TSA Oversight of National Passenger Rail System Security IG DHS
Recent global events, such as the August 2015 armed gunman on a passenger train traveling from Amsterdam to Paris, highlighted the vulnerability of rail systems to terrorist attacks and the importance of security for passengers. As a result of this incident, two members of Congress requested that the Transportation Security Administration (TSA) provide an update on the state of domestic rail security, including the progress made on implementing requirements from Public Law 110–53, Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Act).
According to the National Railroad Passenger Corporation (Amtrak), it is the sole high-speed intercity passenger railroad provider in the continental United States. Each day, Amtrak operates more than 300 passenger trains, and in fiscal year 2015, carried approximately 31 million passengers throughout 46 states; Washington, DC; and 3 Canadian provinces. Amtrak is funded by passenger ticket revenues, annual Federal appropriations, and Federal and state grants.
Two divisions within Amtrak are primarily responsible for security policies and operations. Amtrak’s Emergency Management and Corporate Security Division develop emergency management and security policies and oversees security training and exercises. Amtrak’s Police Department conducts passenger security operations, performs counter-terrorism and intelligence functions, and responds to incidents and events.
Amtrak and other passenger rail carriers operate in an open infrastructure with multiple access points. Rail stations are designed primarily for easy access, so this open infrastructure provides challenges for rail carriers and law enforcement to control and monitor passengers for security purposes. For example, the number of riders and access points makes it impractical to subject all rail passengers to the type of security that passengers undergo at airports.
TSA is responsible for securing the Nation's transportation systems, including passenger rail systems such as Amtrak. Compared to its responsibilities for aviation security, in which TSA screens passengers, TSA is not a security provider for passenger rail. TSA’s main functions for rail are to assess intelligence, share threat information with industry stakeholders, develop industry best practices, and enforce regulations. In FY 2015, TSA dedicated less than 2 percent of its budget for surface transportation (approximately $123 million).
TSA’s authority for passenger rail security and the oversight of Amtrak comes from two main sources:
Title 49, Section 114 of the United States Code (U.S.C.) gives TSA overall authority for security in all modes of transportation and authorizes TSA to issue and enforce regulations necessary to carry out TSA functions.
The 9/11 Act requires that the Department of Homeland Security, through TSA, create a regulatory framework that addresses the threats facing our passenger rail systems. Examples of requirements include security assessments, background checks for rail employees, security training, and security exercises.
In 2009, the Government Accountability Office (GAO) issued a report on the key actions that TSA needs to take to enhance passenger rail security. In the report, GAO indicated that TSA had only completed one of the key passenger rail requirements from the 9/11 Act (establishing a program for conducting rail security exercises) and the remaining requirements were still in progress. In June 2011, TSA provided GAO with a plan for addressing uncompleted 9/11 Act requirements. The plan contained milestones for each of the remaining 9/11 Act requirements and listed proposed rules occurring in 2011. However, it did not include expected completion dates.
As of FY 2015, three key 9/11 Act passenger rail requirements — a regulation for rail carriers to complete security assessments, a regulation for rail security training, and a program for conducting background checks on rail employees — remained incomplete.
In 2016 the DHS IG conducted an audit to determine the extent to which the Transportation Security Administration (TSA) has the policies, processes, and oversight measures to improve security at the National Railroad Passenger Corporation (Amtrak). It was found that TSA has limited regulatory oversight processes to strengthen passenger security at Amtrak because the component has not fully implemented all requirements from Public Law 110–53, Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Act).
Federal regulations require Amtrak to appoint a rail security coordinator and report significant security concerns to TSA. Although the 9/11 Act requires TSA to establish additional passenger rail regulations, the component has not fully implemented those regulations. Specifically, TSA has not issued regulations to assign rail carriers to high-risk tiers; established a rail training program; and conducted security background checks of frontline rail employees. In the absence of formal regulations, TSA relies on outreach programs, voluntary initiatives, and recommended measures to assess and improve rail security for Amtrak. TSA attributes the delays in implementing the rail security requirements from the 9/11 Act primarily to the complex Federal rulemaking process. Although the rulemaking process can be lengthy, TSA has not prioritized the need to implement these rail security requirements. This is evident from TSA’s inability to satisfy these requirements more than 8 years after the legislation was passed.
Without fully implementing and enforcing the requirements from the 9/11 Act, TSA’s ability to strengthen passenger rail security may be diminished. The absence of regulations also impacts TSA’s ability to require Amtrak to make security improvements that may prevent or deter acts of terrorism. DHS concurred with the recommendations.