Saturday, December 17, 2016

TSA Publishes Security Training NPRM

Yesterday the DHS Transportation Security Administration (TSA) published in the Federal Register (81 FR 91336-91401) their long-awaited rule on security training for surface transportation employees. Not only does this rule provide proposed requirements for training employees of railroads (both passenger and freight) and over-the-road bus (OTRB) companies, but it also makes supporting revisions to several other surface transportation security regulations.

According to the summary in the preamble to this NPRM the proposed rule would:

• Require security training for employees of higher-risk freight railroad carriers, public transportation agencies (including rail mass transit and bus systems), passenger railroad carriers, and over-the-road bus (OTRB) companies;
• Owner/operators of these higher-risk railroads, systems, and companies would be required to train employees performing security-sensitive functions, using a curriculum addressing preparedness and how to observe, assess, and respond to terrorist-related threats and/or incidents;
• Expand current requirements for rail security coordinators and reporting of significant security concerns (currently limited to freight railroads, passenger railroads, and the rail operations of public transportation systems) to include the bus components of higher-risk public transportation systems and higher-risk OTRB companies;
• Make the maritime and land transportation provisions of TSA's regulations consistent with other TSA regulations by codifying general responsibility to comply with security requirements; compliance, inspection, and enforcement; and procedures to request alternate measures for compliance; and
• Add a definition for Transportation Security-Sensitive Materials (TSSM). Other provisions are being amended or added, as necessary, to implement these additional requirements.


In this rulemaking TSA is proposing to add a large number of definitions to 49 CFR 1500. Many of these definitions are being adopted from other places in the CFR. New and revised definitions being added include:

Training Requirements

The general security training requirements are outlined in the new Subpart B of 49 CFR 1570. Modal specific requirements will be found at §1580.115 (freight rail - FR), §1582.115 (public transportation and passenger rail - PT), and §1584.115 (OTRB). The modal specific requirements are all essentially the same with some minor wording variations reflecting some basic differences in type transportation provided.

Owner/operators would be given 90-days from the adoption of the final rule to complete their development of a security training program and to submit that program to TSA for review and approval. TSA would be given 60-days to approve the program or require changes to be made. Existing employees would then have to be trained in accordance with the submitted training program within one year. New employees could work in security-sensitive positions could work up to 60-days under ‘direct supervision’ (not specifically defined) before receiving the required training.

There would be four required components to be covered in the training:

Assess; and

Public Comments

The TSA is soliciting public comments on this NPRM. Written comments may be submitted via the Federal eRulemaking Portal (; Docket # TSA-2015-0001). Comments should be submitted by March 16, 2017.

In addition to comments about the actual proposed rulemaking (much of which is mandated by law), the TSA is also seeking specific feedback on five questions concerning implementation of the rule:

• The preferred avenue to submit security training programs to TSA, such as through email, secure Web site, or mailing address;
• TSA is proposing to use accumulated days of employment as one of the factors triggering whether an employee must be trained and requests comment specifically on how to calculate accumulated days and to ensure contractors are not used to avoid the requirements of this proposed rule;
• The use of previous training to satisfy requirements in the proposed rule;
• Options for harmonizing the proposed training schedule with existing training schedules and for adding efficiencies with other relevant regulatory requirements, including identification of any laws, regulations, or orders not identified by TSA that commenters believe would conflict with the provisions of the proposed rule; and
• Options for ensuring training is effective in the absence of proficiency standards.


TSA is going to be between a rock and a legal hard place when it comes to the bulk of the legitimate (more on ‘legitimate’ below) comments that it receives. Industry is going to complain large and loud about how comprehensive (and over-reaching) the training requirements are in this NPRM and how short the time frame is for them to submit training programs to TSA for approval. Unfortunately for TSA both of these issues are spelled out in detail the Congressional mandate for this training requirement (6 USC 1137 – PT; 6 USC 1167 – FR; and 6 USC 1184 -OTRB).

Two of the Congressional training requirements are going to be particularly difficult to implement:

• Appropriate responses to defend oneself, including using nonlethal defense devices; and
• Training related to behavioral and psychological understanding of, and responses to, terrorist incidents, including the ability to cope with hijacker behavior, and passenger responses.

If the first presupposes that employees have an obligation to defend themselves (as opposed to providing legal cover for their doing so) then there are going to be some legal objections from employers and compensation issues (medical and legal counsel) raised by employees and their representatives.

The second could be a master’s level course in applied psychology and hardly appropriate for first line employees; the vast majority of whom will never see a terrorist attack.

Neither of these requirements is adequately addressed in the proposed language. For example the self-defense language is limited to: “Use any applicable self-defense devices or other protective equipment provided to employees by the owner/operator.” {proposed §1582.115(f)(3)} The second is simply not addressed in the requirement to interact “with the public and first responders at the scene of the threat or incident, including communication with passengers on evacuation and any specific procedures for individuals with disabilities and the elderly” {proposed §1582.115(f)(2)}. There is nothing about understanding and responding to the terrorists involved in the incident.

Legitimate responses – The earlier ANPRM also requested public feedback and it did receive lots of feedback; much of it vitriolic. Reading most of the comments from individuals you can clearly see that many people object to anything that the TSA tries to do based solely on their interactions with TSA screeners at the airports. The ANPRM was issued during the height of the complaints about new TSA pat-downs and the improved screening devices and many of the comments reflected that.

There is nothing in this NPRM (nor was there in the ANPRM) about the use of TSA screeners for surface security applications. While there may have been an increase in concerns about protecting public transportation against the increased number of personal (as opposed to wholesale) terrorist attacks on European public transit, nobody is proposing (for economic reasons if nothing else) to extend airport type passenger screening to public transportation or OTRB operations. Hopefully, commenters on this rule will realize that and limit their comments appropriately.

One last point. In a response to my earlier post about this NPRM being approved by OMB I was told by a colleague in the training community that they had been told by a transportation company that this rulemaking would not go forward under the Trump Administration. I think that it is way too early to tell what the new administration will or will not do with regards to regulatory reform, but I am certain that there will be new regulations promulgated by the Federal government over the next four (eight?) years.

Whether or not this specific rule will move forward remains to be seen. There has been a strong push by congressional committees (all Republican controlled) for TSA to complete this rulemaking. Anyone that declines to raise legitimate issues in the rulemaking process based upon their belief in future inaction upon the part of the TSA is making a potentially big mistake. The only thing that is certain to kill this rulemaking is a general showing that the cost of implementation is too high relative to the potential benefits. That would require that industry provide detailed feedback on the cost of implementation. And, potential providers of the required training owe it to their future business in this area to provide some realistic cost estimates about the development of training packages.

One more last point (really last this time). There is no mention of any cybersecurity aspect in these training requirements. Given the increased and mandated use of positive train control technology, the security of the control systems involved should have been addressed in this rulemaking. But, of course, Congress did not consider it when they established the mandate back in 2007 (nobody did then) so the TSA ignored the issue.

No comments:

/* Use this with templates/template-twocol.html */