Passenger Rail Security: Federal Strategy and Enhanced		 
Coordination Needed to Prioritize and Guide Security Efforts	 
(13-FEB-07, GAO-07-459T).					 
                                                                 
The 2005 London subway bombings and 2006 rail attacks in Mumbai, 
India highlighted the vulnerability of passenger rail and other  
surface transportation systems to terrorist attack and		 
demonstrated the need for greater focus on securing these	 
systems. This testimony is based primarily on GAO's September	 
2005 passenger rail security report and selected program updates 
obtained in January 2007. Specifically, it addressees (1) the	 
extent to which the Department of Homeland Security (DHS) has	 
assessed the risks facing the U.S. passenger rail system and	 
developed a strategy based on risk assessments for securing all  
modes of transportation, including passenger rail; (2) the	 
actions that the Transportation Security Administration (TSA) and
other federal agencies have taken to enhance the security of the 
U.S. passenger rail system, improve federal coordination, and	 
develop industry partnerships; and (3) the security practices	 
that domestic and selected foreign passenger rail operators have 
implemented to enhance security.				 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-07-459T					        
    ACCNO:   A65884						        
  TITLE:     Passenger Rail Security: Federal Strategy and Enhanced   
Coordination Needed to Prioritize and Guide Security Efforts	 
     DATE:   02/13/2007 
  SUBJECT:   Comparative analysis				 
	     Counterterrorism					 
	     Emergency preparedness				 
	     Foreign governments				 
	     Homeland security					 
	     Interagency relations				 
	     Mass transit					 
	     Passengers 					 
	     Policy evaluation					 
	     Rail security					 
	     Railroad industry					 
	     Railroad safety					 
	     Risk assessment					 
	     Strategic planning 				 
	     Terrorism						 
	     Transportation security				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-07-459T

   

     * [1]In Summary
     * [2]Background

          * [3]Overview of the Passenger Rail System
          * [4]Passenger Rail Systems Are Inherently Vulnerable to Terroris
          * [5]Multiple Stakeholders Share Responsibility for Securing Pass
          * [6]Assessing and Managing Risks to Rail Infrastructure Using a

     * [7]DHS Has Taken Steps to Assess Risk to Passenger Rail Systems
     * [8]Federal Agencies Have Taken Actions to Enhance Passenger Rai

          * [9]DOT Agencies Led Initial Efforts to Enhance Passenger Rail S
          * [10]TSA Issued Rail Security Directives, but Faces Challenges Re

     * [11]U.S. and Foreign Rail Operators Have Taken Similar Actions t

          * [12]U.S. and Foreign Rail Operators Employ Similar Security Prac
          * [13]Amtrak Faces Challenges Specific to Intercity Passenger Rail
          * [14]Three Foreign Rail Security Practices Were Not Used in the U

     * [15]Conclusions
     * [16]Contact Information
     * [17]GAO's Mission
     * [18]Obtaining Copies of GAO Reports and Testimony

          * [19]Order by Mail or Phone

     * [20]To Report Fraud, Waste, and Abuse in Federal Programs
     * [21]Congressional Relations
     * [22]Public Affairs

Testimony before the Subcommittee on Homeland Security, Committee on
Appropriations, House of Representatives

United States Government Accountability Office

GAO

For Release on Delivery Expected at 2:00 p.m. EST

Tuesday, February 13, 2007

PASSENGER RAIL SECURITY

Federal Strategy and Enhanced Coordination Needed to Prioritize and Guide
Security Efforts

Statement of Cathleen A. Berrick, Director
Homeland Security and Justice Issues

GAO-07-459T

Mr. Chairman and Members of the Subcommittee:

Thank you for inviting me to participate in today's hearing on federal
surface transportation security efforts. Since its creation following the
events of September 11, 2001, TSA has focused much of its efforts and
resources on meeting legislative mandates to strengthen commercial
aviation security. However, TSA has recently placed additional focus on
securing surface modes of transportation, particularly in the area of
passenger rail. Surface modes of transportation, which include passenger
and freight rail, mass transit, highways, including commercial vehicles,
and pipelines, are inherently open and difficult to secure. One of the
critical challenges facing federal agencies and the rail system operators
they oversee or support is finding ways to protect these systems from
potential terrorist attacks without compromising the accessibility and
efficiency of rail travel. The Madrid commuter rail attacks in March 2004,
London rail bombings in July 2005, and Mumbai, India train bombings just
last year, highlight the vulnerabilities of passenger rail and other
surface transportation systems and make clear that even when security
precautions are put into place, these systems remain vulnerable to attack.
Securing rail and surface transportation systems is a daunting task,
requiring that the federal government develop a clearly communicated
strategy, including goals and objectives, for strengthening the security
of these systems. As part of that strategy, it is also critical to assess
the risks facing these systems so that limited resources and security
efforts can be prioritized to the areas of greatest need. Furthermore,
because the responsibility for securing rail and other transportation
modes is shared between federal, state, and local governments and the
private sector, it is critical that the federal government develop
partnerships and coordinate its security efforts with transportation
industry stakeholders.

As we have reported previously, the sheer number of stakeholders involved
in securing surface transportation modes, including passenger rail, can
sometimes lead to communication challenges, duplication of effort, and
confusion about roles and responsibilities. Regarding passenger rail
security, key Department of Homeland Security (DHS) stakeholders with
critical roles include the Transportation Security Administration (TSA),
which is responsible for the security of all modes of transportation,
including developing a national strategy and plan for securing the
transportation sector as well as supporting plans for each transportation
mode. In addition, the DHS Office for Grants and Training (OGT) provides
grant funds to rail operators and conducts risk assessments for passenger
rail agencies. Within the Department of Transportation (DOT), the Federal
Transit Administration (FTA) and Federal Railroad Administration (FRA)
have responsibilities for passenger and freight rail safety and security.
In addition, public and private passenger rail operators are also
responsible for securing their rail systems.

At the federal level, another challenge related to securing passenger rail
systems involves allocating resources based on risk. Within and among all
modes of transportation, there is competition for resources, as federal,
state, and local agencies and transportation operators seek to identify
and invest in appropriate security measures to safeguard these systems
while also investing in other capital and operational improvements.
Moreover, given competing priorities and limited homeland security
resources, difficult policy decisions have to be made by Congress and the
executive branch to prioritize security efforts and direct resources to
the areas of greatest risk within and among transportation modes and
across other nationally critical sectors.

In this regard, to help federal decision makers determine how to best
allocate limited resources, we have advocated, the National Commission on
Terrorist Attacks Upon the United States (the 9/11 Commission) has
recommended, and the Intelligence Reform and Terrorism Prevention Act of
2004 provides that a risk management approach be employed to guide
decision making related to homeland security resources. A risk management
approach entails a continuous process of managing risks through a series
of actions, including setting strategic goals and objectives, assessing
and quantifying three key elements of risk--threat, vulnerability, and
criticality or consequence--evaluating alternative security measures,
selecting which measures to undertake, and implementing and monitoring
those measures.

My testimony today focuses on the progress federal agencies and domestic
passenger rail operators have made in developing and implementing security
strategies and setting security priorities in the wake of September 11,
2001, terrorist attacks, and the security practices implemented by foreign
passenger rail operators. In particular, my testimony highlights three key
areas: (1) the extent to which DHS has assessed the risks facing the U.S.
passenger rail system and developed a strategy based on risk assessments
for securing all modes of transportation, including passenger rail; (2)
the actions that TSA and other federal agencies have taken to enhance the
security of the U.S. passenger rail system, improve federal coordination,
and develop industry partnerships; and (3) the security practices that
domestic and selected foreign passenger rail operators have implemented to
enhance security. My comments today are based on our September 2005 report
addressing the security of the U.S. passenger rail system.1 This report
was based on work conducted at DHS, DOT, and Amtrak, as well as 32
passenger rail operators in the U.S., and 13 passenger rail operators in 7
European and Asian countries. In addition, in January 2007, we obtained
selected updates from DHS regarding its efforts to secure passenger rail
systems. We conducted our work in accordance with generally accepted
government auditing standards.

We have been requested by the Chairman, House Committee on Homeland
Security, to conduct a follow-on review of passenger rail security, which
we expect to initiate in the near future. In addition, we have been
requested to assess the security of other surface modes of
transportation--including freight rail, commercial vehicles, and highway
infrastructure--which we have underway or will initiate later this year.

In Summary

DHS has made progress in assessing the risks facing the U.S. passenger
rail system, but has not issued a plan based on those risk assessments for
securing the entire transportation sector, and supporting plans for each
mode of surface transportation, as required by and in accordance with the
National Infrastructure Protection Plan. The DHS OGT has developed and
conducted risk assessments of passenger rail systems to identify rail
assets that are vulnerable to attack, such as stations and bridges. TSA
has also conducted a threat assessment of mass transit and passenger rail,
and assessments to identify critical rail assets. However, we reported in
September 2005 that while TSA had begun to establish a methodology for
determining how to analyze and characterize the risks identified, the
agency had not completed a comprehensive risk assessment of the passenger
rail system. We concluded that, until TSA completed this effort, the
agency may be limited in its ability to prioritize passenger rail assets
and help guide security investment decisions about protecting them. Since
that time, TSA reported that it is working with rail transit agencies to
update risk assessments that FTA and FRA conducted after September 11. TSA
expects the 50 largest rail transit agencies to complete security self
assessments in early 2007. According to TSA, the agency is using the
results of these assessments to set priorities, and has identified
underground and underwater rail infrastructure and high density passenger
rail stations as assets at highest risk. In addition, at the time of our
report, DHS had begun developing, but had not yet completed, a framework
to help federal agencies and the private sector develop a consistent
approach for analyzing and comparing risks to transportation and other
critical sectors. As part of that framework, TSA is developing, but has
not yet issued, a Transportation Sector Specific Plan (TSSP) and
supporting plans for rail and other modes of surface transportation, as
required by DHS's National Infrastructure Protection Plan and a December
2006 Executive Order. Until TSA issues these plans, the agency lacks a
clearly communicated strategy with goals and objectives for securing the
overall transportation sector, including passenger rail.

1GAO, Passenger Rail Security: Enhanced Federal Leadership Needed to
Prioritize and Guide Security Efforts, [23]GAO-05-851 (Washington, D.C.:
Sept. 9, 2005).

Before and after September 11, 2001, FTA and FRA undertook a number of
initiatives to enhance passenger rail security, including conducting
security readiness assessments, providing grants for emergency response
drills and training, and implementing security awareness programs for rail
passengers and employees. However, we reported in September 2005 that
TSA's coordination efforts with DOT and industry stakeholders related to
passenger rail security could be improved. In March 2004, after terrorist
attacks on the rail system in Madrid, TSA issued security directives for
passenger rail and mass transit. These directives were intended to
establish standard protective measures for all passenger rail operators,
including Amtrak. However, federal and rail industry stakeholders
questioned the extent to which these directives were based on industry
best practices and expressed confusion about how TSA would monitor
compliance with the directives. In the 16 months since the completion of
our work, TSA has reported taking additional actions to strengthen the
security of the passenger rail system. For example, TSA has tested rail
security technologies, developed training tools for rail workers, and
issued a proposed rule in December 2006 regarding passenger and freight
rail security, among other efforts. TSA has also taken steps to better
coordinate with DOT regarding rail security roles and responsibilities and
develop partnerships with industry stakeholders. The memorandum of
understanding between DHS and DOT was updated to include specific
agreements between TSA and FTA in September 2005, and between TSA and FRA
in September 2006, to delineate security-related roles and
responsibilities, among other things, for passenger rail and mass transit.
In addition, TSA established an Office of Transportation Sector Network
Management and offices for each mode of transportation to develop security
policies and partnerships with industry stakeholders, including passenger
rail and other surface transportation modes.

Domestic and foreign passenger rail operators we contacted during our
prior work on passenger rail security had taken a range of actions to
secure their systems. Most had implemented customer awareness programs to
encourage passengers to remain vigilant and report suspicious activities,
increased the number and visibility of security personnel, increased the
use of canine teams to detect explosives, enhanced employee training
programs, upgraded security technology, tightened access controls, and
made rail system design improvements to enhance security. We also observed
security practices among certain foreign passenger rail systems or their
governments that were not used, or used to the same degree, by the
domestic rail operators we contacted or by the U.S. government which could
be considered for use in the U.S. For example, we found that some foreign
rail operators randomly screened passengers or utilized covert testing to
help keep employees alert to security threats, and some foreign
governments maintained centralized clearinghouses on rail security
technologies and best practices. While introducing any of these security
practices into the U.S. rail system may pose political, legal, fiscal, and
cultural challenges, they nevertheless warrant further examination. Since
our report on passenger rail security was issued, TSA has reported taking
steps to coordinate with foreign passenger rail operators and governments
to identify security best practices. In addition, in January 2007, a TSA
official stated that the agency was developing a clearinghouse of
transportation security technologies, but a completion date for this
effort was not currently available.

In our September 2005 report on passenger rail security, we recommended,
among other things, that TSA establish a plan with timelines for
completing its methodology for conducting risk assessments and develop
security standards that reflect industry best practices and can be
measured and enforced. These actions should help ensure that the federal
government has the information it needs to prioritize passenger rail
assets based on risk, and evaluate, select, and implement measures to help
the passenger rail operators protect their systems against terrorism. In
addition, we recommended that the Secretary of DHS, in collaboration with
DOT and the passenger rail industry, determine the feasibility, in a risk
management context, of implementing certain security practices used by
foreign rail operators. DHS, DOT, and Amtrak generally agreed with the
report's recommendations. However, as of February 2007, DHS has not
provided a formal response indicating if or how it has implemented these
recommendations.

Background

Overview of the Passenger Rail System

Each weekday, 11.3 million passengers in 35 metropolitan areas and 22
states use some form of rail transit (commuter, heavy, or light rail).2
Commuter rail systems typically operate on railroad tracks and provide
regional service between a central city and adjacent suburbs. Commuter
rail systems are traditionally associated with older industrial cities,
such as Boston, New York, Philadelphia, and Chicago. Heavy rail
systems--subway systems like New York City's transit system and
Washington, D.C.'s Metro--typically operate on fixed rail lines within a
metropolitan area and have the capacity for a heavy volume of traffic.
Amtrak operates the nation's primary intercity passenger rail service over
a 22,000-mile network, primarily over freight railroad tracks. Amtrak
serves more than 500 stations (240 of which are staffed) in 46 states and
the District of Columbia, and it carried more than 25 million passengers
during FY 2005.

Passenger Rail Systems Are Inherently Vulnerable to Terrorist Attacks

Certain characteristics of domestic and foreign passenger rail systems
make them inherently vulnerable to terrorist attacks and therefore
difficult to secure. By design, passenger rail systems are open, have
multiple access points, are hubs serving multiple carriers, and, in some
cases, have no barriers so that they can move large numbers of people
quickly. In contrast, the U.S. commercial aviation system is housed in
closed and controlled locations with few entry points. The openness of
passenger rail systems can leave them vulnerable because operator
personnel cannot completely monitor or control who enters or leaves the
systems. In addition, other characteristics of some passenger rail
systems--high ridership, expensive infrastructure, economic importance,
and location (large metropolitan areas or tourist destinations)--also make
them attractive targets for terrorists because of the potential for mass
casualties and economic damage and disruption. Moreover, some of these
same characteristics make passenger rail systems difficult to secure. For
example, the numbers of riders that pass through a subway
system--especially during peak hours--may make the sustained use of some
security measures, such as metal detectors, difficult because they could
result in long lines that disrupt scheduled service. In addition, multiple
access points along extended routes could make the cost of securing each
location prohibitive. Balancing the potential economic impact of security
enhancements with the benefits of such measures is a difficult challenge.

2The American Public Transportation Association compiled this fiscal year
2003 ridership data from FTA's National Transit Database. These are the
most current data available. Rail transit systems in the District of
Columbia and Puerto Rico are included in these statistics.

Multiple Stakeholders Share Responsibility for Securing Passenger Rail Systems

Securing the nation's passenger rail systems is a shared responsibility
requiring coordinated action on the part of federal, state, and local
governments; the private sector; and rail passengers who ride these
systems. Since the September 11th attacks, the role of federal agencies in
securing the nation's transportation systems, including passenger rail,
have continued to evolve. Prior to September 11th, FTA and FRA, within
DOT, were the primary federal entities involved in passenger rail security
matters. In response to the attacks of September 11th, Congress passed the
Aviation and Transportation Security Act (ATSA), which created TSA within
DOT and defined its primary responsibility as ensuring the security of all
modes of transportation, although its provisions focus primarily on
aviation security.3 The act also gives TSA regulatory authority for
security over all transportation modes. With the passage of the Homeland
Security Act of 2002, TSA was transferred, along with over 20 other
agencies, to the Department of Homeland Security.4 The Intelligence Reform
and Terrorism Prevention Act of 2004 requires the Secretary of Homeland
Security, working jointly with the Secretary of Transportation, to develop
a National Strategy for Transportation Security and transportation modal
security plans. 5 TSA issued the National Strategy for Transportation
Security in 2005. In addition, the DHS National Infrastructure Protection
Plan (NIPP) required the development of a Transportation Sector Specific
Plan. In accordance with the NIPP, a December 2006 Executive Order
required the Secretary of Homeland Security to develop a TSSP by December
31, 2006, and supporting plans for each mode of surface transportation not
later than 90 days after completion of the TSSP.6 According to the NIPP,
sector specific plans should, among other things, define the goals and
objectives to secure the sector, assess the risks facing the sector,
identify the critical assets and infrastructure and develop programs to
protect them, and develop security partnerships with industry stakeholders
within the sector. As of February 2007, TSA had not yet issued the TSSP or
the supporting plans for each surface transportation mode.

3See Pub. L. No. 107-71, 115 Stat. 597 (2001).

4See Pub. L. No. 107-296 S 403, 116 Stat. 2135, 2178 (2002).

5Pub. L. No. 108-458, S4001, 118 Stat. 3638, 3710-12 (codified at 49
U.S.C. S 114(t)).

6On December 5, 2006, the President issued Executive Order 13416, which
requires among other things, that DHS develop a comprehensive
transportation systems sector specific plan, as defined in the NIPP, not
later than December 31, 2006. See 71 Fed. Reg. 71,033 (Dec. 7, 2006).

Within DHS, OGT, formerly the Office for Domestic Preparedness (ODP), has
become the federal source for security funding of passenger rail systems.
7 OGT is the principal component of DHS responsible for preparing the
United States against acts of terrorism and has primary responsibility
within the executive branch for assisting and supporting DHS, in
coordination with other directorates and entities outside of the
department, in conducting risk analysis and risk management activities of
state and local governments. In carrying out its mission, OGT provides
training, funds for the purchase of equipment, support for the planning
and execution of exercises, technical assistance, and other support to
assist states, local jurisdictions, and the private sector to prevent,
prepare for, and respond to acts of terrorism. OGT created and is
administering two grant programs focused specifically on transportation
security, the Transit Security Grant Program and the Intercity Passenger
Rail Security Grant Program. These programs provide financial assistance
to address security preparedness and enhancements for passenger rail and
transit systems. During fiscal year 2006, OGT provided $110 million to
passenger rail transit agencies through the Transit Security Grant Program
and about $7 million to Amtrak through the Intercity Passenger Rail
Security Grant Program. During fiscal year 2007, OGT plans to distribute
$156 million of for rail and bus security grants and $8 million to Amtrak.

While TSA is the lead federal agency for ensuring the security of all
transportation modes, FTA conducts safety and security activities,
including training, research, technical assistance, and demonstration
projects. In addition, FTA promotes safety and security through its
grant-making authority. FRA has regulatory authority for rail safety over
commuter rail operators and Amtrak, and employs over 400 rail inspectors
that periodically monitor the implementation of safety and security plans
at these systems.8

7OGT originated within the Department of Justice's Office of Justice
Programs in 1998 as the Office for Domestic Preparedness (ODP). Pursuant
to the Homeland Security Act of 2002, ODP was transferred to DHS in March
2003. See Pub. L. No. 107-296, S 403(5), 116 Stat. at 2178 (codified at 6
U.S.C. S 203(5)). In March 2004, the Secretary of Homeland Security
consolidated ODP with the Office of State and Local Government
Coordination to form the Office of State and Local Government Coordination
and Preparedness (SLGCP). SLGCP was created to provide a "one-stop shop"
for the numerous federal preparedness initiatives applicable to state and
local governments. Recently, SLGCP was incorporated under the Preparedness
Directorate as OGT. Pursuant to the Department of Homeland Security
Appropriations Act of 2007, OGT is to be transferred, along with certain
other components of the Preparedness Directorate, into the Federal
Emergency Management Agency effective March 31, 2007. Pub. L. No. 109-295,
S 611(13), 120 Stat. 1355, 1400 (2006).

State and local governments, passenger rail operators, and private
industry are also important stakeholders in the nation's rail security
efforts. State and local governments may own or operate a significant
portion of the passenger rail system. Passenger rail operators, which can
be public or private entities, are responsible for administering and
managing passenger rail activities and services. Passenger rail operators
can directly operate the service provided or contract for all or part of
the total service. Although all levels of government are involved in
passenger rail security, the primary responsibility for securing passenger
rail systems rests with passenger rail operators.

Assessing and Managing Risks to Rail Infrastructure Using a Risk Management
Approach

Risk management is a tool for informing policy makers' decisions about
assessing risks, allocating resources, and taking actions under conditions
of uncertainty. In recent years, the President, through Homeland Security
Presidential Directives (HSPD), and Congress, through the Intelligence
Reform and Terrorism Prevention Act of 2004, provided for federal agencies
with homeland security responsibilities to apply risk-based principles to
inform their decision making regarding allocating limited resources and
prioritizing security activities. The 9/11 Commission recommended that the
U.S. government should identify and evaluate the transportation assets
that need to be protected, set risk-based priorities for defending them,
select the most practical and cost-effective ways of doing so, and then
develop a plan, budget, and funding to implement the effort.9 Further, the
Secretary of DHS has made risk-based decision-making a cornerstone of
departmental policy. We have previously reported that a risk management
approach can help to prioritize and focus the programs designed to combat
terrorism. Risk management, as applied in the homeland security context,
can help federal decision-makers determine where and how to invest limited
resources within and among the various modes of transportation.

8FRA administers and enforces federal laws and regulations that are
designed to promote safety on railroads, such as track maintenance,
inspection standards, equipment standards, and operating practices. FRA
exercises jurisdiction over all areas of railroad safety pursuant to 49
U.S.C. S 20103.

The Homeland Security Act of 2002 also directed the department's
Directorate of Information Analysis and Infrastructure Protection to use
risk management principles in coordinating the nation's critical
infrastructure protection efforts.10 This includes integrating relevant
information, analysis, and vulnerability assessments to identify
priorities for protective and support measures by the department, other
federal agencies, state and local government agencies and authorities, the
private sector, and other entities. Homeland Security Presidential
Directive 7 and the Intelligence Reform and Terrorism Prevention Act of
2004 further define and establish critical infrastructure protection
responsibilities for DHS and those federal agencies given responsibility
for particular industry sectors, such as transportation. In June 2006, DHS
issued the NIPP, which named TSA as the primary federal agency responsible
for coordinating critical infrastructure protection efforts within the
transportation sector.11 In fulfilling its responsibilities under the
NIPP, TSA must conduct and facilitate risk assessments in order to
identify, prioritize, and coordinate the protection of critical
transportation systems infrastructure, as well as develop risk based
priorities for the transportation sector.

9National Commission on Terrorist Attacks upon the United States, The 9/11
Commission Report: Final Report of the National Commission on Terrorist
Attacks upon the United States (Washington, D.C.: 2004). The 9/11
Commission was an independent, bipartisan commission created in late 2002,
to prepare a complete account of the circumstances surrounding the
September 11, 2001 terrorist attacks, including preparedness for and the
immediate response to the attacks. The Commission was also mandated to
provide recommendations designed to guard against future attacks.

10In 2006, DHS reorganized their Information Analysis and Infrastructure
Protection division. The functions of the Directorate of Information
Analysis and Infrastructure Protection were moved to the Office of
Intelligence Analysis and Office of Infrastructure Protection.

11HSPD-7 directed the DOT and DHS to collaborate on all matters relating
to transportation security and transportation infrastructure protection.
In 2003, DHS designated TSA as the lead agency for addressing HSPD-7 as it
relates to securing the nation's transportation sector.

To provide guidance to agency decision makers, we have created a risk
management framework, which is intended to be a starting point for
applying risk based principles. Our risk management framework entails a
continuous process of managing risk through a series of actions, including
setting strategic goals and objectives, assessing risk, evaluating
alternatives, selecting initiatives to undertake, and implementing and
monitoring those initiatives. DHS's NIPP describes a risk management
process that closely mirrors our risk management framework.

Setting strategic goals, objectives, and constraints is a key first step
in applying risk management principles and helps to ensure that management
decisions are focused on achieving a purpose. These decisions should take
place in the context of an agency's strategic plan that includes goals and
objectives that are clear and concise. These goals and objectives should
identify resource issues and external factors to achieving the goals.
Further, the goals and objectives of an agency should link to a
department's overall strategic plan. The ability to achieve strategic
goals depends, in part, on how well an agency manages risk. The agency's
strategic plan should address risk related issues that are central to the
agency's overall mission.

Risk assessment, an important element of a risk based approach, helps
decision makers identify and evaluate potential risks so that
countermeasures can be designed and implemented to prevent or mitigate the
effects of the risks. Risk assessment is a qualitative and/or quantitative
determination of the likelihood of an adverse event occurring and the
severity, or impact, of its consequences. Risk assessment in a homeland
security application often involves assessing three key elements--threat,
vulnerability, and criticality or consequence. A threat assessment
identifies and evaluates potential threats on the basis of factors such as
capabilities, intentions, and past activities. A vulnerability assessment
identifies weaknesses that may be exploited by identified threats and
suggests options to address those weaknesses. A criticality or consequence
assessment evaluates and prioritizes assets and functions in terms of
specific criteria, such as their importance to public safety and the
economy, as a basis for identifying which structures or processes are
relatively more important to protect from attack. Information from these
three assessments contributes to an overall risk assessment that
characterizes risks on a scale such as high, medium, or low and provides
input for evaluating alternatives and management prioritization of
security initiatives. The risk assessment element in the overall risk
management cycle may be the largest change from standard management steps
and can be important to informing the remaining steps of the cycle.

DHS Has Taken Steps to Assess Risk to Passenger Rail Systems, but Has Not Issued
a Strategy for Securing the Transportation Sector

DHS has made progress in assessing the risks facing the U.S. passenger
rail system, but has not issued a plan based on those risk assessments for
securing the entire transportation sector and supporting plans for each
mode of transportation, including passenger rail. The DHS OGT developed
and implemented a risk assessment methodology to help passenger rail
operators better respond to terrorist attacks and prioritize security
measures. Passenger rail operators must have completed a risk assessment
to be eligible for financial assistance through the fiscal year 2007 OGT
Transit Security Grant Program, which includes funding for passenger rail.
To receive grant funding, rail operators are also required to have a
security and emergency preparedness plan that identifies how the operator
intends to respond to security gaps identified by risk assessments. As of
February 2007, OGT had completed or planned to conduct risk assessments of
most passenger rail operators. According to rail operators, OGT's risk
assessment process enabled them to prioritize investments based on risk
and allowed them to target and allocate resources towards security
measures that will have the greatest impact on reducing risk across their
rail systems.

Further, we reported in September 2005 that TSA had not completed a
comprehensive risk assessment of the entire passenger rail system. TSA had
begun to assess risks to the passenger rail system, including completing
an overall threat assessment for both mass transit and passenger and
freight rail modes. TSA also conducted criticality assessments of nearly
700 passenger rail stations and had begun conducting assessments for other
passenger rail assets such as bridges and tunnels. TSA reported that it
planned to rely on asset criticality rankings to prioritize which assets
it would focus on in conducting vulnerability assessments to determine
which passenger rail assets are vulnerable to attack. For assets that are
deemed to be less critical, TSA has developed a software tool that it has
made available to passenger rail and other transportation operators for
them to use on a voluntary basis to assess the vulnerability of their
assets. We reported that, until all three assessments of passenger rail
systems--threat, criticality, and vulnerability--have been completed, and
until TSA determined how to use the results of these assessments to
analyze and characterize the level of risk (high, medium, or low), it will
be difficult to prioritize passenger rail assets and guide investment
decisions about protecting them.

More recently, in January 2007, TSA reported taking additional actions to
assess the risks facing the U.S. passenger rail system. For example, TSA
reported that its surface transportation security inspectors are working
with rail transit agencies to update risk assessments that FTA and FRA
conducted after September 11, and is also conducting additional security
assessments of rail transit agencies. TSA also expected that the 50
largest rail transit agencies would complete security self assessments in
early 2007. According to TSA, the agency is using the results of these
assessments to set priorities and identify baseline security standards for
the passenger rail industry. For example, the agency recently reported
that it has identified underground and underwater rail infrastructure and
high density passenger rail stations as the critical assets most at risk.
According to TSA, the agency prioritized a list of the underwater rail
tunnels deemed to be at highest risk, and plans to conduct assessments of
high-risk rail tunnels.

We also reported in September 2005 that DHS was developing, but had not
yet completed, a framework intended to help TSA, OGT, and other federal
agencies work with their stakeholders to assess risk. This framework is
intended to help the private sector and state and local governments
develop a consistent approach to analyzing risk and vulnerability across
infrastructure types and across entire economic sectors, develop
consistent terminology, and foster consistent results. The framework is
also intended to enable a federal-level assessment of risk in general, and
comparisons among risks, for purposes of resource allocation and response
planning. DHS reported that this framework will provide overarching
guidance to sector-specific agencies on how various risk assessment
methodologies may be used to analyze, normalize, and prioritize risk
within and among sectors. We plan to assess DHS and DOT's progress in
enhancing their risk assessment efforts during our follow-on review of
passenger rail security.

Finalizing a methodology for assessing risk to passenger rail and other
transportation modes and conducting risk assessments to determine the
areas of greatest need are key steps required in developing a strategy for
securing the overall transportation sector and each mode of transportation
individually. However, TSA has not issued the required TSSP and supporting
plans for securing each mode of transportation. According to TSA, the TSSP
and supporting modal plans are in draft, but must be reviewed by DHS and
the White House Homeland Security Council before they can be finalized.
Until TSA issues the TSSP and modal plans, the agency lacks a clearly
communicated strategy with goals and objectives for securing the overall
transportation sector, including passenger rail.

Federal Agencies Have Taken Actions to Enhance Passenger Rail Security, Improve
Federal Coordination, and Develop Industry Partnerships

In addition to ongoing initiatives to enhance passenger rail security
conducted by the FTA and FRA before and after September 11, 2001, TSA
issued security directives to passenger rail operators after the March
2004 terrorist attacks on the rail system in Madrid. However, federal and
rail industry stakeholders have questioned the extent that these
directives were based on industry best practices and expressed confusion
about how TSA would monitor compliance with the directives. Since the
completion of our work on passenger rail security, TSA has reported taking
additional actions to strengthen the security of the passenger rail
system. For example, TSA tested rail security technologies, developed
training tools for rail workers, and issued a proposed rule in December
2006 regarding passenger and freight rail security, among other efforts.
TSA has also taken steps to better coordinate with DOT regarding rail
security roles and responsibilities and has worked to develop more
effective partnerships with industry stakeholders. The memorandum of
understanding between DHS and DOT was updated to include specific
agreements between TSA and FTA in September 2005 and between TSA and FRA
in September 2006 to delineate security-related roles and
responsibilities, among other things, for passenger rail and mass transit.
In addition, TSA established an Office of Transportation Sector Network
Management and offices for each mode of transportation to develop security
policies and partnerships with industry stakeholders, including passenger
rail and other surface modes.

DOT Agencies Led Initial Efforts to Enhance Passenger Rail Security

Prior to the creation of TSA in November 2001, FTA and FRA, within DOT,
were primarily responsible for the security of passenger rail systems.
These agencies undertook a number of initiatives to enhance the security
of passenger rail systems after the September 11th attacks that are still
in place today. Specifically, FTA launched a transit security initiative
in 2002 that included security readiness assessments, technical
assistance, grants for emergency response drills, and training. FTA also
instituted the Transit Watch campaign in 2003--a nationwide safety and
security awareness program designed to encourage the participation of
transit passengers and employees in maintaining a safe transit
environment. The program provides information and instructions to transit
passengers and employees so that they know what to do and whom to contact
in the event of an emergency in a transit setting. FTA plans to continue
this initiative, in partnership with TSA and OGT, and offer additional
security awareness materials that address unattended bags and emergency
evacuation procedures for transit agencies. In addition, in November 2003,
FTA issued its Top 20 Security Program Action Items for Transit Agencies,
which recommended measures for passenger rail operators to include into
their security programs to improve both security and emergency
preparedness. FTA has also used research and development funds to develop
guidance for security design strategies to reduce the vulnerability of
transit systems to acts of terrorism. Further, in November 2004, FTA
provided rail operators with security considerations for transportation
infrastructure. This guidance provides recommendations intended to help
operators deter and minimize attacks against their facilities, riders, and
employees by incorporating security features into the design of rail
infrastructure.

FRA has also taken a number of actions to enhance passenger rail security
since September 11, 2001. For example, it has assisted commuter railroads
in developing security plans, reviewed Amtrak's security plans, and helped
fund FTA security readiness assessments for commuter railroads. In the
wake of the Madrid terrorist bombings in March 2004, nearly 200 FRA
inspectors, in cooperation with TSA, conducted inspections of each of the
18 commuter railroads and Amtrak to determine what additional security
measures had been put into place to prevent a similar occurrence in the
United States. FRA also conducted research and development projects
related to passenger rail security. These projects included rail
infrastructure security and trespasser monitoring systems and passenger
screening and manifest projects, including explosives detection. Although
FTA and FRA now play a supporting role in transportation security matters
since the creation of TSA, they remain important partners in the federal
government's efforts to strengthen rail security, given their role in
funding and regulating the safety of passenger rail systems. Moreover, as
TSA moves ahead with its passenger rail security initiatives, FTA and FRA
are continuing their passenger rail security efforts.

TSA Issued Rail Security Directives, but Faces Challenges Related to Compliance
and Enforcement

In May 2004, TSA issued security directives to the passenger rail industry
to establish standard security measures for all passenger rail operators,
including Amtrak.12 However, as we previously reported, it was unclear how
TSA developed the requirements in the directives, how TSA planned to
monitor and ensure compliance, how rail operators were to implement the
measures, and which entities were responsible for their implementation.
According to TSA, the directives were based upon FTA and American Public
Transportation Association best practices for rail security. Specifically,
TSA stated that it consulted a list of the top 20 actions FTA identified
that rail operators can take to strengthen security. While some of the
directives' requirements correlate to information contained in the FTA
guidance, the source for many of the requirements is unclear. Amtrak and
FRA officials also raised concerns about some of the directives. For
example, FRA officials stated that current FRA safety regulations
requiring engineer compartment doors be kept unlocked to facilitate
emergency escapes13 conflicts with the TSA security directive requirement
that doors equipped with locking mechanisms be kept locked. Other
passenger rail operators we spoke with during our review stated that TSA
did not adequately consult with the rail industry prior to developing and
issuing these directives. In January 2007, TSA stated that it recognizes
the need to closely partner with the passenger rail industry to develop
security standards and directives.

12TSA issues security related regulations and directives pursuant to its
49 U.S.C. S 114(l) rulemaking authority.

As we reported in September 2005, rail operators are required to allow TSA
and DHS to perform inspections, evaluations, or tests based on execution
of the directives at any time or location. However, we reported that some
passenger rail operators have expressed confusion and concern about the
role of TSA's inspectors and the potential that TSA inspections could be
duplicative of other federal and state rail inspections, such as FRA
inspections. Since we issued our report, TSA officials reported that the
agency has hired 100 surface transportation inspectors, whose stated
mission is to, among other duties, monitor and enforce compliance with
TSA's rail security directives. Further, in September 2006, FRA's and
TSA's roles and responsibilities for compliance inspections were outlined
in an annex to the existing memorandum of understanding between DHS and
DOT. The annex provides that when an FRA inspector observes a security
issue during an inspection, this information will be provided to TSA.
Similarly, if a TSA inspector observes a safety issue, this information
will be provided to FRA. According to TSA, since the initial deployment of
surface inspectors, these inspectors have developed relationships with
security officials in passenger rail and transit systems, coordinated
access to operations centers, participated in emergency exercises, and
provided assistance in enhancing security. We will continue to assess
TSA's efforts to enforce compliance with rail security requirements,
including those in the December 2006 proposed rule on rail security,
during our follow-on review of passenger rail security.

13See 49 C.F.R. S 238.235.

TSA Has Reported Taking Additional Actions to Strengthen Passenger Rail
Security, Improve Coordination with DOT, and Develop Industry Partnerships

In January 2007, TSA identified additional actions they had taken to
strengthen passenger rail security. We have not verified or evaluated
these actions. These actions include:

National explosive canine detection teams: Since late 2005, TSA reported
that it has trained and deployed 53 canine teams to 13 mass transit
systems to help detect explosives in the passenger rail system and serve
as a deterrent to potential terrorists.

Visible Intermodal Prevention and Response Teams: This program is intended
to provide teams of law enforcement, canines, and inspection personnel to
mass transit and passenger rail systems to deter and detect potential
terrorist actions. Since the program's inception in December 2005, TSA
reported conducting more than 25 exercises at mass transit and passenger
rail systems throughout the nation.

Mass Transit and Passenger Rail Security Information Sharing Network:
According to TSA, the agency initiated this program in August 2005 to
develop information sharing and dissemination processes regarding
passenger rail and mass transit security across the federal government,
state and local governments, and rail operators.

National Transit Resource Center: TSA officials stated that they are
working with FTA and DHS OGT to develop this center, which will provide
transit agencies nationwide with pertinent information related to transit
security, including recent suspicious activities, promising security
practices, new security technologies, and other information.

National Security Awareness Training Program for Railroad Employees: TSA
officials stated that the agency has contracted to develop and distribute
computer based training for passenger rail, rail transit, and freight rail
employees. The training will include information on identifying security
threats, observing and reporting suspicious activities and objects,
mitigating security incidents, and other related information. According to
TSA, the training will be distributed to all passenger and freight rail
systems.

Transit Terrorist Tool and Tactics: This training course is funded through
the Transit Security Grant Program and teaches transit employees how to
prevent and respond to a chemical, biological, radiological, nuclear, or
explosive attack. According to TSA, this course was offered for the first
time during the fall of 2006.

National Tunnel Security Initiative: This DHS and DOT initiative aims to
identify and assess risks to underwater tunnels, prioritize security
funding to the most critical areas, and develop technologies to better
secure underwater tunnels. According to TSA, this initiative has
identified a list of 29 critical underwater rail transit tunnels.

DHS and TSA have also sought to enhance passenger rail security by
conducting research on technologies related to screening passengers and
checked baggage in the passenger rail environment. For example, TSA
conducted a Transit and Rail Inspection Pilot, a $1.5 million effort to
test the feasibility of using existing and emerging technologies to screen
passengers, carry-on items, checked baggage, cargo, and parcels for
explosives. According to TSA, the agency completed this pilot in July
2004. TSA officials told us that based upon preliminary analyses, the
screening technologies and processes tested would be very difficult to
implement on heavily used passenger rail systems because these systems
carry high volumes of passengers and have multiple points of entry.
However, TSA officials added that the screening processes used in the
pilot may be useful on certain long-distance intercity train routes, which
make fewer stops. Further, TSA officials stated that screening could be
used either randomly or for all passengers during certain high-risk events
or in areas where a particular terrorist threat is known to exist. For
example, screening technology similar to that used in the pilot was used
by TSA to screen certain passengers and belongings in Boston and New York
rail stations during the 2004 Democratic and Republican national
conventions. According to TSA, the agency is also researching and
developing other passenger rail security technologies, including closed
circuit television systems that can detect suspicious behavior, mobile
passenger screening checkpoints to be used at rail stations, bomb
resistant trash cans, and explosive detection equipment for use in the
rail environment. Finally, TSA recently reported that the DHS Science and
Technology (S&T) Directorate conducted a rail security pilot, which tested
the effectiveness of explosive detection technologies in partnership with
the Port Authority of New York and New Jersey.

In December 2006, TSA issued a proposed rule regarding passenger and
freight rail security requirements. TSA's proposed rule would require that
passenger and freight rail operators, certain facilities that ship or
receive hazardous materials by rail, and rail transit systems take the
following actions:

           o Designate a rail security coordinator to be available to TSA on
           a 24 hour, seven day a week basis to serve as the primary contact
           for the receipt of intelligence and other security related
           information.
           o Immediately report incidents, potential threats, and security
           concerns to TSA.
           o Allow TSA and DHS officials to enter and conduct inspections,
           test, and perform other duties within their rail systems.
           o Provide TSA, upon request, with the location and shipping
           information of rail cars that contain a specific category and
           quantity of hazardous materials within one hour of receiving the
           request from TSA.
           o Provide for a secure chain of custody and control of rail cars
           containing a specified quantity and type of hazardous material.

The period for public comment on the proposed rule is scheduled to close
in February 2007. TSA plans to review these comments and issue a final
rule in the future.

With multiple DHS and DOT stakeholders involved in securing the U.S.
passenger rail system and inherent relationships between security and
safety, the need to improve coordination between the two agencies has been
a consistent theme in our prior work in this area. In response to a
previous recommendation we made,14 DHS and DOT signed a memorandum of
understanding (MOU) to develop procedures by which the two departments
could improve their cooperation and coordination for promoting the safe,
secure, and efficient movement of people and goods throughout the
transportation system. The MOU defines broad areas of responsibility for
each department. For example, it states that DHS, in consultation with DOT
and affected stakeholders, will identify, prioritize, and coordinate the
protection of critical infrastructure. The MOU between DHS and DOT
represents an overall framework for cooperation that is to be supplemented
by additional signed agreements, or annexes, between the departments.
These annexes are to delineate the specific security related roles,
responsibilities, resources, and commitments for mass transit, rail,
research and development, and other matters. TSA signed annexes to the MOU
with FRA in September 2006 and FTA in September 2005 describing the roles
and responsibilities of each agency regarding passenger rail security.
These annexes also describe how TSA and these DOT agencies will coordinate
security related efforts, avoid duplicating efforts, and improve
coordination and communication with industry stakeholders.

14Transportation Security: Federal Action Needed to Help Address Security
Challenges, [24]GAO-03-843 (Washington, D.C.: June 2003).

In addition to the federal government, public and private rail operators
share responsibility for securing passenger rail systems. As such, the
need for TSA and other federal agencies to develop partnerships and
coordinate their efforts with these operators is critical. To better
coordinate and develop partnerships with industry stakeholders, TSA has
established an Office of Transportation Sector Network Management (TSNM),
which includes offices for each mode of transportation, such as mass
transit (includes passenger rail), highways, including commercial
vehicles, and pipelines. According to TSA, the TSNM Mass Transit Division
coordinates federal security activities in the mass transit and passenger
rail modes and works to develop partnerships with passenger rail
operators, federal agencies, and industry associations. TSA also reports
that it is working with industry partners to develop baseline security
standards for passenger rail and other surface modes. We will continue to
assess TSA's efforts in strengthening federal and private sector
partnerships during our follow-on work on passenger rail security.

U.S. and Foreign Rail Operators Have Taken Similar Actions to Secure Rail
Systems, and Opportunities for Additional Domestic Security Actions May Exist

U.S. passenger rail operators have taken numerous actions to secure their
rail systems since the terrorist attacks of September 11, 2001, in the
United States, and the March 11, 2004, attacks in Madrid. These actions
included both improvements to system operations and capital enhancements
to a system's facilities, such as tracks, buildings, and train cars. All
of the U.S. passenger rail operators we contacted have implemented some
types of security measures--such as increased numbers and visibility of
security personnel and customer awareness programs--that were generally
consistent with those we observed in select countries in Europe and Asia.
We also identified three rail security practices--covert testing, random
screening of passengers and their baggage, and centralized research and
testing--utilized by foreign operators or their governments that were not
utilized, at the time of our review, by domestic rail operators or the
U.S. government.

U.S. and Foreign Rail Operators Employ Similar Security Practices

Both U.S. and foreign passenger rail operators we contacted have
implemented similar improvements to enhance the security of their systems.
A summary of these efforts follows.

Customer awareness: Customer awareness programs we observed used signage
and announcements to encourage riders to alert train staff if they
observed suspicious packages, persons, or behavior. Of the 32 domestic
rail operators we interviewed, 30 had implemented a customer awareness
program or made enhancements to an existing program. Foreign rail
operators we visited also attempted to enhance customer awareness. For
example, 11 of the 13 operators we interviewed had implemented a customer
awareness program.

Increased number and visibility of security personnel: Of the 32 U.S. rail
operators we interviewed, 23 had increased the number of security
personnel they utilized since September 11th, to provide security
throughout their system or had taken steps to increase the visibility of
their security personnel. Several U.S. and foreign rail operators we spoke
with had instituted policies such as requiring their security staff, in
brightly colored vests, to patrol trains or stations more frequently, so
they were more visible to customers and potential terrorists or criminals.
Operators believed that these policies made it easier for customers to
contact security personnel in the event of an emergency, or if they
spotted a suspicious item or person. At foreign sites we visited, 10 of
the 13 operators had increased the number of their security officers
throughout their systems in recent years because of the perceived increase
in risk of a terrorist attack.

Increased use of canine teams: Of the 32 U.S. passenger rail operators we
contacted, 21 were using canines to patrol their facilities or trains.
Often, these units are used to detect the presence of explosives, and may
be called in when a suspicious package is detected. In foreign countries
we visited, passenger rail operators' use of canines varied. In some Asian
countries, canines were not culturally accepted by the public and thus
were not used for rail security purposes. As in the United States, and in
contrast to Asia, most European passenger rail operators used canines for
explosive detection or as deterrents.

Employee training: All of the domestic and foreign rail operators we
interviewed had provided some type of security training to their staff,
either through in-house personnel or an external provider. In many cases,
this training consisted of ways to identify suspicious items and persons
and how to respond to events once they occur. For example, the London
Underground and the British Transport Police developed the "HOT" method
for its employees to use to identify suspicious items in the rail system.
In the HOT method, employees are trained to look for packages or items
that are Hidden, Obviously suspicious, and not Typical of the environment.

Passenger and baggage screening practices: Some domestic and foreign rail
operators have trained employees to recognize suspicious behavior as a
means of screening passengers. Eight U.S. passenger rail operators we
contacted were utilizing some form of behavioral screening. Abroad, we
found that 4 of 13 operators we interviewed had implemented forms of
behavioral screening. All of the domestic and foreign rail operators we
contacted have ruled out an airport-style screening system for daily use
in heavy traffic, where each passenger and the passenger's baggage are
screened by a magnetometer or X-ray machine, based on cost, staffing, and
customer convenience factors, among other reasons.

Upgrading technology: Many rail operators we interviewed had embarked on
programs designed to upgrade their existing security technology. For
example, we found that 29 of the 32 U.S. operators had implemented a form
of closed circuit television (CCTV) to monitor their stations, yards, or
trains. While these cameras cannot be monitored closely at all times,
because of the large number of staff that would be required, many rail
operators felt that the cameras acted as a deterrent, assisted security
personnel in determining how to respond to incidents that had already
occurred, and could be monitored if an operator had received information
that an incident may occur at a certain time or place in their system.
Abroad, all 13 of the foreign rail operators we visited had CCTV systems
in place. In addition, 18 of the 32 U.S. rail operators we interviewed had
installed new emergency phones or enhanced the visibility of the intercom
systems they already had. As in the United States, a few foreign operators
had implemented chemical or biological detection devices at these rail
stations, but their use was not widespread. Two of the 13 foreign
operators we interviewed had implemented these sensors, and both were
doing so on an experimental basis. In addition, police officers from the
British Transport Police--responsible for policing the rail system in the
United Kingdom--were equipped with pagers to detect chemical, biological,
or radiological elements in the air, allowing them to respond quickly in
case of a terrorist attack using one of these methods.

Access control: Tightening access control procedures at key facilities or
rights-of-way is another way many rail operators have attempted to enhance
security. A majority of domestic and selected foreign passenger rail
operators had invested in enhanced systems to control unauthorized access
at employee facilities and stations. Specifically, 23 of the 32 U.S.
operators had installed a form of access control at key facilities and
stations. All 13 foreign operators had implemented some form of access
control to their critical facilities or rights-of-way.

Rail system design and configuration: In an effort to reduce
vulnerabilities to terrorist attack and increase security, passenger rail
operators in the United States and abroad have been, or are now beginning
to, incorporate security features into the design of new and existing rail
infrastructure, primarily rail stations. Foreign rail operators had taken
steps to remove traditional trash bins from their systems. Of the 13
operators we visited, 8 had either removed their trash bins entirely or
replaced them with blast-resistant cans or transparent receptacles.

Many foreign rail operators are also incorporating aspects of security
into the design of their rail infrastructure. Of the 13 operators we
visited, 11 had attempted to design new facilities with security in mind
and had retrofitted older facilities to incorporate security-related
modifications. For example, one foreign operator we visited was
retrofitting its train cars with windows that passengers could open in the
event of a chemical attack. In addition, the London Underground
incorporates security into the design of all its new stations as well as
when existing stations are modified. We observed several security features
in the design of Underground stations, such as using vending machines that
have no holes that someone could use to hide a bomb, and sloped tops to
reduce the likelihood that a bomb can be placed on top of the machine. In
addition, stations are designed to provide staff with clear lines of sight
to all areas of the station, such as underneath benches or ticket
machines, and station designers try to eliminate or restrict access to any
recessed areas where a bomb could be hidden.

Figure 1 shows a diagram of several security measures that we observed in
passenger rail stations both in the United States and abroad.

Figure 1: Composite of Selected Security Practices in the Passenger Rail
Environment

Amtrak Faces Challenges Specific to Intercity Passenger Rail in Securing Its
System

In our past work, we found that Amtrak faces security challenges unique to
intercity passenger rail systems. First, Amtrak operates over thousands of
miles, often far from large population centers. This makes its route
system more difficult to patrol and monitor than one contained in a
particular metropolitan region, and it causes delays in responding to
incidents when they occur in remote areas. Also, outside the Northeast
Corridor, Amtrak operates almost exclusively on tracks and in stations
owned by freight rail companies. This means that Amtrak often cannot make
security improvements to others' rights-of-way or station facilities and
that it is reliant on the staff of other organizations to patrol their
facilities and respond to incidents that may occur. Furthermore, with over
500 stations, only half of which are staffed, screening even a small
portion of the passengers and baggage boarding Amtrak trains is difficult.
Finally, Amtrak's financial condition has never been strong--Amtrak has
been on the edge of bankruptcy several times.

We reported in September 2005 that Amtrak had taken some actions to
enhance security throughout its intercity passenger rail system. For
example, Amtrak initiated a passenger awareness campaign, began enforcing
restrictions on carry-on luggage that limit passengers to two carry-on
bags, not exceeding 50 pounds; began requiring passengers to show
identification after boarding trains; increased the number of canine units
patrolling its system looking for explosives or narcotics; and assigned
some of its police to ride trains in the Northeast Corridor. Also, Amtrak
instituted a policy of randomly inspecting checked baggage on its trains.
Amtrak was also making improvements to the emergency exits in certain
tunnels to make evacuating trains in the tunnels easier in the event of a
crash or terrorist attack. More recently, in January 2007, FRA reported
that a systematic review of Amtrak's security policies and programs had
been completed. According to FRA, the agency is currently working with
Amtrak to implement the recommendations of this review.

Three Foreign Rail Security Practices Were Not Used in the United States

While many of the security practices we observed in foreign rail systems
are similar to those U.S. passenger rail operators are implementing, we
identified three foreign practices that were not currently in use among
the U.S. passenger rail operators we contacted as of September 2005, nor
were they performed by the U.S. government. These practices are as
follows.

Covert testing: Two of the 13 foreign rail systems we visited utilized
covert testing to keep employees alert about their security
responsibilities. Covert testing involves security staff staging
unannounced events to test the response of railroad staff to incidents
such as suspicious packages or setting off alarms. In one European system,
this covert testing involves security staff placing suspicious items
throughout their system to see how long it takes operating staff to
respond to the item. Similarly, one Asian rail operator's security staff
will break security seals on fire extinguishers and open alarmed emergency
doors randomly to see how long it takes staff to respond. TSA conducts
covert testing of passenger and baggage screening in aviation, but has not
conducted such testing in the rail environment.

Random screening: Of the 13 foreign operators we interviewed, 2 have some
form of random screening of passengers and their baggage in place. Prior
to the July 2005 London bombings, no passenger rail operators in the
United States were practicing random passengers or baggage screening.
However, during the Democratic National Convention in 2004, the
Massachusetts Bay Transportation Authority instituted a system of random
screening of passengers.

National government clearinghouse on technologies and best practices:
According to passenger rail operators in five countries we visited, their
national governments had centralized the process for performing research
and development of passenger rail security technologies and maintained a
clearinghouse of technologies and security best practices for passenger
rail operators. We reported in September 2005 that no U.S. federal agency
had compiled or disseminated information on research and development and
other best practices for U.S. rail operators.

Implementing covert testing, random screening, or a government-sponsored
clearinghouse for technologies and best practices in the U.S. could pose
political, legal, fiscal, and cultural challenges because of the
differences between the U.S. and these foreign nations. Many foreign
nations have dealt with terrorist attacks on their public transportation
systems for decades, compared with the United States, where rail has not
been specifically targeted by terrorists. According to foreign rail
operators, these experiences have resulted in greater acceptance of
certain security practices, such as random searches, which the U.S. public
may view as a violation of their civil liberties or which may discourage
them from using public transportation. The impact of security measures on
passengers is an important consideration for domestic rail operators,
since most passengers could choose another means of transportation, such
as a personal automobile. As such, security measures that limit
accessibility, cause delays, increase fares, or otherwise cause
inconvenience could push people away from rail and into their cars. In
contrast, the citizens of the European and Asian countries we visited are
more dependent on public transportation than most U.S. residents and
therefore may be more willing to accept intrusive security measures.
Nevertheless, in order to identify innovative security measures that could
help further mitigate terrorism- risks to rail assets--especially as part
of a broader risk management approach discussed earlier--it is important
to consider the feasibility and costs and benefits of implementing the
three rail security practices we identified in foreign countries.
Officials from DHS, DOT, passenger rail industry associations, and rail
systems we interviewed told us that operators would benefit from such an
evaluation. Since our report on passenger rail security was issued, TSA
has reported taking steps to coordinate with foreign passenger rail
operators and governments to identify security best practices. For
example, TSA reported working with British rail security officials to
identify best practices for detecting and handling suspicious packages in
rail systems. In addition, in January 2007, a TSA official stated that the
agency was developing a clearinghouse of transportation security
technologies, but a completion date for this effort was not currently
available.

Conclusions

In conclusion, Mr. Chairman, the 2005 London rail bombings and the 2006
rail attacks in Mumbai, India highlight the inherent vulnerability of
passenger rail and other surface transportation systems to terrorist
attack. Moreover, securing rail and other surface transportation systems
is a daunting task, requiring that the federal government develop clear
strategies that are based on an assessment of the risks to the security of
the systems, including goals and objectives, for strengthening the
security of these systems. Since our September 2005 report, DHS components
have taken steps to assess the risks to the passenger rail system, such as
working with rail operators to update prior risk assessments and
facilitating rail operator security self assessments. According to TSA,
the agency plans to use these assessment results to set priorities for
securing rail assets deemed most at risk, such as underground and
underwater rail infrastructure and high density passenger rail stations. A
comprehensive assessment of the risks facing the transportation sector and
each mode, including passenger rail, will be a key component of the TSSP
and supporting plans for each mode of transportation. Until TSA issues
these plans, however, the agency lacks a clearly communicated strategy
with goals and objectives for securing the overall transportation sector
and each mode of transportation, including passenger rail. TSA has also
taken steps improve coordination with federal, state, and local
governments, and has reported taking steps to strengthen partnerships with
passenger rail industry stakeholders to enhance the security of the
passenger rail system. As TSA moves forward to issue the TSSP and
supporting plans for each mode of transportation, it will be important
that the agency articulate its strategy for securing rail and other modes
to those government agencies and industry stakeholders that share the
responsibility for securing these systems. We will continue to assess DHS
and DOT's efforts to secure the U.S. passenger rail system during
follow-on work to be initiated later this year.

Mr. Chairman, this concludes my statement. I would be pleased to answer
any questions that you or other members of the Committee may have at this
time.

Contact Information

For further information on this testimony, please contact Cathleen A.
Berrick at (202) 512- 3404. Individuals making key contributions to this
testimony include John Hansen, Assistant Director, Chris Currie, and Tom
Lombardi.

Related GAO Products Released Since September 11, 2001

Passenger Rail Security: Federal Strategy and Enhanced Coordination Needed
to Prioritize and Guide Security Efforts. [25]GAO-07-442T . Washington,
D.C.: February 6, 2007.

Passenger Rail Security: Enhanced Federal Leadership Needed to Prioritize
and Guide Security Efforts. [26]GAO-07-225T . Washington, D.C.: January
18, 2007.

Passenger Rail Security: Evaluating Foreign Security Practices and Risk
Can Help Guide Security Efforts. [27]GAO-06-557T . Washington, D.C.: March
29, 2006.

Passenger Rail Security: Enhanced Federal Leadership Needed to Prioritize
and Guide Security Efforts. [28]GAO-06-181T . Washington, D.C.: October
20, 2005.

Passenger Rail Security: Enhanced Federal Leadership Needed to Prioritize
and Guide Security Efforts. [29]GAO-05-851 . Washington, D.C.: September 9
2005.

Transportation Security: Systematic Planning Needed to Optimize Resources.
[30]GAO-05-357T . Washington, D.C.: February 15, 2005.

Rail Security: Some Actions Taken to Enhance Passenger and Freight Rail
Security, but Significant Challenges Remain. [31]GAO-04-598T . Washington,
D.C.: March 23, 2004.

Transportation Security: Federal Action Needed to Enhance Security
Efforts. [32]GAO-03-1154T . Washington, D.C.: September 9, 2003.

Transportation Security: Federal Action Needed to Help Address Security
Challenges. [33]GAO-03-843 . Washington, D.C.: June 30, 2003.

Rail Safety and Security: Some Actions Already Taken to Enhance Rail
Security, but Risk-based Plan Needed. [34]GAO-03-435 . Washington, D.C.:
April 30, 2003.

Transportation Security: Post-September 11th Initiatives and Long-term
Challenges. [35]GAO-03-616T . Washington, D.C.: April 1, 2003.

Mass Transit: Federal Action Could Help Transit Agencies Address Security
Challenges. [36]GAO-03-263 . Washington, D.C.: December 13, 2002.

Mass Transit: Challenges in Securing Transit Systems. [37]GAO-02-1075T .
Washington, D.C.: September 18, 2002.

(440589)

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site. To
have GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail:
[email protected] Automated answering system: (800) 424-5454 or (202)
512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548

Public Affairs

Paul Anderson, Managing Director, [email protected] (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548

www.gao.gov/cgi-bin/getrpt?GAO-07-459T .

To view the full product, including the scope
and methodology, click on the link above.

For more information, contact Cathleen Berrick at (202) 512-3404 or
[email protected].

Highlights of [45]GAO-07-459T , a testimony before the Subcommittee on
Homeland Security, Committee on Appropriations, House of Representatives

February 13, 2007

PASSENGER RAIL SECURITY

Federal Strategy and Enhanced Coordination Needed to Prioritize and Guide
Security Efforts

The 2005 London subway bombings and 2006 rail attacks in Mumbai, India
highlighted the vulnerability of passenger rail and other surface
transportation systems to terrorist attack and demonstrated the need for
greater focus on securing these systems. This testimony is based primarily
on GAO's September 2005 passenger rail security report and selected
program updates obtained in January 2007. Specifically, it addressees (1)
the extent to which the Department of Homeland Security (DHS) has assessed
the risks facing the U.S. passenger rail system and developed a strategy
based on risk assessments for securing all modes of transportation,
including passenger rail; (2) the actions that the Transportation Security
Administration (TSA) and other federal agencies have taken to enhance the
security of the U.S. passenger rail system, improve federal coordination,
and develop industry partnerships; and (3) the security practices that
domestic and selected foreign passenger rail operators have implemented to
enhance security.

[46]What GAO Recommends

We have previously recommended that TSA complete risk assessments, develop
rail security standards based on best practices, and consider implementing
practices used by foreign rail operators. DHS, Department of
Transportation (DOT), and Amtrak generally agreed with these
recommendations.

The DHS Office of Grants and Training and TSA have begun to assess the
risks facing the passenger rail system. However, we reported in September
2005 that TSA had not completed a comprehensive risk assessment of
passenger rail. We found that, until TSA does so, the agency may be
limited in its ability to prioritize passenger rail assets and help guide
security investments. We also reported that DHS had begun, but not yet
completed, a framework to help agencies and the private sector develop a
consistent approach for analyzing and comparing risks among and across
critical sectors. Since that time, TSA has reported taking additional
steps to assess the risks to the passenger rail system. However, TSA has
not yet issued the required Transportation Sector Specific Plan and
supporting plans for passenger rail and other surface transportation
modes, based on risk assessments. Until TSA does so, the agency lacks a
clearly communicated strategy with goals and objectives for securing the
transportation sector, including passenger rail.

After September 11, DOT initiated efforts to strengthen passenger rail
security. TSA has also taken actions to strengthen rail security,
including issuing security directives, testing security technologies, and
issuing a proposed rule for passenger and freight rail security, among
other efforts. However, federal and rail industry stakeholders have
questioned the extent to which TSA's directives were based on industry
best practices. TSA has also taken steps to strengthen coordination with
DOT and develop partnerships with industry stakeholders. DHS and DOT have
updated their memorandum of understanding to clarify their respective
security roles and responsibilities for passenger rail. TSA also
established an Office of Transportation Sector Network Management and
offices for each transportation mode to develop security policies and work
to strengthen industry partnerships for passenger rail and other surface
modes.

U.S. and foreign passenger rail operators GAO visited have also taken
actions to secure their rail systems. Most had implemented customer
security awareness programs, increased security personnel, increased the
use of canines to detect explosives, and enhanced employee training
programs. GAO also observed security practices among foreign passenger
rail systems that are not currently used by U.S. rail operators or by the
U.S. government, which could be considered for use in the U.S. For
example, some foreign rail operators randomly screen passengers or use
covert testing to help keep employees alert to security threats. While
introducing these security practices in the U.S may pose political, legal,
fiscal, and cultural challenges, they warrant further examination. TSA has
also reported taking steps to identify foreign best practices for rail
security and working to develop a clearinghouse of security technologies.

References

Visible links
  23. file:///home/webmaster/infomgt/d07459t.htm#http://www.gao.gov/cgi-bin/getrpt?GAO-05-851
  24. file:///home/webmaster/infomgt/d07459t.htm#http://www.gao.gov/cgi-bin/getrpt?GAO-03-843
  25. file:///home/webmaster/infomgt/d07459t.htm#http://www.gao.gov/new.items/d07225t.pdf
  26. file:///home/webmaster/infomgt/d07459t.htm#http://www.gao.gov/new.items/d07225t.pdf
  27. file:///home/webmaster/infomgt/d07459t.htm#http://www.gao.gov/cgi-bin/getrpt?GAO-06-557T
  28. file:///home/webmaster/infomgt/d07459t.htm#http://www.gao.gov/cgi-bin/getrpt?GAO-06-181T
  29. file:///home/webmaster/infomgt/d07459t.htm#http://www.gao.gov/cgi-bin/getrpt?GAO-05-851
  30. file:///home/webmaster/infomgt/d07459t.htm#http://www.gao.gov/cgi-bin/getrpt?GAO-05-357T
  31. file:///home/webmaster/infomgt/d07459t.htm#http://www.gao.gov/cgi-bin/getrpt?GAO-04-598T
  32. file:///home/webmaster/infomgt/d07459t.htm#http://www.gao.gov/cgi-bin/getrpt?GAO-03-1154T
  33. file:///home/webmaster/infomgt/d07459t.htm#http://www.gao.gov/cgi-bin/getrpt?GAO-03-843
  34. file:///home/webmaster/infomgt/d07459t.htm#http://www.gao.gov/cgi-bin/getrpt?GAO-03-435
  35. file:///home/webmaster/infomgt/d07459t.htm#http://www.gao.gov/cgi-bin/getrpt?GAO-03-616T
  36. file:///home/webmaster/infomgt/d07459t.htm#http://www.gao.gov/cgi-bin/getrpt?GAO-03-263
  37. file:///home/webmaster/infomgt/d07459t.htm#http://www.gao.gov/cgi-bin/getrpt?GAO-02-1075T
  38. file:///home/webmaster/infomgt/d07459t.htm#http://www.gao.gov/
  39. file:///home/webmaster/infomgt/d07459t.htm#http://www.gao.gov/
  40. file:///home/webmaster/infomgt/d07459t.htm#http://www.gao.gov/fraudnet/fraudnet.htm
  41. file:///home/webmaster/infomgt/d07459t.htm#mailto:[email protected]
  42. file:///home/webmaster/infomgt/d07459t.htm#mailto:[email protected]
  43. file:///home/webmaster/infomgt/d07459t.htm#mailto:[email protected]
  44. file:///home/webmaster/infomgt/d07459t.htm#http://www.gao.gov/cgi-bin/getrpt?GAO-07-459T
  45. file:///home/webmaster/infomgt/d07459t.htm#http://www.gao.gov/cgi-bin/getrpt?GAO-07-459T
*** End of document. ***