Pending Rule – Vulnerability Assessments

Last week I wrote about three pending TSA rules that were listed on the Office of Management and Budget web site under the Fall 2008 Regulatory Agenda. Today I will take a closer look at what the rule on railroad vulnerability assessments and security plans could look like. This will be based on the material provided on the OMB web site and the referenced sections of the Implementing Recommendations of the 9/11 Commission Act of 2007 (PL 110-53). How the Obama Administration will actually implement the 9/11 Commission requirements remains to be seen. Section 1512 of the 9/11 Commission Act requires the Secretary of DHS to issue regulations that require railroads that are designated as high-risk to conduct vulnerability assessments (VA) and develop a security plan (SP) based on that assessment. The Secretary will develop standards and guidelines for the VA’s and SP’s in accordance with the National Strategy for Railroad Transportation Security (NSRTS) outlined in § 1511 (NOTE: it is not clear to me that the NSRTS has yet been developed, but that is a separate issue for another day). The deadline established in § 1512(a) for the publication of this regulation passed in August of last year. Tier Assignments Section 1512(h) requires that the Secretary assign “each railroad carrier to a risk-based tier established by the Secretary”. The tiers, and the methodology used to assign rail carriers to those tiers, will be established using the criteria established in the NSRTS. At least on of those tiers will be a ‘high-risk’ tier. The regulations prepared under the §1512 requirements may require rail carriers to provide the “information necessary for the Secretary to assign a railroad carrier to the appropriate tier” {§ 1512(h)(1)} Vulnerability Assessment Section 1512(d) details the requirements for the vulnerability assessments that will be required by these regulations. The VA must identify critical assets and infrastructure, vulnerabilities to those assets and infrastructure, and strengths and weaknesses related to those vulnerabilities. Those critical assets and infrastructure will include platforms, stations, intermodal terminals, tunnels, bridges, switching and storage areas, and information systems as appropriate. The strength and weaknesses required to be identified in the vulnerability assessment must address eight specific areas listed in § 1512(d)(1)(c). Those areas are:

Physical security; Passenger and cargo security; Programmable electronic devices, computers, or other automated systems; Alarms, cameras, and other protection systems; Communications systems and utilities needed for railroad security purposes; Emergency response planning; Employee training; and Such other matters as the Secretary determines appropriate.

Additionally, the VA must identify those backup systems and system redundancies that are necessary to allow the railroad carrier to continue operations in the event of a terrorist attack or other incident. Systems specifically identified in § 1512(d)(1)(D) include “disruption of commercial electric power or communications network”. Security Plan Section 1512(e) requires that the Secretary provide ‘technical assistance and guidance’ on the development and implementation of the security plans required to be included in this regulation. The section goes on to detail nine specific areas that those plans should address. Only two of those nine areas actually deal with classical security measures and those only address security for ‘security-sensitive materials’ and the additional security measures to be applied “when the Secretary declares a period of heightened security risk” {§ 1512(e)(1)(F)} One of the required components of the security plan is the appointment of a ‘security coordinator’. This is very similar to the Rail Security Coordinator established in last fall’s freight rail security rule. There are some differences. In this legislation the security coordinator must have the authority to “to implement security actions under the plan” {§ 1512(e)(1)(A)}; there is no such requirement for an RSC. Section 1512(e)(2) also requires that the security coordinator is a US citizen, though the Secretary can waive this requirement after conducting a “background check of the individual and a review of the consolidated terrorist watchlist”. Consultation It appears that one of the most common components of the requirements included in the 9/11 Commission Act was the requirement for coordinating actions. Section 1512(m) establishes that requirement in this case. It requires the Secretary to consult with “railroad carriers, nonprofit employee labor organizations representation railroad employees, and public safety and law enforcement officials” in preparing this regulation. Interestingly there is no requirement to coordinate with shippers or other customers of the railroads. The Way Forward TSA has tried to work with the railroad industry to get them to voluntarily comply with requirements to conduct vulnerability assessments and establish security plans. The lack of specificity in the requirements for that voluntary effort and the inability of TSA to enforce compliance ensures that most of the security efforts will fall short of the requirements of § 1512. This rule will be much more complex than the CFATS regulations. TSA would do well, though, to look at the implementation scheme used for CFATS. A computer based system for providing pre-tiering information, as well as vulnerability assessment and security plan filing will go a long way to making the implementation of these requirements easier for both the regulated community and the regulators.