Security Training for Surface Transportation Employees, 91336-91401 [2016-28298]
Download as PDFAgencies
[Federal Register Volume 81, Number 242 (Friday, December 16, 2016)] [Proposed Rules] [Pages 91336-91401] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2016-28298] [[Page 91335]] Vol. 81 Friday, No. 242 December 16, 2016 Part III Book 2 of 2 Books Pages 91335-91642 Department of Homeland Security ----------------------------------------------------------------------- Transportation Security Administration ----------------------------------------------------------------------- 49 CFR Ch. XII and Parts 1500, 1520, et al. Security Training for Surface Transportation Employees and Surface Transportation Vulnerability Assessments and Security Plans (VASP); Proposed Rules ��Federal Register / Vol. 81 , No. 242 / Friday, December 16, 2016 / Proposed Rules�� [[Page 91336]] ----------------------------------------------------------------------- DEPARTMENT OF HOMELAND SECURITY Transportation Security Administration 49 CFR Parts 1500, 1520, 1570, 1580, 1582, and 1584 [Docket No. TSA-2015-0001] RIN 1652-AA55 Security Training for Surface Transportation Employees AGENCY: Transportation Security Administration, DHS. ACTION: Notice of proposed rulemaking (NPRM). ----------------------------------------------------------------------- SUMMARY: The Transportation Security Administration (TSA) is proposing to require security training for employees of higher-risk freight railroad carriers, public transportation agencies (including rail mass transit and bus systems), passenger railroad carriers, and over-the- road bus (OTRB) companies. Owner/operators of these higher-risk railroads, systems, and companies would be required to train employees performing security-sensitive functions, using a curriculum addressing preparedness and how to observe, assess, and respond to terrorist- related threats and/or incidents. As part of this rulemaking, TSA would also expand its current requirements for rail security coordinators and reporting of significant security concerns (currently limited to freight railroads, passenger railroads, and the rail operations of public transportation systems) to include the bus components of higher- risk public transportation systems and higher-risk OTRB companies. TSA also proposes to make the maritime and land transportation provisions of TSA's regulations consistent with other TSA regulations by codifying general responsibility to comply with security requirements; compliance, inspection, and enforcement; and procedures to request alternate measures for compliance. Finally, TSA is adding a definition for Transportation Security-Sensitive Materials (TSSM). Other provisions are being amended or added, as necessary, to implement these additional requirements. While TSA will review and consider all comments submitted, TSA invites responses to a number of specific questions posed in the preamble of the NPRM. See the Comments Invited section under SUPPLEMENTARY INFORMATION that follows. DATES: Submit comments by March 16, 2017. ADDRESSES: You may submit comments, identified by the TSA docket number to this rulemaking, to the Federal Docket Management System (FDMS), a government-wide, electronic docket management system, using any one of the following methods: Electronically: You may submit comments through the Federal eRulemaking portal at https://www.regulations.gov. Follow the online instructions for submitting comments. Mail, In Person, or Fax: Address, hand-deliver, or fax your written comments to the Docket Management Facility, U.S. Department of Transportation, 1200 New Jersey Avenue SE., West Building Ground Floor, Room W12-140, Washington, DC 20590-0001; Fax 202-493-2251. The Department of Transportation (DOT), which maintains and processes TSA's official regulatory dockets, will scan the submission and post it to FDMS. See SUPPLEMENTARY INFORMATION for format and other information about comment submissions. FOR FURTHER INFORMATION CONTACT: Harry Schultz (TSA Office of Security Policy and Industry Engagement) or Traci Klemm (TSA Office of the Chief Counsel) at telephone (571) 227-5563 or email to SecurityTrainingPolicy@tsa.dhs.gov. SUPPLEMENTARY INFORMATION: Comments Invited TSA invites interested persons to participate in this rulemaking by submitting written comments, data, or views. We also invite comments relating to the economic, environmental, energy, or federalism impacts that might result from this rulemaking action. See ADDRESSES above for information on where to submit comments. With each comment, please identify the docket number at the beginning of your comments. TSA encourages commenters to provide their names and addresses. The most helpful comments reference a specific portion of the rulemaking, explain the reason for any recommended change, and include supporting data. You may submit comments and material electronically, in person, by mail, or fax as provided under ADDRESSES, but please submit your comments and material by only one means. If you submit comments by mail or delivery, submit them in an unbound format, no larger than 8.5 by 11 inches, suitable for copying and electronic filing. If you want TSA to acknowledge receipt of comments submitted by mail, include with your comments a self-addressed, stamped postcard on which the docket number appears. We will stamp the date on the postcard and mail it to you. TSA will file in the public docket all comments TSA receives, except for comments containing confidential information and Sensitive Security Information (SSI).\1\ TSA will consider all comments received on or before the closing date for comments and will consider comments filed late to the extent practicable. The docket is available for public inspection before and after the comment closing date. --------------------------------------------------------------------------- \1\ ``Sensitive Security Information'' or ``SSI'' is information obtained or developed in the conduct of security activities, the disclosure of which would constitute an unwarranted invasion of privacy, reveal trade secrets or privileged or confidential information, or be detrimental to the security of transportation. The protection of SSI is governed by 49 CFR parts 15 and 1520. --------------------------------------------------------------------------- NPRM Specific Questions While TSA will review and consider all comments submitted, TSA invites responses to the following five specific questions: (1) The preferred avenue to submit security training programs to TSA, such as through email, secure Web site, or mailing address. (2) TSA is proposing to use accumulated days of employment as one of the factors triggering whether an employee must be trained and requests comment specifically on how to calculate accumulated days and to ensure contractors are not used to avoid the requirements of this proposed rule. (3) The use of previous training to satisfy requirements in the proposed rule. (4) Options for harmonizing the proposed training schedule with existing training schedules and for adding efficiencies with other relevant regulatory requirements, including identification of any laws, regulations, or orders not identified by TSA that commenters believe would conflict with the provisions of the proposed rule. (5) Options for ensuring training is effective in the absence of proficiency standards. For example, the proposed rule does not prescribe conditions for a pass/fail policy that may be associated with post-training testing, nor recommending a specified maximum number of times that an individual may take a test or evaluation to demonstrate knowledge and competency. Handling of Confidential or Proprietary Information and Sensitive Security Information (SSI) Submitted in Public Comments Do not submit comments that include trade secrets, confidential commercial [[Page 91337]] or financial information, or SSI to the public regulatory docket. Please submit such comments separately from other comments on the rulemaking. Comments containing this type of information must be appropriately marked as containing such information and submitted by mail to the address listed in FOR FURTHER INFORMATION CONTACT section. TSA will not place comments containing SSI in the public docket, but will handle them in accordance with applicable safeguards and restrictions on access. TSA will hold documents containing SSI, confidential business information, or trade secrets in a separate file to which the public does not have access, and place a note in the public docket that TSA has received such materials from the commenter. If TSA determines, however, that portions of these comments may be made publicly available, TSA may include a redacted version of the comment in the public docket. If TSA receives a request to examine or copy information that is not in the public docket, TSA will treat it as any other request under the Freedom of Information Act (FOIA) (5 U.S.C. 552) and FOIA regulation of the Department of Homeland Security (DHS) found in 6 CFR part 5. Reviewing Comments in the Docket Please be aware that anyone is able to search the electronic form of all comments in any of our dockets by the name of the individual who submitted the comment (or signed the comment, if submitted on behalf of an association, business, labor union, etc.). You may review the applicable Privacy Act Statement published in the Federal Register on April 11, 2000 (65 FR 19477) and modified on January 17, 2008 (73 FR 3316), or you may visit https://DocketsInfo.dot.gov. You may review TSA's electronic public docket on the Internet at https://www.regulations.gov. In addition, DOT's Docket Management Facility provides a physical facility, staff, equipment, and assistance to the public. To obtain assistance or to review comments in TSA's public docket, you may visit this facility between 9:00 a.m. and 5:00 p.m., Monday through Friday, excluding legal holidays, or call (202) 366-9826. This docket operations facility is located in the West Building Ground Floor, Room W12-140 at 1200 New Jersey Avenue SE., Washington, DC 20590. Availability of Rulemaking Document An electronic copy can be obtained using the Internet by-- (1) Searching the electronic Federal Docket Management System (FDMS) Web page at https://www.regulations.gov; (2) Accessing the Government Printing Office's Web page at https://www.gpo.gov/fdsys/browse/collection.action?collectionCode=FR to view the daily published Federal Register edition; or accessing the ``Search the Federal Register by Citation'' in the ``Related Resources'' column on the left, if you need to do a Simple or Advanced search for information, such as a type of document that crosses multiple agencies or dates. In addition, copies are available by writing or calling the individual in the FOR FURTHER INFORMATION CONTACT section. Make sure to identify the docket number of this rulemaking. Abbreviations and Terms Used in This Document AAR--Association of American Railroads ABA--American Bus Association Amtrak--National Railroad Passenger Corporation APTA--American Public Transportation Association CD--Compact Disc CCTV--Closed-Circuit Television CFATS--Chemical Facility Anti-Terrorism Standards CFATS EAP--Expedited Approval Program for the CFATS program CFATS RBPS--Risk-Based Performance Standards of the CFATS program CFATS SSP--Site Specific Plans part of the CFATS program DHS--Department of Homeland Security DIF--Difficulty-Importance-Frequency EOD--Explosives Ordinance Disposal FMCSA--Federal Motor Carrier Safety Administration FRA--Federal Railroad Administration FTA--Federal Transit Administration GAO--U.S. Government Accountability Office GCC--Government Coordinating Council HMR--Hazardous Materials Regulations HSA--Homeland Security Act of 2002 HTUA--High Threat Urban Area IED--Improvised Explosive Device IFR--Interim Final Rule IRFA--Initial Regulatory Flexibility Analysis MOU--Memorandum of Understanding NCTC--National Counterterrorism Center NSI--Nationwide Suspicious Activity Reporting (SAR) Initiative OAs--Oversight Agencies OMB--Office of Management and Budget OTRB--Over-the-Road Bus PAG--Transit Policing and Security Peer Advisory Group PHMSA--Pipeline and Hazardous Materials Safety Administration PRA--Paperwork Reduction Act of 1995 PTPR--Public Transportation and Passenger Railroads RFA--Regulatory Flexibility Act of 1980 RIA--Regulatory Impact Analysis RSC--Rail Security Coordinator RSSM--Rail Security-Sensitive Material SBA--Small Business Administration SCC--Sector Coordinating Council SMS--Safety Management System SSI--Sensitive Security Information TIH--Toxic Inhalation Hazard TSA--Transportation Security Administration TSGP--Transit Security Grant Program TSSM--Transportation Security Sensitive Material UASI--Urban Area Security Initiative UMRA--Unfunded Mandates Reform Act of 1995 VBIED--Vehicle-Borne Improvised Explosive Device Table of Contents I. Executive Summary II. Background A. Context and Purpose B. Statutory Authorities C. Rule Organization III. Proposed Rule A. Amendments to Part 1500 1. General Terms 2. Transportation Security-Sensitive Materials B. Amendments to Part 1503 C. Amendments to Part 1520 D. Amendments to Part 1570 1. Overview of changes and structure 2. Subpart A--General 3. Subpart B--Security Programs 4. Subpart C--Operations 5. Subpart D--Security Threat Assessments E. Security-Sensitive Employees (Sec. Sec. 1580.3, 1582.3, and 1584.3) F. Security Programs--Applicability (Sec. Sec. 1580.301, 1582.301, and 1584.301) 1. Freight Railroads 2. Public Transportation and Passenger Railroads 3. Over-the-Road Buses 4. Foreign Owner/Operators 5. Preemption G. Security Program General Requirements (Sec. Sec. 1580.113, 1582.113, and 1584.113) 1. Information About the Owner/Operator 2. Information on How Training Will Be Provided 3. Ensuring Supervision of Untrained Employees and Providing Notice of Changes Affecting Training 4. Methods for Determining Effectiveness of Training 5. Relation to Other Training H. Security Training and Knowledge for Security-Sensitive Employees (Sec. Sec. 1580.115, 1582.115 and 1584.115) 1. Training Required for Security-Sensitive Employees 2. Limits on Use of Untrained Employees 3. Knowledge Required I. Other Security Training Programs 1. Federal Railroad Administration Safety Training Requirements 2. Federal Transit Administration Safety Requirements 3. OTRB Safety Requirements 4. Hazardous Materials Regulations a. Overlap With DOT Regulations Regarding Transportation of Hazardous Materials b. Inspections and Enforcement c. Overlap With Other DHS Regulations J. Training Resources K. Programmatic Alternatives [[Page 91338]] IV. Stakeholder Consultations A. Multi-Modal Outreach B. Freight Rail C. Public Transportation and Passenger Rail D. Over-the-Road Buses E. Labor Unions V. Rulemaking Analyses and Notices A. Paperwork Reduction Act B. Economic Impact Analyses 1. Regulatory Impact Analysis Summary 2. Executive Orders 12866 and 13563 Assessments 3. OMB A-4 Statement 4. Alternatives Considered 5. Regulatory Flexibility Assessment 6. International Trade Impact Assessment 7. Unfunded Mandates Assessment C. Executive Order 13132, Federalism D. Environmental Analysis E. Energy Impact Analysis I. Executive Summary Purpose of the Regulatory Action The purpose of this proposed rule is to solidify the enhanced baseline of security for higher-risk surface transportation operations by improving and sustaining the capability of employees to observe, assess, and respond to security risks and potential security breaches. These critical capabilities include identifying, reporting, and appropriately reacting to suspicious activity, suspicious items, dangerous substances, and security incidents that may be associated with terrorist reconnaissance, preparation, or action. The proposed requirements specifically apply to training employees performing security-sensitive job functions for higher-risk public transportation systems, railroad carriers (passenger and freight), and OTRB owner/ operators. Preparing and training these employees to observe, assess, and respond to anomalies, threats, and incidents within their unique working environment may be the critical point for preventing a terrorist act and mitigating the consequences. Since its creation following the attacks of September 11, 2001, TSA has had statutory authority to assess a security risk for any mode of transportation, develop security measures for dealing with that risk, and enforce compliance with those measures.\2\ This includes broad regulatory authority, which enables TSA to issue, rescind, and revise regulations as necessary to carry out its transportation security functions.\3\ As part of the Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Act),\4\ Congress mandated that DHS use its authority to issue regulations and included in the statute minimum requirements for employees to be trained, subjects of training, and procedures for the submission and approval of training programs.\5\ As part of this mandate, the 9/11 Act also requires higher-risk railroads and OTRBs to appoint security coordinators.\6\ This NPRM would propose to implement those provisions. --------------------------------------------------------------------------- \2\ See Section 101 of the Aviation and Transportation Security Act (ATSA), Public Law 107-71, 115 Stat. 597 (Nov. 19, 2001), codified at 49 U.S.C. 114 (ATSA created TSA and established the agency's primary federal role to enhance security for all modes of transportation). Section 403(2) of the Homeland Security Act of 2002 (HSA), Public Law 107-296, 116 Stat. 2135 (Nov. 25, 2002), transferred all functions related to transportation security, including those of the Secretary of Transportation and the Under Secretary of Transportation for Security, to the Secretary of Homeland Security. Pursuant to DHS Delegation Number 7060.2, the Secretary delegated to the Administrator, subject to the Secretary's guidance and control, the authority vested in the Secretary with respect to TSA, including that in sec. 403(2) of the HSA. \3\ 49 U.S.C. 114(l)(1). \4\ Public Law 110-53, 121 Stat. 266 (Aug. 3, 2007). \5\ See secs. 1408, 1517, and 1534 of the 9/11 Act, codified at 6 U.S.C. 1137, 1167, and 1184, respectively. For the remainder of this NPRM, TSA will refer to the codified section numbers. \6\ See secs. 1512 and 1181 of the 9/11 Act, codified at 6 U.S.C. 1162 and 1181, respectively. TSA addresses 6 U.S.C 1162(e)(1)(A) and 1181(e)(1)(A) in this rulemaking. TSA intends to address the other regulatory requirements of these provisions in separate rulemakings. --------------------------------------------------------------------------- Summary of the Major Provisions As discussed in section III.F. of this NPRM, TSA is proposing to apply the requirements to higher-risk operations, based on mode- specific assessments of risk. Based on these assessments, the requirements would apply to:Class I freight railroad carriers, railroads transporting Rail Security-Sensitive Materials (RSSMs) through identified High Threat Urban Areas (HTUAs) (applying those terms as defined in current 49 CFR 1580.3), and railroads that host other higher-risk rail operations. This would cover approximately 36 railroads. Public transportation and passenger railroads (PTPRs) operating in the eight regions with the highest transit-specific risk. This would cover approximately 46 systems. The National Railroad Passenger Corporation (Amtrak), an intercity passenger railroad. OTRB owner/operators providing fixed-route service (also referred to as regular route or scheduled service) to/through/from the highest-risk urban areas. This would cover approximately 202 OTRB owner/operators. This NPRM proposes requiring the entities listed above to: Develop security training programs to enhance and sustain the capability of their security-sensitive employees to observe, assess, and respond to security incidents as well as to have the training necessary to implement their specific responsibilities in the event of a security incident. Submit the required security training program to TSA for review and approval. Implement the security training program and ensure all existing and new security-sensitive employees complete the required security training within the specified timeframes for initial and recurrent training. Maintain records demonstrating compliance and make the records available to TSA upon request for inspection and copying. Appoint security coordinators and alternates-who will be accessible to TSA 24 hours per day, 7 days per week-and transmit contact information for those individuals to TSA (an extension of current 49 CFR part 1580 requirements). Report significant security incidents or concerns to TSA (an extension of current 49 CFR part 1580 requirements). Review and update security training programs as necessary to address changing security measures or conditions. The proposed rule would also amend 49 CFR part 1500 to streamline definitions for TSA's regulation and would add a definition of Transportation Security-Sensitive Materials (TSSMs). Proposed revisions to 49 CFR parts 1503 and 1520 would conform references and provisions related to enforcement and handling of SSI to the expanded scope of security requirements in the proposed rule. The most significant proposed revisions are found in subchapter D of chapter XII of title 49. This subchapter would be retitled ``Maritime and Surface Transportation Security,'' reorganized, and expanded to include the proposed security program requirements. The general rules for subchapter D would continue to be in part 1570, but reorganized and expanded to address the new requirements proposed in this rule. This NPRM also proposes to add a new section (1570.7) to make it clear that owner/operators, employees, contractors, and other persons can be held liable for violating TSA's regulations. A similar provision is part of TSA's aviation-related regulations and adding it to subchapter D ensures consistency in enforcement across all modes of transportation. This provision is further discussed in section III.D.2 of this NPRM. Some provisions currently limited to railroads under part 1580 would be [[Page 91339]] moved and revised to address the additional modes, such as provisions related to ``compliance, inspection, and enforcement.'' This necessitates reorganization and minor revisions to current part 1580. The impact of the proposed rule on the organization and scope of current 49 CFR part 1580 is discussed in section II.C. of this NPRM. The following table (Table 1) provides a summary of the requirements and their applicability (distinguishing between current requirements/ applicability and proposed requirements/applicability). Table 1--Summary of Proposed Requirements [Current 49 CFR part 1580 requirements incorporated into this NPRM are indicated with an ``X''; proposed requirements are indicated with a ``P''] -------------------------------------------------------------------------------------------------------------------------------------------------------- Protecting Reporting Inspection sensitive Security security authority (Sec. security coordinator incidents (Sec. Security 1570.9) information (Sec. 1570.203) training \1\ (part 1520) 1570.201) -------------------------------------------------------------------------------------------------------------------------------------------------------- Freight railroad carriers.......................................... X X X X P Rail hazardous materials shippers.................................. X X X X ............... Rail hazardous materials receivers in HTUAs........................ X X X X ............... Owner/operators of private rail cars............................... X X X X ............... Host railroads of freight or PTPR rail operations within scope of X X X X P rule.............................................................. PTPR operating rail transit systems on general railroad system, X X X X \2\ P intercity passenger train service, and commuter train services.... PTPR operating rail transit systems not part of general railroad X X X X \2\ P system............................................................ Tourist, scenic, historic, and excursion rail owner/operators...... X X X X ............... PTPR operating bus transit or commuter bus systems in designated P P P P P areas............................................................. OTRB owner/operators providing fixed-route service in designated P P P P P areas............................................................. -------------------------------------------------------------------------------------------------------------------------------------------------------- \1\ 49 CFR part 1570, Subpart B (Security Programs); 49 CFR part 1580, Subpart B--Employee Security Training (freight railroads); 49 CFR part 1582, Subpart B--Employee Security Training (PTPR); and 49 CFR part 1584, Subpart B--Employee Security Training (OTRBs). \2\ If Amtrak, or listed in proposed part 1582, Appendix A (a public transportation system, or part of a public transportation system). Costs and Benefits TSA estimates the overall cost of this proposed rule is $157.27 million over 10 years discounted at 7 percent. TSA estimates the cost of this proposed rule by the 4 affected parties (all costs are 10 years at 7 percent): For freight railroads the rule would cost a total of $90.74 million, for PTPR the cost is $53.14 million, for OTRB the cost is $12.08 million, and for TSA the cost is $1.31 million. The proposed rule, if finalized, would enhance surface transportation security by reducing vulnerability to terrorist attacks in four different ways. First, the surface transportation employees in each of the three covered modes would be trained to identify security vulnerabilities. Second, these surface transportation employees would be better trained to recognize potentially threatening behavior and properly report that information. Third, these surface employees would be trained to respond to incidents, thereby mitigating the consequences of an attack. Finally, the covered surface transportation owner/ operators would be required to report significant security concerns to TSA so that TSA can analyze potential threats across all modes. This analysis reflects information obtained through a Notice published in the Federal Register in 2013 \7\ (2013 Notice). Through that Notice, TSA requested data needed to provide a more accurate understanding of the existing baseline and potential costs associated with the proposed rule. In particular, TSA requested information regarding programs currently implemented--whether as a result of regulatory requirements, grant requirements, in anticipation of a rule, voluntary, or otherwise--and the costs associated with those training programs. --------------------------------------------------------------------------- \7\ 78 FR 35945 (June 14, 2013). --------------------------------------------------------------------------- II. Background A. Context and Purpose Surface transportation systems--including public transportation systems, intercity and commuter passenger railroads, freight railroads, intercity buses, and related infrastructure--are vital to our economy and essential to national security.\8\ The potential for a terrorist attack exists at each stage of moving people, goods, and services throughout the Nation. --------------------------------------------------------------------------- \8\ Surface Transportation and Rail Security Act of 2007, report of the Senate Committee on Commerce, Science, and Transportation at 2 (S. Rept. 110-29, Mar. 1, 2007), quoting Executive Order (E.O.) 13416 (Dec. 5, 2006), published at 71 FR 71033 (Dec. 7, 2006). --------------------------------------------------------------------------- Recent attacks indicate the risk of terrorist attack to surface transportation. On August 21, 2015, there was an attempted mass shooting on a packed high-speed train bound for Paris from Amsterdam.\9\ Metropolitan Police treated a December 5, 2015, knife attack in a London public transportation station as a terrorist incident.\10\ There have been other documented terrorist attacks targeting surface transportation, including the attack in Madrid, Spain, on March 11, 2004, in which terrorists attacked four commuter trains using 10 improvised explosive devices (IED) that exploded near- simultaneously and resulted in the deaths of 191 people and injury to more than 1,800 people.\11\ In July 2005, four coordinated suicide bombings occurred, three on separate trains through London Underground stations and the fourth on a double- [[Page 91340]] decker bus, killed 52 people.\12\ In July 2008, a group linked to Lashkar-e-Tayyiba attacked Mumbai's Western Railway Line with seven IEDs during evening commute hours, killing 183 people.\13\ In November 2008, this group committed another coordinated attack that included shooting and bombing operations at several targets--including a train station--and killed a total of 164 people.\14\ More recently, U.S. news media reported that the Federal Bureau of Investigation (FBI) uncovered a plot to attack the PATH commuter rail system serving New York and New Jersey in mid-2006.\15\ These previous events highlight the magnitude of the deadly consequences that an attack on surface transportation could have. --------------------------------------------------------------------------- \9\ See Michael Birnbaum, ``A change of seats for 3 Americans led to saved lives on Paris-bound train,'' Washington Post (Aug. 24, 2015), available at https://www.washingtonpost.com/world/as-french-train-suspect-is-interrogated-questions-mount-on-europes-security/2015/08/23/088ff2fe-4923-11e5-9f53-d1e3ddfd0cda_story.html. \10\ See BBC, ``Leytonstone Tube station stabbing a `terrorist incident' '' (Dec. 6, 2015), available at https://www.bbc.com/news/uk-35018789. \11\ Encyclopedia Britannica, ``Madrid train bombings of 2004'' (May 19, 2013), available at https://www.britannica.com/event/Madrid-train-bombings-of-2004. \12\ CNN, ``July 7 2005 London Bombings Fast Facts'' (updated June 29, 2016, 9:44 a.m.), available at https://www.cnn.com/2013/11/06/world/europe/july-7-2005-london-bombings-fast-facts/. \13\ Bureau of Diplomatic Security, ``India 2013 Crime and Safety Report: Mumbai'' (March 5, 2013), available at https://www.osac.gov/pages/ContentReportDetails.aspx?cid=13701. \14\ CNN, ``Mumbai Terror Attacks Fast Facts'' (updated Nov. 4, 2015, 11:57 a.m.), available at https://www.cnn.com/2013/09/18/world/asia/mumbai-terror-attacks/. \15\ Mary Frost, ``NYC subways targeted in ISIS terror plot-- NYPD, FBI evaluating threat level,'' Brooklyn Daily Eagle (Sept. 25, 2014), available at https://www.brooklyneagle.com/articles/2014/9/25/nyc-subways-targeted-isis-terror-plot-nypd-fbi-evaluating-threat-level. --------------------------------------------------------------------------- As part of its ongoing communications with stakeholders, TSA has alerted owner/operators affected by this proposed rule to transportation-related threats and has worked with many of them to review and recognize potential vulnerabilities to their operations. The impact that security training can have on these operations was recognized by Congress when it mandated, and provided detailed requirements for, security training regulations as part of the 9/11 Act.\16\ --------------------------------------------------------------------------- \16\ Public Law 110-53, 121 Stat. 266 (Aug. 3, 2007). --------------------------------------------------------------------------- TSA recognizes that the owner/operators of surface transportations systems, both public and private, are principally responsible for the safety and security of the people using their services. As noted in Presidential Policy Directive/PPD-21, ``Critical Infrastructure Security and Resilience:'' The Nation's critical infrastructure is diverse and complex. It includes distributed networks, varied organizational structures and operating models (including multinational ownership), interdependent functions and systems in both the physical space and cyberspace, and governance constructs that involve multi-level authorities, responsibilities, and regulations. Critical infrastructure owners and operators are uniquely positioned to manage risks to their individual operations and assets, and to determine effective strategies to make them more secure and resilient.\17\ --------------------------------------------------------------------------- \17\ PPD-21 (Feb. 12, 2013) (emphasis added). Surface transportation employees--the people who provide and support these services--are a critical resource for protecting passengers and the transportation infrastructure. As a result of TSA's programmatic efforts, as well as awareness of the requirements of the 9/11 Act, many owner/operators of higher-risk surface transportation operations have voluntarily implemented security training programs that address some of the requirements of this proposed rule. As noted in the economic analysis for this rulemaking, however, the private market may not provide adequate incentives for owner/operators to make a socially optimal investment in the full range of measures that would reduce the probability of a successful terrorist attack based on the economics of externalities. (Externalities are costs or benefits from an economic transaction experienced by parties ``external'' to the transaction.) Specifically, for surface mode owner/ operators, the total consequences of an attack or other security incident to society may be greater than what would be suffered by the individual owner/operator of the infrastructure or facility. Without ignoring the voluntary efforts of owner/operators to increase the baseline of their security, including by providing security training, TSA also recognizes a firm normally would not choose to make an investment in security over its privately optimal amount in a competitive market place, since such an investment would increase the firm's cost of production, placing it at a disadvantage when competing with companies that have not chosen to make a similar investment in security. Focusing on the higher-risk operations and frontline employees (defined in the rule as those performing security-sensitive functions), this proposed rule would close gaps in the scope or breadth of training provided as part of voluntary efforts. To the extent resource and economic considerations could cause this voluntary commitment to abate in the future, this proposed rule, when finalized, should solidify these efforts and commitment to security training. Thus, the purpose of this proposed rule is to solidify a baseline of security training for surface transportation by enhancing and sustaining the capability of frontline employees for higher-risk public transportation systems, railroad carriers (passenger and freight), and OTRB owner/operators to observe, assess, and respond to security risks and potential security breaches. These critical capabilities include identifying, reporting, and appropriately reacting to suspicious activity, suspicious items, dangerous substances, and security incidents that may be associated with terrorist reconnaissance, preparation, or action. An employee who is prepared and trained to observe, assess, and respond may be the critical point for preventing a terrorist act. Security awareness training is an important and effective tool to enhance an employee's ability to detect and deter attacks by terrorists or others--particularly those with malicious intent to target surface transportation or use vehicles as delivery systems for weapons of mass destruction. Well-trained employees can serve as security force- multipliers. Their familiarity with the facilities and operating environments of their specific transportation systems makes them especially effective at recognizing situations and conditions that may pose a threat to the safety and security of passengers, cargo, and transportation infrastructure. Employees who are prepared to execute their security-related responsibilities and trained to observe, assess, and respond bring an informed vigilance to their daily responsibilities. They are more capable of identifying and making timely reports to support inquiry by law enforcement and security personnel, increasing the potential for detection or disruption of terrorist planning, preparations, and observations. In the event an incident does occur, employees who understand their roles and responsibilities under the owner/operator's security planning and response documents are better prepared to initiate timely responsive actions to mitigate consequences and work with first responders. This rulemaking is part of TSA's commitment to risk-based security and how it implicates policy decisions, resource commitments, and expectations. Passengers traveling through a higher-risk area or system (whether by bus or train) should be able to expect the same level of security regardless of the carrier. Communities in HTUAs should expect that the freight trains carrying RSSM \18\ are operated by employees with a common baseline of security training, regardless of who owns or operates the train. The result is [[Page 91341]] a proposed rule that bases applicability primarily on the location where the transportation is operated (rather than constructs of ownership) and scope of employees to be trained on the functions they perform (rather than titles in position descriptions). --------------------------------------------------------------------------- \18\ As previously noted, TSA is not proposing to modify these terms as defined in current 49 CFR 1580.3. --------------------------------------------------------------------------- For these reasons, TSA proposes this regulation requiring owner/ operators to implement employee security training programs for employees serving in security-sensitive positions in higher-risk operations. TSA explains aspects of the proposed rule more fully in section III of this NPRM. B. Statutory Authorities The security of the Nation's transportation systems is vital to the economic health and security of the United States. Ensuring transportation security while promoting the movement of legitimate travelers and commerce is a critical counter-terrorism mission assigned to TSA. Since its creation following the attacks of September 11, 2001, TSA has had broad statutory authority to assess a security risk for any mode of transportation, develop security measures for dealing with that risk, and enforce compliance with those measures.\19\ This includes broad regulatory authority, which enables TSA to issue, rescind, and revise regulations as necessary to carry out its transportation security functions.\20\ --------------------------------------------------------------------------- \19\ See supra, n. 2. \20\ 49 U.S.C. 114(l)(1). --------------------------------------------------------------------------- Congress has determined that a regulation is necessary for owner/ operators of public transportation systems, passenger railroads, freight railroads, and OTRBs to provide security training to their frontline employees. As part of the 9/11 Act,\21\ Congress mandated that DHS use its authority to issue regulations and included in the statute minimum requirements for employees to be trained, subjects of training, and procedures for the submission and approval of training programs.\22\ This NPRM proposes to implement these provisions. --------------------------------------------------------------------------- \21\ Public Law 110-53, 121 Stat. 266 (Aug. 3, 2007). \22\ See 6 U.S.C. 1137, 1167, and 1184. --------------------------------------------------------------------------- The 9/11 Act includes a requirement to include ``[l]ive situational training exercises'' as part of its security training regulations.\23\ As part of the Homeland Security Exercise and Evaluation Program (HSEEP), DHS describes the benefit of exercises ``to test and validate plans and capabilities.'' \24\ While testing the effectiveness of training is important, the HSEEP focuses on the need to test effectiveness of the overall plan--a process that reveals any weaknesses in training. TSA has determined the intent of requiring exercises would be better met if owner/operators were required to test the effectiveness of their security plans--which would include testing employee understanding and capabilities related to their roles, responsibilities, protocols, and procedures. Therefore, TSA has decided to address this element in a separate rulemaking that will meet related 9/11 Act provisions for security planning.\25\ --------------------------------------------------------------------------- \23\ See 6 U.S.C. 1137(c)(7), 1167(c)(8), and 1184(c)(8). \24\ See DHS, ``Homeland Security Exercise and Evaluation Program (HSEEP)'' (April 2013), available at https://www.fema.gov/media-library-data/20130726-1914-25045-8890/hseep_apr13_.pdf. \25\ See requirements in 6 U.S.C. 1134 (public transportation), 1162 (railroads), and 1181 (OTRBs). --------------------------------------------------------------------------- Finally, the 9/11 Act also requires DHS to define the term ``security-sensitive material'' as it relates to materials transported in commerce that pose ``a significant risk to national security . . . due to the potential use of the material in an act of terrorism.'' \26\ The 9/11 Act states that the term must include specific, identified materials.\27\ TSA has previously identified ``security-sensitive materials'' transported by freight railroad carriers as ``Rail Security-Sensitive Materials'' (RSSM).\28\ As further discussed in section III.A.2 of this NPRM, TSA is proposing materials to be identified as ``Transportation Security-Sensitive Materials (TSSM).'' --------------------------------------------------------------------------- \26\ 6 U.S.C. 1151(13). \27\ Materials to be included are Class 7 radioactive materials, Division 1.1, 1.2, or 1.3 explosives, materials poisonous or toxic by inhalation, including Division 2.3 gases and Division 6.1 materials, and select agents or toxins regulated by the Centers for Disease Control and Prevention under 42 CFR part 73. \28\ See 49 CFR 1580.3 and 1580.100(b). --------------------------------------------------------------------------- C. Rule Organization Implementing requirements in the 9/11 Act for surface transportation regulations necessitates making other changes to TSA's regulations found in title 49 of the CFR. Some of these changes are technical revisions or additions, such as consolidating definitions used in multiple parts of TSA's regulations into part 1500 and adding cross-references to the new regulatory requirements as relevant for investigations (part 1503) and protection of SSI (part 1520). The most significant changes are to subchapter D, which TSA proposes to rename ``Maritime and Surface Transportation Security.'' Subchapter D currently contains requirements related to security threat assessments (STAs) (parts 1570 and 1572) and rail security (1580). TSA is proposing to significantly reorganize and augment parts 1570 and 1580, and add parts 1582 (PTPR) and 1584 (Highway and Motor Carriers). Many portions of the proposed rule are common to PTPR, freight, and OTRB operations. These are included in 49 CFR part 1570. Eliminating duplication of these requirements across multiple sections of TSA's regulations reduces unintended inconsistencies, both now and over time to the extent there are any amendments made to these regulations in the future. Because of these modifications, other organizational changes are being made to part 1570--including moving definitions that have applicability across multiple parts of TSA's regulations to part 1500 (discussed more fully in part III.A of this NPRM) and consolidating provisions related to security threat assessments into a new subpart D. The STA provisions are being moved but are otherwise unmodified. As a result, the substance of these provisions is not part of this notice and comment rulemaking. TSA includes proposed requirements adapted to reflect the unique aspects of each mode in mode-specific parts of 49 CFR Chapter XII, Subchapter D--Maritime and Surface Transportation Security. Part 1580 would be revised to focus on freight railroads. Sections in current part 1580 applicable to PTPR systems would be moved to a new part 1582. TSA also proposes creating a new part 1584, which would include the requirements for OTRB. With the exception of the following, provisions of current 49 CFR part 1580, Rail Transportation Security, applicable to freight railroads would be reorganized without substantive change. TSA proposes to move some provisions to part 1570--this revision would include the security coordinator and reporting requirements (which are being updated and clarified, and extended to include higher-risk buses).\29\ Other provisions, such as ``chain of custody'' provisions for RSSMs, would be reorganized within part 1580 because of this proposed rule. Finally, current Appendix A to part 1580 would be modified to remove outdated references. Table 2 provides a distribution table for changes to current 49 CFR part 1580. To the extent sections are being moved, but not revised, they are not part of this notice and comment rulemaking. --------------------------------------------------------------------------- \29\ These modifications are discussed in section III.C. of this NPRM. [[Page 91342]] Table 2--49 CFR Part 1580 Distribution Table ------------------------------------------------------------------------ Former section New section(s) ------------------------------------------------------------------------ 1580.1.................................... 1570.1, 1580.1, and 1582.1. 1580.3.................................... 1570.3, 1580.3, and 1582.3. 1580.5.................................... 1570.9. 1580.100.................................. 1500.3, 1580.101. 1580.101.................................. 1570.201. 1580.103.................................. 1580.203. 1580.105.................................. 1570.203. 1580.107.................................. 1580.205. 1580.109.................................. 1580.5 and 1582.5. 1580.111.................................. 1580.207. 1580.200.................................. 1582.101. 1580.201.................................. 1570.201. 1580.203.................................. 1570.203. ------------------------------------------------------------------------ III. Proposed Rule A. Amendments to Part 1500 1. General Terms Consistent with the proposed rule's organization, TSA includes proposed definitions for terms relevant to several subchapters of TSA regulations, beyond the requirements of subchapter D, in part 1500. Terms relevant to several parts of subchapter D would be added to Sec. 1570.3. Terms uniquely relevant to each mode would be included in the relevant parts (part 1580 (freight), part 1582 (PTPR), and part 1584 (OTRB)). Many of the proposed definitions are identical, or nearly identical, to definitions codified in current 49 CFR part 1580. Some definitions are taken from the 9/11 Act. Other definitions are derived from existing Federal regulatory programs, particularly programs administered by DOT. A few definitions are based on industry sources. TSA's purpose is to use existing definitions that regulated parties are familiar with to the extent that the definitions are consistent with the 9/11 Act and the purposes of this NPRM. Where no existing definition is appropriate, TSA's subject matter experts developed the definition based upon the generally accepted and known use of terms within each of the modes subject to this proposed regulation. Table 3 provides additional information on the terms that would be added to part 1500. Table 3--Explanation of Proposed Terms and Definitions ------------------------------------------------------------------------ Summary of change Explanation ------------------------------------------------------------------------ Propose modifying definition of This term is used in proposed ``Administrator''. sections regarding procedures for requesting alternative measures or challenges to required modifications. The definition is being updated to reflect TSA's transition to a DHS component. Propose adding a definition for This term is used in the ``Authorized representative''. definition of ``Employee.'' It is intended to ensure that any ``authorized representatives'' performing security-sensitive functions for an owner/ operator receives the required security training, even if they are not considered a direct employee. More information can be found in the discussion of employees required to be trained in preamble section III.E. Propose adding a definition for ``Bus'' This term is used in several other terms defined in this proposed rule. TSA's review of DOT regulations identified several definitions for this term. The definition developed by TSA for the purposes of subchapter D is a composite of DOT's definitions adopted for TSA's purposes. While it is a broad definition on its own, the other terms in which it is used limit its application. Propose adding a definition of ``Bus This term is used as part of transit system''. the scope of what is intended by, and included within, the definition of public transportation. Consistent with the scope of other commuter transit systems, the definition is based upon an explanation of what constitutes ``urban rapid transit service'' in 49 CFR part 209, Appendix A. Propose adding a definition for This term is used as part of ``Commuter bus system''. the scope of what is intended by, and included within, the definition of public transportation. Consistent with the scope of other commuter transit systems, the definition is based upon the Federal Railroad Administration's (FRA's) explanation of ``commuter service'' for rail in 49 CFR part 209, and the Federal Motor Carrier Safety Administration's (FMCSA's) definition of ``commuter service'' in 49 CFR 374.303(g). As part of reorganization of current 49 This term is used as part of CFR part 1580, propose moving the scope of what is intended definition of ``Commuter passenger by, and included within, the train service'' from 49 CFR 1580.3. definition of public transportation. Propose moving definition of ``DHS'' This term has general from 49 CFR 1520.3. applicability to several parts of TSA's regulations beyond the provisions in 49 CFR part 1520. Propose moving definition of ``DOT'' This term has general from 49 CFR 1520.3. applicability to several parts of TSA's regulations beyond the provisions in 49 CFR part 1520. Proposed adding definition for ``Fixed- Used within the scope of OTRB route service''. owner/operators subject to the proposed regulation (see proposed 49 CFR 1570.101 and 1584.1), this term is based on the definition of a fixed- route system found in 49 CFR 37.3. Propose moving definition of ``General Part of reorganization of railroad system of transportation'' current 49 CFR part 1580. This from 49 CFR 1580.3. proposed rule does not change the definition. Propose moving definition of Part of reorganization of ``Hazardous Material'' from 49 CFR current 49 CFR part 1580. This 1580.3. proposed rule does not change the definition. Propose moving definition of ``Heavy Part of reorganization of rail transit'' from 49 CFR 1580.3. current 49 CFR part 1580. This proposed rule does not change the definition. Propose adding a definition of ``Host This term, which is consistent railroad''. with the definition in 49 CFR 236.1003, is used within the scope of this proposed rule relating to operations by railroad carriers. More information can be found in the preamble discussion in section III.F.1. [[Page 91343]] Propose moving definition of Part of reorganization of ``Improvised explosive device (IED)'' current 49 CFR part 1580. This from 49 CFR 1580.3. proposed rule does not change the definition. Propose moving definition of Part of reorganization of ``Intercity passenger train service'' current 49 CFR part 1580. This from 49 CFR 1580.3. proposed rule does not change the definition. Propose moving definition of ``Light Part of reorganization of rail transit'' from 49 CFR 1580.3. current 49 CFR part 1580. This proposed rule does not change the definition. Propose adding a definition of ``Motor Used throughout this proposed vehicle''. rule, TSA has determined that there is no consistent definition of ``motor vehicle'' within federal regulations. TSA has reviewed various DOT regulations and relies primarily on 49 CFR 390.5 for this definition as most applicable to this proposed regulation, choosing a definition that is inclusive with limitations provided in the relevant applicability sections. Propose adding a definition for ``Over- This term, the definition of the-Road Bus (OTRB)''. which is consistent with 6 U.S.C. 1151(4), is used within other definitions and the scope of this proposed rule relating to over-the-road bus owners. More information can be found in the preamble discussion in section III.F.3. Propose moving definition of ``owner/ Used in other definitions and operator'' from 49 CFR 1570.3 and throughout the proposed rule, modifying to eliminate cross-reference the definition of this term is to title 33 of the CFR. a modification of the current definition of ``owner/ operator'' that affects 49 CFR, subchapter D. The modifications remove outdated references to make it the term appropriate for the broader scope of transportation regulated by TSA. Propose moving definition of Part of reorganization of ``Passenger car'' from 49 CFR 1580.3 current 49 CFR part 1580. TSA and adding ``rail'' to the term to is proposing to insert the read, ``passenger rail car''. word ``rail'' between ``passenger'' and ``car'' to avoid any confusion between rail and motor vehicle conveyances. Propose adding a definition of Used both in the scope of ``Passenger railroad carrier''. proposed subpart B of 49 CFR part 1570 (Security Coordinator and Reporting Requirements) and the scope of the training rule (proposed 49 CFR part 1582), this term is also used in the context of host railroad operations. More information can be found in the discussion in III.F.2. The definition is based on the definition for this term found in 49 CFR 239.7. Propose moving definition of Part of reorganization of ``Passenger train'' from 49 CFR 1580.3. current 49 CFR part 1580. This proposed rule does not change the definition. Propose moving definition of ``Private Part of reorganization of rail car'' from 49 CFR 1580.3. current 49 CFR part 1580. This proposed rule does not change the definition. Propose adding a definition of ``Public Used within other terms, this transportation''. definition is based primarily on 49 U.S.C. 5302(14). Where the statute uses a definition that is characterized by what is excluded, TSA's definition focuses on what is included. Propose adding a definition of ``Public This term is used to define the transportation agency''. scope of owner/operators subject to the proposed rule. See proposed subpart B to 49 CFR parts 1570 and 1582. See also the preamble discussion in section III.F.2 for more information. (The 9/11 Act defines a ``public transportation agency'' as a publicly owned operator of public transportation eligible to receive Federal assistance under Chapter 53 of Title 49, United States Code.''). TSA reviewed the requirements of that statute in developing this definition. As noted above, the definition of ``public transportation'' is based on 49 U.S.C. 5302(14). Propose moving definition of ``Rail Part of reorganization of hazardous materials receiver'' from 49 current 49 CFR part 1580. This CFR 1580.3. proposed rule does not change the definition. Propose moving definition of ``Rail Part of reorganization of hazardous materials shipper'' from 49 current 49 CFR part 1580. As CFR 1580.3, with a non-significant proposed, the definition of amendment. ``offers or offeror'' in 49 CFR 1580.3 would be deleted and a reference to the DOT definition for ``person who offers or offeror'' would be incorporated into the definition of ``rail security- sensitive material.'' Propose moving definition of ``Rail Part of reorganization of secure area'' from 49 CFR 1580.3. current 49 CFR part 1580. This proposed rule does not change the definition. Propose moving definition of ``Rail This term has general transit facility'' from 49 CFR 1520.3 applicability to several parts and 1580.3. of TSA's regulations beyond the provisions in 49 CFR part 1520. Propose moving definition of ``Rail Part of reorganization of transit system or `Rail Fixed Guideway current 49 CFR part 1580. This System' '' from 49 CFR 1580.3 to proposed rule does not change proposed 1570.3. the definition. Propose moving definition of ``Railroad Part of reorganization of carrier'' from 49 CFR 1580.3. current 49 CFR part 1580. This proposed rule does not change the definition. Propose moving definition of Part of reorganization of ``Railroad'' from 49 CFR 1580.3 and current 49 CFR part 1580. This modifying it to define ``Railroad proposed rule does not transportation''. significantly change the definition. Propose moving definition of ``Record'' This term has general from 49 CFR 1520.3. applicability to several parts of TSA's regulations beyond the provisions in 49 CFR part 1520. Propose adding definition of This term has general ``Sensitive Security Information applicability to several parts consistent with 49 CFR 1520.3 to of TSA's regulations beyond 1570.3. the provisions in 49 CFR parts 1520 and 1570. Propose moving definition of ``State'' This term has general from 49 CFR 1570.3. applicability to several parts of TSA's regulations beyond the provisions in 49 CFR parts 1520 and 1570. [[Page 91344]] Propose adding definition of The term is used in the context ``Transportation security equipment of the proposed requirement and systems''. for security-sensitive employees to be trained on use of security equipment and systems. See for example, proposed 49 CFR 1580.155(c)(1). TSA's subject matter experts have developed this definition based on their work with the modes in conducting assessments and developing voluntary security action items. Propose moving definition of ``Tourist, Part of the reorganization of scenic, historic, or excursion current 49 CFR part 1580. This operation'' from 49 CFR 1580.3. proposed rule does not change the definition. Propose moving definition of Part of the reorganization of ``Transit'' from 49 CFR 1580.3 with current 49 CFR part 1580. TSA modifications to reflect broader scope proposes modifying this term of this proposed rule. to reflect the multimodal scope of the proposed training rule and have the term apply across all the modes. Propose moving definition of Part of the reorganization of ``Transportation or transport'' from current 49 CFR part 1580. TSA 49 CFR 1580.3 with modifications to proposes modifying this term reflect broader scope of this proposed to reflect the multimodal rule. scope of the proposed training rule and have the term apply across all the modes. Propose moving definition of Part of the reorganization of ``Transportation facility'' from 49 current 49 CFR part 1580. TSA CFR 1580.3 with modifications to proposes modifying this term reflect broader scope of this proposed to reflect the multimodal rule. scope of the proposed training rule and have the term apply across all the modes. Propose adding definition of The definition is included to ``Transportation Security-Sensitive satisfy 9/11 Act requirements. Materials (TSSM)''. See 6 U.S.C. 1151(13). The term is defined in proposed 49 CFR 1570.3. More information can be found in the preamble discussion of the TSSM list in section III.A.2. Propose moving definition of ``TSA'' This term has general from 49 CFR 1520.3. applicability to several parts of TSA's regulations beyond the provisions in 49 CFR part 1520. Propose moving definition of This term is being modified to ``vulnerability assessment'' from 49 streamline terminology rather CFR 1520.3. than enumerating subcategories within each mode. It is being moved to 49 CFR part 1500 as it has relevance beyond the provisions in part 1520. ------------------------------------------------------------------------ 2. Transportation Security-Sensitive Materials The 9/11 Act included a requirement for DHS to define ``security- sensitive material.'' ``Security-sensitive material'' is defined as ``a material, or group or class of material, in a particular amount and form that the Secretary [of Homeland Security], in consultation with the Secretary of Transportation, determines, through rulemaking with opportunity for public comment, poses a significant risk to national security while being transported in commerce due to the potential use of the material in an act of terrorism.'' \30\ TSA has met the requirements of the 9/11 Act related to rail through its definition of RSSMs under current 49 CFR part 1580.\31\ --------------------------------------------------------------------------- \30\ 6 U.S.C. 1151(13). \31\ See 49 CFR 1580.3 and 1580.100(b). See also discussion in 73 FR 72130 at 72134 (Nov. 26, 2008). --------------------------------------------------------------------------- In March of 2010, DOT's Pipeline and Hazardous Materials Safety Administration (PHMSA) issued a final rule: ``Hazardous Materials: Risk-Based Adjustment of Transportation Security Plan Requirements.'' \32\ This PHMSA final rule amended PHMSA's security requirements for hazardous material (hazmat) transportation under 49 CFR part 172 of the Hazardous Material Regulations (HMR),\33\ applicable to freight railroad carriers, motor carriers, and shippers and receivers of hazmat. In addition to amendments to security planning requirements, the PHMSA final rule provided a revised list of hazardous materials for which a security plan is required. DOT worked closely with TSA to align the proposed lists of materials subject to their security programs with ongoing efforts by TSA. The materials considered included certain explosives, compressed gases and flammable liquids, poisonous gases and materials, corrosive materials, radioactive materials, and chemicals listed by the Chemical Weapons Convention. There were also requests to PHMSA to harmonize the list of materials for which security plans are required with the list of materials designated as high consequence dangerous goods for which enhanced security measures are recommended in the United Nations Model Regulations on the Transport of Dangerous Goods (UN Recommendations). Discussions regarding the materials identified in the PHMSA regulations can be found in the preambles to their relevant rulemakings.\34\ --------------------------------------------------------------------------- \32\ 75 FR 10974 (Mar. 9, 2010). Additional information is included in the preamble to the related NPRM. See 73 FR 52558 (Sept. 9, 2008). \33\ These regulations are also referred to as HM-232. \34\ See supra, n. 32. --------------------------------------------------------------------------- TSA proposes to adopt the PHMSA list for purposes of defining TSSM. This approach avoids unnecessary duplication and ensures consistent alignment of the materials meeting this standard in Federal regulations. A discussion regarding the materials in the list can be found in the preamble to PHMSA's final rule.\35\ --------------------------------------------------------------------------- \35\ 75 FR at 10977. --------------------------------------------------------------------------- B. Amendments to Part 1503 TSA is proposing minor amendments to part 1503 (Investigative and Enforcement Procedures) as necessary to conform these regulations to changes made by the proposed rule. In Sec. 1503.101(b), the scope of statutory provisions is amended to add authorities in title 6 U.S.C. that are administered by the TSA Administrator--which are relevant to this proposed rule. These are conforming amendments with no cost impact. C. Amendments to Part 1520 TSA is also proposing to modify part 1520 (Protection of Sensitive Security Information). TSA is required to promulgate regulations governing the protection of information obtained or developed in carrying out security under the authority of ATSA \36\ if public disclosure of that information could be detrimental to transportation security. TSA's current SSI regulation, 49 CFR part 1520, establishes certain requirements for the recognition, identification, handling, and dissemination of SSI, including restrictions on disclosure and civil [[Page 91345]] penalties for violations of those restrictions. DOT has nearly identical SSI authority (49 U.S.C. 40119) and a nearly identical SSI regulation (49 CFR part 15).\37\ --------------------------------------------------------------------------- \36\ See 49 U.S.C. 114(r). \37\ For more information on these regulations, see 69 FR 28078 (May 18, 2004). --------------------------------------------------------------------------- Because TSA is expanding the scope of its regulatory requirements in order to fulfill the mandates of the 9/11 Act, it is necessary to conform the SSI provisions to include these transportation security- related requirements. The proposed amendments are limited to: (1) Eliminating unnecessary terms from part 1520 that are added to part 1500 and (2) replacing the limiting term ``rail transportation security requirement'' with ``surface transportation security requirement.'' In some places, such as the definition of ``vulnerability assessment'' in Sec. 1520.3, TSA is proposing to streamline a lengthy description of types of transportation to simply state ``aviation, maritime, or surface transportation.'' The impact of these minor revisions should also be minimal. Under Sec. 1520.7(j), any person who has access to SSI is required to protect it according to the requirements of the regulation. While some of the proposed population that would be affected by this rule has not previously been subject to TSA regulations, most of them have previously received SSI information from TSA, as well as training on the proper handling of SSI, and have procedures in place to ensure the requirements of the regulation are met.\38\ --------------------------------------------------------------------------- \38\ Publicly available information on proper handling of SSI is available on TSA's Web site at www.tsa.gov. --------------------------------------------------------------------------- TSA's regulations for SSI have a counterpart in DOT regulations under 49 CFR part 15. Any comments received on these proposed amendments will be shared with DOT. As these are parallel rules, assuming there are changes to part 1520 adopted as part of this notice and comment rulemaking, DOT may subsequently make similar changes to part 15. We invite comments on the proposed changes to part 1520, and we will share with DOT any comments received on potential changes to part 15. We also invite comments on this process for making changes to both parts. D. Amendments to Part 1570 1. Overview of Changes and Structure TSA is proposing to divide part 1570 into four subparts: (1) Subpart A would cover general requirements applicable to all aspects of subchapter D to chapter XII of title 49; (2) subpart B provides the general framework for security programs; (3) subpart C covers operational requirements; and (4) subpart D would move and consolidate general provisions related to security threat assessments (STAs) which are more specifically addressed in part 1572. As previously discussed, mode--specific requirements are contained in subsequent parts. Because of the significant restructuring of part 1570, the proposed rule text includes the entirety of the revision--not just the parts that would be added because of this rulemaking. This includes terms applicable to the STAs required by part 1572, as well as related STA provisions that TSA proposes moving to new subpart D. 2. Subpart A--General Terms and Definitions (Sec. 1570.3) As previously indicated, TSA is proposing to move several terms from Sec. 1570.3 to Sec. 1500.3 as part of a general effort to streamline TSA's regulations by consolidating terms used in multiple parts. In addition, TSA is proposing to add the terms identified in Table 4 to Sec. 1570.3 as they are used in multiple sections of subchapter D to chapter XII of title 49. Table 4--Explanation of Proposed Terms and Definitions ------------------------------------------------------------------------ Summary of change Explanation ------------------------------------------------------------------------ Propose adding definition of This term is used in the ``Contractor''. definition of ``employee'' for purposes of this subchapter and is based on a definition of contractor used in DOT regulations, see, e.g., 49 CFR 655.4. Propose adding definition for This term is used in several ``Employee''. definitions, most notably, the definition of ``security- sensitive employee,'' which is the term used to define the scope of individuals who must be trained under the proposed rule (see discussion in III.E) and the requirements of the training program. See proposed definition of ``security- sensitive employee'' in 49 CFR 1580.3, 1582.3, and 1584.3. It is also used in sections regarding responsibility for compliance (proposed 49 CFR 1570.13), and terms used for ``chain of custody'' requirements in proposed 49 CFR 1580.3 (currently 49 CFR 1580.107). Propose adding definition of This term is used in the ``Immediate supervisor''. definition of ``Employee.'' It is intended to ensure that any ``immediate supervisors'' performing security-sensitive functions for an owner/ operator receive the required security training. It is also intended to limit the layers of management that must receive security training to those who have an actual nexus to transportation security. More information can be found in the discussion of employees required to be trained in preamble section III.E. Propose adding definition of ``Security- This term is used in provisions sensitive employee''. of part 1570 as part of the proposed security training requirements. The definition provides a signal to find the appropriate mode-specific definitions in 49 CFR parts 1580, 1582, and 1584. Propose adding definition of ``Security- This term is used in provisions sensitive job function''. of part 1570 as part of the proposed security training requirements. The definition provides a signal to find the appropriate mode-specific definitions in 49 CFR parts 1580, 1582 and 1584. ------------------------------------------------------------------------ [[Page 91346]] Security Responsibilities for Employees and Other Persons (Sec. 1570.7) In proposed Sec. 1570.7, TSA is seeking to make its regulations regarding the responsibility for compliance consistent for all modes. Under 49 U.S.C. 114(f), TSA is required to enforce security related regulations and requirements and oversee the implementation of security measures for all modes of transportation.\39\ As with the similar aviation regulation, the obligation for compliance is not limited to owner/operators specifically referenced under applicability provisions. Any person may be held to have violated these proposed rules, including contractors who provide service to owner/operators and the employees of such contractors. For example, a contractor who is authorized by an owner/operator to provide security training to individuals performing security-sensitive functions on the owner/operator's behalf would be expected to fulfill all of the responsibilities under these three parts with respect to such training. Similarly, contractors would also be subject to inspection for compliance with this proposed rule and enforcement actions when appropriate (see following discussion on proposed Sec. 1570.9 for more information on TSA's investigatory and enforcement authority). --------------------------------------------------------------------------- \39\ See 49 U.S.C. 114(f)(7) and (11). A similar provision applicable to aviation employees and other related persons is in 49 CFR 1540.105(a)(1) and (b). --------------------------------------------------------------------------- Compliance, Inspection, and Enforcement (Sec. 1570.9) TSA is mandated to: (1) Enforce its regulations and requirements; (2) oversee the implementation and ensure the adequacy of security measures; and (3) inspect, maintain, and test security facilities, equipment, and systems for all modes of transportation.\40\ This mandate applies even in the absence of regulations stating the authority, but TSA has chosen to include a restatement of its authority in its regulations. The statute specifically requires TSA to-- --------------------------------------------------------------------------- \40\ See 49 U.S.C. 114(f). --------------------------------------------------------------------------- Assess threats to transportation; Enforce security-related regulations and requirements; Inspect, maintain, and test security of facilities, equipment, and systems; Ensure the adequacy of security measures for the transportation of cargo; Oversee the implementation, and ensure the adequacy, of security measures at airports and other transportation facilities; Require background checks for airport security screening personnel, individuals with access to secure areas of airports, and other transportation security personnel; and Carry out such other duties, and exercise such other powers, relating to transportation security as the Administrator considers appropriate, to the extent authorized by law. While current part 1570 includes a provision stating TSA's compliance, inspection, and enforcement authority, it is not as detailed as what TSA has promulgated in more recent regulations.\41\ Therefore, TSA is proposing to transfer the text of current Sec. 1580.5 to subpart A as proposed Sec. 1570.9, with minor modifications to reflect the addition of certain bus operations that have previously been unregulated by TSA.\42\ --------------------------------------------------------------------------- \41\ Compare current Sec. 1570.11 with current Sec. 1580.5. The provision in part 1580 is also consistent with 49 CFR 1542.5, 1544.3. 1546.3, 1548.3, and 1549.3. \42\ A more detailed discussion of current Sec. 1580.5, still relevant to the proposed section, can be found in the preamble for current part 1580. See 71 FR 76852 (Dec. 12, 2006) (NPRM) and 73 FR 72130 (Nov. 26, 2008) (Final Rule). --------------------------------------------------------------------------- 3. Subpart B--Security Programs As previously noted, TSA intends to consolidate and avoid duplication of requirements in its regulations by placing all of the security program requirements that are consistent across all modes in subpart B. These include: (1) Submission, review, and approval of the program; (2) procedures for amending the program; (3) the training schedule (including initial and recurrent training, previous training, relation to other training, and failure to train); and (4) recordkeeping. Proposed requirements for which employees must be trained and content of the program are found in the proposed revisions to part 1580 (freight rail) and new parts 1582 (PTPR) and 1584 (OTRB). Program Content (Sec. 1570.103) Under the statutory requirements, TSA must issue regulations mandating security training for owner/operators of public transportation agencies, railroads, and OTRBs.\43\ In proposing these regulations, TSA assumes that Congress intended the requirement to provide for the use of ``existing procedures, protocols, and standards to satisfy the regulatory requirements'' for vulnerability assessments and security plans apply equally to security training.\44\ Proposed Sec. 1570.3 implements these requirements by stating that each owner/ operator required to have a security program under proposed parts 1580, 1582, and 1584 must address all of the identified requirements. In addition, the proposed section implements the requirement to allow for use of existing programs by allowing the owner/operators to include these existing programs as an appendix. The owner/operators would be required to cross-reference the relevant portions of the appendix or TSA could assume it is all part of the security program and enforce it as such. --------------------------------------------------------------------------- \43\ See 6 U.S.C. 1137, 1167, and 1184. \44\ See 6 U.S.C. 1162(j) and 1181(i) (use of existing procedures, protocols, and standards to satisfy regulatory requirements). --------------------------------------------------------------------------- To minimize costs of compliance, TSA may identify pre-existing or widely-available training programs that meet some or all of this proposed rule's requirements. If owner/operators decide to use a program already determined by TSA to meet the proposed rules requirements, the owner/operator must notify TSA of the program name, presenter, modifications made to the training material since the program was approved by TSA, and the last date of modification. If TSA has already determined the program meets some or all of the requirements for the proposed rule and is applicable to the owner/ operator's operations, it would be unnecessary for the owner/operator to submit a copy of the program to TSA for approval or include it in the appendix. Responsibility for Determinations (Sec. 1570.105) As part of this rulemaking, TSA is proposing to apply the requirements to the highest-risk operations within the three modes identified by the 9/11 Act. As part of the surface security requirements in the 9/11 Act, TSA is required to develop risk tiers.\45\ The criteria used for determining the highest-risk tier for each mode is discussed in more detail in section III.F of this NPRM. The text of proposed Sec. 1570.105(a) informs owner/operators that TSA has determined the applicability criteria, but it is the owner/ operator's responsibility to determine whether their operations meet the criteria. --------------------------------------------------------------------------- \45\ For public transportation, 6 U.S.C. 1137(e) states that any public transportation agency that receives a grant under 6 U.S.C. 1135 shall be required to develop and implement a training program pursuant to this section. The grant program implemented under sec. 1135 relies on high-risk determinations. See also 6 U.S.C. 1162(a) and (h) and 1181(a) and (h) (Secretary shall identify risk tiers for freight railroads and OTRB and apply regulatory requirements to those at the highest-risk). --------------------------------------------------------------------------- The proposed rule would require owner/operators to notify TSA within 30 days of the effective date of the final rule if they meet the criteria for applicability. In addition to publishing the regulatory requirements in the Federal Register, TSA will work with [[Page 91347]] the relevant associations for each of the modes to ensure their memberships are apprised of the requirements. TSA will identify the form and manner of notification in the final rule consistent with cost- effective methodologies at that time. Because the proposed rule would require owner/operators to determine whether the criteria apply, TSA could bring an enforcement action against an owner/operator that meets the criteria, but has failed to comply with the requirements. The obligation to self-determine applicability also applies to new and existing operations (those commencing after publication of the final rule). They would be required to notify TSA no later than 90 calendar days before commencing operations or implementing modifications that would put them within the applicability of the requirements. Recognition of Previous Training (Sec. 1570.107) As previously noted, TSA is required to allow use of existing programs to satisfy the security program requirements implemented as a result of 9/11 Act's provisions.\46\ Under proposed Sec. 1570.107, an owner/operator could rely on previous training that occurred within the identified periods for initial or recurrent training. In order to use previous training, the owner/operator would need to validate the training provided satisfies the requirements of this proposed rule-- including records of training, curriculum, and appropriateness for the employee and owner/operator's operations. --------------------------------------------------------------------------- \46\ See 6 U.S.C. 1162(j) and 1181(i) (use of existing procedures, protocols, and standards to satisfy regulatory requirements). --------------------------------------------------------------------------- Security Training Program Submission, Review, and Approval (Sec. 1570.109) The 9/11 Act's requirements include specific deadlines for submission of programs and TSA's review.\47\ Proposed Sec. 1570.109 identifies the required deadlines for submitting security training programs and TSA approval. --------------------------------------------------------------------------- \47\ See 6 U.S.C. 1137(d)(1) and (2), 1167(d)(1) and (2), and 1184(d)(1) and (2) (must submit program 90 days from effective date, TSA must approve within 60 days of receipt or notify of need for revisions). --------------------------------------------------------------------------- In general, not later than 90 days from the effective date of the final rule, owner/operators would be required to submit programs to TSA in a form and manner prescribed by TSA. Owner/operators commencing new businesses or operations that would make them subject to this proposed rule would be required to submit their security training programs to TSA no less than 60 days before commencing operations. In the final rule, TSA will provide details for submission (encouraging use of a secure Web site or other electronic submissions). TSA assumes submission would likely be by email or mail service, but requests comments on preferences. Consistent with requirements of the 9/11 Act, TSA would review the programs within 60 days of receipt and either approve them or specify changes that would be needed for approval.\48\ If TSA requires changes, the owner/operator would be required to submit a modified training program that meets TSA's specifications within 30 days of notification by TSA of the needed changes. The section includes the availability to request reconsideration of any TSA-required modifications. TSA provides an analysis of burden and estimated costs associated with this information collection in section V.A. of this preamble and the draft OMB 83-I Supporting Statement for its information collection request, which is available in the docket for this rulemaking. --------------------------------------------------------------------------- \48\ See 6 U.S.C. 1137(d)(1) and (2), 1167(d)(1) and (2), and 1184(d)(1) and (2) (TSA must approve within 60 days of receipt or notify of need for revisions). --------------------------------------------------------------------------- Initial training (Sec. 1570.111(a)) Consistent with the 9/11 Act's requirements, TSA proposes that existing employees must be trained within one year of TSA's approval of the program.\49\ As further required by the 9/11 Act, initial training for new employees or those transitioning to a covered job function (as identified in proposed Appendix B to parts 1580 (freight rail), 1582 (PTPR), and 1584 (OTRB), must occur within the first 60 days of the date an employee begins to perform a security-sensitive function.\50\ --------------------------------------------------------------------------- \49\ See 6 U.S.C. 1137(d)(3), 1167(d)(3), and 1184(d)(3) (no later than 1 year after approval of security training program, owner/operator must have trained all covered employees). \50\ This is a mandatory requirement for railroads and OTRB companies. See 6 U.S.C. 1167(d)(3) and 1184(d)(3) (New employees must be trained within first 60 days of employment). --------------------------------------------------------------------------- During the consultation process at the initial stages of this rulemaking, some stakeholders objected to a one-year deadline for completion of initial training. While the 9/11 Act does not provide for flexibility on the initial training schedule, TSA has attempted to address these concerns through provisions on recurrent and previous training (as discussed in section III.D.3 of this NPRM). In addition, TSA is proposing to include a section allowing regulated parties to request an extension if they cannot meet the required training schedule.\51\ --------------------------------------------------------------------------- \51\ See Sec. 1570.115(c) of this proposed rule. --------------------------------------------------------------------------- Proposed Sec. 1570.111(a)(3) is included to address the situation of non-permanent employees. TSA recognizes that some individuals may be intermittently employed as contractors or representatives to perform security-sensitive functions; they might not perform these functions for 60 or more consecutive calendar days. For example, an employee may function as a maintenance worker for a 30-day period and then, at a later date, perform that function for another period of 30 days or longer. This may also include individuals who are employed by multiple owner/operators, such as multiple-employer drivers.\52\ The proposed rule would require that such individuals receive training within 60 calendar days after employment that meets the definition of a security- sensitive employee.\53\ --------------------------------------------------------------------------- \52\ Such as individuals meeting the definition of ``multiple- employer driver'' in the Federal Motor Carrier Safety Administration (FMCSA) regulations at 49 CFR 390.5. \53\ See discussion of ``security-sensitive employees'' in section III.E. of this NPRM. --------------------------------------------------------------------------- In general, this means that an employee would need to be trained within 60 days of beginning permanent employment in a position that may perform a security-sensitive function, whether full or part-time. If, however, an individual is employed on an intermittent or non-permanent basis, such as a contractor who is employed in a position that may perform a security-sensitive function for short durations, then the training would need to take place before the individual's total time of employment by the owner/operator equals sixty calendar days within a consecutive twelve-month period. TSA recognizes that some owner/ operators may address this requirement by requiring training for all regular contractors or other individuals employed for short, but regular durations. TSA requests comments on other options for determining accumulated days of employment and for ensuring owner/ operators do not engage in employment practices or use of contractors to avoid the requirements of this proposed rule. As previously noted, the proposed rule includes a provision regarding use of previous training (see discussion on proposed Sec. 1570.107). TSA is aware of stakeholder concerns regarding the schedule for initial training, but TSA is also aware that many of the affected owner/operators have already implemented initial employee security training--frequently through the use of [[Page 91348]] grant funds provided by DHS for that purpose.\54\ TSA invites comments on these requirements as they appear in the proposed rule. --------------------------------------------------------------------------- \54\ Congressional appropriations to FTA fund course offerings to public transportation agencies that meet some of the requirements in this proposed rule. Similarly, appropriations through DHS fund the provision of courses in prevention and response that are available to PTPR agencies. Further, FTA and FEMA courses that may meet portions of this proposed rule are listed among the approved vendors and programs for use of TSGP awards. --------------------------------------------------------------------------- In meeting the initial training schedule, TSA expects that many owner/operators will rely on the provisions in proposed Sec. 1570.107, which provides standards for accepting previous training. Under this section of the proposed rule, TSA would allow ``training credit'' to be given for employees who received training that satisfies the requirements of the proposed rule within one year before its effective date. This may include emergency preparedness plans that railroads connected with the operation of passenger trains must implement to address such subjects as communication, employee training and qualification, joint operations, tunnel safety, liaison with emergency responders, on-board emergency equipment, and passenger safety information, as well as policies that transit agencies implement to ensure safety promotion to support the execution of the Transit Agency Safety Plan by all employees, agents, and contractors for the rail fixed guideway public transportation system.\55\ See discussion of these training programs in section III.I. of this NPRM. Similarly, public transportation agencies may have been providing training through funds granted under the TSGP. --------------------------------------------------------------------------- \55\ Id. --------------------------------------------------------------------------- The recordkeeping provisions of the proposed rule require an owner/ operator to provide current and former employees with documentation upon request of any training completed to meet the requirements of this rule.\56\ Options for compliance with this requirement could include providing employees with certificates to validate completed training. --------------------------------------------------------------------------- \56\ See Sec. 1570.121 of the proposed rule. --------------------------------------------------------------------------- This proposed requirement anticipates situations where an employee may have received training from a previous owner/operator, as well as industry practices where employees may work for multiple owner/ operators (such as commercial drivers operating OTRBs). If an owner/ operator can validate that an employee has received the required training within the specified timeframe, the training would not need to be repeated. Because it would be the obligation of the current owner/ operator to ensure that all training requirements are met, that owner/ operator would be responsible for ensuring that any previous training courses satisfy the proposed rule's requirements and documenting that the training was received within the required timeframe. Finally, there may be situations where ``dual-hatted'' or other specific-function employees are required to receive security training from other sources as part of their jobs, such as railroad police officers employed by the owner/operator. As indicated above, it is the obligation of the owner/operator to ensure and document the training, including training received under these circumstances. Recurrent Training (Sec. 1570.111(b)) Recurrent training is essential for maintaining a high level of security awareness. The 9/11 Act recognizes this by requiring routine and ongoing training for public transportation employees.\57\ Congress has left it to the discretion of TSA to determine the appropriate schedule for recurrent training and to require a similar schedule for railroad and OTRB employees.\58\ --------------------------------------------------------------------------- \57\ See 6 U.S.C. 1137(f). \58\ See 6 U.S.C. 1137(c)(11), 1167(c)(12), and 1184(c)(12). --------------------------------------------------------------------------- TSA believes annual recurrent training is essential for transportation employees to maintain a high level of awareness, competency, and currency with overall changes in security posture within the surface transportation environment. TSA's decision is consistent with several key considerations, including: (1) Other TSA regulations requiring training, as well as similar training required for TSA employees; (2) the difficulty of learning, developing, and demonstrating security awareness in the dynamic aspects of the surface transportation environment, and (3) industry recommended guidelines for security awareness training. TSA requires annual training for aviation workers. For example, regulations applicable to Ground Security Coordinators used by aircraft operators specifically require annual training.\59\ Other aviation workers are required to receive annual recurrent training as part of the approved security program (including aircraft operators, indirect air carriers, air cargo, etc.).\60\ --------------------------------------------------------------------------- \59\ See 49 CFR 1544.233. \60\ The relevant security program requirements are under 49 CFR 1544.233, 1544.235, 1544.407, 1548.5, and 1549.103. --------------------------------------------------------------------------- TSA's decision to require annual training is supported by the Difficulty-Importance-Frequency (DIF) model \61\ that TSA uses for determining training requirements for its own employees.\62\ The DIF model uses three design criteria: Difficulty, importance, and frequency. --------------------------------------------------------------------------- \61\ Bill Melton & J. Bahlis, ``ADVISOR Enterprise Difficulty- Importance-Frequency (DIF) Model Fact Sheet'', BNH Expert Software Inc. (February 23, 2011), available at https://www.bnhexpertsoft.com/english/products/advent/ADVISOR_DIF_Model.pdf. DIF is a standard instructional design tool used by a variety of users including the Department of Defense (DOD), the Department of Energy (DOE), and private sector education and healthcare providers, to determine training priority and frequency of training. \62\ The proposed schedule is consistent with TSA's security awareness training for its own employees--including annual training on operational security (OPSEC), responding to active shooter incidents, and social engineering that could undermine security of information systems. --------------------------------------------------------------------------- TSA's subject matter experts responsible for TSA-related training determined that measuring the proposed security training program against these standards supports annual training as: (1) The difficulty of learning surface transportation security awareness related information is at the medium/moderately difficult range because it requires decision making when applying what one has learned; (2) the importance of conducting this security training is at the high/very important range because the cost of failure is high and would cause damage and losses in the event of an attack; and (3) the frequency of how often the task would be performed is within medium range. TSA's decision is also supported by the American Public Transportation Association (APTA) and their recommendations for security training: Security Awareness Training for Transit Employees.\63\ Developed in collaboration and consultation with TSA and transportation industry stakeholders, the recommended practice provides minimum guidelines for security awareness training for all transit employees to strengthen transit system security. APTA ``recommends that all transit employees be refreshed on transit security awareness objectives annually, in an abbreviated method at least . . . to reflect advancements or modifications to criminal and terrorist activities and reinforce the security awareness training that employees received initially.'' --------------------------------------------------------------------------- \63\ APTA Security Risk Management Working Group., ``Security Awareness Training for Transit Employees'' (March 2012), APTA-SS- SRM-RP-005-12. --------------------------------------------------------------------------- TSA does not find it necessary to include the ``abbreviated method'' option used by APTA as part of the proposed rule for two reasons. First, the [[Page 91349]] First ObserverTM program, discussed more fully in section III.J. of this NPRM, will meet most of the training requirements in approximately one hour. Having reviewed a wide variety of programs that could be used to meet elements of the 9/11 Act's requirements, TSA is not aware of any other existing material that could meet all of the proposed requirements in such an abbreviated period.\64\ To the extent owner/operators intend to continue to use their existing training program to meet the regulatory requirements, they may want to consider using First ObserverTM as an abbreviated form of recurrent training. --------------------------------------------------------------------------- \64\ As part of the 2013 Notice, TSA included a matrix in the docket of training programs that meet elements of the 9/11 Act's requirements. The matrix is available in the docket for the 2013 Notice at: https://www.regulations.gov/ (search for ''TSA-2013-0005- 0084''). Of the 20 programs listed, none of them addressed all of the 9/11 Act requirements. --------------------------------------------------------------------------- Second, owner/operators could request to use some other type of abbreviated security training as an alternative measure for compliance. Owner/operators may request to use alternative measures as part of the interactive and iterative process TSA intends to use for approval and review of required security programs, as detailed in proposed 49 CFR 1570.117. Under this proposed section, the owner/operator must establish that the alternative is in the best interest of the public and transportation security. When applied to recurrent training, TSA may require validation that the expected baseline of security awareness is reached and maintained with the abbreviated program. For example, the owner/operator may propose abbreviated training for employees who can pass a pre-test. TSA is aware that an annual recurrent training requirement could present challenges for owner/operators who must also meet other regulatory training requirements. For example, FRA requires a two-year recurrent training schedule for the emergency preparedness training required under 49 CFR part 239 (emergency response and evacuation for rail passengers). The security training required by PHMSA under 49 CFR part 172 (securing transportation of hazardous materials) is on a three-year recurrent training cycle. As TSA does not control these training schedules, we cannot harmonize all of them through this rulemaking. To the extent, however, that owner/operators must comply with these other training requirements, they may be able to use them as part of their program to meet the meet recurrent training requirements. TSA is interested in comments regarding options for harmonizing training schedules and for adding efficiencies with other relevant regulatory requirements. While TSA is proposing annual recurrent training, a three-year recurrent cycle is included as a programmatic alternative. The results of the cost analysis for this alternative can be found in chapter III section K of the Regulatory Impact Analysis (RIA) for this rulemaking, which is included in the public docket. Amendments to the Security Program (Sec. Sec. 1570.113 and 1570.115) Allowing owner/operators to revise or amend their programs, as proposed in Sec. 1570.113, is a subset of addressing the 9/11 Act's requirements for implementation and submission or programs.\65\ It is also consistent with TSA's statutory authority to allow exemptions from regulatory requirements.\66\ Proposed Sec. 1570.113 includes procedures allowing an owner/operator to submit a request to TSA to amend its program and the standard for TSA's approval of that request. The proposed section identifies appropriate reasons for amending programs, such as changes to an operating environment that could include new equipment or changes in station construction. If the operating environment changes, it is reasonable to expect that some aspects of the security training program would also need to be revised. TSA may approve an amendment if it is in the interest of public and transportation security and meets the required security standards. TSA could ask for additional information or time in order to makes its determination. --------------------------------------------------------------------------- \65\ See 6 U.S.C. 1137(d) (public transportation), 1167(d) (railroads), and 1184(d) (OTRB). \66\ See 49 U.S.C. 114(q) (Under Secretary may grant exemptions from regulatory requirements). --------------------------------------------------------------------------- Similarly, TSA may need to require amendments in the interest of the public and transportation security. The 9/11 Act specifically provides that TSA must update the requirements, as appropriate, ``to reflect new or changing security threats'' and owner/operators shall change their programs and retrain employees as necessary within a reasonable time.\67\ As indicated in proposed Sec. 1570.115, TSA could require owner/operators to revise their training based on emerging threats or methods for addressing emerging threats. For example, the curriculum requirements identified in the 9/11 Act do not address training to respond to active shooter incidents. Following several active shooter incidents, including one that resulted in the death of a Transportation Security Officer in Los Angeles, Congress prioritized the need for this type of training.\68\ As with other requirements imposed by TSA, the owner/operator could request a petition for reconsideration of TSA-required amendments. --------------------------------------------------------------------------- \67\ See 6 U.S.C. 1137(d)(4) and 1167(d)(4) and 1184(d)(4). \68\ See Gerardo Hernandez Airport Security Act of 2015, Public Law 114-50, 159 Stat. 490 (Sept. 24, 2015). --------------------------------------------------------------------------- Alternative Measures (Sec. 1570.117) The proposed rule includes procedures allowing for an owner/ operator to submit a request to use alternative measures to satisfy all of some of the requirements of subchapter D and the standard for TSA to approve such a request. For example, the owner/operator could request to extend the time periods for submitting its training program or for training all of its security-sensitive employees. In reviewing such a request, TSA would expect the owner/operator to demonstrate good cause for the extension. Under this provision, an owner/operator could request a waiver from some or all of the regulatory requirements. TSA could grant such a request under the authority 49 U.S.C. 114(q), which provides the TSA Administrator with authority to consider and grant requests from an owner/operator for a waiver from all or some of the regulatory requirements. For example, a freight railroad may meet the criteria for applicability, but the operations that trigger applicability may be a de minimis part of its overall business operations. In such a situation, the owner/operator might consider requesting either a complete waiver or an alternative that limits the requirements to a more discrete part of its business. Proposed Sec. 1570.117 would include the procedures for requesting such a waiver, procedures for requesting the use of alternative measures, and identification of the types of information TSA would need in order to make a decision to grant such requests. In general, TSA would need to consider factors, such as risk associated with the type of operation, any relevant threat information, and any other factors relevant to potential risk to the public and transportation security. Petitions for Reconsideration (Sec. 1570.119) Proposed Sec. 1570.119 describes the review and petition process for TSA's reconsideration when it denies a request for amendment, waiver, or alternative measures--as well as a TSA requirement to modify or amend a [[Page 91350]] program. If an owner/operator challenges the decision, the owner/ operator would be required to submit a written petition for reconsideration within the time frame identified in the applicable section.\69\ The petition would need to include a statement, with supporting documentation, explaining why the owner/operator believes the reason for the denial or for the amendment, as applicable, is incorrect. If the owner/operator requested the amendment, the results of the reconsideration could be confirmation of TSA's previous denial or approval of the proposed amendment. If the issue involves a TSA required amendment, the results of the reconsideration could be withdrawal, affirmation, or modification of the amendment. TSA would consider whether a disposition pursuant to proposed 49 CFR 1570.119 would constitute a final agency action for purposes of review under 49 U.S.C. 46110. --------------------------------------------------------------------------- \69\ The proposed rule would require petitions for reconsideration to be submitted no later than 30 days of a TSA requirement to modify under Sec. 1570.109, denial of an owner/ operator-requested amendment under Sec. 1570.111, or denial of a request for waiver or alternative measures under Sec. 1570.117; submission would be required within 15 days for a TSA-required amendment under Sec. 1570.113. --------------------------------------------------------------------------- Recordkeeping Requirements (Sec. 1570.121) TSA proposes that owner/operators create and maintain lists of their security-sensitive employees and when they received training that meets the requirements of the proposed rule. Specifically, records would need to include each trained employee's name, job title or function, date of hiring, and date and course information on the most recent security training that each employee received. Records for individual employees would need to reflect the training courses completed and date of completion. Training records for each employee of initial and recurrent training would need to be maintained by owner/ operators for no less than five years from the date of the training and available at any location(s) specified in the security training program approved by TSA. The proposed rule provides flexibility to owner/operators to decide whether to maintain the records in electronic format provided that (1) any electronic records system used is designed to prevent tampering, loss of data, or corruption of records, and (2) paper copies of records, and any amendments to those records, would be made available to TSA upon request for inspection or copying. Whether the records are kept in electronic or other form, the employee must be provided with proof of training upon request, at any time during the five-year recordkeeping period without regard to the requestor's current status as an employee of that entity. As discussed above in ``Initial training (Sec. 1570.111(a)),'' owner/operators may meet this requirement to provide proof of training by providing a certificate or other similar documentation to the employee upon completion of training. In order for TSA to allow any owner/operator to rely upon previous security training to satisfy the requirements of this proposed rule, it is critical that employees be able to validate whether they received previous training. TSA assumes training records are unlikely to include SSI, but nonetheless provides a reminder in the proposed section that any SSI maintained as a result of these recordkeeping requirements must be maintained consistent with the standards in 49 CFR part 1520. For example, an owner/operator may decide to keep a copy of the content of the training program with the employee files (which is not required by the proposed rule), if the curriculum contains SSI information, any file it is in would need to be stored as required by the SSI regulations. Owner/operators needing additional information about appropriately maintaining SSI may contact TSA for assistance and/or find information on TSA's Web site.\70\ --------------------------------------------------------------------------- \70\ See https://www.tsa.gov/for-industry/sensitive-security-information. --------------------------------------------------------------------------- 4. Subpart C--Operations Under current regulations (49 CFR part 1580), TSA requires freight and passenger railroad carriers, rail transit systems, rail hazardous materials shippers, and certain rail hazardous materials receivers to appoint ``rail security coordinators'' \71\ (RSCs) and report significant security concerns to TSA.\72\ The RSC, serve as the security liaisons to TSA, providing a single point of contact for receiving communications and inquiries from TSA concerning threat information or security procedures, and coordinating responses with appropriate law enforcement and emergency response agencies. The information reported to TSA provides information from the frontline of rail transportation that can be used to identify developing threats based on consolidated reporting and trend analysis. Because of the benefits of this requirement to transportation security, TSA is proposing to extend these requirements to the modes of transportation covered by this proposed rule that are not currently subject to the requirements of 49 CFR part 1580. --------------------------------------------------------------------------- \71\ See 49 CFR 1580.101 and 1580.201. \72\ See 49 CFR 1580. 105 and 1580.203. --------------------------------------------------------------------------- Security Coordinator Requirements (Sec. 1570.201) As previously noted, TSA currently requires security coordinators for rail operations including freight, passenger, and public transportation. In addition to mandating security coordinators for railroads, the 9/11 Act also requires security coordinators for OTRB companies.\73\ Consistent with this mandate, TSA proposes to extend the requirement to appoint a primary and at least one alternate security coordinator for OTRB companies and the bus operations of PTPR owner/ operators (with a limited impact as most public transportation bus agencies are part of a larger system that is required to have a security coordinator under current 49 CFR part 1580). This would be accomplished by moving the provision from part 1580 to subpart C of the proposed rule and eliminating rail-specific terms from the text. --------------------------------------------------------------------------- \73\ See 6 U.S.C. 1162(e)(1)(A) (``Identification of a security coordinator having authority--(i) to implement security actions under the plan; (ii) to coordinate security improvements; (iii) to receive immediate communications from appropriate Federal officials regarding railroad security''). --------------------------------------------------------------------------- Security coordinators are a vital part of transportation security, providing TSA and other government agencies with an identified point of contact with access to company leadership and knowledge of the owner/ operators operations, in the event it is necessary to convey extremely time-sensitive information about threats or security procedures to an owner/operator, particularly in situations requiring frequent information updates. The security coordinator and alternate provide TSA with a contact in a position to understand security problems; immediately raise issues with, or transmit information to, corporate or system leadership; and recognize when emergency response action is appropriate. The individuals must be accessible to TSA 24 hours per day, 7 days per week. The proposed rule does not change the expectation that the security coordinator and alternate be appointed at the headquarters level. This proposed rule does not require the security coordinator or alternate to be a dedicated position staffed by an individual who has no other primary or additional duties. This proposed rule, however, does require that the owner/operator have a designated individual [[Page 91351]] that TSA may reach at all times. The proposed rule would require the following information for both the security coordinator and alternate: Name, title, telephone number(s), and email address. Any change in this information would have to be provided to TSA within seven days of the change taking effect. As previously noted, this is not a new requirement for owner/ operators of railroads, including the rail transit operations of PTPR owner/operators. If an owner/operator subject to this proposed rule has provided the required information for primary and alternate RSCs to TSA in the past, it would not have to take further action to meet the requirement.\74\ This is the case for passenger rail carriers, freight railroad carriers, and rail transit systems operated by public transportation agencies. --------------------------------------------------------------------------- \74\ The requirement to inform TSA of any changes is not modified by this proposed rulemaking. Therefore, those currently covered by the security coordinator and reporting requirements under current 49 CFR part 1580 must report information regarding changes to the names, titles, telephone numbers, and email addresses of the RSCs and alternate RSCs to TSA within seven calendar days of the change taking effect. --------------------------------------------------------------------------- Extension and Modification of Requirement To Report Security Concerns (Sec. 1570.203) TSA is proposing to make two changes to its existing requirements in part 1580 to report security concerns to TSA.\75\ As with the security coordinator requirement, TSA proposes to move and consolidate the requirement into proposed Sec. 1570.203 and extend it to bus operations.\76\ --------------------------------------------------------------------------- \75\ See current 49 CFR 1580.105 and 1580.203. \76\ This extension is within TSA's discretion to require other actions or procedures determined to be appropriate to address the security of public transportation and OTRB operations. See 6 U.S.C. 1134(c)(2)(I) and 1181(e)(1)(H). --------------------------------------------------------------------------- TSA is also proposing to modify the security concerns to be reported to address a need for clarification and align with other relevant standards. Since publication of 49 CFR part 1580, some stakeholders have asked TSA for clarification of the events they are required to report pursuant to 49 CFR 1580.105 and 1580.203. Additionally, in December 2012, the U.S. Government Accountability Office (GAO) published a report on passenger rail security.\77\ In the report, GAO stated that TSA has inconsistently overseen and enforced its rail security incident reporting requirement because the agency does not have guidance published, leading to considerable variation in the types and number of incidents reported. The GAO recommended that the agency develop guidance on the types of incidents that should be reported and this guidance should be disseminated to TSA inspectors and regulated entities, including rail and transit agencies. Pending this rulemaking, TSA provided information to the railroads and transit agencies subject to the requirements of part 1580 to provide more examples about the types of incidents that should be reported. --------------------------------------------------------------------------- \77\ See GAO, ``Passenger Rail Security, Consistent Incident Reporting and Analysis Needed to Achieve Program Objectives,'' GAO- 13-20 (December 2012). --------------------------------------------------------------------------- TSA is also modifying the list of reportable significant security concerns to be more consistent with the Nationwide Suspicious Activity Reporting (SAR) Initiative (NSI). The NSI is a partnership between Federal, State, local, tribal, and territorial law enforcement that ``establishes a national capacity for gathering, documenting, processing, analyzing and sharing SAR information . . . in a manner that rigorously protects the privacy and civil liberties of Americans.'' \78\ The NSI defines ``suspicious activity'' as ``observed behavior reasonably indicative of pre-operational planning associated with terrorism or other criminal activity.'' \79\ --------------------------------------------------------------------------- \78\ See Nationwide SAR Initiative (NSI), ``About the NSI'' (accessed Nov. 3, 2016), available at https://nsi.ncirc.gov/about_nsi.aspx. \79\ Id. --------------------------------------------------------------------------- The NSI implements a standardized, integrated approach to gathering, documenting, processing, analyzing, and sharing information about suspicious activity that is potentially terrorism-related. In applying this approach, standards have been developed, setting criteria for the types of activities that warrant reporting as suspicious and potentially terrorism-related. These criteria recognize the capability of law enforcement and security professionals to apply their experience and expertise to identify significant security concerns by focusing on the nature of the incidents and the context in which they occur. The standardized approach among law enforcement officers and security officials with surface transportation entities produces more informative reports that can more effectively focus investigative efforts and intelligence analysis for potential trends and indicators of terrorism-related activity. Thus, TSA intends to ensure clarity by incorporating the examples previously provided to industry and consistency by aligning its regulations with the concepts of the NSI. The proposed list of reportable incidents can be found in proposed Appendix A to part 1570 and includes not only a list of incidents, but descriptions and examples to assist regulated parties in making a determination of whether an incident fits within the reporting requirements. Finally, TSA is proposing to modify the schedule for reporting incidents. Currently the regulation requires immediate reporting to TSA. If, however, there is an immediate threat, the first priority is to notify and work with first responders. Therefore, TSA is proposing to remove the necessity for immediacy and, instead, require notification within 24 hours of the incident (see proposed 49 CFR 1570.203(a)). This will enable TSA to obtain timely information without undermining the ability of the owner/operator to appropriately handle a situation requiring their full attention. Examples for Reporting Information (Sec. 1570.203(b)) As previously noted, TSA has almost a decade of experience with incidents reported by railroads under current 49 CFR part 1580. Based on this experience, TSA recognizes that its ability to analyze the data and improve the quality of information disseminated back to its stakeholders is proportional to the quality of information it receives. Proposed Sec. 1570.203(b) is consistent with the previous reporting requirements, which reflected the need for detailed and verified information from individual owner/operators to enhance TSA's ability to provide timely and useful information products to all of the relevant stakeholders. While not included in the rule text, Table 5 is being provided to assist security coordinators and other responsible officials to understand TSA's expectations for the types of information that are needed in order to meet the standards of Sec. 1570.203(b). [[Page 91352]] Table 5--Examples of Reporting Information Required by Proposed Sec. 1570.203(c) ------------------------------------------------------------------------ Reporting requirements in proposed Sec. 1570.203(c) Examples ------------------------------------------------------------------------ (1) The name of the reporting Company individual and contact information, Representative: Joe BLOGGS. including a telephone number or e-mail Company: ABC Rail Road address. Company. Address: XXXXX, XX (Street), XXXXX (City), XX (State), XXXXX (ZIP). Phone: (111) 123-1234. POC Email: Reporting.Official@ABCRR.com. (2) The affected freight or passenger Locomotive: ABCRR, train, transit vehicle, motor vehicle, Reporting Marks. station, terminal, rail hazardous Locomotive Number materials facility, or other facility 1234. or infrastructure, including Rail Car: ABCRR identifying information and current Railcar Number XXXX 001234. location. Train: ABCRR Train Number XXX of XX, etc. Facility: ABCRR (Rail Yard, Subway Station, Passenger Station, Storage Yard, Repair Facility, etc.) and facility physical address. Right of Way: Mile Post Marker, Sub-division, and physical address (as much as known). (3) Scheduled origination and ABCRR, Northern termination locations for the affected Corridor Express-Boston to New freight or passenger train, transit York, XYZ Line, via X, Y and Z vehicle, or motor vehicle, including Cities. Train Number XXX of XX departure and designation city and is currently located at: MP route. 123.12, XXX Sub-division, XXXX (City), XX (State). Transit Vehicle: ABCRR LRV Number XXXXX etc. Route: XXX North Corridor. Is currently located at XXXX Line Section or XXX Station, Street, City, State, ZIP. (4) Description of the threat, At XXXX hours, January incident, or activity, including who 01, 2020. has been notified and what action has ABCRR Police Sergeant, been taken. Joe BLOGGS, badge number XXXX, ABCRR Police Department (ABCPD) reported the following: At WWWW hours, January 01, 2020, a suspicious person (described as a white male, approximately 6'0'' tall, 190 lbs., blonde hair, approximately 35 to 40 years of age, wearing a long black knee[dash]length coat, blue jeans, red sneakers, and a XXXX ball club baseball hat) was detected adjacent to the ticket vending machine at the street level entrance to the XXst Street and YYYYY Avenue, Station, XXXX (City), XX (State). The person was deemed suspicious because although the temperature at the time was 85 degrees, he was wearing a knee[dash]length heavy black coat. The individual was sweating and exhibited nervousness when security officials were present (the individual looked away every time a security official appeared, so as to not reveal his face). The individual had a black ``Traveler,'' ``Expandable'' suitcase with him (estimated measurements: 36'' W X 24''H X 12'' D) with a red piece of ribbon tied to the handle. At WWW5 hours, the individual rapidly departed the area when a security official began to approach him, leaving the black suitcase behind. A review of the Closed-circuit television (CCTV) surveillance system determined the individual had arrived at the station at VV30 hours in a Red, 4-door, Land Rover, VA License Plate XX123XXXX, which was parked adjacent to the XXXXX. Closed- circuit television revealed the vehicle was being driven by a white female with shoulder length blonde hair, approximately 35 years of age. A check of the VA DOT License registry revealed the vehicle is registered to Joe DOE, DOB: XX/XX/XXXX, POB: XXXXX (City), XX (State) and Jane (NEE: SMITH) DOE, DOB: XX/XX/XXXX, POB: XXXXX (City), XX (State) of 1234 West Disobedience Street, Anytown, VA 202XX, Phone Number: (XXX) XXX-XXXX. A check of the VA driver's license registry revealed similar/matching descriptions of Joe and Jane DOE to those persons identified during the incident. At ZZZZ hours, a XXXX City Police Explosive Ordnance Demolition (EOD) team conducted an examination of the black suitcase with x-ray equipment and determined the suitcase contained an unknown device comprised of wiring and circuitry. Explosive Ordinance Disposal (EOD) disrupted the suitcase, which yielded negative secondary results. EOD's examination of the suitcase's contents revealed limited amounts of women's clothing and what appeared to be the inner workings of a radio. At ZZZ1 hours, the scene was cleared by XXXX City Police EOD Sergeant Jeff BOMBGARTEN, badge number XXXX who secured the suitcase and its contents and transported them away from the facility. (5) The names and other available Witness: Joe SMITH, biographical data, and/or descriptions DOB: XX/XX/XXXX, POB: XXXX (including vehicle or license plate City, XX State. Address: information) of individuals or XXXXX, XX Street, XXXX City, vehicles known or suspected to be XX State, Phone Number (XXX) involved in the threat, incident, or XXX-XXXX, ABCRR, XXXX activity. (Address), (XXX) XXX-XXXX. Security: Fred ARRESTER, Sergeant, XXXX (City) Police Department, Badge # XXXX, Phone Number: (XXX) XXX-XXXX. Suspected Associate: Mrs. Jane DOE. [[Page 91353]] DOB: XX/XX/XXXX, POB: XXXX City, XX State. Address: XXXXX, XX (Street), XXXX (City), XX (State), Phone Number (XXX) XXX-XXXX, ABCRR, XXXX (Address), (XXX) XXX- XXXX. (6) The source of any threat Jane DOE, DOB: XX/XX/ information. XXXX, POB: XXXX (City), XX (State). Address: XXXXX, XX (Street), XXXX (City), XX (State), Phone Number (XXX) XXX-XXXX, ABCRR, XXXX (Address), (XXX) XXX-XXXX. ------------------------------------------------------------------------ 5. Subpart D--Security Threat Assessments As previously noted, TSA is including the full text of revised part 1570 as it would look with the proposed changes--including three sections related to STAs generally unaffected by this rulemaking. As part of this rulemaking, TSA would move all sections of current part 1570 limited to STAs to a new subpart D, to consist of Sec. Sec. 1570.301 (formerly Sec. 1570.7--fraudulent use or manufacture; responsibilities of persons), 1570.303 (formerly Sec. 1570.9-- inspection of credential); and 1570.305 (formerly Sec. 1570.13--false statements regarding security background checks by public transportation agency or railroad carrier). Only the last provision (Sec. 1570.305) has been revised, with revisions limited to removing definitions for terms that have been added elsewhere as part of this rulemaking. E. Security-Sensitive Employees (Sec. Sec. 1580.3, 1582.3, and 1584.3) As part of requiring security training for frontline employees of railroads, PTPR, and OTRB owner/operators-the 9/11 Act provided definitions for ``frontline employee'' within each mode of transportation.\80\ For the reasons discussed below, TSA is proposing to use the term ``security-sensitive employees,'' with specific definitions of the term for freight rail, PTPR, and OTRB operations. These proposed definitions, which would appear in Sec. Sec. 1580.3 (freight rail), 1582.3 (PTPR), and 1584.3 (OTRB), would need to be used by owner/operators to determine which employees must receive security training. --------------------------------------------------------------------------- \80\ See 6 U.S.C. 1151(6) (railroads), 6 U.S.C. 1131(4) (public transportation), and 6 U.S.C. 1151(5) (OTRB and railroad frontline employees, respectively). --------------------------------------------------------------------------- TSA's proposed definition began with an analysis of the employees listed in the 9/11 Act's definitions of ``frontline employees'' and whether there are any other employees who may be in a position to spot suspicious activity because of where they work, their interaction with the public, or their access to information (such as cleaning the restrooms, selling tickets and providing assistance to passengers, maintaining equipment and operations in vulnerable areas, or operating a train or bus). TSA also considered who would need to know how to report or respond to these potential threats. The only gap identified between the employees stipulated in the 9/11 Act and those that would fall under the discretionary category are those who have specific responsibilities under any security plan the organization may have. While most of these individuals are likely identified in other categories, from a security perspective it is essential that there are no gaps, particularly where individuals may have responsibility for responding to a terrorist-related emergency. As a result of this analysis, TSA proposes that employees who perform functions with a direct nexus to, or impact on, transportation security be designated as ``security-sensitive employees'' based on their job functions. While TSA has proposed a specific list of job functions relevant to the mode, these roughly fall into similar categories. Table 6 aligns these categories with the definitions of frontline employee in the 9/11 Act. Table 6--Comparison of Security Training NPRM Proposed Categories for ``Security-Sensitive Employees'' to 9/11 Act Definitions of ``Frontline Employees'' Who Must Be Trained ---------------------------------------------------------------------------------------------------------------- 9/11 Act--Definitions of frontline employees -------------------------------------------------------------------------- Proposed rule--security-sensitive job 6 U.S.C. 1151(6) 6 U.S.C. 1131(4) Public functions Railroad frontline transportation 6 U.S.C. 1151(5) OTRB employees frontline employees * frontline employees ---------------------------------------------------------------------------------------------------------------- A. Operating a vehicle............... Locomotive engineers, Transit vehicle driver Drivers. conductors, trainmen, or operator. and other onboard employees. B. Inspecting and maintaining Maintenance and Maintenance and Maintenance and vehicles. maintenance support maintenance support maintenance support personnel, and bridge employee. personnel. tenders. C. Inspecting or maintaining building ....................... ....................... ....................... or transportation infrastructure. D. Controlling dispatch or movement Dispatchers............ Dispatchers............ Dispatchers. of a vehicle. E. Providing security of the owner/ Security personnel..... Security employee, or Security personnel. operator's equipment and property. transit police. [[Page 91354]] F. Loading or unloading cargo or Locomotive engineers, Station attendant, Ticket agents [and] baggage and/or. conductors, and other customer service other terminal G. Interacting with travelling public onboard employees. employee, and any employees. (on board a vehicle or within a other employee who has transportation facility). direct contact with riders on a regular basis. H. Complying with security programs Any other employees of Any other employee of a Other employees of an or measures, including those railroad carriers that public transportation over-the-road bus required by federal law (a catch-all the Secretary agency that the operator or terminal category that would include a small determines should Secretary determines owner or operator that number of employees such as security receive security should receive the Secretary coordinators and any other training. security training. determines should individuals who may have receive security responsibility for carrying out training. aspects of the owner/operator's security program or measures who are not otherwise identified in the previous categories). ---------------------------------------------------------------------------------------------------------------- * Definition of 1151(6) applies to passenger rail operations. In general, TSA proposes to define mode-specific ``security- sensitive employees'' as employees performing one of the security- sensitive job functions identified in a proposed appendix for each part. The definition of ``employee'' in proposed Sec. 1570.3 includes immediate supervisors, contractors, and other authorized representatives. The intent is that anyone who performs a security- sensitive function must have the training, including managers, supervisors, or others who perform the function or who so directly supervise the performance of a function that their nexus to the job function is equivalent to the employee. For example, a yardmaster in freight railroad operations would be considered a security-sensitive employee because he or she directs security-sensitive functions, even if not in the direct management chain of all individuals performing those functions. At the same time, individuals within a corporate structure who neither perform a security-sensitive function nor have direct management responsibilities over individuals who do are unlikely to have a position within the corporation with a significant nexus to transportation. To the extent there are such individuals in the management structure, they would not be considered ``security- sensitive'' employees. In choosing the term ``security-sensitive employee,'' TSA recognized the relationship of this proposed rule to other regulatory requirements applicable to the population covered by this proposed rule. The Department of Transportation uses the terms ``safety- sensitive function'' and ``safety-sensitive employees'' in its regulations to identify employees whose functions require special measures to ensure (emphasis added) safety, such as drug and alcohol testing and rules governing hours of service.\81\ TSA proposes using the term ``security-sensitive'' to identify employees whose job functions require special measures to enhance (emphasis added) security. --------------------------------------------------------------------------- \81\ See 49 CFR 40.1; see also 49 U.S.C. 20140, 21101-21108, 49 CFR parts 219 and 228, 49 CFR 382.107 (motor carriers), and 49 CFR 655.4 (public transportation). --------------------------------------------------------------------------- The scope of security-sensitive employees is broader than safety- sensitive employees. In other words, having analyzed the job functions that are regulated as safety-sensitive, TSA has determined that while there are some security-sensitive employees that may not be in safety- sensitive employees, there are no safety-sensitive employees that are not also security-sensitive employees. In the rail context, owner/ operators have already identified employees in safety-sensitive positions because they are covered by the Federal hours of service laws \82\ during a duty tour. Therefore, TSA proposes to include any rail employee subject to the Federal hours of service laws (49 U.S.C. 211) in the designation of security-sensitive employees to reduce the regulatory impact of identifying these individuals. To further reduce the impact of these proposed training requirements, TSA and DOT anticipate that owner/operators will provide training sessions that meet the requirements of DOT and the proposed requirements of TSA. --------------------------------------------------------------------------- \82\ 49 U.S.C. 21101 et seq. The relevant definitions are included in 49 U.S.C. 21101. --------------------------------------------------------------------------- TSA also recognizes that each mode covered by the NPRM has unique operating environments and functions. To address unique aspects of each mode, the security-sensitive functions are identified in mode-specific tables within the proposed rule.\83\ These tables provide general categories and accompanying modal-specific security-sensitive functions. All employees performing ``security-sensitive functions'' as described in the appendices must be trained. The table in proposed part 1580 Appendix B is unique in that it includes examples of the job titles related to these functions based on historic use of these terms for railroads. The job titles, however, are provided solely as a resource to help understand the functions described; whether an employee must be trained is based upon the function, not the job title. --------------------------------------------------------------------------- \83\ See proposed Appendices B to parts 1580 (freight railroad), 1582 (passenger railroad and public transportation), and 1584 (OTRB). --------------------------------------------------------------------------- TSA encourages owner/operators to consider other employees within a corporate structure who may not be performing a security-sensitive function as identified in the proposed rule, but who could provide an additional layer of security if they received security training. Furthermore, if an owner/operator identifies positions or functions not listed by TSA as security-sensitive, but which have the nexus to transportation security that is intended to be covered by the proposed rule, TSA would encourage the owner/operator to identify and include those employees within its security training program. Finally, TSA is aware that some freight rail employees identified as [[Page 91355]] ``security-sensitive'' may also be considered ``hazmat employees'' and, therefore, subject to security training under 49 CFR 172.704 (these provisions are part of the hazardous materials regulations promulgated by PHMSA). It is not, however, a one-to-one correlation as determining which employees should be identified as ``security-sensitive'' for purposes of receiving training under this proposed rule is not the same analysis as that conducted for determining if an individual meets the definition of ``hazmat employees'' who must receive training under the PHMSA rule. As a result, there may be some overlap, but the group of individual employees that must be trained under the separate rules is unlikely to be identical. The effect of the overlap on training requirements is further discussed in section III.G of this NPRM. F. Security Programs--Applicability (Sec. Sec. 1580.301, 1582.301, and 1584.301) As previously noted, the 9/11 Act mandates regulations requiring security training for frontline employees of public transportation agencies (6 U.S.C. 1137); railroads (6 U.S.C. 1167); and OTRBs (6 U.S.C. 1184). In implementing these requirements, TSA considered the operations and security risks associated with each mode identified in the 9/11 Act. This analysis determined risk consistent with DHS's official definition of risk as the ``potential for an adverse outcome assessed as a function of threats, vulnerabilities, and consequences associated with an incident, event, or occurrence.'' \84\ As TSA focuses on the risk associated with acts of terrorism, this analysis considers threat as informed by intelligence, potential consequences of a terrorist attack, and inherent vulnerabilities in transportation systems and operations. --------------------------------------------------------------------------- \84\ DHS Risk Lexicon, 2010 Edition, at 27. --------------------------------------------------------------------------- In general, the security training requirements of this proposed rule would apply to owner/operators \85\ with operations that meet the criteria identified in Sec. Sec. 1580.301, 1582.301, and 1584.301. From a counter-terrorism perspective, TSA has determined that less than 300 out of approximately 10,000 surface transportation operations meet this criteria. Consistent with its commitment to a risk-based approach to transportation security, the proposed rule would only apply to these higher-risk operations. Nonetheless, TSA also encourages lower-risk operations to implement security training programs consistent with the requirements in this proposed rule. --------------------------------------------------------------------------- \85\ See proposed definition of ``owner/operator'' in Sec. 1500.3 and discussion of terms in section III.A.1, Table 3, of this NPRM. --------------------------------------------------------------------------- While the proposed criteria assume general similarities for operations within each mode, TSA recognizes that not all owner/ operators have similar corporate structures and that there are many considerations affecting organizational decisions. TSA considered an applicability determination that would require a parent corporation to provide security training to its employees if one subsidiary triggered the requirements. But there may be some owner/operators that are subsidiaries of subsidiaries to a parent company that have no other transportation-related assets. Recognizing these variations in corporate structure, TSA is proposing to limit the requirements to the level of the subsidiary whose operations would trigger applicability. During the review and approval process, TSA would work with owner/ operators in an effort to address any compliance issues based on corporate structure. For example, owner/operator A may be organized to make each regional area a separate subsidiary. As such, only the subsidiary that meets the applicability requirements would be required to develop a security training program. Owner/operator B may be a single entity for purposes of corporate-legal structure, with branches rather than subsidiaries providing service on specific routes. Under the rule, the entire corporation would be subject to the requirements based on the operations of one route. In this situation, owner/operator A could choose to submit a proposed alternative that would apply the requirements to branches and a handful of headquarters or other regional employees that provide them operational support. The submission requirements and procedures for requesting alternative measures are discussed in section III.D.3 of this NPRM. The following section describes how TSA considered each of these risk elements in determining applicability for the proposed rule. 1. Freight Railroad Approximately 574 freight railroads operate on the general railroad system of transportation in the United States.\86\ The general railroad system of transportation is a shared rail network in which multiple railroad operators may use the same tracks for multiple purposes. Thus, a very small railroad operator may be using the same tracks as a large operator, and a freight railroad will often operate on the same tracks as a passenger rail operator. The geographic scope of this mode includes railroads operating on nearly 140,000 miles of track throughout North America.\87\ The freight rail system transports 40 percent of intercity freight volume and approximately one-third of U.S. exports to ports and other distribution centers.\88\ Commodities and products include consumer goods, agriculture and food products, motor vehicles, coal, chemicals, paper and lumber, and other commodities including ores, petroleum, and minerals.\89\ In addition, freight rail lines are used for the operation of most of the commuter and intercity passenger railroads outside of the northeast corridor and freight rail personnel are sometimes used, on a contractual basis, to operate passenger trains. --------------------------------------------------------------------------- \86\ Under 49 CFR part 209, Appendix A, the ``general railroad system of transportation'' is defined as ``the network of standard gage track over which goods may be transported throughout the nation and passengers may travel between cities and within metropolitan and suburban areas.'' \87\ Association of American Railroads (AAR), ``Railroad Facts, 2014 Edition'' at pgs. 3 and 5 (2014). \88\ Id. \89\ Id. --------------------------------------------------------------------------- Class I railroads \90\ account for 69 percent of U.S. freight rail mileage and 90 percent of the employees. They are the only providers of intercity freight rail transportation, supporting major economic sectors in 44 states. Outside of the Northeast Corridor, Amtrak is dependent on Class I railroads for its operations--over 70 percent of Amtrak's routes operate on track owned by other railroads.\91\ --------------------------------------------------------------------------- \90\ TSA is not modifying the definition of ``Class I'' in current 49 CFR part 1580, which incorporates by reference the Surface Transportation Board's classification of railroads based on annual operating revenues. The following are currently designated as Class I railroads: BNSF Railway, CSX Transportation, Grand Trunk Corporation, Kansas City Southern Railway, Norfolk Southern Combined Railroad Subsidiaries, Soo Line Corporation, and Union Pacific Railroad. \91\ See DeGood, Kevin, ``Understanding Amtrak and the Importance of Passenger Rail in the United States'' (posted June 4, 2015), available at https://www.americanprogress.org/issues/economy/report/2015/06/04/114298/understanding-amtrak-and-the-importance-of-passenger-rail-in-the-united-states/. See also Amtrak, ``A Message from Amtrak Regarding On-Time Performance'' (posted Feb. 8, 2015), available at https://blog.amtrak.com/2015/02/message-amtrak-regarding-time-performance/. --------------------------------------------------------------------------- Threat Intelligence reviews of various attacks worldwide, as well as analysis of seized documents and the interrogation of captured and arrested suspects, reveal historic interest in carrying out attacks on railroad systems. For freight rail, the threat is greatest for shipments of RSSM, such as poison or toxic inhalation hazards (TIH), which could be directly [[Page 91356]] targeted or used as a weapon of mass effect with devastating physical and psychological consequences. Materials designated as RSSM are a subset of hazardous materials designated by PHMSA under 49 CFR 172.800(b).\92\ --------------------------------------------------------------------------- \92\ TSA is proposing to adopt the list in 49 CFR 172.800(b) for purposes of meeting the requirement in sec. 1501 of the 9/11 Act to define transportation-related security-sensitive materials. This definition is discussed in section III.A.2 of this NPRM. --------------------------------------------------------------------------- Vulnerability The diversity and expanse of the North American railroad system presents a unique preparedness challenge related to preventing, responding to, and recovering from potentially devastating effects. The rail network is vast and the owner/operators vary in size and communities served. Numerous passenger and commuter rail systems throughout the country operate at least partially over tracks or rights-of-way owned by freight railroads. Consequences The interdependency of the railroad infrastructure--bridges, tunnels, dispatch and control centers, tracks, signals, and switches-- means that threats and incidents affecting one railroad could impact many others on the general railroad system of transportation. A successful terrorist attack on the U.S. rail system could affect the functioning of private businesses and the government, and cause cascading effects far beyond the targeted physical location. Such an attack could result in significant losses in terms of human casualties, property destruction, and economic effects, as well as damage to public morale and confidence. Disruption or delay of rail service would also have adverse impacts on other sectors. For example, freight railroads have a critical role in the support of the energy sector and are responsible for the transportation of more than 70 percent of all U.S. coal shipments. They are also a critical part of the supply chain for military weapons and supplies. While railroads have been able to quickly respond to delays caused by natural disasters, such as the 2013 flooding in Colorado that washed-out tracks and delayed coal shipments and Amtrak service, this requires rerouting and can cause significant over-crowding and delays on lines used to move passengers and cargo pending restoration of damaged infrastructure.\93\ Similarly, the release of TIH or other materials designated as RSSM could be catastrophic if it occurs in a metropolitan area or near critical resources that could be contaminated by the release. --------------------------------------------------------------------------- \93\ See ``Colorado floods wash out tracks, delay coal shipments, Amtrak service,'' The Denver Post (Sept. 16, 2013), available at https://www.denverpost.com/2013/09/16/colorado-floods-wash-out-tracks-delay-coal-shipments-amtrak-service/. --------------------------------------------------------------------------- Risk Determination TSA has determined that the highest-risk freight railroads are those designated as Class I based on their revenue (over $72.9 billion in 2013) and the Nation's dependence on these systems to move both freight in support of critical sectors and passengers. Similarly, there are other shortlines (also known as Class II or Class III railroads) that are also higher-risk because they transport RSSM through HTUAs. Finally, to the extent the preceding does not capture freight railroads hosting higher-risk passenger railroads, the hosting relationship and dual use of infrastructure puts such railroads into the higher-risk category. Proposed Applicability Based on this risk determination, TSA is proposing to cover a railroad if it is designated as Class I, transports RSSM in one or more of the areas listed in current Appendix A to 49 CFR part 1580, or hosts a higher-risk rail operation (including freight railroads and the intercity or commuter systems identified in proposed Sec. 1582.101). This would cover approximately 36 freight railroads. In proposing this applicability, TSA recognizes that joint operations are common within this industry and include agreements such as allowing another railroad carrier to operate over track it does not own.\94\ In these situations, the ``host railroad'' that owns the track exercises operational control of the movement of trains of the other railroads (the ``tenant'' railroads) while they are using that track.\95\ Under the proposed rule, both the host and tenant railroads would be required to have a training program that appropriately addresses the ramifications of the hosting relationship. For example, the host railroad's training program would need to address the operational considerations of the hosting relationship, such as training dispatchers on their role and responsibilities in halting the tenant railroad's operations over a segment of track that has just been destroyed by an IED. Similarly, a tenant railroad subject to the security training requirements of proposed 49 CFR part 1582 (PTPR), would need to address the operational considerations of the hosting relationship, such as instructing its train and engine employees on the proper communication procedures to follow when informing the host railroad of a suspicious package blocking the track. Under either example, the host and tenant railroad owner/operators would only be responsible for training their own employees. --------------------------------------------------------------------------- \94\ TSA's use of this term in this proposed rule is consistent with industry's general understanding of its meaning and 49 CFR 239.7, which defines ``joint operations'' as ``rail operations conducted by more than one railroad on the same track, except as necessary for the purpose of interchange, regardless of whether such operations are the result of: (1) Contractual arrangements between the railroads; (2) Order of a government agency or a court of law: or (3) Any other legally binding directive.'' \95\ In recognition of these situations, TSA is proposing to add a definition of the term ``host railroad'' to 49 CFR 1500.3. The term ``host railroad'' is defined to mean ``a railroad that has effective control over a segment of track.'' --------------------------------------------------------------------------- TSA also understands that some commuter passenger train services are owned by public transportation agencies, but operated by private companies (such as freight railroad carriers). This is not a hosting relationship. In this situation, TSA would consider the freight railroad carrier (the private company) to be a contractor of the PTPR owner/operator (the owner/operator of the passenger train service). TSA would hold the PTPR owner/operator primarily responsible for compliance and for ensuring that all security-sensitive employees receive the required training, whether they are employed directly by the PTPR owner/operator or contractor. In other words, the PTPR owner/operator would have the obligation to train the freight railroad carrier's employees that are performing security-sensitive functions related to the passenger train service. To the extent the contract between the PTPR owner/operator and the freight railroad includes a provision for the freight railroad to train its own employees, such training would need to be documented in the PTPR owner/operator's security training program. TSA would expect the passenger operation to clearly state in its security training program, as part of the submission process under proposed 49 CFR 1570.109, that the freight railroad carrier would conduct the training and provide the required information on that training. Alternative Considered TSA considered expanding the applicability of the proposed rule to a broader scope of owner/operators that would be responsible for developing their own security training program. The parameters for this alternative population include all freight railroad owner/operators operating within, or through, any geographic areas [[Page 91357]] designated for purposes of the FY 2015 Urban Area Security Initiative (UASI) Program regions. TSA estimates that this alternative would cover a total of 69 freight railroads in 26 metropolitan areas. TSA estimates that this alternative would have a cost of approximately $91.99 million for freight railroad owner/operators over a 10-year period (at a 7 percent discount rate). The basis for the estimates of benefits and costs are included in the RIA for this rulemaking, which is included in the public docket. TSA rejected this alternative because the agency has determined that the proposed applicability aligns with its commitment to risk- based security policy and outcomes-based regulation. TSA has consistently recognized the security risks associated with transport of RSSM through the areas identified in Appendix A to current 49 CFR part 1580. The security basis for identifying these areas has not changed. Furthermore, expanding beyond the proposed applicability was unnecessary to gain the intended security benefits as it would not represent a corresponding expansion of employees trained since 90 percent of railroad employees would receive training as a result of the proposed rule's applicability. Additionally, when compared to the ten- year costs of the proposed applicability rule for freight railroad owner/operators ($90.74 million at 7 percent), this alternative would result in $1.25 million in additional costs. 2. Public Transportation and Passenger Railroads There are more than 7,000 PTPR systems operating in the United States.\96\ As part of an intermodal system of transportation, commuter passenger railroads provide critical regional services, such as between a central city and adjacent suburbs during morning and evening peak periods, as well as connecting to other modes of transportation through multimodal systems and within multimodal infrastructures. Since 1995, public transit ridership is up 39 percent, outpacing population growth, which is up 21 percent, and vehicle miles traveled (VMT), which is up 25 percent.\97\ While passenger railroads primarily operate on the same track as freight railroads, they have many similarities to public transportation because of the operational concerns related to transporting people. Amtrak operates the Nation's primary intercity passenger rail service over a 22,000-mile network (primarily over leased, freight railroad tracks), serving more than 500 stations in 46 states and the District of Columbia. Many of these stations are multimodal transportation facilities located in higher-risk areas. --------------------------------------------------------------------------- \96\ APTA, ``2014 Public Transportation Fact Book,'' 65th Edition, at 6, (Nov. 2014), available at https://www.apta.com/resources/statistics/Documents/FactBook/2014-APTA-Fact-Book.pdf. \97\ See ``Quick Facts'' on APTA's Web site as of Jan. 27, 2016, available at https://www.apta.com/mediacenter/ptbenefits/Pages/default.aspx. --------------------------------------------------------------------------- Threat Based on incidents in other countries, TSA assesses that terrorists view PTPR systems as attractive targets because they carry large numbers of people, are open and easily accessible to the public, are critical to regional transportation systems, and are vital to local economies. Terrorists have targeted rail and bus systems overseas. Notable incidents include the sarin gas attacks on the Tokyo subway system in April 1995; the multiple detonations of IEDs left on commuter trains in Madrid in March 2004; the multiple suicide attacks employing IEDs on the London Underground and a double-decker bus in London in July 2005; the multiple detonations of IEDs on commuter trains in the greater Mumbai area in July 2006; and, the double suicide attacks and two incidents of IED detonations in Dagestan and Moscow, respectively, in March, June, and August 2010. TSA's Office of Intelligence and Analysis assesses with high confidence that terrorists remain intent on perpetrating attacks against this mode. In the period between January 1 and December 31, 2014, there were 144 reported attacks on mass transit systems overseas. Of these attacks, 76 targeted buses and associated infrastructure and 68 targeted mass transit and passenger rail systems and associated infrastructure. Vulnerability Attributes of PTPR systems essential to their efficiency also create potential security vulnerabilities that terrorists seek to exploit. Unlike strict access controls applicable to air transport, the public transportation system's multiple stops and interchanges lead to high passenger turnover, which is difficult to monitor effectively. In addition, the broad geographical coverage of passenger rail networks provides numerous options for access and getaway and affords the ability to use the system itself as the means to reach the location to conduct the attack. Consequences A potential terrorist attack on a public transportation center in a major metropolitan area can result in a large number of victims, both killed and wounded, as well as significant infrastructure damage. Rail system bombings in Madrid, London, and Mumbai--all involving use of multiple IEDs--are tragic reminders of this reality. Attacks could be isolated, having minimal effect on the total operating system, or could result in a major impact that has national implications: an attack on an intercity passenger railroad operating on the general system of transportation could potentially shut down railroad operation support for specific sectors. The disruption of any portion of the operation can confuse the public, directly affect businesses, and lead to panic. Attacks on multiple portions of a PTPR system exacerbate these impacts. Risk Determination In the context of resource allocations under the Transit Security Grant Program (TSGP), DHS has determined the highest transit-specific risk areas and transit systems using a model approved by the Secretary and vetted by Congress.\98\ DHS has consistently considered several factors when determining risk for PTPR, including credible and specific international and domestic terrorist threats based on information provided by the intelligence community, system and infrastructure vulnerabilities, and consequences primarily in terms of the impact on the mission. As the mission of PTPR systems is to transport people, the consequences include the potential for devastating casualties.\99\ TSA believes this model is an appropriate method for determining applicability for purposes of this rulemaking. --------------------------------------------------------------------------- \98\ Federal Emergency Management Agency (FEMA) Grant Programs Directorate, ``Risk Methodology, Fiscal Year 2015 Report to Congress, Calculating Risk for the FY 2015 DHS Preparedness Grant Programs'' (December 21, 2015). \99\ Id. at 25-26. --------------------------------------------------------------------------- An analysis of the transit-specific risk scores developed using the DHS method indicates a natural and significant break in the risk curve (delta between risk scores of one urban area to the next) between the top eight regions with the highest transit-specific risk and the others.\100\ When combined, these areas represent over 94 percent of the total transit-specific risk to all urban areas across the Nation. Within each of these areas, DHS has identified the systems with the highest-risk based on considerations related to ridership, location of services provided (use of the same stations and stops), and [[Page 91358]] relationship between feeder and primary systems. --------------------------------------------------------------------------- \100\ This analysis is based on SSI and/or classified intelligence information. As a result, TSA may not share details of the information or the analysis. --------------------------------------------------------------------------- Proposed Applicability Using this criteria, TSA is proposing to apply the requirements of this proposed rule to the systems identified in proposed 49 CFR part 1582, Appendix A. These 47 PTPR systems (46 PTPR plus Amtrak) are the systems with the highest risk operating in the eight regions with the highest transit-specific risk. Applying the rule's requirements to these 47 PTPR systems, corresponds to enhanced security for more than 80 percent of all PTPR passengers. TSA is also proposing to apply the requirements to any PTPR owner/ operator that hosts a high-risk freight railroad as identified in proposed Sec. 1580.101. The reasons previously discussed for the parallel applicability to freight railroads in a hosting relationship with a high-risk passenger railroad apply equally to passenger railroads hosting high-risk freight railroads. Alternative Considered TSA considered expanding the applicability of a security training program to a broader scope of owner/operators. The parameters for this alternative population include all PTPR operations within or through a UASI region. TSA estimates that this alternative would cover a total of 253 PTPR owner/operators in 26 metropolitan areas. TSA estimates that this alternative would have a cost of approximately $127.88 million for PTPR owner/operators over a 10-year period (at a 7 percent discount rate). The basis for the estimates of benefits and costs are included in the RIA for this rulemaking, which is included in the public docket. TSA rejected this alternative because the agency has determined that the proposed applicability aligns with its commitment to risk- based security policy and outcomes-based regulation. The risk analysis used for developing the TSGP funding allocations begins with identification of the UASI regions and then takes into consideration unique aspects of PTPR operations within that UASI in light of known risks. To adopt the UASI designations for applicability would ignore the second, critical step of the analysis used for TSGP allocations. By linking applicability to those agencies that have historically and consistently been designated as highest-risk for purposes of TSGP funding allocation, the proposed applicability links the greatest regulatory burden to those systems that the Federal government has determined merit the greatest funding allocations to address security. The majority of the funding under the TSGP goes to the highest-risk regions to ensure the greater risk is being addressed (94 percent in FY 15 and 95 percent in FY 14). Based on these considerations, the negative impact of a broader regulatory requirement would not have a corresponding benefit to security--especially recognizing that the systems covered under the proposed applicability transport 80 percent of the PTPR ridership. Additionally, when compared to the ten-year costs of the proposed applicability rule for PTPR owner/operators ($53.14 million at 7%), this alternative would result in $74.74 million in additional costs. 3. Over-the-Road Buses Highways are the largest and most prevalent component of the Nation's transportation network. Virtually every location within the continental United States is accessible by highway. The system today encompasses more than four million miles of roadway on which more than 600,000 bridges and 650 tunnels offer possible chokepoints. Within that system, commercial buses offer the most cost-effective intercity transportation to thousands of communities. For many people, fixed- route, intercity bus service is the only alternative to private vehicles. It is estimated that there are over 3,300 private OTRB owner/ operators operating approximately 29,000 buses and employing over 118,000 people in full and part-time jobs within the United States.\101\ These owner/operators primarily conduct interstate operations that include wholly-owned bus terminals, shared terminals with other transportation modes (such as passenger rail), or pre- determined pick-up and drop-off locations (which may not be on the owner/operator's property). --------------------------------------------------------------------------- \101\ For purposes of this discussion, an OTRB is considered the same as a motorcoach, which is consistent with the industry's interchangeable use of this term. For example, the Motorcoach Census 2015, commissioned by the American Bus Association (ABA), states: ``a motorcoach, or over-the-road bus (OTRB), is defined as a vehicle designed for long-distance transportation of passengers, characterized by integral construction with an elevated passenger deck located over a baggage compartment. It is at least 35 feet in length with a capacity of more than 30 passengers . . . . This definition of a motorcoach excludes the typical city transit bus city sightseeing buses, such as double-decker buses and trolleys.'' See ABA, ``Motorcoach Census 2015,'' at 7 (Feb. 11, 2016), available at https://www.buses.org/assets/images/uploads/general/Motorcoach%20Census%202015.pdf. --------------------------------------------------------------------------- In general, OTRBs have an average capacity of 55-60 passengers per bus and carry approximately 751 million passengers annually to thousands of destinations within the United States and to/from Canada and Mexico. Destinations include urban areas and passenger transfer points with close proximity to many of the most iconic and valuable sites in the Nation. Threat According to TSA's intelligence analysts and subject matter experts, buses represent attractive targets for terrorists, especially as it relates to hijacking, because they can be used as a vehicle-borne improvised explosive device (VBIED), provide the potential for large numbers of casualties, or could serve as a source for hostages. While there has not been a terrorist attack against a bus in the United States, threats and terrorist actions against motor coaches have occurred in other nations, including Israel, Spain, and the United Kingdom. As the Volpe National Transportation Systems Center noted, the industry provides terrorists with a ``physically dispersed, easily accessed, high volume, target rich environment with potential for mass casualties.'' \102\ Over-the-Road Buses ``serve all large metropolitan areas and travel in close proximity to some of the nation's most visible and populated sites, such as sporting events, major tourist attractions, and national landmarks.'' \103\ --------------------------------------------------------------------------- \102\ Volpe National Transportation Systems Center, ``Security Enhancement Study for the U.S. Motorcoach Industry,'' at vii (May 2003), available at https://ntl.bts.gov/lib/55000/55200/55204/Security_enhancement_motorcoach_industry_exec_summ.pdf. \103\ Id. --------------------------------------------------------------------------- TSA identifies that the most likely threat would be represented by an IED brought aboard by a passenger or delivered by another vehicle in close proximity to the OTRB. There is also the potential threat of an attacker intent on capturing control of the bus and using it as a delivery system for a weapon of mass destruction against a high-value destination. Terrorists with access to this type of vehicle could use its capacity to transport as much as 12 tons of explosives. Coupled with the use of such vehicles in urban centers and in daily proximity to high-value buildings or venues, an OTRB could serve as a VBIED. Vulnerability Over-the-Road Buses travel on open roads, often on scheduled and predictable routes, with only a driver and passengers. While OTRBs are used to transport large volumes of passengers and baggage (either in the under-floor storage area or accessible to the [[Page 91359]] passenger), most owner/operators do not screen passengers and baggage for threats. Furthermore, OTRBs generally have large cargo compartments that can be reached without boarding the bus. As previously noted, a high number of OTRBs operate in urban settings and have the ability to gain close proximity to high-profile targets and highly-populated areas. These operations are vulnerable to a potential terrorist-- providing frequent and predictable access to a vehicle that could either be targeted or exploited by an individual with malicious intent: It is relatively easy to perform reconnaissance, purchase a ticket, and travel anonymously with baggage that does not undergo screening. Consequences The consequence of a successful attack on an individual OTRB in a remote location is assumed to be the loss of the vehicle and many of its passengers. The same vehicle as a VBIED aimed at a high-value target is much greater. The National Counterterrorism Center (NCTC) states that one VBIED containing 4,000 kg of homemade explosives is equivalent to 200 pipe bombs or 20 suicide vests.\104\ --------------------------------------------------------------------------- \104\ See ``TNT EQUIVALENTS'' at https://www.nctc.gov/site/methods.html#sarin. --------------------------------------------------------------------------- Risk Determination While it is possible an OTRB could be the target of a terrorist attack, it is more likely that an OTRB would be used to deliver an IED, making the bus a VBIED that could be used to target an urban area. This risk determination reflects that a terrorist could obtain access to a large vehicle by simply purchasing a ticket for a fixed-route OTRB travelling to the target region (with specific knowledge of where the bus would transfer passengers and any close proximity that could provide to other targets). Because the risk involving an OTRB as a VBIED is primarily to the targeted urban area, TSA relied on a risk model developed by DHS to determine highest-risk urban areas for the UASI grant program.\105\ This model has been approved by the Secretary of Homeland Security and vetted by Congress as an appropriate method to determine risk to an individual city or urban area. As with PTPR, there is a natural and significant break in the risk curve (delta of risk scores or one urban area to the next). --------------------------------------------------------------------------- \105\ The UASI program is intended to assist ``high-threat, high-density Urban Areas in efforts to build and sustain the capabilities necessary to prevent, protect against, mitigate, respond to, and recover from acts of terrorism.'' See DHS, ``Notice of Funding Opportunity: Fiscal Year 2015 Homeland Security Grant Program,'' at 2 (FY 15 UASI Allocations), available at https://www.fema.gov/media-library-data/1429291822887-7f203c9296fde6160b727475532c7796/FY2015HSGP_NOFO_v3.pdf. See also supra, at n. 98. --------------------------------------------------------------------------- Proposed Applicability TSA proposes to apply the requirements of this rule to owner/ operators providing fixed-route service in the 10 areas identified in proposed 49 CFR part 1584, Appendix A.\106\ These 10 areas are those that receive the highest funding allocation under the FY 2015 UASI grant program. UASI funds are allocated based on a risk methodology employed by DHS and Federal Emergency Management Agency (FEMA). Together, these 10 urban areas were allocated 88 percent of total UASI funds based on risk to these 10 regions.\107\ --------------------------------------------------------------------------- \106\ ``Fixed-route service'' is defined in proposed Sec. 1500.3 to mean, ``the provision of transportation service by private entities operated a long a prescribed route according to a fixed schedule.'' \107\ See FY 2015 UASI Allocations, supra n.105. --------------------------------------------------------------------------- The determining factor for whether a fixed-route OTRB owner/ operator is within the scope of the proposed rule is not where they are headquartered, but where they provide service. In proposing this applicability, TSA considered factors that could make an OTRB a potential target for a terrorist attack, including its visibility (the size of its operations), the extent to which its schedule is publicly available, whether or not it is relatively easy for unknown individuals to board the bus, and whether the bus would have ease of access to high-consequence locations. TSA is aware that some private companies provide commuter services that may trigger applicability of the proposed rule. Diagram A provides a flowchart to assist with determining if the proposed rule would apply. [[Page 91360]] [GRAPHIC] [TIFF OMITTED] TP16DE16.013 TSA estimates that the applicability of the proposed rule would apply to approximately 202 OTRB owner/operators. Alternative Considered TSA considered expanding the applicability of a security training program to OTRB owner/operators operating within or through one or more of the UASI regions. TSA estimates that this alternative would cover a total of 403 owner/operators in 26 metropolitan areas in year one of the regulation. TSA estimates that this alternative would have a cost of approximately $22.09 million for OTRB owner/operators over a 10-year period (at a 7 percent discount rate). The basis for the estimates of benefits and costs are included in the RIA for this rulemaking, which is included in the public docket. TSA rejected this alternative because the agency has determined that the proposed rule better aligns with its commitment to risk-based security policy and outcomes-based regulation. As previously noted, while it is possible an OTRB could be the target of a terrorist attack, it is more likely that an OTRB would be used to deliver an IED-making the bus a VBIED that could be used to target an urban area. While there are more UASI regions than those covered by the proposed rule, the areas identified in proposed Appendix A to part 1584 represent those with the highest-risk. Additionally, when compared to the ten-year costs of the proposed applicability rule for OTRB owner/operators ($12.08 million at 7 percent), this alternative would result in $10.01 million in additional costs. 4. Foreign Owner/Operators While the proposed applicability provisions for security training do not specifically reference foreign owner/operators,\108\ the employees who must be trained include any employee performing a security-sensitive function ``in the United States or in direct support of the common carriage of persons or property between a place in the United States and any place outside the United States.'' \109\ Therefore, the training requirements of this proposed rule would apply equally to domestic owner/operators and foreign owner/operators with employees performing covered functions within the United States or in support of operations within the United States. For example, if a Canadian OTRB owner/operator has fixed-route service that begins at a point in Canada and transits through an area identified in proposed part 1584, Appendix A before concluding at a point in Mexico, any employees operating that bus providing maintenance or inspection services, providing dispatch information, or performing any other security-sensitive function for that bus affecting its operations within the United States would need to be trained and the owner/ operator would need to submit a training plan to TSA for approval. Where the function is being performed, in essence whether the employee is performing the security-sensitive function at a location in Canada or along the route in the United States, is irrelevant. --------------------------------------------------------------------------- \108\ See proposed Sec. Sec. 1580.101 (freight railroads), 1582.101 (PTPR), and 1584.101 (OTRBs). \109\ See proposed Sec. Sec. 1580.3 (freight railroads), 1582.3 (PTPR), and 1584.3 (OTRBs). --------------------------------------------------------------------------- In addition, while foreign owner/operators providing service in the United States would be required to have a security coordinator and alternate, foreign owner/operators would only be required to report potential threats and significant security concerns for operations in the United States or transportation to, from, or within the [[Page 91361]] United States. Foreign freight railroad owner/operators currently meet this requirement under the requirements of current 49 CFR part 1580. This approach is also consistent with that taken by the FRA. 5. Preemption While current 49 CFR part 1580 includes a preemption provision, which will be carried over to the proposed revisions of part 1580 and addition of part 1582, that provision is based upon the specific statutory preemption in 49 U.S.C. 20106. There is no similar statutory provision for the other modes of transportation covered by this proposed rule. Therefore, TSA has not included preemption provisions for the other modes. Furthermore, based on TSA's experience with the implementation of 49 CFR part 1580 since it was finalized in 2008, it has not become aware of any State, local, or tribal laws, regulations, or orders that would be inconsistent with the provisions of this NPRM nor were any concerns raised during the consultations discussed in section IV of this NPRM. TSA invites comments about specific laws, regulations, or orders that commenters believe would conflict with the provisions of the proposed rule. G. Security Program General Requirements (Sec. Sec. 1580.113, 1582.113, and 1584.113) Under proposed Sec. Sec. 1580.113, 1582.113, and 1584.113 owner/ operators identified in Sec. Sec. 1580.101, 1582.101, and 1584.101 would be required to adopt and implement a security training program that meets the requirements of the relevant subparts. TSA is deliberately proposing that owner/operators be required to ``adopt and implement'' rather than ``develop and implement'' training programs because TSA is aware that relevant training curriculum may already exist that aligns with most, if not all, of the curriculum requirements--including resources developed by TSA (which will be further discussed in section III.I and J. of this NPRM). 1. Information About the Owner/Operator This section includes proposed requirements for the content of the program to be submitted to TSA, including information regarding the owner/operator (paragraphs (b)(1) and (2)), scope of training (for example, number of employees to be trained by job function) (paragraph (b)(3)), implementation schedule for the training program (paragraph (b)(4)) consistent with the requirements of proposed Sec. 1570.111, and location of training records (paragraph (b)(5)) consistent with the requirements in proposed Sec. 1570.121. 2. Information on How Training Will Be Provided Proposed paragraphs (b)(6) through (9) require general information on the curriculum to be used to meet the training requirements, such as lesson plans, objectives, and modes of delivery. As previously noted, TSA is aware that some owner/operators would seek approval to use existing training programs, implemented to comply with other Federal requirements or other standards, to satisfy some or all of the requirements of this NPRM. Under proposed paragraph (b)(6), the curriculum or lesson plan for that program would need to be included in the training program submitted for TSA approval. For example, an owner/operator may have provided training on topics similar to those in the proposed rule to meet programs implemented to fulfill the HMR, such as those in 49 CFR part 172, or FRA safety/ evacuation training.\110\ In the training program submitted to TSA for approval, owner/operators using any of these training programs to meet the requirements of the proposed rule would also need to explain how the training programs selected meet TSA's requirements and are appropriate for the particular owner/operator. During review, TSA may need to request additional information from the owner/operator in order to determine if the courses selected meet this rule's requirements. --------------------------------------------------------------------------- \110\ See 49 CFR part 239. --------------------------------------------------------------------------- 3. Ensuring Supervision of Untrained Employees and Providing Notice of Changes Affecting Training Proposed paragraphs (b)(7) and (8) would require owner/operators to provide information on their plans for addressing specific requirements in Sec. Sec. 1580.115, 1582.115, and 1584.115. These include plans for ensuring untrained employees are properly supervised (as required by proposed Sec. Sec. 1580.115(a), 1582.115(a), and 1584.115(a)) and notifying employees of any changes that affect their training. For example, under proposed Sec. 1580.115(c) (similar provisions exist in Sec. Sec. 1582.115(c) and 1584.115(c)), employees must be trained on their responsibilities under the owner/operator's security plans and/or programs. If the security plans and/or programs change, the employee must be notified of how that change would affect the information they were provided during previously provided training. This would not affect the timing of recurrent training unless affected employees are required to participate in training courses as part of updates to the security program. 4. Methods for Determining Effectiveness of Training Proposed paragraph (b)(9) would require owner/operators to include in their training program a method for measuring the effectiveness of their training program. TSA would afford flexibility to each individual owner/operator to measure effectiveness of their security training program using methods and criteria appropriate for their operations. TSA does not prescribe the method in the proposed rule, but does propose that every training program specify the manner and method by which the effectiveness of the training program would be evaluated by the owner/operator. For example, TSA expects that some owner/operators would choose to administer a form of written test or evaluation to gauge their employees' level of knowledge, while others may rely upon operational tests conducted by supervisors to determine employees are being trained effectively. Similarly, TSA is not proposing to prescribe conditions for a pass/ fail policy that may be associated with post-training testing. While individual companies may elect to enforce pass/fail criteria with associated personnel actions, TSA is neither requiring this nor recommending a specified maximum number of times that an individual may take a test or evaluation to demonstrate knowledge and competency. As previously noted, the standards proposed by an owner/operator for determining training efficacy may affect TSA's approval of any alternative measures for compliance. TSA requests comments on this issue to further inform a final rule. 5. Relation to Other Training TSA is proposing paragraph (c) in recognition that many owner/ operators covered by this proposed rule are subject to training requirements under regulations of DOT that overlap with the training content identified in the 9/11 Act's requirements. For example, an owner/operator may have provided training on topics similar to those in the proposed rule to meet programs implemented under DOT hazardous material regulations,\111\ FRA safety/ [[Page 91362]] evacuation training,\112\ or Federal Transit Administration (FTA) Safety Management System training provided under a rail fixed guideway public transportation system's Transit Agency Safety Plan.\113\ Other training programs are addressed in section III.I of this NPRM. --------------------------------------------------------------------------- \111\ See, e.g., 49 CFR part 172. \112\ See 49 CFR part 239. \113\ See 49 CFR 674.29 and Appendix A to part 674. --------------------------------------------------------------------------- TSA does not expect owner/operators to duplicate training. If they are already subject to requirements to provide similar training, they can use that training to satisfy TSA's requirements. To the extent that an owner/operator intends to use existing training programs implemented to comply with other Federal requirements or other standards in order to satisfy some or all of the requirements of this NPRM, the program submitted to TSA for approval would need to identify how the other training would be used to satisfy TSA's requirements, such as the curriculum or lesson plan for that program. Proposed paragraph (c)(2) requires an index to be provided if the owner/operator chooses to submit all or part of an existing security training program to TSA for approval. The index would need to be organized in the same sequence as the content requirements in Sec. Sec. 1580.115, 1582.115, and 1584.115. Indexing is a necessary requirement if TSA is to provide flexibility for owner/operators to use existing training programs to satisfy this proposed rule. TSA may request additional information on the program through the review and approval process. H. Security Training and Knowledge for Security-Sensitive Employees (Sec. Sec. 1580.115, 1582.115, and 1584.115) 1. Training Required for Security-Sensitive Employees Any owner/operator required to have a security training program under Sec. Sec. 1580.101, 1582.101, or 1584.101, must provide security training to its security-sensitive employees. Consistent with the definition of employee in Sec. 1570.3, this requirement applies to any direct employee, contractor, employee of a contractor, or other authorized person who is compensated for performing a security- sensitive function on behalf of or for the benefit of the owner/ operator. For example, if an OTRB owner/operator does not employ any drivers directly, but uses drivers under contract, those drivers would need to be trained. Similarly, if an owner/operator has chosen to combine dispatch services with two affiliates of its parent corporation, the owner/operator required to provide security training to its direct employees would also be required to provide security training to any dispatchers providing services for its fleet. In some circumstances, security-sensitive functions may be performed by individuals not within the definition of ``employee'' for purposes of this NPRM. For example, police officers employed by a local law enforcement agency may be routinely patrolling the owner/operator's premises and/or operations. They would not be subject to the proposed rule unless there is a contractual relationship for the law enforcement agency to provide that service and the law enforcement officer is assigned to that location. In situations where the owner/operator has a dedicated police or security force, the members of that force assigned to work at the facility would need to have security training consistent with that required for other employees. For those situations where those personnel are not required to be trained, TSA would encourage law enforcement personnel regularly assigned to patrols at that location to receive the same training as the employees to enhance communication and cooperation in response to potential threats. 2. Limits on Use of Untrained Employees If a security-sensitive employee does not receive the required security training, under the proposed rule, that employee would be prohibited from performing a security-sensitive function unless he or she is under the direct supervision of a security-sensitive employee who has met the training requirements. While TSA is not defining the word ``direct,'' TSA would expect the supervisor to be located in reasonable proximity to the employee to supervise actions and provide the necessary level of security awareness and response capabilities. Further, even if an employee is directly supervised, TSA proposes to impose a 60-day limit for the amount of time that an employee may perform a security-sensitive function without receiving training. After 60 days, the proposed rule would require the owner/operator to remove the employee from a security-sensitive function; the owner/operator would, of course, retain the discretion to reassign the individual to other non-security-sensitive job functions. 3. Knowledge Required Consistent with other TSA regulations,\114\ TSA is proposing to require a training program that focuses on the specific knowledge provided to security-sensitive employees. The proposed rule affords flexibility for owner/operators to develop and implement a program that addresses the required components of the security training program in the context of their operational environments. --------------------------------------------------------------------------- \114\ See, e.g., 49 CFR 1548.11 (Training and knowledge for individuals with security-related duties) applicable to indirect air carriers). --------------------------------------------------------------------------- In developing the requirements, TSA considered the specifically enumerated subjects in the 9/11 Act, other Federal regulatory requirements, and curriculum elements already being provided by owner/ operators (based on information obtained as part of TSA's ongoing interaction with its stakeholders). TSA has organized these requirements into four broad categories: prepare, observe, assess, and respond. As noted in Diagram B below, all statutorily required program elements are included within these broad categories. For purposes of this discussion and Diagram B, the statutory requirements will be referenced as PT # (``PT'' aligns to 6 U.S.C. 1137 and the # with the relevant section in 1137(c)--for example, PT # 1 corresponds to 6 U.S.C. 1137(c)(1)); RR # (``RR'' aligns with requirements in 6 U.S.C. 1167 and the # with the relevant sections of 1167(c)); and OTRB # (``OTRB'' aligns with requirements in 6 U.S.C. 1184 and the # with the relevant section in 1184(c)). Other existing training that could be relevant to each of the categories is also identified in Diagram B as it could be useful to owner/operators in identifying existing training that could be used to satisfy the proposed regulatory requirements. The ``prepare'' category is intended to address training that may be specifically relevant to a particular job function. For example, an appropriate method for self-defense (as required by PT 3, RR 3, and OTRB 3) could vary based upon an employee's job and extent to which he or she interacts with the public. Similarly, an employee's role in operating and maintaining security equipment (as required by PT 10, RR 11, and OTRB 11) varies based upon the responsibilities of the employee. The ``prepare'' category would also address training on discharging any security responsibilities that security-sensitive employees may have under a security plan or measure. This proposed rule does not require any owner/operator to adopt or implement a [[Page 91363]] security plan or measures. TSA is aware, however, that many owner/ operators have security plans or measures that they developed voluntarily, to comply with federal requirements, or to qualify for Federal grants. To the extent these plans or procedures exist, employees must be trained in order to ensure these plans or measures are effective. Similar to the threat and incident prevention and response training, this portion of the training program would need to be tailored to the specific operation. TSA intends for training provided under this category to satisfy requirements for in-depth security training for ``hazmat employees'' as required by 49 CFR 172.704(a)(5). For freight railroads, the requirements in proposed Sec. 1580.115(c) include providing training on chain of custody and control requirements, as appropriate. This additional training is relevant to ensuring appropriate procedures are followed to comply with the security requirements in proposed subpart C to part 1580 (which contains the requirements in current Sec. Sec. 1580.103 and 1580.107). The ``observe'' category is intended to provide knowledge to increase a security-sensitive employee's observational skills. This category would address behavior recognition requirements of the 9/11 Act (PT 6, RR 6 and OTRB 6)--encompassing an understanding of unusual or abnormal behavior that should trigger a response by employees because of the potential that the behavior may indicate a threat to transportation security. It also addresses a requirement to be able to recognize dangerous or suspicious items, behavior, or situations (required by PT 8, RR 9, and OTRB 9). In general, this training focuses on recognizing the difference between what is normal for the operational environment and abnormalities that could indicate terrorist planning or imminent attack. Training delivered should teach the employees that suspicious activity is a combination of actions and individual behaviors that appear strange, inconsistent, or out of the ordinary for the employee's work environment. In most instances, it will not be a single factor, but a combination of factors taking place at a particular time and place, that will accurately identify a suspicious individual or act. The ``assess'' category requires providing knowledge of how to determine if what is observed requires a response and what those appropriate responses may be. TSA is aware that some stakeholders provide training that includes tools to help employees assess the seriousness of a threat. This category addresses requirements in the 9/ 11 Act (PT 1, RR1, and OTRB 1) as well as the security awareness training required for ``hazmat employees'' under 49 CFR 172.704(e)(4). The ``respond'' category includes training on security incident responses--including how to appropriately report a security threat, interact with the public and first responders at the scene of threat or incident, applicable uses of self-defense devices or protective equipment, and communication with passengers. This category addresses several elements of the 9/11 Act relating to communication and coordination (PT 2, RR 2, and OTRB 2), use of personal protective devices or equipment (PT 4, RR 4, and OTRB 4), evacuation procedures (PT 5, RR 5, and OTRB 5), responses to terrorist threats or incidents (PT 6, RR 7, and OTRB 7), and understanding procedures for interacting with responders (PT 9, RR 10, and OTRB 10). This category also addresses elements of security awareness training required by 49 CFR 172.704(a)(4). To the extent owner/operators need to provide training on specific self-defense devices or protective equipment, TSA has not calculated these costs as it assumes this is a standard part of any operation before providing such devices or equipment to individuals and would not be a cost of this rule. Based on feedback received in consultation with stakeholders, TSA considered whether to tailor particular training requirements to specific job functions. It may be argued, for example, that training elements relevant to employees who encounter the public are not necessary for mechanics or other employees performing non-public functions. TSA believes, however, that there should be a common level of proficiency among security-sensitive employees of the covered entities; training in security awareness and behavior recognition is appropriate for all employees. At the same time, security-sensitive employees must be aware of their particular responsibility in preventing or responding to a threat or incident prevention and response and adequately trained to fulfill their roles. TSA recognizes that owner/operators may integrate into their required security training programs varying levels of training for particular categories of employees or job functions to meet the objectives of their overall security strategy or plan. TSA encourages continuation of these practices as long as the security training program meets the core requirements proposed in this rulemaking. Diagram B identifies the type of training covered within each of these categories by reference to the considerations that led to their development. [[Page 91364]] [GRAPHIC] [TIFF OMITTED] TP16DE16.014 I. Other Security Training Programs The 9/11 Act includes requirements for TSA to consider ``any current security training requirements or best practices'' before issuing security training regulations.\115\ As discussed above and indicated in Diagram B, TSA has taken current Federal regulations, guidance, and other practices affecting transportation security into consideration and has crafted this proposed rule to be consistent with those regulations and practices where they meet the requirements of the 9/11 Act and the objectives of this rulemaking. In addition, TSA has been consulting with DOT to avoid potential inconsistencies and unnecessary duplication as a result of this proposed rule. --------------------------------------------------------------------------- \115\ See 6 U.S.C. 1167(a) and 1184(a). --------------------------------------------------------------------------- Many of the owner/operators required to provide security training under this regulation have been providing security training either under the requirements of training programs discussed in this section or using materials developed and/or approved by TSA for other purposes. A range of courses including those sponsored by TSA and other Federal agencies, such as FTA, Federal Emergency Management Agency (FEMA), and PHMSA, provide a means for covered entities to coordinate training for their employees in many of the elements stipulated in the proposed rule. For example, the training program this proposed rule would require is consistent with, and builds upon, security training programs that PTPR owner/operators have implemented through courses sponsored by FTA, TSA, and FEMA, including guidance provided to PTPR owner/operators to fast track grant applications for security training funding. In many cases, agencies have secured third-party training through funds awarded on projects approved under the TSGP administered by DHS. These government-sponsored and third-party courses would remain as approved options to the extent they adequately address the elements required in the final rule. As in the past, TSA would provide lists of approved courses to PTPR owner/operators subject to the regulatory requirements. As discussed in section III.D.3 (recognition of previous training) of this NPRM, an owner/operator may rely on this training to satisfy the training requirements of the proposed rule to the extent the training program they submit includes the curriculum and an explanation of how the previous training meets TSA's requirements and is appropriate for the particular owner/operator. TSA anticipates that for many owner/operators, the training discussed above would meet most of the requirements. It is likely, however, that additional training would be needed for some of the knowledge required by the ``prepare'' category of training in proposed Sec. Sec. 1580.115(c), 1582.115(c), and 1584.115(c). The following section discusses some of the programs and requirements that are relevant to these considerations. 1. Federal Railroad Administration Safety Training Requirements Passenger railroad employee training programs already comply with FRA safety standards requiring the preparation, adoption, and implementation of emergency preparedness plans by railroads connected with the operation of passenger trains (including freight carriers hosting passenger rail [[Page 91365]] operations).\116\ The FRA defines an ``emergency'' as an unexpected event related to the operation of passenger train service involving a significant threat to the safety or health of one or more persons requiring immediate action, and includes a security situation.\117\ Under the regulations in 49 CFR part 239, each affected railroad is required to instruct its employees on the provisions of its plan. Emergency preparedness plans must address such subjects as communication (including on-board crewmember notification of the control center and passengers about the nature of the emergency and control center personnel notification of outside emergency responders and adjacent rail modes of transportation), passenger evacuation in emergency situations, employee training and qualification, joint operations, tunnel safety, liaison with emergency responders, on-board emergency equipment, and passenger safety information. FRA also requires full-scale emergency simulations for passenger trains. In general, the FRA has found few failures to provide the required training. In FY 2014, there was a single recommended violation for failure to meet the requirements of 49 CFR 239.7.\118\ --------------------------------------------------------------------------- \116\ See 49 CFR part 239. \117\ See 49 CFR 239.7. \118\ See FRA, ``Fiscal Year 2014 Enforcement Report,'' at 3. This is an annual report published by FRA summarizing settled claims for civil penalty violations of Federal railroad safety and hazardous materials statues, regulations and orders during Federal Fiscal Year 2014 and is available is available under Enforcement & Litigation on FRA's Web site at https://www.fra.dot.gov/eLib. --------------------------------------------------------------------------- As stated in Sec. Sec. 1580.113(c) and 1582.113(c) of the proposed rule, TSA recognizes that the training required by 49 CFR 239.7 may be combined with other training to partially or fully meet or exceed requirements under proposed Sec. Sec. 1580.115(f) or 1582.115(f) and would not expect owner/operators to duplicate this training. TSA would work in cooperation with the FRA to validate that the owner/operators have provided the training as represented in any programs submitted to TSA for approval. As previously noted, the training program required under this proposed rule would need to clearly describe and identify the training and how it is being used to satisfy the requirements of the TSA regulation. 2. Federal Transit Administration Safety Requirements Under 49 CFR part 659, the FTA manages State Safety Oversight for Rail Fixed Guideway Systems.\119\ Currently, part 659 requires States to oversee the safety and security of rail fixed guideway systems operating in their jurisdictions through designated Oversight Agencies (OAs). The OAs must require the operator of the rail fixed guideway system to develop and implement a written system safety program plan and a written system security plan as separate products. Each covered system must base its Transit Agency Safety Plan on an adequate Safety Management System (SMS), and include an adequate means of safety promotion to support the execution of the plan by all employees, agents, and contractors.\120\ --------------------------------------------------------------------------- \119\ On March 16, 2016, the FTA published a final rule for State safety oversight of rail fixed guideway public transportation systems not regulated by the FRA that replaces the current State Safety Oversight (SSO) rule in 49 CFR part 659. See State Safety Oversight; Final Rule, 81 FR 14229 (Mar. 16, 2016) (adding part 674 to title 49 of the CFR). The FTA will rescind the current SSO rule no later than April 15, 2019. SSO Agencies and rail transit agencies (RTAs) will continue to comply with the current SSO rule until they come into compliance with the new regulations. The FTA omitted System Security Plans from its final rule, noting, ``TSA . . . has the prerogative and responsibility for all rulemakings on security in public transportation.'' Id. at 14233. \120\ See 49 CFR 674.29 and Appendix A to part 674. --------------------------------------------------------------------------- The Safety Promotion component of the SMS includes safety communication, which requires a combination of training and communication of safety information to employees to heighten the efficiency and effectiveness of the transit agency's SMS, and typically includes training on the mechanism for employees to report safety concerns.\121\ Safety communication is intended to ensure that personnel are aware of the SMS and their role within it, and receive safety-critical information in an effective and timely manner.\122\ --------------------------------------------------------------------------- \121\ Id. \122\ Id. --------------------------------------------------------------------------- Additionally, the OAs must require covered transit agencies to conduct annual reviews of both their system safety program plans and system security plans. Further, the OAs must require covered agencies to develop and document a process for the performance of on-going internal safety and security reviews in their system safety program plans. Finally, the OAs themselves must conduct on-site reviews of system safety program plan and system security plan implementation. 3. OTRB Safety Requirements The FMCSA has not issued regulations regarding OTRB owner/operators to provide training to their employees on evacuation procedures. In its 2012 update to the ``Motorcoach Safety Action Plan,'' FMCSA noted its commitment to examining ``ways to convey safety information to passengers and improve evacuation for a diverse population.'' It is important to recognize that in the OTRB environment, the only employee of the owner/operator on the bus may be the driver. Focusing on what the driver can do, FMCSA published guidance in 2007 to the industry recommending providing pre-trip safety information to passengers. FMCSA also distributed safety brochures, posters, and an audio compact disc (CD) based on the guidance that contains safety announcements regarding emergency egress that can be broadcast. The original CD was in English and FMCSA subsequently translated it in six other languages.\123\ To the extent an owner/operator has provided training related to this issue pursuant to FMCSA recommendations, they could provide information on this training and their use of it to TSA as part its security training program submission. --------------------------------------------------------------------------- \123\ U.S. Department of Transportation, ``Motorcoach Safety Action Plan:2012 Update,'' at 29 (Dec. 2012), FMCSA-ADO-13-001. See id. at 42-43 for additional information on ongoing initiatives of FMCSA on this issue. --------------------------------------------------------------------------- 4. Hazardous Materials Regulations a. Overlap With DOT Regulations Regarding Transportation of Hazardous Materials Both DOT and DHS have responsibility regarding the transportation of hazardous materials. TSA is the lead Federal entity for transportation security, including hazardous materials and pipeline security, while PHMSA has responsibility for promulgating and enforcing regulations and administering a national program of safety, including security, in multimodal hazmat transportation.\124\ As part of a Memorandum of Understanding (MOU) between these agencies to coordinate on activities related to their respective missions, TSA and PHMSA agreed to coordinate in the development of standards, regulations, guidelines, or directives and to build on existing standards when it is determined that the adequacy of existing standards needs to be addressed.\125\ Consistent with that agreement, TSA and PHMSA have coordinated regarding PHMSA's security regulations and on this NPRM. [[Page 91366]] A copy of the MOU is available in the docket for this rulemaking. --------------------------------------------------------------------------- \124\ See ``Annex to the Memorandum of Understanding Between the Department of Homeland Security and the Department of Transportation Concerning Transportation Security Administration and Pipeline and Hazardous Materials Safety Administration Cooperation on Pipeline and Hazardous Materials Transportation Security,'' at secs. III.b. and III.c. (August 2006). \125\ Id. at sec. II. --------------------------------------------------------------------------- For the purposes of this rulemaking, it is important to recognize that PHMSA's security requirements for hazmat transportation apply to freight railroad carriers, motor carriers, and shippers and receivers of hazmat. Within these populations, PHMSA regulations require all individuals within the definition of ``hazmat employee'' to receive training in security awareness.\126\ The HMR also requires hazmat employers who offer for transportation or who transport a subset of hazardous materials in specific quantities to develop security plans.\127\ In addition, any hazmat employer required to have a security plan must provide in-depth security training to its employees.\128\ --------------------------------------------------------------------------- \126\ 49 CFR 172.704(a)(4). See 49 CFR 171.8 for definition of ``hazmat employee.'' \127\ 49 CFR 172.800 and 172.802. \128\ Whether a hazmat employer is required to have a security plan, and therefore provide in-depth security training, is determined by whether they transport any of the materials identified in 49 CFR 172.800. --------------------------------------------------------------------------- Specifically, the HMR require training of hazmat employees in: (1) Familiarity with the general provisions of the HMR and recognizing and identifying hazardous materials; (2) knowledge of specific HMR requirements applicable to functions performed; and (3) knowledge of emergency response information, self-protection measures, and accident prevention methods. The in-depth security training requirements include training on: (1) Awareness of the security issues associated with hazardous materials transportation and possible methods to enhance transportation security; and (2) the owner/operator's security objectives, specific security procedures, employee responsibilities, actions to be taken in the event of a security breach, and the organizational security structure.\129\ --------------------------------------------------------------------------- \129\ Id. --------------------------------------------------------------------------- TSA's proposed rule would apply to a subset of those entities required to have security training programs under the HMR. Within the population subject to both the HMR and TSA's proposed rule, employees to be trained also differs. PHMSA applies the definition of ``hazmat employee'' used for their safety regulations,\130\ while TSA's proposed rule applies to employees whose functions are determined by TSA to be ``security-sensitive.'' Data is not available to precisely determine the extent of overlap. For the subset of the HMR population also within the scope of TSA's proposed rule, TSA's proposed training requirements go beyond the baseline required by PHMSA. Diagram B includes references to the HMR requirements. --------------------------------------------------------------------------- \130\ 49 CFR 171.8. --------------------------------------------------------------------------- PHMSA has reviewed TSA's proposed requirements and agrees that owner/operators subject to its rule who meet TSA's proposed requirements would also satisfy the corresponding provisions in PHMSA's security training requirements. PHMSA's regulations state that training conducted by owner/operators to comply with security training programs required by other Federal agencies may be used to satisfy their hazmat employee training to the extent that such training addresses the training components specified for hazmat employee training.\131\ --------------------------------------------------------------------------- \131\ 49 CFR 172.704(b). --------------------------------------------------------------------------- b. Inspections and Enforcement TSA recognizes that stakeholders may be concerned about the potential overlap between PHMSA's regulations and TSA's proposed regulations. For example, under its Secure Contact Review program, the FRA audits railroads and evaluates their compliance with security plans and security training as mandated by the PHMSA regulations. Federal Railroad Administration inspectors are given authority to write citations for an owner/operator's failure to properly comply with the requirements. PHMSA also conducts periodic compliance investigations and its inspectors are given authority to write citations for failure to properly comply with the requirements.\132\ --------------------------------------------------------------------------- \132\ See 75 FR 10974 (Mar. 9, 2010). See also 49 CFR 107.301 et seq. --------------------------------------------------------------------------- PHMSA recognizes TSA's lead role and regulatory responsibilities in the secure transport of hazmat. After summarizing TSA's authorities in its preamble to the final rule amending the HMR, PHMSA stated: When PHMSA adopted its security regulations, it was stated that these regulations were `the first step in what may be a series of rulemakings to address the security of hazardous materials shipments.' 68 FR 14511. PHMSA noted in the NPRM that TSA `is developing regulations that are likely to impose additional requirements beyond those established in this final rule' and stated that it would `consult and coordinate with TSA concerning security-related hazardous materials transportation regulations . . . .TSA intends to promulgate additional regulations for railroad carriers and other modes of surface transportation that will require them to submit vulnerability assessments and security plans to DHS for review and approval, as well as to develop and implement security training programs for employees performing security-sensitive functions to prepare for potential security threats and conditions. The security plan requirements established by the HMR are to be used as a baseline for security planning. When TSA regulations are issued, the PHMSA security plan and security training requirements for regulated parties that will be subject to the TSA regulations will be reevaluated and revised as appropriate.\133\ --------------------------------------------------------------------------- \133\ 75 FR at 10976. DHS and DOT are committed to coordinating on the oversight of security-related training for carriers of RSSM. Consistent with the MOU previously discussed, PHMSA's Final Rule revising the HMR acknowledged --------------------------------------------------------------------------- the agreement between the agencies: If, in the course of an inspection of a railroad or motor carrier or a rail or highway hazardous material shipper or receiver, TSA identifies evidence of non-compliance with a DOT safety or security regulation, TSA will provide the information to FRA (for rail) or FMCSA (for motor carriers) and PHMSA for appropriate action. Similarly, since DOT does not have the authority to enforce TSA security requirements, if a DOT inspector identifies evidence of non-compliance with a TSA security regulation or identifies other security deficiencies, DOT will provide the information to TSA for appropriate action.\134\ --------------------------------------------------------------------------- \134\ Id. at 10977. TSA has committed to DOT to do the same. c. Overlap With Other DHS Regulations Parts of TSA's current regulations for rail security include requirements applicable to certain shippers and receivers of hazardous materials.\135\ While TSA is not modifying its existing requirements for shippers and receivers as part of this proposed rule, it is also not proposing to apply the security training requirements to shippers and receivers. --------------------------------------------------------------------------- \135\ See scope identified in current Sec. 1580.1. --------------------------------------------------------------------------- This is consistent with TSA's intent to avoid any overlap with regulations promulgated by the National Protection and Programs Directorate (NPPD) of DHS for the security of certain high-risk chemical facilities in the United States.\136\ NPPD has previously recognized that certain aspects of its authorities \137\ are concurrent and overlapping with TSA due to the transportation of these chemicals by rail, but stated that it does not presently plan to screen railroad facilities for inclusion in the CFATS program (although the Department reserved the right to reevaluate possible scope at a [[Page 91367]] future date).\138\ TSA and NPPD, continue to work closely together to ensure that the efforts directed at these facilities are coordinated and consistent. --------------------------------------------------------------------------- \136\ Promulgated under the authority of sec. 550 of the Department of Homeland Security Appropriations Act, 2007 (2007 DHS Appropriations Act), Public Law 109-295, 120 Stat. 1355 (Oct. 4, 2006). \137\ See id. \138\ See 72 FR 17729, 17698-17699 (Apr. 9, 2007) (IFR for CFATS). --------------------------------------------------------------------------- While facility security training and transportation security training have unique differences and shall be considered as separate issues, TSA's subject matter experts have reviewed the training requirements of CFATS RBPS 11 and determined that they meet or exceed the requirements considered necessary by TSA for secure transportation of the identified chemicals. There would be no additional security benefit from extending the training requirements of this proposed rule to entities subject to CFATS. This determination was considered as part of TSA's decision not to include shippers and receivers of hazardous materials within the scope of this proposed rule. J. Training Resources As previously discussed, TSA is aware that many owner/operators that would be subject to this proposed rule already provide security training to their employees that may meet the proposed requirements. To further reduce the burden to owner/operators who do not have an existing training program or whose program does not include all of the required content, TSA is expanding existing resources that will be made available to owner/operators at no cost. Owner/operators would be able to use these expanded resources, described below, to meet the content requirements of Sec. Sec. 1580.115, 1582.115, and 1584.115 of the proposed rule. First ObserverTM First ObserverTM is a national training program initially created through a grant from DHS to raise security awareness for highway modes.\139\ It was designed to provide transportation professionals with information that will enable them to observe effectively, assess and report suspicious individuals, vehicles, packages, and/or objects. The program has been used to teach thousands of highway transportation professionals to actively participate in recognizing suspicious activities and reporting them through appropriate mechanisms. --------------------------------------------------------------------------- \139\ ``First ObserverTM'' refers to the current program and any future expansion or changes to the program. --------------------------------------------------------------------------- TSA is expanding the program to be relevant to other modes of surface transportation, including freight railroads, passenger railroads, and public transportation systems. The First ObserverTM Program is undergoing extensive revision and TSA is ensuring the content of all revised First ObserverTM products will ultimately meet the security training requirements set forth in a final rule. At this time, TSA does not anticipate that First ObserverTM will satisfy the requirement to provide employer specific training to security-sensitive employees with responsibility under their employer's specific security programs or measures-- addressed under the ``Prepare'' component of training--as this is company-specific training. TSA does, however, anticipate that the SMARToolbox, discussed below, may provide resources needed to reduce costs for this aspect of the proposed training. To ensure the expanded program is relevant to all of the modes of transportation covered by this proposed rule, TSA sought to obtain input from its stakeholders and will continue with this effort. For example, while this rulemaking was under development, a meeting of the joint industry-government panel operating as the Transit Policing and Security Peer Advisory Group (PAG) \140\ looked at available training programs in light of what the 9/11 Act specified as required training for public transportation.\141\ For purposes of the discussion on the 9/11 Act's requirements, the FTA's representatives included a course curriculum developer. The group produced a comprehensive matrix that included standards and criteria needed to meet the training elements required by the 9/11 Act as well as suggested learning objectives to assist in the creation of lesson plans. The intent was to provide a resource that could be used by transit agencies to: (1) Review their existing training programs and close any gaps; (2) develop new programs; or (3) evaluate commercial courses. The panel also pre- screened a selection of available courses that could be used for training that met all of the elements identified in the 9/11 Act. The standards and criteria developed by this group feeds into the considerations identified in Diagram B. This exercise also supports TSA's assumption that most of the owner/operators that would be affected by this proposed rule already have training programs in place that would substantially comply with the proposed rule's requirements. --------------------------------------------------------------------------- \140\ The PAG shares expertise and guidance among TSA, transit police chiefs, and security directors. The group meets by teleconference with TSA at least once a month to discuss relevant issues involving transit security and anti-terrorism approaches. \141\ See 6 U.S.C. 1137(c). --------------------------------------------------------------------------- SMARToolbox As with the general security training content, TSA is aware that many owner/operators already provide training to prepare security- sensitive employees for their specific responsibilities under their company's security plan as required by proposed Sec. Sec. 1580.115(c), 1582.115(c), and 1584.115(c). For example, any owner/operator subject to the security training requirements of 49 CFR part 172 is required to provide in-depth training on company-specific measures under 49 CFR 172.704(a)(5). This population overlaps with most of the freight railroad population that would be subject to this proposed rule. For those that do not currently provide this type of training, TSA has resources available to reduce the burden. In particular, TSA encourages owner/operators to use the SMARToolbox--an industry-led initiative supported by TSA--as a resource presenting a broad range of security measures that peer agencies have identified as valuable to their organization. A searchable, modifiable database allows for various specified searches--making it easy for the users to find information relevant to their specific needs. SMARToolbox includes measures gathered from publically available sources as well as from discussions amongst industry representatives at a variety of stakeholder events. As part of this rulemaking effort, TSA has ensured the SMARToolbox includes information relevant to this training requirement. K. Programmatic Alternatives In addition to the applicability alternatives discussed in section III.F. of this NPRM, TSA has also considered other programmatic alternatives. In general, these alternatives eliminated aspects of the proposed rule that are within TSA's discretion, or even necessary parts of implementing the statutory requirements, but not directly mandated by the 9/11 Act. Table 7 identifies these provisions relevant to each mode. [[Page 91368]] Table 7--Identification of Programmatic Requirements Eliminated or Modified in Alternative Analysis ---------------------------------------------------------------------------------------------------------------- Freight rail PTPR (Rail) PTPR (Bus) OTRB) ---------------------------------------------------------------------------------------------------------------- Recordkeeping............................... X X X X Training on chain of custody requirements... X ............... ............... ............... Security coordinators and alternates........ ............... ............... X ............... Reporting security incidents................ ............... ............... X X Annual recurrent training (replaced with 3 X X X X year cycle)................................ ---------------------------------------------------------------------------------------------------------------- In determining the implications of these alternatives, TSA continues to assume that owner/operators would use First ObserverTM to meet the requirements--or to fill any gaps in their current training programs. In most cases, the programmatic alternatives assume elimination of the requirement. For recurrent training, the alternative assumes recurrent training would occur every three years rather than annually (since there is not a statutory requirement for how often covered security sensitive employees must be trained, TSA sets the minimum interval of recurrent training to once every three years as opposed to the annual training TSA is requiring in the proposed rule). Based on these assumptions, these alternatives would have an estimated cost of approximately-- $25.27 million for freight railroad owner/operators over a 10-year period (at a 7 percent discount rate). $18.50 million for PTPR owner/operators over a 10-year period (at a 7 percent discount rate). $5.85 million for OTRB owner/operators over a 10-year period (at a 7 percent discount rate). The basis for the estimates of benefits and costs is set forth in the RIA for this rulemaking, which is included in the public docket. TSA rejected these alternatives because the agency has determined that the proposed rule better aligns with its commitment to risk-based security policy and outcomes-based regulation. While recordkeeping is not specifically stated as a requirement in the 9/11 Act, it is a necessary part of enforcing any regulatory requirement. TSA also believes requiring owner/operators to maintain records of training and provide proof of training to current and former employees upon request can reduce costs of training based upon the recognition given to prior training. Chain of custody is a critical requirement for freight railroads to ensure security during the transportation of RSSM. TSA believes it is essential for employees with responsibility to perform requirements identified in part 1580 related to chain of custody be trained on how to perform those requirements as part of their security training curriculum. To inconsistently apply the requirement for security coordinators and reporting of security incidents for high-risk entities could create significant gaps in the information obtained and shared--creating unnecessary security vulnerabilities. TSA discusses its basis for requiring annual training in section III.D.3 of this NPRM. IV. Stakeholder Consultations The 9/11 Act directed TSA to consult with major stakeholders during the development of this NPRM.\142\ The categories of stakeholders to be included in these consultations consist of industry representatives, first responders, terrorism experts, and, nonprofit employee labor organizations. As discussed below, TSA has complied with these requirements through meetings with stakeholders before drafting of this proposed rule began, requests for comments submitted through associations, as well as a targeted request for additional input through a Notice published in the Federal Register. --------------------------------------------------------------------------- \142\ See 6 U.S.C. 1137(b), 1167(b), and 1184(b). --------------------------------------------------------------------------- As noted, TSA published a notice in the Federal Register requesting the public to provide comments and data on employee security training programs and planned security training exercises currently provided by owner/operators of freight railroads, passenger railroads, public transportation systems (excluding ferries), and OTRBs.\143\ TSA received a few responsive comments from trade associations, public agencies, and private companies that helped TSA to understand the current ``baseline'' training environment for freight rail, PTPR, and OTRB employees. As the limited information received provided data relevant to the economic impact of this proposed rule, it is discussed more fully in the RIA for this rulemaking, which can be found in the docket. --------------------------------------------------------------------------- \143\ See 78 FR 35945 (June 14, 2013). --------------------------------------------------------------------------- TSA has taken stakeholder comments into consideration in developing the NPRM. The text below describes stakeholder outreach TSA has conducted. A. Multi-Modal Outreach In September and October of 2009, TSA reached out to representatives of the constituencies mandated by 6 U.S.C. 1137, 1167, and 1184. These stakeholders included representatives of State, local, and tribal governmental authorities; first responders; security and terrorism experts; appropriate labor organizations; and organizations representing the elderly and disabled. On September 14, 2009, TSA reached out to representatives of the following stakeholder groups by transmitting a letter and summary document outlining the key statutory requirements of the NPRM and requesting their comments: TSA/Office of Civil Rights and Liberties; Homeland Security Institute; Mineta Transportation Institute; FEMA/ United States Fire Administration/National Fire Programs; International Association of Chiefs of Police; National Sheriffs Association; National Emergency Medical Services Association; Commercial Vehicle Safety Alliance; State, Local, Tribal, and Territorial Government Coordinating Council (GCC); and DHS/National Protection and Programs Directorate/Intergovernmental Programs. B. Freight Rail TSA conducted meetings and conference calls with representatives of the freight railroad industry, including trade associations representing railroad carriers and shippers of hazardous materials. Class I carriers as well as short line and regional railroads participated in these consultations. TSA also met with representatives from two rail labor organizations. In addition, TSA met with members of the AAR in November 2009 to discuss the proposed security training. The AAR has stated that ``TSA regulation of security training for railroad employees is unnecessary'' \144\ [[Page 91369]] because most freight rail hazmat employees already receive training in compliance with the PHMSA, which requires freight rail employees who perform HAZMAT functions to ``receive training that provides an awareness of security risks associated with hazardous materials transportation . . . this training must also include a component covering how to recognize and respond to possible security threats.'' \145\ The AAR affirms this and explicitly states in its comments that ``railroads provide security awareness training to their front line employees and have done so for many years'' and employees have to take recurrent training every three years, at minimum.\146\ The American Short Line and Regional Railroad Association also submitted comments and stated that, with regards to its members, the current level of ``[t]raining involves looking for suspicious persons, items[, w]hat IEDs may look like[, and h]ow to handle different situations . . . .'' \147\ --------------------------------------------------------------------------- \144\ ``Comments of the Association of American Railroads'' (Docket ID: TSA-2013-0005-0116), available at https://www.regulations.gov/. Input the Docket ID ``TSA-2013-0005-0116'' into the blue ``Search'' field. \145\ 49 CFR 172.704(a)(4). \146\ Id. (citing 49 CFR 172.704(a)(4)). \147\ ``Comments of the American Short Line and Regional Railroad Association'' (Docket ID: TSA-2013-0005-0124), available at https://www.regulations.gov/. Input the Docket ID ``TSA-2013-0005- 0124'' into the blue ``Search'' field. --------------------------------------------------------------------------- TSA's freight rail subject matter experts confirmed that higher- risk freight railroad owner/operators currently provide training to their security-sensitive employees on the procedures on chain of custody control requirements-based on the compliance rates for current 49 CFR 1580.107. This information leads TSA to conclude that all freight rail owner/operators affected by the proposed rule that transport RSSM provide training to their employees on, at minimum, security awareness; employee- and company-specific security program and measures; and chain of custody and control requirements. C. Public Transportation and Passenger Rail TSA consulted with industry representatives, governmental authorities, security experts, first responders, and employee representatives through the Transit, Commuter and Long Distance Rail GCC,\148\ the Mass Transit Sector Coordinating Council (SCC),\149\ and PAG.\150\ --------------------------------------------------------------------------- \148\ The Commuter and Long Distance Rail GCC includes representatives from TSA, other DHS components, the FTA, and the FBI. \149\ The Mass Transit SCC is a representative group for the mass transit and passenger rail community formed in accordance with the National Infrastructure Protection Plan to advance the public- private partnership for mass transit and passenger rail security. Its membership includes senior executives, law enforcement chiefs, and security directors for mass transit and passenger rail agencies of varying sizes, locations, and system types as well as representatives of APTA, the Community Transportation Association of America, and the Amalgamated Transit Union. \150\ As previously noted, see supra, n. 140, the PAG brings together the expertise of some 15 law enforcement chiefs and security directors from mass transit and passenger rail systems across the Nation of varying location, size, and system type as a consultative forum with extensive experience to facilitate development and implementation of effective security programs. To advance these purposes, the Group, which formed in November 2006, convenes with TSA officials in monthly teleconferences. Membership in the PAG consists of the law enforcement chiefs or security directors of public transportation agencies in large metropolitan areas, as well as Amtrak. In addition to Amtrak, the following agencies are members of the PAG: Metro Transit of Harris County, Texas (Houston Area), Massachusetts Bay Transportation Authority; New York Metropolitan Transportation Authority; New York Police Department--Transit Bureau; New Jersey Transit; Southeast Pennsylvania Transportation Authority; Washington Metropolitan Area Transit Authority; Metropolitan Atlanta Rapid Transit Authority; Chicago Transit Authority; Dallas Area Rapid Transit; Denver Regional Transportation District; King County Metro Transit (Seattle Area); Bay Area Rapid Transit; and Los Angeles County Sheriff's Department. --------------------------------------------------------------------------- TSA initiated consultations in October 2007 by explaining the planned approach in a joint meeting with the SCC and via a teleconference with the PAG. Participants at both forums were advised that a summary of the developing concepts and considerations for the security training program rulemaking would be prepared and provided to them for review and feedback. In preparing the summary, TSA coordinated with the membership of the GCC. The summary was completed in November 2007. Dissemination to the SCC and PAG for review and comment occurred in December 2007 and January 2008. TSA received feedback in February and March 2008. A second round of consultations with the SCC and PAG occurred during October and November 2009. At that time, the consultations expanded to include additional law enforcement chiefs and security directors, specifically those not previously consulted to participate in the semi-annual Transit Safety and Security Roundtables.\151\ --------------------------------------------------------------------------- \151\ TSA, FTA, and FEMA host semi-annual Transit Safety and Security Roundtables with the law enforcement chiefs and security directors of the largest 50 mass transit and passenger rail systems (by passenger volume) and Amtrak. These agencies account for more than 80 percent of all users of public transportation services nationally. The three-day sessions employ a workshop format to address specific issues pertaining to terrorism prevention and response. The collective expertise fosters the development of collaborative security solutions, informs setting of priorities for security programs, and advances the strategic priority of elevating the baseline level of security throughout the mass transit and passenger rail mode. --------------------------------------------------------------------------- In its general comments in response to the 2013 Notice, APTA asserted that ``the elements of the 9/11 Act are already addressed within the scope of security training programs throughout the public transportation industry.'' \152\ The American Public Transportation Association cited training required by 49 CFR 239.101 as evidence that they meet certain portions of the 9/11 Act. As noted in section III.G.1 of this NPRM, 49 CFR part 239 (also known as the ``Passenger Train Emergency Preparedness Rule'') has a training requirement for rail equipment familiarization, situational awareness, coordination of functions, and `hands-on' instruction concerning the location, function, and operation of on-board emergency equipment.\153\ These requirements, which align with some of those in TSA's proposed rule, apply to many of the public transportation modes affected by the proposed rule (intercity passenger rail and commuter rail). Individual public transportation agencies--including a few that would be affected by the proposed rule-also provided comments on the type of training they currently implement for frontline employees. This training includes programs on security awareness and employee- and company- specific training on their own security programs and measures (which employees have to take every two years). All of this information has led TSA to conclude that some PTPR owner/operators, either in compliance with other security rules or because the owner/operator makes security a priority, invest in security training for their frontline employees and, at minimum, cover the topics of security awareness, and employee- and company-specific security program and measures. --------------------------------------------------------------------------- \152\ APTA, ``RE: Docket No. TSA-2013-0005'' (Docket ID: TSA- 2013-0005-0114), available at https://www.regulations.gov/. Input the Docket ID ``TSA-2013-0005-0114'' into the blue ``Search'' field. \153\ Id. --------------------------------------------------------------------------- D. Over-the-Road Buses TSA conducted a meeting with industry stakeholders in November 2007. In July 2009, TSA met again with industry representatives. During the 2007 consultations, industry stakeholders included large motorcoach [[Page 91370]] operators and trade associations representing both large and small operators. In July 2009, TSA again met with representatives of the OTRB community and presented a series of issues on which TSA sought their individual opinions. In its response to the 2013 Notice, the American Bus Association (ABA) \154\ described the importance of the OTRB Security Grant Program in providing financial assistance to the industry for implementing security measures, such as equipment and training.\155\ According to the ABA, nearly 10 percent of the funding from the OTRB Security Grant Program went to security training. The OTRB Security Grant Program has since been discontinued and the ABA states that some security upgrades were not enacted because: --------------------------------------------------------------------------- \154\ The ABA describes itself as a trade association that is ``home to some 850 bus operating companies and over 3,000 other companies, organizations and partnerships involved in providing transportation, tour and travel services to the traveling public.'' See ``Comments of the American Bus Association'' (Docket ID: TSA- 2013-0005-0119), available at https://www.regulations.gov/. Input the Docket ID ``TSA-2013-0005-0119'' into the blue ``Search'' field. \155\ Id. [T]he private bus industry was largely unable to pay for such upgrades. The inability to pay is a function of the small business nature of the industry, the huge number of bus operators with few resources and the inability of bus passengers to absorb any fare increases that could be used to pay for security upgrades.\156\ --------------------------------------------------------------------------- \156\ Id. The ABA states that despite this loss in funding, two of the major private OTRB companies currently use ``Operation Secure Transport''--an OTRB-specific version of First ObserverTM--to train their ``front line'' employees. This is validated by the comments provided by the private companies themselves. Additionally, according to comments from the OTRB Working Group of the Highway Motor Carrier SCC, ``all [of its] PAG members have supplied training to front line employees using Highway Watch, First ObserverTM, or Cat Eyes training.'' \157\ This group includes a third, major OTRB company. All of this information has led TSA to conclude that, at minimum, three of the larger OTRB companies currently use First ObserverTM to train their ``front line'' employees. --------------------------------------------------------------------------- \157\ Id. --------------------------------------------------------------------------- E. Labor Unions In addition to inviting participation of labor union representatives in many of the mode-specific meetings, TSA also met specifically with labor unions as part of its stakeholder consultation process. In December 2007, TSA met with representatives of several labor unions. On November 3, 2009, TSA met with representatives from the Transportation Trades Department of the American Federation of Labor and Congress of Industrial Organizations, the International Brotherhood of Teamsters, the Brotherhood of Locomotive Engineers and the Amalgamated Transit Union to discuss the surface training issues. V. Rulemaking Analyses and Notices A. Paperwork Reduction Act The Paperwork Reduction Act of 1995 (PRA) \158\ requires that TSA consider the impact of paperwork and other information collection burdens imposed on the public and, under the provisions of PRA sec. 3507(d), obtain approval from the OMB for each collection of information it conducts, sponsors, or requires through regulations. --------------------------------------------------------------------------- \158\ 44 U.S.C. 3501 et seq. --------------------------------------------------------------------------- Under OMB Control No. 1652-0051, OMB has approved a related information collection request for contact information for RSCs and alternate RSCs, as well as the reporting of significant security concerns by freight railroad carriers, passenger rail road carriers, and rail transit systems. This proposed rule contains new information collection activities subject to the PRA. Accordingly, TSA has submitted the following information requirements to OMB for its review. The OMB 83-I Supporting Statement for this information collection request is available in the docket for this rulemaking. Title: Security Training Programs for Surface Mode Employees. Summary: This proposed rule would require the following information collections: First, owner/operators identified in 49 CFR 1580.101, 1582.101, and 1584.101 would be required to submit to TSA for approval a security training program for security-sensitive employees that meets the requirements of subpart B of 49 CFR part 1580, subpart B of 49 CFR part 1582, and subpart B of 49 CFR part 1584. Second, respondents would be required to retain individual training records on security-sensitive employees at the location(s) specified in each respondent's respective security training program, and make such records available to TSA upon request. Third, the public transportation bus systems and OTRB owner/ operators to whom the proposed rule applies would be required to report significant security concerns, which includes incidents, suspicious activities, and/or threat information. Finally, the owner/operators to whom the proposed rule applies would be required to make their operations and records available for announced or unannounced inspections that would assess compliance with the NPRM. Use of: This proposal would support the information needs to evaluate security training programs against requirements set forth in the NPRM. Recordkeeping requirements would be used to verify employee training is in compliance with the proposed rule. Security coordinator information would support respondent communications with TSA concerning intelligence information, security related activities, and incident or threat response with appropriate law enforcement and emergency response agencies. The reporting of significant security concerns would support the analysis of trends and indicators of developing threats and potential terrorist activity. Finally, information collected through inspections would be used to enforce compliance with the proposed requirements. Respondents (including number of): The likely respondents to this information collection are the owners and/or operators of covered surface modes, which are estimated to incur approximately 1,374,501 responses over the next 3 years (including 449,067 freight railroad responses; 673,033 PTPR responses; and 252,401 OTRB company responses), which amounts to an average annual cost of $657,370. Frequency: TSA estimates that following initial submission, security training programs would need to be periodically updated as appropriate. Security training records would need to be updated after each training occurrence. Security coordinator information would need to be updated as appropriate. Significant security concerns would be reported as they occur. TSA estimates inspections for compliance would occur at a rate of one inspection per year per owner/operator. Annual Burden Estimate: The average yearly burden for security training program development and submission, security coordinator submission, employee training documentation recordkeeping, and incident reporting is estimated to be 1,518 hours for freight railroads; 2,147 hours for PTPRs; and 4,247 hours for OTRB companies. The total average annual time burden estimate is approximately 7,912 hours. Table 8 shows the information collections and corresponding hour [[Page 91371]] burdens for entities falling under the requirements of the proposed rule. Table 8--PRA Hours of Burden -------------------------------------------------------------------------------------------------------------------------------------------------------- Time per Number of responses Average Collection response ------------------------------------------------ 3-Year time annual time (hours) Year 1 Year 2 Year 3 burden burden -------------------------------------------------------------------------------------------------------------------------------------------------------- Initial Security Training Program Development and Submission -------------------------------------------------------------------------------------------------------------------------------------------------------- Freight Rail............................................ 52 36 0 0 1,872 624 PTPR.................................................... 52 47 0 0 2,444 815 OTRB (Large to Medium).................................. 32 28 0 1 928 309 OTRB (Small)............................................ 16 174 3 3 2,883 961 -------------------------------------------------------------------------------------------------------------------------------------------------------- Modified Security Training Program Development and Submission -------------------------------------------------------------------------------------------------------------------------------------------------------- Freight Rail............................................ 25 32 0 0 810 270 PTPR.................................................... 25 21 0 0 518 173 OTRB (Large to Medium).................................. 16 25 0 0 418 139 OTRB (Small)............................................ 8 157 3 3 1,297 432 -------------------------------------------------------------------------------------------------------------------------------------------------------- Security Coordinator Information Submission -------------------------------------------------------------------------------------------------------------------------------------------------------- PTPR.................................................... 0.5 52 8 8 35 12 OTRB.................................................... 0.5 459 178 181 409 136 -------------------------------------------------------------------------------------------------------------------------------------------------------- Employee Training Documentation Recordkeeping -------------------------------------------------------------------------------------------------------------------------------------------------------- Freight Rail............................................ 0.004 148,992 149,665 150,341 1,871 624 PTPR.................................................... 0.004 219,437 219,646 219,856 2,746 915 OTRB.................................................... 0.004 41,300 41,824 42,355 523 174 -------------------------------------------------------------------------------------------------------------------------------------------------------- Incident Reporting -------------------------------------------------------------------------------------------------------------------------------------------------------- PTPR.................................................... 0.05 4,652 4,652 4,652 698 233 OTRB.................................................... 0.05 41,173 41,898 42,635 6,285 2,095 ----------------------------------------------------------------------------------------------- Total Burden (responses)............................ .............. .............. .............. .............. 1,374,501 .............. ----------------------------------------------------------------------------------------------- Total Burden (hours)................................ .............. .............. .............. .............. 23,735 7,912 -------------------------------------------------------------------------------------------------------------------------------------------------------- TSA is soliciting comments to-- (1) Evaluate whether the proposed information requirement is necessary for the proper performance of the functions of the agency, including whether the information would have practical utility; (2) Evaluate the accuracy of the agency's estimate of the burden; (3) Enhance the quality, utility, and clarity of the information to be collected; and (4) Minimize the burden of the collection of information on those who are to respond, including using appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology. Individuals and organizations may submit comments on the information collection requirements by February 14, 2017. Direct the comments to the address listed in the ADDRESSES section of this document, and email your comments to OMB using the following address: OIRA_submission@omb.eop.gov. A comment to OMB is most effective if OMB receives it within 30 days of publication. TSA will publish the OMB control number for this information collection in the Federal Register after OMB approves it. As provided by the PRA, as amended, an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number. B. Economic Impact Analyses 1. Regulatory Impact Analysis Summary Changes to Federal regulations must undergo several economic analyses. First, Executive Order (E.O.) 12866, Regulatory Planning and Review,\159\ as supplemented by E.O. 13563, Improving Regulation and Regulatory Review,\160\ directs each Federal agency to propose or adopt a regulation only upon a reasoned determination that the benefits of the intended regulation justify its costs. Second, the Regulatory Flexibility Act of 1980 (RFA) \161\ requires agencies to consider the economic impact of regulatory changes on small entities. Third, the Trade Agreement Act of 1979 \162\ prohibits agencies from setting standards that create unnecessary obstacles to the foreign commerce of the United States. Fourth, the Unfunded Mandates Reform Act of 1995 \163\ (UMRA) requires agencies to prepare a written assessment of the costs, benefits, and other effects of proposed or final rules that include a Federal mandate likely to result in the expenditure by State, local, or tribal governments, in the aggregate, or by the private sector, of $100 million or more annually (adjusted for inflation). --------------------------------------------------------------------------- \159\ 58 FR 51735 (Oct. 4, 1993). \160\ 76 FR 3821 (Jan. 21, 2011). \161\ Public Law 96-354, 94 Stat. 1164 (Sept. 19, 1980) (codified at 5 U.S.C. 601 et seq., as amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA)). \162\ Public Law 96-39, 93 Stat. 144 (July 26, 1979) (codified at 19 U.S.C. 2531-2533). \163\ Public Law 104-4, 109 Stat. 66 (Mar. 22, 1995) (codified at 2 U.S.C. 1181-1538). --------------------------------------------------------------------------- [[Page 91372]] 2. Executive Orders 12866 and 13563 Assessments Executive Orders 12866 and 13563 direct agencies to assess the costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. In conducting these analyses, TSA has determined: 1. This rulemaking is a ``significant regulatory action,'' although not an economically significant regulatory action, under sec. 3(f) of E.O. 12866. Accordingly, the Office of Management and Budget (OMB) has reviewed this NPRM. 2. TSA has prepared an Initial Regulatory Flexibility Analysis (IRFA), which suggests this rulemaking would have a significant impact on a substantial number of small entities. 3. This rulemaking would not constitute a barrier to international trade. 4. This rulemaking does not impose an unfunded mandate on State, local, or tribal governments, or on the private sector under UMRA. TSA has prepared an analysis of its estimated costs and benefits, summarized in the following paragraphs. The OMB Circular A-4 Accounting Statement for this proposed rule is in section V.C. When estimating the cost of a rulemaking, agencies typically estimate future expected costs imposed by a regulation over a period of analysis. For this rule's period of analysis, TSA uses a 10-year period of analysis to estimate the initial and recurring costs of the regulated surface mode owner/ operators and new owner/operators that are expected due to industry growth. TSA concluded the following about the current, or baseline, training environment for freight rail, public transportation and passenger railroad (PTPR), and OTRB employees (see section 1.9 of the RIA placed in the docket for further detailed information on the current baseline): There are 574 U.S. freight rail owners/operators and are composed of 7 Class I, 21 Class II, and 546 Class III railroads.\164\ A total of 36 (7 Class I, 8 Class II, and 21 Class III) out of the 574 U.S. freight rail owner/operators carry RSSM through an HTUA and would be affected by the proposed rule.\165\ These 36 freight rail owner/ operators provide security awareness \166\ and chain of custody and control \167\ trainings to their employees. These trainings address two of the required elements of security training required by the proposed rule in Sec. 1580.115 (Security training and knowledge for security- sensitive employees: Prepare and Assess). Additionally, freight rail owner/operators are already required to comply with the requirements to assign security coordinators and report significant security concerns to TSA under current 49 CFR 1580. Table 9 below displays the requirements of the proposed rule for freight rail. The check marked items in the table represent existing requirements under PHMSA 49 CFR 172.704 and 1580.107, therefore do not represent additional burden to the freight rail owners/operators. --------------------------------------------------------------------------- \164\ AAR, ``Railroad Facts, 2015 Edition,'' at 3 (2015). \165\ TSA used its railcar tracking system that monitors toxic inhalant hazard cars, the Toxic Inhalation Hazard Risk Reduction Verification System, (TIHRRVS) to identify freight rail owner/ operators. \166\ As required by PHMSA 49 CFR 172.704. \167\ In place because of the chain of custody requirement in 49 CFR 1580.107. [GRAPHIC] [TIFF OMITTED] TP16DE16.015 There are more than 7,100 public transportation organizations.\168\ Of these, 47 PTPR owner/operators \169\ fall within the applicability of the proposed rule. Twenty-four of these 47 PTPR owner/operators effectively provide training to their employees on security awareness and employee- and company-specific security programs and measures.\170\ These trainings address two of the required elements of security training required by the proposed rule in Sec. 1582.115 (Security training and knowledge for security-sensitive employees: Prepare and Assess). Additionally, 23 PTPR owner/operators are already required to comply with the requirements to assign security coordinators and report significant security concerns to TSA under current 49 CFR 1580. Table 10 below displays the requirements of the proposed rule for PTPRs. The check marked items in the table represent existing requirements under 49 CFR 1580 and, therefore do not represent additional burden to the freight rail owners/operators. --------------------------------------------------------------------------- \168\ APTA, ``2014 Public Transportation Fact Book'' (Nov. 2014), available at https://www.apta.com/resources/statistics/Documents/FactBook/2014-APTA-Fact-Book.pdf. \169\ TSA elicited and used input from SMEs in its Surface Division, combined with data from the Federal Transit Administration's (FTA) National Transit Database (NTD) to identify the 47 PTPR owner/operators. \170\ Agencies identified using latest evaluation from TSA's BASE assessment. Information on BASE assessment can be found here: https://www.tsa.gov/news/top-stories/2015/09/21/transit-agencies-earn-high-ratings-through-base-program. --------------------------------------------------------------------------- [[Page 91373]] [GRAPHIC] [TIFF OMITTED] TP16DE16.016 There are 3,741 U.S. companies in the motorcoach industry.\171\ Of these, 202 of them \172\ fall within the applicability of the proposed rule. Three of the 202 are large OTRB companies that currently use the TSA-supplied First ObserverTM program, which covers a majority of the 9/11 Act security training requirements, to train their employees. This training addresses three of the security training elements of this proposed rule Sec. 1584.115 (Security training and knowledge for security-sensitive employees: Observe, Assess, and Respond). Table 11 displays the requirements of this proposed rule for OTRB owner/operators. The check marked items in the table represent the training components already covered by the First ObserverTM program and, therefore do not represent additional burden to the ORTB owners/operators currently using this program compared to the ``no- action'' baseline.\173\ In Appendix A of the RIA, however, TSA has also monetized the cost of their current participation in First ObserverTM. TSA estimated this cost at $0.36 million to these owner/operators over 10 years (discounted at 7 percent).\174\ --------------------------------------------------------------------------- \171\ American Bus Association Foundation, ``Motorcoach Census 2014'' (Mar. 12, 2015), available at https://www.buses.org/assets/images/uploads/general/Report%20-%20Census2013data.pdf. \172\ TSA relied on a variety of sources to identify the 202 owner/operators: TSA Intercity Bus Security Grant Program (IBSGP) applications, the American Intercity Bus Riders Association (AIBRA) intercity bus service operator list, consultations with ABA, and Internet research of Web sites like GotoBus.com and other publicly available sources of information. \173\ OMB, ``Circular A-4,'' at 2 (Sept. 17, 2003), available at https://www.whitehouse.gov/sites/default/files/omb/assets/regulatory_matters_pdf/a-4.pdf (``Benefits and costs are defined in comparison with a clearly stated alternative. This normally will be a `no action' baseline: What the world will be like if the proposed rule is not adopted.''). \174\ OMB also requires TSA to consider a ``pre-statute'' baseline. Id. at 16. Costs of First ObserverTM have accrued since passage of the 9/11 Act and are part of this ``pre- statute'' baseline. [GRAPHIC] [TIFF OMITTED] TP16DE16.017 TSA summarizes the costs of the proposed rule to be borne by four affected parties: Freight railroad owner/operators, PTPR owner/ operators, OTRB owner/operators, and TSA. As displayed in Table 12, TSA estimates [[Page 91374]] the 10-year total cost of this proposed rule to be $222.80 million undiscounted, $190.45 million discounted at 3 percent, and $157.27 million discounted at 7 percent. The costs to industry (all three surface modes) comprise approximately 99 percent of the total costs of the rule; and the remaining costs are incurred by TSA. Table 12--Total Cost of the Proposed Rule by Entity [$ millions] -------------------------------------------------------------------------------------------------------------------------------------------------------- Total proposed rule cost ----------------------------------------------- Year Freight rail PTPR OTRB TSA Discounted at Discounted at Undiscounted 3% 7% -------------------------------------------------------------------------------------------------------------------------------------------------------- 1....................................... $14.51 $9.29 $2.04 $0.52 $26.35 $25.59 $24.63 2....................................... 14.37 5.84 1.62 0.12 21.95 20.69 19.17 3....................................... 8.68 9.06 1.47 0.13 19.33 17.69 15.78 4....................................... 14.50 5.85 1.66 0.13 22.13 19.67 16.89 5....................................... 14.56 9.08 1.68 0.13 25.45 21.95 18.15 6....................................... 8.93 6.00 1.82 0.18 16.93 14.18 11.28 7....................................... 14.69 9.10 1.73 0.13 25.65 20.86 15.98 8....................................... 14.76 5.87 1.76 0.14 22.66 17.78 13.11 9....................................... 8.92 9.11 1.60 0.14 19.76 15.15 10.75 10...................................... 14.89 5.88 1.80 0.14 22.71 16.91 11.55 --------------------------------------------------------------------------------------------------------------- Total............................... 128.80 75.08 17.17 1.75 222.80 190.45 157.27 Annualized.......................... .............. .............. .............. .............. .............. 22.33 22.39 -------------------------------------------------------------------------------------------------------------------------------------------------------- Note: Totals may not add due to rounding. TSA estimates the 10-year costs to the freight railroad industry to be $128.80 million undiscounted, $110.00 million discounted at 3 percent, and $90.74 million discounted at 7 percent, as displayed by cost categories in Table 13. [GRAPHIC] [TIFF OMITTED] TP16DE16.018 TSA estimates the 10-year costs to the PTPR industry to be $75.08 million undiscounted, $64.26 million discounted at 3 percent, and $53.14 million discounted at 7 percent, as displayed by cost categories in Table 14. [[Page 91375]] [GRAPHIC] [TIFF OMITTED] TP16DE16.019 TSA estimates the 10-year costs to the OTRB industry to be $17.17 million undiscounted, $14.65 million discounted at 3 percent, and $12.08 million discounted at 7 percent, as displayed by cost categories in Table 15. [GRAPHIC] [TIFF OMITTED] TP16DE16.020 TSA estimates the 10-year costs to TSA to be $1.75 million undiscounted, $1.54 million discounted at 3 percent, and $1.31 million discounted at 7 percent, as displayed by cost categories in Table 16. [[Page 91376]] [GRAPHIC] [TIFF OMITTED] TP16DE16.021 The proposed rule would enhance surface transportation security by reducing vulnerability to terrorist attacks in four different ways. First, the surface transportation employees in each of the three covered modes would be trained to identify security vulnerabilities. Second, these surface transportation employees would be better trained to recognize potentially threatening behavior and properly report that information. Third, these surface employees would be trained to respond to incidents, thereby mitigating the consequences of an attack. Finally, the covered surface transportation owner/operators would be required to report significant security concerns to TSA so that TSA can analyze potential threats across all modes. While training is not an absolute deterrent for terrorists intent on carrying out attacks on surface modes of transportation, TSA expects the probability of success for such attacks to decrease if security- sensitive employees within these transportation modes are trained in the elements required under the proposed rule. TSA uses a break-even analysis to frame the relationship between the potential benefits of the proposed rule and the costs of implementing the rule. When it is not possible to quantify or monetize a majority of the incremental benefits of a regulation, OMB recommends conducting a threshold, or ``break-even'' analysis. According to OMB Circular No. A-4, ``Regulatory Analysis,'' such an analysis answers the question ``How small could the value of the non-qualified benefits be (or how large would the value of the non-quantified costs need to be) before the rule would yield zero net benefits?'' \175\ --------------------------------------------------------------------------- \175\ See id. --------------------------------------------------------------------------- To conduct the break-even analysis, TSA evaluates three composite scenarios for each the three modes covered by the proposed rule. For each scenario, TSA calculates a total monetary consequence from an estimated statistical value of the human casualties and capital replacement resulting from the attack (see Section 4.3 of the Surface Training Program for Surface Mode Employees Regulatory Impact Analysis for a more detailed description of these calculations however many assumptions regarding specific terrorist attacks scenarios are SSI and cannot be publically released). Table 17 presents the composite or weighted average of direct consequences from a successful attack on each mode. [[Page 91377]] [GRAPHIC] [TIFF OMITTED] TP16DE16.022 TSA compared the estimated direct monetary costs of an attack to the annualized cost (discounted at 7 percent) to industry and TSA from the proposed rule for each mode to estimate how often an attack of that nature would need to be averted for the expected benefits to equal estimated costs. Table 18 presents the results of the break-even analysis for each mode. For example, Table 18 shows that if the freight rail training requirements in this rule prevents one freight rail terrorist attack every 96 years, this rule ``breaks-even'' (the benefits equal the costs). --------------------------------------------------------------------------- \176\ As explained in the RIA in the docket, to monetize injuries, TSA used two approaches (depending on whether the injury was due to exposure to hazardous chemicals). To monetize ``non- chemical'' injuries, TSA uses guidance from the Department of Transportation for valuing injuries based on the Abbreviated Injury Scale. To monetize chemical-related injuries, TSA obtained information on the cost of medical treatment for poisoning injuries. \177\ Total Direct Consequences = (Deaths x $9.1 million VSL) + (Severe injuries x $2.42 million) + (Moderate injuries x $0.43 million) + (Severe chemical injuries x $42,462) + (Moderate chemical injuries x $1,563) + Public property loss + Private property loss + Rescue and clean-up cost. --------------------------------------------------------------------------- The break-even analysis does not include the difficult to quantify indirect costs of an attack or the macroeconomic impacts that could occur due to a major attack. In addition to the direct impacts of a terrorist attack in terms of lost life and property, there are other more indirect impacts that are difficult to measure. As noted by Cass Sunstein in the Laws of Fear, ``. . . fear is a real social cost, and it is likely to lead to other social costs.'' \178\ In addition, Ackerman and Heinzerling state ``. . . terrorism `works' through the fear and demoralization caused by uncontrollable uncertainty.'' \179\ As devastating as the direct impacts of a successful terrorist attack can be in terms of the immediate loss of life and property, avoiding the impacts of the more difficult to measure indirect effects are also substantial benefits of preventing a terrorist attack. --------------------------------------------------------------------------- \178\ Cass R. Sunstein, ``Laws of Fear,'' at 127 (2005). \179\ Frank Ackerman and Lisa Heinzerling, ``Priceless On Knowing the Price of Everything and the Value of Nothing,'' at 136 (2004). Table 18--Break-Even Analysis Results [$ millions] ---------------------------------------------------------------------------------------------------------------- Weighted average direct Annualized Modes costs of a cost of the Breakeven averted attack successful proposed rule frequency c = a / b attack a at 7% b ---------------------------------------------------------------------------------------------------------------- Freight Rail.................................. $1,218.92 $12.94 One attack every 94 years. PTPR.......................................... 613.19 7.60 One attack every 81 years. OTRB.......................................... 679.02 1.86 One attack every 365 years. ---------------------------------------------------------------------------------------------------------------- Note: Totals may not add due to rounding. 3. OMB A-4 Statement The OMB A-4 Accounting Statement (in Table 19) presents annualized costs and qualitative benefits of the proposed rule. [[Page 91378]] Table 19--OMB A-4 $ Accounting Statement [in $ millions, 2015 dollars] ---------------------------------------------------------------------------------------------------------------- Source citation Category Primary estimate Minimum estimate Maximum estimate (final RIA, preamble, etc.) ---------------------------------------------------------------------------------------------------------------- Benefits ($ millions) ---------------------------------------------------------------------------------------------------------------- Annualized monetized benefits .................. .................. .................. NPRM RIA. (discount rate in parentheses). ------------------------------------------------------------ Unquantified benefits........ The requirements proposed in this rule, if finalized, NPRM RIA. produce benefits by reducing security risks through training security-sensitive surface mode employees to identify and/or mitigate an attempted terrorist attack. ---------------------------------------------------------------------------------------------------------------- Costs ($ millions) ---------------------------------------------------------------------------------------------------------------- Annualized monetized costs (7%) $22.39 .................. .................. NPRM RIA. (discount rate in (3%) $22.33 parentheses). Annualized quantified, but 0 0 0 NPRM RIA. unmonetized, costs. ------------------------------------------------------------ Qualitative costs N/A NPRM RIA. (unquantified). ---------------------------------------------------------------------------------------------------------------- Transfers ---------------------------------------------------------------------------------------------------------------- Annualized monetized 0 0 0 NPRM RIA. transfers: ``on budget''. From whom to whom?........... N/A N/A N/A None. Annualized monetized 0 0 0 NPRM RIA. transfers: ``off-budget''. From whom to whom?........... N/A N/A N/A None. ---------------------------------------------------------------------------------------------------------------- Miscellaneous Analyses/ Effects Source Citation (NPRM Category RIA, preamble, etc.). ---------------------------------------------------------------------------------------------------------------- Effects on State, local, and/ None NPRM RIA. or tribal governments. Effects on small businesses.. Prepared IRFA IRFA. Effects on wages............. None None. Effects on growth............ None None. ---------------------------------------------------------------------------------------------------------------- 4. Alternatives Considered In addition to the proposed rule, TSA also considered two alternative policies. As discussed in section III.K of this NPRM, the first alternative (Alternative 1) only includes requirements that are statutory according to the 9/11 Act.\180\ The second alternative (Alternative 2) expands the population of owners/operators to all who operate within the UASI--which includes the entire metropolitan statistical area--and requires them to develop their own training program. This would be the case if First Observer PlusTM were not made available to owner/operators or if the owners/operators would not adopt First Observer PlusTM. This alternative was considered in the early stages of this proposed rule when the First ObserverTM program was still in development. Notionally, an owner/operator-developed training program would provide a marginal increase in effectiveness over a ``one size fits all'' training program because it would be customized to the individual owner/operator and take into account the unique security and structural characteristics inherent in a large and complicated system like a transportation network. --------------------------------------------------------------------------- \180\ Table 59 in the RIA found in the docket provides a section-by section analysis of which regulatory provisions are statutorily required and which provisions are discretionary. --------------------------------------------------------------------------- Though not the least costly option, TSA selects the proposed rule as its preferred alternative because TSA recommends that all surface mode employees be refreshed on their security training objectives annually, in an abbreviated method at the very least. TSA recognizes recurrent training as essential to maintaining a high level of security awareness. The 9/11 Act recognizes this as well by requiring routine and ongoing training for public transportation employees. Congress has left it to the discretion of TSA to determine the appropriate schedule for recurrent training. TSA believes that annual training is essential for maintaining a high level of security awareness among surface transportation employees. TSA's goal is to ensure the expected baseline of security awareness is reached and maintained across the higher-risk systems and will work with the owner/operators as necessary to ensure that goal is accomplished. Additionally, the affected population for the proposed rule (and Alternative 1) is based on a risk assessment on these modes of transportation (for more detail see preamble section III.B.). TSA reviewed the scope of the relevant industries and the security risks associated with each. This assessment considers not only threat (as informed by intelligence), but also the potential consequences of a terrorist attack on a system or vehicle(s) and the vulnerabilities inherent in the design and/or operation of these systems and vehicles. Both the proposed rule and Alternative 1 target higher-risk areas or transportation systems as opposed to Alternative 2, which covers a broader population and sets its parameters by other industry characteristics. The reasons for rejecting Alternative 2 are discussed in section III.D. of this NPRM. For these reasons, TSA has chosen the proposed rule as its preferred alternative. Table 20 presents a [[Page 91379]] comparison of the costs by cost component for industry and TSA for the proposed rule and both alternatives. [GRAPHIC] [TIFF OMITTED] TP16DE16.023 [[Page 91380]] [GRAPHIC] [TIFF OMITTED] TP16DE16.024 5. Regulatory Flexibility Assessment The Regulatory Flexibility Act (RFA) of 1980 requires agencies to consider the impacts of their rules on small entities. TSA performed an Initial Regulatory Flexibility Analysis (IRFA) to analyze the impact to small entities affected by the proposed rule. See the RIA in the docket for the full IRFA. A summary of the RFA is below. Under the RFA, the term ``small entities'' comprises small businesses, not-for-profit organizations that are independently owned and operated and are not dominant in their fields, and small governmental jurisdictions with populations of less than 50,000. Individuals and States are not considered ``small entities'' based on the definitions in the RFA (5 U.S.C. 601). The PTPR owner/operators affected by this proposed rule are not considered small because they are either owned/operated by governmental jurisdictions that exceed the RFA population threshold of 50,000 or a business that exceeds the SBA size threshold. Only freight rail and OTRB owner/operators have small entities that may be affected by the proposed rule. TSA uses the Small Business Administration's (SBA) size standards to identify that 13 freight rail owner/operators affected by the proposed rule are considered a small business. TSA calculates that proposed rule's requirements are estimated to cost $68.78 per employee and $6,068.49 per entity to these freight rail owner/operators. Of these 13 small freight rail owner/operators, TSA estimates that only one of them would have an impact to revenue greater that 1 percent. For OTRBs, TSA uses SBA's threshold to estimate that 174 OTRB owner/ operators affected by the proposed rule are considered a small business. TSA calculates that the proposed rule's requirements are estimated to cost $33.41 per employee and $3,347.67 per entity to these OTRB owner/operators. Of these 174 small OTRB owner/operators, TSA estimates that 20 of them would have an impact to revenue greater than 1 percent. TSA considered two alternative policies in addition to the proposed rule. As discussed in section III.K of this NPRM and section 5.1 of the RIA, the first alternative (Alternative 1) only includes requirements that are statutory according to the 9/11 Act. This alternative would remain applicable to the same population of the proposed rule, but would only require owner/operators to train security-sensitive employees according to statutory guidelines set in the 9/11 Act. In Alternative 1, recurrent training is required only once every three years--similar to other training requirements of transportation modes-- because the 9/11 Act does not require annual recurrent training as TSA does in the proposed rule. As discussed in section III.F(1)(2)(3) of this NPRM (Alternatives Considered) and section 5.2 of the RIA, the second alternative (Alternative 2) expands the population of owners/operators to all who operate within the UASI--which includes the entire metropolitan statistical area-and requires them to develop their own training program. TSA considered Alternative 2 while the First ObserverTM program was still in development. TSA chose the proposed rule as its preferred alternative, thus rejecting Alternative 1, because TSA recommends that all surface mode employees be refreshed on their security training objectives annually. TSA recognizes recurrent training as essential to maintaining a high level of security awareness. TSA's objective is to ensure the expected baseline of security [[Page 91381]] awareness is reached and maintained across the higher-risk systems and will work with the owner/operators as necessary to ensure that goal is accomplished. TSA has met this objective by developing First Observer PlusTM. TSA intends for the training content in First Observer PlusTM to align with most of the regulatory requirements in a final rule. This resource will be provided free to owner/operators so that they may comply with the proposed rule at minimized costs. Additionally, the affected population for the proposed rule (and Alternative 1) is based on a risk assessment on these modes of transportation (for more detail see section III.B of this NPRM). TSA reviewed the scope of the relevant industries and the security risks associated with each. This assessment considers not only threat (as informed by intelligence), but also the potential consequences of a terrorist attack on a system or vehicle(s) and the vulnerabilities inherent in the design and/or operation of these systems and vehicles. Both the proposed rule and Alternative 1 target higher-risk areas or transportation systems as opposed to Alternative 2, which covers a broader population and sets its parameters by other industry characteristics. Alternative 2 leads to higher costs to small entities not necessarily considered higher-risk. TSA rejected Alternative 2 because the agency has determined that the proposed rule better aligns with its commitment to risk-based security policy and outcomes-based regulation and because it would impose a higher cost to small entities outside the higher-risk profile. TSA invites all interested parties to submit data and information regarding the potential economic impact on small entities that would result from the adoption of the proposed requirements in the proposed rule. 6. International Trade Impact Assessment The Trade Agreement Act of 1979 prohibits Federal agencies from establishing any standards or engaging in related activities that create unnecessary obstacles to the foreign commerce of the United States. Legitimate domestic objectives, such as safety, are not considered unnecessary obstacles. The statute also requires consideration of international standards and, where appropriate, that they be the basis for U.S. standards. TSA has assessed the potential effect of this proposed rule and has determined that it would have only a domestic impact and therefore no effect on any trade-sensitive activity. 7. Unfunded Mandates Assessment The Unfunded Mandates Reform Act of 1995 (UMRA) is intended, among other things, to curb the practice of imposing unfunded Federal mandates on State, local, and tribal governments. Title II of the UMRA requires each Federal agency to prepare a written statement assessing the effects of any Federal mandate in a proposed or final agency rule that may result in a $100 million or more expenditure (adjusted annually for inflation) in any one year by State, local, and tribal governments, in the aggregate, or by the private sector; such a mandate is deemed to be a ``significant regulatory action.'' This proposed rule does not contain such a mandate. The requirements of Title II of the UMRA, therefore, do not apply and TSA has not prepared a statement. C. Executive Order 13132, Federalism TSA has analyzed this rulemaking under the principles and criteria of Executive Order 13132, Federalism. We determined that this action would not have a substantial direct effect on the States, on the relationship between the National Government and the States, or on the distribution of power and responsibilities among the various levels of government, and therefore would not have federalism implications. D. Environmental Analysis TSA has reviewed this rulemaking for purposes of the National Environmental Policy Act of 1969 (NEPA) (42 U.S.C. 4321-4347) and has determined that this action will not have a significant effect on the human environment. This action is covered by categorical exclusion (CATEX) number A3(b) in DHS Management Directive 023-01 (formerly Management Directive 5100.1), Environmental Planning Program, which guides TSA compliance with NEPA. E. Energy Impact Analysis The energy impact of this rulemaking has been assessed in accordance with the Energy Policy and Conservation Act (EPCA), Public Law 94-163, as amended (42 U.S.C. 6362). TSA has determined that this rulemaking is not a major regulatory action under the provisions of the EPCA. List of Subjects 49 CFR Part 1500 Air carriers, Air transportation, Aircraft, Airports, Bus transit systems, Commuter bus systems, Law enforcement officer, Maritime carriers, Over-the-Road buses, Public transportation, Rail hazardous materials receivers, Rail hazardous materials shippers, Rail transit systems, Railroad carriers, Railroad safety, Railroads, Reporting and recordkeeping requirements, Security measures, Transportation facility, Vessels. 49 CFR Part 1520 Air carriers, Air transportation, Aircraft, Airports, Bus transit systems, Commuter bus systems, Law enforcement officer, Maritime carriers, Over-the-Road buses, Public transportation, Rail hazardous materials receivers, Rail hazardous materials shippers, Rail transit systems, Railroad carriers, Railroad safety, Railroads, Reporting and recordkeeping requirements, Security measures, Transportation facility, Vessels. 49 CFR Part 1570 Commuter bus systems, Crime, Fraud, Hazardous materials transportation, Motor carriers, Over-the-Road bus safety, Over-the-Road buses, Public transportation, Public transportation safety, Rail hazardous materials receivers, Rail hazardous materials shippers, Rail transit systems, Railroad carriers, Railroad safety, Railroads, Reporting and recordkeeping requirements, Security measures, Transportation facility, Transportation Security-Sensitive Materials. 49 CFR Part 1580 Hazardous materials transportation, Rail hazardous materials receivers, Rail hazardous materials shippers, Railroad carriers, Railroad safety, Railroads, Reporting and recordkeeping requirements, Security measures. 49 CFR Part 1582 Public transportation, Public transportation safety, Railroad carriers, Railroad safety, Railroads, Rail transit systems, Reporting and recordkeeping requirements, Security measures. 49 CFR Part 1584 Over-the-Road bus safety, Over-the-Road buses, Reporting and recordkeeping requirements, Security measures. The Proposed Amendments For the reasons set forth in the preamble, the Transportation Security Administration proposes to amend Chapter XII, of Title 49, Code of Federal Regulations to read as follows: [[Page 91382]] SUBCHAPTER A--ADMINISTRATIVE AND PROCEDURAL RULES PART 1500--APPLICABILITY, TERMS, AND ABBREVIATIONS 0 1. The authority citation for part 1500 is revised to read as follows: Authority: 6 U.S.C. 1137, 1151, 1167, and 1184; 49 U.S.C. 114, 5103, 40113, 44901-44907, 44913-44914, 44916-44918, 44935-44936, 44942, 46105. 0 2. Revise Sec. 1500.3 to read as follows: Sec. 1500.3 Terms and abbreviations used in this chapter. As used in this chapter: Administrator means the Assistant Secretary for Homeland Security, Transportation Security Administration (Assistant Secretary), who is the highest-ranking TSA official, or his or her designee. Administrator also means the Under Secretary of Transportation for Security identified in 49 U.S.C. 114(b). Authorized representative means any individual who is not a direct employee of a person regulated under this title, but is authorized to act on that person's behalf to perform measures required under the Transportation Security Regulations, or a TSA security program. For purposes of this subchapter, the term ``authorized representative'' includes agents, contractors, and subcontractors, and employees of the same. Bus means any of several types of motor vehicles used by public or private entities to provide transportation service for passengers. Bus transit system means a public transportation system providing frequent transportation service (not limited to morning and evening peak travel times) for the primary purpose of moving passengers between bus stops, often through multiple connections (a bus transit system does not become a commuter bus system even if its primary purpose is the transportation of commuters). This term does not include tourist, scenic, historic, or excursion operations. Commuter bus system means a system providing passenger service primarily during morning and evening peak periods, between an urban area and more distant outlying communities in a greater metropolitan area. This term does not include tourist, scenic, historic, or excursion operations. Commuter passenger train service means ``train, commuter'' as defined in 49 CFR 238.5, and includes service provided by diesel or electric powered locomotives and railroad passenger cars to serve an urban area, its suburbs, and more distant outlying communities in the greater metropolitan area. A commuter passenger train service is part of the general railroad system of transportation regardless of whether it is physically connected to other railroads. DHS means the Department of Homeland Security and any directorate, bureau, or other component within the Department of Homeland Security, including the United States Coast Guard. DOT means the Department of Transportation and any operating administration, entity, or office within the Department of Transportation. Fixed-route service means the provision of transportation service by private entities operated along a prescribed route according to a fixed schedule. General railroad system of transportation means ``the network of standard gauge track over which goods may be transported throughout the nation and passengers may travel between cities and within metropolitan and suburban areas'' as defined in Appendix A to 49 CFR part 209. Hazardous material means ``hazardous material'' as defined in 49 CFR 171.8. Heavy rail transit means service provided by self-propelled electric railcars, typically drawing power from a third rail, operating in separate rights-of-way in multiple cars; also referred to as subways, metros or regional rail. Host railroad means a railroad that has effective control over a segment of track. Improvised explosive device (IED) means a device fabricated in an improvised manner that incorporates explosives or destructive, lethal, noxious, pyrotechnic, or incendiary chemicals in its design, and generally includes a power supply, a switch or timer, and a detonator or initiator. Intercity passenger train service means both ``train, long-distance intercity passenger'' and ``train, short-distance intercity passenger'' as defined in 49 CFR 238.5. Light rail transit means service provided by self-propelled electric railcars, typically drawing power from an overhead wire, operating in either exclusive or non-exclusive rights-of-way in single or multiple cars, with shorter distance trips, and frequent stops; also referred to as streetcars, trolleys, and trams. Motor vehicle means a vehicle, machine, tractor, trailer, or semitrailer propelled or drawn by mechanical power and used upon the highways in the transportation of passengers or property, or any combination thereof, but does not include any vehicle, locomotive, or car operated exclusively on a rail or rails, or a trolley bus operated by electric power derived from a fixed overhead wire, furnishing local passenger transportation similar to street-railway service. Over-the-Road Bus (OTRB) means a bus characterized by an elevated passenger deck located over a baggage compartment. Owner/operator means any person that owns, or maintains operational control over, any transportation infrastructure asset, facility, or system regulated under this title, including airport operator, aircraft operator, foreign air carrier, indirect air carrier, certified cargo screening facility, flight school within the meaning of 49 CFR 1552.1(b), motor vehicle, public transportation agency, or railroad carrier. For purposes of a maritime facility or a vessel, owner/ operator has the same meaning as defined in 33 CFR 101.105. Passenger rail car means rail rolling equipment intended to provide transportation for members of the general public and includes a self- propelled rail car designed to carry passengers, baggage, mail, or express. This term includes a rail passenger coach, cab car, and a Multiple Unit (MU) locomotive. In the context of articulated equipment, ``passenger rail car'' means that segment of the rail rolling equipment located between two trucks. This term does not include a private rail car. Passenger railroad carrier means a railroad carrier that provides transportation to persons (other than employees, contractors, or persons riding equipment to observe or monitor railroad operations) by railroad in intercity passenger service or commuter or other short-haul passenger service in a metropolitan or suburban area. Passenger train means a train that transports or is available to transport members of the general public. Person means an individual, corporation, company, association, firm, partnership, society, joint-stock company, or governmental authority. It includes a trustee, receiver, assignee, successor, or similar representative of any of them. Private rail car means rail rolling equipment that is used only for excursion, recreational, or private transportation purposes. A private rail car is not a passenger rail car. Public transportation means transportation provided to the general public by a regular and continuing general or specific transportation vehicle that is owned or operated by a [[Page 91383]] public transportation agency, including providing one or more of the following types of passenger transportation: (1) Intercity or commuter passenger train service or other short- haul railroad passenger service in a metropolitan or suburban area (as described by 49 U.S.C. 20102(1)). (2) Heavy or light rail transit service, whether on or off the general railroad system of transportation. (3) An automated guideway, cable car, inclined plane, funicular, or monorail system. (4) Bus transit or commuter bus service. Public transportation agency means any publicly-owned or operated provider of regular and continuing public transportation. Rail hazardous materials receiver means any owner/operator of a fixed-site facility that has a physical connection to the general railroad system of transportation and receives or unloads from transportation in commerce by rail one or more of the categories and quantities of rail security-sensitive materials identified in 49 CFR 1580.3, but does not include the owner/operator of a facility owned or operated by a department, agency or instrumentality of the Federal government. Rail hazardous materials shipper means the owner/operator of any fixed-site facility that has a physical connection to the general railroad system of transportation and offers (as defined in the definition of ``person who offers or offeror'' in 49 CFR 171.8), prepares or loads for transportation by rail one or more of the categories and quantities of rail security-sensitive materials as identified in 49 CFR 1580.3, but does not include the owner/operator of a facility owned or operated by a department, agency or instrumentality of the Federal government. Rail secure area means a secure location(s) identified by a rail hazardous materials shipper or rail hazardous materials receiver where security-related pre-transportation or transportation functions are performed or rail cars containing the categories and quantities of rail security-sensitive materials are prepared, loaded, stored, and/or unloaded. Rail transit facility means rail transit stations, terminals, and locations at which rail transit infrastructure assets are stored, command and control operations are performed, or maintenance is performed. The term also includes rail yards, crew management centers, dispatching centers, transportation terminals and stations, fueling centers, and telecommunication centers. Rail transit system or ``Rail Fixed Guideway System'' means any light, heavy, or rapid rail system, monorail, inclined plane, funicular, cable car, trolley, or automated guideway that traditionally does not operate on track that is part of the general railroad system of transportation. Railroad carrier means an owner/operator providing railroad transportation. Railroad transportation means any form of non-highway ground transportation that runs on rails or electromagnetic guideways, including (1) commuter or other short-haul rail passenger service in a metropolitan or suburban area and (2) high speed ground transportation systems that connect metropolitan areas, without regard to whether those systems use new technologies not associated with traditional railroads. Such term includes rail transit service operating on track that is part of the general railroad system of transportation but does not include rapid transit operations in an urban area that are not connected to the general railroad system of transportation. Record includes any means by which information is preserved, irrespective of format, including a book, paper, drawing, map, recording, tape, film, photograph, machine-readable material, and any information stored in an electronic format. The term record also includes any draft, proposed, or recommended change to any record. Sensitive security information (SSI) means information that is described in and must be managed in accordance with 49 CFR part 1520. State means a State of the United States and the District of Columbia. Tourist, scenic, historic, or excursion operation means a railroad or bus operation that carries passengers, often using antiquated equipment, with the conveyance of the passengers to a particular destination not being the principal purpose. Train or bus movements of new passenger equipment for demonstration purposes are not tourist, scenic, historic, or excursion operations. Transit means mass transportation by a conveyance that provides regular and continuing general or special transportation to the public, but does not include school bus, charter, or sightseeing transportation. Rail transit may occur on or off the general railroad system of transportation. Transportation or transport means the movement of property including loading, unloading, and storage. Transportation or transport also includes the movement of people, boarding, and disembarking incident to that movement. Transportation facility means a location at which transportation cargo, equipment or infrastructure assets are stored, equipment is transferred between conveyances and/or modes of transportation, transportation command and control operations are performed, or maintenance operations are performed. The term also includes, but is not limited to, passenger stations and terminals (including any fixed facility at which passengers are picked-up or discharged), vehicle storage buildings or yards, crew management centers, dispatching centers, fueling centers, and telecommunication centers. Transportation security equipment and systems means items, both integrated into a system and stand-alone, used by owner/operators to enhance capabilities to detect, deter, prevent, or respond to a threat or incident, including, but not limited to, video surveillance, explosives detection, radiological detection, intrusion detection, motion detection, and security screening. Transportation Security Regulations (TSR) means the regulations issued by the Transportation Security Administration, in title 49 of the Code of Federal Regulations, chapter XII, which includes parts 1500 through 1699. Transportation Security-Sensitive Material (TSSM) means hazardous materials identified in 49 CFR 172.800(b). TSA means the Transportation Security Administration. United States, in a geographical sense, means the States of the United States, the District of Columbia, and territories and possessions of the United States, including the territorial sea and the overlying airspace. Vulnerability assessment includes any review, audit, or other examination of the security of a transportation system, infrastructure asset, or a transportation-related automated system or network to determine its vulnerability to unlawful interference, whether during the conception, planning, design, construction, operation, or decommissioning phase. A vulnerability assessment includes the methodology for the assessment, the results of the assessment, and any proposed, recommended, or directed actions or countermeasures to address security concerns. [[Page 91384]] PART 1503--INVESTIGATIVE AND ENFORCEMENT PROCEDURES 0 3. The authority citation for part 1503 continues to read as follows: Authority: 6 U.S.C. 1142; 18 U.S.C. 6002; 28 U.S.C. 2461 (note); 49 U.S.C. 114, 20109, 31105, 40113-40114, 40119, 44901-44907, 46101- 46107, 46109-46110, 46301, 46305, 46311, 46313-46314. Subpart B--Scope of Investigative and Enforcement Procedures 0 4. In Sec. 1503.101 revise paragraphs (b)(1) and (b)(2), and add paragraph (b)(3) to read as follows: Sec. 1503.101 TSA requirements. * * * * * (b) * * * (1) Those provisions of title 49 U.S.C. administered by the Administrator; (2) 46 U.S.C. chapter 701; and (3) Those provisions of title 6 U.S.C. administered by the Administrator. SUBCHAPTER B--SECURITY RULES FOR ALL MODES OF TRANSPORTATION PART 1520--PROTECTION OF SENSITIVE SECURITY INFORMATION 0 5. The authority citation for part 1520 continues to read as follows: Authority: 46 U.S.C. 70102-70106, 70117; 49 U.S.C. 114, 40113, 44901-44907, 44913-44914, 44916-44918, 44935-44936, 44942, 46105. Sec. 1520.3 [Amended] 0 6. In Sec. 1520.3 remove the definitions for ``DHS, ``DOT'', ``Rail facility'', ``Rail hazardous materials receiver'', ``Rail hazardous materials shipper, ``Rail transit facility'', ``Rail transit system or Rail Fixed Guideway System'', ``Railroad'', ``Record'', and ``Vulnerability assessment''. 0 7. In Sec. 1520.5 revise paragraphs (b)(1), (b)(6)(i), (b)(8) introductory text, (b)(10), (b)(12) introductory text, and (b)(15) to read as follows: Sec. 1520.5 Sensitive security information. * * * * * (b) * * * (1) Security programs, security plans, and contingency plans. Any security program, security plan, or security contingency plan issued, established, required, received, or approved by DHS or DOT, including any comments, instructions, or implementing guidance, including-- (i) Any aircraft operator, airport operator, fixed base operator, or air cargo security program, or security contingency plan under this chapter; (ii) Any vessel, maritime facility, or port area security plan required or directed under Federal law; (iii) Any national or area security plan prepared under 46 U.S.C. 70103; (iv) Any security incident response plan established under 46 U.S.C. 70104, and (v) Any security program or plan required under subchapter D of this title. * * * * * (6) * * * (i) Details of any aviation, maritime, or surface transportation inspection, or any investigation or an alleged violation of aviation, maritime, or surface transportation security requirements of Federal law, that could reveal a security vulnerability, including the identity of the Federal special agent or other Federal employee who conducted the inspection or investigation, and including any recommendations concerning the inspection or investigation. * * * * * (8) Security measures. Specific details of aviation, maritime, or surface transportation security measures, both operational and technical, whether applied directly by the Federal government or another person, including the following: * * * * * (10) Security training materials. Records created or obtained for the purpose of training persons employed by, contracted with, or acting for the Federal government or another person to carry out aviation, maritime, or surface transportation security measures required or recommended by DHS or DOT. * * * * * (12) Critical transportation infrastructure asset information. Any list identifying systems or assets, whether physical or virtual, so vital to the aviation, maritime, or surface transportation that the incapacity or destruction of such assets would have a debilitating impact on transportation security, if the list is-- * * * * * (15) Research and development. Information obtained or developed in the conduct of research related to aviation, maritime, or surface transportation, where such research is approved, accepted, funded, recommended, or directed by DHS or DOT, including research results. * * * * * 0 8. In Sec. 1520.7 revise paragraph (n) to read as follows: Sec. 1520.7 Covered persons. * * * * * (n) Each owner/operator of maritime or surface transportation subject to the requirements of subchapter D of this chapter. 0 9. Revise the heading for subchapter D to read as follows: SUBCHAPTER D--MARITIME AND SURFACE TRANSPORTATION SECURITY 0 10. Revise part 1570 to read as follows: PART 1570--GENERAL RULES Subpart A--General Sec. 1570.1 Scope. 1570.3 Terms used in this subchapter. 1570.5 Fraud and intentional falsification of records. 1570.7 Security responsibilities of employees and other persons. 1570.9 Compliance, inspection, and enforcement. Subpart B--Security Programs Sec. 1570.101 Scope. 1570.103 Content. 1570.105 Responsibility for Determinations. 1570.107 Recognition of prior or established security measures or programs. 1570.109 Submission and approval. 1570.111 Implementation schedules. 1570.113 Amendments requested by owner/operator. 1570.115 Amendments required by TSA. 1570.117 Alternative measures. 1572.119 Petitions for reconsideration. 1570.121 Recordkeeping and availability. Subpart C--Operations Sec. 1570.201 Security Coordinator. 1570.203 Reporting significant security concerns. Subpart D--Security Threat Assessments Sec. 1570.301 Fraudulent use or manufacture; responsibilities of persons. 1570.303 Inspection of credential. 1570.305 False statements regarding security background checks by public transportation agency or railroad carrier. Appendix A to Part 1570--Reporting Of Significant Security Concerns Authority: 6 U.S.C. 469, 1134, 1137, 1143, 1151, 1162, 1167, 1170, 1181 and 1184; 18 U.S.C. 842, 845; 46 U.S.C. 70105; 49 U.S.C. 114, 5103a, 40113, and 46105. Subpart A--General Sec. 1570.1 Scope. This part applies to any person involved in maritime or surface transportation as specified in this subchapter. Sec. 1570.3 Terms used in this subchapter. In addition to the definitions in Sec. Sec. 1500.3, 1500.5, and 1503.202 of subchapter A, the following terms are used in this subchapter: [[Page 91385]] Adjudicate means to make an administrative determination of whether an applicant meets the standards in this subchapter, based on the merits of the issues raised. Alien means any person not a citizen or national of the United States. Alien registration number means the number issued by the U.S. Department of Homeland Security (DHS) to an individual when he or she becomes a lawful permanent resident of the United States or attains other lawful, non-citizen status. Applicant means a person who has applied for one of the security threat assessments identified in this subchapter. Commercial driver's license (CDL) is used as defined in 49 CFR 383.5. Contractor means a person or organization that provides a service for an owner/operator regulated under this subchapter consistent with a specific understanding or arrangement. The understanding can be a written contract or an informal arrangement that reflects an ongoing relationship between the parties. Convicted means any plea of guilty or nolo contendere, or any finding of guilt, except when the finding of guilt is subsequently overturned on appeal, pardoned, or expunged. For purposes of this subchapter, a conviction is expunged when the conviction is removed from the individual's criminal history record and there are no legal disabilities or restrictions associated with the expunged conviction, other than the fact that the conviction may be used for sentencing purposes for subsequent convictions. In addition, where an individual is allowed to withdraw an original plea of guilty or nolo contendere and enter a plea of not guilty and the case is subsequently dismissed, the individual is no longer considered to have a conviction for purposes of this subchapter. Determination of No Security Threat means an administrative determination by TSA that an individual does not pose a security threat warranting denial of an HME or a TWIC. Employee means an individual who is engaged or compensated by an owner/operator regulated under this subchapter, or by a contractor to an owner/operator regulated under this subchapter. The term includes direct employees, contractor employees, authorized representatives, immediate supervisors, and individuals who are self-employed. Federal Maritime Security Coordinator (FMSC) has the same meaning as defined in 46 U.S.C. 70103(a)(2)(G); is the Captain of the Port (COTP) exercising authority for the COTP zones described in 33 CFR part 3, and is the Port Facility Security Officer as described in the International Ship and Port Facility Security (ISPS) Code, part A. Final Determination of Threat Assessment means a final administrative determination by TSA, including the resolution of related appeals, that an individual poses a security threat warranting denial of an HME or a TWIC. Hazardous materials endorsement (HME) means the authorization for an individual to transport hazardous materials in commerce, an indication of which must be on the individual's commercial driver's license, as provided in the Federal Motor Carrier Safety Administration (FMCSA) regulations in 49 CFR part 383. Immediate supervisor means a manager, supervisor, or agent of the owner/operator to the extent the individual (a) performs the work of a security-sensitive employee or (b) supervises and otherwise directs the performance of a security-sensitive employee. Imprisoned or imprisonment means confined to a prison, jail, or institution for the criminally insane, on a full-time basis, pursuant to a sentence imposed as the result of a criminal conviction or finding of not guilty by reason of insanity. Time spent confined or restricted to a half-way house, treatment facility, or similar institution, pursuant to a sentence imposed as the result of a criminal conviction or finding of not guilty by reason of insanity, does not constitute imprisonment for purposes of this rule. Incarceration means confined or otherwise restricted to a jail-type institution, half-way house, treatment facility, or another institution on a full or part-time basis, pursuant to a sentence imposed as the result of a criminal conviction or finding of not guilty by reason of insanity. Initial Determination of Threat Assessment means an initial administrative determination by TSA that an applicant poses a security threat warranting denial of an HME or a TWIC. Initial Determination of Threat Assessment and Immediate Revocation means an initial administrative determination that an individual poses a security threat that warrants immediate revocation of an HME or invalidation of a TWIC. In the case of an HME, the State must immediately revoke the HME if TSA issues an Initial Determination of Threat Assessment and Immediate Revocation. In the case of a TWIC, TSA invalidates the TWIC when TSA issues an Initial Determination of Threat Assessment and Immediate Revocation. Invalidate means the action TSA takes to make a credential inoperative when it is reported as lost, stolen, damaged, no longer needed, or when TSA determines an applicant does not meet the security threat assessment standards of 49 CFR part 1572. Lawful permanent resident means an alien lawfully admitted for permanent residence, as defined in 8 U.S.C. 1101(a)(20). Maritime facility has the same meaning as ``facility'' together with ``OCS facility'' (Outer Continental Shelf facility), as defined in 33 CFR 101.105. Mental health facility means a mental institution, mental hospital, sanitarium, psychiatric facility, and any other facility that provides diagnoses by licensed professionals of mental retardation or mental illness, including a psychiatric ward in a general hospital. National of the United States means a citizen of the United States, or a person who, though not a citizen, owes permanent allegiance to the United States, as defined in 8 U.S.C. 1101(a)(22), and includes American Samoa and Swains Island. Revocation means the termination, deactivation, rescission, invalidation, cancellation, or withdrawal of the privileges and duties conferred by an HME or TWIC, when TSA determines an applicant does not meet the security threat assessment standards of 49 CFR part 1572. Secure area means the area on board a vessel or at a facility or outer continental shelf facility, over which the owner/operator has implemented security measures for access control, as defined by a Coast Guard approved security plan. It does not include passenger access areas or public access areas, as those terms are defined in 33 CFR 104.106 and 105.106 respectively. Vessels operating under the waivers provided for at 46 U.S.C. 8103(b)(3)(A) or (B) have no secure areas. Facilities subject to 33 CFR chapter I, subchapter H, part 105 may, with approval of the Coast Guard, designate only those portions of their facility that are directly connected to maritime transportation or are at risk of being involved in a transportation security incident as their secure areas. Security threat means an individual whom TSA determines or suspects of posing a threat to national security; to transportation security; or of terrorism. Security-sensitive employee, for purposes of this part, means ``security sensitive employee'' as defined in Sec. Sec. 1580.3, 1582.3, or 1584.3 of this title. [[Page 91386]] Security-sensitive job function, for purposes of this part, means a job function identified in Appendix B to part 1580, Appendix B to part 1582, and Appendix B to part 1584 of this title. Transportation Worker Identification Credential (TWIC) means a Federal biometric credential, issued to an individual, when TSA determines that the individual does not pose a security threat. Withdrawal of Initial Determination of Threat Assessment is the document that TSA issues after issuing an Initial Determination of Security Threat, when TSA determines that an individual does not pose a security threat that warrants denial of an HME or TWIC. Sec. 1570.5 Fraud and intentional falsification of records. No person may make, cause to be made, attempt, or cause to attempt any of the following: (a) Any fraudulent or intentionally false statement in any record or report that is kept, made, or used to show compliance with the subchapter, or exercise any privileges under this subchapter. (b) Any reproduction or alteration, for fraudulent purpose, of any record, report, security program, access medium, or identification medium issued under this subchapter or pursuant to standards in this subchapter. Sec. 1570.7 Security responsibilities of employees and other persons. (a) No person may-- (1) Tamper or interfere with, compromise, modify, attempt to circumvent, or cause another person to tamper or interfere with, compromise, modify, or attempt to circumvent any security measure implemented under this subchapter. (2) Enter, or be present within, a secured or restricted area without complying with the security measures applied as required under this subchapter to control access to, or presence or movement in, such areas. (3) Use, allow to be used, or cause to be used, any approved access medium or identification medium that authorizes the access, presence, or movement of persons or vehicles in secured or restricted areas in any other manner than that for which it was issued by the appropriate authority to meet the requirements of this subchapter. (b) The provisions of paragraph (a) of this section do not apply to conducting inspections or tests to determine compliance with this subchapter authorized by-- (1) TSA and DHS officials working with TSA; or (2) The owner/operator when acting in accordance with the procedures described in a security plan and/or program approved by TSA. Sec. 1570.9 Compliance, inspection, and enforcement. (a) Each person subject to any of the requirements of this subchapter, must allow TSA and other authorized DHS officials, at any time and in a reasonable manner, without advance notice, to enter, assess, inspect, and test property, facilities, equipment, and operations; and to view, inspect, and copy records, as necessary to carry out TSA's security-related statutory or regulatory authorities, including its authority to-- (1) Assess threats to transportation. (2) Enforce security-related laws, regulations, directives, and requirements. (3) Inspect, maintain, and test the security of facilities, equipment, and systems. (4) Ensure the adequacy of security measures for the transportation of passengers and cargo. (5) Oversee the implementation, and ensure the adequacy, of security measures for the owner/operator's conveyances and vehicles, at transportation facilities and infrastructure and other assets related to transportation. (6) Review security plans and/or programs. (7) Determine compliance with any requirements in this chapter. (8) Carry out such other duties, and exercise such other powers, relating to transportation security, as the Administrator for TSA considers appropriate, to the extent authorized by law. (b) At the request of TSA, each owner/operator subject to the requirements of this subchapter must provide evidence of compliance with this chapter, including copies of records. (c) TSA and other authorized DHS officials, may enter, without advance notice, and be present within any area or within any vehicle or conveyance, terminal, or other facility covered by this chapter without access media or identification media issued or approved by an owner/ operator covered by this chapter in order to inspect or test compliance, or perform other such duties as TSA may direct. (d) TSA inspectors and other authorized DHS officials working with TSA will, on request, present their credentials for examination, but the credentials may not be photocopied or otherwise reproduced. Subpart B--Security Programs Sec. 1570.101 Scope. The requirements of this subpart address general security program requirements applicable to each owner/operator required to have a security program under subpart B to 49 CFR parts 1580, 1582, and 1584. Sec. 1570.103 Content. (a) Security program. Except as otherwise approved by TSA, each owner/operator required to have a security program must address each of the security program requirements identified in subpart B to 49 CFR parts 1580, 1582, and 1584. (b) Use of appendices. The owner/operator may comply with the requirements referenced in paragraph (a) of this section by including in its security program, as an appendix, any document that contains the information required by the applicable subpart B, including procedures, protocols or memorandums of understanding related to external agency response to security incidents or events. The appendix must be referenced in the corresponding section(s) of the security program. Sec. 1570.105 Responsibility for Determinations. (a) Higher-risk operations. While TSA has determined the criteria for applicability of the requirements in subpart B to 49 CFR parts 1580, 1582, and 1584 based on risk-assessments for freight railroad, public transportation system, passenger railroad, or over-the-road (OTRB) owner/operators are required to determine if the applicability requirements apply to them using the criteria identified in 49 CFR 1580.101, 1582.101, and 1584.101. Owner/operators are required to notify TSA of applicability within 30 days of [Insert effective date of final rule in the Federal Register]. (b) New or modified operations. If an owner/operator commences new operations or modifies existing operations after [Insert date of publication of final rule in the Federal Register], that person is responsible for determining whether the new or modified operations would meet the applicability determinations in subpart B to 49 CFR parts 1580, 1582, or 1584 and must notify TSA no later than 90 calendar days before commencing operations or implementing modifications. Sec. 1570.107 Recognition of prior or established security measures or programs. Previously provided security training may be credited towards satisfying the [[Page 91387]] requirements of this subchapter provided the owner/operator-- (a) Obtains a complete record of such training and validates the training meets requirements of Sec. Sec. 1580.115, 1582.115, or 1584.115 of this subchapter as it relates to the function of the individual security-sensitive employee and the training was provided within the schedule required for recurrent training. (b) Retains a record of such training in compliance with the requirements of Sec. 1570.121 of this part. Sec. 1570.109 Submission and approval. (a) Submission of security program. Each owner/operator required under parts 1580, 1582, or 1584 of this subchapter to adopt and carry out a security program must submit it to TSA for approval in a form and manner prescribed by TSA. (b) Security training deadlines. Except as otherwise directed by TSA, each owner/operator required under subpart B to parts 1580, 1582, or 1584 of this subchapter to develop a security training program must-- (1) Submit its program to TSA for approval no later than 90 calendar days after [insert effective date of final rule in the Federal Register]. (2) If commencing or modifying operations so as to be subject to the requirements of subpart B to 49 CFR parts 1580, 1582, or 1584 after [Insert effective date of final rule in the Federal Register], submit a training program to TSA no later than 90 calendar days before commencing new or modified operations. (c) TSA approval. (1) No later than 60 calendar days after receiving the proposed security program required by subpart B to 49 CFR parts 1580, 1582, and 1584, TSA will either approve the program or provide the owner/operator with written notice to modify the program to comply with the applicable requirements of this subchapter. TSA will notify the owner/operator if it needs an extension of time to approve the program or provide the owner/operator with written notice to modify the program to comply with the applicable requirements of this subchapter. (2) Notice to modify. If TSA provides the owner/operator with written notice to modify the security program to comply with the applicable requirements of this subchapter, the owner/operator must provide a modified security program to TSA for approval within the timeframe specified by TSA. (3) TSA may request additional information, and the owner/operator must provide the information within the time period TSA prescribes. The 60-day period for TSA approval or modification will begin when the owner/operator provides the additional information. (g) Petition for reconsideration. Within 30 days of receiving the notice to modify, the owner/operator may file a petition for reconsideration under Sec. 1570.119 of this part. Sec. 1570.111 Implementation schedules. (a) Initial security training. (1) Once TSA approves an owner/ operator's security training program, the owner/operator must provide initial security training to a security-sensitive employee-- (2) No later than one year after the date of approval if the employee is employed to perform a security-sensitive function on the date TSA approves the program. (3) No later than 60 calendar days after the employee first performs a security-sensitive job function if performance of a security-sensitive job function is initiated after TSA approves the program. (4) No later than the 60th calendar day of employment performing a security-sensitive function, aggregated over a consecutive 12-month period, if the security-sensitive job function is performed intermittently. (b) Recurrent security training. Each owner/operator must provide annual recurrent security training to each employee performing a security-sensitive job function not later than the anniversary calendar month of the employee's initial security training. If the owner/ operator provides the recurrent security training in the month of, the month before, or the month after it is due, the employee is considered to have taken the training in the month it is due. Recurrent training must use the most recent iteration of any training materials submitted to, and approved by, TSA. (c) Extensions of time. TSA may grant an extension of time for implementing a security program identified in subpart B to parts 1580, 1582, and 1584 of this subchapter upon a showing of good cause. The owner/operator must request the extension of time in writing and TSA must receive the request within a reasonable time before the due date to be extended; an owner/operator may request an extension after the expiration of a due date by sending a written request describing why the failure to meet the due date was excusable. TSA will respond to the request in writing. Sec. 1570.113 Amendments requested by owner/operator. (a) Requirement to request amendment. Each owner/operator required under parts 1580, 1582, or 1584 of this subchapter to adopt and carry out a security program must submit a request to amend its security program if, after approval, changes expected to have a duration of 60 calendar days or more have occurred to the-- (1) Ownership or control of the operations; and/or (2) Measures, training, or staffing described in the security program. (b) Schedule for requesting amendment. The owner/operator must file the request for an amendment with TSA no later than 45 calendar days before the proposed amendment takes effect, unless TSA allows a shorter time period. (c) TSA approval. (1) Within 30 calendar days after receiving a proposed amendment, TSA will, in writing, either approve or deny the request to amend. TSA will notify the owner/operator if it needs an extension of time to consider the proposed amendment. (2) TSA may approve an amendment to a security program if TSA determines that it is in the interest of the public and transportation security and the proposed amendment provides the level of security required under this subchapter. TSA may request additional information from the owner/operator before rendering a decision. (d) No later than 30 calendar days after receiving a denial, the owner/operator may file a petition for reconsideration under Sec. 1570.119 of this part. Sec. 1570.115 Amendments required by TSA. (a) Notification of requirement to amend. TSA may require amendments to a security program in the interest of the public and transportation security, including any new information about emerging threats, or methods for addressing emerging threats, as follows: (1) TSA will notify the owner/operator of the proposed amendment, fixing a period of not less than 30 calendar days within which the owner/operator may submit written information, views, and arguments on the amendment. (2) After TSA considers all relevant material received, TSA will notify the owner/operator of any amendment adopted or rescind the notice. (b) Effective date of amendment. If TSA adopts the amendment, it becomes effective not less than 30 calendar days after the owner/ operator receives the notice of amendment, unless the owner/ [[Page 91388]] operator disagrees with the proposed amendment and files a petition for reconsideration under Sec. 1570.119 of this part no later than 15 calendar days before the effective date of the amendment. A timely petition for reconsideration stays the effective date of the amendment. (c) Emergency amendments. If TSA determines that there is an emergency requiring immediate action in the interest of the public or transportation security, TSA may issue an amendment, without the prior notice and comment procedures in paragraph (a) of this section, effective without stay on the date the covered owner/operator receives notice of it. In such a case, TSA will incorporate in the notice a brief statement of the reasons and findings for the amendment to be adopted. The owner/operator may file a petition for reconsideration under Sec. 1570.119 of this part; however, this does not stay the effective date of the emergency amendment. Sec. 1570.117 Alternative measures. (a) If in TSA's judgment, the overall security of transportation provided by an owner/operator subject to the requirements of 49 CFR parts 1580, 1582, or 1584 are not diminished, TSA may approve alternative measures. (b) Each owner/operator requesting alternative measures must file the request for approval in a form and manner prescribed by TSA. The filing of such a request does not affect the owner/operator's responsibility for compliance while the request is being considered. (c) TSA may request additional information, and the owner/operator must provide the information within the time period TSA prescribes. Within 30 calendar days after receiving a request for alternative measures and all requested information, TSA will, in writing, either approve or deny the request. (d) If TSA finds that the use of the alternative measures is in the interest of the public and transportation security, it may grant the request subject to any conditions TSA deems necessary. In considering the request for alternative measures, TSA will review all relevant factors including-- (1) The risks associated with the type of operation, for example, whether the owner/operator transports hazardous materials or passengers within a high threat urban area, whether the owner/operator transports passengers and the volume of passengers transported, or whether the owner/operator hosts a passenger operation. (2) Any relevant threat information. (3) Other circumstances concerning potential risk to the public and transportation security. (e) No later than 30 calendar days after receiving a denial, the owner/operator may petition for reconsideration under Sec. 1570.119 of this part. Sec. 1570.119 Petitions for reconsideration. (1) If an owner/operator seeks to petition for reconsideration of a determination, required modification, denial of a request for amendment by the owner/operator, denial to rescind a TSA-required amendment, or denial of an alternative measure, the owner/operator must submit a written petition for reconsideration that includes a statement and any supporting documentation explaining why the owner/operator believes TSA's decision is incorrect. (2) Upon review of the petition for reconsideration, the Administrator or designee will dispose of the petition by affirming, modifying, or rescinding its previous decision. This is considered a final agency action. Sec. 1570.121 Recordkeeping and availability. (a) Retention. Each owner/operator required to have a security program under subpart B to parts 1580, 1582, and 1584 of this subchapter must-- (1) Retain security training records for each individual trained for no less than five years from the date of training that, at a minimum-- (i) Includes employee's full name, job title or function, date of hire, and date of initial and recurrent security training; and (ii) Identifies the date, course name, course length, and list of topics addressed for the security training most recently provided in each of the areas required under Sec. Sec. 1580.115, 1582.115, and 1584.115 of this subchapter. (2) Retain records of initial and recurrent security training for no less than five years from the date of training. (3) Provide records to current and former employees upon request and at no charge as necessary to provide proof of training. (b) Electronic records. Each owner/operator required to retain records under this section may keep them in electronic form. An owner/ operator may maintain and transfer records through electronic transmission, storage, and retrieval provided that the electronic system provides for the maintenance of records as originally submitted without corruption, loss of data, or tampering. (c) Protection of SSI. Each owner/operator must restrict the distribution, disclosure, and availability of security sensitive information, as identified in part 1520 of this chapter, to persons with a need to know. The owner/operator must refer requests for such information by other persons to TSA. (d) Availability. Each owner/operator must make the records available to TSA upon request for inspection and copying. Subpart C--Operations Sec. 1570.201 Security Coordinator. (a) Except as provided in paragraph (b) of this section, each owner/operator identified in Sec. Sec. 1580.1, 1582.1, and 1584.101 of this subchapter must designate and use a primary and at least one alternate Security Coordinator. (b) An owner/operator described in Sec. 1580.101(a)(5) or Sec. 1582.101(a)(4) of this subchapter must designate and use a primary and at least one alternate Security Coordinator, only if notified by TSA in writing that a threat exists concerning that type of operation. (c) The Security Coordinator and alternate(s) must be appointed at the corporate level. (d) Each owner/operator required to have a Security Coordinator must provide in writing to TSA the names, U.S. citizenship status, titles, phone number(s), and email address(es) of the Security Coordinator and alternate Security Coordinator(s) within 7 calendar days of the effective date of this rule, commencement of operations, or change in any of the information required by this section. (e) Each owner/operator required to have a Security Coordinator must ensure that at least one Security Coordinator-- (1) Serves as the primary contact for intelligence information and security-related activities and communications with TSA. Any individual designated as a Security Coordinator may perform other duties in addition to those described in this section. (2) Is accessible to TSA on a 24-hours a day, 7 days a week basis. (3) Coordinates security practices and procedures internally and with appropriate law enforcement and emergency response agencies. Sec. 1570.203 Reporting significant security concerns. (a) Each owner/operator identified in Sec. Sec. 1580.1, 1582.1, and 1584.101 of this subchapter must report, within 24 hours of initial discovery, any potential threats and significant security concerns involving transportation-related operations in the United States or transportation to, from, or within the United States as soon as possible by the methods prescribed by TSA. [[Page 91389]] (b) Potential threats or significant security concerns encompass incidents, suspicious activities, and threat information including, but not limited to, the categories of reportable events listed in Appendix A to this part. (c) Information reported must include the following, as available and applicable: (1) The name of the reporting individual and contact information, including a telephone number or email address. (2) The affected freight or passenger train, transit vehicle, motor vehicle, station, terminal, rail hazardous materials facility, or other facility or infrastructure, including identifying information and current location. (3) Scheduled origination and termination locations for the affected freight or passenger train, transit vehicle, or motor vehicle--including departure and destination city and route. (4) Description of the threat, incident, or activity, including who has been notified and what action has been taken. (5) The names, other available biographical data, and/or descriptions (including vehicle or license plate information) of individuals or motor vehicles known or suspected to be involved in the threat, incident, or activity. (6) The source of any threat information. Subpart D--Security Threat Assessments Sec. 1570.301 Fraudulent use or manufacture; responsibilities of persons. (a) No person may use or attempt to use a credential, security threat assessment, access control medium, or identification medium issued or conducted under this subchapter that was issued or conducted for another person. (b) No person may make, produce, use or attempt to use a false or fraudulently created access control medium, identification medium or security threat assessment issued or conducted under this subchapter. (c) No person may tamper or interfere with, compromise, modify, attempt to circumvent, or circumvent TWIC access control procedures. (d) No person may cause or attempt to cause another person to violate paragraphs (a)-(c) of this section. Sec. 1570.303 Inspection of credential. (a) Each person who has been issued or possesses a TWIC must present the TWIC for inspection upon a request from TSA, the Coast Guard, or other authorized DHS representative; an authorized representative of the National Transportation Safety Board; or a Federal, State, or local law enforcement officer. (b) Each person who has been issued or who possesses a TWIC must allow his or her TWIC to be read by a reader and must submit his or her reference biometric, such as a fingerprint, and any other required information, such as a PIN, to the reader, upon a request from TSA, the Coast Guard, other authorized DHS representative; or a Federal, State, or local law enforcement officer. Sec. 1570.305 False statements regarding security background checks by public transportation agency or railroad carrier. (a) Scope. This section implements sections 1414(e) (6 U.S.C. 1143) and 1522(e) (6 U.S.C. 1170) of the ``Implementing Recommendations of the 9/11 Commission Act of 2007,'' Public Law 110-53 (121 Stat. 266, Aug. 3, 2007). (b) Definitions. In addition to the terms in Sec. Sec. 1500.3, 1500.5, and 1503.202 of subchapter A and Sec. 1570.3 of subchapter D of this chapter, the following terms apply to this part: Covered individual means an employee of a public transportation agency or a contractor or subcontractor of a public transportation agency or an employee of a railroad carrier or a contractor or subcontractor of a railroad carrier. Security background check means reviewing the following for the purpose of identifying individuals who may pose a threat to transportation security, national security, or of terrorism: (1) Relevant criminal history databases. (2) In the case of an alien (as defined in sec. 101 of the Immigration and Nationality Act (8 U.S.C. 1101(a)(3)), the relevant databases to determine the status of the alien under the immigration laws of the United States. (3) Other relevant information or databases, as determined by the Secretary of Homeland Security. (c) Prohibitions. (1) A public transportation agency or a contractor or subcontractor of a public transportation agency may not knowingly misrepresent to an employee or other relevant person, including an arbiter involved in a labor arbitration, the scope, application, or meaning of any rules, regulations, directives, or guidance issued by the Secretary of Homeland Security related to security background check requirements for covered individuals when conducting a security background check. (2) A railroad carrier or a contractor or subcontractor of a railroad carrier may not knowingly misrepresent to an employee or other relevant person, including an arbiter involved in a labor arbitration, the scope, application, or meaning of any rules, regulations, directives, or guidance issued by the Secretary of Homeland Security related to security background check requirements for covered individuals when conducting a security background check. Appendix A to Part 1570--Reporting of Significant Security Concerns ------------------------------------------------------------------------ Category Description ------------------------------------------------------------------------ Breach, Attempted Intrusion, Unauthorized personnel attempting to or and/or Interference. actually entering a restricted area or secure site relating to a transportation facility or conveyance owned, operated, or used by an owner/operator subject to this part. This includes individuals entering or attempting to enter by impersonation of authorized personnel (for example, police/security, janitor, vehicle owner/operator). Activity that could interfere with the ability of employees to perform duties to the extent that security is threatened. Misrepresentation............ Presenting false, or misusing, insignia, documents, and/or identification, to misrepresent one's affiliation with an owner/operator subject to this part to cover possible illicit activity that may pose a risk to transportation security. Theft, Loss, and/or Diversion Stealing or diverting identification media or badges, uniforms, vehicles, keys, tools capable of compromising track integrity, portable derails, technology, or classified or sensitive security information documents which are proprietary to the facility or conveyance owned, operated, or used by an owner/operator subject to this part. [[Page 91390]] Sabotage, Tampering, and/or Damaging, manipulating, or defeating Vandalism. safety and security appliances in connection with a facility, infrastructure, conveyance, or routing mechanism, resulting in the compromised use or the temporary or permanent loss of use of the facility, infrastructure, conveyance or routing mechanism. Placing or attaching a foreign object to a rail car(s). Cyber Attack................. Compromising, or attempting to compromise or disrupt the information/technology infrastructure of an owner/operator subject to this part. Expressed or Implied Threat.. Communicating a spoken or written threat to damage or compromise a facility/ infrastructure/conveyance owned, operated, or used by an owner/operator subject to this part (for example, a bomb threat or active shooter). Eliciting Information........ Questioning that may pose a risk to transportation or national security, such as asking one or more employees of an owner/operator subject to this part about particular facets of a facility's conveyance's purpose, operations, or security procedures. Testing or Probing of Deliberate interactions with employees of Security. an owner/operator subject to this part or challenges to facilities or systems owned, operated, or used by an owner/ operator subject to this part that reveal physical, personnel, or cyber security capabilities. Photography.................. Taking photographs or video of facilities, conveyances, or infrastructure owned, operated, or used by an owner/operator subject to this part in a manner that may pose a risk to transportation or national security. Examples include taking photographs or video of infrequently used access points, personnel performing security functions (for example, patrols, badge/ vehicle checking), or security-related equipment (for example, perimeter fencing, security cameras). Observation or Surveillance.. Demonstrating unusual interest in facilities or loitering near conveyances, railcar routing appliances or any potentially critical infrastructure owned or operated by an owner/operator subject to this part in a manner that may pose a risk to transportation or national security. Examples include observation through binoculars, taking notes, or attempting to measure distances. Materials Acquisition and/or Acquisition and/or storage by an employee Storage. of an owner/operator subject to this part of materials such as cell phones, pagers, fuel, chemicals, toxic materials, and/or timers that may pose a risk to transportation or national security (for example, storage of chemicals not needed by an employee for the performance of his or her job duties). Weapons Discovery, Discharge, Weapons or explosives in or around a or Seizure. facility, conveyance, or infrastructure of an owner/operator subject to this part that may present a risk to transportation or national security (for example, discovery of weapons inconsistent with the type or quantity traditionally used by company security personnel). Suspicious Items or Activity. Discovery or observation of suspicious items, activity or behavior in or around a facility, conveyance, or infrastructure of an owner/operator subject to this part that results in the disruption or termination of operations (for example, halting the operation of a conveyance while law enforcement personnel investigate a suspicious bag, briefcase, or package). ------------------------------------------------------------------------ 0 11. Revise part 1580 to read as follows: PART 1580--FREIGHT RAIL TRANSPORTATION SECURITY Subpart A--General Sec. 1580.1 Scope. 1580.3 Terms used in this part. 1580.5 Preemptive effect. Subpart B--Security Programs Sec. 1580.101 Applicability. 1580.103 [Reserved] 1580.105 [Reserved] 1580.107 [Reserved] 1580.109 [Reserved] 1580.111 [Reserved] 1580.113 Security training program general requirements. 1580.115 Security training and knowledge for security-sensitive employees. Subpart C--Operations Sec. 1580.201 Applicability. 1580.203 Location and shipping information. 1580.205 Chain of custody and control requirements. 1580.207 Harmonization of federal regulation of nuclear facilities. Subpart D [Reserved] Appendix A to Part 1580--High Threat Urban Areas (HTUAs) Appendix B to Part 1580--Security-Sensitive Job Functions For Freight Rail Authority: 6 U.S.C. 1162 and 1167; 49 U.S.C. 114. Subpart A--General Sec. 1580.1 Scope. (a) Except as provided in paragraph (b) of this section, this part includes requirements for the following persons. Specific sections in this part provide detailed requirements. (1) Each freight railroad carrier that operates rolling equipment on track that is part of the general railroad system of transportation. (2) Each rail hazardous materials shipper. (3) Each rail hazardous materials receiver located within an HTUA. (4) Each freight railroad carrier serving as a host railroad to a freight railroad operation described in paragraph (a)(1) of this section or a passenger operation described in Sec. 1582.1 of this subchapter. (5) Each owner/operator of private rail cars, including business/ office cars and circus trains, on or connected to the general railroad system of transportation. (b) This part does not apply to a freight railroad carrier that operates rolling equipment only on track inside an installation that is not part of the general railroad system of transportation. Sec. 1580.3 Terms used in this part. In addition to the terms in Sec. Sec. 1500.3, 1500.5, and 1503.202 of subchapter A and Sec. 1570.3 of subchapter D of this chapter, the following terms apply to this part: Class I means Class I as assigned by regulations of the Surface Transportation Board (STB) (49 CFR part 1201; General Instructions 1- 1). [[Page 91391]] A rail car is attended if an employee-- (1) Is physically located on-site in reasonable proximity to the rail car; (2) Is capable of promptly responding to unauthorized access or activity at or near the rail car, including immediately contacting law enforcement or other authorities; and (3) Immediately responds to any unauthorized access or activity at or near the rail car either personally or by contacting law enforcement or other authorities. Document the transfer means documentation uniquely identifying that the rail car was attended during the transfer of custody, including: (1) Car initial and number. (2) Identification of individuals who attended the transfer (names or uniquely identifying employee number). (3) Location of transfer. (4) Date and time the transfer was completed. High threat urban area (HTUA) means, for purposes of this part, an area comprising one or more cities and surrounding areas including a 10-mile buffer zone, as listed in Appendix A to this part 1580. Maintains positive control means that the rail hazardous materials receiver and the railroad carrier communicate and cooperate with each other to provide for the security of the rail car during the physical transfer of custody. Attending the rail car is a component of maintaining positive control. Rail security-sensitive materials (RSSM) means-- (1) A rail car containing more than 2,268 kg (5,000 lbs.) of a Division 1.1, 1.2, or 1.3 (explosive) material, as defined in 49 CFR 173.50; (2) A tank car containing a material poisonous by inhalation as defined in 49 CFR 171.8, including anhydrous ammonia, Division 2.3 gases poisonous by inhalation as set forth in 49 CFR 173.115(c), and Division 6.1 liquids meeting the defining criteria in 49 CFR 173.132(a)(1)(iii) and assigned to hazard zone A or hazard zone B in accordance with 49 CFR 173.133(a), excluding residue quantities of these materials; and (3) A rail car containing a highway route-controlled quantity of a Class 7 (radioactive) material, as defined in 49 CFR 173.403. Residue means the hazardous material remaining in a packaging, including a tank car, after its contents have been unloaded to the maximum extent practicable and before the packaging is either refilled or cleaned of hazardous material and purged to remove any hazardous vapors. Security-sensitive employee means an employee who performs-- (1) Service subject to the Federal hours of service laws (49 U.S.C. chapter 211), regardless of whether the employee actually performs such service during a particular duty tour; or (2) One or more of the security-sensitive job functions identified in Appendix B to this part where the security-sensitive function is performed in the United States or in direct support of the common carriage of persons or property between a place in the United States and any place outside of the United States. Sec. 1580.5 Preemptive effect. Under 49 U.S.C. 20106, issuance of the regulations in this subchapter preempts any State law, regulation, or order covering the same subject matter, except an additional or more stringent law, regulation, or order that is necessary to eliminate or reduce an essentially local security hazard; that is not incompatible with a law, regulation, or order of the U.S. Government; and that does not unreasonably burden interstate commerce. For example, under 49 U.S.C. 20106, issuance of 49 CFR 1580.205 preempts any State or tribal law, rule, regulation, order or common law requirement covering the same subject matter. Subpart B--Security Programs Sec. 1580.101 Applicability. This subpart applies to each of the following owner/operators: (a) Described in Sec. 1580.1(a)(1) of this part that is a Class I freight railroad. (b) Described in Sec. 1580.1(a)(1) of this part that transports one or more of the categories and quantities of RSSM in an HTUA. (c) Described in Sec. 1580.1(a)(4) of this part that serves as a host railroad to a freight railroad described in paragraph (a) of (b) of this section or a passenger operation described in Sec. 1582.101 of this subchapter. Sec. 1580.103 [Reserved] Sec. 1580.105 [Reserved] Sec. 1580.107 [Reserved] Sec. 1580.109 [Reserved] Sec. 1580.111 [Reserved] Sec. 1580.113 Security training program general requirements. (a) Security training program required. Each owner/operator identified in Sec. 1580.101 of this part is required to adopt and carry out a security training program under this subpart. (b) General requirements. The security training program must include the following information: (1) Name of owner/operator. (2) Name, title, telephone number, and email address of the primary individual to be contacted with regard to review of the security training program. (3) Number, by specific job function category identified in Appendix B to this part, of security-sensitive employees trained or to be trained. (4) Implementation schedule that identifies a specific date by which initial and recurrent security training required by Sec. 1570.111 of this part will be completed. (5) Location where training program records will be maintained. (6) Curriculum or lesson plan, learning objectives, and method of delivery (such as instructor-led or computer-based training) for each course used to meet the requirements of Sec. 1580.115 of this part. TSA may request additional information regarding the curriculum during the review and approval process. (7) Plan for ensuring supervision of untrained security-sensitive employees performing functions identified in Appendix B to this part. (8) Plan for notifying employees of changes to security measures that could change information provided in previously provided training. (9) Method(s) for evaluating the effectiveness of the security training program in each area required by Sec. 1580.115 of this part. (c) Relation to other training. (1) Training conducted by owner/ operators to comply other requirements or standards, such as emergency preparedness training required by the Department of Transportation (DOT) (49 CFR part 239) or other training for communicating with emergency responders to arrange the evacuation of passengers, may be combined with and used to satisfy elements of the training requirements in this subpart. (2) If the owner/operator submits a security training program that relies on pre-existing or previous training materials to meet the requirements of subpart B, the program submitted for approval must include an index, organized in the same sequence as the requirements in this subpart. (d) Submission and Implementation. The owner/operator must submit and implement the security training program in accordance with the schedules identified in Sec. Sec. 1570.109 and 1570.111 of this subchapter. [[Page 91392]] Sec. 1580.115 Security training and knowledge for security-sensitive employees. (a) Training required for security-sensitive employees. No owner/ operator required to have a security training program under Sec. 1580.101 of this part may use a security-sensitive employee to perform a function identified in Appendix B to this part, unless that individual has received training as part of a security training program approved by TSA under 49 CFR part 1570, subpart B, or is under the direct supervision of a security-sensitive employee who has received the training required by this section. (b) Limits on use of untrained employees. Notwithstanding paragraph (a) of this section, a security-sensitive employee may not perform a security-sensitive function for more than sixty (60) calendar days without receiving security training. (c) Prepare. (1) Each owner/operator must ensure that each of its security-sensitive employees with position- or function-specific responsibilities under the owner/operator's security program has knowledge of how to fulfill those responsibilities in the event of a security threat, breach, or incident to ensure-- (i) Employees with responsibility for transportation security equipment and systems are aware of their responsibilities and can verify the equipment and systems are operating and properly maintained; and (ii) Employees with other duties and responsibilities under the company's security plans and/or programs, including those required by Federal law, know their assignments and the steps or resources needed to fulfill them. (2) Each employee who performs any security-related functions under Sec. 1580.205 of this subpart must be provided training specifically applicable to the functions the employee performs. As applicable, this training must address-- (i) Inspecting rail cars for signs of tampering or compromise, IEDs, suspicious items, and items that do not belong; (ii) Identification of rail cars that contain rail security- sensitive materials, including the owner/operator's procedures for identifying rail security-sensitive material cars on train documents, shipping papers, and in computer train/car management systems; and (iii) Procedures for completing transfer of custody documentation. (d) Observe. Each owner/operator must ensure that each of its security-sensitive employees has knowledge of the observational skills necessary to recognize-- (1) Suspicious and/or dangerous items (such as substances, packages, or conditions (for example, characteristics of an IED and signs of equipment tampering or sabotage); (2) Combinations of actions and individual behaviors that appear suspicious and/or dangerous, inappropriate, inconsistent, or out of the ordinary for the employee's work environment which could indicate a threat to transportation security; and (3) How a terrorist or someone with malicious intent may attempt to gain sensitive information or take advantage of vulnerabilities. (e) Assess. Each owner/operator must ensure that each of its security-sensitive employees has knowledge necessary to-- (1) Determine whether the item, individual, behavior, or situation requires a response as a potential terrorist threat based on the respective transportation environment; and (2) Identify appropriate responses based on observations and context. (f) Respond. Each owner/operator must ensure that each of its security-sensitive employees has knowledge of how to-- (1) Appropriately report a security threat, including knowing how and when to report internally to other employees, supervisors, or management, and externally to local, state, or federal agencies according to the owner/operator's security procedures or other relevant plans; (2) Interact with the public and first responders at the scene of the threat or incident, including communication with passengers on evacuation and any specific procedures for individuals with disabilities and the elderly; and (3) Use any applicable self-defense devices or other protective equipment provided to employees by the owner/operator. Subpart C--Operations Sec. 1580.201 Applicability. This subpart applies to the following: (1) Each owner/operator described in paragraph (a)(1) of Sec. 1580.1 of this part that transports one or more of the categories and quantities of rail security-sensitive materials. (2) Each owner/operator described in paragraphs (a)(2) and (3) of Sec. 1580.1 of this part. Sec. 1580.203 Location and shipping information. (a) General Requirement. Each owner/operator described in Sec. 1580.201 of this part must have procedures in place to determine the location and shipping information for each rail car under its physical custody and control that contains one or more of the categories and quantities of rail security-sensitive materials. (b) Required Information. The location and shipping information must include the following: (1) The rail car's current location by city, county, and state, including, for freight railroad carriers, the railroad milepost, track designation, and the time that the rail car's location was determined. (2) The rail car's routing, if a freight railroad carrier. (3) A list of the total number of rail cars containing rail security-sensitive materials, broken down by-- (i) The shipping name prescribed for the material in column 2 of the table in 49 CFR 172.101; (ii) The hazard class or division number prescribed for the material in column 3 of the table in 49 CFR 172.101; and (iii) The identification number prescribed for the material in column 4 of the table in 49 CFR 172.101. (4) Each rail car's initial and number. (5) Whether the rail car is in a train, rail yard, siding, rail spur, or rail hazardous materials shipper or receiver facility, including the name of the rail yard or siding designation. (c) Timing-Class I Freight Railroad Carriers. Upon request by TSA, each Class I freight railroad carrier described in paragraph (a) of this section must provide the location and shipping information to TSA no later than-- (1) Five minutes if the request applies to a single (one) rail car; and (2) Thirty minutes if the request concerns multiple rail cars or a geographic region. (d) Timing-Other than Class I Freight Railroad Carriers. Upon request by TSA, all owner/operators described in paragraph (a) of this section, other than Class I freight railroad carriers, must provide the location and shipping information to TSA no later than 30 minutes, regardless of the number of cars covered by the request. (e) Method. All owner/operators described in paragraph (a) of this section must provide the requested location and shipping information to TSA by one of the following methods: (1) Electronic data transmission in spreadsheet format. (2) Electronic data transmission in Hyper Text Markup Language (HTML) format. (3) Electronic data transmission in Extensible Markup Language (XML). [[Page 91393]] (4) Facsimile transmission of a hard copy spreadsheet in tabular format. (5) Posting the information to a secure Web site address approved by TSA. (6) Another format approved by TSA. (f) Telephone Number. Each owner/operator described in Sec. 1580.201 of this part must provide a telephone number for use by TSA to request the information required in paragraph (b) of this section. (1) The telephone number must be monitored at all times. (2) A telephone number that requires a call back (such as an answering service, answering machine, or beeper device) does not meet the requirements of this paragraph. Sec. 1580.205 Chain of custody and control requirements. (a) Within or outside of an HTUA, rail hazardous materials shipper transferring to carrier. Except as provided in paragraph (g) of this section, at each location within or outside of an HTUA, a rail hazardous materials shipper transferring custody of a rail car containing one or more of the categories and quantities of rail security-sensitive materials to a freight railroad carrier must do the following: (1) Physically inspect the rail car before loading for signs of tampering, including closures and seals; other signs that the security of the car may have been compromised; and suspicious items or items that do not belong, including the presence of an improvised explosive device. (2) Keep the rail car in a rail secure area from the time the security inspection required by paragraph (a)(1) of this section or by 49 CFR 173.31(d), whichever occurs first, until the freight railroad carrier takes physical custody of the rail car. (3) Document the transfer of custody to the railroad carrier in hard copy or electronically. (b) Within or outside of an HTUA, carrier receiving from a rail hazardous materials shipper. At each location within or outside of an HTUA where a freight railroad carrier receives from a rail hazardous materials shipper custody of a rail car containing one or more of the categories and quantities of rail security-sensitive materials, the freight railroad carrier must document the transfer in hard copy or electronically and perform the required security inspection in accordance with 49 CFR 174.9. (c) Within an HTUA, carrier transferring to carrier. Within an HTUA, whenever a freight railroad carrier transfers a rail car containing one or more of the categories and quantities of rail security-sensitive materials to another freight railroad carrier, each freight railroad carrier must adopt and carry out procedures to ensure that the rail car is not left unattended at any time during the physical transfer of custody. These procedures must include the receiving freight railroad carrier performing the required security inspection in accordance with 49 CFR 174.9. Both the transferring and the receiving railroad carrier must document the transfer of custody in hard copy or electronically. (d) Outside of an HTUA, carrier transferring to carrier. Outside an HTUA, whenever a freight railroad carrier transfers a rail car containing one or more of the categories and quantities of rail security-sensitive materials to another freight railroad carrier, and the rail car containing this hazardous material may subsequently enter an HTUA, each freight railroad carrier must adopt and carry out procedures to ensure that the rail car is not left unattended at any time during the physical transfer of custody. These procedures must include the receiving railroad carrier performing the required security inspection in accordance with 49 CFR 174.9. Both the transferring and the receiving railroad carrier must document the transfer of custody in hard copy or electronically. (e) Within an HTUA, carrier transferring to rail hazardous materials receiver. A freight railroad carrier delivering a rail car containing one or more of the categories and quantities of rail security-sensitive materials to a rail hazardous materials receiver located within an HTUA must not leave the rail car unattended in a non- secure area until the rail hazardous materials receiver accepts custody of the rail car. Both the railroad carrier and the rail hazardous materials receiver must document the transfer of custody in hard copy or electronically. (f) Within an HTUA, rail hazardous materials receiver receiving from carrier. Except as provided in paragraph (j) of this section, a rail hazardous materials receiver located within an HTUA that receives a rail car containing one or more of the categories and quantities of rail security-sensitive materials from a freight railroad carrier must-- (1) Ensure that the rail hazardous materials receiver or railroad carrier maintains positive control of the rail car during the physical transfer of custody of the rail car; (2) Keep the rail car in a rail secure area until the car is unloaded; and (3) Document the transfer of custody from the railroad carrier in hard copy or electronically. (g) Within or outside of an HTUA, rail hazardous materials receiver rejecting car. This section does not apply to a rail hazardous materials receiver that does not routinely offer, prepare, or load for transportation by rail one or more of the categories and quantities of rail security-sensitive materials. If such a receiver rejects and returns a rail car containing one or more of the categories and quantities of rail security-sensitive materials to the originating offeror or shipper, the requirements of this section do not apply to the receiver. The requirements of this section do apply to any railroad carrier to which the receiver transfers custody of the rail car. (h) Document retention. Covered entities must maintain the documents required under this section for at least 60 calendar days and make them available to TSA upon request. (i) Rail secure area. The rail hazardous materials shipper and the rail hazardous materials receiver must use physical security measures to ensure that no unauthorized individual gains access to the rail secure area. (j) Exemption for rail hazardous materials receivers. A rail hazardous materials receiver located within an HTUA may request from TSA an exemption from some or all of the requirements of this section if the receiver demonstrates that the potential risk from its activities is insufficient to warrant compliance with this section. TSA will consider all relevant circumstances, including the following: (1) The amounts and types of all hazardous materials received. (2) The geography of the area surrounding the receiver's facility. (3) Proximity to entities that may be attractive targets, including other businesses, housing, schools, and hospitals. (4) Any information regarding threats to the facility. (5) Other circumstances that indicate the potential risk of the receiver's facility does not warrant compliance with this section. Sec. 1580.207 Harmonization of federal regulation of nuclear facilities. TSA will coordinate activities under this subpart with the Nuclear Regulatory Commission (NRC) and the Department of Energy (DOE) with respect to regulation of rail hazardous materials shippers and receivers that are also licensed or regulated by the NRC or DOE under the Atomic Energy Act of 1954, as amended, to maintain consistency with the requirements imposed by the NRC and DOE. Appendix A to Part 1580--High Threat Urban Areas (HTUAs) [[Page 91394]] ---------------------------------------------------------------------------------------------------------------- State Urban area Geographic areas ---------------------------------------------------------------------------------------------------------------- AZ................................... Phoenix Area........... Chandler, Gilbert, Glendale, Mesa, Peoria, Phoenix, Scottsdale, Tempe, and a 10-mile buffer extending from the border of the combined area. CA................................... Anaheim/Santa Ana Area. Anaheim, Costa Mesa, Garden Grove, Fullerton, Huntington Beach, Irvine, Orange, Santa Ana, and a 10-mile buffer extending from the border of the combined area. Bay Area............... Berkeley, Daly City, Fremont, Hayward, Oakland, Palo Alto, Richmond, San Francisco, San Jose, Santa Clara, Sunnyvale, Vallejo, and a 10-mile buffer extending from the border of the combined area. Los Angeles/Long Beach Burbank, Glendale, Inglewood, Long Beach, Los Area. Angeles, Pasadena, Santa Monica, Santa Clarita, Torrance, Simi Valley, Thousand Oaks, and a 10- mile buffer extending from the border of the combined area. Sacramento Area........ Elk Grove, Sacramento, and a 10-mile buffer extending from the border of the combined area. San Diego Area......... Chula Vista, Escondido, and San Diego, and a 10- mile buffer extending from the border of the combined area. CO................................... Denver Area............ Arvada, Aurora, Denver, Lakewood, Westminster, Thornton, and a 10-mile buffer extending from the border of the combined area. DC................................... National Capital Region National Capital Region and a 10-mile buffer extending from the border of the combined area. FL................................... Fort Lauderdale Area... Fort Lauderdale, Hollywood, Miami Gardens, Miramar, Pembroke Pines, and a 10-mile buffer extending from the border of the combined area. Jacksonville Area...... Jacksonville and a 10-mile buffer extending from the city border. Miami Area............. Hialeah, Miami, and a 10-mile buffer extending from the border of the combined area. Orlando Area........... Orlando and a 10-mile buffer extending from the city border. Tampa Area............. Clearwater, St. Petersburg, Tampa, and a 10-mile buffer extending from the border of the combined area. GA................................... Atlanta Area........... Atlanta and a 10-mile buffer extending from the city border. HI................................... Honolulu Area.......... Honolulu and a 10-mile buffer extending from the city border. IL................................... Chicago Area........... Chicago and a 10-mile buffer extending from the city border. IN................................... Indianapolis Area...... Indianapolis and a 10-mile buffer extending from the city border. KY................................... Louisville Area........ Louisville and a 10-mile buffer extending from the city border. LA................................... Baton Rouge Area....... Baton Rouge and a 10-mile buffer extending from the city border. New Orleans Area....... New Orleans and a 10-mile buffer extending from the city border. MA................................... Boston Area............ Boston, Cambridge, and a 10-mile buffer extending from the border of the combined area. MD................................... Baltimore Area......... Baltimore and a 10-mile buffer extending from the city border. MI................................... Detroit Area........... Detroit, Sterling Heights, Warren, and a 10-mile buffer extending from the border of the combined area. MN................................... Twin Cities Area....... Minneapolis, St. Paul, and a 10-mile buffer extending from the border of the combined entity. MO................................... Kansas City Area....... Independence, Kansas City (MO), Kansas City (KS), Olathe, Overland Park, and a 10-mile buffer extending from the border of the combined area. St. Louis Area......... St. Louis and a 10-mile buffer extending from the city border. NC................................... Charlotte.............. Charlotte and a 10-mile buffer extending from Area................... the city border. NE................................... Omaha Area............. Omaha and a 10-mile buffer extending from the city border. NJ................................... Jersey City/Newark Area Elizabeth, Jersey City, Newark, and a 10-mile buffer extending from the border of the combined area. NV................................... Las Vegas Area......... Las Vegas, North Las Vegas, and a 10-mile buffer extending from the border of the combined entity. NY................................... Buffalo Area........... Buffalo and a 10-mile buffer extending from the city border. New York City Area..... New York City, Yonkers, and a 10-mile buffer extending from the border of the combined area. OH................................... Cincinnati Area........ Cincinnati and a 10-mile buffer extending from the city border. Cleveland Area......... Cleveland and a 10-mile buffer extending from the city border. Columbus Area.......... Columbus and a 10-mile buffer extending from the city border. Toledo Area............ Oregon, Toledo, and a 10-mile buffer extending from the border of the combined area. OK................................... Oklahoma City Area..... Norman, Oklahoma and a 10-mile buffer extending from the border of the combined area. OR................................... Portland Area.......... Portland, Vancouver, and a 10-mile buffer extending from the border of the combined area. PA................................... Philadelphia Area...... Philadelphia and a 10-mile buffer extending from the city border. Pittsburgh Area........ Pittsburgh and a 10-mile buffer extending from the city border. TN................................... Memphis Area........... Memphis and a 10-mile buffer extending from the city border. TX................................... Dallas/Fort Worth/ Arlington, Carrollton, Dallas, Fort Worth, Arlington Area. Garland, Grand Prairie, Irving, Mesquite, Plano, and a 10-mile buffer extending from the border of the combined area. Houston Area........... Houston, Pasadena, and a 10-mile buffer extending from the border of the combined entity. San Antonio Area....... San Antonio and a 10-mile buffer extending from the city border. WA................................... Seattle Area........... Seattle, Bellevue, and a 10-mile buffer extending from the border of the combined area. WI................................... Milwaukee Area......... Milwaukee and a 10-mile buffer extending from the city border. ---------------------------------------------------------------------------------------------------------------- Appendix B to Part 1580--Security-Sensitive Functions for Freight Rail This table identifies security-sensitive job functions for owner/ operators regulated under this part. All employees performing security- sensitive functions are ``security-sensitive employees'' for purposes of this rule and must be trained. [[Page 91395]] ------------------------------------------------------------------------ Examples of job Security-sensitive job titles Categories functions for freight applicable to rail these functions* ------------------------------------------------------------------------ A. Operating a vehicle........ 1. Employees who operate or directly control the movements of locomotives or other self-powered rail vehicles. 2. Train conductor, trainman, brakeman, or utility employee or performs acceptance inspections, couples and uncouples rail cars, applies handbrakes, or similar functions. 3. Employees covered Engineer, under the Federal conductor. hours of service laws as ``train employees.'' See 49 U.S.C. 21101(5) and 21103. B. Inspecting and maintaining Employees who inspect Carman, car vehicles. or repair rail cars repairman, car and locomotives. inspector, engineer, conductor. C. Inspecting or maintaining 1. Employees who--.... Signalman, building or transportation a. Maintain, install, signal infrastructure. or inspect maintainer, communications and trackman, gang signal equipment. foreman, bridge and building laborer, roadmaster, bridge, and building inspector/ operator. b. Maintain, install, or inspect track and structures, including, but not limited to, bridges, trestles, and tunnels. 2. Employees covered under the Federal hours of service laws as ``signal employees.'' See 49 U.S.C. 21101(3) and 21104. D. Controlling dispatch or 1. Employees who--.... Yardmaster, movement of a vehicle. a. Dispatch, direct, dispatcher, or control the block operator, movement of trains.. bridge operator. b. Operate or supervise the operations of moveable bridges.. c. Supervise the activities of train crews, car movements, and switching operations in a yard or terminal.. 2. Employees covered under the Federal hours of service laws as ``dispatching service employees.'' See 49 U.S.C. 21101(2) and 21105. E. Providing security of the Employees who provide Police officer, owner/operator's equipment for the security of special agent; and property. the railroad patrolman; carrier's equipment watchman; and property, guard. including acting as a railroad police officer (as that term is defined in 49 CFR 207.2).. F. Loading or unloading cargo Includes, but is not Service track or baggage. limited to, employees employee. that load or unload hazardous materials. G. Interacting with travelling Employees of a freight Conductor, public (on board a vehicle or railroad operating in engineer, within a transportation passenger service. agent. facility). H. Complying with security 1. Employees who serve Security programs or measures, as security coordinator, including those required by coordinators train master, federal law. designated in Sec. assistant train 1570.201 of this master, subchapter, as well roadmaster, as any designated division alternates or roadmaster. secondary security coordinators. 2. Employees who--.... a. Conduct training and testing of employees when the training or testing is required by TSA's security regulations.. b. Perform inspections or operations required by Sec. 1580.205 of this subchapter.. c. Manage or direct implementation of security plan requirements. ------------------------------------------------------------------------ * These job titles are provided solely as a resource to help understand the functions described; whether an employee must be trained is based upon the function, not the job title. 0 12. Add part 1582 to read as follows: PART 1582--PUBLIC TRANSPORTATION AND PASSENGER RAILROAD SECURITY Subpart A--General Sec. 1582.1 Scope. 1582.3 Terms used in this part. 1582.5 Preemptive effect. Subpart B--Security Programs 1582.101 Applicability. 1582.103 [Reserved] 1582.105 [Reserved] 1582.107 [Reserved] 1582.109 [Reserved] 1582.111 [Reserved] 1582.113 Security training program general requirements. 1582.115 Security training and knowledge for security-sensitive employees. Subpart C--[Reserved] Appendix A to Part 1582--Public Transportation Agencies Appendix B to Part 1582--Security-Sensitive Job Functions For Public Transportation and Passenger Railroads Authority: 6 U.S.C. 1134 and 1137; 49 U.S.C. 114. Subpart A--General Sec. 1582.1 Scope. (a) Except as provided in paragraph (b) of this section, this part includes requirements for the following persons. Specific sections in this part provide detailed requirements. (1) Each passenger railroad carrier. (2) Each public transportation agency. (3) Each operator of a rail transit system that is not operating on track that is part of the general railroad system of transportation, including heavy rail transit, light rail transit, automated guideway, cable car, inclined plane, funicular, and monorail systems. (4) Each tourist, scenic, historic, and excursion rail owner/ operator, whether operating on or off the general railroad system of transportation. (b) This part does not apply to a ferry system required to conduct training pursuant to 46 U.S.C. 70103. Sec. 1582.3 Terms used in this part. In addition to the terms in Sec. Sec. 1500.3, 1500.5, and 1503.202 of subchapter A and Sec. 1570.3 of subchapter D of this chapter, the following term applies to this part. Security-sensitive employee means an employee whose responsibilities for the owner/operator include one or more of the security-sensitive job functions identified in Appendix B to this part if [[Page 91396]] the security-sensitive function is performed in the United States or in direct support of the common carriage of persons or property between a place in the United States and any place outside of the United States. Sec. 1582.5 Preemptive effect. Under 49 U.S.C. 20106, issuance of the passenger railroad and public transportation regulations in this subchapter preempts any State law, regulation, or order covering the same subject matter, except an additional or more stringent law, regulation, or order that is necessary to eliminate or reduce an essentially local security hazard; that is not incompatible with a law, regulation, or order of the U.S. Government; and that does not unreasonably burden interstate commerce. Subpart B--Security Programs Sec. 1582.101 Applicability. The requirements of this subpart apply to the following: (1) Amtrak (also known as the National Railroad Passenger Corporation). (2) Each owner/operator identified in Appendix A to this part. (3) Each owner/operator described in Sec. 1582.1(a)(1) through (3) of this part that serves as a host railroad to a freight operation described in Sec. 1580.301 of this subchapter or to a passenger train operation described in paragraph (a)(1) or (a)(2) of this section. Sec. 1582.103 [Reserved] Sec. 1582.105 [Reserved] Sec. 1582.107 [Reserved] Sec. 1582.109 [Reserved] Sec. 1582.111 [Reserved] Sec. 1582.113 Security training program general requirements. (a) Security training program required. Each owner/operator identified in Sec. 1582.101 of this part is required to adopt and carry out a security training program under this subpart. (b) General requirements. The security training program must include the following information: (1) Name of owner/operator. (2) Name, title, telephone number, and email address of the primary individual to be contacted with regard to review of the security training program. (3) Number, by specific job function category identified in Appendix B to this part, of security-sensitive employees trained or to be trained. (4) Implementation schedule that identifies a specific date by which initial and recurrent security training required by Sec. 1570.111 of this subchapter will be completed. (5) Location where training program records will be maintained. (6) Curriculum or lesson plan, learning objectives, and method of delivery (such as instructor-led or computer-based training) for each course used to meet the requirements of Sec. 1582.115 of this part. TSA may request additional information regarding the curriculum during the review and approval process. (7) Plan for ensuring supervision of untrained security-sensitive employees performing functions identified in Appendix B to this part. (8) Plan for notifying employees of changes to security measures that could change information provided in previously provided training. (9) Method(s) for evaluating the effectiveness of the security training program in each area required by Sec. 1582.115 of this part. (c) Relation to other training. (1) Training conducted by owner/ operators to comply other requirements or standards, such as emergency preparedness training required by the Department of Transportation (DOT) (49 CFR part 239) or other training for communicating with emergency responders to arrange the evacuation of passengers, may be combined with and used to satisfy elements of the training requirements in this subpart. (2) If the owner/operator submits a security training program that relies on pre-existing or previous training materials to meet the requirements of subpart B, the program submitted for approval must include an index, organized in the same sequence as the requirements in this subpart. (d) Submission and Implementation. The owner/operator must submit and implement the security training program in accordance with the schedules identified in Sec. Sec. 1570.109 and 1570.111 of this subchapter. Sec. 1582.115 Security training and knowledge for security-sensitive employees. (a) Training required for security-sensitive employees. No owner/ operator required to have a security training program under Sec. 1582.101 of this part may use a security-sensitive employee to perform a function identified in Appendix B to this part unless that individual has received training as part of a security training program approved by TSA under 49 CFR part 1570, subpart B, or is under the direct supervision of a security-sensitive employee who has received the training required by this section. (b) Limits on use of untrained employees. Notwithstanding paragraph (a) of this section, a security-sensitive employee may not perform a security-sensitive function for more than sixty (60) calendar days without receiving security training. (c) Prepare. Each owner/operator must ensure that each of its security-sensitive employees with position- or function-specific responsibilities under the owner/operator's security program have knowledge of how to fulfill those responsibilities in the event of a security threat, breach, or incident to ensure-- (1) Employees with responsibility for transportation security equipment and systems are aware of their responsibilities and can verify the equipment and systems are operating and properly maintained; and (2) Employees with other duties and responsibilities under the company's security plans and/or programs, including those required by Federal law, know their assignments and the steps or resources needed to fulfill them. (d) Observe. Each owner/operator must ensure that each of its security-sensitive employees has knowledge of the observational skills necessary to recognize-- (1) Suspicious and/or dangerous items (such as substances, packages, or conditions (for example, characteristics of an IED and signs of equipment tampering or sabotage); (2) Combinations of actions and individual behaviors that appear suspicious and/or dangerous, inappropriate, inconsistent, or out of the ordinary for the employee's work environment which could indicate a threat to transportation security; and (3) How a terrorist or someone with malicious intent may attempt to gain sensitive information or take advantage of vulnerabilities. (e) Assess. Each owner/operator must ensure that each of its security-sensitive employees has knowledge necessary to-- (1) Determine whether the item, individual, behavior, or situation requires a response as a potential terrorist threat based on the respective transportation environment; and (2) Identify appropriate responses based on observations and context. (f) Respond. Each owner/operator must ensure that each of its security-sensitive employees has knowledge of how to-- (1) Appropriately report a security threat, including knowing how and when to report internally to other [[Page 91397]] employees, supervisors, or management, and externally to local, state, or federal agencies according to the owner/operator's security procedures or other relevant plans; (2) Interact with the public and first responders at the scene of the threat or incident, including communication with passengers on evacuation and any specific procedures for individuals with disabilities and the elderly; and (3) Use any applicable self-defense devices or other protective equipment provided to employees by the owner/operator. Subpart C [Reserved] Appendix A to Part 1582--Determinations for Public Transportation and Passenger Railroads ------------------------------------------------------------------------ State Urban area Systems ------------------------------------------------------------------------ CA............................ Bay Area......... Alameda-Contra Costa Transit District (AC Transit). Altamont Commuter Express (ACE). ................. San Francisco Bay Area Rapid Transit District (BART). ................. Central Contra Costa Transit Authority. ................. Golden Gate Bridge, Highway and Transportation District (GGBHTD). ................. Peninsula Corridor Joint Powers Board (PCJPB) (Caltrain). ................. San Francisco Municipal Railway (MUNI) (San Francisco Municipal Transportation Agency). ................. San Mateo County Transit Authority (SamTrans). ................. Santa Clara Valley Transportation Authority (VTA). ................. Transbay Joint Powers Authority. Greater Los City of Los Angeles Angeles Area Department of (Los Angeles/ Transportation Long Beach and (LADOT). Anaheim/Santa Foothill Transit. Ana UASI Areas). Long Beach Transit (LBT). ................. Los Angeles County Metropolitan Transportation Authority (LACMTA). ................. Montebello Bus Lines (MBL). ................. Omnitrans (OMNI). ................. Orange County Transportation Authority (OCTA). ................. Santa Monica's Big Blue Bus (Big Blue Bus). ................. Southern California Regional Rail Authority (Metrolink). DC/MD/VA...................... Greater National Arlington Rapid Capital Region Transit. (National City of Alexandria Capital Region (Alexandria Transit and Baltimore Company) (Dash). UASI Areas). ................. Fairfax County Department of Transportation--Fair fax Connector Bus System. ................. Maryland Transit Administration (MTA). ................. Montgomery County Department of Transportation (Ride- On Montgomery County Transit). ................. Potomac and Rappahannock Transportation Commission. ................. Prince George's County Department of Public Works and Transportation (The Bus). ................. Virginia Railway Express (VRE). ................. Washington Metropolitan Area Transit Authority (WMATA). GA............................ Atlanta Area..... Georgia Regional Transportation Authority (GRTA). Metropolitan Atlanta Rapid Transit Authority (MARTA). IL/IN......................... Chicago Area..... Chicago Transit Authority (CTA). ................. Northeast Illinois Commuter Railroad Corporation (Metra/ NIRCRC). ................. Northern Indiana Commuter Transportation District (NICTD). ................. PACE Suburban Bus Company. MA............................ Boston Area...... Massachusetts Bay Transportation Authority (MBTA). NY/NJ/CT...................... New York City/ Connecticut Northern New Department of Jersey Area (New Transportation York City and (CDOT). Jersey City/ Newark UASI Areas). ................. Connecticut Transit (Hartford Division and New Haven Divisions of CTTransit). ................. Metropolitan Transportation Authority (All Agencies). ................. New Jersey Transit Corp. (NJT). ................. New York City Department of Transportation. ................. Port Authority of New York and New Jersey (PANYNJ) (excluding ferry). ................. Westchester County Department of Transportation Bee- Line System (The Bee- Line System). PA/NJ......................... Philadelphia Area Delaware River Port Authority (DRPA)-- Port Authority Transit Corporation (PATCO). ................. Delaware Transit Corporation (DTC). ................. New Jersey Transit Corp. (NJT) (covered under NY). ................. Pennsylvania Department of Transportation. ................. Southeastern Pennsylvania Transportation Authority (SEPTA). ------------------------------------------------------------------------ [[Page 91398]] Appendix B to Part 1582--Security-Sensitive Job Functions For Public Transportation and Passenger Railroads This table identifies security-sensitive job functions for owner/ operators regulated under this part. All employees performing security- sensitive functions are ``security-sensitive employees'' for purposes of this rule and must be trained. ------------------------------------------------------------------------ Security-sensitive job functions for Categories public transportation and passenger railroads (PTPR) ------------------------------------------------------------------------ A. Operating a vehicle....... 1. Employees who-- a. Operate or control the movements of trains, other rail vehicles, or transit buses. b. Act as train conductor, trainman, brakeman, or utility employee or performs acceptance inspections, couples and uncouples rail cars, applies handbrakes, or similar functions. 2. Employees covered under the Federal hours of service laws as ``train employees.'' See 49 U.S.C. 21101(5) and 21103. B. Inspecting and maintaining Employees who-- vehicles. 1. Perform activities related to the diagnosis, inspection, maintenance, adjustment, repair, or overhaul of electrical or mechanical equipment relating to vehicles, including functions performed by mechanics and automotive technicians. 2. Provide cleaning services to vehicles owned, operated, or controlled by an owner/operator regulated under this subchapter. C. Inspecting or maintaining Employees who-- building or transportation 1. Maintain, install, or inspect infrastructure. communication systems and signal equipment related to the delivery of transportation services. 2. Maintain, install, or inspect track and structures, including, but not limited to, bridges, trestles, and tunnels. 3. Provide cleaning services to stations and terminals owned, operated, or controlled by an owner/operator regulated under this subchapter that are accessible to the general public or passengers. 4. Provide maintenance services to stations, terminals, yards, tunnels, bridges, and operation control centers owned, operated, or controlled by an owner/operator regulated under this subchapter. 5. Employees covered under the Federal hours of service laws as ``signal employees.'' See 49 U.S.C. 21101(4) and 21104. D. Controlling dispatch or Employees who-- movement of a vehicle. 1. Dispatch, report, transport, receive or deliver orders pertaining to specific vehicles, coordination of transportation schedules, tracking of vehicles and equipment. 2. Manage day-to-day management delivery of transportation services and the prevention of, response to, and redress of service disruptions. 3. Supervise the activities of train crews, car movements, and switching operations in a yard or terminal. 4. Dispatch, direct, or control the movement of trains or buses. 5. Operate or supervise the operations of moveable bridges. 6. Employees covered under the Federal hours of service laws as ``dispatching service employees.'' See 49 U.S.C. 21101(2) and 21105. E. Providing security of the Employees who-- owner/operator's equipment 1. Provide for the security of PTPR and property. equipment and property, including acting as a police officer. 2. Patrol and inspect property of an owner/operator regulated under this subchapter to protect the property, personnel, passengers and/or cargo. F. Loading or unloading cargo Employees who load, or oversee loading or baggage. of, property tendered by or on behalf of a passenger on or off of a portion of a train that will be inaccessible to the passenger while the train is in operation. G. Interacting with Employees who provide services to travelling public (on board passengers on-board a train or bus, a vehicle or within a including collecting tickets or cash for transportation facility). fares, providing information, and other similar services. Including: 1. On-board food or beverage employees. 2. Functions on behalf of an owner/ operator regulated under this subchapter that require regular interaction with travelling public within a transportation facility, such as ticket agents. H. Complying with security 1. Employees who serve as security programs or measures, coordinators designated in Sec. including those required by 1570.201 of this subchapter, as well as federal law. any designated alternates or secondary security coordinators. 2. Employees who-- a. Conduct training and testing of employees when the training or testing is required by TSA's security regulations. b. Manage or direct implementation of security plan requirements. ------------------------------------------------------------------------ 0 13. Add part 1584 to read as follows: PART 1584--HIGHWAY AND MOTOR CARRIERS Subpart A--General Sec. 1584.1 Scope. 1584.3 Terms used in this part. Subpart B--Security Programs 1584.101 Applicability. 1584.103 [Reserved] 1584.105 [Reserved] 1584.107 [Reserved] [[Page 91399]] 1584.109 [Reserved] 1584.111 [Reserved] 1584.113 Security training program general requirements. 1584.115 Security training and knowledge for security-sensitive employees. Subpart C [Reserved] Appendix A to Part 1584--Urban Area Determinations for Over-The-Road Buses Appendix B to Part 1584--Security-Sensitive Job Functions For Over-the- Road Buses Authority: 6 U.S.C. 1181 and 1184; 49 U.S.C. 114. Subpart A--General Sec. 1584.1 Scope. This part includes requirements for persons providing transportation by an over-the-road bus (OTRB). Specific sections in this part provide detailed requirements. Sec. 1584.3 Terms used in this part. In addition to the terms in Sec. Sec. 1500.3, 1500.5, and 1503.202 of subchapter A and Sec. 1570.3 of subchapter D of this chapter, the following term applies to this part. Security-sensitive employee means an employee whose responsibilities for the owner/operator include one or more of the security-sensitive job functions identified in Appendix B to this part where the security-sensitive function is performed in the United States or in direct support of the common carriage of persons or property between a place in the United States and any place outside of the United States. Subpart B--Security Programs Sec. 1584.101 Applicability. The requirements of this subpart apply to each OTRB owner/operator providing fixed-route service that originates, travels through, or ends in a geographic location identified in Appendix A to this part. Sec. 1584.103 [Reserved] Sec. 1584.105 [Reserved] Sec. 1584.107 [Reserved] Sec. 1584.109 [Reserved] Sec. 1584.111 [Reserved] Sec. 1584.113 Security training program general requirements. (a) Security training program required. Each owner/operator identified in Sec. 1584.101 of this part is required to adopt and carry out a security training program under this subpart. (b) General requirements. The security training program must include the following information: (1) Name of owner/operator. (2) Name, title, telephone number, and email address of the primary individual to be contacted with regard to review of the security training program. (3) Number, by specific job function category identified in Appendix B to this part, of security-sensitive employees trained or to be trained. (4) Implementation schedule that identifies a specific date by which initial and recurrent security training required by Sec. 1570.111 of this subchapter will be completed. (5) Location where training program records will be maintained. (6) Curriculum or lesson plan, learning objectives, and method of delivery (such as instructor-led or computer-based training) for each course used to meet the requirements of Sec. 1584.115 of this part. TSA may request additional information regarding the curriculum during the review and approval process. (7) Plan for ensuring supervision of untrained security-sensitive employees performing functions identified in Appendix B to this part. (8) Plan for notifying employees of changes to security measures that could change information provided in previously provided training. (9) Method(s) for evaluating the effectiveness of the security training program in each area required by Sec. 1584.115 of this part. (c) Relation to other training. (1) Training conducted by owner/ operators to comply other requirements or standards may be combined with and used to satisfy elements of the training requirements in this subpart. (2) If the owner/operator submits a security training program that relies on pre-existing or previous training materials to meet the requirements of subpart B, the program submitted for approval must include an index, organized in the same sequence as the requirements in this subpart. (d) Submission and Implementation. The owner/operator must submit and implement the security training program in accordance with the schedules identified in Sec. Sec. 1570.109 and 1570.111 of this subchapter. Sec. 1584.115 Security training and knowledge for security-sensitive employees. (a) Training required for security-sensitive employees. No owner/ operator required to have a security training program under Sec. 1584.101 of this part may use a security-sensitive employee to perform a function identified in Appendix B to this part unless that individual has received training as part of a security training program approved by TSA under 49 CFR part 1570, subpart B, or is under the direct supervision of a security-sensitive employee who has received the training required by this section. (b) Limits on use of untrained employees. Notwithstanding paragraph (a) of this section, a security-sensitive employee may not perform a security-sensitive function for more than sixty (60) calendar days without receiving security training. (c) Prepare. Each owner/operator must ensure that each of its security-sensitive employees with position- or function-specific responsibilities under the owner/operator's security program have knowledge of how to fulfill those responsibilities in the event of a security threat, breach, or incident to ensure-- (1) Employees with responsibility for transportation security equipment and systems are aware of their responsibilities and can verify the equipment and systems are operating and properly maintained; and (2) Employees with other duties and responsibilities under the company's security plans and/or programs, including those required by Federal law, know their assignments and the steps or resources needed to fulfill them. (d) Observe. Each owner/operator must ensure that each of its security-sensitive employees has knowledge of the observational skills necessary to recognize-- (1) Suspicious and/or dangerous items (such as substances, packages, or conditions (for example, characteristics of an IED and signs of equipment tampering or sabotage); (2) Combinations of actions and individual behaviors that appear suspicious and/or dangerous, inappropriate, inconsistent, or out of the ordinary for the employee's work environment which could indicate a threat to transportation security; and (3) How a terrorist or someone with malicious intent may attempt to gain sensitive information or take advantage of vulnerabilities. (e) Assess. Each owner/operator must ensure that each of its security-sensitive employees has knowledge necessary to-- (1) Determine whether the item, individual, behavior, or situation requires a response as a potential terrorist threat based on the respective transportation environment; and (2) Identify appropriate responses based on observations and context. (f) Respond. Each owner/operator must ensure that each of its security- [[Page 91400]] sensitive employees has knowledge of how to-- (1) Appropriately report a security threat, including knowing how and when to report internally to other employees, supervisors, or management, and externally to local, state, or federal agencies according to the owner/operator's security procedures or other relevant plans; (2) Interact with the public and first responders at the scene of the threat or incident, including communication with passengers on evacuation and any specific procedures for individuals with disabilities and the elderly; and (3) Use any applicable self-defense devices or other protective equipment provided to employees by the owner/operator. Subpart C [Reserved] Appendix A to Part 1584--Urban Area Determinations for Over-the-Road Buses ---------------------------------------------------------------------------------------------------------------- State Urban area Geographic areas ---------------------------------------------------------------------------------------------------------------- CA...................................... Anaheim/Los Angeles/Long Los Angeles and Orange Counties. Beach/Santa Ana Areas. San Diego Area............. San Diego County. San Francisco Bay Area..... Alameda, Contra Costa, Marin, San Francisco, and San Mateo Counties. DC (VA, MD, and WV)..................... National Capital Region.... District of Columbia; Counties of Calvert, Charles, Frederick, Montgomery, and Prince George's, MD; Counties of Arlington, Clarke, Fairfax, Fauquier, Loudoun, Prince William, Spotsylvania, Stafford, and Warren County, VA; Cities of Alexandria, Fairfax, Falls Church, Fredericksburg, Manassas, and Manassas Park City, VA; Jefferson County, WV. IL/IN................................... Chicago.................... Counties of Cook, DeKalb, DuPage, Grundy, Area....................... Kane, Kendall, Lake, McHenry, and Will, IL; Counties of Jasper, Lake, Newton, and Porter, IN; Kenosha County, WI. MA...................................... Boston..................... Counties of Essex, Norfolk, Plymouth, Area....................... Suffolk, Middlesex, MA; Counties of Rockingham and Strafford, NH. NY (NJ and PA).......................... New York City/Jersey City/ Counties of Bronx, Kings, Nassau, New Newark Area. York, Putnam, Queens, Richmond, Rockland, Suffolk, and Westchester, NY; Counties of Bergen, Essex, Hudson, Hunterdon, Ocean, Middlesex, Monmouth, Morris, Passaic, Somerset, Sussex, and Union, NJ; Pike County, PA. PA (DE and NJ).......................... Philadelphia Area/Southern Counties of Burlington, Camden, and New Jersey. Gloucester, NJ; Counties of Bucks, Area....................... Chester, Delaware, Montgomery, and Philadelphia, PA; New Castle County, DE; Cecil County, MD; Salem County, NJ. TX...................................... Dallas Fort Worth/Arlington Collin, Dallas, Delta, Denton, Ellis, Area. Hunt, Kaufman, Rockwall, Johnson, Parker, Tarrant, and Wise Counties, TX. Houston Area............... Austin, Brazoria, Chambers, Fort Bend, Galveston, Harris, Liberty, Montgomery, San Jacinto, and Waller Counties, TX. ---------------------------------------------------------------------------------------------------------------- Appendix B to Part 1584--Security-Sensitive Job Functions For Over-the- Road Buses This table identifies security-sensitive job functions for owner/ operators regulated under this part. All employees performing security- sensitive functions are ``security-sensitive employees'' for purposes of this rule and must be trained. ------------------------------------------------------------------------ Security-sensitive job functions for over- Categories the-road buses ------------------------------------------------------------------------ A. Operating a vehicle....... Employees who have a commercial driver's license (CDL) and operate an OTRB. B. Inspecting and maintaining Employees who-- vehicles. 1. Perform activities related to the diagnosis, inspection, maintenance, adjustment, repair, or overhaul of electrical or mechanical equipment relating to vehicles, including functions performed by mechanics and automotive technicians. 2. Does not include cleaning or janitorial activities. C. Inspecting or maintaining Employees who-- building or transportation 1. Provide cleaning services to areas of infrastructure. facilities owned, operated, or controlled by an owner/operator regulated under this subchapter that are accessible to the general public or passengers. 2. Provide cleaning services to vehicles owned, operated, or controlled by an owner/operator regulated under this part (does not include vehicle maintenance). 3. Provide general building maintenance services to buildings owned, operated, or controlled by an owner/operator regulated under this part. D. Controlling dispatch or Employees who-- movement of a vehicle. 1. Dispatch, report, transport, receive or deliver orders pertaining to specific vehicles, coordination of transportation schedules, tracking of vehicles and equipment. 2. Manage day-to-day delivery of transportation services and the prevention of, response to, and redress of disruptions to those services. 3. Perform tasks requiring access to or knowledge of specific route information. E. Providing security of the Employees who patrol and inspect property owner/operator's equipment of an owner/operator regulated under and property. this part to protect the property, personnel, passengers and/or cargo. F. Loading or unloading cargo Employees who load, or oversee loading or baggage. of, property tendered by or on behalf of a passenger on or off of a portion of a bus that will be inaccessible to the passenger while the vehicle is in operation. [[Page 91401]] G. Interacting with Employees who-- travelling public (on board 1. Provide services to passengers on- a vehicle or within a board a bus, including collecting transportation facility). tickets or cash for fares, providing information, and other similar services. 2. Includes food or beverage employees, tour guides, and functions on behalf of an owner/operator regulated under this part that require regular interaction with travelling public within a transportation facility, such as ticket agents. H. Complying with security 1. Employees who serve as security programs or measures, coordinators designated in Sec. including those required by 1570.201 of this subchapter, as well as federal law. any designated alternates or secondary security coordinators. 2. Employees who-- a. Conduct training and testing of employees when the training or testing is required by TSA's security regulations. b. Manage or direct implementation of security plan requirements. ------------------------------------------------------------------------ Dated: November 18, 2016. Huban A. Gowadia, Deputy Administrator. [FR Doc. 2016-28298 Filed 12-15-16; 8:45 am] BILLING CODE 9110-05-P
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
