Ensure that the rail hazardous materials receiver or railroad
carrier maintains positive control of the rail car during the physical
transfer of custody of the rail car;
(2) Keep the rail car in a rail secure area until the car is
unloaded; and
(3) Document the transfer of custody from the railroad carrier in
hard copy or electronically.
(g) Within or outside of an HTUA, rail hazardous materials receiver
rejecting car. This section does not apply to a rail hazardous
materials receiver that does not routinely offer, prepare, or load for
transportation by rail one or more of the categories and quantities of
rail security-sensitive materials. If such a receiver rejects and
returns a rail car containing one or more of the categories and
quantities of rail security-sensitive materials to the originating
offeror or shipper, the requirements of this section do not apply to
the receiver. The requirements of this section do apply to any railroad
carrier to which the receiver transfers custody of the rail car.
(h) Document retention. Covered entities must maintain the
documents required under this section for at least 60 calendar days and
make them available to TSA upon request.
(i) Rail secure area. The rail hazardous materials shipper and the
rail hazardous materials receiver must use physical security measures
to ensure that no unauthorized individual gains access to the rail
secure area.
(j) Exemption for rail hazardous materials receivers. A rail
hazardous materials receiver located within an HTUA may request from
TSA an exemption from some or all of the requirements of this section
if the receiver demonstrates that the potential risk from its
activities is insufficient to warrant compliance with this section. TSA
will consider all relevant circumstances, including the following:
(1) The amounts and types of all hazardous materials received.
(2) The geography of the area surrounding the receiver's facility.
(3) Proximity to entities that may be attractive targets, including
other businesses, housing, schools, and hospitals.
(4) Any information regarding threats to the facility.
(5) Other circumstances that indicate the potential risk of the
receiver's facility does not warrant compliance with this section.
Sec. 1580.207 Harmonization of Federal regulation of nuclear
facilities.
TSA will coordinate activities under this subpart with the Nuclear
Regulatory Commission (NRC) and the Department of Energy (DOE) with
respect to regulation of rail hazardous materials shippers and
receivers that are also licensed or regulated by the NRC or DOE under
the Atomic Energy Act of 1954, as amended, to maintain consistency with
the requirements imposed by the NRC and DOE.
Appendix A to Part 1580--High Threat Urban Areas (HTUAs)
----------------------------------------------------------------------------------------------------------------
State Urban area Geographic areas
----------------------------------------------------------------------------------------------------------------
AZ................................... Phoenix Area........... Chandler, Gilbert, Glendale, Mesa, Peoria,
Phoenix, Scottsdale, Tempe, and a 10-mile
buffer extending from the border of the
combined area.
CA................................... Anaheim/Santa Ana Area. Anaheim, Costa Mesa, Garden Grove, Fullerton,
Huntington Beach, Irvine, Orange, Santa Ana,
and a 10-mile buffer extending from the border
of the combined area.
[[Page 16510]]
Bay Area............... Berkeley, Daly City, Fremont, Hayward, Oakland,
Palo Alto, Richmond, San Francisco, San Jose,
Santa Clara, Sunnyvale, Vallejo, and a 10-mile
buffer extending from the border of the
combined area.
Los Angeles/Long Beach Burbank, Glendale, Inglewood, Long Beach, Los
Area. Angeles, Pasadena, Santa Monica, Santa Clarita,
Torrance, Simi Valley, Thousand Oaks, and a 10-
mile buffer extending from the border of the
combined area.
Sacramento Area........ Elk Grove, Sacramento, and a 10-mile buffer
extending from the border of the combined area.
San Diego Area......... Chula Vista, Escondido, and San Diego, and a 10-
mile buffer extending from the border of the
combined area.
CO................................... Denver................. Arvada, Aurora, Denver, Lakewood, Westminster,
Area................... Thornton, and a 10-mile buffer extending from
the border of the combined area.
DC................................... National Capital Region National Capital Region and a 10-mile buffer
extending from the border of the combined area.
FL................................... Fort Lauderdale Area... Fort Lauderdale, Hollywood, Miami Gardens,
Miramar, Pembroke Pines, and a 10-mile buffer
extending from the border of the combined area.
Jacksonville Area...... Jacksonville and a 10-mile buffer extending from
the city border.
Miami Area............. Hialeah, Miami, and a 10-mile buffer extending
from the border of the combined area.
Orlando Area........... Orlando and a 10-mile buffer extending from the
city border.
Tampa Area............. Clearwater, St. Petersburg, Tampa, and a 10-mile
buffer extending from the border of the
combined area.
GA................................... Atlanta Area........... Atlanta and a 10-mile buffer extending from the
city border.
HI................................... Honolulu Area.......... Honolulu and a 10-mile buffer extending from the
city border.
IL................................... Chicago Area........... Chicago and a 10-mile buffer extending from the
city border.
IN................................... Indianapolis Area...... Indianapolis and a 10-mile buffer extending from
the city border.
KY................................... Louisville Area........ Louisville and a 10-mile buffer extending from
the city border.
LA................................... Baton Rouge Area....... Baton Rouge and a 10-mile buffer extending from
the city border.
New Orleans Area....... New Orleans and a 10-mile buffer extending from
the city border.
MA................................... Boston Area............ Boston, Cambridge, and a 10-mile buffer
extending from the border of the combined area.
MD................................... Baltimore Area......... Baltimore and a 10-mile buffer extending from
the city border.
MI................................... Detroit Area........... Detroit, Sterling Heights, Warren, and a 10-mile
buffer extending from the border of the
combined area.
MN................................... Twin Cities Area....... Minneapolis, St. Paul, and a 10-mile buffer
extending from the border of the combined
entity.
MO................................... Kansas City Area....... Independence, Kansas City (MO), Kansas City
(KS), Olathe, Overland Park, and a 10-mile
buffer extending from the border of the
combined area.
St. Louis Area......... St. Louis and a 10-mile buffer extending from
the city border.
NC................................... Charlotte Area......... Charlotte and a 10-mile buffer extending from
the city border.
NE................................... Omaha Area............. Omaha and a 10-mile buffer extending from the
city border.
NJ................................... Jersey City/Newark Area Elizabeth, Jersey City, Newark, and a 10-mile
buffer extending from the border of the
combined area.
NV................................... Las Vegas Area......... Las Vegas, North Las Vegas, and a 10-mile buffer
extending from the border of the combined
entity.
NY................................... Buffalo Area........... Buffalo and a 10-mile buffer extending from the
city border.
New York City Area..... New York City, Yonkers, and a 10-mile buffer
extending from the border of the combined area.
OH................................... Cincinnati Area........ Cincinnati and a 10-mile buffer extending from
the city border.
Cleveland Area......... Cleveland and a 10-mile buffer extending from
the city border.
Columbus Area.......... Columbus and a 10-mile buffer extending from the
city border.
Toledo Area............ Oregon, Toledo, and a 10-mile buffer extending
from the border of the combined area.
OK................................... Oklahoma City Area..... Norman, Oklahoma and a 10-mile buffer extending
from the border of the combined area.
OR................................... Portland Area.......... Portland, Vancouver, and a 10-mile buffer
extending from the border of the combined area.
PA................................... Philadelphia Area...... Philadelphia and a 10-mile buffer extending from
the city border.
Pittsburgh Area........ Pittsburgh and a 10-mile buffer extending from
the city border.
TN................................... Memphis Area........... Memphis and a 10-mile buffer extending from the
city border.
TX................................... Dallas/Fort Worth/ Arlington, Carrollton, Dallas, Fort Worth,
Arlington Area. Garland, Grand Prairie, Irving, Mesquite,
Plano, and a 10-mile buffer extending from the
border of the combined area.
Houston Area........... Houston, Pasadena, and a 10-mile buffer
extending from the border of the combined
entity.
San Antonio Area....... San Antonio and a 10-mile buffer extending from
the city border.
WA................................... Seattle Area........... Seattle, Bellevue, and a 10-mile buffer
extending from the border of the combined area.
WI................................... Milwaukee Area......... Milwaukee and a 10-mile buffer extending from
the city border.
----------------------------------------------------------------------------------------------------------------
Appendix B to Part 1580--Security-Sensitive Functions for Freight Rail
This table identifies security-sensitive job functions for owner/
operators regulated under this part. All employees performing security-
sensitive functions are ``security-sensitive employees'' for purposes
of this rule and must be trained.
------------------------------------------------------------------------
Examples of job
Security-sensitive titles
Categories job functions for applicable to
freight rail these functions
*
------------------------------------------------------------------------
A. Operating a vehicle........... 1. Employees who Engineer,
operate or directly conductor
control the
movements of
locomotives or
other self-powered
rail vehicles.
[[Page 16511]]
2. Train conductor,
trainman, brakeman,
or utility employee
or performs
acceptance
inspections,
couples and
uncouples rail
cars, applies
handbrakes, or
similar functions.
3. Employees covered
under the Federal
hours of service
laws as ``train
employees.'' See 49
U.S.C. 21101(5) and
21103..
B. Inspecting and maintaining Employees who Carman, car
vehicles. inspect or repair repairman, car
rail cars and inspector,
locomotives. engineer,
conductor.
C. Inspecting or maintaining 1. Employees who--.. Signalman,
building or transportation a. Maintain, signal
infrastructure. install, or inspect maintainer,
communications and track-man,
signal equipment.. gang foreman,
b. Maintain, bridge and
install, or inspect building
track and laborer,
structures, roadmaster,
including, but not bridge, and
limited to, building
bridges, trestles, inspector/
and tunnels.. operator.
2. Employees covered
under the Federal
hours of service
laws as ``signal
employees.'' See 49
U.S.C. 21101(3) and
21104.
D. Controlling dispatch or 1. Employees who--.. Yardmaster,
movement of a vehicle. a. Dispatch, direct, dispatcher,
or control the block
movement of trains.. operator,
b. Operate or bridge
supervise the operator.
operations of
moveable bridges..
c. Supervise the
activities of train
crews, car
movements, and
switching
operations in a
yard or terminal.
2. Employees covered
under the Federal
hours of service
laws as
``dispatching
service
employees.'' See 49
U.S.C. 21101(2) and
21105.
E. Providing security of the Employees who Police officer,
owner/operator's equipment and provide for the special agent;
property. security of the patrolman;
railroad carrier's watchman;
equipment and guard.
property, including
acting as a
railroad police
officer (as that
term is defined in
49 CFR 207.2).
F. Loading or unloading cargo or Includes, but is not Service track
baggage. limited to, employee.
employees that load
or unload hazardous
materials.
G. Interacting with travelling Employees of a Conductor,
public (on board a vehicle or freight railroad engineer,
within a transportation operating in agent.
facility). passenger service.
H. Complying with security 1. Employees who Security
programs or measures, including serve as security coordinator,
those required by Federal law. coordinators train master,
designated in Sec. assistant
1570.201 of this train master,
subchapter, as well roadmaster,
as any designated division
alternates or roadmaster.
secondary security
coordinators.
2. Employees who--..
a. Conduct training
and testing of
employees when the
training or testing
is required by
TSA's security
regulations.
b. Perform
inspections or
operations required
by Sec. 1580.205
of this subchapter..
c. Manage or direct
implementation of
security plan
requirements..
------------------------------------------------------------------------
* These job titles are provided solely as a resource to help understand
the functions described; whether an employee must be trained is based
upon the function, not the job title.
0
12. Add part 1582 to read as follows:
PART 1582--PUBLIC TRANSPORTATION AND PASSENGER RAILROAD SECURITY
Subpart A--General
Sec.
1582.1 Scope.
1582.3 Terms used in this part.
1582.5 Preemptive effect.
Subpart B--Security Programs
1582.101 Applicability.
1582.103 [Reserved]
1582.105 [Reserved]
1582.107 [Reserved]
1582.109 [Reserved]
1582.111 [Reserved]
1582.113 Security training program general requirements.
1582.115 Security training and knowledge for security-sensitive
employees.
Appendix A to Part 1582--Determinations for Public Transportation
and Passenger Railroads
[[Page 16512]]
Appendix B to Part 1582--Security-Sensitive Job Functions For Public
Transportation and Passenger Railroads
Authority: 49 U.S.C. 114; Pub. L. 110-53 (121 Stat. 266, Aug. 3,
2007) secs. 1402 (6 U.S.C. 1131), 1405 (6 U.S.C. 1134), and 1408 (6
U.S.C. 1137).
Subpart A--General
Sec. 1582.1 Scope.
(a) Except as provided in paragraph (b) of this section, this part
includes requirements for the following persons. Specific sections in
this part provide detailed requirements.
(1) Each passenger railroad carrier.
(2) Each public transportation agency.
(3) Each operator of a rail transit system that is not operating on
track that is part of the general railroad system of transportation,
including heavy rail transit, light rail transit, automated guideway,
cable car, inclined plane, funicular, and monorail systems.
(4) Each tourist, scenic, historic, and excursion rail owner/
operator, whether operating on or off the general railroad system of
transportation.
(b) This part does not apply to a ferry system required to conduct
training pursuant to 46 U.S.C. 70103.
Sec. 1582.3 Terms used in this part.
In addition to the terms in Sec. Sec. 1500.3, 1500.5, and 1503.202
of subchapter A and Sec. 1570.3 of subchapter D of this chapter, the
following term applies to this part.
Security-sensitive employee means an employee whose
responsibilities for the owner/operator include one or more of the
security-sensitive job functions identified in appendix B to this part
if the security-sensitive function is performed in the United States or
in direct support of the common carriage of persons or property between
a place in the United States and any place outside of the United
States.
Sec. 1582.5 Preemptive effect.
Under 49 U.S.C. 20106, issuance of the passenger railroad and
public transportation regulations in this subchapter preempts any State
law, regulation, or order covering the same subject matter, except an
additional or more stringent law, regulation, or order that is
necessary to eliminate or reduce an essentially local security hazard;
that is not incompatible with a law, regulation, or order of the U.S.
Government; and that does not unreasonably burden interstate commerce.
Subpart B--Security Programs
Sec. 1582.101 Applicability.
The requirements of this subpart apply to the following:
(a) Amtrak (also known as the National Railroad Passenger
Corporation).
(b) Each owner/operator identified in Appendix A to this part.
(c) Each owner/operator described in Sec. 1582.1(a)(1) through (3)
of this part that serves as a host railroad to a freight operation
described in Sec. 1580.301 of this subchapter or to a passenger train
operation described in paragraph (a)(1) or (a)(2) of this section.
Sec. 1582.103 [Reserved]
Sec. 1582.105 [Reserved]
Sec. 1582.107 [Reserved]
Sec. 1582.109 [Reserved]
Sec. 1582.111 [Reserved]
Sec. 1582.113 Security training program general requirements.
(a) Security training program required. Each owner/operator
identified in Sec. 1582.101 of this part is required to adopt and
carry out a security training program under this subpart.
(b) General requirements. The security training program must
include the following information:
(1) Name of owner/operator.
(2) Name, title, telephone number, and email address of the primary
individual to be contacted with regard to review of the security
training program.
(3) Number, by specific job function category identified in
Appendix B to this part, of security-sensitive employees trained or to
be trained.
(4) Implementation schedule that identifies a specific date by
which initial and recurrent security training required by Sec.
1570.111 of this subchapter will be completed.
(5) Location where training program records will be maintained.
(6) Curriculum or lesson plan, including learning objectives and
method of delivery (such as instructor-led or computer-based training)
for each course used to meet the requirements of Sec. 1582.115 of this
part. TSA may request additional information regarding the curriculum
during the review and approval process. If recurrent training under
Sec. 1570.111 of this subchapter is not the same as initial training,
a curriculum or lesson plan for the recurrent training will need to be
submitted and approved by TSA.
(7) Plan for ensuring supervision of untrained security-sensitive
employees performing functions identified in Appendix B to this part.
(8) Plan for notifying employees of changes to security measures
that could change information provided in previously provided training.
(9) Method(s) for evaluating the effectiveness of the security
training program in each area required by Sec. 1582.115 of this part.
(c) Relation to other training. (1) Training conducted by owner/
operators to comply other requirements or standards, such as emergency
preparedness training required by the Department of Transportation
(DOT) (49 CFR part 239) or other training for communicating with
emergency responders to arrange the evacuation of passengers, may be
combined with and used to satisfy elements of the training requirements
in this subpart.
(2) If the owner/operator submits a security training program that
relies on pre-existing or previous training materials to meet the
requirements of subpart B, the program submitted for approval must
include an index, organized in the same sequence as the requirements in
this subpart.
(d) Submission and implementation. The owner/operator must submit
and implement the security training program in accordance with the
schedules identified in Sec. Sec. 1570.109 and 1570.111 of this
subchapter.
Sec. 1582.115 Security training and knowledge for security-sensitive
employees.
(a) Training required for security-sensitive employees. No owner/
operator required to have a security training program under Sec.
1582.101 of this part may use a security-sensitive employee to perform
a function identified in appendix B to this part unless that individual
has received training as part of a security training program approved
by TSA under 49 CFR part 1570, subpart B, or is under the direct
supervision of an employee who has received the training required by
this section as applicable to that security-sensitive function.
(b) Limits on use of untrained employees. Notwithstanding paragraph
(a) of this section, a security-sensitive employee may not perform a
security-sensitive function for more than sixty (60) calendar days
without receiving security training.
(c) Prepare. Each owner/operator must ensure that each of its
security-sensitive employees with position- or function-specific
responsibilities under the owner/operator's security program have
knowledge of how to fulfill those
[[Page 16513]]
responsibilities in the event of a security threat, breach, or incident
to ensure--
(1) Employees with responsibility for transportation security
equipment and systems are aware of their responsibilities and can
verify the equipment and systems are operating and properly maintained;
and
(2) Employees with other duties and responsibilities under the
company's security plans and/or programs, including those required by
Federal law, know their assignments and the steps or resources needed
to fulfill them.
(d) Observe. Each owner/operator must ensure that each of its
security-sensitive employees has knowledge of the observational skills
necessary to recognize--
(1) Suspicious and/or dangerous items (such as substances,
packages, or conditions (for example, characteristics of an IED and
signs of equipment tampering or sabotage);
(2) Combinations of actions and individual behaviors that appear
suspicious and/or dangerous, inappropriate, inconsistent, or out of the
ordinary for the employee's work environment, which could indicate a
threat to transportation security; and
(3) How a terrorist or someone with malicious intent may attempt to
gain sensitive information or take advantage of vulnerabilities.
(e) Assess. Each owner/operator must ensure that each of its
security-sensitive employees has knowledge necessary to--
(1) Determine whether the item, individual, behavior, or situation
requires a response as a potential terrorist threat based on the
respective transportation environment; and
(2) Identify appropriate responses based on observations and
context.
(f) Respond. Each owner/operator must ensure that each of its
security-sensitive employees has knowledge of how to--
(1) Appropriately report a security threat, including knowing how
and when to report internally to other employees, supervisors, or
management, and externally to local, state, or Federal agencies
according to the owner/operator's security procedures or other relevant
plans;
(2) Interact with the public and first responders at the scene of
the threat or incident, including communication with passengers on
evacuation and any specific procedures for individuals with
disabilities and the elderly; and
(3) Use any applicable self-defense devices or other protective
equipment provided to employees by the owner/operator.
Appendix A to Part 1582--Determinations for Public Transportation and
Passenger Railroads
------------------------------------------------------------------------
State Urban area Systems
------------------------------------------------------------------------
CA Bay Area......... Alameda-Contra Costa Transit
District (AC Transit).
Altamont -Corridor Express
(ACE).
City and County of San
Francisco (San Francisco Bay
Area Rapid Transit District)
(BART).
Central Contra Costa Transit
Authority.
>Golden Gate Bridge, Highway
and Transportation District
(GGBHTD).
Peninsula Corridor Joint Powers
Board (PCJPB) (Caltrain).
San Francisco Municipal Railway
(MUNI) (San Francisco
Municipal Transportation
Agency).
San Mateo County Transit
District (San Mateo County
Transit Authority) (SamTrans).
Santa Clara Valley
Transportation Authority
(VTA).
Transbay Joint Powers
Authority.
Greater Los City of Los Angeles Department
Angeles Area of Transportation (LADOT)
(Los Angeles/ Foothill Transit.
Long Beach and Long Beach Transit (LBT).
Anaheim/Santa Los Angeles County Metropolitan
Ana urban Transportation Authority
Areas).. (LACMTA).
City of Montebello (Montebello
Bus Lines) (MBL).
Omnitrans (OMNI).
Orange County Transportation
Authority (OCTA).
City of Santa Monica (Santa
Monica's Big Blue Bus) (Big
Blue Bus).
Southern California Regional
Rail Authority (Metrolink).
DC/MD/VA Greater National Arlington County, Virginia
Capital Region (Arlington Transit).
(National City of Alexandria (Alexandria
Capital Region Transit Company) (Dash).
and Baltimore Fairfax County Department of
urban Areas).. Transportation--Fairfax
Connector Bus System.
Maryland Transit Administration
(MTA).
Montgomery County Department of
Transportation (Ride-On
Montgomery County Transit).
Potomac and Rappahannock
Transportation Commission.
Prince George's County
Department of Public Works and
Transportation (The Bus).
Virginia Railway Express (VRE).
Washington Metropolitan Area
Transit Authority (WMATA).
GA Atlanta Area..... Georgia Regional Transportation
Authority (GRTA, within State
Road and Tollway Authority
(SRTA)).
Metropolitan Atlanta
Rapid Transit
Authority (MARTA)..
IL/IN Chicago Area..... Chicago Transit Authority
(CTA).
Northeast Illinois Regional
Commuter Railroad Corporation
(Metra/NIRCRC).
Northern Indiana Commuter
Transportation District
(NICTD).
PACE Suburban Bus Company.
MA Boston Area...... Massachusetts Bay
Transportation Authority
(MBTA).
[[Page 16514]]
NY/NJ/CT New York City/ Connecticut Department of
Northern New Transportation (CDOT).
Jersey Area (New Connecticut Transit (Hartford
York City and Division and New Haven
Jersey City/ Divisions of CTTransit).
Newark urban Metropolitan Transportation
Areas). Authority (All Agencies).
New Jersey Transit Corp. (NJT).
New York City Department of
Transportation.
Port Authority Trans-Hudson
Corporation (Port Authority of
New York and New Jersey)
(PANYNJ) (excluding ferry).
Westchester County Department
of Transportation Bee-Line
System (The Bee-Line System).
PA/NJ Philadelphia Area Delaware River Port Authority
(DRPA)--Port Authority Transit
Corporation (PATCO).
Delaware Transit Corporation
(DTC).
New Jersey Transit Corp. (NJT)
(covered under NY).
Pennsylvania Department of
Transportation.
Southeastern Pennsylvania
Transportation Authority
(SEPTA).
------------------------------------------------------------------------
Appendix B to Part 1582--Security-Sensitive Job Functions For Public
Transportation and Passenger Railroads
This table identifies security-sensitive job functions for owner/
operators regulated under this part. All employees performing security-
sensitive functions are ``security-sensitive employees'' for purposes
of this rule and must be trained.
------------------------------------------------------------------------
Security-sensitive job
functions for public
Categories transportation and passenger
railroads (PTPR)
------------------------------------------------------------------------
A. Operating a vehicle 1. Employees who--
a. Operate or control the
movements of trains, other
rail vehicles, or transit
buses.
b. Act as train conductor,
trainman, brakeman, or utility
employee or performs
acceptance inspections,
couples and uncouples rail
cars, applies handbrakes, or
similar functions.
2. Employees covered under the
Federal hours of service laws
as ``train employees.'' See 49
U.S.C. 21101(5) and 21103.
B. Inspecting and maintaining vehicles Employees who--
1. Perform activities related
to the diagnosis, inspection,
maintenance, adjustment,
repair, or overhaul of
electrical or mechanical
equipment relating to
vehicles, including functions
performed by mechanics and
automotive technicians.
2. Provide cleaning services to
vehicles owned, operated, or
controlled by an owner/
operator regulated under this
subchapter.
C. Inspecting or maintaining building Employees who--
or transportation infrastructure. 1. Maintain, install, or
inspect communication systems
and signal equipment related
to the delivery of
transportation services.
2. Maintain, install, or
inspect track and structures,
including, but not limited to,
bridges, trestles, and
tunnels.
3. Provide cleaning services to
stations and terminals owned,
operated, or controlled by an
owner/operator regulated under
this subchapter that are
accessible to the general
public or passengers.
4. Provide maintenance services
to stations, terminals, yards,
tunnels, bridges, and
operation control centers
owned, operated, or controlled
by an owner/operator regulated
under this subchapter.
5. Employees covered under the
Federal hours of service laws
as ``signal employees.'' See
49 U.S.C. 21101(4) and 21104.
D. Controlling dispatch or movement of Employees who--
a vehicle. 1. Dispatch, report, transport,
receive or deliver orders
pertaining to specific
vehicles, coordination of
transportation schedules,
tracking of vehicles and
equipment.
2. Manage day-to-day management
delivery of transportation
services and the prevention
of, response to, and redress
of service disruptions.
3. Supervise the activities of
train crews, car movements,
and switching operations in a
yard or terminal.
4. Dispatch, direct, or control
the movement of trains or
buses.
5. Operate or supervise the
operations of moveable
bridges.
6. Employees covered under the
Federal hours of service laws
as ``dispatching service
employees.'' See 49 U.S.C.
21101(2) and 21105.
E. Providing security of the owner/ Employees who--
operator's equipment and property. 1. Provide for the security of
PTPR equipment and property,
including acting as a police
officer.
[[Page 16515]]
2. Patrol and inspect property
of an owner/operator regulated
under this subchapter to
protect the property,
personnel, passengers and/or
cargo.
F. Loading or unloading cargo or Employees who load, or oversee
baggage loading of, property tendered
by or on behalf of a passenger
on or off of a portion of a
train that will be
inaccessible to the passenger
while the train is in
operation.
G. Interacting with travelling public Employees who provide services
(on board a vehicle or within a to passengers on-board a train
transportation facility). or bus, including collecting
tickets or cash for fares,
providing information, and
other similar services.
Including:
1. On-board food or beverage
employees.
2. Functions on behalf of an
owner/operator regulated under
this subchapter that require
regular interaction with
travelling public within a
transportation facility, such
as ticket agents.
H. Complying with security programs or 1. Employees who serve as
measures, including those required by security coordinators
Federal law. designated in Sec. 1570.201
of this subchapter, as well as
any designated alternates or
secondary security
coordinators.
2. Employees who--
a. Conduct training and testing
of employees when the training
or testing is required by
TSA's security regulations.
b. Manage or direct
implementation of security
plan requirements.
------------------------------------------------------------------------
0
13. Add part 1584 to read as follows:
PART 1584--HIGHWAY AND MOTOR CARRIER SECURITY
Subpart A--General
Sec.
1584.1 Scope.
1584.3 Terms used in this part.
Subpart B--Security Programs
1584.101 Applicability.
1584.103 [Reserved]
1584.105 [Reserved]
1584.107 [Reserved]
1584.109 [Reserved]
1584.111 [Reserved]
1584.113 Security training program general requirements.
1584.115 Security training and knowledge for security-sensitive
employees.
Appendix A to Part 1584--Urban Area Determinations for Over-the-Road
Buses
Appendix B to Part 1584--Security-Sensitive Job Functions For Over-the-
Road Buses
Authority: 49 U.S.C. 114; Pub. L. 110-53 (121 Stat. 266, Aug.
3, 2007) secs. 1501 (6 U.S.C. 1151), 1531 (6 U.S.C. 1181), and 1534
(6 U.S.C. 1184).
Subpart A--General
Sec. 1584.1 Scope.
This part includes requirements for persons providing
transportation by an over-the-road bus (OTRB). Specific sections in
this part provide detailed requirements.
Sec. 1584.3 Terms used in this part.
In addition to the terms in Sec. Sec. 1500.3, 1500.5, and 1503.202
of subchapter A and Sec. 1570.3 of subchapter D of this chapter, the
following term applies to this part.
Security-sensitive employee means an employee whose
responsibilities for the owner/operator include one or more of the
security-sensitive job functions identified in Appendix B to this part
where the security-sensitive function is performed in the United States
or in direct support of the common carriage of persons or property
between a place in the United States and any place outside of the
United States.
Subpart B--Security Programs
Sec. 1584.101 Applicability.
The requirements of this subpart apply to each OTRB owner/operator
providing fixed-route service that originates, travels through, or ends
in a geographic location identified in appendix A to this part.
Sec. 1584.103 [Reserved]
Sec. 1584.105 [Reserved]
Sec. 1584.107 [Reserved]
Sec. 1584.109 [Reserved]
Sec. 1584.111 [Reserved]
Sec. 1584.113 Security training program general requirements.
(a) Security training program required. Each owner/operator
identified in Sec. 1584.101 of this part is required to adopt and
carry out a security training program under this subpart.
(b) General requirements. The security training program must
include the following information:
(1) Name of owner/operator.
(2) Name, title, telephone number, and email address of the primary
individual to be contacted with regard to review of the security
training program.
(3) Number, by specific job function category identified in
Appendix B to this part, of security-sensitive employees trained or to
be trained.
(4) Implementation schedule that identifies a specific date by
which initial and recurrent security training required by Sec.
1570.111 of this subchapter will be completed.
(5) Location where training program records will be maintained.
(6) Curriculum or lesson plan, including learning objectives and
method of delivery (such as instructor-led or computer-based training)
for each course used to meet the requirements of Sec. 1584.115 of this
part. TSA may request additional information regarding the curriculum
during the review and approval process. If recurrent training under
Sec. 1570.111 of this subchapter is not the same as initial training,
a curriculum or lesson plan for the recurrent training will need to be
submitted and approved by TSA.
(7) Plan for ensuring supervision of untrained security-sensitive
employees performing functions identified in Appendix B to this part.
(8) Plan for notifying employees of changes to security measures
that could change information provided in previously provided training.
(9) Method(s) for evaluating the effectiveness of the security
training program in each area required by Sec. 1584.115 of this part.
(c) Relation to other training. (1) Training conducted by owner/
operators to comply other requirements or standards may be combined
with and used to satisfy elements of the training requirements in this
subpart.
[[Page 16516]]
(2) If the owner/operator submits a security training program that
relies on pre-existing or previous training materials to meet the
requirements of subpart B, the program submitted for approval must
include an index, organized in the same sequence as the requirements in
this subpart.
(d) Submission and Implementation. The owner/operator must submit
and implement the security training program in accordance with the
schedules identified in Sec. Sec. 1570.109 and 1570.111 of this
subchapter.
Sec. 1584.115 Security training and knowledge for security-sensitive
employees.
(a) Training required for security-sensitive employees. No owner/
operator required to have a security training program under Sec.
1584.101 of this part may use a security-sensitive employee to perform
a function identified in Appendix B to this part unless that individual
has received training as part of a security training program approved
by TSA under 49 CFR part 1570, subpart B, or is under the direct
supervision of an employee who has received the training required by
this section as applicable to that security-sensitive function.
(b) Limits on use of untrained employees. Notwithstanding paragraph
(a) of this section, a security-sensitive employee may not perform a
security-sensitive function for more than sixty (60) calendar days
without receiving security training.
(c) Prepare. Each owner/operator must ensure that each of its
security-sensitive employees with position- or function-specific
responsibilities under the owner/operator's security program have
knowledge of how to fulfill those responsibilities in the event of a
security threat, breach, or incident to ensure--
(1) Employees with responsibility for transportation security
equipment and systems are aware of their responsibilities and can
verify the equipment and systems are operating and properly maintained;
and
(2) Employees with other duties and responsibilities under the
company's security plans and/or programs, including those required by
Federal law, know their assignments and the steps or resources needed
to fulfill them.
(d) Observe. Each owner/operator must ensure that each of its
security-sensitive employees has knowledge of the observational skills
necessary to recognize--
(1) Suspicious and/or dangerous items (such as substances,
packages, or conditions (for example, characteristics of an IED and
signs of equipment tampering or sabotage);
(2) Combinations of actions and individual behaviors that appear
suspicious and/or dangerous, inappropriate, inconsistent, or out of the
ordinary for the employee's work environment, which could indicate a
threat to transportation security; and
(3) How a terrorist or someone with malicious intent may attempt to
gain sensitive information or take advantage of vulnerabilities.
(e) Assess. Each owner/operator must ensure that each of its
security-sensitive employees has knowledge necessary to--
(1) Determine whether the item, individual, behavior, or situation
requires a response as a potential terrorist threat based on the
respective transportation environment; and
(2) Identify appropriate responses based on observations and
context.
(f) Respond. Each owner/operator must ensure that each of its
security-sensitive employees has knowledge of how to--
(1) Appropriately report a security threat, including knowing how
and when to report internally to other employees, supervisors, or
management, and externally to local, state, or Federal agencies
according to the owner/operator's security procedures or other relevant
plans;
(2) Interact with the public and first responders at the scene of
the threat or incident, including communication with passengers on
evacuation and any specific procedures for individuals with
disabilities and the elderly; and
(3) Use any applicable self-defense devices or other protective
equipment provided to employees by the owner/operator.
Appendix A to Part 1584--Urban Area Determinations for Over-the-Road
Buses
------------------------------------------------------------------------
State Urban area Geographic areas
------------------------------------------------------------------------
CA Anaheim/Los Los Angeles and Orange
Angeles/Long Counties.
Beach/Santa Ana
Areas.
San Diego Area... San Diego County.
San Francisco Bay Alameda, Contra Costa, Marin,
Area. San Francisco, and San Mateo
Counties.
DC (VA, MD, and WV). National Capital District of Columbia; Counties
Region. of Calvert, Charles,
Frederick, Montgomery, and
Prince George's, MD; Counties
of Arlington, Clarke, Fairfax,
Fauquier, Loudoun, Prince
William, Spotsylvania,
Stafford, and Warren County,
VA; Cities of Alexandria,
Fairfax, Falls Church,
Fredericksburg, Manassas, and
Manassas Park City, VA;
Jefferson County, WV.
IL/IN Chicago Area..... Counties of Cook, DeKalb,
DuPage, Grundy, Kane, Kendall,
Lake, McHenry, and Will, IL;
Counties of Jasper, Lake,
Newton, and Porter, IN;
Kenosha County, WI.
MA Boston Area...... Counties of Essex, Norfolk,
Plymouth, Suffolk, Middlesex,
MA; Counties of Rockingham and
Strafford, NH.
NY (NJ and PA)...... New York City/ Counties of Bronx, Kings,
Jersey City/ Nassau, New York, Putnam,
Newark Area. Queens, Richmond, Rockland,
Suffolk, and Westchester, NY;
Counties of Bergen, Essex,
Hudson, Hunterdon, Ocean,
Middlesex, Monmouth, Morris,
Passaic, Somerset, Sussex, and
Union, NJ; Pike County, PA.
PA (DE and NJ)...... Philadelphia Area/ Counties of Burlington, Camden,
Southern New and Gloucester, NJ; Counties
Jersey Area. of Bucks, Chester, Delaware,
Montgomery, and Philadelphia,
PA; New Castle County, DE;
Cecil County, MD; Salem
County, NJ.
TX Dallas Fort Worth/ Collin, Dallas, Delta, Denton,
Arlington Area. Ellis, Hunt, Kaufman,
Rockwall, Johnson, Parker,
Tarrant, and Wise Counties,
TX.
Houston Area..... Austin, Brazoria, Chambers,
Fort Bend, Galveston, Harris,
Liberty, Montgomery, San
Jacinto, and Waller Counties,
TX.
------------------------------------------------------------------------
[[Page 16517]]
Appendix B to Part 1584--Security-Sensitive Job Functions for Over-the-
Road Buses
This table identifies security-sensitive job functions for owner/
operators regulated under this part. All employees performing security-
sensitive functions are ``security-sensitive employees'' for purposes
of this rule and must be trained.
------------------------------------------------------------------------
Security-sensitive job functions for over-
Categories the-road buses
------------------------------------------------------------------------
A. Operating a vehicle Employees who have a CDL and operate an
OTRB.
B. Inspecting and maintaining Employees who--
vehicles.
1. Perform activities related to the
diagnosis, inspection, maintenance,
adjustment, repair, or overhaul of
electrical or mechanical equipment
relating to vehicles, including
functions performed by mechanics and
automotive technicians.
2. Does not include cleaning or
janitorial activities.
C. Inspecting or maintaining Employees who--
building or transportation 1. Provide cleaning services to areas of
infrastructure. facilities owned, operated, or
controlled by an owner/operator
regulated under this subchapter that are
accessible to the general public or
passengers.
2. Provide cleaning services to vehicles
owned, operated, or controlled by an
owner/operator regulated under this part
(does not include vehicle maintenance).
3. Provide general building maintenance
services to buildings owned, operated,
or controlled by an owner/operator
regulated under this part.
D. Controlling dispatch or Employees who--
movement of a vehicle. 1. Dispatch, report, transport, receive
or deliver orders pertaining to specific
vehicles, coordination of transportation
schedules, tracking of vehicles and
equipment.
2. Manage day-to-day delivery of
transportation services and the
prevention of, response to, and redress
of disruptions to these services.
3. Perform tasks requiring access to or
knowledge of specific route information.
E. Providing security of the Employees who patrol and inspect property
owner/operator's equipment of an owner/operator regulated under
and property. this part to protect the property,
personnel, passengers and/or cargo.
F. Loading or unloading cargo Employees who load, or oversee loading
or baggage. of, property tendered by or on behalf of
a passenger on or off of a portion of a
bus that will be inaccessible to the
passenger while the vehicle is in
operation.
G. Interacting with Employees who--
travelling public (on board 1. Provide services to passengers on-
a vehicle or within a board a bus, including collecting
transportation facility). tickets or cash for fares, providing
information, and other similar services.
2. Includes food or beverage employees,
tour guides, and functions on behalf of
an owner/operator regulated under this
part that require regular interaction
with travelling public within a
transportation facility, such as ticket
agents.
H. Complying with security 1. Employees who serve as security
programs or measures, coordinators designated in Sec.
including those required by 1570.201 of this subchapter, as well as
Federal law. any designated alternates or secondary
security coordinators.
2. Employees who--
a. Conduct training and testing of
employees when the training or testing
is required by TSA's security
regulations.
b. Manage or direct implementation of
security plan requirements.
------------------------------------------------------------------------
Dated: February 28, 2020.
David P. Pekoske,
Administrator.
[FR Doc. 2020-05126 Filed 3-20-20; 8:45 am]
BILLING CODE 9110-05-P