Surface Transportation Vulnerability Assessments and Security Plans (VASP)

As Enacted ( Federal Register)

Cited authorities 13

Cited in

Federal Register, Volume 81 Issue 242 (Friday, December 16, 2016)

Federal Register Volume 81, Number 242 (Friday, December 16, 2016)

Proposed Rules

Pages 91401-91416

From the Federal Register Online via the Government Publishing Office www.gpo.gov

FR Doc No: 2016-28300

-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Transportation Security Administration

49 CFR Chapter XII

Docket No. TSA-2016-0002

RIN 1652-AA56

Surface Transportation Vulnerability Assessments and Security Plans (VASP)

AGENCY: Transportation Security Administration, DHS.

ACTION: Advance notice of proposed rulemaking (ANPRM).

-----------------------------------------------------------------------

SUMMARY: The Transportation Security Administration (TSA) is issuing this ANPRM to request public comments on several topics relevant to the development of surface transportation vulnerability assessment and security plan regulations mandated by the Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Act). Based on its regular interaction with stakeholders, TSA assumes many higher-risk railroads (freight and passenger), public transportation agencies, and over-the-

road buses (OTRBs) have implemented security programs with security measures similar to those identified by the 9/11 Act's regulatory requirements. In general, TSA is requesting information on three types of issues. First, existing practices, standards, tools, or other resources used or available for conducting vulnerability assessments and developing security plans. Second, information on existing security measures, including whether implemented voluntarily or in response to other regulatory requirements, and the potential impact of additional requirements on operations. Third, information on the scope/cost of current security systems and other measures used to provide security and mitigate vulnerabilities. This information is necessary for TSA to establish the current baseline, estimate cost of implementing the statutory mandate, and develop appropriate performance standards.

While TSA will review and consider all comments submitted, TSA invites responses to a number of specific questions posed in the ANPRM. See the Comments Invited section under SUPPLEMENTARY INFORMATION that follows.

DATES: Submit comments by February 14, 2017.

ADDRESSES: You may submit comments, identified by the TSA docket number to this rulemaking, to the Federal Docket Management System (FDMS), a government-wide, electronic docket management system, using any one of the following methods:

Electronically: You may submit comments through the Federal eRulemaking portal at http://www.regulations.gov. Follow the online instructions for submitting comments.

Mail, In Person, or Fax: Address, hand-deliver, or fax your written comments to the Docket Management Facility, U.S. Department of Transportation, 1200 New Jersey Avenue SE., West Building Ground Floor, Room W12-140, Washington, DC 20590-0001; fax (202) 493-2251. The Department of Transportation (DOT), which maintains and processes TSA's official regulatory dockets, will scan the submission and post it to FDMS.

See SUPPLEMENTARY INFORMATION for format and other information about comment submissions.

FOR FURTHER INFORMATION CONTACT: Harry Schultz (TSA Office of Security Policy and Industry Engagement) or Traci Klemm (TSA Office of the Chief Counsel) at telephone (571) 227-3531 or email to VASPPOLICY@tsa.dhs.gov.

SUPPLEMENTARY INFORMATION:

Comments Invited

TSA invites interested persons to participate in this rulemaking by submitting written comments, data, or views. We also invite comments relating to the economic, environmental, energy, or federalism impacts that might result from this rulemaking action. See ADDRESSES above for information on where to submit comments.

With each comment, please identify the docket number at the beginning of your comments. You may submit comments and material electronically, in person, by mail, or fax as provided under ADDRESSES, but please submit your comments and material by only one means. If you submit comments by mail or delivery, submit them in an unbound format, no larger than 8.5 by 11 inches, suitable for copying and electronic filing.

If you would like TSA to acknowledge receipt of comments submitted by mail, include with your comments a self-addressed, stamped postcard on which the docket number appears. TSA will stamp the date on the postcard and mail it to you.

TSA will file all comments to our docket address, as well as items sent to the address or email under FOR FURTHER INFORMATION CONTACT, in the public docket, except for comments containing confidential information and sensitive security information (SSI).\1\ Should you wish your personally identifiable information redacted prior to filing in the docket, please so state. TSA will consider all comments that are in the docket on or before the closing date for

Page 91402

comments and will consider comments filed late to the extent practicable. The docket is available for public inspection before and after the comment closing date.

---------------------------------------------------------------------------

\1\ ``Sensitive Security Information'' or ``SSI'' is information obtained or developed in the conduct of security activities, the disclosure of which would constitute an unwarranted invasion of privacy, reveal trade secrets or privileged or confidential information, or be detrimental to the security of transportation. The protection of SSI is governed by 49 CFR part 1520.

---------------------------------------------------------------------------

Specific Questions

In general, TSA seeks comments on the broad areas outlined within this ANPRM and approaches TSA can take to integrate existing requirements and voluntarily initiated programs to enhance security as intended by the statutory requirements this rulemaking will fulfill. TSA also seeks comments on how this rulemaking could be implemented to meet the requirements of the law in a manner that maximizes benefits without imposing excessive, unjustified, or unnecessary costs.

Specific questions are included in this ANPRM immediately following the discussion of the relevant issues. TSA asks that commenters provide as much information as possible. In some areas, TSA requests very specific information. Whenever possible, please provide citations and copies of any relevant studies or reports on which you rely, as well as any additional data which supports your comment. It is also helpful to explain the basis and reasoning underlying your comment. TSA appreciates any information provided. While complete answers are preferable, TSA recognizes that providing detailed comments on every question could be burdensome and will consider all comments, regardless of whether the response is complete. Each commenting party should include the identifying number of the specific question(s) to which it is responding. To assist commenters, a fillable template with all of the questions in sequential order is included in the docket. Commenters can download the template, complete it, and then upload it to the docket or submit a hard copy as directed under ADDRESSES.

TSA will use comments to make decisions regarding the content and direction of the notice of proposed rulemaking (NPRM). TSA also requests additional comments and information not addressed by these questions that would promote an understanding of the implications of imposing a VASP regulatory requirement. TSA does not expect that every commenter will be able to answer every question. Please respond to those questions you feel able to answer or that address your particular issue.

TSA encourages responses from all interested entities, not just the transportation sectors to which this rulemaking would apply. Each comment filed by a party, other than public transportation agencies, railroads, or OTRB companies, or their representatives, should explain the commenter's interest in this rulemaking and how their comments may assist in TSA's development of the regulation.

Handling of Confidential or Proprietary Information and SSI Submitted in Public Comments

Do not submit comments that include trade secrets, confidential commercial or financial information, or SSI to the public regulatory docket. Please submit such comments separately from other comments on the rulemaking. Comments containing this type of information should be appropriately marked as containing such information and submitted by mail to the address listed in the FOR FURTHER INFORMATION CONTACT section.

TSA will not place comments containing SSI in the public docket and will handle them in accordance with applicable safeguards and restrictions on access. TSA will hold documents containing SSI, confidential business information, or trade secrets in a separate file to which the public does not have access, and place a note in the public docket explaining that commenters have submitted such documents. TSA may include a redacted version of the comment in the public docket. If an individual requests to examine or copy information that is not in the public docket, TSA will treat it as any other request under the Freedom of Information Act (FOIA) (5 U.S.C. 552) and the Department of Homeland Security's (DHS') FOIA regulation found in 6 CFR part 5.

Reviewing Comments in the Docket

Please be aware that anyone is able to search the electronic form of all comments in any of our dockets by the name of the individual who submitted the comment (or signed the comment, if an association, business, labor union, etc., submitted the comment). You may review the applicable Privacy Act Statement published in the Federal Register on April 11, 2000 (65 FR 19477), and modified on January 17, 2008 (73 FR 3316).

You may review TSA's electronic public docket on the Internet at http://www.regulations.gov. In addition, DOT's Docket Management Facility provides a physical facility, staff, equipment, and assistance to the public. To obtain assistance or to review comments in TSA's public docket, you may visit this facility between 9:00 a.m. and 5:00 p.m., Monday through Friday, excluding legal holidays, or call (202) 366-9826. This docket operations facility is located in the West Building Ground Floor, Room W12-140 at 1200 New Jersey Avenue SE., Washington, DC 20590.

Availability of Rulemaking Document

You can get an electronic copy using the Internet by--

(1) Searching the electronic FDMS Web page at http://www.regulations.gov; or

(2) Accessing the Government Printing Office's Web page at http://www.gpo.gov/fdsys/browse/collection.action?collectionCode=FR to view the daily published Federal Register edition; or accessing the ``Search the Federal Register by Citation'' in the ``Related Resources'' column on the left, if you need to do a Simple or Advanced search for information, such as a type of document that crosses multiple agencies or dates.

In addition, copies are available by writing or calling the individual in the FOR FURTHER INFORMATION CONTACT section. Make sure to identify the docket number of this rulemaking.

Abbreviations and Terms Used in This Document

17 SAIs--17 Security and Emergency Preparedness Action Items for Transit Agencies

AAR--Association of American Railroads

AMTRAK--National Railroad Passenger Corporation

ANPRM--Advance Notice of Proposed Rulemaking

APTA--American Public Transportation Association

BASE--Baseline Assessment for Security Enhancement

CSRs--Corporate Security Reviews

DOT--Department of Transportation

DHS--Department of Homeland Security

EXIS--Exercise Information System

FEMA--Federal Emergency Management Agency

FMCSA--Federal Motor Carrier Safety Administration

FRA--Federal Railroad Administration

FTA--Federal Transit Administration

HMR--Hazardous Materials Regulations

HSA--Homeland Security Act of 2002

HSAS--Homeland Security Advisory System

HSEEP--Homeland Security Exercise and Evaluation Program

HTUA--High-Threat Urban Area

I-STEP--Intermodal Security Training and Exercise Program

NCIPP--National Critical Infrastructure Prioritization Program

NPRM--Notice of Proposed Rulemaking

NTAS--National Terrorism Advisory System

NY MTA--New York Metropolitan Transportation Authority

OMB--Office of Management and Budget

OTRB--Over-the-Road Bus

OAs--Oversight Agencies

PHMSA--Pipeline and Hazardous Materials Safety Administration

PPD--Presidential Policy Directive

PRA--Paperwork Reduction Act of 1995

Page 91403

PTPR--Public Transportation and Passenger Railroads

RSSM--Rail Security-Sensitive Materials

RTAs--Rail Transit Agencies

SMARToolbox--Security Measures and Resources Toolbox

SSI--Sensitive Security Information

SSO--State Safety Oversight

STB--Surface Transportation Board

TSA--Transportation Security Administration

TSGP--Transit Security Grant Program

T-START--Transportation Security Template and Assessment Review Toolkit

TWIC--Transportation Worker Identification Credential

UASI--Urban Area Security Initiative

VASP--Vulnerability Assessments and Security Plans

Table of Contents

Introduction
Background
1. Surface Transportation
2. TSA's Role and Responsibility
3. The 9/11 Act
4. Applicability
Rulemaking Context
1. Grant Programs
2. Intermodal Security Training and Exercise Program
3. Department of Transportation Regulations
  1. Hazardous Material Regulations
  2. Transit Safety and Security
  3. Emergency Preparedness Plans
4. 17 Security and Emergency Action Items
5. Baseline Assessment for Security Enhancement Program
6. Transportation Security Template and Assessment Review Toolkit
7. Security Measures and Resources Toolbox
8. Terrorism Risk Analysis and Security Management Plan Developed by the Association of American Railroads
Best Practices Developed by the American Public Transportation Association
1. Security and Emergency Preparedness Plans
Assessments
1. General
2. Assessments of Security Systems and Operations
3. Identifying Performance Standards for Assessments of Security Systems and Operations
4. Determination of Critical Assets and Infrastructure
5. Identifying Performance Standards for Assessments of Critical Assets and Infrastructure
Security Plans
1. Identifying Performance Standards for Security Plans
2. Tools and Other Resources
3. Risk-Reduction or Mitigation Measures
Drills and Exercises
Updates
Accountable Executive
Considerations for Small Owner/Operators
Estimating the Benefits and Costs of Requirements
Next Steps and Public Participation
Introduction

This ANPRM is part of a series of rulemakings applicable to public transportation and passenger railroads (PTPR) systems, freight railroads, and OTRBs to comply with requirements of the 9/11 Act.\2\ The 9/11 Act requires TSA to promulgate regulations involving: (1) Security training of frontline employees,\3\ (2) vulnerability assessments and security plans,\4\ and (3) employee vetting.\5\

---------------------------------------------------------------------------

\2\ Public Law 110-53, 121 Stat. 266 (Aug. 3, 2007).

\3\ Id. secs. 1408, 1517, and 1534. For a discussion regarding the applicability of the 9/11 Act to these proposed rules, see Section II of this ANPRM.

\4\ 9/11 Act secs. 1405, 1512, and 1531. See also Section II of this ANPRM.

\5\ 9/11 Act secs. 1411, 1520, and 1531(e)(2). See also Section II of this ANPRM.

---------------------------------------------------------------------------

This ANPRM is limited to the requirements for VASP regulations. Through this ANPRM, TSA is seeking comments on: (1) Requirements for vulnerability assessments of security systems and operations and critical assets/infrastructure, (2) requirements for security plans, and (3) resources or other required programs that TSA should consider as relevant for meeting these requirements. Knowledgeable and constructive input from railroads, public transportation agencies, OTRB operators, their representative associations, labor unions, state and local governments, and the general public who rely on these systems is critical for developing a regulation with the proper balance between costs and benefits.

By imposing VASP requirements on higher-risk railroads, public transportation agencies, and OTRBs, this rulemaking should establish a uniform base of vulnerability assessments and security plans for security systems and operations, as well as critical assets and/or infrastructure that these owner/operators may own or control.

TSA believes the VASP regulations should consider current voluntarily implemented security measures and operational issues in establishing performance standards for compliance. To that end, TSA is seeking specific information to assist in developing effective regulatory policies, resources for implementation, and valid cost estimates. To provide context for the questions, this ANPRM is organized to include requests for comment immediately following discussions of the relevant issues.

TSA is requesting public comment and data to assist in identifying the current baseline in order to determine the incremental cost of compliance with the assessment and planning elements required by the 9/

11 Act. In general, TSA is particularly interested in data from surface transportation owner/operators who currently have security plans specifically based on a vulnerability or similar assessment. For example, TSA needs data on the cost of conducting an assessment (if not conducted by TSA), cost of developing a security plan, and the types and cost of risk-reduction or mitigation measures. While TSA has gathered significant information in these areas as part of its ongoing rulemaking efforts, there are some areas where it would be helpful to validate cost elements and ensure our understanding of the existing baseline is current. The requests for comment seek information to close these information gaps.

As discussed below, TSA is concerned about the impact of this regulation based on the diversity of surface transportation owner/

operators, which could include large (national) companies, publicly owned systems, and small businesses. While not required, TSA asks commenters to include information regarding the nature and size of the business. Information on the nature of the business operation of the person commenting will help TSA better understand and analyze the information provided. Failure to include this specific information will not preclude the agency's consideration of the information submitted.
Background
1. Surface Transportation
  
  The surface transportation rules required by the 9/11 Act must address a decentralized, diffuse, complex, and evolving terrorist threat in the context of an inherently open and diverse transportation system. The U.S. surface transportation network is immense, consisting of public transportation systems, passenger and freight railroads, highways, motor carrier operators, pipelines, and maritime facilities. The New York Metropolitan Transportation Authority (NY MTA) alone transports over 11 million passengers daily and represents just one of the more than 6,800 U.S. public transit agencies for which TSA has oversight, ranging from very small bus-only systems in rural areas to very large multi-modal systems in urban areas like the NY MTA. More than 500 individual freight railroads operate on nearly 140 thousand miles of track carrying essential goods. Eight million large capacity commercial trucks and almost 4 thousand commercial bus companies travel on the
  
  Page 91404
  
  4 million miles of roadway in the United States and on more than 600 thousand highway bridges and through 350 tunnels greater than 300 feet in length. Surface transportation operators carry approximately 750 million intercity bus passengers and 10 billion passenger trips on public transportation each year. Securing such diverse surface transportation systems in a society that depends upon the free movement of people and commerce is a complex undertaking that requires extensive collaboration with surface transportation operators.
  
  Unlike the aviation mode of transportation, direct responsibility to secure surface transportation systems falls primarily on the system owners and operators. In further contrast to aviation, surface transportation systems are, by nature, open systems. Surface transportation systems can be national and privately held companies, public transportation systems owned and operated by the government, or a family-owned business with two buses. Regardless of the size of the business, surface transportation owner/operators are in the best position to know their facilities and their operational challenges. As a whole, these owner/operators have spent billions of dollars of their own funds to secure critical infrastructure, provide uniformed law enforcement and specialty security teams, and conduct operational activities and deterrence efforts.
  
  Security and emergency response planning is not new to surface transportation owner/operators; they have been working under DOT \6\ and DHS \7\ regulations. Although DOT's regulations relate primarily to safety, many safety activities and programs also benefit security and help to reduce risk. In the surface environment, TSA has built upon these standards to improve security programs with minimal regulations.
  
  ---------------------------------------------------------------------------
  
  \6\ For example, the Pipeline and Hazardous Materials Safety Administration regulates the transportation of hazardous materials in commerce, including requirements for safety and security training and for security planning (49 CFR parts 171-180); the Federal Railroad Administration regulates passenger train emergency preparedness (49 CFR parts 200-299); and the Federal Transit Administration requires system safety programs for rail transit agencies (49 CFR part 659).
  
  \7\ For example, the Transportation Worker Identification Credential (TWIC) program is a TSA and U.S. Coast Guard initiative in the United States. For more information, see http://www.tsa.gov/for-industry/twic. A TWIC is required for workers who need access to secure areas of the nation's maritime facilities and vessels. TSA conducts a security threat assessment (background check) to determine a person's eligibility and issues the credential. U.S. citizens and immigrants in certain immigration categories may apply for the credential. Most mariners licensed by the U.S. Coast Guard also require a credential. See 49 CFR part 1572. The National Protection and Programs Directorate of DHS regulates the security of certain high-risk chemical facilities in the United States. See 6 CFR part 27.
  
  ---------------------------------------------------------------------------
2. TSA's Role and Responsibility
  
  TSA is responsible for assessing security risks for any mode of transportation, developing appropriate security measures for dealing with those risks, and ensuring implementation of those measures.\8\ Assessments include analysis of intelligence information and on-site reviews of transportation systems and operations. TSA works collaboratively with its surface stakeholders to enhance information sharing and develop security measures and best practices appropriate for the operational environment. DHS provides funding to support information sharing and implementation of security measures. This funding supports information sharing and analysis centers (ISACs) that facilitate threat warning and incident reporting for railroads, public transportation systems, and over-the-road buses. In addition, TSA works with DHS to develop and implement a risk-based determination for allocation of Federal grant funds. Eligible surface transportation owner/operators can supplement their own investment in security, using this funding to identify and mitigate operational vulnerabilities.
  
  ---------------------------------------------------------------------------
  
  \8\ See 49 U.S.C. 114(d) and (f), codifying provisions of the Aviation and Transportation Security Act (ATSA), Public Law 107-71, 115 Stat. 597 (Nov. 19, 2001). ATSA created TSA and made it the primary federal agency responsible to enhance security for all modes of transportation. Section 403(2) of the Homeland Security Act of 2002 (HSA), Public Law 107-296, 116 Stat. 2135 (Nov. 25, 2002), transferred all functions related to transportation security, including those of the Secretary of Transportation and the Under Secretary of Transportation for Security related to TSA, to the Secretary of Homeland Security. Pursuant to DHS, ``Delegation to the Administrator of the Transportation Security Administration,'' Delegation Number 7060.2 (Nov. 5, 2003), the Secretary delegated to the Administrator, subject to the Secretary's guidance and control, the authority vested in the Secretary with respect to TSA, including that in sec. 403(2) of the HSA.
  
  ---------------------------------------------------------------------------
  
  TSA can also ensure implementation through promulgation of regulations.\9\ For example, the Rail Transportation Security regulation (published in 2008 and codified at 49 CFR part 1580) requires all rail systems (freight, passenger, and public transportation) to appoint rail security coordinators \10\ and report significant security concerns to TSA through the Transportation Security Operations Center (located at the ``Freedom Center'').\11\ In addition, freight railroads are required to report (upon request by TSA) the location and shipping information for rail cars containing certain hazardous materials and provide ``chain of custody'' to ensure security of those materials when transported through high-risk areas.\12\
  
  ---------------------------------------------------------------------------
  
  \9\ 49 U.S.C. 114(l)(1).
  
  \10\ 49 CFR 1580.101 and 1580.201.
  
  \11\ 49 CFR 1580.105 and 1580.203.
  
  \12\ 49 CFR 1580.107.
  
  ---------------------------------------------------------------------------
3. The 9/11 Act
  
  The 9/11 Act includes numerous mandates related to surface transportation security. These requirements include development of security strategies, reporting on implementation, information sharing, civil penalties, Visible Intermodal Prevention and Response teams, security assessments, grant programs for security enhancements, a national security exercise program, background check programs, protection for employees reporting security violations, public outreach campaigns, and studies on particular hazards and threats.\13\
  
  ---------------------------------------------------------------------------
  
  \13\ See 9/11 Act, at Title XII (Transportation Security Planning and Information Sharing), Title XIII (Transportation Security Enhancements), Title XIV (Public Transportation Security), and Title XV (Surface Transportation Security).
  
  ---------------------------------------------------------------------------
  
  As previously noted, the 9/11 Act also mandates that TSA require VASP for higher-risk public transportation agencies, railroads, and OTRBs; security training of their frontline employees; and, employee background checks.\14\ TSA is addressing these requirements in three separate, but related, rulemakings.\15\ The docket for this ANPRM includes a table aligning the statutory provisions for VASP across the three modes (public transportation, railroads, and OTRBs).
  
  ---------------------------------------------------------------------------
  
  \14\ See 9/11 Act secs. 1405, 1512, and 1531 for VASP requirements; secs. 1408, 1517, and 1534 for employee security training requirements; and secs. 1411 and 1520 for employee vetting requirements. The statutory mandates for VASP in secs. 1512, and 1531 also include a requirement to conduct security threat assessments of security coordinators.
  
  \15\ TSA published an NPRM to implement requirements related to employee security training, titled ``Security Training Programs for Surface Transportation Employees,'' published elsewhere in this issue of the Federal Register. TSA will address requirements for employee vetting in a separate NPRM. See Fall 2016 Unified Agenda, RIN 1652-AA69.
  
  ---------------------------------------------------------------------------
4. Applicability
  
  For purposes of this ANPRM, TSA is limiting the scope of its request for comments related to applicability. As previously noted, the VASP rulemaking is part of a series of rulemakings to implement requirements of the 9/11 Act. As the first of these rulemakings published by TSA, the Security Training NPRM provides the general structure, including proposed applicability and the framework for a regulatory program. TSA intends for the applicability proposed in the Security Training NPRM to apply generally to the three
  
  Page 91405
  
  related rulemakings.\16\ In other words, the higher-risk PTPR, freight railroad, and OTRB owner/operators required to have a security-training program (surface owner/operators) would also be required to conduct vulnerability assessments, implement security plans, and implement requirements for employee vetting (security threat assessments).
  
  ---------------------------------------------------------------------------
  
  \16\ The Security Training NPRM incorporates all of requirements in current 49 CFR part 1580. The rail operations subject to the requirements in current part 1580 is broader than the proposed applicability for rail operations in the Security Training NPRM. To the extent an owner/operator must comply with requirements in current part 1580, applicability proposed in the Security Training NPRM would not affect that obligation. For example, if a railroad is required to have a security coordinator under current part 1580, but is not within the scope of proposed applicability for security training, they must still have a security coordinator. TSA anticipates capturing this additional security coordinator population in the related rulemaking for vetting requirements, consistent with the 9/11 Act's requirement to conduct security threat assessments of all security coordinators. See 9/11 Act secs. 1512(e)(2) and 1531(e)(2).
  
  ---------------------------------------------------------------------------
  
  Consistent with the proposed applicability for the Security Training NPRM, TSA assumes the VASP requirements would apply to--
  
  Class 1 railroads (as assigned by regulations of the Surface Transportation Board (STB) (49 CFR part 1201; General Instructions 1-1);
  
  Railroads transporting rail security-sensitive materials (RSSM) \17\ in a high-threat urban area (HTUA);
  
  ---------------------------------------------------------------------------
  
  \17\ See definition in proposed 49 CFR 1580.3 of the Security Training NPRM, which is consistent with the definition in current 49 CFR 1580.100(b).
  
  ---------------------------------------------------------------------------
  
  Railroads hosting higher-risk rail operations (including freight railroads and the intercity or commuter systems);
  
  PTPR systems identified as higher-risk operating in one of the following eight regions (geographically consistent with designations under the Urban Area Security Initiative (UASI)): San Francisco Bay area, Los Angeles/Long Beach and Anaheim/Santa Ana areas, National Capital Region and Baltimore areas, Atlanta area, Chicago area, Boston area, New York City and Jersey City/Newark areas, and Philadelphia area;
  
  Amtrak (the Security Training NPRM includes a list of systems); and
  
  OTRB owner/operators providing fixed-route service to, through, or from one of the following areas (geographically consistent with designations under the UASI): Anaheim/Los Angeles/Long Beach/Santa Ana areas, San Diego area, San Francisco Bay area, National Capital Region, Boston area, New York City/Jersey City/Newark area, Philadelphia area/Southern New Jersey area, Dallas/Fort Worth/Arlington area, Chicago area, and Houston area.
  
  As TSA has included a full discussion of the proposed and alternative applicability options in the Security Training NPRM, as well as an opportunity to comment, that discussion is not duplicated as part of this ANPRM. Later in this ANPRM, however, a specific request for comments is included for the impact on small businesses. TSA will consider all comments received on this ANPRM.
Rulemaking Context

The baseline of security for surface transportation has been substantially enhanced since the 9/11 Act was enacted through programs (including some required by the 9/11 Act), and the cooperative and collaborative relationship between TSA and the surface transportation industry. These relationships have led to enhanced security through development of best practices, sharing of information (both reporting of security-related incidents by the industry, intelligence sharing by the government, and other efforts such as the ISACs), and security programs and measures to strengthen and enhance the security of surface transportation networks.

The VASP regulations will be part of this broad and sustained effort to develop and maintain an enhanced security baseline for surface transportation as well as strengthening the security of nationally significant critical assets. Understanding the scope of these efforts is essential to this rulemaking as the 9/11 Act specifically authorizes TSA to recognize existing procedures, protocols, and standards that can be used to meet all or part of the regulatory requirements for assessments and planning.\18\ Additional information on a few of these programs is provided below.

---------------------------------------------------------------------------

\18\ See 9/11 Act secs. 1405(i), 1512(j), and 1531(i).

---------------------------------------------------------------------------
1. Grant Programs
  
  The 9/11 Act authorized funding for surface security enhancements specifically for PTPR, freight railroads, and OTRB owner/operators.\19\ To the extent funds are appropriated for this purpose, TSA provides the Federal Emergency Management Agency (FEMA) with subject matter expertise, assisting in the development of risk determinations, review of investment justifications, and other aspects of the surface transportation security grant programs. These grants support surface transportation risk-reduction or mitigation measures by applying Federal funding to critical security projects. Between fiscal years (FYs) 2006 and 2016, DHS awarded more than $2.4 billion in transportation security grant funding to freight railroad carriers and operators, OTRB operators, the trucking community, and public mass transit owners and operators, including Amtrak, and their dedicated law enforcement providers. Congress appropriated $100 million in FY 2016, from which DHS awarded $87 million for mass transit, $10 million for passenger rail, and $3 million for motor coach security grants.
  
  ---------------------------------------------------------------------------
  
  \19\ See 9/11 Act secs. 1406(a)(2) (public transportation security assistance), 1513(a)(2) (railroads), 1514(b) (Amtrak), and 1532(f)(1) (OTRBs).
  
  ---------------------------------------------------------------------------
  
  TSA assumes surface transportation owner/operators will incorporate security measures and other security enhancements funded by these grant programs into security programs complying with the regulatory requirements mandated by the 9/11 Act. This assumption recognizes requirements in the authorizing statutes for these grant programs, which all prioritized funding for meeting 9/11 Act requirements for security training, assessments, and planning.
2. Intermodal Security Training and Exercise Program
  
  The 9/11 Act also required development of a security exercise program to ``assess and improve the capabilities'' of surface modes ``to prevent, prepare for, mitigate against, respond to, and recover from acts of terrorism.'' \20\ TSA implemented this requirement through the Intermodal Security Training and Exercise Program (I-STEP). I-STEP brings public and private sector partners together to exercise, train, share information, and address transportation security issues to protect travelers, commerce, and infrastructure. Through the program, TSA facilitates modal and intermodal exercises and workshops throughout the country. The program also provides training support to help modal operators meet their training objectives. The Exercise Information System (EXIS) is an online tool developed by TSA, which leverages the concept of I-STEP in support of all operators, but particularly those operators that may be less competitive for I-STEP exercises because they are lower risk systems.
  
  ---------------------------------------------------------------------------
  
  \20\ See 9/11 Act secs. 1407, 1516 and 1533. See also sec. 114 of the Security and Accountability for Every Port Act of 2006 (SAFE Port Act), Public Law 109-347, 120 Stat. 1884, 1896-97 (Oct. 13, 2006).
  
  ---------------------------------------------------------------------------
3. Department of Transportation Regulations
  1. Hazardous Material Regulations
    
    DOT modes also have regulatory programs that may be relevant to
    
    Page 91406
    
    meeting VASP requirements. For example, every freight railroad transporting at least one of the hazardous materials that trigger applicability under 49 CFR part 172 (known as the Hazardous Materials Regulations (HMR)) is required to have and adhere to a security plan. While the security plan requirements of the HMR may not be identical to the requirements in the 9/11 Act, TSA anticipates that freight railroad owner/operators may be able to use plans developed and implemented under the HMR to satisfy a portion of TSA's VASP regulations.
  2. Transit Safety and Security
    
    The Federal Transit Administration (FTA) has responsibility for managing State oversight for rail transit agencies (RTAs). Under 49 CFR part 659, State Oversight Agencies (SOAs) must require the rail transit agencies to develop and implement a written system safety program plan and system security plan that complies with requirements in 49 CFR part 659.
    
    Part 659 requires SOAs to approve and annually review the rail transit agency system safety and security plans. Moreover, the SOAs must require covered agencies to develop and document a process for the performance of ongoing internal safety and security reviews as part of their plans. Finally, the SOAs themselves must conduct on-site reviews of system safety program plan and system security plan implementation.
    
    The FTA has announced its intent to rescind part 659.\21\ On March 16, 2016, the FTA published a safety-focused final rule, adding part 674 to their regulations to supersede part 659.\22\ The safety requirements of part 674 took effect April 15, 2016. The FTA has stated its intent to rescind the security requirements in part 659 no later than April 15, 2019,\23\ noting TSA's responsibility for rulemakings related to security of public transportation.\24\ It also noted that RTAs may continue to implement measures to secure their operations and assets, but it is no longer the requirement of the SOAs to oversee those measures.\25\
    
    ---------------------------------------------------------------------------
    
    \21\ See 81 FR 14230 (Mar. 16, 2016) (adding part 674 to title 49 of the CFR).
    
    \22\ Id.
    
    \23\ Id.
    
    \24\ Id. at 14233.
    
    \25\ Id.
    
    ---------------------------------------------------------------------------
    
    The security measures that RTAs have implemented because of requirements under part 659 may be similar to what TSA proposes within the parameters set by the 9/11 Act. As with freight rail, TSA anticipates that PTPR owner/operators may be able to use plans developed and implemented under these DOT regulatory requirements to satisfy a portion of TSA's VASP regulations.
  3. Emergency Preparedness Plans
    
    The Federal Railroad Administration (FRA) safety standards require emergency preparedness plans by railroads connected with the operation of passenger trains (including freight carriers hosting passenger rail operations). Under 49 CFR part 239, these railroads must implement emergency preparedness plans that include: Communication measures (including notification to on-board crewmembers and passengers about the nature of the emergency and control center personnel of outside emergency responders and adjacent rail modes of transportation); passenger evacuation in emergency situations; employee training and qualification; joint operations; tunnel safety; liaison with emergency responders; on-board emergency equipment; and, passenger safety information. In the Security Training NPRM, TSA proposes to allow training required by 49 CFR 239.101(a)(2) to be combined with other training in order to partially or fully meet requirements under Sec. 1580.115(f) or Sec. 1582.115(f) of that NPRM.\26\ TSA expects that portions of the emergency response plans developed under part 239 could be equally relevant for satisfying some of the VASP requirements.
    
    ---------------------------------------------------------------------------
    
    \26\ Titled ``Security Training Programs for Surface Transportation Employees,'' published elsewhere in this issue of the Federal Register.
    
    ---------------------------------------------------------------------------
4. 17 Security and Emergency Action Items
  
  Following the events of September 11, 2001, FTA developed security and emergency preparedness resources and provided technical assistance to transit agencies across the United States, including the ``Top 20 Security and Emergency Preparedness Action Items for Transit Agencies'' (published in 2003). In 2006, FTA and TSA collaborated to update and consolidate the FTA list into 17 Security and Emergency Preparedness Action Items for Transit Agencies (17 SAIs).
  
  In 2012, FTA and TSA revised the 17 SAIs to ensure alignment with changes TSA was implementing in its assessment program. These changes added cyber-security as a topic, replaced the color-coded Homeland Security Advisory System (HSAS) with the National Terrorism Advisory System (NTAS), and revised and highlighted the priorities of risk management and risk information gathering and analysis. All changes reflected consultation with the industry through TSA's Mass Transit Sector Coordinating Council, chaired by the American Public Transportation Association (APTA).
  
  The 17 SAIs reflect the high-level priority topics included in a security and emergency preparedness program, appropriately scaled to risk environment and operations. Table 1 identifies the current 17 SAIs.
  
  Table 1--17 Security and Emergency Preparedness Action Items
  
  ------------------------------------------------------------------------
  
  ------------------------------------------------------------------------
  
  Management and Accountability.......... 1. Establish written system
  
  security programs (SSPs) and
  
  emergency management
  
  operations/response plans.
  1. Define roles and
    
    responsibilities for security
    
    and emergency preparedness.
  2. Ensure that operations and
    
    maintenance supervisors,
    
    forepersons, and managers are
    
    held accountable for security
    
    issues under their control.
  3. Coordinate security and
    
    emergency operations/response
    
    plan(s) with local and
    
    regional agencies.
    
    Security and Emergency Response 5. Establish and maintain a
    
    Training. security and emergency
    
    training program.
    
    National Terrorism Advisory System 6. Establish plans and
    
    (NTAS). protocols to respond to the
    
    NTAS alert levels.
    
    Public Awareness....................... 7. Implement and reinforce a
    
    public security and emergency
    
    awareness program.
    
    Risk Management and Information Sharing 8. Establish and use a risk
    
    management process.
    
    Risk Information Collection and Sharing 9. Establish and use an
    
    information sharing process
    
    for threat and intelligence
    
    information.
    
    Drills and Exercises................... 10. Conduct tabletop exercises
    
    and functional drills.
    
    Page 91407
    
    Cybersecurity.......................... 11. Develop a comprehensive
    
    cyber-security strategy.
    
    Facility Security, Access Controls, and 12. Control access to security
    
    Background Investigations. critical facilities with
    
    identification (ID) badges for
    
    all visitors, employees, and
    
    contractors.
  4. Conduct physical security
    
    inspections.
  5. Conduct background
    
    investigations of employees
    
    and contractors.
    
    Document Control....................... 15. Control access to documents
    
    of security critical systems
    
    and facilities.
  6. Process for handling and
    
    access to SSI.
    
    Security Program Audits................ 17. Establish and conduct
    
    security program audits.
    
    ------------------------------------------------------------------------
5. Baseline Assessment for Security Enhancement Program
  
  In 2006, TSA established the BASE program, through which TSA inspectors conduct a thorough security assessment of public transportation agencies, passenger railroads, bus companies, and trucking companies. To conduct an assessment, inspectors ask a series of questions to develop a ``snapshot'' of current security measures (questions are slightly different for each mode). Within the relevant SAI categories, TSA applies numerical values to the level of implementation of an effective security measure. Final SAI scores quantify the entity's comprehensive transportation security posture.
  
  TSA collaborates with owner/operators to develop options that could help mitigate a security-related vulnerability relative to the industry standard and identifies resources that TSA or other areas of the Federal government can provide to support raising the security baseline. The results of these assessments inform TSA policies and development of best practices to align such policy and program priorities with industry-wide security weaknesses. For example, during the interaction with owner/operators as part of a BASE assessment, TSA obtains information about whether specific measures for addressing identified issues are feasible within the specific-type of operation. TSA uses this information to develop alternative tools to enhance security. As TSA identifies industry-wide security weaknesses, the information informs priorities, policies, and programs. For example, TSA has used BASE statistics to recommend funding priorities to FEMA in an effort to ensure allocation priorities are consistent with identified industry-wide security weaknesses in light of current risks. In 2007, TSA's review of the industry-wide scores in the training category of the BASE assessments indicated deficiencies. Based on this information, DHS prioritized frontline employee training within the Transit Security Grant Program (TSGP).
  
  In FY 2011, TSA's review of BASE scores and discussions with industry revealed deficiencies at nationally critical infrastructure assets that were not being addressed at all, or as quickly as they could be. TSA worked with FEMA to overhaul the TSGP framework to prioritize these assets (``Top Transit Asset List'') for funding through a wholly competitive process.\27\ DHS subsequently awarded over $565 million to protect critical infrastructure assets. This funding resulted in increased preventive security for over 80 percent of nationally critical infrastructure assets.
  
  ---------------------------------------------------------------------------
  
  \27\ See FEMA, ``FY 2012 Transit Security Grant Program,'' available at http://www.fema.gov/fy-2012-transit-security-grant-program.
  
  ---------------------------------------------------------------------------
  
  In addition, as an initial requirement for grant eligibility, applicants must validate they have an updated security plan based on a security assessment, such as the BASE. They then must align all requests for funding (investment justifications) with items identified in the security assessment or security plan.
  
  In FY 2015, TSA Inspectors completed 92 BASE assessments on mass transit and passenger rail agencies, of which 13 resulted in Gold Standard Awards for those entities achieving overall excellence in security program management. In 2012, TSA expanded the BASE program to the highway and motor carrier \28\ mode and has since conducted over 400 reviews of highway and motor carrier operators, with 98 reviews conducted in FY 2015. On average, TSA conducts approximately 150 reviews on mass transit and highway and motor carrier operators each year, with numerous reviews in various stages of completion for FY 2016.
  
  ---------------------------------------------------------------------------
  
  \28\ See 77 FR 31632 (May 29, 2012) (60-day notice for Information Collection Request (ICR) for more information on expanding the BASE to highway and motor carrier transportation).
  
  ---------------------------------------------------------------------------
6. Transportation Security Template and Assessment Review Toolkit
  
  The Transportation Security Template and Assessment Review Toolkit (T-START) is a resource created by TSA to assist owner/operators in developing effective security practices and in the construction of a security plan. The current version of T-START incorporates the BASE assessment for the highway mode. It is available for small companies, political subdivisions, or governmental entities having ownership or control over large systems (such as school buses), and large companies with national coverage. T-START currently includes five modules that walk the owner/operator's representative through the process of understanding security management and risk, a tool for conducting assessments, identification of risk-reduction, or mitigation options through awareness of industry ``best practices'' and other options developed by TSA, and a template for developing a security plan, the final crucial step toward an effective security program. T-START is currently scoped to address highway transportation security issues.
7. Security Measures and Resources Toolbox
  
  The Security Measures and Resources Toolbox (SMARToolbox) is a resource to help surface transportation professionals identify relevant insights, security measures, and smart practices to increase their security baseline. The SMARToolbox is not a set of standards, rules, or regulations; rather, it is a compilation of smart security practices developed by industry, for industry across all modes of surface transportation. The heart of the SMARToolbox is a searchable, modifiable database of security measures identified by surface transportation professionals as valuable to their organization's operations. The SMARToolbox aligns security measures with category filters to allow for various searches by, among other things, mode, threat scenario, and core capability. TSA intends this database to be a resource for the industry to assess the value of implementing various security measures into transportation systems. To augment the usefulness of the security measures database, the SMARToolbox also offers resources designed to facilitate implementation of the measures (for example, implementation checklists and self-assessment functions).
  
  Page 91408
8. Terrorism Risk Analysis and Security Management Plan Developed by the Association of American Railroads
  
  As an industry, the railroads have undertaken efforts to enhance the security and resiliency of the freight rail transportation system. In the aftermath of the 9/11 terrorist attacks, the railroad industry worked closely with local, State, and Federal officials and used their own police forces; the railroads increased inspections and patrols, restricted access to key facilities, briefly suspended freight traffic in the New York City area, and changed certain operational practices as anti-terrorist measures.
  
  The Association of American Railroads (AAR) developed the Railroad Risk Analysis and Security Plan (AAR Plan) in April 2003 in response to the terrorist attacks, and as a proactive measure in collaboration with DHS to address perceived security vulnerabilities within the freight rail system. TSA anticipates that freight railroad owner/operators who have participated in this AAR initiative would use the results of those security assessments to expedite their compliance with the proposed requirements in the VASP regulations.
  
  The AAR created five critical action teams, each for a specific area of concern within the rail industry.\29\ The critical action teams examined and prioritized all railroad assets, vulnerabilities, and threats, and identified countermeasures. As part of the AAR Plan, the industry developed four threat-based alert levels, laying out progressively higher levels of action for the industry to implement in the event of certain security situations.
  
  ---------------------------------------------------------------------------
  
  \29\ These action teams focus on critical security issues for railroad systems, including hazardous materials, information technology, communications, and military movements.
  
  ---------------------------------------------------------------------------
  
  The AAR Plan provides an overall framework for industry-wide security measures while leaving the actual implementation up to each individual railroad carrier. Carriers used the plan as a guidance document to create security management plans for their respective company addressing their unique security concerns. The industry sees the AAR Plan as a living document reflecting changes in risk. As appropriate based on a continuous risk assessment process, they update and revise the plan.
Best Practices Developed by the American Public Transportation Association

APTA has instituted a Standards Development Program. Four working groups within the program have developed security oriented recommended practices for use by public transit agencies. The four working groups are focused on the following issues:

Control and Communications Security;

Emergency Management;

Enterprise Cybersecurity; and

Infrastructure & Systems Security.

Through these working groups, APTA has published white papers and recommended practices.\30\

---------------------------------------------------------------------------

\30\ More information on these standards can be found at http://www.apta.com/resources/standards/Pages/default.aspx.

---------------------------------------------------------------------------
1. Security and Emergency Preparedness Plans
Both the commercial bus industry and public transportation agencies have created documents, which they named ``Security and Emergency Preparedness Plans (SEPP).'' Commercial OTRB companies created and distributed the OTRB SEPP in 2005. This document contained a proposed security assessment matrix and a template for creation of a company-

wide security plan. TSA used the SEPP as the foundation for the T-

START, discussed in section III.F.

In 2008, APTA released a SEPP with recommended security practices for public transit agencies and guidance for the creation of agency security assessments and protective plans. Both of these resources optimize--within the constraints of time, cost, and operational effectiveness--the protection of employees and passengers.

The SEPP meets several objectives: (1) Achieving a level of security performance and emergency readiness that meets or exceeds the needs of similarly-sized operations; (2) increasing and strengthening a company's involvement in safety and security; (3) developing and implementing an assessment program focused on improving physical security and emergency response; (4) expanding security awareness and emergency management training for employees, volunteers, first responders, and contractors, and (5) enhancing security and emergency preparedness coordination with applicable local, State, and Federal agencies.
Assessments
1. General
  
  The 9/11 Act's requirements for ``vulnerability assessments'' address both operations and assets. As shown in Diagram A, conducting such an assessment is a two-step process: (1) Assessments of security systems and operations and (2) assessments of critical assets.
  
  BILLING CODE 9110-05-P
  
  Page 91409
  
  GRAPHIC TIFF OMITTED TP16DE16.011
  
  TSA understands that submitting information about weaknesses in security systems/operations and critical asset protection may raise concerns regarding the public availability of the information. Under TSA's regulations for SSI,\31\ all vulnerability assessments ``directed, created, held, funded, or approved by'' TSA are SSI.\32\ Similar provisions apply to security programs or contingency plans ``issued, established, required, received, or approved'' by TSA.\33\ Generally, access to SSI is strictly limited to those persons with a need to know, as defined in 49 CFR 1520.11, and to those persons to whom TSA grants specific access authorization under 49 CFR 1520.15. Pursuant to statute,\34\ there is limited access to specific SSI in Federal district court proceedings to civil litigants who do not otherwise have a need to know under part 1520. This requirement only affects TSA's application of its non-disclosure policy in civil proceedings in Federal district court; it does not affect TSA administrative, State, or other Federal proceedings.
  
  ---------------------------------------------------------------------------
  
  \31\ See 49 CFR part 1520.
  
  \32\ Id. at 1520.5(b)(5).
  
  \33\ Id. at 1520.5(b)(1).
  
  \34\ See Department of Homeland Security Appropriations Act, 2007, Public Law 109-295, sec. 525(d), 120 Stat. 1355 (Oct. 4, 2006). Section 525 is uncodified, but Congress has reenacted the provisions in sec. 525(d) in each subsequent Department of Homeland Security Appropriations Act. Currently, the provision can be found at Public Law 114-113, div. F, sec. 510(a), 129 Stat. 2242, 2513 (Dec. 18, 2015, continued to December 9, 2016), by the Continuing Appropriations and Military Construction, Veterans Affairs, and Related Agencies Appropriations Act, 2017, and Zika Response and Preparedness Act, Public Law 114-223, sec. 101(6) (Sept. 30, 2016).
  
  ---------------------------------------------------------------------------
2. Assessments of Security Systems and Operations
  
  A vulnerability assessment of security systems and operations is the foundation for an effective security program, including understanding the threat, identification of risk-reduction or mitigation measures, resource allocation decisions, employee training, drills and/or exercises to test preparedness and planning, and reassessments to determine areas for change or improvement. As noted in Diagram B, assessment is part of a cyclical process.
  
  Page 91410
  
  GRAPHIC TIFF OMITTED TP16DE16.012
  
  BILLING CODE 9110-05-C
  
  Collecting and analyzing information on deficiencies and weaknesses is a critical first step in managing and mitigating risks as it enables surface owner/operators to detect and manage security vulnerabilities. As assessment results, current intelligence/threat and other relevant information, and after-action reports of drills/exercises is fed into the planning cycle, surface owner/operators can better direct resources towards effective risk management.
3. Identifying Performance Standards for Assessments of Security Systems and Operations
  
  TSA considers the BASE to be an important resource for developing the VASP regulations. The scope of the BASE program is fundamentally consistent with the 9/11 Act's requirements for assessments of security systems and operations.\35\ Using the categories identified in Table 1 for the 17 SAIs, Table 2 crosswalks the categories for the 17 SAIs with the 9/11 Act's requirements for security assessments. In addition, the program and the assessment questions are familiar to many of the owner/
  
  operators who may be subject to these regulations.\36\
  
  ---------------------------------------------------------------------------
  
  \35\ The current PTPR BASE is based on the 17 SAIs developed jointly by FTA and TSA. The highway BASE has 20 SAIs. In the past, TSA conducted Corporate Security Reviews (CSRs) for freight railroads, which were similar to the BASE. The CSR had fewer items. While the numbers may vary, the issues are generally the same (with the exception of some issues unique to a particular mode). Therefore, for purposes of this ANPRM, TSA will use 17 SAIs as a generic term for all of them.
  
  \36\ TSA is providing an appropriately detailed sample of questions in the docket for this rulemaking for commenters who are not familiar with the BASE.
  
  Table 2--Crosswalk Between 9/11 Act Assessment Requirements and 17 SAIs
  
  ------------------------------------------------------------------------
  
  9/11 Act requirement 17 SAIs category
  
  ------------------------------------------------------------------------
  
  Identification and evaluation of Risk Management and Information
  
  emergency response planning and other Sharing.
  
  vulnerabilities related to passenger/
  
  cargo security.
  
  Identify weaknesses in emergency Management and Accountability.
  
  response planning related to passenger/ National Terrorism Advisory
  
  cargo security. System (NTAS).
  
  Public Awareness Risk
  
  Information Collection and
  
  Sharing.
  
  Identify weaknesses in employee Security and Emergency Response
  
  training and emergency response Training.
  
  planning. Drills and Exercises.
  
  Identification of weaknesses in the Cybersecurity.
  
  security of programmable electronic
  
  devices, computers, or other automated
  
  systems; alarms, cameras, and other
  
  protection systems; and communication
  
  systems and utilities needed for
  
  security purposes.
  
  Page 91411
  
  Identification of vulnerabilities to Facility Security, Access
  
  critical assets and infrastructure and Controls, and Background
  
  weaknesses in physical security. Investigations.
  
  ------------------------------------------------------------------------
  
  While the questions used for a BASE assessment do not establish or identify performance standards, they could be the starting point for developing appropriate performance standards. For example, the 9/11 Act requires an assessment of strengths and weaknesses in emergency response planning. Currently, the BASE includes the following ``yes'' or ``no'' questions relevant to this requirement:
  
  Does the plan address personnel security, facility security, vehicle security, and Threat/Vulnerability Management?
  
  Does the plan include methods to identify and actively monitor the goals and objectives for the security program?
  
  Does the plan include a written policy statement that endorses and adopts the policies and procedures of the plan? Does top management, such as the agency's chief executive, approve and sign the plan?
  
  Does the plan address protection and response for critical systems?
  
  Does the plan clearly identify responsibilities (or reference other documents establishing procedures) for the management of security incidents by the operations control center (or dispatch center) or other formal process?
  
  Does the plan clearly identify (or reference other documents establishing) plans, procedures, or protocols for responding to security events with external agencies (such as law enforcement, local EMA, fire departments, etc.)?
  
  Has the owner/operator partnered with local law enforcement/first responders to develop active shooter procedures or protocols?
  
  Does the security plan contain or reference other documents that establish procedures or protocols for responding to active shooter events?
  
  Does the security plan contain or reference other documents that establish protocols addressing specific threats from: (1) Improvised Explosive Devices (IED), and (2) Weapons of Mass Destruction (chemical, biological, radiological hazards)?
  
  Does the security plan integrate visible, random security measures, based on employee-type, to introduce unpredictability into security activities for deterrent effect?
  
  Does the security plan require consideration of security before implementation of extensions, major projects, new vehicles and equipment procurement, and other capital projects?
  
  Does the security plan include or reference other documents adopting Crime Prevention Through Environmental Design (CPTED) or similar security-focused preventive principles as part of the agency's engineering practices?
  
  Does the security plan require an annual review?
  
  Does the owner/operator produce periodic reports reviewing its progress in meeting its security plan goals and objectives?
  
  Has the company conducted, and documented, an annual review of the security plan within the preceding 12 months?
  
  Does the security plan outline a process for securing review for updates and necessary approval of updates to the security plan?
  
  Beginning with these ``yes'' or ``no'' questions, TSA could develop qualitative standards to help a surface owner/operator determine whether its security measure is weak, adequate, or strong based on how effective it is. Answers to those questions would help the surface owner/operator identify weaknesses in its security measures and inform development and prioritization of risk-reduction measures.
  
  For surface owner/operators that have conducted vulnerability assessments of security systems/operations, TSA seeks comment on the following questions:
  1. Have you conducted a vulnerability assessment of your security system/operations within the last three (3) years?
  2. If yes, did TSA conduct the assessment as part of the BASE program? If not TSA, did an independent auditor or company employees conduct the audit? How long did it to take to perform this assessment? How many individuals were involved in conducting the assessments (please provide information on the time and personnel costs for those essential to the assessment process, such as man-hours, permanent employees or contractor cost, etc.)?
  3. How frequently do you update assessments of security systems/
    
    operations? Do you have internal or other requirements to update assessments? Are these requirements based on a schedule or changes to operations, assets and infrastructure, or threat information? How much time do these updates take?
  4. Was the assessment of security systems/operations site-specific, system-wide, or both?
  5. What resources or tools did you use for conducting your assessment?
  6. What features of those resources or tools were most useful?
  7. If the evaluation assesses operational security processes, such as training and operations, what methodologies or criteria are used to evaluate these processes?
  8. What types of questions or other criteria were used to help identify strengths and weaknesses? Which of these were most relevant to your operations?
  9. Do you use the results of the assessment for developing security plans, or emergency response plans, continuity of operations plans, etc.? Please describe how the assessment is used.
  10. Was the assessment conducted in order to meet other Federal requirements (such as grant eligibility) or other standards? If so, please provide a description or source for those requirements or standards?
  11. How can other required assessments addressing security systems/
    
    operations be used to satisfy TSA's regulatory requirements? For example, how relevant are FRA emergency preparedness requirements, PHMSA security plan requirements, and FTA's requirements? What standards should TSA use to determine if those plans meet TSA's requirements?
  12. How could TSA ensure a surface owner/operator is in compliance with other agency requirements if it permits those measures to satisfy the requirements of TSA's regulation?
  13. What barriers and/or challenges to conducting this assessment did you encounter?
4. Determination of Critical Assets and Infrastructure
  
  As previously noted, the 9/11 Act requires a vulnerability assessment of critical assets/infrastructure. The statute does not provide criteria for determining whether an asset is
  
  Page 91412
  
  ``critical.'' \37\ Depending on the criteria, TSA could either require surface owner/operators to self-determine critical assets/
  
  infrastructure or inform surface owner/operators of a TSA-determination of criticality. The different approaches have significant impacts on the cost/benefits of vulnerability assessments, as well as the scope of required risk-reduction measures implemented as part of a security plan.
  
  ---------------------------------------------------------------------------
  
  \37\ The 9/11 Act includes a list of critical asset types to be considered, as appropriate, but does not describe the criteria that would make them ``critical.'' See 9/11 Act secs. 1405(a)(3)(A), 1512(d)(1)(A), and 1531(d)(1)(A).
  
  ---------------------------------------------------------------------------
  
  Self-determination of critical assets would require surface owner/
  
  operators to determine whether an asset is critical. Such a process would likely require owner/operators to first identify all of their assets (at least in the categories identified by the 9/11 Act) then use TSA-provided criteria to determine if any of those assets are critical. TSA would need to provide a tool or other measures to ensure consistent application of the criteria across all regulated parties.
  
  A self-determination approach to criticality is likely to capture assets that may be critical from a business perspective, but not necessarily critical from the perspective of national security. This is a significant cost issue as identification of critical assets carries with it the regulatory burden to conduct a vulnerability assessment of the asset and implement appropriate risk-reduction measures to address any identified vulnerabilities, even if the asset is not critical from a national security perspective.
  
  To address this concern, TSA could limit the requirement to ``nationally critical assets and infrastructure'' as determined by TSA. This determination would begin with a definition of national criticality. While there have been many efforts to define critical infrastructure and refine lists of critical assets in order to apply the appropriate protective measures since the terrorist attacks of 9/
  1. TSA finds the definition in Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001 \38\ has particular resonance as it was developed within the context of protecting assets from terrorist attack:
    
    ---------------------------------------------------------------------------
    
    \38\ Public Law 107-56, 115 Stat. 272 (Oct. 26, 2001).
    
    In this section, the term ``critical infrastructure'' means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.\39\
    
    ---------------------------------------------------------------------------
    
    \39\ Id. at sec. 1016(e) (codified at 42 U.S.C. 5195c(e)).
    
    This definition was adopted by reference in the Homeland Security Act of 2002 \40\ and is used for the definition of ``critical infrastructure'' in the Presidential Policy Directive (PPD) on ``Critical Infrastructure Security and Resilience'' (PPD-21, issued Feb. 12, 2013) which replaces Homeland Security Presidential Directive 7.
    
    ---------------------------------------------------------------------------
    
    \40\ Public Law 107-296, sec. 2(4), 116 Stat. 2135, 2140 (Nov. 25, 2002) (codified at 6 U.S.C. 101(4)).
    
    ---------------------------------------------------------------------------
    
    Within the scope of such a definition, TSA would need to consider the criteria necessary for identifying nationally critical assets. For purposes of identifying a list of ``nationally significant surface critical infrastructure,'' TSA has developed similar criteria in consultation with intelligence analysts and the industry. Such criteria consider location of the asset and the direct consequences of an act that incapacitates or destroys the asset.
    
    Other possible criteria for consideration include those developed under the National Critical Infrastructure Prioritization Program (NCIPP). Identification and prioritization of critical infrastructure for purposes of the NCIPP consider the destruction or disruption of infrastructure that could have catastrophic national or regional consequences. This determination provides the foundation for infrastructure protection and risk reduction programs and activities executed by DHS and its public and private sector partners. Table 3 provides the considerations for Level 1 and Level 2 under the NCIPP.
    
    Table 3--NCIPP Categories
    
    ------------------------------------------------------------------------
    
    Level 2 (all
    
    Level 1 (all sectors excluding
    
    Impact sectors) agriculture and
    
    food)
    
    ------------------------------------------------------------------------
    
    Casualties...................... Greater than 5000 Greater than 2500
    
    prompt fatalities. prompt
    
    fatalities.
    
    Economic Consequences........... Greater than $75 Greater than $25
    
    billion in first billion in first
    
    year. year.
    
    Mass evacuations................ Prolonged absence Prolonged absence
    
    of greater than 3 of greater than 1
    
    months. month.
    
    ---------------------------------------
    
    Security capabilities........... Severe degradation of Nation's
    
    national security capabilities
    
    including intelligence and defense
    
    functions, but excluding military
    
    facilities.
    
    ------------------------------------------------------------------------
    
    For purposes of this rulemaking, surface owner/operators would only be notified if they owned or controlled an asset identified by TSA as nationally significant. For example, surface owner/operators may not own or have any operational control over the stations, terminals, or bridges they use for their operations.\41\
    
    ---------------------------------------------------------------------------
    
    \41\ Notwithstanding its authority to regulate all aspects of the transportation system, there are no current plans to apply the requirements to entities not identified as surface owner/operators in the Security Training NPRM.
    
    ---------------------------------------------------------------------------
    
    But TSA also recognizes that lack of ownership or control does not obviate the need to consider security. Operations of a surface owner/
    
    operator may rely on transportation infrastructure at risk based on its iconic significance. That risk could also apply to those who use it. While the surface owner/operator may not be able to reduce the risk for the asset, it can take measures to reduce the risk for its system when using that asset.
    
    TSA seeks comments on the following questions:
  2. Should TSA use other standards to determine criticality? If so, please provide alternative standards.
  3. If alternative standards were provided in response to Question 14, what types of assets or infrastructure would be determined as critical using the alternative standards? Answers containing SSI should be submitted according to the directions under SUPPLEMENTARY INFORMATION.
  4. Would the alternative standards provided in response to Question 14 result in a criticality designation for any or all of the assets and infrastructure identified in secs. 1512(d)(1)(A) and 1531(d)(1(A) of the 9/11 Act? See docket for this rulemaking for a table that aligns
    
    Page 91413
    
    the 9/11 Act's requirements across the three modes.
  5. If TSA were to adopt a broader list of assets and infrastructure--such as all of those identified in secs. 1512(d)(1)(A) or 1531(d)(1)(A) of the 9/11 Act--are some inappropriate for inclusion because the cost associated with assessments and planning would result in a corresponding benefit to surface transportation security? Are there some that are rarely, if ever, under the ownership or control of the owner/operators that would be subject to the rule's requirements?
  6. What type of information and technical assistance would you need from TSA to facilitate conducting a vulnerability assessment?
    
    For entities currently conducting self-determinations of critical assets and infrastructure, TSA seeks comments on the following questions:
  7. How do you make the determination of criticality? For example, should TSA use criteria such as traffic volume (such as ton-miles over or through, passenger trains, daily ridership, and/or number of shipments) or some other criteria associated with network criticality?
  8. What is the cost of this process (how many hours, permanent employee or contractor, are required, etc.)?
  9. Do you use the determination of criticality for development of general continuity of operations plans?
5. Identifying Performance Standards for Assessments of Critical Assets and Infrastructure
  
  While there are many ways to complete an intelligence driven, risk-
  
  based vulnerability assessment for critical assets, they all rely on some form of subjective ranking system to identify and evaluate specified strengths and weaknesses. For example, a surface owner/
  
  operator could prioritize the threats relative to the asset as highly likely, somewhat likely, possible, unlikely, or improbable. Such owner/
  
  operator could then rate vulnerabilities (perhaps on a scale from very low to high), based on subjective decisions regarding how easy it would be to exploit that vulnerability given current operations. The owner/
  
  operator could also rate the consequence based on the type of threat. Combining all three ratings into an overall risk score helps identify the greatest risks in order to focus energies and limited resources on related vulnerabilities.
  
  TSA is seeking information on appropriate resources that can inform development of performance standards for vulnerability assessments. Known resources include DHS tools, such as the framework of the Integrated Rapid Visual Screening (IRVS); issues addressed in questions related to asset protection that are part of a BASE assessment; and standards developed by the American Public Transportation Association (APTA).
  
  For surface owner/operators that have conducted vulnerability assessments of critical assets and infrastructure, TSA seeks comments on the following questions:
  1. Did you perform the vulnerability assessment on specific assets? If so, what assets? What criteria did you use to determine which assets to assess?
  2. How long did it to take to perform this assessment? How many individuals were involved in conducting the assessments? Please provide information on the time and personnel costs for those essential to the assessment process, such as man-hours, permanent employees or contractor cost, etc.
  3. Do you use the results of the vulnerability assessment for developing security plans, or emergency response plans, continuity of operations plans, etc.? Please describe how the assessment is used.
  4. How frequently do you update vulnerability assessments? Do you have internal or other requirements to update assessments? Are these requirements based on a schedule or changes to operations, assets and infrastructure, or threat information?
  5. Did you perform the vulnerability assessment in order to meet other Federal requirements (such as grant eligibility) or other standards? If so, please provide a description or source for those requirements or standards.
  6. How can other required assessments be used to satisfy TSA's regulatory requirements? For example, how relevant are FRA emergency preparedness requirements or other DOT-modal requirements? What standards should TSA use to determine if that assessment meets TSA's requirements?
  7. How could TSA ensure a surface owner/operator is complying with other regulatory requirements if it permits actions taken under those requirements to satisfy a TSA regulation? For example, if a passenger railroad is required to develop and implement emergency evacuation planning under 49 CFR part 239 and wants to use that planning to satisfy a requirement that may be in the final VASP rule, how would TSA know whether the railroad is, in fact, complying with requirements imposed by the FRA? The fact that the FRA has not penalized an owner/
    
    operator for non-compliance is not a guarantee that the owner/operator is complying with the FRA requirements.
  8. What barriers and/or challenges to conducting this assessment did you encounter?
Security Plans

Regulations imposing security plan requirements have a direct impact on operations. Thus, any rulemaking effort must recognize that measures beneficial to security may have a negative impact on operations. The purpose of this ANPRM is to solicit the input and data necessary for TSA to develop a proposed rule that ensures the level of security intended by the 9/11 Act without having an unintended impact on operations.
1. Identifying Performance Standards for Security Plans
  
  For purposes of this ANPRM, TSA has grouped the 9/11 Act's specific requirements for security plans into the following categories:
  
  Results of security and vulnerability assessments and list of capital and operational improvements necessary to address identified vulnerabilities.
  
  Specific procedures to be implemented or used to prevent and detect unauthorized access to restricted areas designated by the owner/operator.
  
  Identification of measures to be implemented in response to emergencies or periods of heightened security, including--
  
  cir A coordinated response plan that establishes procedures for appropriate interaction with State, local, and tribal law enforcement agencies, emergency responders, and Federal officials in order to coordinate security measures and plans for response in the event of a terrorist threat, attack, or other transportation security-related incident;
  
  cir Specific procedures to be implemented or used by the owner/
  
  operator in response to a terrorist attack, including evacuation and communication plans that include individuals with disabilities; and
  
  cir Additional measures to be adopted to address weaknesses in incident management identified during reviews, drills, or exercises testing emergency response.
  
  Identification of any redundant and backup systems that the owner/operator will use to ensure the continuity of operations of critical assets and infrastructure in the event of a terrorist attack or other transportation security-related incident.
  
  As previously noted in Table 2, there is a correlation between the 17 SAIs and the 9/11 Act's requirements. As with the security assessment (covering security
  
  Page 91414
  
  systems and operations), the quantitative questions used in the BASE could be used as a starting point for developing qualitative performance standards for security plans.
  
  For surface owner/operators that have security plans, TSA seeks comments on the following questions:
  1. Does your security plan address the issues discussed at the beginning of this section?
  2. Is your security plan site-specific, system or corporate-wide, or both?
  3. Did you use a vulnerability or similar assessment (BASE or other) to develop a security plan? If not BASE, please describe the assessment. If so, what is the process for incorporating the results into your planning process and development of risk-reduction or mitigation measures (or investment justifications for grant purposes)? What levels of management are involved in reviewing the results of the assessment and making decisions regarding security planning related to those results?
  4. How long did it to take to develop the security plan? How many individuals were involved in the planning process? Please provide information on the time and personnel costs for those essential to the planning process, including man-hours, permanent employee and/or contractor cost, etc.
  5. How frequently do you update your security plan? Do you have internal requirements to update plans based on a schedule or changes to operations, assets and infrastructure, or threat information?
  6. Does your security plan exist in order to meet other Federal requirements (such as grant eligibility) or other standards? If so, please provide a description or source for those requirements or standards.
  7. How can other required plans be used to satisfy TSA regulatory requirements? For example, how relevant are FRA emergency preparedness requirements, PHMSA security plan requirements, and FTA's requirements? What standards should TSA use to determine if those plans meet TSA's requirements?
  8. How could TSA ensure a surface owner/operator is in compliance with other agency requirements if it permits those measures to satisfy the requirements of TSA's regulation?
  9. What barriers or challenges to developing and implementing a security plan did you encounter?
2. Tools and Other Resources
  
  TSA is considering modifying T-START to provide a resource to owner/operators subject to the VASP regulations. As discussed in section III.F of this ANPRM, T-START currently includes several modules that cover the assessment and planning cycle for the highway mode. The revised T-START would include modules consistent with requirements TSA incorporates into a final VASP rule and be applicable to PTPR and freight railroads, with modules that are relevant to the specific type of operation. TSA would provide this tool at no cost to surface owner/
  
  operators. For those not within the scope of applicability, T-START would provide guidance to them for conducting assessments and developing plans.\42\
  
  ---------------------------------------------------------------------------
  
  \42\ The 9/11 Act requires TSA to provide guidance to owner/
  
  operators not within the high-risk tier. See 9/11 Act secs. 1512(b)(1) and 1531(b)(1).
  
  ---------------------------------------------------------------------------
  
  TSA seeks comments on the following questions:
  1. Have you used T-START to conduct assessments or develop a security plan?
  2. What features of T-START or other resources or tools were most useful?
  3. Did the availability of T-START or other similar resources reduce the time necessary to conduct assessments or develop security plans? If so, please provide an estimate of the savings in time and personnel.
  4. What other types of information, tools, and/or technical assistance could TSA provide to facilitate compliance with the VASP regulation? If you identified barriers or challenges in conducting vulnerability assessments or developing/implementing security plans in response to questions 13, 29, and/or 38, please provide specific suggestions on how TSA could provide information, tools, or other technical assistance in overcoming those barriers and/or challenges.
  5. If you have not used T-START, please describe the programs, tools, or resources you have used.
  6. Are there assessment/planning tools or resources that TSA should consider as relevant for developing the VASP proposed rule? If so, please provide names and sources.
3. Risk-Reduction or Mitigation Measures
  
  As previously noted, the 9/11 Act specifies that security plans must include results of security and vulnerability assessments and list of capital and operational improvements necessary to address identified vulnerabilities.
  
  TSA seeks comments on the following questions:
  1. What security measures have owner/operators implemented to address weaknesses in either security of systems/operations or security of critical assets relevant to the requirements of the 9/11 Act (for example, measures to strengthen security of systems/operations and equipment).
    
    Table 4--List of Possible Risk-Reduction or Mitigation Measures
    
    ------------------------------------------------------------------------
    
    ------------------------------------------------------------------------
    
    Cameras (please provide information on Speakers (public address
    
    the brand, model, requirement, etc.). systems or emergency
    
    communication systems).
    
    Employee background checks............. Access control (such as Jersey
    
    barriers, automated gates,
    
    etc.).
    
    Lighting............................... Dedicated law enforcement or
    
    other security personnel.
    
    ID card reader/badging systems......... Signage.
    
    Screening technologies (such as metal Intrusion detection systems.
    
    detectors, random baggage checks,
    
    etc.).
    
    Canine teams........................... Other (specify measure).
    
    ------------------------------------------------------------------------
  2. What data can you provide on the cost of purchase, implementation, and on-going maintenance of these measures, as appropriate? If possible, for each of the types of possible risk-
    
    reduction or mitigation measures identified in Table 4, please provide information on--
    
    (a) Whether the company has installed this type of measure;
    
    (b) How does the company use this measure (is it used randomly, in specific locations based on risk, or system-wide); and
    
    (c) What are the costs associated with implementing this measure (purchase cost, installation, on-going maintenance, replacement, monitoring, etc.)?
  3. Do your security measures include provisions for adding contracted security services in the event of elevated alert levels?
  4. For those that have implemented security measures, can you provide data regarding implementation schedules (time between identification of the need, commitment to addressing it as part of planning, and actual full implementation or installation)?
  5. What data sources are available for identifying industry standards relevant to implementation of risk-reduction or mitigation measures?
    
    Page 91415
Drills and Exercises

The 9/11 Act includes ``live situational training exercises . . .'' as a program element of the Security Training NPRM.\43\ TSA decided not to include this requirement in the Security Training NPRM because it is inconsistent with the DHS methodology for exercises. The Homeland Security Exercise and Evaluation Program (HSEEP)--an exercise support program that focuses on the need to test planning and preparedness--

focuses on the need to test effectiveness of the overall plan. By testing planning and preparedness, the drills and/or exercises reveal any weaknesses in training. Furthermore, the HSEEP does not require every exercise to be full-scale, live, and situational in order to be an effective test of the security plan. Many resources and methods are available to test the effectiveness of the plan and the preparedness of the organization and its employees to implement it other than full-

scale, live, situational exercises. These range from seminars and workshops to basic or advanced tabletop exercises.

---------------------------------------------------------------------------

\43\ See secs. 1408(c)(7) (public transportation), 1517(c)(8) (freight rail), and 1534(c)(8) (OTRB).

---------------------------------------------------------------------------

TSA is also concerned that a requirement to conduct live, situational exercises would impose a regulatory burden that owner/

operators could not meet because they do not control all of the resources necessary for a live situational exercise, such as first responders, medical support, and other local and State government participation.

TSA seeks comments on the following questions:
1. To what extent do you have access to EXIS or other resources for conducting drills and/or exercises?
2. Have you participated in an I-STEP exercise?
3. Have you used EXIS as a resource for conducting drills and/or exercises?
4. If not through I-STEP or EXIS, how often do you conduct or participate in drills and/or exercises, what job positions participate, and what are the costs (development, implementation, after-action analysis, and reports)?
5. Based upon your experience with drills and exercises, are they an adequate method for assessing effectiveness of employee training, or are additional assessment tools needed for assessments?
6. Based on your experience, what are the most effective types of drills and/or exercises for testing preparedness, including identifying weaknesses in training?
7. Do you regularly use ``after action reports'' to modify security measures and procedures or make other operational or capital changes to improve security?
Updates

The 9/11 Act specifies that owner/operators must update assessments and security plans on a regular basis. For public transportation, the 9/11 Act stipulates annual updates, including updates to assessments, improvement priorities, and security plans as appropriate. Eligibility for funding under the TSGP requires: (1) An assessment within three years before the request for funding, and (2) all requests for funding must be consistent with addressing vulnerabilities identified in that assessment. For railroads and OTRB owner/operators, the 9/11 Act requires updates to the assessment no later than three years after initial approval of the assessments or plans required in the regulation and at least once every five years after that date.

In a provision applicable to all aspects of the regulatory security program, the Security Training NPRM proposes requiring surface owner/

operators to request amendments to their programs (training, assessment, or planning) whenever there are changes to their operations, measures, training, or staffing. TSA would also be able to require updates if, for example, new threat information indicates the necessity of review and modification of security measures. TSA also anticipates the necessity for updates if there are significant changes to operations or assets, such as expanding operations, changes to routes, or modifications to hazardous materials designated as high-risk for transport.

TSA requests comments on the following questions:
1. How often do surface owner/operators update their assessments (either security systems/operations or critical assets)? Please include in your response information on the time and personnel costs for those essential to the updating process, such as man-hours, permanent employees or contractor cost, etc.
2. How frequently do these updates of assessments require changes to emergency response, safety, or security plans? If there are changes required, what types of changes do you typically make?
3. Are these updates required by other Federal or State regulations? If so, please provide a citation and any other relevant information regarding the requirement.
Accountable Executive

Every transportation system, whether plane, train, or bus, must make decisions for budgeting, allocating funds, and planning for the future. Recognizing the diversity of business organization and ownership represented by the scope of this rulemaking, TSA anticipates that the need to identify a decision-maker who has responsibility over the process for approving assessments and plans within the context of making decisions regarding organization, operations, and allocation of resources. This ``accountable executive,'' and any relevant boards or equivalent entities with which this individual may work, needs to have awareness of the risks (threats, vulnerabilities, and potential consequences) relevant to its security systems/operations and critical assets. Having responsibility to approve assessments submitted to TSA ensures this information can be used as part of informed, deliberate, and transparent decisions regarding the commitments made in the security plan.

Based on a review of how the term ``accountable executive'' is defined within various business contexts, TSA anticipates defining the term as a person responsible for implementation and security-related decisions, including allocation of corporate resources related to security. The ``accountable executive'' should be a single, identifiable person who has ultimate responsibility for the owner/

operator's compliance with the security plan requirements, including obtaining written validation that the plan has been reviewed and approved by senior management (board of directors or equivalent entity). TSA also expects that this person will serve as the primary point of contact for TSA during the review and approval process of the security plan.

TSA seeks comment on the following questions:
1. Should the ``accountable executive'' be a chief executive officer or equivalent rather than an executive designated for this purpose?
2. For entities within the applicability proposed in the Security Training NPRM, do you have an accountable executive? What level is this person within the corporate structure? What other responsibilities does this person have? Do you have some other process for ensuring senior management is made aware of the results of the assessment, approves its transmittal to TSA, and approves the security plan?
Page 91416
Considerations for Small Owner/Operators

While TSA recognizes the administrative burden on small owner/

operators,\44\ the statute requires TSA to apply the requirements based on risk, not size of the operations. As a result, small PTPR systems that feed into larger systems covered by the applicability could be required to conduct assessments, develop a security plan, and implement related security measures. Similarly, the requirements could affect small OTRB owner/operators.

---------------------------------------------------------------------------

\44\ The Small Business Administration (SBA) sets a threshold of $15.0 million in annual receipts for bus systems and mixed-mode transit systems, and 1,500 employees for short line railroads. See 13 CFR 121.201.

---------------------------------------------------------------------------

TSA anticipates that owner/operators of larger systems or fleets would develop an organization-wide approach for their assessments and plans, addressing different perspectives of operations, safety, planning, engineering, budget, and information technology along with the need to enhance and sustain security. TSA is considering whether owner/operators of smaller systems or operations would need to take a simpler approach in developing an assessment and plan and implementing security measures. If so, the regulation would need to consider owner/

operators of smaller systems or operations could use information that is already largely on-hand or readily available to meet the same performance standards applied to larger companies.

TSA seeks comments on the following questions:
1. As TSA has determined that the higher-risk is associated with where the transportation occurs, not size of the company providing the transportation, what options are there for minimizing the burden on small owner/operators without reducing the intended security benefit?
2. How should the VASP requirements apply to owner/operators who rely on the security of an asset or infrastructure owned by a third party?
3. What are the barriers for surface owner/operators with a smaller scope of operation--other than costs--to develop and implement a more comprehensive security program or plan with specific security measures, training, and assets?
4. How can TSA ensure consistent application of the standards or performance criteria of its rulemaking in light of the dynamic population to which the requirements would apply--large, small, publicly owned, small budgets, large tax-based budgets, etc.?
Estimating the Benefits and Cost of Requirements

Executive Orders 12866 and 13563 direct agencies to propose or adopt a regulation only upon a reasoned determination that its benefits justify its costs, tailor a regulation to impose the least burden on society consistent with obtaining the regulatory objectives, and in choosing among alternative regulatory approaches, select those approaches that maximize net benefits.

Consistent with the requirements in these executive orders, TSA seeks comment on the following questions:
1. For those who are already conducting vulnerability assessments and developing/implementing security plans, what are the security benefits? What would be the security benefits of a consistent, national standard for VASP?
2. TSA seeks information from the public in order to assist it in assessing the cost of alternative regulatory approaches for implementing the VASP regulations. For example, for commenters who suggest that TSA consider adopting certain security performance criteria or objective standards for measuring the security of assets and infrastructure or security systems/operations, what information do you have to assist TSA in assessing the incremental cost of adopting your suggestion? TSA is interested in information to assist it in assessing the full cost of the suggestion, such as the cost for owner/
  
  operators to collect and assess information and the cost to take action based on the information.
3. Likewise, TSA seeks information from the public to assist TSA in assessing the potential benefits of alternative regulatory approaches for implementing the VASP regulations. For example, for commenters who suggest that TSA consider adopting certain security performance criteria or objective standards for measuring the security of assets and infrastructure or security systems/operations, what information do you have to assist TSA in assessing the incremental benefit \45\ from adopting your suggestion?
  
  ---------------------------------------------------------------------------
  
  \45\ When requesting the assessment of an incremental benefit, TSA is referring to the additional benefits of the alternative the commenter is proposing compared to what TSA is proposing and compared to not taking any action at all.
  
  ---------------------------------------------------------------------------
4. What resources (for example, people, Web sites, organizations, companies) could be useful if TSA has difficulty obtaining accurate and timely data on public transportation systems, railroads, or OTRB modes necessary for developing a valid estimate of potential costs for compliance with a proposed VASP regulation? TSA specifically seeks data on employee wages, cost of equipment, and population data on companies within an industry or transportation mode.
Next Steps and Public Participation

This ANPRM seeks input from the public on these topics to ensure that the NPRM to follow addresses all relevant information, provides the explanations necessary to understand the proposed requirements, and appropriately estimates costs. It is important that freight railroad, PTPR, and OTRB owner/operators, other organizations, as well as interested members of the public potentially affected by a final rule, take this opportunity to share thoughts, concerns, ideas, and general comments on the topics presented.

After TSA reviews the comments collected through this ANPRM, TSA will prepare and publish an NPRM that reflects TSA's analysis of the statutory requirements and relevant issues, as well as comments received from the public through this ANPRM. Once TSA publishes the NPRM, stakeholders and the public will have another opportunity to provide comments that TSA will take into consideration before issuing a final rule.

Dated: November 18, 2016.

Huban A. Gowadia,

Deputy Administrator.

FR Doc. 2016-28300 Filed 12-15-16; 8:45 am

BILLING CODE 9110-05-P

Subscribers can access the reported version of this case.

You can sign up for a trial and make the most of our service including these benefits.

Request your trial

Why Sign-up to vLex?

Over 100 Countries

Search over 120 million documents from over 100 countries including primary and secondary collections of legislation, case law, regulations, practical law, news, forms and contracts, books, journals, and more.
Thousands of Data Sources

Updated daily, vLex brings together legal information from over 750 publishing partners, providing access to over 2,500 legal and news sources from the world’s leading publishers.
Find What You Need, Quickly

Advanced A.I. technology developed exclusively by vLex editorially enriches legal information to make it accessible, with instant translation into 14 languages for enhanced discoverability and comparative research.
Over 2 million registered users

Founded over 20 years ago, vLex provides a first-class and comprehensive service for lawyers, law firms, government departments, and law schools around the world.

Subscribers are able to see a list of all the cited cases and legislation of a document.

You can sign up for a trial and make the most of our service including these benefits.

Request your trial

Why Sign-up to vLex?

Over 100 Countries

Search over 120 million documents from over 100 countries including primary and secondary collections of legislation, case law, regulations, practical law, news, forms and contracts, books, journals, and more.
Thousands of Data Sources

Updated daily, vLex brings together legal information from over 750 publishing partners, providing access to over 2,500 legal and news sources from the world’s leading publishers.
Find What You Need, Quickly

Advanced A.I. technology developed exclusively by vLex editorially enriches legal information to make it accessible, with instant translation into 14 languages for enhanced discoverability and comparative research.
Over 2 million registered users

Founded over 20 years ago, vLex provides a first-class and comprehensive service for lawyers, law firms, government departments, and law schools around the world.

Subscribers are able to see a list of all the documents that have cited the case.

You can sign up for a trial and make the most of our service including these benefits.

Request your trial

Why Sign-up to vLex?

Over 100 Countries

Search over 120 million documents from over 100 countries including primary and secondary collections of legislation, case law, regulations, practical law, news, forms and contracts, books, journals, and more.
Thousands of Data Sources

Updated daily, vLex brings together legal information from over 750 publishing partners, providing access to over 2,500 legal and news sources from the world’s leading publishers.
Find What You Need, Quickly

Advanced A.I. technology developed exclusively by vLex editorially enriches legal information to make it accessible, with instant translation into 14 languages for enhanced discoverability and comparative research.
Over 2 million registered users

Founded over 20 years ago, vLex provides a first-class and comprehensive service for lawyers, law firms, government departments, and law schools around the world.

Subscribers are able to see the revised versions of legislation with amendments.

You can sign up for a trial and make the most of our service including these benefits.

Request your trial

Why Sign-up to vLex?

Over 100 Countries

Search over 120 million documents from over 100 countries including primary and secondary collections of legislation, case law, regulations, practical law, news, forms and contracts, books, journals, and more.
Thousands of Data Sources

Updated daily, vLex brings together legal information from over 750 publishing partners, providing access to over 2,500 legal and news sources from the world’s leading publishers.
Find What You Need, Quickly

Advanced A.I. technology developed exclusively by vLex editorially enriches legal information to make it accessible, with instant translation into 14 languages for enhanced discoverability and comparative research.
Over 2 million registered users

Founded over 20 years ago, vLex provides a first-class and comprehensive service for lawyers, law firms, government departments, and law schools around the world.

Subscribers are able to see any amendments made to the case.

You can sign up for a trial and make the most of our service including these benefits.

Request your trial

Why Sign-up to vLex?

Over 100 Countries

Search over 120 million documents from over 100 countries including primary and secondary collections of legislation, case law, regulations, practical law, news, forms and contracts, books, journals, and more.
Thousands of Data Sources

Updated daily, vLex brings together legal information from over 750 publishing partners, providing access to over 2,500 legal and news sources from the world’s leading publishers.
Find What You Need, Quickly

Advanced A.I. technology developed exclusively by vLex editorially enriches legal information to make it accessible, with instant translation into 14 languages for enhanced discoverability and comparative research.
Over 2 million registered users

Founded over 20 years ago, vLex provides a first-class and comprehensive service for lawyers, law firms, government departments, and law schools around the world.

Subscribers are able to see a visualisation of a case and its relationships to other cases. An alternative to lists of cases, the Precedent Map makes it easier to establish which ones may be of most relevance to your research and prioritise further reading. You also get a useful overview of how the case was received.

Request your trial

Why Sign-up to vLex?

Over 100 Countries

Search over 120 million documents from over 100 countries including primary and secondary collections of legislation, case law, regulations, practical law, news, forms and contracts, books, journals, and more.
Thousands of Data Sources

Updated daily, vLex brings together legal information from over 750 publishing partners, providing access to over 2,500 legal and news sources from the world’s leading publishers.
Find What You Need, Quickly

Advanced A.I. technology developed exclusively by vLex editorially enriches legal information to make it accessible, with instant translation into 14 languages for enhanced discoverability and comparative research.
Over 2 million registered users

Founded over 20 years ago, vLex provides a first-class and comprehensive service for lawyers, law firms, government departments, and law schools around the world.

Subscribers are able to see the list of results connected to your document through the topics and citations Vincent found.

You can sign up for a trial and make the most of our service including these benefits.

Request your trial

Why Sign-up to vLex?

Over 100 Countries

Search over 120 million documents from over 100 countries including primary and secondary collections of legislation, case law, regulations, practical law, news, forms and contracts, books, journals, and more.
Thousands of Data Sources

Updated daily, vLex brings together legal information from over 750 publishing partners, providing access to over 2,500 legal and news sources from the world’s leading publishers.
Find What You Need, Quickly

Advanced A.I. technology developed exclusively by vLex editorially enriches legal information to make it accessible, with instant translation into 14 languages for enhanced discoverability and comparative research.
Over 2 million registered users

Founded over 20 years ago, vLex provides a first-class and comprehensive service for lawyers, law firms, government departments, and law schools around the world.

Surface Transportation Vulnerability Assessments and Security Plans (VASP)

You can sign up for a trial and make the most of our service including these benefits.

Why Sign-up to vLex?

Over 100 Countries

Thousands of Data Sources

Find What You Need, Quickly

Over 2 million registered users

You can sign up for a trial and make the most of our service including these benefits.

Why Sign-up to vLex?

Over 100 Countries

Thousands of Data Sources

Find What You Need, Quickly

Over 2 million registered users

You can sign up for a trial and make the most of our service including these benefits.

Why Sign-up to vLex?

Over 100 Countries

Thousands of Data Sources

Find What You Need, Quickly

Over 2 million registered users

You can sign up for a trial and make the most of our service including these benefits.

Why Sign-up to vLex?

Over 100 Countries

Thousands of Data Sources

Find What You Need, Quickly

Over 2 million registered users

You can sign up for a trial and make the most of our service including these benefits.

Why Sign-up to vLex?

Over 100 Countries

Thousands of Data Sources

Find What You Need, Quickly

Over 2 million registered users

Why Sign-up to vLex?

Over 100 Countries

Thousands of Data Sources

Find What You Need, Quickly

Over 2 million registered users

You can sign up for a trial and make the most of our service including these benefits.

Why Sign-up to vLex?

Over 100 Countries

Thousands of Data Sources

Find What You Need, Quickly

Over 2 million registered users