Any recipient of Urbanized Area Formula Grant Program funds must annually certify that it is spending one percent of such funds for transit security projects or that such expenditures for security systems are not necessary.
Under the safety authority provisions of the Federal transit laws,
the Secretary has the authority to investigate the operations of the
grantee for any conditions that appear to create a serious hazard of
death or injury, especially to patrons of the transit service. However,
FTA has no specific requirements for transit safety. States are
required to oversee the safety of rail fixed guideway systems through a
designated oversight agency. Under security, FTA has adopted the “Top
20 Security Program Action Items for Transit Agencies.” The action
items are measures recommended by FTA for immediate consideration and
implementation by transit agencies to improve both security and
emergency preparedness (see “FTA Top 20 Security Program Action Items for Transit Agencies: Self-Assessment Checklist“ on the Volpe Centers’ website).
The goal of FTA’s Safety and Security Program is to achieve the
highest practical level of safety and security in all modes of transit.
To this end, FTA continuously promotes the awareness of safety and
security throughout the transit community by establishing programs to
collect and disseminate information on safety/security concepts and
practices. In addition, FTA develops guidelines that transit systems
can apply in the design of their procedures and by which to compare
local actions. As such, many of the questions in this review area are
designed to determine what efforts grantees have made to develop and
implement safety, security, and emergency management plans. While there
may not be specific requirements associated with all of the questions,
grantees are encouraged to implement the plans, procedures, and
programs referenced in these questions. For this reason, findings in
this area will most often result in advisory comments rather than
deficiencies.
Part A. Safety
- Does the grantee have a written policy on safety? Has it been signed by the CEO?
- Does the grantee have a written system safety
program plan (SSPP) for its transit services? Does the SSPP address
management of the safety function?
- How is the safety function managed? Are there
staff safety personnel? If so, are responsibilities and authorities
clear? To whom do they report?
Explanation
FTA is concerned about the safety of both transit passengers and transit workers. FTA can conduct safety investigations when conditions of any facility, equipment, or manner of operation appear to create a serious hazard of death or injury.
Recognizing that safety is an integral part of transit operations, grantees are encouraged to have a written safety policy and safety plan. The safety plan should assign responsibilities for safety management from the most senior executive to the first-line supervisory level. Endorsement by the CEO conveys this importance. At a minimum, a grantee’s safety plan should address compliance with applicable legal requirements. Striving for continual improvement to achieve a high level of safety performance should be a program goal. Guidance on the development of a written bus transit system safety program plan is available in an APTA publication entitled, Manual for the Development of Bus Transit System Safety Program Plans (1998). Note that the grantee may have a safety plan developed from another source, which responds to specific state or local requirements.
These questions are intended to provide an overall understanding of how safety is incorporated into the organization, what kind of emphasis is placed on safety, how the safety program is managed, and how various responsibilities are communicated to personnel at all levels.
Reason for the Question
Suggested Practice
Sources of Information
If the grantee has a written safety policy or system safety program plan, it should be examined at the site visit. Reviewers should discuss with the grantee the reporting relationships in regard to safety to ensure that the safety function is managed adequately.
Determination
If the grantee has a safety policy and safety plan, signed by the CEO, no advisory comment is made. If the grantee does not have a safety policy or safety plan, an advisory comment is made. If the safety plan does not address the management of the safety function, if staff responsibilities are not clearly delineated, or the CEO has not signed it, an advisory comment is made.
Suggested Corrective Action
If the grantee does not have a written safety policy or system safety program plan, the grantee should be encouraged to prepare a plan. If the safety plan does not adequately address management of the safety function, the grantee should revise the plan to correct any deficiencies.
Back to Questions
- What are the investigation procedures for
major incidents? What circumstances and conditions determine which
incidents will be investigated? Who does the investigation? To whom do
reports go? What follow-up action is taken and by whom?
- What key safety issues have been identified and how are they being addressed?
- Is there a process for hazard identification
and resolution? When corrective action is needed, how is it initiated
and followed up?
Explanation
Safety issues include more than vehicle and passenger accidents and workplace injuries. As such, the grantee’s safety-related responsibilities may be numerous. They may include, for example:
- investigating major incidents;
- identifying workplace hazards;
- proper handling of hazardous materials
- emergency preparedness.
Reviewers should ensure that the grantee has established procedures to investigate, identify, and address safety issues. The process should be both reactive in terms of investigating incidents and proactive in terms of identifying and responding to key safety issues and potential hazardous conditions. Note: Procedures related to emergency preparedness are addressed in Part C of this review area.
Reason for the Question
Suggested Practice
Sources of Information
The minutes from safety committee and/or accident/incident review committee meetings should be made available during the site visit. Emergency management plans and procedures should be requested. The grantee should be able to provide safety statistics for the past three years for major incidents involving passengers, property damage, and work-related accidents. Insurance companies also conduct assessments of their clients. Such reports are another source of information. Claims records and insurance costs identified in financial reports also provide information. Both costs and the actual number of incidents should be examined.
Procedures manuals and employee handbooks may contain information related to safety. Copies of these documents should be examined on site to determine if safety procedures are addressed for various functions (e.g., transportation, maintenance, procurement, and stores). Determine who is responsible for maintaining safety information, handbooks, procedures manuals, and materials safety data sheets (MSDS).
Determination
If the grantee has procedures to investigate incidents and accidents, no advisory comment is made. If incident and accident investigation procedures appear to be lacking, an advisory comment is made. If the grantee has procedures in place to identify and resolve workplace hazards, no advisory comment is made. If hazard identification and resolution procedures are lacking, an advisory comment is made.
Suggested Corrective Action
If procedures for investigating incidents appear to be lacking, the grantee should be encouraged to develop and implement adequate procedures. If procedures for dealing with workplace hazards, safe materials handling, etc. appear to be lacking, the grantee should be encouraged to establish appropriate procedures.
Back to Questions
- Does management hold line personnel
accountable for safety? Do line personnel job descriptions (senior
level to first-line supervisors) include a provision for safety
accountability? Are safety responsibilities clearly defined? Do annual
evaluations include an appraisal of safety performance?
- Is there safety training for employees
performing safety sensitive functions? Who performs the training? How
is it done? Do supervisors receive formal safety training? If so,
please describe.
Explanation
Grantees are encouraged to clearly define the safety responsibilities for all employees and establish a comprehensive safety training program. By providing training to the appropriate personnel, grantees can enhance safety performance in all areas (e.g., accidents, workplace hazards, and emergency preparedness). Training may consist of initial training to new hires as well as recurrent training to all employees. Additional training may be provided on a case-by-case basis, if employees have a high number of incidents in a particular area of concern.
Reason for the Question
Suggested Practice
Sources of Information
Ask the grantee to provide an overview of its training program for drivers, mechanics, supervisors, and other line personnel. Job descriptions and requirements for safety sensitive positions and supervisory personnel should be discussed with the grantee. The grantee should provide training records of its employees (line personnel and supervisors) to be examined on site. Additionally, training manuals, safety handouts, safety postings and other materials should be made available.
Determination
If the grantee has clearly defined safety responsibilities for safety-sensitive and supervisory personnel and provided adequate training, no advisory comment is made. If safety responsibilities have not been clearly defined, an advisory comment is made. If safety-sensitive and supervisory personnel have not received adequate safety training, an advisory comment is made.
Suggested Corrective Action
If the grantee has not clearly defined safety responsibilities, it should be advised to do so. If the grantee does not have an adequate safety training program, the grantee should be encouraged to develop one.
Back to Questions
- Has the grantee submitted transit safety data in NTD for the past year in a timely manner?
Explanation
All transit agencies, regardless of the number of vehicles operated, are required to provide information by mode and type of service in the Safety & Security Module of NTD on a monthly. If a grantee operates nine or fewer vehicles and has been granted a waiver, it is exempt from the safety and security reporting requirements.
The NTD Safety & Security Module has three components: Major Incident Reporting, Non-Major Incident Safety, and Non-Major Incident Security reporting. Grantees are required to submit information for each component and for all modes except commuter rail. Agencies that operate commuter rail service do not have to report Major Safety Incident and Non-Major Incident Safety data to FTA since these data are available from FRA. However, agencies operating commuter rail service must complete the NTD Major Security Incident and Non-Major Incident Security reports. Major Incident forms are due thirty days after the major incident occurred.
A Major Incident is defined as an event involving a transit vehicle or transit-controlled property, involving one or more of the following:
- A fatality
- Injuries requiring immediate medical attention away from the scene for two or more persons
- Property damage equal to or exceeding $25,000
- An evacuation due to life safety reasons
- A collision at a grade crossing
- A main-line derailment
- A collision with person(s) on a rail right of way resulting in injuries
that require immediate medical attention away from the scene for one or
more persons
- A collision between a rail transit vehicle and
another rail transit vehicle or a transit non-revenue vehicle resulting
in injuries that require immediate medical attention away from the
scene for one or more persons.
- Forcible rape
- Confirmed terrorist/security events
- Bombings
- Chemical/biological/radiological/other release
- Cyber incident
- Hijacking
- Sabotage
Non-Major Incident Safety data include any incident not reported as
a Major Incident and meeting one or more of the following criteria:
- Injuries requiring immediate medical attention away from the scene for one person
- Property damage equal to or exceeding $7,500, but less than $25,000
- All non-arson fires not qualifying as a Major Incident.
Reason for the Question
49 CFR Part 630
Sources of Information
Ask the grantee to provide a summary of its Major Incidents for the past year. Verify that this information is being reported into NTD as required.
Examine three months of Non-Major Incident (Safety) data and ensure that the grantee is reporting information as required.
Determination
If the grantee has submitted the safety data for the past year, the grantee is not deficient. If the grantee has not submitted Major Incident data for the past year or is not submitting information for the current year, the grantee is deficient in the NTD requirements. If the grantee has not submitted Non-Major Incident Safety data, the grantee is deficient in the NTD requirements.
Suggested Corrective Action
The grantee needs to submit information in the NTD as required.
Back to Questions
Part B. Security and Emergency Preparedness
- Does the grantee utilize the one percent expenditure of its Urbanized Area Formula Grant funds for transit security?
- If yes, how did the grantee utilize the one percent expenditure over the last three years?
- If no, why does the grantee consider that existing security measures meet agency needs?
Provide project and expenditure information for the last three years in Exhibit 19.1 for both FTA and locally funded projects.
Explanation
The grantee is required to certify that it is spending at least one percent of the Urbanized Area Formula Grant (UAFG) Program funds it receives annually for transit security projects or that such expenditures are not necessary. This certification is part of the annual certifications and assurances.
For grantees that spend the one percent, examples of appropriate security expenditures include increased lighting in or adjacent to a transit system (including bus stops, subway stations, parking lots, and garages), increased camera surveillance of an area in or adjacent to that system, emergency telephone line or lines to contact law enforcement or security personnel in an area in or adjacent to that system, and any other project intended to increase the security and safety of an existing or planned transit system. Grantees should provide detail on how these funds were spent during the review period.
There are a variety of reasons that grantees may have for considering the one percent security expenditure to be unnecessary. For example, a grantee in a small urban area may determine that existing security measures meet their needs, or that the level of security-related incidents and potential threats do not warrant further expense in this area. Another example may be that a grantee spends sufficient local funds on security projects and therefore, does not need to spend formula grant funds on security projects. Regardless of their reasons for deciding not to spend FTA formula funds on transit-related security, grantees should provide information and documentation that supports this decision.
Reason for the Question
5302(a)(1)and 5307 (d)(1)(J) (i) and (ii))
Sources of Information
If a grantee is spending one percent of its formula funds on security projects, the grantee should provide the detail of these expenditures for each year of the review period in the requested format as well as documentation that supports these expenditures.
If the grantee has decided that it is not necessary to expend one percent of its UAFG funds, the grantee should provide a written explanation and any information that supports this decision. Such information may include an inventory of existing security measures (facilities and personnel) and threat assessments. If the grantee indicates that it spends local funds on security, the grantee should provide expense detail in the requested format as well as documentation that supports these expenditures.
Determination
If the grantee has been spending at least one percent of its Urbanized Area Formula Grant Program funds on transit security projects, the grantee is not deficient. If the grantee has decided that the expenditure is not necessary and can provide an explanation and adequate documentation, the grantee is not deficient. If the grantee decides that expenditures for security are necessary but cannot document the expenditures, the grantee is deficient. If a grantee decides that expenditures for security are necessary but expenditures fall short of the one percent requirement, the grantee is deficient. If the grantee cannot provide adequate documentation of its security expenditures using formula funds, the grantee is deficient. If the grantee decides that expenditures for security are not necessary but cannot explain or provide adequate documentation to support its decision, the grantee is deficient.
Suggested Corrective Action
The grantee needs to provide a plan for meeting the one percent expenditure requirement and report on implementation of this plan to the FTA. The grantee needs to provide a plan for documenting the amount of formula funds spent on transit security. The grantee should provide an explanation and adequate documentation on why the expenditure is not necessary.
Back to Questions
Management and Accountability
- Does the grantee have a written system security program plan and emergency management plan for all modes of operation?
- Have the security and emergency management plans been updated to reflect anti-terrorist measures?
- Has the grantee reviewed and updated its emergency management plan in light of Hurricane Katrina?
- Are there provisions in the
emergency management plan establishing requirements for “essential
personnel” in the event that a mandatory evacuation is declared by
local, state or federal government officials?
Explanation
FTA has specific requirements for a written system security plan for rail fixed guideway systems (RFGS). FTA encourages all transit systems, particularly those in areas with populations of 200,000 or more, to develop and implement a transit system security program plan and emergency management plans that cover passengers, employees, vehicles, and facilities, including the planning, design, and construction of new facilities. Guidance on the development and implementation of system security program plans is available in a report entitled, The Public Transportation System Security and Emergency Preparedness Planning Guide (DOT-VNTSC-FTA-03-01), dated January 2003.
In order to respond quickly and appropriately during security and emergency events, it is advisable that grantees also have an emergency management plan that includes all modes of operation. An effective plan will include the following elements:
- definition of an emergency event
- personnel roles and responsibilities
- emergency response procedures
- evacuation procedures (if necessary)
- procedures to restore normal operations.
The types of emergencies addressed by the plan should include fires, major incidents, power failures, bomb threats, acts of terrorism, natural disasters (e.g., earthquake, flood, or tornado), and hazardous material spills or intrusions. Emergency events can originate within a transit system or may be caused by external factors. As such, it is important that an emergency management plan include procedures to coordinate with other organizations when applicable.
Emergency management plans should also include procedures to conduct evacuations of affected areas, both prior to a known threat (e.g., hurricane or flood) as well as after a sudden incident (e.g., toxic chemical spill or release). Transit employees considered to be essential for responding to the event and assisting in the evacuation should be clearly identified in the plans and the information should be coordinated with local, regional, state and federal emergency planners as necessary.
Note: Security plans must be examined on-site. Security plans must not be removed from the grantee’s premises.
Reason for the Question
49 CFR 659.31
Security Program Action Item No. 1
Security Program Action Item No. 2
Sources of Information
If the grantee has a written system security plan, it should be examined at the site visit. The grantee should provide a copy of its emergency management plan. The emergency management plan may not be a stand-alone document, but may be a chapter or section of a more comprehensive safety/security plan, such as a System Safety Program Plan for a Rail Fixed Guideway System. The plan should cover all modes the contractor operates, including contracted services.
Determination
If the grantee has a system security program plan for all modes, no advisory comment is made. If a grantee does not have a system security plan for all modes, an advisory comment is made. If a grantee has a security plan for each mode, but it does not include anti-terrorist measures, procedures to address threat conditions, or procedures to conduct evacuations, an advisory comment is made.
If the grantee has an emergency management plan, no advisory comment is made. If the grantee does not have an emergency management plan or if the plan does not cover all modes, an advisory comment is made.
If the grantee’s emergency management plan identifies essential emergency response personnel, no advisory comment is made. If the emergency management plan does not identify essential personnel, an advisory comment is made.
Suggested Corrective Action
If the grantee does not have a written system security program plan for all modes, the grantee should be encouraged to prepare and implement one. If the grantee’s plan does not include anti-terrorism measures or procedures to address threat conditions, the grantee should be encouraged to update its plan according to FTA guidelines.
Advise the grantee to develop an emergency management plan.
Back to Questions
- Are the security and emergency management
plans an integrated system program, including regional coordination
with other agencies, security design criteria in procurements, and
organizational charts for incident command and management systems?
Explanation
A grantee’s security and emergency management plans should be an integrated system program with procedures modeled on FTA’s recommended procedures including responses to a chem/bio incident. The security procedures should address such specifics as incident reporting, evacuating passengers and personnel, establishing a command center, isolating affected areas and/or vehicles, restoring power and/or communications, and notifying the appropriate law enforcement agencies. More information is available in FTA’s The Public Transportation System Security and Emergency Preparedness Planning Guide.
Furthermore, a grantee needs to coordinate its own security and emergency response procedures with that of outside agencies such as local law enforcement, fire departments/rescue squads, emergency medical services, and emergency management agencies. As such, it is important to establish these relationships beforehand. These relationships are most often the product of formal agreements between the agencies involved. Agreements between agencies should establish a chain of command and define roles and responsibilities, as well as financial obligations. There should be a list of personnel involved along with telephone numbers, radio frequencies, and call codes.
Reason for the Question
Security Program Action Item No. 3
Sources of Information
The grantee should provide copies of security procedures. Also, the grantee should provide copies of any inter-agency agreements that outline a coordinated emergency response. If no formal agreements exist, ask if the grantee has met with representatives of other agencies to discuss and/or plan emergency response coordination.
Determination
If the grantee has security procedures, no advisory comment is made. If the grantee has no written security procedures, an advisory comment is made. If procedures do not include procedures to address a chem/bio incident, an advisory comment is made. If the grantee is a party to an agreement that outlines emergency response coordination, no advisory comment is made. If no agreement exists, but the grantee has taken steps to establish coordinated emergency response procedures with other agencies, no advisory comment is made. If the grantee has not made efforts to coordinate emergency response procedures with other agencies, an advisory comment is made.
Suggested Corrective Action
If the grantee does not have written procedures for handling security incidents, it should be encouraged to develop them. If the procedures do not include managing a chem/bio incident, the grantee should be encouraged to revise them to address these incidents. Advise the grantee to establish contacts with other agencies and begin developing coordinated emergency response procedures.
Back to Questions
- Have the security and emergency management plans been signed, endorsed, and approved by top management?
Explanation
Similar to safety plans, security and emergency management plans should be endorsed by the agency’s highest official (e.g., CEO, Executive Director, or General Manager). The endorsement should include a policy statement that emphasizes the importance of the plans, which is communicated throughout the entire organization.
Reason for the Question
Security Program Action Item No. 4
Sources of Information
The grantee’s security and emergency management plans should be examined at the site visit. Reviewers should discuss with the grantee the reporting relationships in regard to security and emergency management to ensure that these functions are managed adequately.
Determination
If the grantee’s security and emergency management plans are signed by the top official, no advisory comment is made. If the plans do not have an endorsement from the top official, an advisory comment is made.
Suggested Corrective Action
If the grantee’s security and/or emergency management plans are not adequately endorsed, the grantee should be encouraged to revise the plans as necessary. If the plans do not adequately address management of the security and emergency management functions, the grantee should revise the plans to correct any deficiencies.
Back to Questions
- Have the security and emergency management programs been assigned to a senior level manager?
- Have security responsibilities been defined and delegated from management?
- Are all operations and maintenance
supervisors, forepersons, and managers held accountable for security
and emergency management issues under their control?
Explanation
Grantees are encouraged to clearly define the lines of responsibility for the security and emergency management programs. These responsibilities should be clearly defined from the most senior managers to the front line employees. The grantee’s organization chart should reflect the lines of responsibility. All employees should know what their duties are in the event of a security breach or emergency event. The duties should include reporting procedures. Furthermore, lines of delegated authority and succession of responsibilities should be established in order to ensure adequate control and operation of the transit system throughout the course of the incident or event.
Adequate management of the security and emergency management programs should include regular meetings and updates involving appropriate department and staff. Also, continuous monitoring and briefings should be performed to ensure that all systems and personnel are at the appropriate level of alert.
Reason for the Question
Security Program Action Item No. 5
Security Program Action Item No. 6
Security Program Action Item No. 7
Sources of Information
The grantee should provide an overview of its organizational structure as it relates to security and emergency management programs. Job descriptions and requirements for safety sensitive positions and supervisory personnel should be discussed with the grantee.
Determination
If the grantee has clearly defined security and emergency management responsibilities for its personnel, no advisory comment is made. If responsibilities have not been clearly defined, an advisory comment is made.
Back to Questions
Security Problem Identification
- Has a threat and vulnerability assessment resolution process been established and is it used?
Explanation
In order to gauge the effectiveness of a security program plan, it is advisable for grantees to conduct periodic threat and vulnerability assessments. Such assessments may include mock incidents in which the response of transit agency personnel is observed to determine adequacy. Assessments should be designed to reveal areas of potential security risks for criminal activity (e.g., assaults, vandalism, or drug dealing) as well as for acts of terrorism. Threat and vulnerability assessments should cover all aspects of the transit operations -- personnel, passengers, facilities, and vehicles. FTA has developed guidelines for conducting these assessments. The guidelines can be found in The Public Transportation System Security and Emergency Preparedness Planning Guide.
Reason for the Question
Security Program Action Item No. 8
Sources of Information
Determine if the grantee has performed a threat and vulnerability assessment. When applicable, the grantee should provide copies of any recent assessments that can be reviewed during the site visit. If no formal assessments have been conducted, check whether the grantee’s security staff have performed informal assessments or have identified weaknesses in existing procedures or potential problem areas within the system.
Determination
If the grantee has conducted a threat and vulnerability assessment of security risks, no advisory comment is made. If no assessment has been conducted, an advisory comment is made. If an assessment of potential acts of terrorism has not been performed, an advisory comment is made.
Suggested Corrective Action
If the grantee has not conducted a threat and vulnerability assessment, the grantee should be encouraged to do so. If a grantee has conducted an assessment, but did not include an assessment of potential acts of terrorism, the grantee should be encouraged to conduct an assessment of these threats.
Back to Questions
- Has the grantee joined the FBI’s Joint
Terrorism Task Force (JTTF) or other regional anti-terrorism task force
and/or the Surface Transportation Intelligence Sharing & Analysis
Center (ST-ISAC)?
Explanation
Grantees are encouraged to join the JTTF (if they have their own law enforcement personnel) or ST-ISAC in order to facilitate coordination on regional security matters throughout the area and share intelligence with law enforcement and other agencies. The ST-ISAC is a clearinghouse of security threats, vulnerabilities and solutions. Members report and receive information through the ST-ISAC to assist them and other members in preparing for and responding to threats. APTA is the public transportation sector coordinator for the ST-ISAC.
Reason for the Question
Security Program Action Item No. 9
Sources of Information
Ask the grantee if it has joined the JTTF, ST-ISAC, or other agency to share intelligence on potential threats.
Determination
If the grantee has joined the JTTF, ST-ISAC, or another agency for the purpose of sharing intelligence on potential threats, no advisory comment is made. If the grantee has not joined the JTTF, ST-ISAC, or another agency, an advisory comment is made.
Suggested Corrective Action
IIf the grantee is not participating in a regional task force, advise the grantee to join the JTTF, ST-ISAC or other regional task force in order to share intelligence on potential threats.
Back to Questions
- Is security information reported through the National Transit Database (NTD)?
Explanation
All grantees, regardless of the size of their urbanized areas, are required to report security data as part of their National Transit Database (NTD) report. Transit agencies are required to provide information by mode and type of service in the Safety & Security Module of NTD on a monthly basis. If a grantee operates nine or fewer vehicles and has been granted a waiver, it is exempt from the safety and security reporting requirements.
The NTD Safety & Security Module has three components: Major Incident Reporting, Non-Major Incident Safety, and Non-Major Incident Security reporting. Grantees are required to submit information for each component and for all modes except commuter rail. Agencies that operate commuter rail service do not have to report Major Safety Incident and Summary Safety data to FTA since these data are available from FRA. However, agencies operating commuter rail service must complete the NTD Major Security Incident and Non-Major Incident Security reports. Major Incident forms are due thirty days after the major incident occurred.
Non-Major Incident Security data include any incident not reported as a Major Incident and meeting one or more of the following criteria:
Occurrence of Part I Offenses (except homicide):
- Robbery
- Aggravated assault
- Burglary
- Larceny/theft
- Motor vehicle theft
- Arson.
Arrest/Citation for Part II Offenses:
- Other assaults
- Vandalism
- Trespassing
- Fare evasion.
Occurrence of Other Security Issues:
- Bomb threat
- Non-violent civil disturbance
Occurrence of Suicides and Attempts.
Reason for the Question
Security Program Action Item No. 9
49 CFR 630
Sources of Information
The grantee should provide a summary of its Major Incidents for the past year. Verify that this information is being reported to NTD as required (see Question 9). Examine three months of Non-Major Incident Security data and ensure that the grantee is reporting information as required.
Determination
If the grantee has submitted the security data for the past year, the grantee is not deficient. If the grantee has not submitted the required security data for the past year or is not making current-year submissions as required, the grantee is deficient in the NTD requirements.
Suggested Corrective Action
If the grantee is not reporting NTD information, the grantee should submit information in the NTD as required.
Back to Questions
Employee Selection
- Have background investigations been conducted on all new front-line operations and maintenance employees?
- Have criteria for background investigations been established?
Explanation
Operating personnel have a responsibility for the safety of the public that they serve. As such, it is imperative that grantees take all available precautions in the hiring process to ensure the public’s safety and security. Criminal background checks can be used to identify individuals that may pose a potential threat to the public safety and security. Although the focus of background checks is on new hires, grantees are encouraged to conduct checks for all operating employees, particularly those with access to safety and/or security critical systems (e.g., revenue vehicle operations and maintenance, signal rooms, and control centers). Grantees should establish specific criteria for background checks by employee type (e.g., operator, maintenance employees, safety/security sensitive, and contractors). These criteria should be documented.
Reason for the Question
Security Program Action Item No. 10
Security Program Action Item No. 11
Sources of Information
The grantee should describe criminal background checks performed on applicants for operating positions. If available, examine recent job applications (blank) or descriptions of application requirements. An individual’s criminal background information is strictly confidential. Under no circumstances should a reviewer request to see individual records. Answers to these questions should be discussed in general terms within the context of the grantee’s hiring practices.
Determination
If the grantee conducts criminal background checks on applicants for operating positions, no advisory comment is made. If criminal background checks are not conducted for new hires, an advisory comment is made. If the grantee conducts background checks for new hires, but has not done so for existing employees, no advisory comment is made. However, grantees should be encouraged to check the criminal backgrounds of all operating employees, particularly those with access to safety and/or security critical systems.
Suggested Corrective Action
The grantee should be encouraged to implement a program to conduct criminal background checks on all applicants for operating positions and for existing operating employees.
Back to Questions
Training
- Is security orientation or awareness material provided to all front-line employees?
- Are there ongoing training programs on security and emergency procedures by work area?
Explanation
Operating personnel are the first line of defense against security incidents originating from outside the agency. Bus drivers, rail crews, ticket agents, and passenger attendants should be trained in identifying suspicious and illegal activity. Operating personnel should be trained to respond appropriately to such activity in order to prevent or mitigate security incidents in a manner that ensures the safety of the riding public and transit employees.
Non-operating personnel also should be trained to identify suspicious activity. Of particular concern for non-operating personnel is suspicious activity occurring in the workplace (e.g., unauthorized personnel in secure areas, suspicious packages left in corridors, threatening speech or actions by co-workers). All employees should be trained to identify potential threats and to respond appropriately For example, suspicious persons loitering in corridors, waiting areas, or receiving areas should be reported to security. Co-workers who engage in threatening behaviors should be reported to the appropriate supervisors. The goal of identifying such activities is, at best, to prevent incidents from occurring or, at a minimum, prevent incidents from escalating beyond the control of security or law enforcement personnel who are on-site.
A grantee’s emergency management plan should include emergency response procedures. Furthermore, each type of emergency (e.g., fire, bomb threat, flood, or hazardous materials) should have its own unique set of procedures. Each set of procedures should identify which personnel will be involved in the response and what their roles and responsibilities will be. All personnel involved in responding to emergencies should be trained in their proper role and periodic drills should be performed.
Reason for the Question
Security Program Action Item No. 12
Security Program Action Item No. 13
Sources of Information
Procedure manuals, employee handbooks, and training materials may provide information on the grantee’s efforts to assist employees in identifying suspicious and illegal activity. Check if security training seminars or workshops have been conducted for all employees.
Review the grantee’s emergency management plan to determine if procedures exist for various types of emergency events. Review standard operating procedures manuals or employee handbooks to determine if these contain references to emergency procedures.
Determination
If the grantee has provided training to operating and non-operating personnel, no advisory comment is made. If training has not been provided to operating personnel, an advisory comment is made. If training has not been provided to non-operating personnel, an advisory comment is made. If the grantee has procedures to respond to different types of emergencies, no advisory comment is made. If procedures do not exist, an advisory comment is made.
Suggested Corrective Action
If the grantee has not provided training on recognizing and reporting suspicious or illegal activity to either operating or non-operating personnel, the grantee should be encouraged to do so. If the grantee has not conducted training for emergency response procedures, the grantee should be encouraged to do so.
Back to Questions
Public Awareness
- Have public awareness materials been developed and distributed on a systemwide basis?
Explanation
The grantee should disseminate information to the riding public on identifying and reporting suspicious or illegal activity. Public service announcements, billboards, and brochures are effective mechanisms to provide security information to passengers. Grantees also should consider implementing FTA’s Transit Watch program at their agency.
Reason for the Question
Security Program Action Item No. 14
Sources of Information
The grantee should provide any information related to security that has been disseminated to passengers.
Determination
If passengers have received information on recognizing and reporting suspicious or illegal activity, the grantee is not deficient. If security information has not been provided to passengers, an advisory comment is made.
Suggested Corrective Action
If information on recognizing and reporting suspicious or illegal activity has not been provided to the riding public, the grantee should be encouraged to do so.
Back to Questions
Audits and Drills
- Has the grantee conducted periodic audits of security policies and procedures?
- Are tabletop and functional drills
conducted at least once every six months, and are full-scale exercises,
coordinated with regional emergency response providers, performed at
least annually?
Explanation
It is important for grantees to audit security and emergency response procedures and to take all necessary steps to identify potential security and emergency events. In determining the likelihood of security and emergency scenarios, a grantee can take actions to reduce the chances of an event occurring or, at a minimum, lessen its effects. For example, identifying fire hazards and implementing measures to address them can reduce or even eliminate the risk of fires from potential sources. Some events, such as natural disasters, are not preventable. However, with proper planning, the effects of these events can be mitigated.
Reason for the Question
Security Program Action Item No. 15
Security Program Action Item No. 16
Sources of Information
The grantee should describe what audits, drills, exercises, and/or assessments of potential emergency events have been conducted. Review any reports or memoranda that contain assessment information. Determine if the grantee has included all probable emergency events. For example, if the grantee is in an area prone to tornadoes, an assessment of the grantee’s response to a tornado emergency should be conducted. Likewise, if part of its service area is on a floodplain, the grantee’s assessment should include flood emergency response procedures. Ask the grantee if any after-action reports were prepared. If so, determine if the grantee has taken the necessary corrective actions to address the reports findings.
Determination
If the grantee has conducted an audit of its security policies and procedures, no advisory comment is made. If the grantee has not conducted an audit of its security policies and procedures, an advisory comment is made. If the grantee has conducted assessments of potential emergency events, no advisory comment is made. If the grantee has not conducted assessments of potential emergency events or if assessments have not included all probable emergencies, an advisory comment is made.
Suggested Corrective Action
Advise the grantee to conduct periodic audits and/or assessments of potential security/emergency events, including man-made and natural disasters as well as terrorism.
Back to Questions
Document Control
- Is access to documents of security critical systems and facilities controlled?
- Is access to security sensitive documents controlled?
Explanation
Controlling access to documents of security critical systems safeguards the public, transit employees and transit assets from potential sabotage and security risks. Grantees should ensure that an appropriate level of security is provided around the plans and designs of its operating and maintenance facilities and its infrastructure (e.g., tunnels, bridges, electrical substations, etc.). Also, measures to protect documentation for security detection systems also should be tightly controlled. The grantee should develop document control procedures to ensure that such documents are identified and that a person or department is made responsible for administering the document control program.
Reason for the Question
Security Program Action Item No. 17
Security Program Action Item No. 18
Sources of Information
Check if there are adequate document control procedures to safeguard security sensitive materials and documentation of security critical systems. Policies and procedures also should be reviewed.
Determination
If the grantee has procedures to control access to documentation of security critical systems and facilities and security sensitive documents, no advisory comment is made. If the grantee does not have procedures to control access to documentation of security critical systems and facilities and security sensitive documents, an advisory comment is made.
Suggested Corrective Action
Advise the grantee to develop procedures to control access to documentation for security critical systems and security sensitive documents.
Back to Questions
Access Control
- Have background investigations been conducted of contractors or others who require access to security critical facilities?
- Are ID badges used for all visitors, employees, and contractors to control access to key critical facilities?
Explanation
Some grantee’s rely on contractors to operate and maintain their transit assets and facilities. As such, contractor personnel often have access to security critical systems and facilities. Grantees having contractors who perform work that is security sensitive should provide the same level of scrutiny in granting these personnel access to security critical systems as they would their own employees. Background checks should be conducted an all contractor personnel with access to security critical systems and facilities. Also, grantees should take steps to ensure that visitors and others who may be granted access to certain security critical facilities be appropriately screened.
Reason for the Question
Security Program Action Item No. 19
Sources of Information
Review the grantee’s policies and procedures that pertain to granting access to security critical systems and facilities.
Determination
If the grantee has policies and procedures for granting access to security critical systems and facilities, no advisory comment is made. If the grantee does not have policies and procedures for granting access to security critical systems and facilities, an advisory comment is made.
Suggested Corrective Action
Advise the grantee to develop procedures for access control for security critical systems and facilities.
Back to Questions
Homeland Security
- Have protocols been established to respond to the Department of Homeland Security Threat Advisory Levels?
Explanation
FTA recommends that all grantees have an updated security plan that addresses terrorism as well as procedures to respond to the different levels of threat conditions that are issued by the Department of Homeland Security.
Reason for the Question
Security Program Action Item No. 20
Sources of Information
The grantee’s security plan and/or procedures should be examined to ensure that there are protocols for responding to the Department of Homeland Security’s threat advisory levels.
Determination
If the grantee has protocols for responding to threat advisory levels, no advisory comment is made. If the grantee does not have protocols for responding to threat advisory levels, an advisory comment is made.
Suggested Corrective Action
The grantee should be encouraged to develop protocols to respond to Department of Homeland Security threat advisory levels.
Back to Questions
