Federal Register, Volume 68 Issue 57 (Tuesday, March 25, 2003)

[Federal Register Volume 68, Number 57 (Tuesday, March 25, 2003)]
[Rules and Regulations]
[Pages 14510-14521]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 03-7080]

[[Page 14509]]

-----------------------------------------------------------------------

Part IV

Department of Transportation

-----------------------------------------------------------------------

Research and Special Programs Administration

-----------------------------------------------------------------------

49 CFR Part 172

Hazardous Materials: Security Requirements for Offerors and
Transporters of Hazardous Materials; Final Rule

Federal Register / Vol. 68, No. 57 / Tuesday, March 25, 2003 / Rules
and Regulations

[[Page 14510]]

-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Research and Special Programs Administration

49 CFR Part 172

[Docket No. RSPA-02-12064 (HM-232)]
RIN 2137-AD67

Hazardous Materials: Security Requirements for Offerors and
Transporters of Hazardous Materials

AGENCY: Research and Special Programs Administration (RSPA), DOT.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Research and Special Programs Administration is
establishing new requirements to enhance the security of hazardous
materials transported in commerce. Shippers and carriers of certain
highly hazardous materials must develop and implement security plans.
In addition, all shippers and carriers of hazardous materials must
assure that their employee training includes a security component.

EFFECTIVE DATE: This final rule is effective March 25, 2003.

FOR FURTHER INFORMATION CONTACT: Susan Gorsky, (202) 366-8553, Office
of Hazardous Materials Standards, Research and Special Programs
Administration.

SUPPLEMENTARY INFORMATION:

I. Background

On May 2, 2002, the Research and Special Programs Administration
(RSPA, we) published a notice of proposed rulemaking (NPRM) to enhance
the security of hazardous materials in transportation (67 FR 22028).
Proposals for amending the Hazardous Materials Regulations (HMR; 49 CFR
parts 171-180) included a requirement for motor carriers registered
with the agency to maintain a copy of their current registration
certificate on each motor vehicle. We further proposed to require
shipping papers to include the name and address of the consignor and
consignee and the shipper's DOT Hazmat Registration number, if
applicable. In addition, we proposed to require shippers and carriers
of certain highly hazardous materials to develop and implement security
plans. We also proposed to require hazardous materials shippers and
carriers to assure that their employee training includes a security
component. The NPRM provided a 30-day comment period.
On May 23, 2002, in response to a number of requests, we extended
the comment period for the NPRM an additional 30 days (67 FR 36138).
The comment period closed July 3, 2002.
In addition, on July 16, 2002, RSPA and the Federal Motor Carrier
Safety Administration (FMCSA) published an advance notice of proposed
rulemaking (ANPRM) to examine the need for enhanced security
requirements for hazardous materials transported by motor carriers (67
FR 46622). The two agencies are seeking comments on the feasibility of
specific security enhancements and the potential costs and benefits of
deploying such enhancements. Security measures addressed in the ANPRM
include escorts, vehicle tracking and monitoring systems, emergency
warning systems, remote shut-offs, direct short-range communications,
notification to State and local authorities, and operational measures.
The comment period for the ANPRM was extended until November 15, 2002.
Late-filed comments will be considered to the extent feasible.
In this final rule, we are adopting the following revisions to the
HMR to enhance the security of hazardous materials transported in
commerce:

--Shippers and carriers subject to the registration requirements in 49
CFR part 107 or who offer or transport select agents and toxins
regulated by the Centers for Disease Control and Prevention (CDC) must
develop and implement security plans.
--Hazmat employers must provide security training to their hazmat
employees. Hazmat employees of companies required to have a security
plan under this final rule must be trained in the plan's specifics. All
hazmat employees must receive training that provides an awareness of
the security issues associated with hazardous materials transportation
and possible methods to enhance transportation security. This training
must also include a component covering how to recognize and respond to
possible security threats.

When conducting inspections at shipper and other facilities, DOT
inspectors will be looking for security plans and training records
related to security. If violations are found, appropriate penalty
action will be initiated. Baseline penalties for these violations will
be provided in a civil penalty rulemaking that we expect to issue in
the near future.

II. Analysis of Comments

We received over 270 comments on the May 3, 2002, NPRM from
hazardous materials shippers, carriers, industry associations, and
State and local government agencies. Commenters unanimously support the
NPRM's goal of enhancing the secure transportation of hazardous
materials. However, most commenters have significant concerns about
some or all of the specific proposals in the NPRM. For example, some
commenters suggest that the NPRM proposals do not provide an
appropriate balance between security and economic goals. In addition,
some commenters oppose some or all of the proposed security
requirements because they would not have prevented the September 11,
2001, terrorist attacks. Several commenters also suggest that we should
defer to the Transportation Security Administration (TSA) or the
proposed Department of Homeland Security on security issues. Further,
many commenters express reservations about the scope of the NPRM and
the applicability of some of its provisions to most shipments of
hazardous materials. As well, a significant proportion of commenters
oppose some or all of the proposals concerning registration numbers and
certificates, shipping documentation requirements, security plans, and
security training. Finally, many commenters suggest that we seriously
underestimated the potential cost impacts of the proposals in the NPRM.
These comments are discussed in detail below.

A. Security Versus Economic Efficiency

Several commenters express concern that the NPRM proposals in the
aggregate will result in unacceptable economic burdens on the industry
and will adversely affect the efficiency with which hazardous materials
are routinely transported. ``We also are concerned that the proposed
measures will be expensive to implement and will introduce
inefficiencies to the manner in which hazardous materials are
transported. In responding to the events of September 11th, we must not
compromise our ability to move large amounts of hazardous materials in
an efficient, cost-effective manner. Introducing inefficiencies to our
freight transportation system helps further the terrorists' goals of
disrupting the American way of life.'' (American Trucking Associations)
As we stated in the NPRM, hazardous materials are essential to the
economy of the United States and the well-being of its people. Our goal
in this rulemaking is to implement security requirements that will be
effective in preventing hazardous materials from being used as tools of
destruction and terror while permitting continued transportation of
these essential products. We applaud those in the industry who have
recognized their responsibility for

[[Page 14511]]

enhanced security for the products they manufacture and transport and
have developed and implemented thorough and detailed security programs.
We do not agree that the imposition of prudent, common-sense security
measures will cause massive disruptions in the movement of hazardous
materials. We recognize that the provisions proposed in the NPRM and
adopted, with modifications, in this final rule, will impose new costs
of doing business on both hazardous materials shippers and carriers. As
discussed in the following sections, in this final rule we revised
certain proposals in response to comments on the NPRM to increase the
effectiveness and reduce potential costs impacts of the new security
provisions.
Several commenters note that the security measures proposed in the
NPRM would not have prevented the September 11th terrorist attacks, the
1993 attack on the World Trade Center, or the 1995 attack on the Murrah
Building in Oklahoma City. Nowhere in the NPRM do we state that the
proposed security requirements would have prevented past attacks.
Rather, we discussed the September 11th terrorist atrocities to
indicate the heightened risk of terrorism with which we all now live
and the need to reassess and address security vulnerabilities in all
areas of our public and private lives. The discussion of the attack on
the Murrah Building was intended as an illustration of the devastating
consequences that can result from a criminal or terrorist act involving
hazardous materials and to provide an estimate of the economic costs of
such an act. We cannot limit our actions on security to efforts to
prevent terrorist attacks that have already occurred. It is incumbent
on everyone responsible for the safety and security of the United
States to proactively assess future terrorist threats and take actions
to try to prevent future attacks. We believe that the new requirements
in this final rule will enhance the security of hazardous materials in
transportation and, thus, help to deter and prevent terrorists from
using hazardous materials in the transportation system as weapons of
destruction or intimidation.

B. Security Authority

Some commenters question whether RSPA is the appropriate agency to
issue transportation security regulations. These commenters suggest
that the Transportation Security Agency (TSA) or the proposed
Department of Homeland Security would be better suited to issue
transportation security-related regulations. One commenter points out
that TSA has been given the responsibility for security in all modes of
transportation, and that TSA has been authorized to issue, rescind and
revise such regulations as are necessary to carry out the functions of
the Administration.
The HMR are promulgated under the mandate in Sec. 5103(b) of
Federal hazardous materials transportation law (Federal hazmat law; 49
U.S.C. 5101 et seq., as amended by Sec. 1711 of the Homeland Security
Act of 2002, Pub. L. 107-296) that the Secretary of Transportation
``prescribe regulations for the safe transportation, including
security, of hazardous material in intrastate, interstate, and foreign
commerce.'' Section 5103(b)(1)(B) provides that the HMR ``shall govern
safety aspects, including security, of the transportation of hazardous
material the Secretary considers appropriate.''
Hazardous materials shippers and carriers should be aware that this
final rule is the first step in what may be a series of rulemakings to
address the security of hazardous materials shipments. The joint RSPA-
FMCSA ANPRM described above may result in one or more proposals to
require specific security measures for hazardous materials that pose a
significant security risk in transportation. In addition, TSA is
developing regulations that are likely to impose additional
requirements beyond those established in this final rule. We consult
and coordinate with TSA concerning security-related hazardous materials
transportation regulations and will continue to do so after TSA becomes
part of the new Department of Homeland Security.

C. Industry Consensus Standards

One commenter suggests that we should work with the hazardous
materials industry to develop consensus standards for hazardous
materials transportation security. ``Instead of implementing its
proposals, RSPA should hold one or more public meetings to solicit
recommendations from shippers, carriers, and other members of the
interested public as to security enhancements, and as to regulatory
approaches, that will accomplish more, and do so more efficiently.''
(National Small Shipments Traffic Conference, Inc., and the Health and
Personal Care Logistics Conference, Inc.) We appreciate this
suggestion; indeed, we are aware that a number of industry associations
have developed and disseminated recommendations for enhancing the
security of hazardous materials and expect that they will form the
basis for many individual company plans. However, we do not agree that
a consensus-standards approach is appropriate for this rulemaking.
Consensus standards generally are specification standards; that is,
they set forth specific requirements for achieving a regulatory goal.
One of the goals of this final rule is to establish a performance
standard for hazardous materials transportation security plans.
Performance standards generally permit a regulated entity to determine
the specific measures necessary to achieve compliance with the
established performance goal. In the case of hazardous materials
transportation security, the flexibility provided by a performance
standard permits a company to implement a security plan that is
tailored to its specific circumstances and operations.
A consensus-standards process is a lengthy process. It can take
many months or even years for the parties developing such a standard to
reach consensus on the appropriate measures to be implemented. The
security threat is real and ongoing. We do not have the time to spend
on development of a consensus standard for hazardous materials
transportation security.

D. Registration Certificates

Currently, each motor carrier transporting certain classes or
divisions of hazardous materials is required to file with RSPA a
registration statement and pay an annual fee (49 CFR part 107). A
Certificate of Registration (certificate), which includes a U.S. DOT
Hazmat Registration Number, is then issued by RSPA to the carrier. A
carrier must display its registration number on a document carried on
each motor vehicle, but need not maintain a copy of the certificate
itself on each vehicle. The NPRM proposed to require each motor carrier
registered with RSPA to maintain a copy of its current registration
certificate on each motor vehicle used to transport hazardous
materials. We suggested that the actual certificate could assist State
and local law enforcement personnel to determine whether a carrier is a
legitimate transporter of hazardous materials.
Commenters overwhelmingly oppose this proposal, primarily because
the registration system as currently structured is not designed to make
determinations as to the legitimacy of registrants. ``[A] valid
registration certificate is no indication that a transporter is
`legitimate.' It is not an endorsement of regulatory compliance. It is
simply proof of payment.'' (Institute of Makers of Explosives)
Commenters also note that the registration system has no relevance to
transportation security. ``[T]he act of registering and obtaining a DOT
registration certificate and number * * * does nothing to ensure that
the

[[Page 14512]]

registrant is not a potential risk to transport security. * * * In no
case is any background investigation conducted before registering an
applicant, or even investigation to ensure that the applicant is a bona
fide company legitimately engaged in the offering for transport and/or
transport of hazardous materials.'' (The Conference on the Safe
Transportation of Hazardous Articles, Inc.) In addition, commenters
suggest that a registration certificate can easily be copied or
falsified. Even those commenters who support the proposal for motor
carriers to maintain a copy of their registration certificates on
transport vehicles state that the proposal will not enhance
transportation security.
We have reconsidered this issue in light of the overwhelming
opposition expressed by commenters to this proposal, and it is not
adopted in this final rule. We agree with commenters that, absent
significant changes to the current registration system, the mere
presence of a registration certificate in a motor vehicle transporting
hazardous materials will do little to enhance transportation security
or to assist enforcement personnel to verify the legitimacy of
hazardous materials carriers.

E. Shipping Papers

Currently, the HMR generally require each person who offers a
hazardous material for transportation to describe the material on a
shipping paper. However, there is no requirement for a shipping paper
to include the name and address of the person offering the shipment or
the person to whom the shipment will be delivered. The NPRM proposed to
require each shipping paper to include the name of the shipment
consignor and the address from which the shipment originates and the
name and address of each person to whom the shipment will be delivered.
In addition, we proposed to require each shipping paper to include the
U.S. DOT Hazmat Registration Number, if applicable, of the person
offering the shipment for transportation. The proposal was intended to
assure that shipping papers included information to assist law
enforcement personnel to promptly ascertain the legitimacy of hazardous
materials shipments during routine or random roadside inspections and
to identify suspicious or questionable situations where additional
investigation may be necessary.
As with the proposal to require motor carriers to maintain copies
of registration certificates in vehicles transporting hazardous
materials, commenters overwhelmingly oppose the proposal to require
shippers to include registration numbers on shipping papers. Commenters
say that the registration program is not designed to determine whether
shippers are ``legitimate'' and that the proposed requirement will not
enhance shipment security. In addition, commenters suggest that a
requirement to include registration numbers on shipping papers would be
expensive to implement because many shippers would have to modify
computer systems and shipping paper forms to include the new
information. ``Configuring computer systems to provide new data on
shipping documents will cause significant problems for shippers,
carriers, freight forwarders, brokers, agents, and others. Available
display fields are limited and companies will need to redirect their
limited Information Technology (IT) resources to reprogram their
information management systems.'' (Dangerous Goods Advisory Council)
While we believe that commenters have overstated the costs that might
be incurred to modify information systems to accommodate the proposed
registration number requirement, we agree that the paperwork burden is
not justified by the limited security benefits that might result.
Therefore, the registration number proposal is not adopted in this
final rule.
A number of commenters support the proposal to include the names
and addresses of consignors and consignees on shipping papers. ``This
provision, to include the name of the shipment consignor and the
address of the person to whom the shipment will be delivered, is
already widely in use by most companies that ship hazardous materials
and therefore is readily acceptable.'' (Dow Chemical Company)
Similarly, ``[i]ndustry routinely prepares thousands of shipping papers
each year and the requirement that the addresses of the consignor and
consignee appear on such documents should not pose a problem or
burden.'' (Nuclear Energy Institute)
Other commenters, however, express serious reservations about the
proposal to require consignor and consignee names and addresses on
shipping papers. Most commenters question whether such a requirement
would actually make it easier to identify suspicious shipments, as
stated in the NPRM, without a system in place to verify the consignor
and consignee information provided. ``Establishing the legitimacy of
any consignor or consignee, and their respective addresses, requires
knowledge and information not `promptly ascertainable' from the
roadside more than a thousand miles from the consignor and consignee as
indicated in the shipping paper.'' (The Conference on the Safe
Transportation of Hazardous Articles, Inc.) As well, commenters suggest
that the proposal is unnecessarily broad and would apply to shipments
of hazardous materials that pose little or no security threat. In
addition, commenters say that, while the proposed requirement for
consignor/consignee names and addresses on shipping papers may have
some security benefit for motor carrier operations, it is not
appropriate for all modes of transportation. Rail carriers, for
example, suggest that the proposal would result in little or no
security benefit for rail car transportation. ``Adding information to
the shipping papers might be useful to a law enforcement officer
stopping a truck on the highway * * * but would add nothing to rail
security. * * * The carload rail network is a fixed network that serves
only those shippers connecting to it. The identity and location of
every rail car shipper is known and only specific destinations can be
reached by rail. The security issues addressed by the proposed street
address requirement are simply not present in rail transportation.''
(CSX Transportation)
Further, shippers and carriers of specific classes and types of
materials cite operational difficulties that they say will make it
difficult to comply with the proposed new requirement. Hazardous waste
generators suggest that the proposed requirement to include consignor
and consignee names and addresses on shipping papers is redundant for
hazardous waste shipments because the EPA hazardous waste manifest
already includes sufficient information for tracking hazardous wastes
from origin to destination. Other commenters are concerned that the
NPRM proposal concerning shipping papers did not consider the positive
security implications of electronic tracking systems that are utilized
by a number of shippers and carriers to monitor shipments. ``[There
are] superior technology and tracking systems in place that not only
track all shipments but also the vehicle or container used to transport
the freight. Unfortunately, RSPA does not give indication that it has
considered the advanced or enhanced security benefits gained from
having such a system in place. RSPA should recognize and waive any
proposed requirements for carriers and companies with these type
information

[[Page 14513]]

systems in place * * * '' (FedEx Express)
Commenters representing shippers and carriers of hazardous
materials used in agricultural applications note that many of the
locations to which they deliver do not have street addresses, making it
difficult to complete a shipping paper as proposed in the NPRM.
``[Agricultural retailers] often deliver their product to farm fields
that don't have addresses, or to farms with rural addresses, and in
some cases in one State, no addresses. * * * Many applicators
intimately know the customer's fields they are delivering to and thus
don't need addresses. Some use maps or air photos that show the fields
or sections of fields that need the products applied.'' (Agricultural
Retailers Association) Representatives of shippers and carriers of
hazardous materials used at construction sites have similar concerns.
Shippers and carriers of compressed gas cylinders used in medical care
and heating oil, diesel fuel, propane, gasoline, and similar materials
that use individual motor vehicles to deliver product to multiple
locations point out that drivers frequently make changes to their
delivery schedules or make emergency or unscheduled deliveries in the
course of a single day, so that a shipping paper with a list of
delivery locations completed in the morning would have to be
significantly altered by the driver during the course of the day as his
delivery schedule is modified. ``It is common practice to have multiple
deliveries of fuel throughout the day. The shipment locations may be
known for some deliveries, but there are numerous instances where the
location of a particular delivery is not known until the truck has
already begun its route. In other words, not every gallon of petroleum
is accounted for when loaded at the bulk plant.'' (BOC Oil Company and
others) Finally, shippers of so-called ``blind shipments'' of hazardous
materials suggest that they would be adversely affected by the
proposal. Blind shipments are transported under product trading
transactions in which the receiving person is not provided information
about the true origin of the shipments delivered to them and the
shipper may not know the true destination of the shipment. ``Thousands
of shipments are made from unnamed locations or from shippers acting as
agents for suppliers who do not wish to be identified for business
reasons. Perhaps an equal number of shipments are made to unnamed
consignees. This NPRM would eliminate this practice resulting in the
loss of millions of dollars in revenue annually for shippers with no
increase in security.'' (Compressed Gas Association)
We do not agree with commenters that the proposed requirement for
consignor and consignee names on shipping papers would provide little
or no security benefit. In the absence of requirements for route plans
or electronic tracking, the name and address of the shipment consignor
and consignee can help law enforcement personnel determine whether a
shipment has been unreasonably diverted and, thus, whether further
investigation is warranted. However, having considered the adverse
comments received on this proposal, we are not adopting it in this
final rule. Instead, we are considering modified procedures for making
consignor and consignee information available to law enforcement
personnel. A modified procedure may be proposed in a future rulemaking.
We note in this regard that the UN Recommendations on the Transport of
Dangerous Goods require the name and address of both the shipment
consignor and consignee to be included on shipping papers (chapter
5.4.1.3). A similar requirement is also in the International Civil
Aviation Organization's Technical Instructions for the Safe Transport
of Dangerous Goods by Air (chapter 4.1.6). Moreover, a provision to
require the consignor and consignee name and address has been adopted
by the International Maritime Organization for inclusion in Amendment
3.1 of the International Maritime Dangerous Goods Code. We also note
that the U.S. Customs Service has issued a final rule to require
consignor/consignee information on bills of lading for all cargoes
entering the United States (67 FR 66318; October 31, 2002).

F. Security Plans

The NPRM proposed a new subpart I in part 172 to require persons
subject to the registration requirements in subpart G of part 107 and
persons who offer or transport select agents and toxins regulated by
CDC in 42 CFR part 73 to develop and implement written security plans.
Those persons required to register under subpart G of part 107 include
persons who offer for transportation or transport: (1) A highway route-
controlled quantity of a Class 7 (radioactive) material; (2) more than
25 kg (55 lbs) of a Division 1.1, 1.2, or 1.3 (explosive) material; (3)
more than 1 L (1.06 qt) per package of a material poisonous by
inhalation in Hazard Zone A; (4) a shipment in a bulk packaging with a
capacity equal to or greater than 13,248 L (3,500 gal) for liquids or
gases or greater than 13.24 cubic meters (468 cubic feet) for solids;
(5) a shipment in a non-bulk packaging of 2,268 kg (5,000 pounds) gross
weight or more of one class of hazardous materials for which placarding
is required; and (6) a shipment that requires placarding. Select agents
and toxins are materials regulated by CDC because they have the
potential to pose a severe threat to the public health and safety. We
suggested that a security plan should focus not only on the potential
threats posed by the material being transported, but on personnel,
facility, and en route security issues, as well. The NPRM did not
include a prescriptive list of actions that must be included in a
security plan. Rather, we proposed that a company should implement a
plan that is appropriate to its individual circumstances, considering
the types and amounts of hazardous materials shipped or transported and
the modes used for transportation.
Commenters generally support the proposed requirement. However,
commenters are concerned about certain details of the proposal. A major
concern for many commenters is the language used in the NPRM to
describe the security plan and its purpose. In the words of one
commenter, ``The written plan requirement is too strongly worded. [We
are] deeply concerned with much of the language in the security plan
component of the NPRM. The purpose of any planning, whether for
security or safety, is to reduce and mitigate risks. However, the NPRM
as worded mandates `assurance' of 100% risk-free operations. This is
not possible.'' (National Propane Gas Association) Other commenters
express similar reservations. ``The security plan should `address'
various subjects, but no requirement of the regulations should require
that the plan `assure' that unauthorized or unlawful actions will not
take place. The word `assure' has a strong legal content, and would
serve to impose undue strict liability on anyone who had the misfortune
to experience a security incident, no matter how unavoidable that
incident was.'' (Sulfur Dioxide Mutual Assistance Response Team) We
agree that the term ``assure,'' as used in the NPRM to describe the
purposes and goals of a security plan, was inappropriate. No plan, no
matter how comprehensive and detailed, can provide absolute assurance
that each shipment of hazardous materials to which it applies will be
transported without incident. In this final rule, we are modifying
subpart I, as suggested by commenters, to more properly

[[Page 14514]]

characterize a security plan in terms of addressing and reducing
security risks presented by the transportation of certain hazardous
materials in commerce.
Related to the liability concern, commenters ask how the proposed
security plan requirement would be enforced. ``Any measurement of a
security plan would be entirely subjective. * * * If our products were
somehow involved in a terrorist act, does this mean our security plan
failed? And if so, what enforcement action will be taken?'' (Airgas,
Inc.) Other commenters ask what standard will be used to determine
whether security plans comply with regulatory requirements.
Each security plan will differ because each security plan will be
based on a company's assessment of the security risks associated with
the materials it ships or transports. There is no ``one-size-fits-all''
security plan that will be appropriate for each company's individual
circumstances; similarly, there is no ``one-size-fits-all'' enforcement
standard that can be applied to individual companies. We will examine a
company's security plans, including the vulnerability assessment on
which the security plan is based, as necessary to ascertain that a
company has a plan in place, that it includes the components specified
in this final rule, and that its personnel have been trained concerning
the plan's specific components.
The fact that a product is used in a terrorist, criminal, or
destructive action does not automatically mean that the security plan
failed or that Federal security requirements are inadequate. A security
plan should represent a company's best, good-faith effort to address
identified security risks. However, plans must be updated as new
information and technology become available. Compliance with Federal
regulatory standards may constitute an effective defense in private
litigation. However, failure to comply with those standards can be
argued to constitute negligence.
Several commenters suggest that the requirement for security plans
should be applied more narrowly than proposed in the NPRM. For example,
shipments of bulk packagings that contain residues of certain hazardous
materials must be placarded and, thus, would be subject to the proposed
security plan requirement. Similarly, shipments of certain corrosive or
flammable materials in Packing Groups II or III, such as institutional
cleaning products, must be placarded in some circumstances and, thus,
would be subject to the proposed security plan requirement. Commenters
suggest that ``the requirement for an offeror or transporter to develop
and implement a security plan should more appropriately be predicated
upon the types (in terms of hazard) and/or quantities of hazardous
materials offered or transported by the person, rather than on whether
that person is required to register. * * * [S]ecurity plans should only
be required for offerors and transporters of hazardous materials that
have the potential to pose a significant threat from a security
perspective if those hazardous materials were to fall into the wrong
hands.'' (Conference on Safe Transportation of Hazardous Articles,
Inc.) We agree that a requirement for security plans should apply only
to those materials that present significant security threats. The
registration and select agent and toxins lists cover the materials that
present the most significant security threats in transportation and
provide a relatively straightforward way to distinguish materials that
may present a significant security threat from materials that do not.
Further, the requirements for security plans proposed in the NPRM and
adopted in this final rule permit a shipper or carrier to develop a
security plan that assesses the specific security risks of the
materials to be transported and put into place measures that are
commensurate with the assessed risks. If a shipper or carrier
determines that the security risks of the materials it handles are
relatively small, then its security plan may well be limited in scope
and complexity.
One commenter suggests that materials such as propane do not
present a security risk sufficient to require development of shipper
and carrier security plans. ``Propane has an excellent safety record
both at the storage site and in transit. Propane's narrow range of
flammability, its tendency to disperse rapidly if released, and the
robust, Federally-regulated systems used to contain the product all
support the assertion that propane should not be considered a weapon of
mass destruction.'' (National Propane Gas Association) We disagree.
Propane is among the liquefied compressed gases most commonly
transported throughout the nation. When liquid propane is released into
the atmosphere, it quickly vaporizes into the gaseous form that is its
normal state at atmospheric pressure. This happens very rapidly, and in
the process, the propane combines readily with air to form fuel-air
mixtures that are ignitable over a range of 2.2 to 9.5 percent propane
by volume. If an ignition source is present in the vicinity of a highly
flammable mixture, the vapor cloud ignites and burns very rapidly
(characterized by some experts as ``explosively''). Based on these
characteristics and the frequency with which propane is transported in
this country, we believe that propane presents a sufficient security
risk to warrant the imposition of security plan and security training
requirements.
Another commenter requests an exception from the proposed security
plan requirements for petroleum marketer transporters ``given the
already heightened level of security practiced by this unique branch of
hazardous materials transporters.'' (Ohio Petroleum Marketers
Association) In support of this request, the commenter cites
regulations such as State fire codes, workers compensation laws, and
Federal transportation safety laws ``that reduce the potential for
certain hazardous materials to be targets for terrorists, and that
maintain a high level of security awareness for hazardous materials
employees.'' Again, we disagree. The regulations cited by the commenter
are focused on safety, not security. Products transported by petroleum
marketers, such as fuel oil and motor fuel, can potentially be used as
weapons of opportunity or can be combined with other materials to
construct weapons of mass destruction. Indeed, trucks loaded with
petroleum products have been used in terrorist attacks on at least two
occasions in recent months overseas. In addition, on June 21, 2002, the
Federal Bureau of Investigation disclosed that it had information that
terrorists using fuel tanker trucks might try to attack fuel depots or
Jewish schools or synagogues. The warning was based on interviews with
captured al Qaeda fighters and other sources. Therefore, we reject the
requested exceptions.
A number of commenters note that, as drafted, the NPRM suggests
that the proposed security plan requirements apply to every shipment
offered for transportation or transported in commerce by a person
required to register by subpart G of part 107. For example, one
commenter says, ``A corporation subject to the hazmat registration
requirements may easily have more than one facility--some of which
might perform operations that would benefit from a security plan,
others of which might not. It would be patently unreasonable to require
each facility operated by the same corporation subject to hazmat
registration requirements * * * develop and implement a security plan
regardless of whether the particular facility transports hazardous
materials

[[Page 14515]]

subject to those requirements.'' (Utility Solid Waste Activities Group)
We agree. Our intention in the NPRM was for those shipments that are
listed as triggering the registration requirements in subpart G of part
107 to be subject to security plan requirements, not for every shipment
transported by a registered entity or every facility operated by a
registered entity. This final rule clarifies that persons who offer for
transportation or transport any of the materials listed in subpart G of
part 107 or a select agent or toxin regulated by CDC must develop and
adhere to security plans applicable to the listed materials.
The NPRM proposed that a security plan address the security of
shipments stored incidental to movement in transportation. Several
commenters are concerned about the applicability of the security plan
requirement to persons that do not offer or transport hazardous
materials in commerce, but who may operate facilities at which
hazardous materials are stored during transportation. One commenter
notes that ``[i]n many situations, HAZMAT are delivered to or through
facilities operated by entities that are not subject to the security
plan requirements because they may not be legally required to
register.'' (Dangerous Goods Advisory Council) We agree that the final
rule should clarify responsibility for security plans applicable to
hazardous materials stored incidental to movement in transportation.
Generally, these hazardous materials will be stored at a shipper or
carrier-owned or -operated facilities, and the shipper or carrier will
be responsible for developing a security plan. In this final rule, the
requirement for developing and adhering to a security plan applies to
persons who offer for transportation or transport hazardous materials
in commerce, including loading, unloading, or storage operations
incidental to the movement of hazardous materials in commerce.
Another commenter proposes that we adopt a definition for ``storage
incidental to movement'' to distinguish storage that is part of
transportation, and therefore subject to security plan requirements,
from storage that is not part of transportation. For purposes of this
final rule, storage incidental to movement of a hazardous material in
commerce is storage that takes place between the time that a hazardous
material is offered for transportation to a carrier and the time it
reaches its destination. This definition is consistent with long-
standing administrative determinations and letters of interpretation
concerning the applicability of the HMR to materials stored incidental
to their movement in commerce. We note in this regard that this agency
is currently engaged in a rulemaking to clarify the applicability of
the HMR to specific functions and activities, including storage of
hazardous materials during transportation (HM-223; RSPA-98-4952). The
NPRM issued under HM-223 proposed to define ``storage incidental to
movement'' to mean ``storage of a transport vehicle, freight container,
or package containing a hazardous material between the time that a
carrier takes physical possession of the hazardous material for the
purpose of transporting it until the package containing the hazardous
material is delivered to the destination indicated on a shipping
document, package marking, or other medium, or, in the case of a
private motor carrier, between the time that a motor vehicle driver
takes physical possession of the hazardous material for the purpose of
transporting it until the driver relinquishes possession of the package
containing the hazardous material at its destination and is no longer
responsible for performing functions subject to the HMR.'' We are
currently in the process of evaluating comments to the HM-223 NPRM. If
a final rule issued under docket HM-223 revises the definition of
``storage incidental to movement'' in a way that affects the
applicability to such storage of the security plan requirements in this
final rule, we will address such revision, including its implications
for security plans and any transition time necessary to implement
changes, in the HM-223 final rule.
Most commenters support ``the flexibility RSPA provides in [the]
proposal to regulated entities in how they go about meeting [the
security plan] requirement.'' (National Association of Chemical
Distributors) These commenters agree that ``the regulated community
needs the flexibility to select those elements [of a security plan]
that are consistent with their methods of operation.'' (Independent
Fuel Terminal Operators Association) Other commenters, however, are
concerned that the elements suggested in the NPRM for possible
inclusion in a security plan are ``extremely general. In fact, they are
so general as to be either unenforceable, or worse, subject to widely
varying interpretations by field inspectors and adjudicators. The
security plans and codes that have been developed by industry and are
being further refined at the current time are far more specific and
useful in addressing the security issues facing the various hazardous
materials moving in commerce. If it is RSPA's purpose simply to require
security plans for transporters and offerors without specifying the
nature or content of those plans, [we] have no objection. If on the
other hand, RSPA intends to somehow oversee the substance of such
plans, the proposed requirements are too vague to be enforced.'' (The
Chlorine Institute) Similarly, other commenters do not agree with the
NPRM approach to list non-mandatory items in the regulatory text for
security plans, such as the specific elements listed in the NPRM for
possible inclusion in a security plan to address en route shipment
security issues. These commenters suggest that recommendations should
not be made part of regulatory text because of enforcement and
liability concerns. Additionally, commenters are concerned that
establishing specific requirements for security plans could be counter-
productive. One commenter cites as an example the proposal in the NPRM
that a security plan must include a process to verify information
provided by job applicants. ``While a natural temptation would be to
specify exactly the kind of checks to be applied, doing so would merely
lay out a road map for the potential terrorist seeking employment with
a carrier. If a check of X, Y, and Z is required, the terrorist
organization will select operatives who can pass a check of X, Y, and
Z, but perhaps not A or B. The essence of security is
unpredictability--concept in conflict with regulatory precision.'' (CSX
Transportation)
We carefully considered the comments offered concerning the
security plan requirements proposed in the NPRM. We continue to believe
that, if it is to be effective, a regulation mandating development and
implementation of a security plan must provide sufficient flexibility
so that a shipper or carrier can adapt its requirements to individual
circumstances. Thus, the requirement for a security plan adopted in
this final rule sets forth general requirements for a security plan's
components rather than a prescriptive list of specific items that must
be included. In this final rule, the proposed security plan
requirements are modified as follows:
Applicability. The security plan requirement applies to persons who
offer for transportation or transport in commerce one or more of the
hazardous materials listed in subpart G of 49 CFR part 107 or a select
agent or toxin regulated by CDC. The security plan requirement also
applies to persons who operate facilities at which one or more

[[Page 14516]]

of the hazardous materials listed in subpart G of 49 CFR part 107 or
select agent or toxin regulated by CDC is stored incidental to the
movement of the hazardous material(s) in commerce. As indicated above,
for purposes of this final rule, ``storage incidental to movement'' is
storage that takes place between the time that a hazardous material is
offered for transportation to a carrier and the time it reaches its
destination. The security plan requirement applies only to shipments of
the specified hazardous materials and to facilities at which the
specified hazardous materials are prepared for transportation or stored
during transportation.
Security plan components. A security plan must address risks
related to the transportation of hazardous materials in commerce. Thus,
this final rule requires persons subject to the security plan
requirement to perform an assessment of the transportation security
risks associated with the materials they handle. As we stated in the
preamble to the NPRM, we have developed a security template to
illustrate how risk management methodology can be used to identify
points in the transportation process where security procedures should
be enhanced within the context of an overall risk management strategy.
The security template is posted on our website at http://hazmat.dot.gov/rmsef.htm. Other risk assessment tools are equally
valid, however. This final rule does not require persons subject to the
security plan requirement to use a specific risk assessment tool to
meet the risk assessment requirement.
Using risk assessment methodology, a company will select an
appropriate level of detail for its security plan based on the assessed
risks identified for such material or materials. Factors that may be
considered are the type or types of materials transported, the quantity
of material transported, the area from or to which the material is
shipped, and the mode of transportation used.
A security plan must include a method or methods for confirming
information provided by applicants for jobs that involve access to or
handling of the hazardous materials covered by the plan. In response to
commenters' concerns, we revised this aspect of the security plan to
substitute the term ``confirm'' for the term ``verify.'' Commenters are
concerned that the standard implied by the term ``verify'' may be
impossible to meet. In addition, this final rule requires employers to
confirm information provided by job applicants who are hired to perform
jobs that involve access to or handling of the hazardous materials
covered by the plan. Read literally, the NPRM language would have
required employers to confirm information provided by all job
applicants.
Also in response to commenters, we have added language to indicate
those persons to whom the requirement applies. Some commenters suggest
that we should specify that the requirement applies to hazmat
employees, as defined in Sec. 171.8 of the HMR. We do not believe that
this is necessary, although an employer may decide to include all
hazmat employees. The requirement in this final rule is limited to
applicants for hazmat employee positions that involve access to or
handling of the hazardous materials covered by the security plan. We do
not believe it necessary to include persons whose sole responsibility
is preparing shipping documentation, for example, nor do we believe it
necessary to include persons who manufacture, maintain, or requalify
packagings.
We do not expect companies to confirm all of the information that a
job applicant may provide as part of the application process. However,
employers should make an effort to check information related to an
applicant's recent employment history, references, and citizenship
status. In short, we expect companies to take reasonable and prudent
measures to address personnel security issues. In response to
commenters, in this final rule we added a requirement that efforts to
confirm information provided by job applicants must be consistent with
applicable Federal and State laws concerning employment practices and
individual privacy.
A security plan must also include methods to address the
possibility that unauthorized persons may attempt to gain access to
hazardous materials or transport vehicles being prepared for
transportation. Some commenters suggest that we include a definition of
``unauthorized persons'' in this final rule. The term ``unauthorized
persons'' as used in this final rule includes persons who are not
employed by the company or members of the general public, unless such
persons are specifically authorized by the company to have access to
hazardous materials or transport vehicles being prepared for
transportation. Beyond these persons, however, each entity to whom the
security plan requirement applies will need to define the universe of
unauthorized persons to account for the nature of the facility and the
type of activity that takes place there. An unauthorized person is any
person who is not authorized by the shipper or carrier to have access
to hazardous materials or transport conveyances being prepared for
transportation.
The third element of a security plan is a method or methods to
address en route security risks. As noted above, commenters express a
number of concerns about this provision of the NPRM. Many commenters
address the shared responsibility of shippers and carriers for reducing
security risks related to the transportation of hazardous materials in
commerce. In particular, some commenters suggest that
``[r]esponsibility for the security of a shipment in transit should in
the final analysis rest with the transporter. The shipper does not
ultimately determine the routes for movement of cargo or the locations
for incidental stops or storage. This responsibility appropriately
rests with the carrier.'' (Boeing Company) Other commenters agree that
en route security should primarily be the responsibility of the
carrier. ``[T]o a great extent, shippers must rely on the carriers to
generate en route security plans. This may mean that in some cases
there would be two separate plans instead of a joint shipper and
carrier plan. * * * [We] believe that shippers and carriers should have
the flexibility to determine the best way to address en route
security.'' (American Chemistry Council) Other commenters suggest that
the proposal places ``too much emphasis on the shipper and recipient,
and effectively absolves the transporter of responsibility for
security. The carrier has control of the HM for the majority of any
shipment, and should also bear the responsibility for ensuring an
adequate safety plan and implementation of same.'' (CF Industries)
We agree that a hazardous materials transporter's security plan
will address en route security issues in some detail. However, we do
not agree that shippers need not address this aspect of transportation
security. As one commenter suggests, ``[C]arrier `security plans' must
involve considerable input from the shipper community. It is the
shipper who has best access to information relative to the hazardous
properties of the commodity. It is the shipper who controls: Carrier
selection and order entry; loading; time and method of dispatch; and,
destination.'' (National Tank Truck Carriers) At the same time, we
recognize that ``the carrier has the best information relative to the
route taken and the security along that route. This includes driving
time, route deviations, and rest stop selection.'' (American Chemistry
Council) We expect shippers to work with carriers to address en route
security risks of the materials covered

[[Page 14517]]

by their security plans. In some cases, a shipper and carrier may have
a joint plan; in others, a shipper and carrier may have two separate
security plans. This final rule provides shippers and carriers with the
flexibility necessary to determine the best methods for addressing en
route security issues.
A number of commenters object to the NPRM language that a security
plan should include a system for verifying that a carrier has an on-
going transportation security program. ``In effect, this aspect of the
proposal would require that customers of carriers take an active role
in ensuring that carriers are in compliance with the security plan
requirements proposed by RSPA. In effect, RSPA is deputizing offerors
of hazmat to police their carrier's compliance efforts.''
(International Sanitary Supply Association) We are not requiring
shippers to compel compliance by carriers. At a minimum, however, a
shipper should satisfy itself that the carrier that will be
transporting its material has a security plan in place that adequately
addresses the assessed security risks of the material to be
transported, including risks related to storage of the material during
transportation.
Relationship to other requirements. The NPRM included a provision
permitting security plans that conform to regulations of other Federal
or international agencies to be used to satisfy the requirement
proposed for the HMR. All commenters support this provision. Several
suggest that we specify that plans that conform to requirements of the
Department of Defense or the Nuclear Regulatory Commission are
acceptable. We do not think it is necessary to specifically list in the
regulation Federal or international agencies that have now or may in
the future impose security plan requirements on persons who handle
hazardous materials. A security plan that conforms to regulations
issued by any other Federal agency is acceptable, so long as it
includes the requirements for security plans in this final rule. Other
commenters request that we include plans developed by industry
associations, such as the American Chemistry Council or the Association
of American Railroads. Certainly, we expect that many companies will
develop security plans using guidance and recommendations developed by
the industry. In fact, we encourage companies to take advantage of
existing guidance, model security plans, and the like when developing
security plans tailored to their own operations. This includes
industry-developed protocols or guidelines and recommendations issued
by other Federal or international agencies. This provision is modified
in this final rule to clarify that regulations, protocols, guidelines,
or standards developed by other Federal agencies, international
organizations, or industry are acceptable, provided such regulations or
guidelines address the specific security vulnerabilities of the
company.
We note in this regard that, while a security plan developed in
conformance with regulations issued by another Federal agency may
suffice to meet the requirements of this final rule, the reverse is not
necessarily true. For example, air cargo security requirements
promulgated by TSA are more stringent than the security requirements in
this final rule. Similarly, requirements promulgated by NRC to address
the transportation security of radioactive materials may be more
stringent than the requirements in this final rule. Shippers and
carriers should be aware that they may be subject to additional, more
stringent security requirements promulgated by other Federal agencies,
depending on the materials they transport and the mode of
transportation.
Availability to the public. Several commenters express concern
about the possibility that security plans may become publicly
available. ``It is critical that carrier and shipper plans remain
confidential; not subject to public disclosure and Freedom of
Information Act requests.'' (CSX Transportation) Commenters are
particularly concerned about plans that may be obtained by enforcement
personnel during a compliance inspection.
Generally, RSPA will not collect or retain security plans. With
regard to security plans, our enforcement focus during the compliance
inspection is to ensure that companies have developed a security plan.
Inspectors will review the existing plan on site and generally will not
take copies with them or require companies to submit security plans.
In the rare instance that RSPA enforcement personnel identify a
need to collect a copy of a security plan, or if a company voluntarily
submits a copy of its security plan, we will analyze all applicable
laws and Freedom of Information Act exemptions to determine whether the
information or portions of information in the security plan can be
withheld from release. Prior to submission of a security plan to DOT in
these unusual instances, companies should follow the procedures
described in 49 CFR 105.30 for requesting confidentiality. Under those
procedures, a company should identify and mark the information it
believes is confidential and explain why. We will then determine
whether the information may be released or protected under the law.
Timing of implementation. Commenters are concerned that the final
rule provide sufficient time for development and implementation of
security plans. The NPRM did not specify a transition period. We agree
that a transition period is necessary. Therefore, in this final rule,
we provide persons subject to the security plan requirement 6 months
from the effective date of the final rule to develop and implement
security plans.

G. Training

The HMR currently require hazmat employees to be trained so they
are: (1) Familiar with the general provisions of the HMR and can
recognize and identify hazardous materials; (2) knowledgeable about
specific HMR requirements applicable to functions performed; and (3)
knowledgeable about emergency response information, self-protection
measures, and accident prevention methods. A hazmat employee is one who
directly affects hazardous materials transportation safety (Sec.
171.8). Hazmat employers must ensure that their hazmat employees are
trained. For new employees, training must be completed within 90 days
after employment or a change in job function. All hazmat employees must
receive recurrent training every three years.
The safety training provided by hazmat employers may include the
physical security of hazardous materials and ways to prevent vandalism
and theft. However, such training may not be adequate to meet current
threats. Because many hazardous materials transported in commerce may
potentially be used as weapons of mass destruction or weapons of
convenience, it is critical to the assurance of public safety that
training for persons who offer and transport hazardous materials in
commerce include a security component. Therefore, in the May 2, 2002
NPRM, we proposed to add a provision to Sec. 172.704 to require the
training of each hazmat employee to include a security component. We
proposed that hazmat employees of persons required to have a security
plan must be trained in the plan's specifics. In addition, we proposed
that all hazmat employees must receive training that provides an
awareness of the security issues associated with hazardous materials
transportation and possible methods to enhance transportation security.
As proposed in the NPRM, all hazmat employees would be required to

[[Page 14518]]

be trained within three months of issuance of a final rule.
Commenters generally support the proposal to require hazmat
employee training to include a security component. However, commenters
suggest that three months is not sufficient to implement and conduct
training programs, particularly for hazmat employees of companies
subject to the requirement for security plans. ARequiring security
training for each hazmat employee within three months of the final rule
effective date will be very difficult to implement. Once the
requirements are published by DOT, companies will then be able to
finalize development of their security training by combining components
of the final rule with other requirement[s] of the hazmat employer's
circumstances. Subsequently, training must be approved, disseminated
within the company, trainers educated on the module's requirements, and
hazmat employees scheduled for training.'' (Air Products) Some
commenters suggest that security training should be required on a
schedule consistent with current 3-year training cycles for hazmat
employees. Others request implementation periods ranging from 6 months
to one year.
We do not agree with commenters that development and implementation
of transportation security awareness training will require a lengthy
period for development and implementation. As we stated in the NPRM, to
assist hazmat employers to meet any new security training requirements,
we are developing a Hazardous Materials Transportation Security
Awareness Training Module directed at law enforcement, industry, and
hazmat personnel. Imminently, this training module will be available
for distribution and use, free of charge. The module takes one hour to
complete. This training module or similar training programs that may be
developed by commercial vendors or hazmat employers will be sufficient
to meet the security awareness training requirement in this final rule.
However, we are sympathetic to the industry's concerns about the time
required to complete training for all affected hazmat employees.
Therefore, this final rule permits hazmat employers to provide security
awareness training on the same 3-year schedule as other types of
required hazmat training; thus, security awareness training must be
provided an at employee's next scheduled retraining at or within the 3-
year training cycle. However, we strongly encourage hazmat employers to
provide security awareness training to hazmat employees on an
accelerated schedule wherever possible.
We agree with commenters that 3 months from the effective date of a
final rule does not provide sufficient time for training of hazmat
employees by hazmat employers who are subject to the new requirement
for security plans. However, once a security plan is implemented, we
believe that employee training about its provisions should be completed
no later than 3 months after the plan's implementation. Therefore, in
this final rule, we are providing up to 9 months (6 months to develop
and implement a security plan plus 3 months to train employees) for
completion of training for these hazmat employees. As with the new
requirement for security awareness training, it is not necessary to
test or retain records concerning this new security plan training
requirement until an employee's next scheduled retraining at or within
the 3-year training cycle.

III. Regulatory Analyses and Notices

A. Executive Order 12866 and DOT Regulatory Policies and Procedures

This final rule is a significant regulatory action under Executive
Order 12866 and the regulatory policies and procedures of the
Department of Transportation (44 FR 11034) because of substantial
public interest. The Office of Management and Budget reviewed this
final rule.
Compliance costs resulting from this final rule are associated with
the new requirements for certain shippers and carriers to implement
security plans and for hazmat employee training to include a security
component. An analysis of the costs and benefits of this final rule is
included in the rulemaking docket. The cost-benefit analysis also
addresses comments we received on the estimates included in the May 2,
2002 NPRM.
Costs. We estimate that companies subject to the security plan
requirement in this final rule will incur first-year compliance costs
totaling about $54.3 million to develop and implement security plans
and subsequent-year costs totaling about $11 million/year for annual
updates to the plans. Each security plan will be unique; thus, it is
difficult to develop cost estimates for the measures that companies may
implement to enhance hazardous materials transportation security.
Ultimately, we expect each company to make reasonable decisions on
measures it can take to improve security. Because companies will set
security priorities and factor costs into their decisions, we believe
the measures they choose will be cost-effective. Accordingly, we have
not attempted separately to cost out or justify these actions as part
of this rulemaking.
For the security training mandated in this final rule, we estimate
that companies will incur first-year compliance costs totaling about
$34 million, with subsequent-year costs totaling about $18 million/year
for recurrent training.
Benefits. Safety benefits of regulatory changes frequently can be
estimated with some degree of precision. Incident and accident history
often provide a basis for estimating fatality, injury, property damage,
environmental damage, and similar costs to society that can be avoided
by the implementation of new requirements. Models can even estimate the
costs to society of high consequence, low probability accidents.
Benefit estimates can then be balanced against the estimated costs of
new requirements to determine whether the changes are justified.
Estimating the security benefits of new requirements is much more
challenging. Accident causation probabilities, based on previous
accident histories and analysis, can be estimated in a way that the
chances of a criminal or terrorist act cannot. Indeed, the threat of
attack is virtually impossible to assess from a quantitative
standpoint. That hazardous materials in transportation are a possible
target of terrorism or sabotage is undeniable; the probability that
hazardous materials in transportation will be targeted is, at best, a
guess. Similarly, the projected outcome of a terrorist attack cannot be
precisely estimated. Given a decision to attack the system, one must
assume that choices will be made to maximize consequences and damage.
It is possible to envision scenarios where hazardous materials in
transportation could be used to inflict hundreds or even thousands of
fatalities. Direct costs and those attributable to transportation
system disruption that would surely result could easily total in the
billions of dollars. We are operating under the premise that, in
today's environment, it is necessary to take reasonable measures to
reduce the likelihood that such events will be successful. The presence
of such measures should, in fact, help deter potential attacks. The
provisions we are adopting have been crafted with this in mind.
If the measures adopted by this rule have the potential of reducing
the likelihood of success of such an attack, we believe they are
worthwhile. Moreover, the American public has an expectation that
reasonable measures will be taken to help ensure the security

[[Page 14519]]

of chemicals and substances present in our society so that they are not
used for nefarious purposes. We believe many, if not most, companies
are taking or have already taken steps to develop systematic security
plans and security awareness training. These requirements will help
ensure a consistent approach in the area while permitting flexibilities
that are important in keeping costs at reasonable levels.
In the end, when security measures are evaluated, an element of
judgment is required to determine whether the costs of the measures are
justified by the benefits that will accrue. We believe that the
relatively small costs imposed on individual companies by the new
security requirements in this final rule are more than offset by the
potential benefits if there is a finite chance that these measures
might avert a successful attack. The new requirements are not onerous.
They are prudent, common-sense security measures that are in line with
public expectations about the need to take action to protect hazardous
materials shipments from terrorist acts.

B. Regulatory Flexibility Act

The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) requires an
agency to review regulations to assess their impact on small entities
unless the agency determines that a rule is not expected to have a
significant impact on a substantial number of small entities. A
complete analysis of the small business impacts of this final rule is
available in the rulemaking docket. I hereby certify that, while the
requirements in this final rule apply to a substantial number of small
entities, there will not be a significant economic impact on those
small entities.

C. Executive Order 13132

This final rule has been analyzed in accordance with the principles
and criteria contained in Executive Order 13132 (``Federalism''). This
final rule preempts State, local, and Indian tribe requirements but
does not impose any regulation with substantial direct effects on the
States, the relationship between the National government and the
States, or the distribution of power and responsibilities among the
various levels of government. Therefore, the consultation and funding
requirements of Executive Order 13132 do not apply.
In the NPRM, we invited comments on whether, and to what extent,
State or local governments or Indian tribes should be permitted to
impose similar additional requirements to those proposed in the NPRM.
Commenters who address this issue unanimously agree that State, local,
or tribal governments should not be permitted to impose hazardous
materials transportation security requirements that differ from or are
in addition to those adopted in this final rule. We agree. Therefore,
in the absence of a waiver of preemption by the Secretary under 49
U.S.C. 5125(e) or unless it is authorized by another Federal law, a
hazardous materials transportation security requirement of a State,
political subdivision of a State, or Indian tribe is explicitly
preempted if: (1) Complying with a requirement of the State, political
subdivision or Indian tribe and a requirement of this chapter or a
regulation issued under this chapter is not possible; or (2) the
requirement of the State, political subdivision, or Indian tribe, as
applied or enforced, is an obstacle to accomplishing and carrying out
this chapter or a regulation prescribed under this chapter.

D. Executive Order 13175

This final rule has been analyzed in accordance with the principles
and criteria contained in Executive Order 13175 (``Consultation and
Coordination with Indian Tribal Governments''). Because this final rule
does not significantly or uniquely affect the communities of the Indian
tribal governments and does not impose substantial direct compliance
costs, the funding and consultation requirements of Executive Order
13175 do not apply.

E. Unfunded Mandates Reform Act of 1995

This final rule does not impose unfunded mandates under the
Unfunded Mandates Reform Act of 1995. It does not result in annual
costs of $100 million or more, in the aggregate, to any of the
following: State, local, or Indian tribal governments, or the private
sector. This rule is the least burdensome alternative to achieve the
objective of the rule.

F. Paperwork Reduction Act

We submitted the information collection and recordkeeping
requirements contained in this final rule to the Office of Management
and Budget (OMB) for approval under the provisions of the Paperwork
Reduction Act of 1995, section 1320.8(d). Title 5, Code of Federal
Regulations requires us to provide interested members of the public and
affected agencies an opportunity to comment on information collection
and recordkeeping requests. Under the Paperwork Reduction Act, no
person is required to respond to an information collection unless it
has been approved by OMB and displays a valid OMB control number.
The May 2, 2002, NPRM included the following estimate for the
information and recordkeeping burden resulting from the development and
maintenance of security plans:
Hazardous Materials Security Plans
OMB No. 2137-xxxx
First Year Burden:
Total Annual Number of Respondents: 44,000.
Total Annual Responses: 44,000.
Total Annual Burden Hours: 880,000.
Total Annual Burden Cost: $26,400,000.
Subsequent Year Burden:
Total Annual Number of Respondents: 44,200.
Total Annual Responses: 44,200.
Total Annual Burden Hours: 48,000.
Total Annual Burden Cost: $1,440,000.

In the NPRM, we estimated that most companies would require about
20 hours to develop and implement a security plan conforming to the new
regulatory requirements. This estimate was based on our understanding,
confirmed by commenters to the NPRM, that many industry groups have
developed guidance and model security plans for use by their members.
Further, to assist persons to perform the risk management analysis
required by this final rule, we designed a security template for the
Risk Management Self-Evaluation Framework (RMSEF), developed to assist
regulators, shippers, carriers, and emergency response personnel to
examine their operations and consider how they assess and manage risk.
The security template illustrates how risk management methodology can
be used to identify points in the transportation process where security
procedures should be enhanced within the context of an overall risk
management strategy. Because of the widespread availability of tools to
assist persons to develop and implement security plans, we concluded
that the cost to an individual company to comply with the security plan
requirement would average about $600 per affected entity.
Commenters who address security plan costs disagree with our
conclusion. For example, one commenter estimates that, ``[f]or the 6000
(15% of the total registrants) large HAZMAT registrants, [we] estimate
that it will take a minimum of 200 hours to develop a comprehensive
security plan (estimated cost for the 6000 registrants: $100 per hour x
200 hours = $120 million).'' (Dangerous Goods Advisory Council) Other
commenters offered similar cost estimates.

[[Page 14520]]

As commenters themselves point out, a number of industry
associations have developed guidelines and model security plans that
can be readily adapted to meet a company=s individual circumstances,
thereby reducing individual company costs. Indeed, on June 5, 2002, the
American Chemistry Council (ACC) made enhanced security activities
mandatory for its members, to help assure the public that all member
facilities are involved in making their neighbors and America more
secure. The ACC Board approved a new Security Code under Responsible
Care [reg], the industry's initiative for improving performance, that
consists of increased specific commitments to further safeguard
chemical operations from potential terrorist attacks. The Security Code
includes measures to enhance chemical transportation security. Over 200
chemical companies are ACC members; in addition, nearly 40 industry
associations are Responsible Care [reg] Partner Associations.
Further, the Association of American Railroads has developed a
``comprehensive Terrorism Risk Analysis and Security Management Plan.
The industry formed a security task force * * * Outside consultants
with expertise in intelligence and counter-terrorism were retained to
provide advice on best practices. * * * The task force undertook a
comprehensive risk analysis which identified critical assets,
vulnerabilities, and threats, and assessed the overall risk to people,
national security, and the nation's economy. The task force then
proceeded to identify over fifty countermeasures. The Terrorism Risk
Analysis and Security Management Plan * * * is now in effect. * * *''
The Association of American Railroads includes 14 Class I railroads and
10 non-Class I railroads.
Many companies will not need to perform sophisticated analyses or
develop complicated security plans in order to comply with the new
requirement. Companies that only occasionally transport one of the
hazardous materials to which the security plan requirement applies may
be able to utilize one of the off-the-shelf security manuals now being
marketed by several vendors. These manuals include information and
guidelines that assist companies to identify and address areas of
concern, including concerns related to personnel safety and security,
site security, en route security, and training. One such security
manual sells for $165, with regular updates available under an annual
subscription costing about $80.
Because there is such a wealth of information and assistance
available to companies subject to the security plan requirements of
this final rule, we do not agree with commenters who suggest that our
cost estimate for developing hazardous materials transportation
security plans in the May 2 NPRM was ``greatly under-estimated.''
Actual per-company costs will vary, depending on the nature of the
materials transported and the size and complexity of a company's
operations. We estimate that the time necessary to develop a security
plan will range between our initial estimate of 20 hours per company
and the industry estimate of 200 hours per company. For purposes of
this analysis, we believe that, on average, a large company, using
information available from RSPA, industry associations, or vendors,
will require about 50 hours to develop a security plan that meets the
requirements of this final rule. A smaller company, on average, will
require about 25 hours to develop a security plan that meets the
requirements of this final rule. Using Bureau of Labor Statistics
information on employee compensation (March 2001), we estimate that the
cost per hour of developing a security plan is $45.00 (one professional
plus one administrative support staff). Thus, for the large companies
subject to the security plan requirements of this final rule, we
estimate that the costs to develop a security plan will total
$14,512,500 (6,450 large entities x 50 hours/entity x $45/hour) or
$2,250 per entity. For the small companies subject to the security plan
requirements of this final rule, we estimate that the costs to develop
a security plan will total $41,118,750 (36,550 small entities x 25
hours/entity x $45/hour) or $1,125 per entity.
This final rule requires companies to update security plans as
necessary to account for changing circumstances. We expect that most
companies will update their security plans at least once a year. We
estimate the hours required to update a security plan will average 10
hours for a large company and 5 hours for a small entity. Thus, for
large companies, we estimate the costs to update a security plan will
total $2,902,500/year (6,450 large entities x 10 hours/entity x $45/
hour), or $450 per entity. For small companies, we estimate the costs
to update a security plan will total $8,223,650/year (36,550 small
entities x 5 hours/entity x $45/hour), or $225 per entity.
Our revised estimate of the information collection and
recordkeeping burden related to the security plan requirements in this
final rule is shown below. This new information collection, ``Hazardous
Materials Security Plans'', will be assigned an OMB control number
after review and approval by OMB. We estimate that the new total
information collection and recordkeeping burden resulting from the
development and maintenance of security plans under this rule is as
follows.
Hazardous Materials Security Plans
OMB No. 2137-xxxx
First Year Annual Burden:
Total Annual Number of Respondents: 42,000.
Total Annual Responses: 42,000.
Total Annual Burden Hours: 1,207,500.
Total Annual Burden Cost: $54,337,500.
Subsequent Year Burden:
Total Annual Number of Respondents: 42,200.
Total Annual Responses: 42,200.
Total Annual Burden Hours: 247,250.
Total Annual Burden Cost: $11,126,250.
Requests for a copy of this information collection should be
directed to Deborah Boothe, Office of Hazardous Materials Standards
(DHM-10), Research and Special Programs Administration, Room 8422, 400
Seventh Street, SW., Washington, DC 20590-0001. Telephone (202) 366-
8553. We will publish a notice advising interested parties of the OMB
control number for this information collection when assigned by OMB.

G. Regulation Identifier Number (RIN)

A regulation identifier number (RIN) is assigned to each regulatory
action listed in the Unified Agenda of Federal Regulations. The
Regulatory Information Service Center publishes the Unified Agenda in
April and October of each year. The RIN contained in the heading of
this document can be used to cross-reference this action with the
Unified Agenda.

H. Environmental Assessment

There are no significant environmental impacts associated with this
final rule. An environmental assessment is available in the docket for
this rulemaking.

List of Subjects in 49 CFR Part 172

Hazardous materials transportation, Hazardous waste, Labeling,
Packaging and containers, Reporting and recordkeeping requirements.

In consideration of the foregoing, we are amending title 49,
chapter I, subchapter C, as follows:

[[Page 14521]]

PART 172--HAZARDOUS MATERIALS TABLE, SPECIAL PROVISIONS, HAZARDOUS
MATERIALS COMMUNICATIONS, EMERGENCY RESPONSE INFORMATION, AND
TRAINING REQUIREMENTS

1. The authority citation for part 172 continues to read as
follows:

Authority: 49 U.S.C. 5101-5127; 49 CFR 1.53.

2. In Sec. 172.704, paragraph (a) introductory text is revised,
paragraphs (a)(4) and (a)(5) are added, and paragraph (b) is revised to
read as follows:

Sec. 172.704 Training requirements.

(a) Hazmat employee training must include the following:
* * * * *
(4) Security awareness training. No later than the date of the
first scheduled recurrent training after March 25, 2003, and in no case
later than March 24, 2006, each hazmat employee must receive training
that provides an awareness of security risks associated with hazardous
materials transportation and methods designed to enhance transportation
security. This training must also include a component covering how to
recognize and respond to possible security threats. After March 25,
2003, new hazmat employees must receive the security awareness training
required by this paragraph within 90 days after employment.
(5) In-depth security training. By December 22, 2003, each hazmat
employee of a person required to have a security plan in accordance
with subpart I of this part must be trained concerning the security
plan and its implementation. Security training must include company
security objectives, specific security procedures, employee
responsibilities, actions to take in the event of a security breach,
and the organizational security structure.
(b) OSHA, EPA, and other training. Training conducted by employers
to comply with the hazard communication programs required by the
Occupational Safety and Health Administration of the Department of
Labor (29 CFR 1910.120 or 1910.1200) or the Environmental Protection
Agency (40 CFR 311.1), or training conducted by employers to comply
with security training programs required by other Federal or
international agencies, may be used to satisfy the training
requirements in paragraph (a) of this section to the extent that such
training addresses the training components specified in paragraph (a)
of this section.
* * * * *

3. Subpart I is added to read as follows:

Subpart I--Security Plans

Sec.
172.800 Purpose and applicability.
172.802 Components of a security plan.
172.804 Relationship to other Federal requirements.

172.800 Purpose and applicability.

(a) Purpose. This subpart prescribes requirements for development
and implementation of plans to address security risks related to the
transportation of hazardous materials in commerce.
(b) Applicability. By September 25, 2003, each person who offers
for transportation in commerce or transports in commerce one or more of
the following hazardous materials must develop and adhere to a security
plan for hazardous materials that conforms to the requirements of this
subpart:
(1) A highway route-controlled quantity of a Class 7 (radioactive)
material, as defined in Sec. 173.403 of this subchapter, in a motor
vehicle, rail car, or freight container;
(2) More than 25 kg (55 pounds) of a Division 1.1, 1.2, or 1.3
(explosive) material in a motor vehicle, rail car, or freight
container;
(3) More than one L (1.06 qt) per package of a material poisonous
by inhalation, as defined in Sec. 171.8 of this subchapter, that meets
the criteria for Hazard Zone A, as specified in Sec. Sec. 173.116(a)
or 173.133(a) of this subchapter;
(4) A shipment of a quantity of hazardous materials in a bulk
packaging having a capacity equal to or greater than 13,248 L (3,500
gallons) for liquids or gases or more than 13.24 cubic meters (468
cubic feet) for solids;
(5) A shipment in other than a bulk packaging of 2,268 kg (5,000
pounds) gross weight or more of one class of hazardous materials for
which placarding of a vehicle, rail car, or freight container is
required for that class under the provisions of subpart F of this part;
(6) A select agent or toxin regulated by the Centers for Disease
Control and Prevention under 42 CFR part 73; or
(7) A quantity of hazardous material that requires placarding under
the provisions of subpart F of this part.

Sec. 172.802 Components of a security plan.

(a) The security plan must include an assessment of possible
transportation security risks for shipments of the hazardous materials
listed in Sec. 172.800 and appropriate measures to address the
assessed risks. Specific measures put into place by the plan may vary
commensurate with the level of threat at a particular time. At a
minimum, a security plan must include the following elements:
(1) Personnel security. Measures to confirm information provided by
job applicants hired for positions that involve access to and handling
of the hazardous materials covered by the security plan. Such
confirmation system must be consistent with applicable Federal and
State laws and requirements concerning employment practices and
individual privacy.
(2) Unauthorized access. Measures to address the assessed risk that
unauthorized persons may gain access to the hazardous materials covered
by the security plan or transport conveyances being prepared for
transportation of the hazardous materials covered by the security plan.
(3) En route security. Measures to address the assessed security
risks of shipments of hazardous materials covered by the security plan
en route from origin to destination, including shipments stored
incidental to movement.
(b) The security plan must be in writing and must be retained for
as long as it remains in effect. Copies of the security plan, or
portions thereof, must be available to the employees who are
responsible for implementing it, consistent with personnel security
clearance or background investigation restrictions and a demonstrated
need to know. The security plan must be revised and updated as
necessary to reflect changing circumstances. When the security plan is
updated or revised, all copies of the plan must be maintained as of the
date of the most recent revision.

Sec. 172.804 Relationship to other Federal requirements.

To avoid unnecessary duplication of security requirements, security
plans that conform to regulations, standards, protocols, or guidelines
issued by other Federal agencies, international organizations, or
industry organizations may be used to satisfy the requirements in this
subpart, provided such security plans address the requirements
specified in this subpart.

Issued in Washington DC on March 19, 2003, under authority
delegated in 49 CFR part 1.
Ellen G. Engleman,
Administrator, Research and Special Programs Administration.
[FR Doc. 03-7080 Filed 3-24-03; 8:45 am]
BILLING CODE 4910-60-P