Saturday, December 24, 2016

TSA Security Training NPRM - §1570 Rewrite

This is the second in a continuing series of blog posts about the recent TSA NPRM on security training for surface transportation organizations. Earlier posts in the series included:


The current 49 CFR 1570 addresses the General Rules of Subchapter D, Maritime and Land Transportation. The primary focus has been on the Transportation Workers Identification Credential (TWIC) enforcement process by TSA. This NPRM proposes a complete re-write of the section to more broadly provide the general rules for enforcement of all surface transportation requirements, current and those proposed in this rule. The only sections that have not been rewritten is §1570.1, outlining the scope of the section’s requirements, §1570.5, prohibiting fraud in record keeping under the subchapter.

Definitions


As I mentioned in the earlier post, TSA is making a number of changes to §1570.3, Definitions. A large number of the changes are simply moving definitions from other sections of 49 CFR Chapter XII or referencing other definitions in other portions of the Code Federal Regulations. TSA is, however, adding five new definitions to help provide clarity to other specific definitions used in the modal portions of this rule. Those new definitions are:

Employee;

The last two are not really defined in §1570.3; they simply refer to the actual definitions in the modal sections of the proposed rule.

Provisions Moved


The rewrite of §1570 includes moving three of the current provisions of the section to new subparts of the section. The two TWIC specific sections (§1570.7, Fraudulent use or manufacture; responsibilities of persons; and §1570.9, Inspection of credential) have been moved to the new Subpart D, Security Threat Assessments (to Sections 1570.301 and 1570.303 respectively). Also moved to this subpart is §1570.13, False statements [by employers] regarding security background checks. This was moved to §1570.305.

Security Responsibilities


While most of the rule applies to owner/operators, §1570.7 specifically clarifies that all individuals are required to comply with the security requirements established under this rule. Every attempt was made to make the wording as inclusive as possible in describing the ways that security measures could be contravened. For example, the proposed §1570.7(a)(1) states that no person may: “Tamper or interfere with, compromise, modify, attempt to circumvent, or cause another person to tamper or interfere with, compromise, modify, or attempt to circumvent any security measure implemented under this subchapter.”

The problem with such attempts at making all-inclusive language is that someone slightly more creative can come up with something not covered. For instance the paragraph does not prevent someone from knowingly allowing someone ‘to tamper or interfere with…’

After developing the detailed inclusive language described above, someone realized that the regulation would effectively prohibit TSA, DHS and corporate inspectors from trying to test security measures. Thus, paragraph (b) was added to exempt inspectors from the prohibitions listed in paragraph (a).

Security Programs


Subpart B of §1570 is completely new in the proposed rule. It establishes the general security program requirements for surface transportation. The requirements in this section are fairly generic with the details being provided in the new modal sections being proposed in the NPRM. The three most important parts of this subpart are found in §1570.105, §1570.109 and §1570.111.

Section 1570.105 establishes the methodology for determining if an organization is covered by the new rules in the NPRM. First TSA has established the criteria for determining if an organization would be covered. The detailed requirements are found in the modal sections {§1580.101 – FR; §1582.101 – PT, and §1584.101 – OTRB). Then organizations are required to review those requirements and notify the TSA if they are a covered organization. Organizations would have 90 days to make that notification.

This self-identification of coverage is almost certainly going to result in the lack of 100% coverage of the organizations that should report their coverage. The major players will all self-report within the specified time (30 days after the final rule effective date), but there will be some number of smaller players (probably highest in the OTRB category) that, through either negligence or malfeasance, that will fail to self-identify.

To overcome this problem, TSA is going to have to have an effective outreach program to ensure that all of the potentially affected organizations know about the reporting requirements. As we know from the CFATS program and the West Fertilizer incident, the agency will be criticized when an incident happens involving an organization that did not appropriately self-identify and complete the subsequent regulatory requirements.

Section 1570.109 provides the regulatory time-table for completing the remaining regulatory requirements of this surface-transportation training program:

• 90-days from the effective date of the regulation to submit initial training plan for approval for affected organizations in existence when the final rule becomes effective;
• 90-days from the start of operations or modification of operations to submit initial or revised training plan after the effective date of the regulations; and
• 30-days to submit a petition for reconsideration after receiving from the TSA a notice to modify the training plan.

Similarly, §1570.111 provides the time-table for the implementation of the training program. Time limits have been set for initial training under a new/revised training program (1-year), training of new employees under an existing training program (60-days), and recurrent training (every year ± one month).

Operations


Subpart C addresses two requirements, both of which were previously seen in the existing §1580 requirements for freight railroad carriers and passenger railroad carriers. The proposed rule would make those requirements apply to public transportation systems and Those requirements are

§1570.201 – Security Coordinator; and

§1570.203 – Reporting significant security concerns

No comments:

 
/* Use this with templates/template-twocol.html */