Mass Transit BASE

Highway Baseline Assessment for Security Enhancement (BASE) Program

Mass Transit BASE FY2015 11-03-14 Public Transportation.xlsm

Public Transportation Review

OMB: 1652-0062


Overview

SSI Cover Sheet
Scoring Guidance
Profile Sheet
Checklist
Additional Information


Sheet 1: SSI Cover Sheet



Sheet 2: Scoring Guidance

Mass Transit BASE Scoring Guidance - Appendix IX
As general guidance, scores are to be assigned on a scale of 0-4 as follows:
“0” Security element should be in place but does not exist. (Equates to total non-adherence – 0%)
“1” Security element exists, but does not include all essential recommended components. (Equates to minimal adherence – 25-50%)
“2” Security element is in place with all essential components but not fully implemented or practiced. (Equates to partial adherence or implementation – 50-75%)
“3” Security element is in place and practiced but not monitored or periodically reviewed. (Equates to strong adherence, but not full implementation – 75-99%)
“4” Security element is in place, fully implemented and regularly reviewed/verified. (Equates to full implementation – 100%) Also assigned to “yes/no” question having a “Yes” response.
“N/A” Checked - Security element is not applicable and rationale must be given to support the N/A rating.
Line Element SIDoT Comments Items of Interest Scoring Example
Establish Written System Security Plans (SSPs) and Emergency Response Plans (ERPs)
System Security Plan (SSP)
1.101 Does the transit agency have a System Security Plan (SSP)? Document Review Inspectors should refer to the MT BASE Guidance, Pg12. Policies and procedures related to security--including personnel security, vehicle security, facility security, and threat/vulnerability management. 4 SSP is a well developed plan, complete with detailed policies and procedures related to personnel security, facility security, vehicle security, and threat/vulnerability management. SSP is missing no key elements and has been completely implemented by the agency.
3 SSP is a complete document with policies and procedures that have been appropriately implemented by the agency. Only a few minor security elements are missing. Key concepts are detailed with minimal exceptions.
2 Generic policies and procedures are documented and implemented adequately. Key concepts are documented, but lacking any depth. In fact, the plan simply appears to be a commonly available "template."
1 SSP is a generalized document that is lacking any detailed, agency-specific security elements. Key concepts are missing or not adequately implemented by the agency.
0 There is no SSP in place.
1.102 Does the SSP identify the goals and objectives for the security program? Document Review
Documented method of effectively assessing and monitoring security program's purpose and progress. 4 Goals and objectives are identified, documented and actively monitored to ensure the SSP is fulfilling its purpose.
2 Goals and objectives are identified and documented, but not monitored. Items may be missing or ineffective.
1 Goals and objectives are minimal, lacking any specifics or depth. These items do not effectively assess and monitor the SSP's purpose and progress, respectively.
0 The SSP does not address goals or objectives of the security program.
1.103 Does a written policy statement exist that endorses and adopts the policies and procedures of the SSP that is approved and signed by top management, including the agency's chief executive? Document Review Justification should include at least two management and implementation statements. Policy statement including: endorsement statement/signature, applicability, and authority/background of the plan. 4 Policy statement is a well developed written statement (memo, mission statement, etc.) that includes all elements: endorsement statement, applicability, authority establishing the plan, and approval signature from the agency's chief executive.
2 Policy statement includes a brief endorsement statement by the chief executive and a signature.
1 Policy statement only includes a brief endorsement statement. No endorsement signature.
0 There is no policy statement of any sort in place.
1.104 Is the SSP separate from the agency’s System Safety Program Plan (SSPP)? Document Review
"Yes" or "No." 4 SSP is a stand-alone document, separate from the System Safety Plan.
0 System Security Plan is part of another document. (Note: In the past, railroads/agencies would incorporate the Security Plan into the Safety Plan - using the APTA SSPP template, element 17: Security)
1.105 T1 Do the Security and Emergency Response Plans address protection and response for critical underwater tunnels, underground stations/tunnels and other critical systems, where applicable? Document Review In addition to underwater tunnels, underground stations/tunnels, this question also applies to other critical systems. Review SSP to determine if items are addressed effectively. 4 Security plans address specific policies and procedures related to security and emergency response for underwater/underground infrastructure (if system has any) and/or other critical systems.
2 Security plans address policies and procedures with varying degrees of implementation.
0 Security plans do not address items.
1.106 Does the SSP contain or reference other documents establishing procedures for the management of security incidents by the operations control center (or dispatch center)? Document Review
Operation Control Center: managing incidents 4 Procedures for the management of security incidents by the OCC (or dispatch center) are identified in the Security Plan. Specific procedures are in place and documented in the SSP. If documented elsewhere, such as in a stand-alone Emergency Response Plan, the SSP references that document.
3 Plans and procedures are in place and function appropriately. However, minor aspects are missing. SSP includes--or references documents that contain--the procedures.
2 Well organized procedures are in place and contained as part of another document with no reference in the SSP.
1 Procedures are lacking any depth or clarity, plans are scattered between multiple documents with no reference in SSP, or responsibilities are otherwise ineffectively assigned.
0 Procedures are not in place or documented.
1.107 Does the SSP contain or reference other documents establishing plans, procedures, or protocols for responding to security events with external agencies (such as law enforcement, local EMA, fire departments, etc.)? Document Review In Justification, describe plans, procedures or protocols. Documented plans for coordinating with external agencies. 4 Well-developed, specific procedures are in place and documented in the SSP or as part of another document and referenced in the SSP.
2 Procedures are in place with varying degrees of implementation or documentation.
0 Procedures are not in place or documented.
1.108 Does the SSP contain or reference other documents that establish protocols addressing specific threats from (i) Improvised Explosive Devices (IED) and (ii) Weapons of Mass Destruction (chemical, biological, radiological hazards)? Document Review
Protocols for IED and WMD 4 Well-developed, specific protocols are in place that address IED and WMD. These protocols are documented in the SSP or as part of another document, such as a stand-alone Emergency Response Plan, and referenced in the SSP.
2 Protocols are developed with varying degrees of implementation or documentation.
0 Protocols have not been developed.
1.109 T3 Are visible, random security measures integrated into security plans to introduce unpredictability into security activities for deterrent effect? Document Review Agency should strive to implement and document their own unpredictable security measures using their own resources. Random or unpredictable security measures that are documented in security plans. 4 Random, unpredictable measures are well-documented with specific measures assigned by employee-type. Includes both security and non-security personnel.
2 Random, unpredictable measures are documented. Measures are simply general guidance lacking specifics.
1 The agency relies on outside entities to provide random, unpredictable measures. Agency only participates in VIPR or other similar outreach. Participation in program is documented in the SSP.
0 Random, visible measures are not documented in the SSP.
1.110 Does the SSP include provisions requiring that security be addressed in extensions, major projects, new vehicles and equipment procurement and other capital projects, and including integration with the transit agency’s safety certification process? Document Review
Project/procurement planning, engineering, design, construction, and testing. 4 Security plays a role in all new projects and procurements and is part of the safety certification process. This is required by the agency and documented in the SSP. There is a formal process in place for planning and implementing a project with security playing a role in various phases, including: planning, engineering, construction, testing, and final implementation.
3 Security plays a role in all new projects and procurements and is part of the safety certification process. There is a formal process in place for planning and implementing a project with security playing a role in various phases, including: planning, engineering, construction, testing, and final implementation. This is required by the agency and documented in the agency's Safety plan--not the SSP.
2 Specific security concerns are considered for all new projects, but implementation is an informal process and not required (recommended as opposed to required). Process is documented.
1 Security is addressed on an informal basis with only general security guidance considered. Process is documented.
0 There is no documented evidence in place that suggests security is addressed with new projects or procurements.
1.111 Does the SSP include or reference other documents adopting Crime Prevention Through Environmental Design (CPTED) principles as part of the agency's engineering practices? Document Review
Project design, engineering, and construction. 4 CPTED principles are addressed in all facilities and fully implemented. These principles are documented in the SSP or other documents (which are referenced in the SSP).
3 CPTED principles are addressed and implemented in a majority of facilities. This is documented in the SSP or other documents (which are referenced in the SSP). Vulnerabilities have been identified.
2 CPTED principles are addressed with minimal implementation. Principles are documented in the SSP or other documents (which are referenced in the SSP).
1 CPTED adoption is merely a general acknowledgement contained in the SSP or other document (that is referenced in the SSP).
0 CPTED is not adopted by the agency.
1.112 Does the SSP require an annual review? Document Review Reference date of last review in justification. Annual review requirement. A review is focused on written policy and ensuring policies are sufficient. 4 Annual review is a written requirement with verification measures in place (signed and dated).
2 Annual review is a "commonly known" requirement (not documented) or a written requirement with no verification measure in place.
1 SSP is reviewed on an "as-needed" basis, but at least every two years.
0 There are no review requirements in place, and the SSP is not regularly reviewed.
1.113 Does the transit agency produce periodic reports reviewing its progress in meeting its SSP goals and objectives? Document Review
An example of periodic reports reviewing SSP progress 4 Reports are produced once per year at a minimum and are detailed and developed regularly to track the agency's progress in meeting the goals and objectives identified in the SSP.
3 Periodic reports are detailed and developed once in a two-year cycle OR periodic reports are developed once per year but are lacking in detail.
2 Informal reports are developed on an "as-needed" basis.
1 Reports are not documented, per se, but the agency does have an informal, verbal system in place to monitor the agency's progress in fulfilling its goals and objectives.
0 The agency does not monitor its progress in any way.
1.114 Has an annual review of the SSP been performed and documented in the preceding 12 months? Document Review
Documented evidence of an annual review. A review is focused on written policy and ensuring policies are sufficient. 4 Annual review is verifiable by document review.
2 Annual review is only verifiable by interview.
0 SSP has not been reviewed.
1.115 Does the SSP outline a process for securing SSO agency review and approval of updates to the SSP? Document Review 49 CFR PART 659 SSO Only Question "Yes" or "No." Documented process for SSO approval. N/A for entities not regulated under 49 CFR § 659. 4 Documented process for securing SSO review and approval of SSP is included in writing, or directly referenced, in the SSP.
0 Documented process does not exist.
1.116 Has the transit agency submitted and received documentation from the SSO confirming its review and approval of the SSP currently in effect? Document Review 49 CFR PART 659 SSO Only Question
If yes, indicate the approval date in evidence.
Current SSP has been approved by SSO. N/A for entities not regulated under 49 CFR § 659. 4 Approval (including date of approval) is verifiable through document review.
2 SSP has been submitted to the SSO agency, but approval is pending.
0 SSP has not been approved.
Emergency Response Plan (ERP)
1.201 Does the transit agency have an Emergency Response Plan (ERP)? Document Review Inspectors should refer to the MT BASE Guidance, Pg13. Emergency response procedures 4 ERP is a well developed plan, complete with detailed policies and procedures related to emergency response. ERP is missing no key elements and has been completely implemented by the agency.
3 ERP is a complete document with policies and procedures that have been appropriately implemented by the agency. Only a few minor elements are missing. Key concepts are detailed with minimal exceptions.
2 Generic policies and procedures are documented and implemented adequately. Key concepts are documented, but lacking any depth. In fact, the plan simply appears to be a commonly available "template."
1 ERP is a generalized document that is lacking any detailed, agency-specific security elements. Key concepts are missing or not adequately implemented by the agency.
0 There is no ERP in place.
1.202 Does a written policy statement exist that endorses and adopts the policies and procedures of the ERP that is approved and signed by top management, including the agency's chief executive? Document Review
Policy statement including: endorsement statement/signature, applicability, and authority/background of the plan. 4 Policy statement is well developed and includes all elements: endorsement statement, applicability, authority establishing the plan, and approval signature from the agency's chief executive.
3 Includes a brief endorsement statement by chief executive and a signature.
2 Policy statement only includes an endorsement signature.
1 Policy statement only includes a brief endorsement statement. No endorsement signature.
0 There is no policy statement of any sort in place.
1.203 Does the ERP require an annual review to determine if it needs to be updated? Document Review
Documented requirement for annual review. 4 Annual review is a written requirement with verification measures in place (signed and dated).
2 Annual review is a "commonly known" requirement (not documented) or a written requirement with no verification measure in place.
1 ERP is reviewed on an "as-needed" basis, but at least every two years.
0 There are no review requirements in place, and the ERP is not regularly reviewed.
1.204 Has an annual review of the ERP been performed and documented in the preceding 12 months? Document Review Reference date of last review in justification. Documented evidence of an annual review. 4 Annual review is verifiable by document review.
2 Annual review is only verifiable by interview.
0 ERP has not been reviewed.
1.205 Does the ERP include a process or review provision to ensure coordination with the rail transit agency’s SSPP and SSP? Document Review
Emergency response procedures coordinated with security and safety procedures. (Emergency procedures do not hinder safety or security.) 4 ERP includes documented provisions that ensure its coordination with the agency's safety and security plans.
3 ERP includes documented provisions that ensure its coordination with either the agency's security plans or the agency's safety plans--not both.
2 Provisions are in place and clearly implemented, but no documentation established.
1 Coordination is very informal with no specific provisions in place. Documentation includes only vague general statements ("Safety and security should be addressed during emergency situations").
0 There is no coordination between the ERP and SSP/SSPP.
1.206 Has the transit agency received documentation from the SSO confirming its review and approval of the ERP currently in effect? Document Review 49 CFR PART 659 SSO Only Question SSO approval of current ERP. N/A for entities not regulated under 49 CFR § 659. 4 Approval (including date of approval) is verifiable.
2 ERP has been approved, but approval is not verifiable.
0 ERP has not been approved.
1.207 Does the ERP contain or reference other documents establishing plans, procedures, or protocols for responding to emergency events with external agencies (such as law enforcement, local EMA, fire departments, etc.)? Document Review
Documented plans for coordinating with external agencies. 4 Well-developed, specific procedures are in place and documented in the ERP or as part of another document and referenced in the ERP.
2 Procedures are in place with varying degrees of implementation or documentation.
0 Procedures are not in place or documented.
1.208 Does the ERP contain or reference other documents that establish procedures for the management of emergency events, including those to be employed by the operations control center (or dispatch center)? Document Review
Management of emergency events 4 The responsibility for the management of security incidents has been assigned to the Operations Control Center (or dispatch center). Specific procedures are in place and documented in the ERP. If documented elsewhere, the ERP references that document.
3 Plans and procedures are in place and function appropriately. However, minor aspects are missing. ERP includes--or references documents that contain--the procedures.
2 Well organized procedures are in place and contained as part of another document with no reference in the ERP.
1 Procedures are lacking any depth or clarity, plans are scattered between multiple documents with no reference in ERP, or responsibilities are otherwise ineffectively assigned.
0 Procedures are not in place or documented.
1.209 Does the ERP contain or reference other documents to provide for Continuity of Operations while responding to emergency events? Document Review Verify COOP addresses 5 main goals outlined in the MT BASE Guidance, Pg13. Continuity of Operations plan. 4 Continuity of Operations plans exist and are included as part of the ERP (or in another document that is referenced in the ERP).
2 Continuity of Operations plans exist but are not included as part of the ERP or referenced in the ERP.
0 No Continuity of Operations plans exist.
1.210 Does the agency have a written Business Recovery Plan to guide restoration of facilities and services following an emergency event? Document Review
Procedures to recover from an event and resume normal operations. 4 Business Recovery Plan is a comprehensive plan. Essential business functions (HR, IT, etc.) have been identified, and the agency has taken steps to protect vital business information (records, data, etc.). The plan outlines steps to be taken to return the agency to a "normal" operational status in a timely manner. Policies and procedures (including who activates the plan and how the agency transitions from emergency operations to business recovery) are detailed.
3 Business Recovery Plan is a well-developed document, missing only a few elements or details.
2 Business Recovery Plan is a generic plan that appears to be a commonly available "template" with only general procedures.
1 Business Recovery Plan is lacking details and appears incomplete.
0 There is no plan in place to achieve a timely and orderly recovery and resumption of full service.
1.211 Does the agency have a written Business Continuity Plan and COOP to guide restoration of facilities and services following an emergency event? Document Review
Procedures to continue essential operations during emergency. 4 Business Continuity Plan is a comprehensive plan. Essential operations functions (bus operations, security infrastructure) and key facilities have been identified. Policies and procedures are detailed and effective in mitigating any disruption to operations. Continuity responsibilities are identified (including who is responsible for activating the plan). Any resulting SOP changes are documented.
3 Business Continuity Plan is a well-developed document, missing only a few elements or details.
2 Business Continuity Plan is a generic plan that appears to be a commonly available "template" with only general procedures.
1 Business Continuity Plan is lacking details and appears incomplete.
0 There is no plan in place to ensure the continuity of operations.
1.212 Does the agency have a back-up operations control center capability? Document Review Indicate last time this was tested (if applicable) in Justification. Secondary site of Operations Control. 4 The agency has identified a back-up location for operations control. This secondary location can quickly become fully operational and is equipped to function in the same capacity as the primary Operation Control Center.
2 There is a back up operations control center, but it cannot fully replicate the primary operations center capabilities.
0 There are no back-up capabilities for the Operations Control Center.
Define Roles and Responsibilities for Security and Emergency Management
System Security Plan (SSP)
2.101 Does the SSP establish and assign responsibility for implementation of the security program to a Senior Manager who is a "direct report" to the agency's Chief Executive Officer? Document Review Inspectors should refer to the MT BASE Guidance, Pg14. Documented evidence assigning implementation of security program in the SSP. 4 The implementation of the security program has been assigned to a Senior Manager who is a "direct report" to the CEO. This responsibility is documented in the SSP.
3 The implementation of the security program has been assigned to a Senior Manager who is a "direct report" to the CEO. This responsibility is not documented in the SSP, but it is a commonly known assignment that is documented elsewhere.
2 The implementation of the security program has been assigned to a manager or leadership position that is not a "direct report" to the CEO. The responsibility is documented in the SSP.
1 The implementation of the security program has been ineffectively assigned to a position that cannot act independently. The responsibility is documented in the SSP.
0 The implementation of the security program is not assigned, or there is no documentation establishing the responsibility of implementation.
2.102 Has the agency established lines of delegated authority/succession of security responsibilities and, if so, has that information been distributed to agency managers? Document Review
Chain of Command and Lines of Succession for security responsibilities. 4 The agency has established comprehensive policies and procedures related to "chain of command" and "lines of succession" for security responsibilities. The policy is well documented, and lines of succession include multiple individuals based on the importance of responsibilities (more important roles have longer, multi-personnel lines of succession). This policy is shared with agency managers.
3 The agency has established basic--yet fully developed--procedures related to "chain of command" and "lines of succession" for security responsibilities. Minor elements are missing or needing further development. Lines of succession may not be in-depth, only identifying one successor for security-critical roles. The policy is documented and shared with agency managers.
2 The agency has established and documented a "chain of command." Informal (or "generally understood") "lines of succession" are in place but not documented.
1 The agency has an informal (not documented) "chain of command" only.
0 The agency has no established "chain of command."
2.103 Are roles and responsibilities for security and/or law enforcement personnel assigned by title and/or position established in the SSP or other documents? Document Review
Security roles and responsibilities of Security Personnel. 4 Roles and responsibilities of security personnel are assigned by position and documented in the SSP or other documents. Roles are comprehensive and detailed for all position-types, from security managers to supervisors to front-line security personnel.
3 Roles and responsibilities of security personnel are assigned by position and documented in the SSP or other documents; however, minor elements are missing or require minor additions.
2 General roles and responsibilities are assigned by position and documented in the SSP or other documents. While assigned by position type, the roles and responsibilities are vague. Position types identified may also be vague or missing key positions.
1 General security roles and responsibilities are documented in the SSP or other documents. These roles and responsibilities are not assigned by position.
0 Roles and responsibilities are not documented.
2.104 Are security-related roles and responsibilities for non-security and/or law enforcement personnel (i.e., operators, conductors, maintenance workers and station attendants) established in the SSP or other documents? Document Review
Security roles and responsibilities of non-security personnel. 4 Specific security-related responsibilities have been established for non-security personnel and assigned based on job function for all (or a majority of) employees. Roles and responsibilities are comprehensive and clearly identify the role non-security personnel play in regards to security. These responsibilities are documented in the SSP or other documents.
3 Security-related responsibilities have been established for non-security personnel. Specific responsibilities are identified and assigned to all non-security personnel, regardless of job function ("blanket statement"). Responsibilities are documented in the SSP or other documents.
2 Specific security responsibilities for non-security personnel encompass less than half of the applicable workforce, but the responsibilities in place are adequately developed. Responsibilities are documented.
1 Only general security-related responsibilities are documented.
0 No security-related roles have been established or documented for non-security personnel.
2.105 TSF 2 Do senior staff and middle management conduct security meetings to review recommendations for changes to plans and processes? Interview / Document Review Security should be the primary focus of these meetings and briefings. Management meetings for security recommendations. Operational. 4 Senior staff and management conduct security meetings on a quarterly basis, at minimum, to review recommendations for changes to plans and processes. Verified by both interview and document review.
2 Senior staff and management conduct security meetings infrequently, but at least annually, to review recommendations for changes to plans and processes. Only verified through interview.
0 Senior staff and management meet on an infrequent basis, if ever, or meetings related to security are not conducted.
2.106 Does a Security Review Committee (or other designated group) regularly review security incident reports, trends, and program audit findings? Interview Security should be the primary focus of these meetings and briefings Security Review Committee 4 A formal security committee or working group has been established. This group meets multiple times per year at predictable intervals (at least once per quarter) to review security incident reports, trends, and program audit findings. All applicable security items are addressed.
3 A formal security committee or working group has been established. This group meets at least twice per year to review security incident reports, trends, and program audit findings. All applicable security items are addressed.
2 A formal security committee or working group has been established, but it only meets once per year or on an "as needed" basis. This score also applies if the group meets at a higher frequency but doesn't effectively address all applicable security items.
1 Security items are discussed and addressed by a Safety committee.
0 Security review committee does not exist or meets on an infrequent basis.
2.107 Are informational briefings with appropriate personnel held whenever security protocols, threat levels, or protective measures are updated or as security conditions warrant? Interview
Security Briefings (written or verbal), means of acknowledgement. Operational. 4 Policies and procedures are in place to ensure that frontline personnel are made aware of anything relevant to the security of their transit system. Agency utilizes a variety of message delivery systems for security messages based on message importance: face-to-face verbal, electronic dispersal, written-memo system, and bulletin board postings. The agency has also developed a means of tracking/monitoring who has (or has not) received high-importance informational briefings (acknowledgement/signature sheet, email receipt, etc.).
3 Entity has procedures in place to ensure that frontline personnel are made aware of anything relevant to the security of their transit system. Method of delivery is, for the most part, effective, with very little (but possible) chance of employees not receiving critical information. Agency has not developed a means of monitoring or tracking who receives informational briefings.
2 Briefings are only delivered through written-memos or other ineffective means of personal dispersal. For a score of 2, the delivery method might reach a high number of employees, but the message itself is not guaranteed (employees may not understand a message, employees may not actually read the message, and the agency may not be able to accurately gauge who has received the message).
1 Entity only utilizes bulletin board-style briefings.
0 No briefings.
2.108 Have appropriate reference guides or other written instructions or procedures been distributed to transit employees to implement the requirements of the SSP? Document Review
Reference guides for transit personnel 4 Individual written guides or reference material based on job function have been provided to employees to assist employees with the implementation of security procedures. (Example: Driver's manual, SOP, etc.)
3 Individual written guides or reference material with generalized guidance have been provided to employees to assist employees with the implementation of security procedures.
2 Written guides or other written materials have been provided to every department and are available to employees if needed.
1 Written guides or other written materials exist but are not conveniently available to employees.
0 Written materials are not readily available to employees.
2.109 Has the agency appointed a Primary and Alternate Security Coordinator to serve as its primary and immediate 24-hr contact for intelligence and security-related contact with TSA and are the names of those Coordinators on file with TSA OSPIE office correct? Document Review / Interview This question applies to both Regulated and Non-Regulated entities. Security Coordinator 4 The agency has appointed a Primary and Alternate Security Coordinator that meet all criteria established by TSA and provided TSA the names of these individuals.
2 The agency has a Primary and/or Alternate Security Coordinator, but their roles are not clearly defined (may not be documented) and/or do not meet all criteria established by TSA (not available 24/7, etc.).
0 The agency has not identified any Security Coordinators.
2.110 Does the agency maintain a record of security related incidents that are reported within the agency? Document Review
Incident recording (may be document retention or summary archives) 4 Agency maintains a record of security related incidents that are reported within the agency. Agency has the ability to review incidents that have occurred over one year earlier.
3 Agency has the ability to review incidents that have occurred up to one year earlier.
2 Agency has the ability to review incidents that have occurred up to six months earlier.
1 Agency has the ability to review incidents that have occurred up to three months earlier.
0 Agency does not maintain a record of security related incidents.
Emergency Response Plan (ERP)
2.201 Does the ERP establish and assign responsibility for implementation of the security program to a Senior Manager who is a "direct report" to the agency's Chief Executive Officer? Document Review Inspectors should refer to the MT BASE Guidance, Pg14. Documented evidence assigning implementation of security program in the ERP. 4 The implementation of the security program has been assigned to a Senior Manager who is a "direct report" to the CEO. This responsibility is documented in the ERP.
3 The implementation of the security program has been assigned to a Senior Manager who is a "direct report" to the CEO. This responsibility is not documented in the ERP, but it is a commonly known assignment that is documented elsewhere.
2 The implementation of the security program has been assigned to a manager or leadership position that is not a "direct report" to the CEO. The responsibility is documented in the ERP.
1 The implementation of the security program has been ineffectively assigned to a position that cannot act independently. The responsibility is documented in the ERP.
0 The implementation of the security program is not assigned, or there is no documentation establishing the responsibility of implementation.
2.202 Are emergency response roles and responsibilities for all departments identified in the ERP or other supporting documents? Document Review
Documented emergency response responsibilities. 4 The agency takes an all-inclusive, system-wide approach to emergency preparedness. Emergency response roles and responsibilities have been developed and are assigned for all departments. Roles are comprehensive, detailed, and documented.
3 Emergency response roles and responsibilities have been developed and assigned to most departments. Not all departments have an assigned role in emergency response. Roles and responsibilities are well-developed and assigned effectively, but there is room for improvement. This is documented.
2 Documented roles and responsibilities have been only assigned to critical departments (security, etc.), may be generalized in nature, or a combination thereof.
1 Documented roles and responsibilities have been assigned as a blanket-statement. Roles may be vague or ineffectively developed.
0 Roles and responsibilities are not documented.
2.203 TSF 5 Are roles and responsibilities for front-line personnel (i.e. system law enforcement, system security officials, train or vehicle operators, conductors, station attendants, maintenance workers) described in the system's Emergency Response Plan (ERP)? Document Review
Frontline Personnel Responsibilities. 4 Roles and responsibilities of frontline personnel are assigned by position and documented in the ERP. Roles are comprehensive and detailed.
3 Roles and responsibilities of frontline personnel are assigned and documented in the ERP. Roles are relatively detailed and effectively assigned, but may be missing minor details.
2 Roles and responsibilities of frontline personnel are developed and documented in the ERP. Roles are general and lack specific details based on job function.
1 General security roles and responsibilities are documented in the SSP or other documents. These roles and responsibilities are not assigned by position.
0 Roles and responsibilities are not documented.
2.204 Has the ERP been distributed to appropriate departments in the organization? Interview
ERP Distribution 4 The agency takes a total approach to emergency response, including all departments in the process. All departments have been provided a copy of the ERP.
3 The agency is proactive with emergency response. The ERP has been provided to departments that are critical to emergency response as well as some departments that would serve a secondary support role during emergency response.
2 The agency has only provided the ERP to departments that are critical to emergency response. Upon request, the ERP is readily available to other departments.
1 ERP distribution is very limited. Departments do not have easy access to the document.
0 The ERP is not distributed.
2.205 Have appropriate reference guides or other written instructions or procedures been distributed to transit employees to implement the requirements of the ERP? Document Review
Reference guides for transit personnel 4 Individual written guides or reference material based on job function have been provided to all employees to assist employees with the implementation of emergency procedures.
3 Individual written guides or reference material with generalized guidance have been provided to all employees to assist employees with the implementation of emergency procedures.
2 Written guides or other written materials have been provided to every department and are available to employees if needed.
1 Written guides or other written materials exist but are not conveniently available to employees.
0 Written materials are not readily available to employees.
2.206 Are senior staff and middle management ERP coordination meetings held on a regular basis? Interview Emergency response should be the primary focus of these meetings and briefings. Management meetings for ERP coordination. Operational. 4 Senior staff and management conduct ERP coordination meetings on a monthly basis.
3 Senior staff and management conduct ERP coordination meetings on a quarterly basis.
2 Senior staff and management conduct ERP coordination meetings twice per year.
1 Senior staff and management conduct ERP coordination meetings annually or on an "as needed" basis.
0 Senior staff and management meet on an infrequent basis, if ever, or meetings related to ERP coordination are not conducted.
2.207 Are informational briefings with appropriate personnel held whenever emergency response protocols are substantially changed or updated? Interview
Briefings related to emergency response. Operational. 4 Policies and procedures are in place to ensure that frontline personnel are made aware of anything relevant to the emergency response plan. Agency utilizes a variety of message delivery systems for security messages based on message importance: face-to-face verbal, electronic dispersal, written-memo system, and bulletin board postings. The agency has also developed a means of tracking/monitoring who has (or has not) received high-importance informational briefings (acknowledgement/signature sheet, email receipt, etc.).
3 Entity has procedures in place to ensure that frontline personnel are made aware of anything relevant to the emergency response. Method of delivery is, for the most part, effective, with very little (but possible) chance of employees not receiving critical information. Agency has not developed a means of monitoring or tracking who receives informational briefings.
2 Briefings are only delivered through written-memos or other ineffective means of personal dispersal. For a score of 2, the delivery method might reach a high number of employees, but the message itself is not guaranteed (employees may not understand a message, employees may not actually read the message, and the agency may not be able to accurately gauge who has received the message).
1 Entity only utilizes bulletin board-style briefings.
0 No briefings.
Ensure that operations and maintenance supervisors, forepersons and managers are held accountable for security issues under their control
3.101 Do managers and supervisors routinely provide information to front-line personnel regarding security and emergency response issues? Interview, Frontline Verification, Document Review Inspectors should refer to the MT BASE Guidance, Pg16. Frontline Personnel Briefings 4 Frontline employees receive a weekly briefing from their immediate supervisor regarding security and emergency preparedness. Security and emergency response issues are the primary focus of briefings (or equal to that of safety). Verified by Interview, Document Review and Frontline Employees.
3 Frontline employees receive a monthly briefing from their immediate supervisor regarding security and emergency preparedness. Security and emergency response issues are the primary focus of briefings (or equal to that of safety).
2 Frontline employees receive a quarterly briefing from their immediate supervisor regarding security and emergency preparedness. Security and emergency response issues are the primary focus of briefings (or equal to that of safety).
1 Frontline employees are provided information regarding security and emergency response issues on an infrequent or "as needed" basis.
0 Frontline employees are not provided information regarding security and emergency response issues.
3.102 Are regular supervisor, manager, and/or foreperson security review and coordination briefings held? If so, detail frequency and subjects covered in the justification. Interview
Supervisor Briefings 4 Supervisor/management security review and coordination meetings are held on a monthly basis.
3 Supervisor/management security review and coordination meetings are held on a bimonthly basis.
2 Supervisor/management security review and coordination meetings are held on a quarterly basis.
1 Supervisor/management security review and coordination meetings are held on an infrequent or "as-needed" basis.
0 Meetings are not held or do not focus on security.
3.103 Does the agency have a program for confirming that personnel have a working knowledge of security protocols? If so, summarize program in the justification. Interview / Document Review Possible follow-up questions needed. Summarize program in justification. Internal verification of knowledge 4 The agency actively engages its workforce to ensure a high rate of security knowledge. Agency utilizes a formal, measurable and on-going system of verification, such as internal audits, challenge procedures, or qualification testing. The program--or procedures/responsibilities related to it--is documented. Verified by both Interview and Document Review.
3 The agency has an on-going, informal system of measuring its workforce's knowledge of security elements. The program may not be documented, but the agency can articulate specific measures it takes to ensure its personnel retain a working knowledge of security. Examples include informal (undocumented or unmeasured) internal testing or auditing.
2 Employees are tested after training, and Supervisors are tasked with ensuring protocols are followed and knowledge is retained.
1 Direct supervision is the only method of ensuring that security knowledge is retained.
0 The agency does not have a program of confirming that personnel have a working knowledge of security protocols.
3.104 Are managers and/or supervisors required to debrief front-line employees regarding their involvement in or management of any security or emergency incidents? Interview / Document Review
Debriefing Requirement 4 There is a written policy that requires leadership to debrief frontline personnel regarding their involvement in or management of any security or emergency incidents. Verified by both Interview and Document Review.
3 There isn't a written requirement, but leadership is expected to debrief frontline personnel regarding their involvement in or management of any security or emergency incidents. This expectation is widely known. Verified by both Interview and Document Review.
2 Leadership is expected to debrief frontline personnel only after major incidents regarding their involvement in or management of security or emergency incidents.
1 Debriefings are being held, but the policy is very insufficient and inconsistent.
0 There are no debriefing measures in place.
Coordinate Security and Emergency Management Plan(s) with local and regional agencies
4.101 Have Mutual Aid agreements been established between the transit agency and entities in the area that would be called upon to supplement the agency's resources in the event of an emergency event? Interview / Document Review Inspectors should refer to the MT BASE Guidance, Pg16. MOUs involving law enforcement, other transit agencies, and first responders 4 The agency has taken a comprehensive approach to emergency preparedness and has established mutual aid agreements with all outside entities that the agency may need to coordinate with during an emergency situation. This includes: law enforcement entities, other transit agencies that operate in the same area, and first responders. Verified by both Interview and Document Review.
3 The agency has taken a proactive approach to emergency preparedness and has established mutual aid agreements with multiple types of outside entities.
2 The agency has taken a limited approach to emergency preparedness and has established mutual aid agreements only with all local law enforcement entities that operate within the geographical scope of their system.
1 The agency has taken the first steps of establishing mutual aid agreements. Agreements are actively being pursued.
0 Mutual aid agreements are non-existent and not being pursued.
4.102 Does the agency participate in a regional Emergency Management Working Group or similar regional coordinating body for emergency preparedness and response? Interview
Regional Emergency Management Group. "Yes" or "No." 4 The agency participates in a regional security and emergency preparedness/management working group or committee (this is not the same as participation in drills or exercises).
0 The agency does not participate in a security and emergency preparedness/management working group or committee.
4.103 Have regional incident management protocols been shared with the agency and incorporated into the agency's ERP/SSP/SEPP? Document Review / Interview
Regional Incident Management Protocols 4 The agency has received--and is knowledgeable of--regional incident management protocols. These protocols have been completely incorporated into the agency's ERP/SSP/SEPP. Verified by both Interview and Document Review.
3 The agency has received--and is knowledgeable of--regional incident management protocols. These protocols are partially incorporated (or in the process of being incorporated) into the agency's ERP/SSP/SEPP. Verified by both Interview and Document Review.
2 The agency has received--and is knowledgeable of--regional incident management protocols. These protocols are not part of the agency's ERP.
1 The agency is aware of regional protocols and understands how they may obtain them.
0 The agency is completely unfamiliar with regional protocols.
4.104 Have agency resources been appropriately identified and provided to the regional EMA? Interview
Agency Resources. "Yes" or "No." 4 The agency has provided the regional EMA with a detailed list of resources (vehicles, facilities, etc.) that may be utilized in the event of an emergency.
0 Agency resource inventory has not been provided to the regional EMA.
4.105 Does the agency have a designated point-of-contact or liaison with the local/regional Emergency Operations Center (EOC)? Interview / Document Review
POC identified from EOC. "Yes" or "No." 4 Agency has established a point-of-contact at the Emergency Operations Center. Must be verified by Document Review.
0 Agency has no identified POC at the EOC.
4.106 Does the agency send a representative to the local/regional EOC, should it be activated? Interview / Document Review
Agency Representative sent to EOC. "Yes" or "No." 4 Agency has officially designated a representative to be sent to the EOC, upon activation. This is documented in SSP/ERP/SEPP. Must be verified by Document Review.
2 The agency has designated a representative to be sent to the EOC, upon activation, although formal policies are not in place.
0 Agency has not designated a representative.


4.107 Does the agency have information sharing capabilities with the regional/local EOC (i.e., contacts, procedures, resource inventories, etc.)? Interview / Document Review
Information Sharing Capabilities 4 The agency has developed a formal method of effectively sharing information with the EOC, information flow is two-way (information can be shared and received), and the method of sharing is known by both entities. Capabilities are documented. Must be verified by Document Review.
2 The agency has developed an informal method of effectively sharing with the EOC, information flow is two-way (information can be shared and received), and the method of sharing is known by both entities. It is clear that the agency has planned for information sharing, but the capabilities are not documented.
1 Information sharing procedures and capabilities exist, but are vague and have received little attention or planning.
0 The agency has no information sharing capabilities or procedures and is not actively pursuing the development of any.
4.108 Has the agency developed internal incident management protocols that comply with the National Response Plan and the National Incident Management System (NIMS)? Document Review / Interview
Internal Incident Management Protocols. "Yes" or "No." 4 The agency's internal emergency response procedures follow the NRP and the NIMS. Must be verified by Document Review.
0 The agency's internal emergency response procedures do not follow the NRP and the NIMS.
4.109 Have the agency's emergency response protocols been shared with the EMA and appropriate first responder agencies? Interview
Internal Emergency Response Protocols. "Yes" or "No." 4 The agency has shared its internal emergency response protocols with the regional EMA and appropriate first response agencies.
2 The agency has shared its internal emergency response protocols with only the regional EMA or only first response agencies.
0 The agency has not shared its emergency response protocols.
4.110 TSF 5 Has the transit system tested its communications systems for interoperability with appropriate emergency response agencies? Interview
Interoperability 4 The agency is very proactive with regard to interoperable communication and ensures that its communication systems can communicate with appropriate external agencies across jurisdictional lines. The agency uses compatible radio systems (800 MHz, UHF, VHF, etc.), has developed a plan (either documented or trained personnel) for interoperable communication, and has tested its system for compatibility with appropriate external agencies.
3 The agency has an effective interoperable communications system (800 MHz, UHF, VHF, interoperable CAD system), but minor elements are missing. Planning (training or documentation) is missing or the agency has not tested its system for compatibility.
2 The agency has an effective interoperable communications system (800 MHz, UHF, VHF, interoperable CAD system). Neither planning (training or documentation) nor compatibility testing is in place.
1 The agency's systems are not interoperable, but the agency is in the process of actively implementing such a system (plans established, funds identified).
0 The agency's systems are not interoperable, nor is such a system being currently implemented.
4.111 If the agency's communications systems are NOT inter-operable with appropriate emergency response agencies, have alternate communication protocols been established? Describe the alternate communication protocols in the justification. Interview / Document Review
Interoperability Substitute 4 The agency has developed effective alternatives to interoperable communication (beyond the reliance of standard communication, like telephone). These procedures are documented and shared with appropriate first responder agencies. Must be verified by Document Review.
2 The agency has developed partially effective alternatives to interoperable communication (beyond the reliance of standard communication, like telephone). The procedures are informal and may not be documented and/or shared with first responder agencies.
0 The agency has identified no alternatives for interoperable communication.
Establish and Maintain a Security and Emergency Training Program
5.101 TSF 4 Is initial training provided to all new agency employees regarding security orientation/awareness? Document Review / Frontline Verification Inspectors should refer to the MT BASE Guidance, Pg18. Training records, training material 4 All new employees, regardless of job function, receive initial training, which is focused on general security awareness and orientation. The agency has a well-developed program with an official curriculum and training is provided in a formal environment (classroom or computer-based). Must be verified by Document Review and Frontline Employees.
2 Initial training is provided with varying degrees of implementation.
0 Security is not addressed in initial training.
5.102 TSF 4 Is annual refresher training provided regarding security orientation/awareness to Senior Management staff, managers and supervisors? Interview / Document Review
Training records, training material 4 Annual refresher training is well-developed with an official curriculum, focused on the appropriate subject, and provided in a formal manner (classroom or computer-based). Must be verified by Document Review.
2 Training is provided with varying degrees of implementation.
0 Refresher training is not provided annually or does not focus on the appropriate subject.
5.103 TSF 4 Is annual refresher training provided regarding security orientation/awareness to managers and supervisors? Interview / Document Review
Training records, training material 4 Annual refresher training is well-developed with an official curriculum, focused on the appropriate subject, and provided in a formal manner (classroom or computer-based). Must be verified by Document Review.
2 Training is provided with varying degrees of implementation.
0 Refresher training is not provided annually or does not focus on the appropriate subject.
5.104 TSF 4 Is annual refresher training provided regarding security orientation/awareness to front-line employees? Document Review / Frontline Verification
Training records, training material 4 Annual refresher training is well-developed with an official curriculum, focused on the appropriate subject, and provided in a formal manner (classroom or computer-based). Must be verified by Document Review and Frontline Employees.
2 Training is provided with varying degrees of implementation.
0 Refresher training is not provided annually or does not focus on the appropriate subject.
5.105 Is ongoing advanced security training focused on job function provided at least annually? Interview / Frontline Verification
Training records, training material 4 Advanced security training is provided in an ongoing manner, with classes/courses being provided at least once per year. Agency has established an official training curriculum, training is specifically designed based on job function, and training is provided in a formal environment (classroom or computer-based). Must be verified by Document Review and Frontline Employees.
2 Ongoing advanced security training based on job function is provided with varying degrees of implementation and frequency.
0 Ongoing security training based on job function is not provided.
5.106 TSF 4 Is initial training provided to all new transit employees regarding emergency response? Interview / Frontline Verification General emergency response / awareness training Training records, training material 4 All new employees, regardless of job function, receive initial training, which is focused on emergency response. The agency has a well-developed program with an official curriculum and training is provided in a formal environment (classroom or computer-based). Must be verified by Document Review and Frontline Employees.
2 Initial training is provided with varying degrees of implementation.
0 Emergency response is not addressed in initial training.
5.107 Is annual refresher training provided regarding emergency response to Senior Management staff, supervisors, and managers? Interview / Document Review
Training records, training material 4 Annual refresher training is well-developed with an official curriculum, focused on the appropriate subject, and provided in a formal manner (classroom or computer-based). Must be verified by Document Review.
2 Training is provided with varying degrees of implementation.
0 Refresher training is not provided annually or does not focus on the appropriate subject.
5.108 TSF 4 Is annual refresher training provided regarding emergency response to Managers and Supervisors? Interview / Document Review
Training records, training material 4 Annual refresher training is well-developed with an official curriculum, focused on the appropriate subject, and provided in a formal manner (classroom or computer-based). Must be verified by Document Review.
2 Training is provided with varying degrees of implementation.
0 Refresher training is not provided annually or does not focus on the appropriate subject.
5.109 TSF 4 Is annual refresher training provided regarding emergency response to front-line Employees? Interview / Frontline Verification
Training records, training material 4 Annual refresher training is well-developed with an official curriculum, focused on the appropriate subject, and provided in a formal manner (classroom or computer-based). Must be verified by Document Review and Frontline Employees.
2 Training is provided with varying degrees of implementation.
0 Refresher training is not provided annually or does not focus on the appropriate subject.
5.110 TSF 4 Have agency employees received general training on Incident Command System (ICS) procedures in accordance with National Incident Management System at least annually? Interview / Frontline Verification
Training records, training material 4 All employees who may have a role in emergency response--frontline personnel and leadership--have received ICS training in accordance with the NIMS. The agency has a well-developed program with an official curriculum and training is provided annually in a formal environment (classroom or computer-based). Must be verified by Document Review and Frontline Employees.
2 Training is provided with varying degrees of implementation.
0 ICS training is not provided.
5.111 Has ICS and NIMS training appropriate to the position been provided to Senior Management staff, supervisors, and managers at least annually? Interview / Document Review
Training records, training material 4 Annual ICS and NIMS training based on job function is provided by the agency to all senior leadership. Must be verified by Document Review.
2 Training appropriate to the position has been provided with varying degrees of implementation.
0 Senior leadership only receives basic ICS/NIMS training, or ICS/NIMS training is not provided.
5.112 Has ICS and NIMS training appropriate to the position been provided to managers and supervisors at least annually? Interview / Document Review
Training records, training material 4 Annual ICS and NIMS training based on job function is provided by the agency to all supervisors and managers. Must be verified by Document Review.
2 Training appropriate to the position has been provided with varying degrees of implementation.
0 Supervisors and managers only receive basic ICS/NIMS training, or ICS/NIMS training is not provided.
5.113 Has ICS and NIMS training appropriate to the position been provided to front-line employees at least annually? Interview / Frontline Verification
Training records, training material 4 Annual ICS and NIMS training based on job function is provided by the agency to all frontline personnel. Must be verified by Document Review.
2 Training appropriate to the position has been provided with varying degrees of implementation.
0 ICS/NIMS training is not provided.
5.114 Has the agency developed a program and provided annual training on its own incident response protocols? Document Review / Interview
Training records, training material 4 The agency has developed internal procedures for incident response and a comprehensive training program to support these procedures. Training has an established curriculum, official training materials, and is provided in a formal environment (classroom or computer-based). Training is provided annually. Must be verified by Document Review.
2 Training is provided with varying degrees of implementation.
0 The agency has not established training for its internal incident response procedures.
5.115 TSF 4 Has training on the agency's incident response protocols appropriate to the position been provided to Senior Management staff, managers and supervisors at least annually? Interview / Document Review
Training records, training material 4 Annual training based on job function is provided by the agency to all senior leadership. Must be verified by Document Review.
2 Training appropriate to the position has been provided with varying degrees of implementation.
0 Senior leadership only receives basic training, training appropriate for frontline personnel, or training is not provided.
5.116 TSF 4 Has training on the agency's incident response protocols appropriate to the position been provided to managers and supervisors? Interview / Document Review
Training records, training material 4 Annual training based on job function is provided by the agency to all supervisors and managers. Must be verified by Document Review.
2 Training appropriate to the position has been provided with varying degrees of implementation.
0 Supervisors and managers only receive basic training, training that is appropriate to frontline personnel, or training is not provided.
5.117 TSF 4 Has training on the agency's incident response protocols appropriate to the position been provided to front-line employees at least annually? Document Review / Frontline Verification
Training records, training material 4 Annual training based on job function is provided by the agency to all frontline personnel. Must be verified by Document Review and Frontline Employees.
2 Training appropriate to the position has been provided with varying degrees of implementation.
0 Training is not provided.
5.118 TSF 4 Has the transit system implemented an annual training program for personnel regarding response to terrorism, including (i) Improvised Explosive Devices and (ii) Weapons of Mass Destruction (chemical, biological, radiological, nuclear)? If so, summarize the relevant programs in the justification. Document Review / Interview
Training records, training material 4 Annual training provided regarding response to IEDs and WMD. This is part of an official curriculum, uses effective training materials, and is provided in a formal environment (classroom or computer-based). Must be verified by Document Review.
2 Training has been developed and provided with varying degrees of implementation.
0 The agency has not developed a relevant training program.
5.119 Has training focused on IEDs and WMDs appropriate to the position been provided to Senior Management staff, managers, and supervisors at least annually? Document Review / Interview
Training records, training material 4 Annual training based on job function is provided by the agency to all senior leadership. Must be verified by Document Review.
2 Training appropriate to the position has been provided with varying degrees of implementation.
0 Senior leadership only receives basic training, training that is appropriate for frontline personnel, or training is not provided.
5.120 Has training focused on IEDs and WMDs appropriate to the position been provided to managers and supervisors? Document Review / Interview
Training records, training material 4 Annual training based on job function is provided by the agency to all supervisors and managers. Must be verified by Document Review.
2 Training appropriate to the position has been provided with varying degrees of implementation.
0 Supervisors and managers only receive basic training, training that is appropriate to frontline personnel, or training is not provided.
5.121 Has training focused on IEDs and WMDs appropriate to the position been provided to front-line employees at least annually? Document Review / Frontline Verification
Training records, training material 4 Annual training based on job function is provided by the agency to all frontline personnel. Must be verified by Document Review and Frontline Employees.
2 Training appropriate to the position has been provided with varying degrees of implementation.
0 Training is not provided.
5.122 Do law enforcement/security department personnel at the agency receive specialized training in counter-terrorism annually? Summarize program in the justification. Document Review / Interview In justification, provide description of specialized training or provider. Training records, training material 4 All personnel in security-related positions receive annual specialized training focused on counter-terrorism. Training is in addition to general training, with materials developed by or instruction led by subject matter experts. Training is part of an established curriculum and provided in a formal environment (classroom or computer-based). Must be verified by Document Review.
2 Specialized counter-terrorism training is provided with varying degrees of implementation.
0 Specialized counter-terrorism training is provided with varying degrees of implementation.
5.123 Do law enforcement/security department personnel at the agency receive specialized training supporting their incident management and emergency response roles at least annually? Summarize program in the justification. Document Review / Interview In justification, provide description of specialized training or provider. Training records, training material 4 All personnel in security-related positions receive annual specialized training supporting incident response. Training is in addition to general training, with materials developed by or instruction led by subject matter experts. Training is part of an established curriculum and provided in a formal environment (classroom or computer-based). Must be verified by Document Review.
2 Specialized incident response training is provided with varying degrees of implementation.
0 Specialized incident response training is provided with varying degrees of implementation.
5.124
Does the agency have an established program to monitor employee training and to schedule employees for training? Document Review General training review. This does not have to revolve around Security Training but establishes if they have an active system. Training Scheduling (General) 4 The agency has developed a formal system of monitoring employee training and scheduling employee training as needed. This includes retaining training records, being able to easily determine employee training status, and being able to schedule employee training in an effective manner.
2 A program for monitoring and scheduling training exists with varying degrees of implementation.
0 Such a program does not exist.
5.125
Does the agency have a system that records and tracks personnel training for all security-related courses (including initial, annual, periodic and other)? Document Review This question asks specifically about security-related courses. Training Recording (Security) (ex. 30-day file) 4 The agency has a formal system to record and track personnel training for all security-related training, including initial, annual, and periodic. Records for all employees contain the following: employee name/identifier, training/course identifier, and date of course completion. Must be verified by Document Review.
2 The agency employs a system with varying degrees of implementation.
0 Such a system does not exist, or security training is not specifically addressed.
5.126 Does the transit agency have a system that records and tracks personnel training for emergency response courses (including initial, periodic and other)? Document Review This question asks specifically about emergency response related courses. Training Recording (Emergency Response) (ex. 30-day file) 4 The agency has a formal system to record and track personnel training for all emergency response-related training, including initial, annual, and periodic. Records for all employees contain the following: employee name/identifier, training/course identifier, and date of course completion.
2 The agency employs a system with varying degrees of implementation.
0 Such a system does not exist, or emergency response training is not specifically addressed.
5.127 Does the agency have a program to regularly review and update security awareness and emergency response training materials? Interview / Document Review
Security Review and Updating 4 The agency has developed a formal program of reviewing and updating security and emergency response training materials to ensure they are up-to-date; this program is documented (generally or as a "role/responsibility"), and the program ensures materials are reviewed at least annually. Must be verified by Document Review.
2 The agency has developed a program with varying degrees of implementation.
0 The agency has no established program of reviewing and updating security and emergency response training materials.
5.128
TSF 4
Are all appropriate personnel notified via briefings, email, voicemail, or signage of changes in threat condition, protective measures or the employee watch programs? Interview
Operational Changes 4 Appropriate personnel are notified of operational changes--including those related to threat levels and protective measures. Individuals with a "need to know" have been formally identified, and measures are in place to effectively reach all appropriate employees.
3 Appropriate personnel are notified of operational changes--including those related to threat levels and protective measures. Individuals with a "need to know" have been formally identified, and measures are in place for the agency to confidently reach most of those employees in a timely manner.
2 Appropriate personnel are notified of operational changes. Individuals with a "need to know" are informally identified, but measures for communicating information lack consistency.
1 The agency notification measures are inconsistent with little to no planning involved whatsoever. Individuals with a "need to know" have not been identified.
0 Operational changes are rarely--if ever--communicated to employees, or no policy exists to support the recommendation.
5.129
TSF 1
Do the agency's security awareness and emergency response training programs cover response and recovery operations in critical facilities and infrastructure? If so, summarize relevant provisions of program in the justification. Document Review
Response and recovery operations in critical facilities and infrastructure. 4 The agency's security and emergency response training covers response and recovery operations in critical facilities and infrastructure (including COOP-related procedures). Training is part of an official curriculum, utilizes effective training materials, and is provided in a formal environment (classroom or computer-based).
2 Security and emergency response training covers response and recovery operations in critical facilities and infrastructure with varying degrees of implementation.
0 Training does not cover response and recovery operations.
5.130
TSF 1
Has the agency provided training to regional first responders (law enforcement agencies, firefighters, and emergency medical response teams) to enable them to operate in critical facilities and infrastructure? Interview During interview, dates or frequency of training should be documented to receive full score. Also, describe scope of training. Training program for external agencies. 4 The agency has provided training to regional first responders to enable them to operate in critical facilities and infrastructure. The training is well-developed, and the agency has actively offered it to outside entities.
2 The agency has provided training with varying degrees of implementation.
0 The agency has not provided training to external agencies to enable them to operate effectively in critical facilities and infrastructure.
5.131
TSF 3
Does training of transit system law enforcement and/or security personnel integrate the concept and employment of visible, random security measures? Interview / Document Review
Training program featuring concepts of random and highly visible countermeasures. 4 The concept and employment of visible, unpredictable, and random security measures is included as part of the training curriculum for all personnel in security-related positions. This is documented in training materials. Must be verified by Document Review.
2 Training covers the concept of visible and random security measures with varying degrees of implementation.
0 Training does not cover the concept of visible or random security measures.
5.132
TSF 4
Has the agency implemented a program to train or orient first responders (law enforcement, firefighters, emergency medical teams) and other potential supporting assets (e.g., TSA regional personnel for VIPR exercises) on their system vehicle familiarization? Interview / Document Review During interview, dates or frequency of training should be documented to receive full score. Also, describe scope of training. Training program for external agencies. 4 The agency has developed and implemented a program to annually train or orient first responders and other supporting agencies (TSA VIPR teams) on their system vehicle familiarization. Training is well-developed, and the agency has actively offered it to outside entities. Must be verified by Document Review.
2 The program has been developed with varying degrees of implementation.
0 Such a program does not exist.
Establish plans and protocols to respond to the DHS National Terrorism Advisory System (NTAS).
6.101 Does the SSP contain or reference other documents identifying incremental actions (imminent or elevated) to be implemented for a NTAS threat? Document Review Inspectors should refer to the MT BASE Guidance, Pg19. Incremental actions based on NTAS threat 4 The agency has identified incremental actions that correlate with NTAS threat level increases. Incremental actions are identified for all threat conditions, well-developed, effective, and documented.
2 Incremental actions are identified with varying degrees of implementation or documentation.
0 Incremental actions are not documented.
6.102
TSF 2
Does the agency have actionable operational response protocols for the specific threat scenarios from NTAS? Document Review
Response protocols for specific threat scenarios based on NTAS 4 The agency has identified possible NTAS alert scenarios and established detailed procedures and protocols to respond to these scenarios. These procedures are well-developed and documented.
2 Actionable operational response protocols for specific threat scenarios from NTAS have been developed with varying degrees of implementation.
0 Actionable operational response protocols have not been developed or specific threat scenarios haven't been identified.
6.103 Has the agency provided annual training and/or instruction focused on job function regarding the incremental activities to be performed by employees? Interview / Document Review
Job-specific NTAS training 4 Job-specific NTAS training that focuses on incremental activities to be performed by employees has been provided annually by the agency. Training is a well-developed part of an official curriculum, focuses on appropriate individual roles in response to NTAS threats, and is provided in a formal environment (classroom or computer-based). Must be verified by Document Review.
2 Job-specific NTAS training is provided with varying degrees of implementation.
1 General NTAS training is provided to appropriate personnel.
0 The agency does not provide NTAS training.
Implement and reinforce a Public Security and Emergency Awareness program:
7.101 Has the transit agency developed and implemented a public security and emergency awareness program? Interview Inspectors should refer to the MT BASE Guidance, P20. In justification, provide description of agency’s emergency awareness program. Outreach program 4 Agency has implemented a well-developed public awareness program that addresses specific issues of both security and emergency response.
3 Agency has implemented a well-developed public awareness program that addresses specific issues of security. Emergency response material is generalized or missing.
2 Agency has implemented a well-developed public awareness program that addresses specific issues of emergency response and safety. Security material is generalized or missing.
1 Agency has a public awareness program, but the program is vague or otherwise ineffective.
0 The agency has no public awareness program in place.
7.102
TSF 6
Does the agency provide active public outreach for security awareness and emergency preparedness (e.g., Transit Watch, “If You See Something, Say Something”, message boards, brochures, channel cards, posters, fliers)? Document Review / Onsite Observation
Active outreach, utilizes program materials 4 The agency's public awareness program covers security and emergency response and is communicated effectively. Program materials--brochures, posters, fliers--are widely distributed and highly visible. Must be verified by Document Review and Onsite Observation.
2 Public awareness materials and outreach have been developed and deployed with varying degrees of implementation. Verified by Document Review only.
0 Public awareness materials and outreach have not been developed and/or deployed.
7.103
TSF 6
Is the above consistent with agency's overall announcement program? Document Review / Onsite Observation
Appropriate outreach material. "Yes" or "no." 4 Public awareness material is consistent with the agency's overall announcement program. All information/instruction/guidance is the same. Must be verified by Document Review and Onsite Observation.
0 Public awareness material conflicts with the agency's overall announcement program.
7.104
TSF 6
Are general security awareness and emergency preparedness messages included in public announcement messages at stations and on board vehicles? Onsite Observation
Public announcements (Pre-recorded voice announcements) 4 The agency includes frequent mentions of general security and emergency preparedness items in its pre-recorded announcement messages at all appropriate areas, including at stations and onboard vehicles.
3 The agency includes frequent mentions of general security items (but no emergency preparedness items) in its pre-recorded announcement messages at all appropriate areas, including at stations and onboard vehicles.
2 The agency includes frequent mentions of general emergency preparedness items and infrequent mentions of general security items in its pre-recorded announcement messages at all appropriate areas, including at stations and onboard vehicles.
1 The agency includes infrequent mentions of general security and emergency preparedness items in its pre-recorded announcement messages at all appropriate areas, including at stations and onboard vehicles.
0 Security and emergency preparedness items are not included in the agency's pre-recorded announcement messages.
7.105
TSF 6
Are passengers urged to report unattended property, suspicious behavior, and security concerns to uniformed crew members, law enforcement or security personnel, and/or a contact telephone number? If so, summarize the type of materials used and content in the justification. Document Review / Onsite Observation
Materials specifically mention reporting unattended property, suspicious behavior and security concerns. 4 Passengers are urged to report unattended property, suspicious behavior, and other security concerns to an identified agency representative (uniformed crew member, law enforcement, etc.) or identified contact number. This is documented in awareness material and readily observable. Must be verified by Document Review and Onsite Observation.
2 Passengers are urged to report unattended property, suspicious behavior, and other security concerns with varying degrees of implementation.
0 Passengers are not urged to report unattended property, suspicious behavior, and other security concerns with varying degrees of implementation.
7.106
TSF 6
Does the agency have an appropriate mechanism in place (e.g., 1-800 number, smart phone applications, social media, etc.) that passengers can call or use to report security concerns? If so, is this information indicated in public awareness materials and messages? Document Review / Onsite Observation
Effective reporting mechanism 4 The agency has an effective mechanism in place that can be used by passengers to report security concerns (phone number, smart phone application, social media, etc.). This mechanism is actively monitored by the agency and widely distributed to passengers as part of the awareness program's materials. Must be verified by Document Review and Onsite Observation.
2 A mechanism is in place with varying degrees of implementation.
0 There is no mechanism in place.
7.107 Does the agency issue public service announcements or press releases to social media (e.g. Twitter/ Facebook/etc., QRC codes, and/or apps for smart phones) regarding security and emergency protocols? Interview / Document Review In justification, provide description of social media utilized. Social Media Announcements for Security and Emergency. "Yes" or "No." 4 The agency utilizes social media to issue public service announcements related to security or emergency response. This method is documented or readily observable.
0 The agency does not issue security-related PSAs or press releases to local media.
7.108
TSF 6
Does the agency issue public service announcements or press releases to local media (e.g. newspaper, radio and/or television) regarding security or emergency protocols? Interview / Document Review In Justification, describe the most recent public announcement or press release to local media. Local Media Announcements for Emergency Response. "Yes" or "No." 4 The agency issues security- and emergency response-related PSAs or press releases to local media. This method is documented or readily observable.
0 The agency does not issue emergency response-related PSAs or press releases to local media.
7.109 Does the transit agency conduct a volunteer training program for non-employees to aid with system evacuations and emergency response? Interview / Document Review
Training for non-employee volunteers for emergency response 4 The agency conducts training of non-employee volunteers to aid with system evacuations and emergency response. This training program has an official curriculum and is provided on a semi-frequent basis. Must be verified by Document Review.
2 Training is provided with varying degrees of implementation.
0 Training is not provided.
7.110 Does the transit agency conduct an outreach program to enlist members of the public as security awareness volunteers, similar to Neighborhood Watch programs? Interview / Document Review
Active volunteer program (not the same as "See Something, Say Something") 4 The agency has established a volunteer program to enlist an active security awareness volunteer force. This program (including how passengers can get involved) is documented. Must be verified by Document Review.
2 The agency has established an active volunteer program with varying degrees of implementation.
0 The agency has not established an active volunteer program.
7.111
TSF 1
Do public awareness materials and/or messages inform passengers on the means to evacuate safely from transit vehicles and underwater/underground facilities? Interview / Document Review If agency has no underwater/underground facilities question applies to transit vehicles. Passenger evacuation guidance material 4 The agency has developed awareness material to assist passengers on the means to evacuate safely from transit vehicles and underwater/underground facilities. These materials are readily available or readily visible to passengers. Must be verified by Document Review.
2 The agency has developed awareness material with varying degrees of implementation.
0 The agency has not developed awareness material to assist passengers on the means of safe evacuation.
7.112 Does the agency track and monitor customer complaints reported by passengers? Interview
Customer complaint tracking system 4 The agency has a system in place to actively and effectively monitor and follow up on customer reports.
2 The agency has developed a system with varying degrees of effectiveness or implementation.
0 The agency has not developed a system for tracking and following up on customer reports.
Establish and use a Risk Management Process to assess and manage threats, vulnerabilities and consequences
8.101
TSF 2
Does the agency have a risk assessment process approved by its management, for managing threats and vulnerabilities? If so, summarize the process in the justification. Document Review / Interview Inspectors should refer to the MT BASE Guidance, Pg20. Process of Risk Assessment 4 Risk assessment process is developed, documented, specifically addresses threats and vulnerabilities, and is approved by management. Must be verified by Document Review.
2 Risk assessment process is developed with varying degrees of implementation.
0 Risk assessment process has not been developed.
8.102 Has the agency identified facilities and systems it considers to be its critical assets? Interview / Document Review In Justification, describe the critical assets identified by the agency. Identification of Critical Assets 4 The agency has identified facilities and systems it considers critical assets. This is documented (or clearly implied in documentation/procedures). Must be verified by Document Review.
2 The agency has identified critical assets with varying degrees of documentation or development.
0 The agency has not identified critical assets.
8.103
TSF 2
Has the agency had an internal or external vulnerability assessment on its critical assets within the past 3 years? Specify the dates of the most recent assessments and the entity(ies) that conducted the assessment(s). Interview / Document Review Scoring Justification should list at a minimum: date of assessment, identify critical assets, who conducted the assessment, etc. Date of last vulnerability assessment (General). "Yes" or "no." 4 A vulnerability assessment focused on the agency's critical assets has been conducted within the last 3 years. Must also be verified by Document Review.
2 A vulnerability assessment focused on the agency's critical assets has been conducted within the last 3 years. Only verified by Interview.
0 A security assessment focused on the agency's critical assets has not been conducted within the last 3 years.
8.104
TSF 1
Has the agency had an internal or external Risk Assessment, analyzing threat, vulnerability, and consequence, for critical assets, infrastructure, and systems within the past 3 years? Have management and staff responsible for the risk assessment process been properly trained to manage the process? Interview / Document Review Scoring Justification should list at a minimum: date of assessment, identify critical assets, who conducted the assessment, etc. Recent Risk Assessment (specifically threat, vulnerability, and consequence analyzed), appropriate personnel trained. 4 A risk assessment focused on the agency's critical assets has been conducted within the last 3 years; focuses specifically on threats, vulnerabilities, and consequences; and is documented. The personnel tasked with conducting the assessment have been provided adequate training to effectively conduct such an assessment. Must be verified by Document Review.
2 A risk assessment has been conducted with varying degrees of implementation or training on completing such assessment. Assessment is documented and available for review. Must be verified by Document Review.
0 A risk assessment has not been conducted, or documentation does not exist.
8.105
TSF 2
Has the system implemented procedures to limit and monitor authorized access to underground and underwater tunnels? If so, summarize procedures in the justification. Interview / Document Review
Access to underground and underwater tunnels. N/A if the system does not have underground/underwater tunnels. 4 The system has well-developed, well-documented policies and procedures in place to limit and monitor access to underground and underwater tunnels. Must be verified by Document Review.
2 Documented policies are in place with varying degrees of implementation. Verified only by Interview.
0 Policies and procedures have not been developed or documented.
8.106 Are security investments prioritized using information developed in the risk assessment process? Interview In justification, examples of improvements based off of risk assessment results should be provided. Security Investments, examples of security investment prioritization 4 Risk assessments play a large role in agency policy and procurement. Security investments are prioritized based on information obtained during risk assessments. This is evident based on the agency's recent security investments that corrected items identified in past risk assessments, or is part of a documented policy.
2 Security investments are prioritized based on information obtained during risk assessments; however, this has been implemented or documented with varying degrees of development.
0 Security investments are not prioritized based on information obtained during risk assessments or risk assessments play no role in financial decisions.
8.107
TSF 1
Upon request, has TSA been provided access to the agency's vulnerability assessments, Security Plan and related documents? Document Review
Inspector was able to review all requested documents, including assessments and Security Plans. "Yes" or "no." 4 The agency has provided TSA with all requested documents.
0 The agency has not provided TSA with all requested documents.
Establish and use an information sharing process for threat and intelligence information
9.101 Does the agency have a formalized process and procedures for reporting and exchange of threat and intelligence information with Federal, State, and/or local law enforcement agencies? Document Review Inspectors should refer to the MT BASE Guidance, Pg22. Formalized process of intelligence sharing with Federal, State, and local law enforcement agencies. 4 The entity is actively involved with intelligence sharing and has developed a formalized (documented) method of sharing threat/intel information with multiple entities representing local, State and Federal law enforcement.
2 The entity has a formalized method of sharing information with varying degrees of implementation.
0 The entity does not have a formalized method of sharing information with law enforcement entities.
9.102
TSF 2
Does the system report threat and intelligence information directly to FBI Joint Terrorism Task Force (JTTF) or other regional anti-terrorism task force? Document Review / Interview
Reporting directly to JTTF or regional anti-terrorism body. "Yes" or "no." 4 The agency reports threat/intel information directly to the JTTF or regional anti-terrorism task force. Must be verified by Document Review.
0 The agency does not report threat/intel information directly to the JTTF or regional anti-terrorism task force.
9.103
TSF 2
Does the system have a protocol to report threats or significant security concerns to appropriate law enforcement authorities, and TSA's Transportation Security Operations Center (TSOC)? Document Review / Interview This question applies to both Regulated and Non-Regulated entities. Reporting threats and significant security concerns to TSOC and local law enforcement. 4 The agency has detailed policies and protocols in place to report real-time threats/significant security concerns to appropriate law enforcement and TSOC. These protocols are documented and include a "time" element (immediately, within "X" hours, etc.). Must be verified by Document Review.
2 The agency has detailed policies and protocols in place to report real-time threats/significant security concerns to appropriate law enforcement or TSOC. These protocols are documented and include a "time" element (immediately, within "X" hours, etc.).
1 General/vague policies and procedures are in place with varying degrees of implementation.
0 Policies and procedures are not in place.
9.104 Does the agency routinely receive threat and intelligence information directly from any Federal government agency, State Homeland Security Office, Regional or State Intelligence Fusion Center, PT-ISAC, or other transit agencies? Interview
Documented evidence of intel receiving (Daily Report, etc.). 4 The agency receives threat/intel information at least once per week.
3 The agency receives threat/intel information on an every-other-week basis.
2 The agency receives threat/intel information on a monthly basis.
1 The agency receives threat/intel information on a quarterly basis or information is not directly from an appropriate source.
0 The agency does not receive threat/intel information.
9.105 Does the agency report their NTA security data to FTA as required by 49 CFR 659? Interview 49 CFR PART 659 SSO Only Question NTA Security Data (regulation) 4 The agency reports NTA security data to FTA.
0 The agency does not report NTA security data to FTA.
Conduct Tabletop and Functional Drills
10.101 Does the agency’s System Safety Program Plan (SSPP) contain or reference a document describing the process used by the agency to develop an approved, coordinated schedule for all emergency management program activities, including local/regional emergency planning and participation in exercises and drills? Document Review Inspectors should refer to the MT BASE Guidance, P22. In Justification, describe the agency's approved coordinated schedule for all emergency management program activities. Process for developing/ coordinating/ scheduling emergency management activities. 4 The agency has developed a detailed process of developing an approved, coordinated schedule for all emergency management program activities, including local/regional emergency planning and participation in exercises and drills. This is documented in the System Safety Program Plan (SSPP) or another document which is referenced in the SSPP.
2 The agency has developed a process with varying degrees of implementation or documentation.
0 The agency has not developed such a process.
10.102 Does the agency’s SSPP or SSP describe or reference how the agency performs its emergency planning responsibilities and requirements regarding emergency drills and exercises? Document Review
Emergency planning responsibilities and drills/exercises general requirements 4 The agency has documented roles and responsibilities that detail how it performs its emergency planning activities, including those related to drills and exercises. Furthermore, the agency has established written requirements for emergency drills and exercises (timelines, method of evaluation, personnel required to participate, etc.). All roles, responsibilities, and requirements are documented in the agency's SSPP or SSP--or another document that is referenced in the SSPP or SSP.
2 Roles, responsibilities and requirements regarding emergency planning are developed with varying degrees of implementation or documentation.
0 Roles, responsibilities and requirements regarding emergency planning are not developed or documented.
10.103 TSF 5 Does the agency evaluate its emergency preparedness by using annual field exercises, tabletop exercises, and/or drills? If so, please summarize the exercise events held in the past year. Interview Agency driven Agency conducting functional drills and exercises. "Yes" or "no." 4 The agency conducts drills and exercises annually with the purpose of evaluating its emergency preparedness procedures.
0 The agency does not conduct drills and exercises annually, or the agency does not use drills/exercises to evaluate emergency preparedness procedures.
10.104 Does the agency's SSPP or a related document include a requirement for annual field exercises, tabletops and drills? Document Review
Annual Requirement. "Yes" or "no." 4 The agency has a documented requirement for drills/exercises to be conducted once per year at a minimum.
0 The agency does not have a documented requirement for drills/exercises to be conducted once per year at a minimum.
10.105 Does the agency’s SSPP or SSP describe or reference how the agency documents the results of its emergency preparedness evaluations (i.e., briefings, after action reports and implementation of findings)? Document Review
Results of drills/ exercises/ evaluations, documentation of results. "Yes" or "no." 4 The process of drill/exercise evaluation is described and documented in the SSPP, SSP, or another document that is referenced by the SSPP/SSP.
0 The process of evaluation is not documented.
10.106 Does the agency’s SSPP or a related document describe or reference its program for providing employee training on emergency response protocols and procedures? Document Review
Documented training. "Yes" or "no." 4 The program for providing employee training on emergency response protocols and procedures is documented.
0 The training program is not documented.
10.107 Does the agency participate as an active player in full-scale, regional exercises held at least annually? Interview Region driven Active-player participation. "Yes" or "no." 4 The agency participates as an active player in full-scale, regional exercises held at least annually.
0 The agency does not participate as an active player in full-scale, regional exercises held at least annually.
10.108 TSF 5 In the last year, has the agency conducted and/or participated in a drill, tabletop exercise, and/or field exercise including scenarios involving (i) IEDs and (ii) WMD (chemical, biological, radiological, nuclear) with other transit agencies and first responders (e.g., NTAS scenarios)? Interview In Justification, describe the drill/exercise and include date. Drills: Specific Focus. Participants: other transit agencies, first responders. 4 In the last year, the agency has been involved in drills/exercises that specifically focus on IEDs and WMD with appropriate external entities, to include first responders and other transit agencies that operate in the same environment.
2 Terrorism-specific drills have been conducted/participated in with varying degrees of action.
0 Terrorism-specific drills have not been conducted or participated in.
10.109 TSF 5 In the last year, has the agency reviewed results and prepared after-action reports to assess performance and develop lessons learned for all drills, tabletop, and/or field exercises? Interview / Document Review
Evaluation of results 4 In the last year, the agency has reviewed and prepared after-action reports (or other evaluating report) for all drills and exercises. All evaluations are documented. Must be verified by Document Review.
2 The agency has evaluated drills with varying degrees of implementation or documentation.
0 The agency has not evaluated drills in the past year.
10.110 TSF 5 In the last 12 months, has the agency updated plans, protocols and processes to incorporate after-action report recommendations/findings and corrective actions? If so, summarize the actions taken in the justification. Interview / Document Review In Justification, summarize the actions taken. Evaluation of results, plan modifications. "Yes" or "no." 4 In the last year, the agency has updated plans, protocols, or processes to incorporate after-action report recommendations/findings. Must be verified by Document Review.
0 The agency has not made any changes based on the results of drills/exercises.
10.111 Has the agency established metrics to assess its performance during emergency exercises and to measure improvements? Interview / Document Review
Method of analysis 4 The agency has developed a formal, objective system of evaluating drill performance. The agency has identified evaluation criteria, establishes drill/exercise goals, and analyzes the results appropriately. This system is documented. Must be verified by Document Review.
2 The agency has established performance metrics with varying degrees of implementation.
0 The agency has not established metrics to assess performance during emergency exercises.
10.112 TSF 1 Does the system conduct drills and exercises of its security and emergency response plans to test capabilities of i.) employees and ii.) first responders to operate effectively in underwater/underground infrastructure and other critical systems? Interview In addition to underwater/underground infrastructure, this question applies to other critical systems as identified by the entity. Drills in underwater/underground infrastructure and other critical systems. 4 The agency conducts exercises of its security and emergency response plans to test operational capabilities of employees and first responders in underwater/underground infrastructure and other critical systems.
2 The agency conducts exercises with a varying degree of implementation.
0 The agency does not conduct exercises related to underwater/underground infrastructure.
10.113 TSF 5 Does the transit system integrate local and regional first responders (law enforcement, firefighters, emergency medical teams) in drills, tabletop exercises, and/or field exercises? If so, summarize each joint event and state when it took place. Interview In justification, summarize each joint event and state when it took place. Drills with external agencies 4 The agency actively reaches out to external emergency agencies (local and regional) when planning and conducting exercises. The agency integrates all appropriate entities: fire, medical, and law enforcement.
2 Drills with external agencies have been conducted with varying degrees of inclusion or frequency.
0 Drills with external agencies have not been conducted.
Developing a Comprehensive Cyber Security Strategy
11.101 Has the agency conducted a risk assessment to identify operational control and communication/business enterprise IT assets and potential vulnerabilities? Document Review / Interview Inspectors should refer to the MT BASE Guidance, Pg24. Risk assessment focused on IT SECURITY 4 The agency has conducted a risk assessment focused on IT systems as they relate to operational control, communication, and business enterprise. The assessment is documented and addresses threats, vulnerabilities, and consequences. Must be verified by Document Review.
2 The agency has conducted an IT risk assessment with varying degrees of implementation or documentation.
0 The agency has not conducted an IT risk assessment.
11.102 Has the agency implemented protocols to ensure that all IT facilities (e.g., data centers, server rooms, etc.) and equipment are properly secured to guard against internal or external threats or attacks? Document Review / Interview
Security measures for critical IT facilities/equipment 4 The agency has identified all critical IT facilities/infrastructure and established procedures and protocols that ensure the security (physical and cyber) of these assets. Procedures are well-developed--specifically referencing IT-facilities/equipment and IT-security--and documented. Must be verified by Document Review.
2 Protocols have been established with varying degrees of implementation or documentation.
0 Such security protocols have not been established.
11.103 Has a written strategy been developed and integrated into the overall security program to mitigate the cyber risk identified? Document Review
Written IT security measures 4 A written IT-security strategy--which includes countermeasures and personnel responsibilities--has been developed to mitigate cyber risk and is part of the overall security program (included as part of the SSP or other appropriate document).
2 An IT-security strategy has been developed with varying degrees of implementation or documentation.
0 An IT-security strategy has not been developed.
11.104 Does the agency have a designated representative to secure the internal network through appropriate access controls for employees, a strong authentication (i.e., password) policy, encrypting sensitive data, and employing network security infrastructure (example: firewalls, intrusion detection systems, IT security audits, antivirus, etc.)? Interview
IT Security Coordinator 4 The agency has formally designated an individual responsible for securing the internal network through appropriate measures. This individual is knowledgeable of the agency's cybersecurity measures, and his/her responsibilities are documented.
3 The agency has formally designated an individual responsible for securing the internal network through appropriate measures. This individual is knowledgeable of the agency's cybersecurity measures, but his/her responsibilities are not documented (but widely known).
2 The agency has formally designated an individual responsible for securing the internal network. This individual lacks a comprehensive knowledge of the agency's cybersecurity measures.
1 An individual has been informally designated, and his/her responsibilities are not widely known.
0 An individual has not been designated.
11.105 Does the agency ensure that recurring cyber security training reinforces security roles, responsibilities, and duties of employees at all levels to protect against and recognize cyber threats? Interview
Recurrent cybersecurity training 4 The agency provides ongoing, recurrent cyber training that identifies cyber threats and addresses roles, responsibilities, and duties at all levels to mitigate these threats. Training is part of an official curriculum, utilizes well-developed materials, and is provided in a formal environment (classroom or computer-based).
2 IT-security training is provided with varying degrees of implementation.
0 IT-security training is not provided.
11.106 Has the agency established a cyber-incident response and reporting protocol? Document Review / Interview
Cyber-incident response and reporting protocols 4 The agency has established cyber-incident response and reporting protocols. These procedures are detailed, documented, and address (a) employee actions to be taken in the event of a cyber-incident and (b) to whom cyber-incidents shall be reported. Must be verified by Document Review.
2 Cyber-incident response and reporting protocols have been established with varying degrees of implementation or documentation.
0 Cyber-incident response and reporting protocols have not been established.
11.107 Is the agency aware of and using available resources (e.g., standards, PT-ISAC, US CERT, National Cyber Security Communication and Integration Center, etc.)? Interview In Justification, describe resources used by agency. Available resources. "Yes" or "no." 4 The agency is aware of and makes use of available resources.
0 The agency is not aware of available resources or the agency does not use available resources.
Control Access to Security Critical Facilities
12.101 Have assets and facilities requiring restricted access been identified? Interview / Document Review Inspectors should refer to the MT BASE Guidance, Pg26. Restricted Areas 4 Restricted areas are identified and documented. Agency personnel are familiar with their location and restricted status. Must be verified by Document Review.
2 Restricted areas have been identified with varying degrees of implementation.
0 Restricted areas have not been identified.
12.102 Are ID badges or other measures employed to restrict access to facilities not open to the public? Frontline Observation / Interview
ID Badges 4 ID badges (or other effective measure) are issued to all employees with access to restricted areas, and the agency has policies in place requiring their use and/or display. Must be verified by Frontline Observation.
2 ID badges (or other effective measure) are issued with varying degrees of implementation.
0 ID badges or similar measures are not employed by the agency.
12.103 TSF 2 Has the transit agency developed and implemented procedures to monitor, update and document access control (e.g. card key, ID badges, keys, safe combinations, etc.)? Interview
Access Control Monitoring/Updating 4 The agency has implemented an access control system that is capable of all of the following: (1) monitoring access; (2) documenting access; and (3) updating access.
2 The agency utilizes an access control system with varying degrees of implementation of capability.
0 The agency's access control procedures are not capable of monitoring, documenting, and updating access.
12.104 Does the agency have procedures to issue ID badges for visitors and contractors? Interview / Frontline Observation
ID Badges for contractors and visitors 4 The agency has documented procedures in place to issue ID badges for visitors and contractors. These procedures are implemented perfectly.
2 The agency has procedures in place to issue ID badges for visitors and contractors with varying degrees of implementation or documentation. Must be verified by Frontline Observation.
0 The agency does not have procedures for issuing ID badges to visitors and contractors.
12.105 Does the agency require escorts for visitors accessing non-public areas? Interview
Escorts Policy 4 The agency has a documented policy that requires visitors to be escorted when accessing non-public areas. This policy is implemented perfectly.
2 The agency has a policy in place with varying degrees of implementation or documentation.
0 The agency has no escort requirements for visitors.
12.106 Is CCTV equipment installed in transit agency facilities? Interview / Frontline Observation
CCTV: Facilities 4 Effective and capable CCTV systems are installed at all facilities. Must be verified by Frontline Observation.
2 Facilities are equipped with CCTV with varying degrees of installation or capability.
0 Facilities are equipped with CCTV with varying degrees of installation.
12.107 Is CCTV equipment protecting critical assets interfaced with an access control system? Interview
CCTV: Access Control 4 CCTV equipment protecting critical assets is completely integrated with other access control measures (door breach triggers automated CCTV functions, etc.).
2 CCTV is interfaced with access control systems with varying degrees of integration.
0 CCTV is a stand-alone system, not interfaced with access control.
12.108 Is CCTV equipment installed on transit vehicles? Interview
CCTV: Vehicles 4 Effective and capable CCTV systems are installed on a vast majority of the vehicle fleet.
2 CCTV is installed with varying degrees of implementation or capability.
0 CCTV is not installed on vehicles or CCTV is non-functional.
12.109 Are Crime Prevention through Environmental Design (CPTED) and technology (e.g., CCTV, access control, intrusion detection, bollards, etc.) incorporated into design criteria for all new and/or existing capital projects? Interview
CPTED; Design/Engineering Representative interview 4 CPTED is incorporated in the design of all projects. CPTED-related vulnerabilities are identified and corrected promptly using technological solutions or other solutions.
2 CPTED criteria are used with varying degrees of implementation.
0 CPTED criteria are not used.
12.110 Based on the risk assessment, does the agency use fencing, barriers, and/or intrusion detection to protect against unauthorized entry into stations, facilities, and other identified critical assets? Interview
Physical barriers 4 The agency has installed physical barriers or intrusion detection systems to prevent unauthorized access at all appropriate stations, facilities, and critical infrastructure.
2 The agency uses barriers and intrusion detection systems with varying degrees of installation or capability.
0 The agency does not use physical barriers or intrusion detection systems at appropriate stations, facilities and/or critical infrastructure.
12.111 TSF 2 Has the system implemented protective measures to secure high risk/high consequence assets and systems identified in risk assessments? Examples of protective measures include but are not limited to CCTV, intrusion detection systems, smart camera technology, fencing, enhanced lighting, access control, LE patrols, K-9s, protection of ventilation systems. If protective measures for this infrastructure are employed, summarize type and location in the justification. Interview
Additional measures for high-risk assets 4 The agency has identified high risk/high consequence assets and has implemented additional security measures for all such assets. Additional measures are documented.
2 The agency has identified high risk/high consequence assets and developed additional security measures with varying degrees of implementation or documentation.
0 The agency has not identified high risk/high consequence assets and/or implemented additional security measures to protect such assets.
12.112 Does the transit agency monitor a network of security, fire, duress, intrusion, utility and internal 911 alarm systems? Interview
Alarm monitoring 4 The agency has a means of effectively monitoring a network of alarms, including intrusion, life-safety, and other security-related alarms. The agency has plans and procedures in place for responding to such alarms.
3 The agency has a means of effectively monitoring a network of alarms.
2 The agency has a network of appropriate alarms that are not effectively monitored.
1 The agency utilizes an ineffective or insufficient network of alarms.
0 The agency has no alarm systems.
12.113 Are emergency call boxes provided for passengers? Physical Observation / Interview
Call boxes 4 Call boxes are installed at all stations, terminals, and appropriate facilities. Call boxes are fully functional.
2 Call boxes are installed at varying degrees. Must be verified by Physical Observation.
0 Call boxes are not used.
12.114 Do transit agency personnel administer an automated employee access control system and perform corrective analysis of security breaches? Interview
Automated Access Control (employee-controlled badge/keycard entry) 4 The agency uses an automated access control system and performs a corrective analysis of all security breaches to prevent future occurrences of a similar nature. This corrective analysis is documented as part of an overarching policy or as part of an identified employee's responsibilities.
3 The agency uses an automated access control system and performs a formal corrective analysis of all security breaches to prevent future occurrences of a similar nature. Corrective analysis is being performed, but this responsibility is not documented.
2 The agency uses an automated access control system and performs a corrective analysis of some security breaches, including those deemed "important."
1 The agency uses an automated access control system, but has not developed procedures to perform corrective analysis of security breaches.
0 The agency does not use an automated access control system.
12.115 Does the agency have policies and procedures for screening of mail and/or outside deliveries? Interview
Mail screening 4 The agency has documented policies and specific, well-developed procedures that address the screening of mail or outside deliveries. Procedures are completely implemented.
2 The agency has specific, well-developed procedures that are not documented. Procedures are completely implemented.
1 The agency has general procedures in place with varying degrees of implementation.
0 The agency has policies or procedures for screening mail or outside deliveries.
12.116 Have locks, bullet resistant materials and anti-fragmentation materials been installed/used at critical locations? Interview
Breach preparedness at critical location 4 The agency uses multiple methods of breach prevention (locks, anti-frag materials, bullet resistant materials, etc.) at all critical locations.
2 The agency utilizes methods of breach prevention at critical locations with varying degrees of implementation.
0 The agency does not use locks, bullet-resistant materials, or anti-fragmentation materials at critical locations.
12.117 Does the agency use National Fire Protection Association (NFPA) Standard 130 or equivalent to evaluate fire/life safety in station design or modification (including fire detection systems, firewalls and flame-resistant materials, back-up powered emergency lighting, defaults in turnstile and other systems supporting emergency exits, and pre-recorded public announcements)? Interview
Access Control does not interfere with Safety or Emergency Operations. "Yes" or "no." 4 NFPA 130 or equivalent is used in station design or modification criteria. Access Control systems do not interfere with safety or emergency operations.
0 Access control systems interfere with safety or emergency operations.
12.118 Is directional signage with adequate lighting provided in a consistent manner in all stations, both to provide orientation and to support emergency evacuation? Physical Observation
Lighting 4 Directional signage and lighting is consistent at all stations and is installed in a manner that supports security, safety and emergency operations.
2 Directional signage and lighting is used with varying degrees of implementation or installation. Must be verified by Physical Observation.
0 Directional signage and lighting does not support security, safety, and emergency operations.
12.119 Are gates and locks used on all facility doors to prevent unauthorized access? Interview / Physical Observation
Methods of restricting access 4 The agency uses gates and locks to prevent unauthorized access at all facilities. Policies and procedures are in place to effectively utilize locks and gates.
2 Gates and locks are used with varying degrees of implementation. Must be verified by Physical Observation.
0 Gates and locks are not used to restrict access to facilities.
12.120 Are keys controlled through an established program managed by the security/police function? Interview
Key control program 4 The agency has a documented key control program that is managed by the security/internal police department.
2 The agency has a key control program with varying degrees of documentation or implementation.
0 The agency has no key control program.
12.121 Are gates and locks also used to close down system facilities after operating hours? Physical Observation / Interview
Methods of securing facilities 4 Gates and locks are used at all facilities that are closed down. Policies and procedures are in place to effectively utilize locks and gates. Must be verified by Physical Observation.
2 Gates and locks are used with varying degrees of implementation. Must be verified by Physical Observation.
0 Gates and locks are not used to secure facilities after operating hours.
12.122 Do transit vehicles have radios, silent alarms, and/or passenger communication systems? Interview
Means of communication 4 All (or the vast majority of) transit vehicles are equipped with radios, silent alarms, and/or passenger communication systems. Policies and procedures are in place to effectively utilize these measures.
2 Radios, silent alarms, and/or passenger communication systems are used with varying degrees of implementation.
0 Radios, silent alarms, and/or passenger communication systems are not used.
12.123 Does the transit agency use graffiti-resistant/etch-resistant materials for walls, ceilings, and windows? Interview
"Broken Windows Theory" 4 Graffiti-resistant/etch-resistant materials are used at all (or a vast majority of) facilities.
2 Materials are actively deployed at "problematic" areas prone to vandalism.
1 Materials are rarely used.
0 Materials are not used.
12.124 Are Uninterruptible Power Supply (UPS) or redundant power sources provided for safety and security of critical equipment, such as but not limited to: exit and platform lighting; parking lot lighting; ancillary space and shop lighting; intrusion detection (alarmed rooms and spaces, fare collection equipment, etc.); fire detection, alarm and suppression systems; public address (shop and public areas); call-for-aid telephones; CCTV; emergency trip stations; vital train control functions; etc.? Interview
Back-up power for critical safety and security equipment 4 Uninterruptible Power Supplies are provided for all safety- and security-critical equipment.
3 A combination of UPS and other back-up power is provided for all safety- and security-critical equipment.
2 A combination of UPS and other back-up power is provided for a majority of safety- and security-critical equipment.
1 A combination of UPS and other back-up power is provided for main facilities.
0 The agency has no back-up power capabilities.
12.125 At passenger stations at which a vulnerability assessment has identified a significant risk, and to the extent practicable, has the owner/operator removed trash receptacles and other non-essential receptacles or containers (with the exception of bomb resistant receptacles or clear plastic containers) from the platform areas of passenger terminals and stations? Interview
Trash receptacles 4 The agency has removed non-explosive resistant trash receptacles from platform areas of terminals and stations.
0 The agency has not removed non-explosive resistant trash receptacles from platform areas of terminals and stations.
12.126 Does the agency employ specific protective measures for all critical infrastructure (e.g., tunnels, bridges, stations, control centers, etc.) identified through the risk assessment, particularly at access points and ventilation infrastructure, in place and maintained in optimal condition? Examples of protective measures include, but are not limited to, CCTV, intrusion detection systems, smart camera technology, fencing, lighting, access control, law enforcement patrols, canine patrols, physical protection for ventilation systems. If protective measures for this infrastructure are employed, summarize type and location in the justification. Interview
Protective Measures for Critical Infrastructure 4 The agency has formally identified critical infrastructure and deployed specific, effective protective measures, which are maintained and implemented appropriately, at all identified areas.
2 The agency has deployed protective measures with varying degrees of implementation or effectiveness.
0 Measures are not deployed to protect critical infrastructure or critical infrastructure has not been identified.
12.127 TSF 1 Does the agency have or utilize explosive detection canine teams, either maintained by the system or made available from other law enforcement agencies? If so, has the system implemented procedures for reporting of and response to positive reactions by the canine? Interview
Explosive detection canine unit, Mutual Aid Agreements 4 The agency utilizes explosive detection canine teams (with appropriate mutual aid agreements established, if necessary) and has established documented policies and procedures regarding their use.
2 The agency utilizes explosive detection canine teams with varying degrees of program development.
0 The agency does not use or have access to explosive detection canine teams.
Conduct Physical Security Inspections
13.101 TSF 1 Does the agency conduct frequent inspections of key facilities, stations, terminals, trains and vehicles, or other critical assets for persons, materials, and items that do not belong? Document Review / Interview Inspectors should refer to the MT BASE Guidance, Pg29. Critical asset inspections (General) 4 The agency has procedures in place to conduct security inspections of facilities and vehicles for suspicious items and persons at multiple times per day. These procedures are appropriately documented and implemented perfectly.
2 Security inspections are conducted with varying degrees of implementation or documentation. Must be verified by Document Review.
0 Security inspections are not conducted.
13.102 Has the transit agency established procedures for inspecting/sweeping vehicles and stations to identify and manage suspicious items, based on HOT characteristics (hidden, obviously suspicious, not typical) or equivalent system? Document Review / Frontline Verification In justification, provide results of interview with Front Line employees. Inspection procedures reflect "HOT" characteristics. "Yes" or "no." 4 Documented security procedures reflect HOT characteristics. Must be verified by Frontline Employees.
0 Documented security procedures do not reflect HOT characteristics.
13.103 Has the transit agency developed a form or quick reference guide for operations and personnel to conduct pre-trip, post-trip, and within-trip inspections? Document Review
Vehicle inspection checklist. "Yes" or "no." 4 The agency utilizes a checklist or other widely distributed document that specifically addresses security to assist personnel conducting pre-, post-, and within-trip security inspections.
0 The agency does not use a checklist/form for vehicle security inspections or the agency's checklist/form does not address security.
13.104 Has the transit agency developed a form or quick reference guide for station attendants and others regarding station and facility inspections? Document Review
Facility inspection checklist. "Yes" or "no." 4 The agency utilizes a checklist or other widely distributed document that specifically addresses security to assist personnel conducting station/facility inspections.
0 The agency does not use a checklist/form for facility security inspections or the agency's checklist/form does not address security.
13.105 TSF 2 Does the system document the results of inspections and implement any changes to policies and procedures or implement corrective actions, based on the findings? Document Review
Inspection results 4 Inspection results are documented and the agency implements corrective actions or other modifications based on these results. This is readily observable in changes made by the agency or is a documented policy.
2 Results are documented and changes are made with varying degrees of implementation or documentation.
0 Results are not documented or inspection results are not a factor in the decision-making process.
13.106 TSF 2 Does the agency conduct frequent inspections of access points, ventilation systems, and the interior of underground/underwater assets and systems for indications of suspicious activity? Document Review / Interview
Inspections of non-normal areas. N/A if the system has no underground/underwater tunnels. 4 The agency conducts security inspections of non-normal areas (access points, ventilation systems, interior of underground/underwater assets) for indications of suspicious activity multiple times per week. These procedures are documented appropriately and implemented to perfection. Must be verified by Document Review.
2 Security inspections are conducted with varying degrees of implementation or documentation.
0 Security inspections are not conducted.
13.107 Does the system integrate randomness and unpredictability into its security activities to enhance deterrent effect? Interview / Document Review Agency should strive to implement and document their own unpredictable security measures using their own resources. Randomness and unpredictability as it relates to inspections. "Yes" or "no." 4 Security activities are conducted at random times and at random intervals and these procedures are documented. Must be verified by Document Review.
0 Security activities are conducted at set times.
13.108 Is there a process in place, with necessary training provided to personnel, to ensure that in-service vehicles are inspected at regular periodic intervals for suspicious or unattended items? Specify type and frequency of inspections. Interview In justification, specify type and frequency of inspections. Security Inspections: Vehicles 4 The agency has documented policies and procedures in place to ensure that all in-service rail cars are inspected multiple times per day for suspicious or unattended items and personnel receive training to properly conduct these inspections.
2 Rail cars are inspected with varying degrees of implementation or documentation.
0 Rail cars are not inspected for suspicious or unattended items.
13.109 Is there a process in place, with necessary training provided to personnel, to ensure that all critical infrastructure is inspected at regular periodic intervals for suspicious or unattended items? Specify type and frequency of inspections. Interview In justification, specify type and frequency of inspections. Security Inspections: Critical Infrastructure 4 The agency has documented policies and procedures in place to ensure that all critical infrastructure areas are inspected multiple times per day for suspicious or unattended items and personnel receive training to properly conduct these inspections.
2 Critical infrastructure is inspected with varying degrees of implementation or documentation.
0 Critical infrastructure is not inspected for suspicious or unattended items.
Conduct Background Investigations of Employees and Contractors
14.101 TSF 2 Does the agency conduct background investigations (i.e., criminal history and motor vehicle records) on all new front-line operations and maintenance employees, and employees with access to sensitive security information, facilities and systems? Interview Inspectors should refer to the MT BASE Guidance, Pg30. Background checks, HR Representative interview 4 The agency conducts an appropriate level of background check on all frontline employees, maintenance employees, and employees with access to sensitive security information/facilities/systems.
2 The agency conducts an appropriate level of background check with varying degrees of implementation.
0 Agency personnel are not subject to background investigation.
14.102 TSF 2 To the extent allowed by agency policy or law, does the agency conduct background investigations on contractors, including vendors, with access to critical facilities, sensitive security systems, and sensitive security information? Interview
Background checks, HR Representative interview 4 The agency (a) conducts an appropriate level of background check on relevant contract employees or (b) the agency builds appropriate background check criteria into the bid process and has established a method of verifying/auditing background checks.
2 The agency conducts (or requires) an appropriate level of background check with varying degrees of implementation.
0 Relevant contract employees are not subject to background investigation.
14.103 Has counsel for the agency reviewed the process for conducting employee background investigations to confirm that procedures are consistent with applicable statutes and regulations? Interview
Background checks, HR Representative interview 4 The agency's process for conducting background investigations has been reviewed by a legal professional.
0 The agency's process for conducting background investigations has not been reviewed by a legal professional.
14.104 Is the background investigation process documented? Document Review
Background check process, HR Representative interview 4 The process for conducting background checks is documented. This includes the following: the method/type of background check utilized, positions that require background checks, who is responsible for conducting the investigation, and other factors of consideration (such as policies restricting the commencement of employment until after the investigation is complete).
2 The background investigation process is documented with varying degrees of implementation.
0 The background investigation process is not documented.
14.105 Are the criteria for background investigations based on employee type (senior management staff, law enforcement officers, managers/supervisors, operators, maintenance, safety/security sensitive, contractor, etc.) and/or responsibility and access documented? Document Review
Background check process, HR Representative interview 4 Background screening criteria (disqualifying conditions) are based on job-function, required level of access, and/or responsibility. Criteria cover all functions that may require a background check. This is documented.
2 Background screening criteria (disqualifying conditions) are based on job-function, required level of access, and/or responsibility with varying degrees of implementation or documentation.
0 Background screening criteria are not documented.
Control Access to documents of security critical systems and facilities
15.101 TSF 2 Does the agency keep documentation of its security critical systems, such as tunnels, bridges, HVAC systems and intrusion alarm detection systems (i.e. plans, schematics, etc.) protected from unauthorized access? Interview Inspectors should refer to the MT BASE Guidance, Pg31. Security-critical documentation, Engineering Representative interview 4 The agency has well-developed document control procedures that protect security-critical documentation from unauthorized access. All documents are appropriately protected: plans, schematics, etc.
2 The agency has developed document control procedures with varying degrees of implementation.
0 The agency does not protect security-critical documentation.
15.102 Has the agency designated a department/person responsible for administering the access control policy with respect to agency documents? Interview
Document control authority. "Yes" or "no" 4 A person or department has been formally tasked with administering the access control policy with respect to agency documents.
0 A person or department has not been formally tasked with administering the access control policy with respect to agency documents.
15.103 Does the security review committee (or other designated group) review document control practices, assess compliance with applicable procedures, and identify discrepancies and necessary corrective action? Interview
Document control policy monitoring 4 A security review committee actively reviews document control practices, assesses compliance with applicable procedures, and identifies discrepancies and corrective action regularly.
2 A security review committee covers document control issues with varying degrees of action.
0 Document control issues are not addressed by the security review committee.
Process for handling and access to Sensitive Security Information (SSI)
16.101 Does the agency have a documented policy for identifying and controlling the distribution of and access to documents it considers to be Sensitive Security Information (SSI) pursuant to 49 CFR Part 15 or 1520? Document Review Inspectors should refer to the MT BASE Guidance, Pg32. Documented SSI Policy 4 The agency has a fully-developed policy for identifying and controlling the distribution of and access to SSI documents. This policy is documented and includes all of the following: (1) what materials are considered SSI; (2) how SSI is marked; (3) who has access to SSI; and (4) how SSI is shared or distributed.
2 The agency's SSI policy covers identification and distribution with varying degrees of implementation or documentation.
0 The SSI policy is not documented or documentation contains no mention of SSI identification and distribution.
16.102 Does the agency have a documented policy for proper handling, control, and storage of documents labeled as or otherwise determined to be Sensitive Security Information (SSI) pursuant to 49 CFR Part 15 or 1520? Document Review
Documented SSI Policy 4 The agency has a fully-developed policy for identifying and controlling the distribution of and access to SSI documents. This policy is documented and includes all of the following: (1) proper handling of SSI (how distribution is tracked, how SSI should be treated once received by employees, etc.); (2) how SSI is stored and secured (locked, encrypted, etc.); and (3) how SSI is destroyed/disposed of.
2 The agency's SSI policy covers handling and storage with varying degrees of implementation or documentation.
0 The SSI policy is not documented or documentation contains no mention of SSI handling or storage.
16.103 Are employees who may be provided SSI materials (per 49 CFR Part 15 or 1520) familiar with the documented policy for the proper handling of such materials? Frontline Verification
Employee familiarization (requires frontline interviews) 4 Based on a random sampling of frontline personnel interviews, all employees who may be provided SSI materials have a working knowledge of the agency's SSI policy--including (a) what constitutes SSI, (b) how it is controlled, (c) how it is handled, and (d) how it is stored. Must be verified.
2 Based on a random sampling of frontline interviews, employees who may be provided SSI materials have a working knowledge of the agency's SSI policy with varying degrees of familiarity. Must be verified.
0 Based on a random sampling of frontline interviews, employees who may be provided SSI materials are not familiar with the agency's SSI policy or such a policy does not exist.
16.104 Have employees provided access to SSI material per 49 CFR Part 15 or 1520 received training on proper labeling, handling, dissemination, and storage (such as through the TSA on-line SSI training program)? Frontline Verification
SSI Training development and implementation (requires frontline interviews) 4 The agency has established official SSI training (with appropriate materials), and based on a sampling of frontline personnel interviews, all employees who may be provided access to SSI have been provided the training. Must be verified.
2 Based on a sampling of frontline interviews, SSI training has been provided with varying degrees of implementation or development. Must be verified.
0 SSI training has not been provided or has not been developed.
Audit Program
17.101 Has the agency established a schedule for conducting its internal security audit process? Document Review Inspectors should refer to the MT BASE Guidance, Pg32. Established Schedule Internal Security Audit (self-assessment). An audit is focused on practices identified in the SSP and ensuring these policies are implemented and followed effectively. 4 The agency has a documented schedule for conducting internal security audits in an ongoing manner over a three-year period.
2 The agency has developed a schedule for conducting internal security audits with varying degrees of documentation.
0 The agency has no documented schedule for conducting internal security audits.
17.102 Does the SSP contain a description of the process used by the agency to audit its implementation of the SSP over the course of the agency's published schedule? Document Review In justification, provide description of process. Process Description: Internal Security Audit (self-assessment). An audit is focused on practices identified in the SSP and ensuring these policies are implemented and followed effectively. 4 The agency has a detailed, well-documented process for conducting internal security reviews. This process is described in the SSP and includes the following: (1) what activities and documents are audited; (2) how these items are audited (methods of verification); and (3) the extent/depth/level of the audit.
2 The SSP contains a description of the internal security audit process with varying degrees of development or documentation.
0 The SSP does not contain a description of the internal security audit process.
17.103 Has the transit agency established checklists and procedures to govern the conduct of its internal security audit process? Document Review
Checklists: Internal Security Audit (self-assessment). An audit is focused on practices identified in the SSP and ensuring these policies are implemented and followed effectively. 4 The agency has well-developed procedures for conducting internal security audits and uses checklists/forms to properly and consistently conduct audits.
2 The agency has developed procedures and checklists with varying degrees of development or implementation.
The agency does not use checklists, but has documented procedures in place.
0 The agency has no documented procedures for
17.104 Is the transit agency complying with its internal security audit schedule? Interview / Document Review
Implementation: Internal Security Audit (self-assessment). An audit is focused on practices identified in the SSP and ensuring these policies are implemented and followed effectively. "Yes" or "no." 4 The agency is conducting internal security audits in a manner that reflects its established schedule. Must be verified by Document Review.
0 The agency is not complying with its established schedule or such a schedule does not exist.
17.105 Is each internal security audit documented in a written report, which includes evaluation of the adequacy and effectiveness of the SSP element and applicable implementing procedures audited, needed corrective actions, needed recommendations, an implementation schedule for corrective actions and status reporting? Document Review
Documentation: Internal Security Audit (self-assessment). An audit is focused on practices identified in the SSP and ensuring these policies are implemented and followed effectively. 4 All internal security audits are documented in a written report, which includes all of the following: (1) evaluation of all audited items, including a policy and its implementation; and (2) corrective/recommended actions.
2 Internal security audits are documented with varying degrees of implementation.
0 Audits are not documented.
17.106 In the last 12 months, has the Security Review Committee (or other designated group) addressed the findings and recommendations from the internal security audits, and updated plans, protocols and processes as necessary? Interview
Peer Review: Internal Security Audit (self-assessment). An audit is focused on practices identified in the SSP and ensuring these policies are implemented and followed effectively. 4 In the last 12 months, the Security Review Committee has reviewed audit reports, addressed findings, and updated plans and protocols as necessary.
2 In the last 12 months, the Security Review Committee has reviewed audit reports with varying degrees of action.
0 The Security Review Committee does not review audit reports or the committee has not reviewed audit reports within the last 12 months.
17.107 Does the transit agency’s internal security audit process ensure that auditors are independent from those responsible for the activity being audited? Interview
Independent Auditors: Internal Security Audit (self-assessment). An audit is focused on practices identified in the SSP and ensuring these policies are implemented and followed effectively. "Yes" or "no." 4 Auditors are independent from the individuals they are tasked with auditing to prevent any conflicts of interest.
0 Auditors are not independent from the individuals they are tasked with auditing.
17.108 Has the agency made its internal security audit schedule available to the SSO agency? Interview 49 CFR PART 659 SSO Only Question SSO: Internal Security Audit (self-assessment). An audit is focused on practices identified in the SSP and ensuring these policies are implemented and followed effectively. "Yes" or "no." 4 The agency has made its internal security audit schedule available to the SSO agency.
0 The agency has not made its internal security audit schedule available to the SSO agency.
17.109 Has the agency made checklists and procedures used in its internal security audits available to the SSO agency? Interview 49 CFR PART 659 SSO Only Question SSO: Internal Security Audit (self-assessment). An audit is focused on practices identified in the SSP and ensuring these policies are implemented and followed effectively. "Yes" or "no." 4 The agency has made checklists and procedures used in its internal security audits available to the SSO agency.
0 The agency has not made checklists and procedures used in its internal security audits available to the SSO agency.
17.110 Has the agency notified the SSO agency 30 days prior to the conduct of an internal security audit? Interview 49 CFR PART 659 SSO Only Question SSO: Internal Security Audit (self-assessment). "Yes" or "no." 4 The agency has notified the SSO agency 30 days prior to the conduct of an internal security audit.
0 The agency has not notified the SSO agency 30 days prior to the conduct of an internal security audit.
17.111 Has a report documenting internal security audit process and the status of findings and corrective actions been made available to the SSO agency within the previous 12 months? Interview 49 CFR PART 659 SSO Only Question SSO: Internal Security Audit (self-assessment). "Yes" or "no." 4 A report documenting internal security audit process and the status of findings and corrective actions has been made available to the SSO agency within the previous 12 months.
0 A report documenting internal security audit process and the status of findings and corrective actions has not been made available to the SSO agency within the previous 12 months.
17.112 Has the agency's chief executive certified to the SSO agency that the agency is in compliance with its SSP? Interview 49 CFR PART 659 SSO Only Question SSO: Internal Security Audit (self-assessment). "Yes" or "no." 4 The agency's chief executive has certified to the SSO agency that the agency is in compliance with its SSP.
0 The agency's chief executive has not certified to the SSO agency that the agency is in compliance with its SSP.
17.113 Was that certification included with the most recent annual report submitted to the SSO agency? Interview 49 CFR PART 659 SSO Only Question SSO: Internal Security Audit (self-assessment). "Yes" or "no." 4 The previously mentioned certification was included with the most recent annual report submitted to the SSO agency.
0 The previously mentioned certification was not included with the most recent annual report submitted to the SSO agency.
17.114 If the agency's chief executive was not able to certify to the SSO agency that the agency is in compliance with its SSP, was a corrective action plan developed and made available to the SSO? Interview 49 CFR PART 659 SSO Only Question SSO: Internal Security Audit (self-assessment). "Yes" or "no." 4 A corrective action plan was developed and made available to the SSO.
0 A corrective action plan was not developed and made available to the SSO.

Sheet 3: Profile Sheet

DEPARTMENT OF HOMELAND SECURITY
Transportation Security Administration
Mass Transit Baseline Assessment for Security Enhancements (MT-BASE)

Date of Visit TSA Field Office Region #
Please enter the 3-letter airport code of your field office assignment.
TSA Region #1-7
FSD AOR Field Office (Optional): Only necessary if it differs from the previously listed TSA Field Office.
Assessment Started:
Assessment Completed:
Outbrief Conducted:
TYPE OF VISIT Agency
Corporate Review
Is This A Revisit? Date of Last Interview/Visit? Street Address of Corporate Facility or HQ visited.


City
State
Zip Code
Not Governed By 49 CFR Part 659? Place an "X" in the box if this Agency is not governed by 49 CFR Part 659. (by checking this box it will eliminate questions that reflect this reg)
Agency Website:
Agency Size:
Company Chosen By: Was this agency on your workplan?
Agency Annual Ridership Amount:
HTUA Name: Choose HTUA from dropdown menu.
Grant Funding - Section 5311 of Title 49:
FTA Section 5311: Section 5311 is a non-urbanized area formula funding program authorized by 49 United States Code (U.S.C.) Section 5311. This federal grant program provides funding for public transit in non-urbanized areas with a population under 50,000 as designated by the Bureau of the Census. http://www.fta.dot.gov/funding/grants/grants_financing_4126.html#general
Most Recent Grant Received in:

Place "X" next to all applicable types of service at this agency. Types of Service (Check all that apply)
Light Rail
Inclined Plane
Tourist / Scenic
Heavy Rail
Funicular
Commuter
Rapid Rail
Trolley
Intercity
Monorail
Automated Guideway
Transit Bus

Security Personnel Interviewed
Name Title Telephone Cell E-mail

Security Coordinator



Alternate Security Coordinator

Other Agency Points of Contact
Name Title Telephone Cell E-mail

TSI Inspector Information
Name Title Airport Code Telephone E-mail

Lead TSI



Secondary TSI

Supervisory Approval
Name Title Airport Code Telephone E-mail

STSI



AFSD-I

Headquarters Approval
Name Title Airport Code Telephone E-mail


HQ



HQ

Paperwork Reduction Act Statement:  This is a voluntary collection of information.  TSA estimates that the total average burden per response associated with this collection is approximately 48 hours.  An agency may not conduct or sponsor, and a person is not required to respond to a collection of information unless it displays a valid OMB control number.  The control number assigned to this collection is OMB 1652-0062, which expires on 07/31/2015.


Sheet 4: Checklist

DEPARTMENT OF HOMELAND SECURITY

Transportation Security Administration

Mass Transit

Baseline Assessment & Security Enhancement Review Checklist


Company Name:

Lead Inspector:

Assessment Date:










Description
Findings Justification

Section
N/A Score Source Score Rationale


MANAGEMENT AND ACCOUNTABILITY





1.000 Establish Written System Security Plans (SSPs) and Emergency Response Plans (ERPs)





1.100 System Security Plan (SSP)





Blue means Baseline Security Measure.
1.101 Does the transit agency have a System Security Plan (SSP)?





1.102 Does the SSP identify the goals and objectives for the security program?





1.103 Does a written policy statement exist that endorses and adopts the policies and procedures of the SSP that is approved and signed by top management, including the agency's chief executive?





1.104 Is the SSP separate from the agency’s System Safety Program Plan (SSPP)?





1.105 / T1 Do the Security and Emergency Response Plans address protection and response for critical underwater tunnels, underground stations/ tunnels and other critical systems, where applicable?





1.106 Does the SSP contain or reference other documents establishing procedures for the management of security incidents by the operations control center (or dispatch center)?





1.107 Does the SSP contain or reference other documents establishing plans, procedures, or protocols for responding to security events with external agencies (such as law enforcement, local EMA, fire departments, etc.)?





1.108 Does the SSP contain or reference other documents that establish protocols addressing specific threats from (i) Improvised Explosive Devices (IED) and (ii) Weapons of Mass Destruction (chemical, biological, radiological hazards)?





1.109 / T3 Are visible, random security measures integrated into security plans to introduce unpredictability into security activities for deterrent effect?





1.110 Does the SSP include provisions requiring that security be addressed in extensions, major projects, new vehicles and equipment procurement and other capital projects, and including integration with the transit agency’s safety certification process?





1.111 Does the SSP include or reference other documents adopting Crime Prevention Through Environmental Design (CPTED) principles as part of the agency's engineering practices?





1.112 Does the SSP require an annual review?





1.113 Does the transit agency produce periodic reports reviewing its progress in meeting its SSP goals and objectives?





1.114 Has an annual review of the SSP been performed and documented in the preceding 12 months?





1.115 Does the SSP outline a process for securing SSO agency review and approval of updates to the SSP?



1.116 Has the transit agency submitted and received documentation from the SSO confirming its review and approval of the SSP currently in effect?



1.200 Emergency Response Plan (ERP)





1.201 Does the transit agency have an Emergency Response Plan (ERP)?





1.202 Does a written policy statement exist that endorses and adopts the policies and procedures of the ERP that is approved and signed by top management, including the agency's chief executive?





1.203 Does the ERP require an annual review to determine if it needs to be updated?





1.204 Has an annual review of the ERP been performed and documented in the preceding 12 months?





1.205 Does the ERP include a process or review provision to ensure coordination with the transit agency’s SSPP and SSP?





1.206 Has the transit agency received documentation from the SSO confirming its review and approval of the ERP currently in effect?



1.207 Does the ERP contain or reference other documents establishing plans, procedures, or protocols for responding to emergency events with external agencies (such as law enforcement, local EMA, fire departments, etc.)?





1.208 Does the ERP contain or reference other documents that establish procedures for the management of emergency events, including those to be employed by the operations control center (or dispatch center)?





1.209 Does the ERP contain or reference other documents to provide for Continuity of Operations (COOP) while responding to emergency events?





1.210 Does the agency have a written Business Recovery Plan to guide restoration of facilities and services following an emergency event?





1.211 Does the agency have a written Business Continuity Plan and COOP to guide restoration of facilities and services following an emergency event?





1.212 Does the agency have a back-up operations control center capability?





2.000 Define Roles and Responsibilities for Security and Emergency Management





2.100 System Security Plan (SSP)



2.101 Does the SSP establish and assign responsibility for implementation of the security program to a Senior Manager who is a "direct report" to the agency's Chief Executive Officer?





2.102 Has the agency established lines of delegated authority/succession of security responsibilities and, if so, has that information been distributed to agency managers?





2.103 Are roles and responsibilities for security and/or law enforcement personnel assigned by title and/or position established in the SSP or other documents?





2.104 Are security-related roles and responsibilities for non-security and/or law enforcement personnel (i.e., operators, conductors, maintenance workers and station attendants) established in the SSP or other documents?





2.105 / T2 Do senior staff and middle management conduct security meetings to review recommendations for changes to plans and processes?





2.106 Does a Security Review Committee (or other designated group) regularly review security incident reports, trends, and program audit findings?





2.107 Are informational briefings with appropriate personnel held whenever security protocols, threat levels, or protective measures are updated or as security conditions warrant?





2.108 Have appropriate reference guides or other written instructions or procedures been distributed to transit employees to implement the requirements of the SSP?





2.109 Has the agency appointed a Primary and Alternate Security Coordinator to serve as its primary and immediate 24-hr contact for intelligence and security-related contact with TSA and are the names of those Coordinators on file with TSA OSPIE office correct?





2.110 Does the agency maintain a record of security related incidents that are reported within the agency?





2.200 Emergency Response Plan (ERP):



2.201 Does the ERP establish and assign responsibility for implementation of the security program to a Senior Manager who is a "direct report" to the agency's Chief Executive Officer?





2.202 Are emergency response roles and responsibilities for all departments identified in the ERP or other supporting documents?





2.203 / T5 Are roles and responsibilities for front-line personnel (i.e. system law enforcement, system security officials, train or vehicle operators, conductors, station attendants, maintenance workers) described in the system's Emergency Response Plan (ERP)?





2.204 Has the ERP been distributed to appropriate departments in the organization?





2.205 Have appropriate reference guides or other written instructions or procedures been distributed to transit employees to implement the requirements of the ERP?





2.206 Are senior staff and middle management ERP coordination meetings held on a regular basis?





2.207 Are informational briefings with appropriate personnel held whenever emergency response protocols are substantially changed or updated?





3.000 Ensure that operations and maintenance supervisors, forepersons and managers are held accountable for security issues under their control





3.101 Do managers and supervisors routinely provide information to front-line personnel regarding security and emergency response issues?





3.102 Are regular supervisor, manager, and/or foreperson security review and coordination briefings held? If so, detail frequency and subjects covered in the justification.





3.103 Does the agency have a program for confirming that personnel have a working knowledge of security protocols? If so, summarize program in the justification.





3.104 Are managers and/or supervisors required to debrief front-line employees regarding their involvement in or management of any security or emergency incidents?





4.000 Coordinate Security and Emergency Management Plan(s) with local and regional agencies





4.101 Have Mutual Aid agreements been established between the transit agency and entities in the area that would be called upon to supplement the agency's resources in the event of an emergency event?





4.102 Does the agency participate in a regional Emergency Management Working Group or similar regional coordinating body for emergency preparedness and response?





4.103 Have regional incident management protocols been shared with the agency and incorporated into the agency's ERP/SSP/SEPP?





4.104 Have agency resources been appropriately identified and provided to the regional EMA?





4.105 Does the agency have a designated point-of-contact or liaison with the local/regional Emergency Operations Center (EOC)?





4.106 Does the agency send a representative to the local/regional EOC, should it be activated?





4.107 Does the agency have information sharing capabilities with the regional/local EOC (i.e., contacts, procedures, resource inventories, etc.)?





4.108 Has the agency developed internal incident management protocols that comply with the National Response Plan and the National Incident Management System (NIMS)?





4.109 Have the agency's emergency response protocols been shared with the EMA and appropriate first responder agencies?





4.110 / T5 Has the transit system tested its communications systems for interoperability with appropriate emergency response agencies?





4.111 If the agency's communications systems are NOT inter-operable with appropriate emergency response agencies, have alternate communication protocols been established? Describe the alternate communication protocols in the justification.






SECURITY AND EMERGENCY RESPONSE TRAINING



5.000 Establish and Maintain a Security and Emergency Training Program





5.101 / T4 Is initial training provided to all new agency employees regarding security orientation/awareness?





5.102 / T4 Is annual refresher training provided regarding security orientation/awareness to Senior Management staff, managers and supervisors?





5.103 / T4 Is annual refresher training provided regarding security orientation/awareness to managers and supervisors?





5.104 / T4 Is annual refresher training provided regarding security orientation/awareness to front-line employees?





5.105 Is ongoing advanced security training focused on job function provided at least annually?





5.106 / T4 Is initial training provided to all new transit employees regarding emergency response?





5.107 / T4 Is annual refresher training provided regarding emergency response to Senior Management staff, supervisors, and managers?





5.108 / T4 Is annual refresher training provided regarding emergency response to Managers and Supervisors?





5.109 / T4 Is annual refresher training provided regarding emergency response to front-line Employees?





5.110 / T4 Have agency employees received general training on Incident Command System (ICS) procedures in accordance with National Incident Management System at least annually?





5.111 Has ICS and NIMS training appropriate to the position been provided to Senior Management staff, supervisors, and managers at least annually?





5.112 Has ICS and NIMS training appropriate to the position been provided to managers and supervisors at least annually?





5.113 Has ICS and NIMS training appropriate to the position been provided to front-line employees at least annually?





5.114 Has the agency developed a program and provided annual training on its own incident response protocols?





5.115 / T4 Has training on the agency's incident response protocols appropriate to the position been provided to Senior Management staff, managers and supervisors at least annually?





5.116 / T4 Has training on the agency's incident response protocols appropriate to the position been provided to managers and supervisors?





5.117 / T4 Has training on the agency's incident response protocols appropriate to the position been provided to front-line employees at least annually?





5.118 / T4 Has the transit system implemented an annual training program for personnel regarding response to terrorism, including (i) Improvised Explosive Devices and (ii) Weapons of Mass Destruction (chemical, biological, radiological, nuclear)? If so, summarize the relevant programs in the justification.





5.119 Has training focused on IEDs and WMDs appropriate to the position been provided to Senior Management staff, managers, and supervisors at least annually?





5.120 Has training focused on IEDs and WMDs appropriate to the position been provided to managers and supervisors?





5.121 Has training focused on IEDs and WMDs appropriate to the position been provided to front-line employees at least annually?





5.122 Do law enforcement/security department personnel at the agency receive specialized training in counter-terrorism annually? Summarize program in the justification.





5.123 Do law enforcement/security department personnel at the agency receive specialized training supporting their incident management and emergency response roles at least annually? Summarize program in the justification.





5.124 Does the agency have an established program to monitor employee training and to schedule employees for training?





5.125 Does the agency have a system that records and tracks personnel training for all security-related courses (including initial, annual, periodic and other)?





5.126 Does the transit agency have a system that records and tracks personnel training for emergency response courses (including initial, periodic and other)?





5.127 Does the agency have a program to regularly review and update security awareness and emergency response training materials?





5.128 / T4 Are all appropriate personnel notified via briefings, email, voicemail, or signage of changes in threat condition, protective measures or the employee watch programs?





5.129 / T1 Do the agency's security awareness and emergency response training programs cover response and recovery operations in critical facilities and infrastructure? If so, summarize relevant provisions of program in the justification.





5.130 / T1 Has the agency provided training to regional first responders (law enforcement agencies, firefighters, and emergency medical response teams) to enable them to operate in critical facilities and infrastructure?





5.131 / T3 Does training of transit system law enforcement and/or security personnel integrate the concept and employment of visible, random security measures?





5.132 / T4 Has the agency implemented a program to train or orient first responders (law enforcement, firefighters, emergency medical teams) and other potential supporting assets (e.g., TSA regional personnel for VIPR exercises) on their system vehicle familiarization?






NATIONAL TERRORISM ADVISORY SYSTEM (NTAS)





6.000 Establish plans and protocols to respond to the National Terrorism Advisory System (NTAS)





6.101 Does the SSP contain or reference other documents identifying incremental actions (imminent or elevated) to be implemented for a NTAS threat?





6.102 / T2 Does the agency have actionable operational response protocols for the specific threat scenarios from NTAS?





6.103 Has the agency provided annual training and/or instruction focused on job function regarding the incremental activities to be performed by employees?






PUBLIC AWARENESS



7.000 Implement and reinforce a Public Security and Emergency Awareness program





7.101 Has the transit agency developed and implemented a public security and emergency awareness program?





7.102 / T6 Does the agency provide active public outreach for security awareness and emergency preparedness (e.g., Transit Watch, “If You See Something, Say Something”, message boards, brochures, channel cards, posters, fliers)?





7.103 / T6 Is the above consistent with agency's overall announcement program?





7.104 / T6 Are general security awareness and emergency preparedness messages included in public announcement messages at stations and on board vehicles?





7.105 / T6 Are passengers urged to report unattended property, suspicious behavior, and security concerns to uniformed crew members, law enforcement or security personnel, and/or a contact telephone number? If so, summarize the type of materials used and content in the justification.





7.106 / T6 Does the agency have an appropriate mechanism in place (e.g., 1-800 number, smart phone applications, social media, etc.) that passengers can call or use to report security concerns? If so, is this information indicated in public awareness materials and messages?





7.107 Does the agency issue public service announcements or press releases to social media (e.g., Twitter/Facebook/etc., QRC codes, and/or apps for smart phones) regarding security and emergency protocols?





7.108 / T6 Does the agency issue public service announcements or press releases to local media (e.g. newspaper, radio and/or television) regarding security or emergency protocols?





7.109 Does the transit agency conduct a volunteer training program for non-employees to aid with system evacuations and emergency response?





7.110 Does the transit agency conduct an outreach program to enlist members of the public as security awareness volunteers, similar to Neighborhood Watch programs?





7.111 / T1 Do public awareness materials and/or messages inform passengers on the means to evacuate safely from transit vehicles and underwater/underground facilities?





7.112 Does the agency track and monitor customer complaints reported by passengers?






RISK MANAGEMENT



8.000 Establish and use a risk management process



8.101 / T2 Does the agency have a risk assessment process approved by its management, for managing threats and vulnerabilities? If so, summarize the process in the justification.





8.102 Has the agency identified facilities and systems it considers to be its critical assets?





8.103 / T2 Has the agency had an internal or external vulnerability assessment on its critical assets within the past 3 years? Specify the dates of the most recent assessments and the entity(ies) that conducted the assessment(s).





8.104 / T1 Has the agency had an internal or external Risk Assessment, analyzing threat, vulnerability, & consequence, for critical assets and infrastructure, and systems within the past 3 years? Have management and staff responsible for the risk assessment process been properly trained to manage the process?





8.105 / T2 Has the system implemented procedures to limit and monitor authorized access to underground and underwater tunnels? If so, summarize procedures in the justification.





8.106 Are security investments prioritized using information developed in the risk assessment process?





8.107 / T1 Upon request, has TSA been provided access to the agency's vulnerability assessments, Security Plan and related documents?






ESTABLISH A RISK ASSESSMENT AND INFORMATION SHARING PROCESS





9.000 Establish and use an information sharing process for threat and intelligence information.





9.101 Does the agency have a formalized process and procedures for reporting and exchange of threat and intelligence information with Federal, State, and/or local law enforcement agencies?





9.102 / T2 Does the system report threat and intelligence information directly to FBI Joint Terrorism Task Force (JTTF) or other regional anti-terrorism task force?





9.103 / T2 Does the system have a protocol to report threats or significant security concerns to appropriate law enforcement authorities, and TSA's Transportation Security Operations Center (TSOC)?





9.104 Does the agency routinely receive threat and intelligence information directly from any Federal government agency, State Homeland Security Office, Regional or State Intelligence Fusion Center, PT-ISAC, or other transit agencies?





9.105 Does the agency report their NTA security data to FTA as required by 49 CFR 659?




DRILLS AND EXERCISES





10.000 Conduct Tabletop and Functional Drills



10.101 Does the agency’s System Safety Program Plan (SSPP) contain or reference a document describing the process used by the agency to develop an approved, coordinated schedule for all emergency management program activities, including local/regional emergency planning and participation in exercises and drills?





10.102 Does the agency’s SSPP or SSP describe or reference how the agency performs its emergency planning responsibilities and requirements regarding emergency drills and exercises?





10.103 / T5 Does the agency evaluate its emergency preparedness by using annual field exercises, tabletop exercises, and/or drills? If so, please summarize the exercise events held in the past year.





10.104 Does the agency's SSPP or a related document include a requirement for annual field exercises, tabletops and drills?





10.105 Does the agency’s SSPP or SSP describe or reference how the agency documents the results of its emergency preparedness evaluations (i.e., briefings, after action reports and implementation of findings)?





10.106 Does the agency’s SSPP or a related document describe or reference its program for providing employee training on emergency response protocols and procedures?





10.107 Does the agency participate as an active player in full-scale, regional exercises held at least annually?





10.108 / T5 In the last year, has the agency conducted and/or participated in a drill, tabletop exercise, and/or field exercise including scenarios involving (i) IEDs and (ii) WMD (chemical, biological, radiological, nuclear) with other transit agencies and first responders (e.g., NTAS scenarios)?





10.109 / T5 In the last year, has the agency reviewed results and prepared after-action reports to assess performance and develop lessons learned for all drills, tabletop, and/or field exercises?





10.110 / T5 In the last 12 months, has the agency updated plans, protocols and processes to incorporate after-action report recommendations/findings and corrective actions? If so, summarize the actions taken in the justification.





10.111 Has the agency established metrics to assess its performance during emergency exercises and to measure improvements?





10.112 / T1 Does the system conduct drills and exercises of its security and emergency response plans to test capabilities of i.) employees and ii.) first responders to operate effectively in underwater/underground infrastructure and other critical systems?





10.113 / T5 Does the transit system integrate local and regional first responders (law enforcement, firefighters, emergency medical teams) in drills, tabletop exercises, and/or field exercises? If so, summarize each joint event and state when it took place.





11.000 Developing a Comprehensive Cyber Security Strategy



11.101 Has the agency conducted a risk assessment to identify operational control and communication/business enterprise IT assets and potential vulnerabilities?





11.102 Has the agency implemented protocols to ensure that all IT facilities (e.g., data centers, server rooms, etc.) and equipment are properly secured to guard against internal or external threats or attacks?





11.103 Has a written strategy been developed and integrated into the overall security program to mitigate the cyber risk identified?





11.104 Does the agency have a designated representative to secure the internal network through appropriate access controls for employees, a strong authentication (i.e., password) policy, encrypting sensitive data, and employing network security infrastructure (example: firewalls, intrusion detection systems, IT security audits, antivirus, etc.)?





11.105 Does the agency ensure that recurring cyber security training reinforces security roles, responsibilities, and duties of employees at all levels to protect against and recognize cyber threats?





11.106 Has the agency established a cyber-incident response and reporting protocol?





11.107 Is the agency aware of and using available resources (e.g., standards, PT-ISAC, US CERT, National Cyber Security Communication and Integration Center, etc.)?






FACILITY SECURITY AND ACCESS CONTROLS



12.000 Control Access to Security Critical Facilities with ID badges for all visitors, employees and contractors





12.101 Have assets and facilities requiring restricted access been identified?





12.102 Are ID badges or other measures employed to restrict access to facilities not open to the public?





12.103 / T2 Has the transit agency developed and implemented procedures to monitor, update and document access control (e.g. card key, ID badges, keys, safe combinations, etc.)?





12.104 Does the agency have procedures to issue ID badges for visitors and contractors?





12.105 Does the agency require escorts for visitors accessing non-public areas?





12.106 Is CCTV equipment installed in transit agency facilities?





12.107 Is CCTV equipment protecting critical assets interfaced with an access control system?





12.108 Is CCTV equipment installed on transit vehicles?





12.109 Are Crime Prevention through Environmental Design (CPTED) and technology (e.g., CCTV, access control, intrusion detection, bollards, etc.) incorporated into design criteria for all new and/or existing capital projects?





12.110 Based on the risk assessment, does the agency use fencing, barriers, and/or intrusion detection to protect against unauthorized entry into stations, facilities, and other identified critical assets?





12.111 / T2 Has the system implemented protective measures to secure high risk/high consequence assets and systems identified in risk assessments? Examples of protective measures include but are not limited to CCTV, intrusion detection systems, smart camera technology, fencing, enhanced lighting, access control, LE patrols, K-9s, protection of ventilation systems. If protective measures for this infrastructure are employed, summarize type and location in the justification.





12.112 Does the transit agency monitor a network of security, fire, duress, intrusion, utility and internal 911 alarm systems?





12.113 Are emergency call boxes provided for passengers?





12.114 Do transit agency personnel administer an automated employee access control system and perform corrective analysis of security breaches?





12.115 Does the agency have policies and procedures for screening of mail and/or outside deliveries?





12.116 Have locks, bullet resistant materials and anti-fragmentation materials been installed/used at critical locations?





12.117 Does the agency use National Fire Protection Association (NFPA) Standard 130 or equivalent to evaluate fire/life safety in station design or modification (including fire detection systems, firewalls and flame-resistant materials, back-up powered emergency lighting, defaults in turnstile and other systems supporting emergency exits, and pre-recorded public announcements)?





12.118 Is directional signage with adequate lighting provided in a consistent manner in all stations, both to provide orientation and to support emergency evacuation?





12.119 Are gates and locks used on all facility doors to prevent unauthorized access?





12.120 Are keys controlled through an established program managed by the security/police function?





12.121 Are gates and locks also used to close down system facilities after operating hours?





12.122 Do transit vehicles have radios, silent alarms, and/or passenger communication systems?





12.123 Does the transit agency use graffiti-resistant/etch-resistant materials for walls, ceilings, and windows?





12.124 Are Uninterruptible Power Supply (UPS) or redundant power sources provided for safety and security of critical equipment, such as but not limited to: exit and platform lighting; parking lot lighting; ancillary space and shop lighting; intrusion detection (alarmed rooms and spaces, fare collection equipment, etc.); fire detection, alarm and suppression systems; public address (shop and public areas); call-for-aid telephones; CCTV; emergency trip stations; vital train control functions; etc.?





12.125 At passenger stations at which a vulnerability assessment has identified a significant risk, and to the extent practicable, has the owner/operator removed trash receptacles and other non-essential receptacles or containers (with the exception of bomb resistant receptacles or clear plastic containers) from the platform areas of passenger terminals and stations?





12.126 Does the agency employ specific protective measures for all critical infrastructure (e.g., tunnels, bridges, stations, control centers, etc.) identified through the risk assessment, particularly at access points and ventilation infrastructure, and are they in place and maintained in optimal condition? Examples of protective measures include, but are not limited to, CCTV, intrusion detection systems, smart camera technology, fencing, lighting, access control, law enforcement patrols, canine patrols, physical protection for ventilation systems. If protective measures for this infrastructure are employed, summarize type and location in the justification.





12.127 / T1 Does the agency have or utilize explosive detection canine teams, either maintained by the system or made available from other law enforcement agencies? If so, has the system implemented procedures for reporting of and response to positive reactions by the canine?





13.000 Conduct Physical Security Inspections





13.101 / T1 Does the agency conduct frequent inspections of key facilities, stations, terminals, trains and vehicles, or other critical assets for persons, materials, and items that do not belong?





13.102 Has the transit agency established procedures for inspecting/sweeping vehicles and stations to identify and manage suspicious items, based on HOT characteristics (hidden, obviously suspicious, not typical) or equivalent system?





13.103 Has the transit agency developed a form or quick reference guide for operations and personnel to conduct pre-trip, post-trip, and within-trip inspections?





13.104 Has the transit agency developed a form or quick reference guide for station attendants and others regarding station and facility inspections?





13.105 / T2 Does the system document the results of inspections and implement any changes to policies and procedures or implement corrective actions, based on the findings?





13.106 / T2 Does the agency conduct frequent inspections of access points, ventilation systems, and the interior of underground/underwater assets and systems for indications of suspicious activity?





13.107 Does the system integrate randomness and unpredictability into its security activities to enhance deterrent effect?





13.108 Is there a process in place, with necessary training provided to personnel, to ensure that in service vehicles are inspected at regular periodic intervals for suspicious or unattended items? Specify type and frequency of inspections.





13.109 Is there a process in place, with necessary training provided to personnel, to ensure that all critical infrastructure are inspected at regular periodic intervals for suspicious or unattended items? Specify type and frequency of inspections.






BACKGROUND INVESTIGATIONS



14.000 Conduct Background Investigations of Employees and Contractors



14.101 / T2 Does the agency conduct background investigations (i.e., criminal history and motor vehicle records) on all new front-line operations and maintenance employees, and employees with access to sensitive security information, facilities and systems?





14.102 / T2 To the extent allowed by agency policy or law, does the agency conduct background investigations on contractors, including vendors, with access to critical facilities, sensitive security systems, and sensitive security information?





14.103 Has counsel for the agency reviewed the process for conducting employee background investigations to confirm that procedures are consistent with applicable statutes and regulations?





14.104 Is the background investigation process documented?





14.105 Are the criteria for background investigations based on employee type (senior management staff, law enforcement officers, managers/supervisors, operators, maintenance, safety/security sensitive, contractor, etc.) and/or responsibility and access documented?






DOCUMENT CONTROL





15.000 Control Access to documents of security critical systems and facilities





15.101 / T2 Does the agency keep documentation of its security critical systems, such as tunnels, bridges, HVAC systems and intrusion alarm detection systems (i.e. plans, schematics, etc.) protected from unauthorized access?





15.102 Has the agency designated a department/person responsible for administering the access control policy with respect to agency documents?





15.103 Does the security review committee (or other designated group) review document control practices, assess compliance with applicable procedures, and identify discrepancies and necessary corrective action?





16.000 Process for handling and access to Sensitive Security Information (SSI)





16.101 Does the agency have a documented policy for identifying and controlling the distribution of and access to documents it considers to be Sensitive Security Information (SSI) pursuant to 49 CFR Part 15 or 1520?





16.102 Does the agency have a documented policy for proper handling, control, and storage of documents labeled as or otherwise determined to be Sensitive Security Information (SSI) pursuant to 49 CFR Part 15 or 1520?





16.103 Are employees who may be provided SSI materials (per 49 CFR Part 15 or 1520) familiar with the documented policy for the proper handling of such materials?





16.104 Have employees provided access to SSI material per 49 CFR Part 15 or 1520 received training on proper labeling, handling, dissemination, and storage (such as through the TSA on-line SSI training program)?






SECURITY PROGRAM AUDITS



17.000 Audit Program



17.101 Has the agency established a schedule for conducting its internal security audit process?





17.102 Does the SSP contain a description of the process used by the agency to audit its implementation of the SSP over the course of the agency's published schedule?





17.103 Has the transit agency established checklists and procedures to govern the conduct of its internal security audit process?





17.104 Is the transit agency complying with its internal security audit schedule?





17.105 Is each internal security audit documented in a written report, which includes evaluation of the adequacy and effectiveness of the SSP element and applicable implementing procedures audited, needed corrective actions, needed recommendations, an implementation schedule for corrective actions and status reporting?





17.106 In the last 12 months, has the Security Review Committee (or other designated group) addressed the findings and recommendations from the internal security audits, and updated plans, protocols and processes as necessary?





17.107 Does the transit agency’s internal security audit process ensure that auditors are independent from those responsible for the activity being audited?





17.108 Has the agency made its internal security audit schedule available to the SSO agency?



17.109 Has the agency made checklists and procedures used in its internal security audits available to the SSO agency?



17.110 Has the agency notified the SSO agency 30 days prior to the conduct of an internal security audit?



17.111 Has a report documenting internal security audit process and the status of findings and corrective actions been made available to the SSO agency within the previous 12 months?



17.112 Has the agency's chief executive certified to the SSO agency that the agency is in compliance with its SSP?



17.113 Was that certification included with the most recent annual report submitted to the SSO agency?



17.114 If the agency's chief executive was not able to certify to the SSO agency that the agency is in compliance with its SSP, was a corrective action plan developed and made available to the SSO?












Number of items requiring Options for Consideration
0




Sheet 5: Additional Information

Date of Visit TSA Field Office Lead TSI Inspector
12/30/1899 0 0
Agency Name
0

Additional Information
General Description of the Entity:
Additional description information about the entity. INSPECTOR SHALL PROVIDE A GENERAL NARRATIVE OVERVIEW OF THE ENTITY’S SCOPE OF OPERATIONS, FACILITIES, ETC.:

General Summary of Assessment Process and Entity's Security Posture. Other information obtained during BASE assessment:
Additional description information about the entity.
Smart Practice Information:
Did you observe anything significant or "cutting edge" in the area of corporate/facility security?

1. List the infrastructure and assets identified as critical by the agency:
a.
b.
c.
d.
e.
f.
g.
2. Where do you, as an industry, feel vulnerable?
a.
b.
3. What concerns do you have?
a.
b.

4. In what Federal programs or security initiatives does your company participate?
a.
b.
c.
File Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet