The requirements of this subpart address general security program requirements applicable to each owner/operator required to have a security program under subpart B to 49 CFR parts 1580, 1582, and 1584.

(a) Security program. Except as otherwise approved by TSA, each owner/operator required to have a security program must address each of the security program requirements identified in subpart B to 49 CFR parts 1580, 1582, and 1584.

(b) Use of appendices. The owner/operator may comply with the requirements referenced in paragraph (a) of this section by including in its security program, as an appendix, any document that contains the information required by the applicable subpart B, including procedures, protocols or memorandums of understanding related to external agency response to security incidents or events. The appendix must be referenced in the corresponding section(s) of the security program.

(a) Higher-risk operations. While TSA has determined the criteria for applicability of the requirements in subpart B to 49 CFR parts 1580, 1582, and 1584 based on risk-assessments for freight railroad, public transportation system, passenger railroad, or over-the-road (OTRB) owner/operators are required to determine if the applicability criteria identified in subpart B to parts 1580, 1582, and 1584 apply to their operations. Owner/operators are required to notify TSA of applicability within 30 days of June 22, 2020.

(b) New or modified operations. If an owner/operator commences new operations or modifies existing operations after June 22, 2020, that person is responsible for determining whether the new or modified operations would meet the applicability criteria in subpart B to 49 CFR part 1580, 1582, or 1584 and must notify TSA no later than 90 calendar days before commencing operations or implementing modifications.

Previously provided security training may be credited towards satisfying the requirements of this subchapter provided the owner/operator—

(a) Obtains a complete record of such training and validates the training meets requirements of § 1580.115, § 1582.115, or § 1584.115 of this subchapter as it relates to the function of the individual security-sensitive employee and the training was provided within the schedule required for recurrent training.

(b) Retains a record of such training in compliance with the requirements of § 1570.121 of this part.

(a) Submission of security program. Each owner/operator required under parts 1580, 1582, or 1584 of this subchapter to adopt and carry out a security program must submit it to TSA for approval in a form and manner prescribed by TSA.

(b) Security training deadlines. Except as otherwise directed by TSA, each owner/operator required under subpart B to part 1580, 1582, or 1584 of this subchapter to develop a security training program must—

(1) Submit its program to TSA for approval no later than June 21, 2021.

(2) If commencing or modifying operations so as to be subject to the requirements of subpart B to 49 CFR parts 1580, 1582, or 1584 after June 21, 2021, submit a training program to TSA no later than 90 calendar days before commencing new or modified operations.

(c) TSA approval. (1) No later than 60 calendar days after receiving the proposed security program required by subpart B to 49 CFR parts 1580, 1582, and 1584, TSA will either approve the program or provide the owner/operator with written notice to modify the program to comply with the applicable requirements of this subchapter. TSA will notify the owner/operator if it needs an extension of time to approve the program or provide the owner/operator with written notice to modify the program to comply with the applicable requirements of this subchapter.

(2) Notice to modify. If TSA provides the owner/operator with written notice to modify the security program to comply with the applicable requirements of this subchapter, the owner/operator must provide a modified security program to TSA for approval within the timeframe specified by TSA.

(3) TSA may request additional information, and the owner/operator must provide the information within the time period TSA prescribes. The 60-day period for TSA approval or modification will begin when the owner/operator provides the additional information.

(g) Petition for reconsideration. Within 30 days of receiving the notice to modify, the owner/operator may file a petition for reconsideration under § 1570.119 of this part.

(a) Initial security training. Each owner/operator required under parts 1580, 1582, or 1584 of this subchapter to adopt and carry out a security program must provide initial security training to security-sensitive employees, using the curriculum approved by TSA and in compliance with the following schedule.

(1) For security training programs submitted to TSA for approval on or before March 22, 2021, if the employee is employed to perform a security-sensitive function on the date TSA approves the program, then initial training must be provided no later than fifteen months after the date that TSA approves the owner/operator's security training program.

(2) For security training programs submitted to TSA for approval after March 22, 2021, if the employee is employed to perform a security-sensitive function on the date TSA approves the program, then initial training must be provided no later than twelve months after the date that TSA approves the owner/operator's security training program.

(3) If performance of a security-sensitive job function is initiated after TSA approves the owner/operator's security training program, then initial training must be provided no later than 60 calendar days after the employee first performs the security-sensitive job function.

(4) If the security-sensitive job function is performed intermittently, then no later than the 60th calendar day of employment performing a security-sensitive function, aggregated over a consecutive 12-month period.

(b) Recurrent security training. (1) Except as provided in paragraph (b)(2) of this section, a security-sensitive employee required to receive training under part 1580, 1582, or 1584 of this subchapter must receive the required training at least once every three years.

(2) If an owner/operator modifies a security program or security plan for which training is required under § 1580.203(b), § 1582.115(b), or § 1584.115(b) of this subchapter, the owner/operator must ensure each security-sensitive employee with position- or function-specific responsibilities related to the revised plan or program changes receives training on the revisions within 90 days of implementation of the revised plan or program changes. All other employees must receive training that reflects the changes to the operating security requirements as part of their regularly scheduled recurrent training.

(3) The three-year recurrent training cycle is based on the anniversary calendar month of the employee's initial security training. If the owner/operator provides the recurrent security training in the month of, the month before, or the month after it is due, the employee is considered to have taken the training in the month it is due.

(c) Extensions of time. TSA may grant an extension of time for implementing a security program identified in subpart B to parts 1580, 1582, and 1584 of this subchapter upon a showing of good cause. The owner/operator must request the extension of time in writing and TSA must receive the request within a reasonable time before the due date to be extended; an owner/operator may request an extension after the expiration of a due date by sending a written request describing why the failure to meet the due date was excusable. TSA will respond to the request in writing.

(a) Changes to ownership or control of operations. Each owner/operator required under part 1580, 1582, or 1584 of this subchapter to adopt and carry out a security program must submit a request to amend its security program if, after approval, there are any changes to the ownership or control of the operation.

(b) Changes to conditions affecting security. Each owner/operator required under part 1580, 1582, or 1584 of this subchapter to adopt and carry out a security program must submit a request to amend its security program if, after approval, the owner/operator makes, or intends to make, permanent changes to any of the following procedures, measures, or other aspects of security or emergency response planning implemented by the owner/operator to address:

(1) Specific procedures implemented or used to prevent and detect unauthorized access to restricted areas designated by the owner/operator;

(2) Measures to be implemented in response to a period of heightened security risk, communicated through a DHS enhanced security notification, including the process used to notify all employees of changes in alert level status or requirements to implement specific elements of the security plan and verify that appropriate enhanced security measures have been implemented at all relevant locations.

(3) Emergency response plans, including:

(i) Coordinated response plans establishing procedures for appropriate interaction with State, local, and tribal law enforcement agencies, emergency responders, and Federal officials in order to coordinate security measures and plans for response in the event of a terrorist threat, attack, or other transportation security-related incident;

(ii) Specific procedures to be implemented or used by the owner/operator in response to a terrorist attack, including evacuation and communication plans that include individuals with disabilities; and

(iii) Additional measures to be adopted to address weaknesses in emergency response procedures identified during regular drills or exercises that test corporate capabilities to direct, coordinate, and execute prevention and response activities for terrorist attacks or other security threats, including tunnel evacuation procedures, if applicable.

(iv) Redundant and backup systems to ensure the continuity of operations of critical assets and infrastructure system in the event of a terrorist attack or other transportation security-related incident.

(c) Changes to security training curriculum. Each owner/operator required under part 1580, 1582, or 1584 of this subchapter to adopt and carry out a security program must submit a request to amend its security program if, after approval, the owner/operator makes, or intends to make, permanent changes to its security training curriculum required under part 1580, 1582, or 1584, including changes to address:

(1) Determinations that the security training program is ineffective based on the approved method for evaluating effectiveness in the security training program approved by TSA under subpart B of parts 1580, 1582, and 1584; or

(2) Development of recurrent training material for purposes of meeting the requirements in § 1570.111(b) of this part or other alternative training materials not previously approved by TSA.

(d) Permanent change. For purposes of this section, a “permanent change” is one intended to be in effect for 60 or more calendar days.

(e) Schedule for requesting amendment. The owner/operator must file the request for an amendment with TSA no later than 65 calendar days after the change in subsection (b) takes effect, unless TSA allows a shorter time period.

(f) TSA approval. (1) Within 30 calendar days after receiving a proposed amendment, TSA will, in writing, either approve or deny the request to amend. TSA will notify the owner/operator if it needs an extension of time to consider the proposed amendment.

(2) TSA may approve—

(i) An amendment to a security program if TSA determines that it is in the interest of the public and transportation security and the proposed amendment provides the level of security required under this subchapter.

(ii) Modification to security training curriculum, including alternative training for purposes of meeting the recurrent training requirement, if all the required training elements are addressed and the material is consistent with the most recent iteration of the security program submitted to, and approved by, TSA (including amendments made to reflect relevant changes to operations and/or security measures and response plans).

(iii) TSA may request additional information from the owner/operator before rendering a decision.

(g) Petition for reconsideration. No later than 30 calendar days after receiving a denial, the owner/operator may file a petition for reconsideration under § 1570.119 of this part.

(a) Notification of requirement to amend. TSA may require amendments to a security program in the interest of the public and transportation security, including any new information about emerging threats, or methods for addressing emerging threats, as follows:

(1) TSA will notify the owner/operator of the proposed amendment, fixing a period of not less than 30 calendar days within which the owner/operator may submit written information, views, and arguments on the amendment.

(2) After TSA considers all relevant material received, TSA will notify the owner/operator of any amendment adopted or rescind the notice.

(b) Effective date of amendment. If TSA adopts the amendment, it becomes effective not less than 30 calendar days after the owner/operator receives the notice of amendment, unless the owner/operator disagrees with the proposed amendment and files a petition for reconsideration under § 1570.119 of this part no later than 15 calendar days before the effective date of the amendment. A timely petition for reconsideration stays the effective date of the amendment.

(c) Emergency amendments. If TSA determines that there is an emergency requiring immediate action in the interest of the public or transportation security, TSA may issue an amendment, without the prior notice and comment procedures in paragraph (a) of this section, effective without stay on the date the covered owner/operator receives notice of it. In such a case, TSA will incorporate in the notice a brief statement of the reasons and findings for the amendment to be adopted. The owner/operator may file a petition for reconsideration under § 1570.119 of this part; however, this does not stay the effective date of the emergency amendment.

(a) If in TSA's judgment, the overall security of transportation provided by an owner/operator subject to the requirements of 49 CFR part 1580, 1582, or 1584 are not diminished, TSA may approve alternative measures.

(b) Each owner/operator requesting alternative measures must file the request for approval in a form and manner prescribed by TSA. The filing of such a request does not affect the owner/operator's responsibility for compliance while the request is being considered.

(c) TSA may request additional information, and the owner/operator must provide the information within the time period TSA prescribes. Within 30 calendar days after receiving a request for alternative measures and all requested information, TSA will, in writing, either approve or deny the request.

(d) If TSA finds that the use of the alternative measures is in the interest of the public and transportation security, it may grant the request subject to any conditions TSA deems necessary. In considering the request for alternative measures, TSA will review all relevant factors including—

(1) The risks associated with the type of operation, for example, whether the owner/operator transports hazardous materials or passengers within a high threat urban area, whether the owner/operator transports passengers and the volume of passengers transported, or whether the owner/operator hosts a passenger operation.

(2) Any relevant threat information.

(3) Other circumstances concerning potential risk to the public and transportation security.

(e) No later than 30 calendar days after receiving a denial, the owner/operator may petition for reconsideration under § 1570.119 of this part.

(a) If an owner/operator seeks to petition for reconsideration of a determination, required modification, denial of a request for amendment by the owner/operator, denial to rescind a TSA-required amendment, or denial of an alternative measure, the owner/operator must submit a written petition for reconsideration that includes a statement and any supporting documentation explaining why the owner/operator believes TSA's decision is incorrect.

(b) Upon review of the petition for reconsideration, the Administrator or designee will dispose of the petition by affirming, modifying, or rescinding its previous decision. This is considered a final agency action.

(a) Retention. Each owner/operator required to have a security program under subpart B to parts 1580, 1582, and 1584 of this subchapter must—

(1) Retain security training records for each individual required to receive security training under §§ 1580.115, 1582.115, and 1584.115 that, at a minimum—

(i) Includes employee's full name, job title or function, date of hire, and date of initial and recurrent security training; and

(ii) Identifies the date, course name, course length, and list of topics addressed for the security training most recently provided in each of the areas required under §§ 1580.115, 1582.115, and 1584.115 of this subchapter.

(2) Retain records of initial and recurrent security training for no less than five (5) years from the date of training.

(3) Provide records to current and former employees upon request and at no charge as necessary to provide proof of training.

(b) Electronic records. Each owner/operator required to retain records under this section may keep them in electronic form. An owner/operator may maintain and transfer records through electronic transmission, storage, and retrieval provided that the electronic system provides for the maintenance of records as originally submitted without corruption, loss of data, or tampering.

(c) Protection of SSI. Each owner/operator must restrict the distribution, disclosure, and availability of security sensitive information, as identified in part 1520 of this chapter, to persons with a need to know. The owner/operator must refer requests for such information by other persons to TSA.

(d) Availability. Each owner/operator must make the records available to TSA upon request for inspection and copying.