This is the second in a continuing series of blog posts
about the recent TSA NPRM on security training for surface transportation
organizations. Earlier posts in the series included:
The current 49 CFR 1570 addresses the General Rules of
Subchapter D, Maritime and Land Transportation. The primary focus has been on
the Transportation Workers Identification Credential (TWIC) enforcement process
by TSA. This NPRM proposes a complete re-write of the section to more broadly
provide the general rules for enforcement of all surface transportation
requirements, current and those proposed in this rule. The only sections that
have not been rewritten is §1570.1, outlining the scope of the section’s
requirements, §1570.5, prohibiting fraud in record keeping under the subchapter.
Definitions
As I mentioned in the earlier post, TSA is making a number
of changes to §1570.3,
Definitions. A large number of the changes are simply moving definitions from
other sections of 49
CFR Chapter XII or referencing other definitions in other portions of the
Code Federal Regulations. TSA is, however, adding five new definitions to help
provide clarity to other specific definitions used in the modal portions of
this rule. Those new definitions are:
• Contractor;
• Employee;
• Security sensitive
employee; and
The
last two are not really defined in §1570.3; they simply refer to the actual
definitions in the modal sections of the proposed rule.
Provisions Moved
The rewrite of §1570
includes moving three of the current provisions of the section to new subparts
of the section. The two TWIC specific sections (§1570.7, Fraudulent use or manufacture;
responsibilities of persons; and §1570.9,
Inspection of credential) have been moved to the new Subpart D, Security Threat
Assessments (to Sections 1570.301 and 1570.303 respectively). Also moved
to this subpart is §1570.13,
False statements [by employers] regarding security background checks. This was
moved to §1570.305.
Security Responsibilities
While most of the rule applies to owner/operators, §1570.7 specifically
clarifies that all individuals are required to comply with the security
requirements established under this rule. Every attempt was made to make the
wording as inclusive as possible in describing the ways that security measures
could be contravened. For example, the proposed §1570.7(a)(1) states
that no person may: “Tamper or interfere with, compromise, modify, attempt to
circumvent, or cause another person to tamper or interfere with, compromise,
modify, or attempt to circumvent any security measure implemented under this
subchapter.”
The problem with such attempts at making all-inclusive
language is that someone slightly more creative can come up with something not
covered. For instance the paragraph does not prevent someone from knowingly
allowing someone ‘to tamper or interfere with…’
After developing the detailed inclusive language described
above, someone realized that the regulation would effectively prohibit TSA, DHS
and corporate inspectors from trying to test security measures. Thus, paragraph
(b) was added to exempt inspectors from the prohibitions listed in paragraph
(a).
Security Programs
Subpart B of §1570
is completely new in the proposed rule. It establishes the general security
program requirements for surface transportation. The requirements in this
section are fairly generic with the details being provided in the new modal
sections being proposed in the NPRM. The three most important parts of this
subpart are found in §1570.105, §1570.109 and §1570.111.
Section
1570.105 establishes the methodology for determining if an organization is
covered by the new rules in the NPRM. First TSA has established the criteria
for determining if an organization would be covered. The detailed requirements
are found in the modal sections {§1580.101 – FR; §1582.101 – PT, and §1584.101 – OTRB). Then organizations are
required to review those requirements and notify the TSA if they are a covered
organization. Organizations would have 90 days to make that notification.
This
self-identification of coverage is almost certainly going to result in the lack
of 100% coverage of the organizations that should report their coverage. The
major players will all self-report within the specified time (30 days after the
final rule effective date), but there will be some number of smaller players
(probably highest in the OTRB category) that, through either negligence or
malfeasance, that will fail to self-identify.
To
overcome this problem, TSA is going to have to have an effective outreach
program to ensure that all of the potentially affected organizations know about
the reporting requirements. As we know from the CFATS program and the
West Fertilizer incident, the agency will be criticized when an incident
happens involving an organization that did not appropriately self-identify and
complete the subsequent regulatory requirements.
Section
1570.109 provides the regulatory time-table for completing the remaining
regulatory requirements of this surface-transportation training program:
• 90-days from the effective date of the regulation to
submit initial training plan for approval for affected organizations in
existence when the final rule becomes effective;
• 90-days from the start of operations or modification of
operations to submit initial or revised training plan
after the effective date of the regulations; and
• 30-days to submit a petition for
reconsideration after receiving from the TSA a notice to modify
the training plan.
Similarly, §1570.111
provides the time-table for the implementation of the training program. Time
limits have been set for initial training under a new/revised training program
(1-year), training of new employees under an existing training program
(60-days), and recurrent training (every year ± one month).
Operations
Subpart C addresses two requirements, both of which were
previously seen in the existing §1580
requirements for freight railroad carriers and passenger railroad carriers. The
proposed rule would make those requirements apply to public transportation
systems and Those requirements are
§1570.201
– Security Coordinator; and
§1570.203
– Reporting significant security concerns
Posts
No comments:
Post a Comment