TSA Publishes Surface Transport Security Training Rule

Last week the Transportation Security Agency published a final rule in the Federal Register (85 FR 16456-16517) on “Security Training for Surface Transportation Employees”. The NPRM for this rule was published in January 2017. The rule requires owner/operators of higher-risk freight railroad carriers, public transportation agencies, passenger railroad carriers, and over-the-road bus companies, to provide TSA-approved security training to employees performing security-sensitive functions.

The Rule

The rule would:

• Require security training for employees of higher-risk freight railroad carriers, public transportation agencies (including rail mass transit and bus systems), passenger railroad carriers, and over-the-road bus (OTRB) companies;

• Owner/operators of these higher-risk railroads, systems, and companies would be required to train employees performing security-sensitive functions, using a curriculum addressing preparedness and how to observe, assess, and respond to terrorist-related threats and/or incidents;

• Require affected owner/operators to submit their training programs to TSA for approval;

• Expand current requirements for rail security coordinators and reporting of significant security concerns (currently limited to freight railroads, passenger railroads, and the rail operations of public transportation systems) to include the bus components of higher-risk public transportation systems and higher-risk OTRB companies;

• Make the maritime and land transportation provisions of TSA's regulations consistent with other TSA regulations by codifying general responsibility to comply with security requirements; compliance, inspection, and enforcement; and procedures to request alternate measures for compliance;

• Add a definition for Transportation Security-Sensitive Materials (TSSM); and

• Other provisions are being amended or added, as necessary, to implement these additional requirements.

Changes made from the proposed language in the NPRM include:

• TSA is modifying the recurrent security training schedule to a three-year cycle rather than annual.

• Changes to security programs and plans may require training certain employees within 90 days of the changes.

• The final rule includes a specific list of the types of changes that would trigger the need to update the security training program.

• The final rule requires an amendment to the approved security training program to be requested no later than 65 days after the change to the security program/measures/plans takes effect.

• Final rule limits the scope of the security coordinator requirement to rail operations of public transportation agencies and the bus-only operations of those determined by TSA to be higher-risk.

• Final rule limits the scope of the reporting security issues requirement to rail operations of public transportation agencies and the bus-only operations of those determined by TSA to be higher-risk.

Effective Date

The effective date for this rulemaking is June 22^nd, 2020. Effective dates for specific provisions include:

• Deadline for notifying TSA of applicability determination (1570.105) – July 22^nd, 2020;

• Deadline for providing security coordinator information to TSA (1570.201) – July 29^th, 2020;

• Deadline for submission of security training program to TSA for approval (1570.109(b)) – October 28^th, 2020;

• TSA approval or notification of required modification (1570.109(c)) – 60-days from receipt;

• Initial training of security-sensitive employees (1570.111(a)) – 1-year from TSA approval;

• Recurrent training of security-sensitive employees (1570.111(b)) – 3-years from initial training.

Cybersecurity

There is an interesting mention of cybersecurity in the preamble to the bill. In response to a commenters question about whether a ‘cyber-expert’ would be considered an ‘employee in a security-sensitive position’, the TSA responded:

“A cyber-expert may be considered a security-sensitive employee based upon specific job functions, such as functions involving control or movement of trains, or because of other cyber-security responsibilities related to the owner/operators security measures in its security plan to protect the integrity of its information systems.”

Commentary

It is interesting that the TSA used the congressional mandate for this rulemaking as a response/justification to several commenters’ questions and objections in the formulation of this final rule. The fact that TSA’s hands were tied in a lot instances by the congressional mandate was grandly ignored in one specific instance. In 6 USC 1137(c)(6) (and similarly in §1167 and §1184) Congress required as one of the elements of the mandated training:

“Training related to behavioral and psychological understanding of, and responses to, terrorist incidents, including the ability to cope with hijacker behavior, and passenger responses.”

That training requirement is conspicuously absent from the requirements in this rulemaking. To be sure, this requirement would have been difficult and time consuming to have been adequately, much less effectively, addressed in a training program, but it was a ‘congressional mandate’; no matter how inappropriate. If that one could be ignored, so could have all of the others.