This is the accessible text file for GAO report number GAO-05-851 entitled 'Passenger Rail Security: Enhanced Federal Leadership Needed to Prioritize and Guide Security Efforts' which was released on October 7, 2005. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: United States Government Accountability Office: GAO: September 2005: Passenger Rail Security: Enhanced Federal Leadership Needed to Prioritize and Guide Security Efforts: GAO-05-851: GAO Highlights: Highlights of GAO-05-851, a report to congressional requesters: Why GAO Did This Study: The U.S. passenger rail system is a vital component of the nation’s transportation infrastructure, carrying more than 11 million passengers each weekday. The Department of Homeland Security (DHS) and the Department of Transportation (DOT) share responsibility for ensuring the safety and security of rail systems. In this report, GAO addressed (1) DHS actions to assess the risks to the U.S. passenger rail system in the context of prevailing risk management principles, (2) federal actions taken to enhance the security of the U.S. passenger rail system, and (3) security practices that domestic and selected foreign passenger rail operators have implemented. What GAO Found: Within DHS, the Office for Domestic Preparedness has completed 7 risk assessments of passenger rail systems around the country, with 12 more under way. TSA has begun to conduct risk assessments and to establish a methodology for determining how to analyze and characterize risks that have been identified but has not yet completed either effort or set timelines for doing so. TSA will not be able to prioritize passenger rail assets and help guide security investment decisions until these efforts are completed. At the department level, DHS has begun developing, but has not yet completed, a framework to help agencies and the private sector develop a consistent approach for analyzing and comparing risks to transportation and other sectors. Until this framework is finalized and shared with stakeholders, it may not be possible to compare risks across different sectors, prioritize them, and allocate resources accordingly. The Federal Transit Administration and Federal Railroad Administration within DOT have ongoing initiatives to enhance passenger rail security. In addition, in 2004, TSA issued emergency security directives to domestic rail operators after terrorist attacks on the rail system in Madrid, Spain, and piloted a test of explosive detection technology for use in passenger rail systems. However, federal and rail industry officials raised questions about the feasibility of implementing and complying with the directives, citing limited opportunities to collaborate with TSA to ensure that industry best practices were incorporated. In September 2004, DHS and DOT signed a memorandum of understanding to improve coordination between the two agencies, and they are developing agreements to address specific rail security issues. Domestic and foreign passenger rail operators we contacted have taken a range of actions to help secure their systems. We also observed security practices among certain foreign passenger rail systems or their governments that are not currently used by the domestic rail operators we contacted, or by the U.S. government, and which could be considered for use in the United States. For example, some foreign rail operators randomly screen passengers, and some foreign governments maintain centralized clearinghouses on rail security technologies and best practices. [See PDF for image] [End of figure] What GAO Recommends: GAO is recommending, among other things, that the Secretary of DHS direct the Assistant Secretary of the Transportation Security Administration (TSA) to develop a plan with timelines for completing its methodology for conducting risk assessments and develop rail security standards that can be measured and enforced. The Secretary also should consider the feasibility of implementing certain security practices used by foreign operators. DHS, DOT, and Amtrak reviewed a draft of this report and generally agreed with the report’s recommendations. DHS’s detailed comments and GAO’s response are contained in the report. www.gao.gov/cgi-bin/getrpt?GAO-05-851. To view the full product, including the scope and methodology, click on the link above. For more information, contact Cathleen Berrick at (202) 512-8777 or JayEtta Hecker at (202) 512-2834 [End of section] Contents: Letter: Results in Brief: Background: DHS Has Taken Steps to Assess Risk to Passenger Rail Systems, but Additional Work Is Needed to Guide Security Investments: Multiple Federal Agencies Have Taken Actions to Enhance Passenger Rail Security: U.S. and Foreign Rail Operators Have Taken Similar Actions to Secure Rail Systems, and Opportunities for Additional Domestic Security Actions May Exist: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope, and Methodology: Appendix II: Elements of a Typical Homeland Security Risk Assessment: Appendix III: FTA and ODP Passenger Rail Risk Assessments Conducted or In Progress: FTA Risk Assessments Conducted: ODP Risk Assessments: Appendix IV: Comments from the Department of Homeland Security: Appendix V: GAO Contacts and Staff Acknowledgments: Tables: Table 1: Selected Roles and Responsibilities of Federal Agencies Related to Risk Management and Critical Infrastructure Protection: Table 2: Selected Steps in ODP's Risk Assessment Process: Table 3: Examples of Measures Required by TSA Security Directives Issued to Passenger Rail Operators and Amtrak: Table 4: Domestic Passenger Rail Agencies We Visited or Interviewed for the Purposes of this Review: Table 5: Foreign Passenger Rail and Government Agencies We Visited or Interviewed for the Purposes of This Review: Figures: Figure 1: Geographic Distribution of Amtrak and Rail Transit Systems: Figure 2: Risk Management Cycle: Figure 3: Sample ODP Relative Risk Diagram: Figure 4: Status of TSA's Passenger Rail Risk Assessment Efforts, as of July 2005: Figure 5: Summary Information on TSA's Transit and Rail Inspection Pilot Program Phases: Figure 6: Example of Passenger Rail Customer Awareness Poster: Figure 7: Wallet-size Cards Distributed to BART Employees Containing Anti-terrorism Information: Figure 8: Selected Security Design Elements Incorporated into London's Underground: Figure 9: Security Design Elements Incorporated into London's Underground: Figure 10: Composite of Selected Security Practices in the Passenger Rail Environment: Abbreviations: AAR: American Association of Railroads: APTA: American Public Transportation Association: ATSA: Aviation and Transportation Security Act: BART: San Francisco Bay Area Rapid Transit: CCTV: closed-circuit television: DHS: Department of Homeland Security: DOT: Department of Transportation: FRA: Federal Railroad Administration: FTA: Federal Transit Administration: HSPD-7: Homeland Security Presidential Directive-7: IAIP: Information Analysis and Infrastructure Protection: MBTA: Massachusetts Bay Transportation Authority: MOU: memorandum of understanding: NIPP: National Infrastructure Protection Plan: ODP: Office for Domestic Preparedness: PANYNJ: Port Authority of New York and New Jersey: PATH: Port Authority Trans-Hudson: PDA: personal digital assistant: RATP: Regie Autonome des Transports Parisiens: SLGCP: Office of State and Local Government Coordination and Preparedness: TRIP: Transit and Rail Inspection Pilot: TSA: Transportation Security Administration: TSSP: transportation sector-specific plan: UASI: Urban Area Security Initiative: WMATA: Washington Metropolitan Area Transit Authority: United States Government Accountability Office: Washington, DC 20548: September 9, 2005: The Honorable Steven LaTourette: Chairman: Subcommittee on Railroads: Committee on Transportation and Infrastructure: House of Representatives: The Honorable Olympia Snowe: United States Senate: The Honorable Barbara Boxer: United States Senate: The Honorable Michael Castle: House of Representatives: The July 7 and July 21, 2005, bomb attacks on London's subway system, which resulted in over 50 fatalities and more than 700 injuries, dramatically highlighted the vulnerability of passenger rail systems worldwide to terrorist attacks and the need for an increased focus on security for these systems. The U.S. passenger rail system is a vital component of the nation's transportation infrastructure, encompassing rail transit (heavy rail, commuter rail, and light rail) and intercity rail systems.[Footnote 1] Together, these systems carry more than 11 million passengers each weekday. One of the critical challenges facing rail system operators--and the federal agencies that regulate and oversee them--is finding ways to protect rail systems from potential terrorist attacks without compromising the accessibility and efficiency of rail travel. Several entities play a role in helping to fund and secure the passenger rail industry. The Department of Homeland Security's (DHS) Transportation Security Administration (TSA) is the primary regulator of the rail system's security, while DHS's Office for Domestic Preparedness (ODP) has been the primary federal source of security funding for passenger rail systems. In addition, the Department of Transportation's (DOT) Federal Transit Administration (FTA) and Federal Railroad Administration (FRA), state and local agencies (which operate most rail transit rail systems), and Amtrak are responsible for or have been involved in the security and safety of the U.S. passenger rail system. In the United States, passenger rail systems represent one of many modes of transportation--along with aviation, maritime, and others-- competing for limited federal security resources. Within the passenger rail sector itself, there is competition for resources, as federal, state, and local agencies and rail operators seek to identify and invest in appropriate security measures to safeguard these systems while also investing in other capital and operational improvements. Moreover, given competing priorities and limited homeland security resources, difficult policy decisions have to be made by Congress and the executive branch to prioritize security efforts and direct resources to areas of greatest risk within the passenger rail system, among all transportation modes, and across other nationally critical sectors. In this regard, to help federal decision makers determine how to best allocate limited resources, we have advocated, the National Commission on Terrorist Attacks Upon the United States (the 9/11 Commission) has recommended, and the subsequent Intelligence Reform and Terrorism Prevention Act of 2004 requires, that a risk management approach be employed to guide security decision making.[Footnote 2] A risk management approach entails a continuous process of managing risks through a series of actions, including setting strategic goals and objectives, assessing and quantifying risks, evaluating alternative security measures, selecting which measures to undertake, and implementing and monitoring those measures. In July 2005, in announcing his proposal for the reorganization of DHS, the Secretary of the Department of Homeland Security declared that as a core principle of the reorganization, the department must base its work on priorities driven by risk. You have expressed interest in the progress federal agencies and domestic passenger rail operators have made in setting and implementing security priorities in the wake of September 11 and terrorist attacks on rail systems. In addition, you expressed interest in learning about the security practices implemented by foreign passenger rail operators. For this report, we analyzed (1) the actions that DHS and its component agencies have taken to assess the risks posed by terrorism to the U.S. passenger rail system in the context of prevailing risk management principles; (2) the actions that federal agencies have taken to enhance the security of the U.S. passenger rail system; and (3) the security practices that domestic and selected foreign passenger rail operators have implemented to mitigate risks and enhance security, and any differences in these practices. To perform our analyses, we conducted site visits at, or held teleconferences with, a total of 32 passenger rail operators in the United States that represent over 95 percent of the nation's total rail ridership, as well as Amtrak. We also conducted site visits or met elsewhere with 13 passenger rail operators in seven European and Asian countries. During our domestic and international visits, we interviewed management and security personnel, toured stations and other facilities such as control centers, observed security practices, and obtained documentation of security procedures. In addition, we interviewed officials from domestic and foreign rail industry associations, foreign governments and rail operators, and representatives of the European Commission. Because we selected a nonprobability sample of both foreign and domestic passenger rail operators, the information we obtained from these interviews and visits cannot be generalized to all foreign or domestic rail operators. We also reviewed risk assessments of U.S. rail systems conducted by the federal government. Risk assessments are used to identify and rank risks to critical regional or national assets to further identify which would be most vulnerable to attack based on various threat scenarios. Risk assessments are an integral part of using a broader risk management approach to guide investments that help enhance security. While a risk management approach entails multiple iterative components, this report primarily addresses the risk assessment component of such an approach as applied in the homeland security context. (Additional information about the risk assessment component is contained in app. II.) Although we identified and cataloged security practices of the domestic and foreign passenger rail operators we contacted, we did not evaluate the appropriateness or effectiveness of these practices. We discussed foreign security practices we observed with DHS, DOT, passenger rail industry associations, select passenger rail operators, and transportation security experts from the RAND Corporation and the Mineta Transportation Institute to explore the potential applicability of these practices to U.S. passenger rail systems.[Footnote 3] Our work does not reflect the proposed reorganization of DHS and its component agencies announced by the Secretary of DHS. We conducted our work from May 2004 through July 2005 in accordance with generally accepted government auditing standards. Appendix I contains more details about our objectives, scope, and methodology. Results in Brief: Two component agencies with different missions within DHS are responsible for, and have engaged in, conducting risk assessments for the passenger rail industry, in an effort to identify and protect the assets most vulnerable to attack and most critical to operations, such as stations, tracks, and bridges. The first, the Office for Domestic Preparedness, is responsible for, among other things, providing grant funds and technical assistance to rail operators and others to improve preparedness at the state and local level. As part of this mission, ODP has developed and implemented a risk assessment methodology for mass transit agencies and port authorities, and used it to complete 7 risk assessments at rail facilities, with an additional 12 assessments in progress, as of July 2005. According to passenger rail operators we interviewed, ODP's risk management approach has helped them to prioritize and allocate resources to protect their systems. For example, one operator collaborated with ODP on a risk assessment that resulted in justifying a $500 million high-priority security capital investment program, which is to fund, among other things, a security operations center for its passenger train network, alarm monitoring systems, and an upgraded closed-circuit television system. The second agency, TSA, has also recently begun to conduct risk assessments of the rail sector as part of a broader effort to assess risk to all transportation modes. As of July 2005, while TSA had completed an overall threat assessment for mass transit and passenger rail, the agency had not yet completed a risk assessment for the passenger rail sector or a methodology for determining how to analyze and characterize risk (as high, medium, or low) identified through assessments, or indicated when this would be done. Until both of these efforts have been accomplished, in collaboration with rail industry stakeholders, TSA will not be able to prioritize passenger rail assets based on risk and help guide investment decisions about protecting them. A 2003 presidential directive required DHS to, among other things, establish uniform guidelines and methodologies for integrating federal infrastructure protection and risk management activities within and across entire economic sectors, such as transportation (including rail), energy, and agriculture. To address this requirement, at the department level, DHS has been developing a broad framework intended to help federal agencies, the private sector, and state and local governments develop a consistent approach to analyzing risk to critical infrastructure within and across sectors. This framework is intended to enable risks across sectors to be compared as a means of guiding resource allocation and emergency response planning. Because DHS has not yet finalized this framework, it is not known what impact, if any, it may have on risk assessment efforts now under way by TSA, ODP, and other federal agencies with critical infrastructure protection responsibilities. Until DHS finalizes this framework, it may not be possible to compare risks across different sectors, prioritize them, and then allocate resources accordingly. A number of federal departments and their component agencies have taken actions to strengthen passenger rail security. FTA and FRA were the primary federal agencies involved in passenger rail security matters prior to the creation of TSA, and both undertook numerous initiatives both before and after September 11, 2001. For example, FTA conducted security readiness assessments, sponsored security training, and developed security guidance for transit agencies. FRA conducted security inspections of commuter railroads and researched various rail security technologies. After taking over as the lead federal agency responsible for transportation security, TSA issued security directives to the passenger rail industry in May 2004, after terrorists attacked the commuter rail system in Madrid, Spain. The directives--based upon industry best practices, according to TSA--required rail operators to implement a number of security measures, such as conducting frequent inspections of stations, terminals, and other assets, or utilizing canine explosive detection teams, if available. According to TSA officials, because of the need to act quickly, the rule-making process for these security directives did not include a public comment period. As a result, stakeholder input was limited. The rapid issuance of these directives has posed challenges to TSA and rail operators. For example, while rail operators are required to implement the measures, and TSA has hired rail inspectors to enforce them, operators told TSA they were unsure how to comply with the directives because, for example, the directives include instructions requiring them to perform "frequent inspections" of key facilities, without defining relevant parameters. TSA told rail operators when the directives were issued that additional performance-based guidance would be provided to clarify the directives requirements, but this information has not been supplied. Further, TSA has not yet developed criteria or procedures for rail inspectors to use in enforcing compliance with the directives. In addition, stakeholders we contacted questioned the extent to which the security directives reflected industry best practices. For example, one requirement of the directives was that the doors of the rail engineer's compartment be locked, which conflicts with an existing FRA safety regulation calling for these doors to remain unlocked for escape purposes. In September 2004, in response to our prior recommendation, DHS and DOT signed a memorandum of understanding (MOU) intended to identify ways to improve coordination and collaboration between and among federal and rail industry stakeholders.[Footnote 4] As of July 2005, the departments were developing agreements within the framework of this memorandum to delineate specific security-related roles, responsibilities, and resources for mass transit, rail, research and development, and other matters.[Footnote 5] However, none of the agreements have been finalized and timelines have not been established for doing so. Completing these agreements could help to ensure that federal activities to secure passenger rail systems are coordinated and that stakeholders are appropriately involved in the development and implementation of these activities. Domestic and foreign passenger rail operators we contacted or visited have generally taken similar actions to help secure their systems against the risk posed by terrorism. Specifically, most U.S. and foreign operators we contacted had implemented customer awareness programs to encourage passengers to remain vigilant and report suspicious activities, increased the number and visibility of their security personnel, increased the usage of canine teams to detect drugs and explosives, enhanced employee training programs, upgraded security technology, tightened access controls, and made system design improvements to enhance security. However, we observed security practices among certain foreign passenger rail systems or their governments that were not in use, at the time we completed our fieldwork in June 2005, by the domestic rail operators we contacted or the U.S. government. For example, we found that 2 of 13 foreign rail operators we contacted utilize covert testing to help keep employees alert to security threats. In one type of covert test, suspicious items are placed throughout the rail system and employees are observed to see how long it takes them to find the objects. In addition, 2 of 13 foreign rail operators we visited randomly screen passengers and their baggage. After the July 7, 2005, London bombings, four domestic passenger rail operators began randomly screening passengers and their baggage on a limited basis. Further, in five countries we visited, national governments have centralized research on security technologies and maintain clearinghouses on these technologies and security best practices, giving rail operators a single source for identifying and comparing, among other things, chemical sensors, closed-circuit television, and intrusion detection systems. Introducing any of these security practices into the U.S. rail system may pose political, legal, fiscal, and cultural challenges, but may nevertheless warrant examination to determine whether they could enhance the security of domestic rail systems. To help ensure that the federal government has the information it needs to prioritize passenger rail assets based on risk, and in order to evaluate, select, and implement commensurate measures to help the nation's passenger rail operators protect their systems against acts of terrorism, we are making several recommendations. Among them, we recommend that TSA establish a plan with timelines for completing its methodology for conducting risk assessments, develop security standards that reflect industry best practices and can be measured and enforced, and set timelines for completing memorandum of understanding agreements. In addition, we are recommending that the Secretary of DHS determine the feasibility, in a risk management context, of implementing certain security practices used by foreign rail operators. These recommendations should be implemented in collaboration with DOT and the passenger rail industry. We provided DHS, DOT, and Amtrak a draft of this report for review and comment. DOT and Amtrak generally agreed with our findings and recommendations and provided technical comments, which we have incorporated where appropriate. DHS generally concurred with the report's recommendations. However, DHS raised questions about, among other things, the extent to which the report reflected the agency's efforts to involve federal and rail industry stakeholders in the development of security directives and criticality assessments. According to TSA, the emergency circumstances under which the directives were issued allowed for only limited input and review by federal and rail industry stakeholders. However, we believe that using the federal rule-making process as a means of establishing permanent standards would make the process more transparent and could help TSA in developing standards that are most appropriate for the industry and which can be measured, monitored, and enforced. These stakeholders will be involved in administering, implementing, and/or enforcing TSA standards and stakeholder buy-in would be critical to the success of such initiatives. DHS's comments appear in appendix IV. Background: Overview of the U.S. Passenger Rail System: Each weekday, 11.3 million passengers in 35 metropolitan areas and 22 states use some form of rail transit.[Footnote 6] Heavy rail systems-- subway systems like New York City's transit system and Washington, D.C.'s Metro--typically operate on fixed rail lines within a metropolitan area and have the capacity for a heavy volume of traffic. Commuter rail systems typically operate on railroad tracks and provide regional service (e.g., between a central city and adjacent suburbs). Commuter rail systems are traditionally associated with older industrial cities, such as Boston, New York, Philadelphia, and Chicago. Light rail systems are typically characterized by lightweight passenger rail cars that operate on track that is not separated from vehicular traffic for much of the way. All types of rail transit systems in the United States are typically owned and operated by public sector entities, such as state and regional transportation authorities. Amtrak operates the nation's primary intercity passenger rail service over a 22,000-mile network, primarily over leased freight railroad tracks.[Footnote 7] Amtrak serves more than 500 stations (240 of which are staffed) in 46 states and the District of Columbia, and it carried more than 25 million passengers in 2004. According to Amtrak, about two- thirds of its ridership is wholly or partially on the "Northeast Corridor," between Boston and Washington, D.C. Amtrak owns about 650 miles of track, primarily on the Northeast Corridor. Stations are owned by Amtrak, freight carriers, municipalities, and some private entities. Amtrak also operates commuter rail services in certain jurisdictions on behalf of state and regional transportation authorities. Figure 1 identifies the geographic location of rail transit systems and Amtrak within the United States. Figure 1: Geographic Distribution of Amtrak and Rail Transit Systems: [See PDF for image] [End of figure] Passenger Rail Systems Are Inherently Vulnerable to Terrorist Attacks: To date, U.S. passenger rail systems have not been targets of terrorist attacks. However, worldwide, public transportation in general and passenger rail in particular, have been attacked multiple times, sometimes with grave results. According to a database of worldwide terrorist incidents maintained by the RAND Corporation, from 1995 to June 2005, there have been over 250 terrorist attacks worldwide against rail targets, resulting in almost 900 deaths and over 6,000 injuries.[Footnote 8] Among them were the fatal 1995 sarin gas attack on the Tokyo subway system by the Aum Shinri Kyo doomsday cult, resulting in 12 deaths and 5,000 injuries; the December 2003 bomb attack by Chechen rebels on a Russian commuter train, resulting in 46 fatalities and 165 injuries; and the March 2004 terrorist bombing attacks on commuter trains in Madrid, for which an al Qaeda affiliate organization claimed responsibility, and in which 191 people were killed and 600 were injured. According to passenger rail officials and passenger rail experts, certain characteristics of domestic and foreign passenger rail systems make them inherently vulnerable to terrorist attacks and therefore difficult to secure. By design, passenger rail systems are open (i.e., have multiple access points, hubs serving multiple carriers, and, in some cases, no barriers) so that they can move large numbers of people quickly. In contrast, the U.S. commercial aviation system is housed in closed and controlled locations with few entry points. The openness of passenger rail systems can leave them vulnerable because operator personnel cannot completely monitor or control who enters or leaves the systems. In addition, other characteristics of some passenger rail systems--high ridership, expensive infrastructure, economic importance, and location (e.g., large metropolitan areas or tourist destinations)-- also make them attractive targets for terrorists because of the potential for mass casualties and economic damage and disruption. Moreover, some of these same characteristics make passenger rail systems difficult to secure. For example, the numbers of riders that pass through a subway system--especially during peak hours--may make the sustained use of some security measures, such as metal detectors, difficult because they could result in long lines that could disrupt scheduled service. In addition, multiple access points along extended routes could make the cost of securing each location prohibitive. Balancing the potential economic impacts of security enhancements with the benefits of such measures is a difficult challenge. Multiple Stakeholders Share Responsibility for Securing Passenger Rail Systems: Securing the nation's passenger rail systems is a shared responsibility requiring coordinated action on the part of federal, state, and local governments; the private sector; and rail passengers who ride these systems. Since the September 11 attacks, the role of federal government agencies in securing the nation's transportation systems, including passenger rail, have continued to evolve. Prior to September 11, DOT-- namely FTA and FRA--was the primary federal entity involved in passenger rail security matters. In response to the attacks of September 11, Congress passed the Aviation and Transportation Security Act (ATSA), which created TSA within DOT and defined its primary responsibility as ensuring security in all modes of transportation.[Footnote 9] The act also gave TSA regulatory authority for security over all transportation modes. ATSA does not specify TSA's roles and responsibilities in securing the maritime and land transportation modes at the level of detail it does for aviation security. Instead, the act broadly identifies that TSA is responsible for ensuring the security of all modes of transportation. With the passage of the Homeland Security Act of 2002, TSA was transferred, along with over 20 other agencies, to the Department of Homeland Security.[Footnote 10] With the creation of DHS in 2002, one of its components, ODP, became the primary federal source for security funding for passenger rail systems.[Footnote 11] ODP is the principal component of DHS responsible for preparing the United States for acts of terrorism and has primary responsibility within the executive branch for assisting and supporting DHS, in coordination with other directorates and entities outside of the department, in conducting risk analysis and risk management activities of state and local governments.[Footnote 12] In carrying out its mission, ODP provides training, funds for the purchase of equipment, support for the planning and execution of exercises, technical assistance, and other support to assist states, local jurisdictions, and the private sector to prevent, prepare for, and respond to acts of terrorism. Through the Urban Area Security Initiative (UASI) grant program, ODP has provided grants to urban areas to help enhance their overall security and preparedness level to prevent, respond to, and recover from acts of terrorism. In 2003 and 2004, $65 million and $50 million, respectively, were allocated to rail transit agencies through the UASI program. In addition, the DHS Appropriations Act of 2005 appropriated $150 million for rail transit, intercity passenger rail, freight rail, and transit agency security grants. This funding has allowed ODP to build upon the work under way through the UASI program and create and administer two new programs focused specifically on transportation security, the Transit Security Grant Program and the Intercity Passenger Rail Security Grant Program. These programs provide financial assistance to address security preparedness and enhancements for transit (to include commuter, heavy, and light rail systems, intracity bus, and ferry), and intercity rail (Amtrak) systems. The grant programs specifically provide funding for the prevention and detection of explosive devices and chemical, biological, radiological, and nuclear agents. About $108 million was provided to rail transit agencies and $7.1 million to Amtrak through these grant programs in 2005.[Footnote 13] While TSA is the lead federal agency for ensuring the security of all transportation modes, FTA conducts nonregulatory safety and security activities, including safety-and security-related training, research, technical assistance, and demonstration projects. In addition, FTA promotes safety and security through its grant-making authority. FTA provides financial assistance to rail transit agencies to plan and develop new systems and operate, maintain, and improve existing systems. FTA stipulates conditions of grants, such as certain safety and security statutory and regulatory requirements, and FTA may withhold funds for noncompliance with the conditions of a grant.[Footnote 14] While FTA cannot regulate safety and security operations at transit agencies,[Footnote 15] FRA has regulatory authority for rail safety over commuter rail operators and Amtrak, and employs over 400 rail inspectors that periodically monitor the implementation of safety and security plans at these systems.[Footnote 16] State and local governments, passenger rail operators, and private industry are also important stakeholders in the nation's rail security efforts. State and local governments play a vital role, in part, because they may own or operate a significant portion of the passenger rail system. Even when state and local governments are not owners and operators, they are directly affected by passenger rail systems that run within and through their jurisdictions. Consequently, the responsibility for responding to emergencies involving the passenger rail infrastructure often falls to state and local governments. Passenger rail operators, which can be public or private entities, are responsible for administering and managing passenger rail activities and services, including security. Passenger rail operators can directly operate the service provided or contract for all or part of the total service. Although all levels of government are involved in passenger rail security, the primary responsibility for securing passenger rail systems rests with the passenger rail operators. We discuss actions taken by federal agencies and passenger rail operators to enhance security in more detail later in this report. Assessing and Managing Risks to Rail Infrastructure Using a Risk Management Approach: In recent years, we, along with Congress (most recently through the Intelligence Reform and Terrorism Prevention Act of 2004),[Footnote 17] the executive branch (e.g., in presidential directives), and the 9/11 Commission have required or advocated that federal agencies with homeland security responsibilities utilize a risk management approach to help ensure that finite national resources are dedicated to assets or activities considered to have the highest security priority. We have concluded that without a risk management approach, there is limited assurance that programs designed to combat terrorism are properly prioritized and focused. Thus, risk management, as applied in the homeland security context, can help to more effectively and efficiently prepare defenses against acts of terrorism and other threats. A risk management approach entails a continuous process of managing risk through a series of actions, including setting strategic goals and objectives, performing risk assessments, evaluating alternative actions to reduce identified risks by preventing or mitigating their impact, selecting actions to undertake by management, and implementing and monitoring those actions. Figure 2 depicts a risk management cycle that is our synthesis of government requirements and prevailing best practices previously reported. Figure 2: Risk Management Cycle: [See PDF for image] --graphic text: 1. Strategic goals, objectives, and constraints, 2. Risk assessment, 3. Alternatives evaluation, 4. Management selection, 5. Implementation and monitoring. Source: GAO. [End of figure] Setting strategic goals, objectives, and constraints is a key first step in implementing a risk management approach and helps to ensure that management decisions are focused on achieving a strategic purpose. These decisions should take place in the context of an agency's strategic plan that includes goals and objectives that are clear, concise, and measurable. Risk assessment, a critical element of a risk management approach, helps decision makers identify and evaluate potential risks so that countermeasures can be designed and implemented to prevent or mitigate the effects of the risks. Risk assessment is a qualitative and/or quantitative determination of the likelihood of an adverse event occurring and the severity, or impact, of its consequences. Risk assessment in a homeland security application often involves assessing three key elements--threat, criticality, and vulnerability: * A threat assessment identifies and evaluates potential threats on the basis of factors such as capabilities, intentions, and past activities. * A criticality or consequence assessment evaluates and prioritizes assets and functions in terms of specific criteria, such as their importance to public safety and the economy, as a basis for identifying which structures or processes are relatively more important to protect from attack. * A vulnerability assessment identifies weaknesses that may be exploited by identified threats and suggests options to address those weaknesses. Information from these three assessments contributes to an overall risk assessment that characterizes risks on a scale such as high, medium, or low and provides input for evaluating alternatives and management prioritization of security initiatives.[Footnote 18] Additional details on these assessment elements can be found in appendix II. The risk assessment element in the overall risk management cycle may be the largest change from standard management steps and is central to informing the remaining steps of the cycle. The next step in a risk management approach--alternatives evaluation-- considers what actions may be needed to address identified risks, the associated costs of taking these actions, and any resulting benefits. This information is then to be provided to agency management to assist in the selection of alternative actions best suited to the unique needs of the organization. An additional step in the risk management approach is the implementation and monitoring of actions taken to address the risks, including evaluating the extent to which risk was mitigated by these actions. Once the agency has implemented the actions to address risks, it should develop criteria for and continually monitor the performance of these actions to ensure that they are effective and also reflect evolving risk. Federal Agencies with Risk Management Responsibilities: A number of federal departments and agencies have risk management and critical infrastructure protection responsibilities stemming from various requirements. The Homeland Security Act of 2002, which created DHS, directed the department's Information Analysis and Infrastructure Protection (IAIP) Directorate to utilize a risk management approach in coordinating the nation's critical infrastructure protection efforts. This includes using risk assessments to set priorities for protective and support measures by the department, other federal agencies, state and local government agencies and authorities, the private sector, and other entities. Homeland Security Presidential Directive 7 (HSPD-7) defines critical infrastructure protection responsibilities for DHS, sector-specific agencies (those federal agencies given responsibility for transportation, energy, telecommunications, and so forth), and other departments and agencies. The President instructs federal departments and agencies to identify, prioritize, and coordinate the protection of critical infrastructure to prevent, deter, and mitigate the effects of terrorist attacks. The Secretary of DHS is assigned several responsibilities by HSPD-7, including establishing uniform polices, approaches, guidelines, and methodologies for integrating federal infrastructure protection and risk management activities within and across sectors. To ensure the coverage of critical sectors, HSPD-7 designated sector-specific agencies for 17 critical infrastructure sectors.[Footnote 19] These agencies are responsible for infrastructure protection activities in their assigned sectors, including coordinating and collaborating with relevant federal agencies, state and local governments, and the private sector to carry out their responsibilities and facilitating the sharing of information about vulnerabilities, incidents, potential protective measures, and best practices. Pursuant to HSPD-7 and the National Infrastructure Protection Plan (NIPP), DHS was designated as the sector-specific agency for the transportation sector, a responsibility the department has delegated to TSA.[Footnote 20] As the sector-specific agency for transportation, TSA is required to develop a transportation sector-specific plan (TSSP) for identifying, prioritizing, and protecting critical transportation infrastructure and key resources that will provide key input to the broader NIPP to be prepared by IAIP. DHS issued an interim NIPP in February 2005 that was intended to serve as a road map for how DHS and stakeholders--including other federal agencies, the private sector, and state and local governments--should use risk management principles for determining how to prioritize activities related to protecting critical infrastructure and key resources within and among each of the 17 sectors in an integrated, coordinated fashion. DHS expects the next iteration of the NIPP to be issued in November 2005, with the sector- specific plans, including the TSSP, being incorporated into this plan in February 2006. HSPD-7 also requires DHS to coordinate with DOT on all transportation security matters. Table 1 summarizes selected responsibilities for federal agencies with lead or supporting roles for critical infrastructure protection and risk management efforts. Table 1: Selected Roles and Responsibilities of Federal Agencies Related to Risk Management and Critical Infrastructure Protection: Statute or directive: Homeland Security Act of 2002: Agency with lead or supporting role: IAIP[A]; Selected responsibilities: Coordinates national critical infrastructure protection (CIP) efforts by: * conducting risk assessments of key resources and critical infrastructure to determine the risks posed by terrorist attacks within the United States; * integrating relevant information, analyses, and assessments (whether conducted by department or others) in order to identify priorities for protective and support measures; * recommending measures to protect the key resources and critical infrastructure of the United States in coordination with other federal agencies and in cooperation with state and local government agencies and authorities, the private sector, and other entities; Related output of action: Develop a comprehensive national plan for securing the key resources and critical infrastructure; Due date: Not specified. Agency with lead or supporting role: ODP[A]; Selected responsibilities: As the principal federal agency in preparing the United States for acts of terrorism: * assists and supports DHS in conducting appropriate risk analysis and risk management activities of state, local, and tribal governments; * serves as primary office responsible for providing training, funds for the purchase of equipment, support for the planning and execution of exercises; Related output of action: Risk analysis and risk management activities for states and local jurisdictions; Due date: Not applicable. Statute or directive: Homeland Security Presidential Directive-7: Agency with lead or supporting role: IAIP[B]; Selected responsibilities: Coordinate national CIP efforts by: * identifying, prioritizing, and coordinating the protection of critical infrastructure, emphasizing protection against catastrophic health effects or mass casualties; * establishing uniform policies, approaches, guidelines, and methodologies for integrating federal infrastructure protection and risk management activities within and across sectors; Related output of action: National Infrastructure Protection Plan; Due date: 12/04. Agency with lead or supporting role: TSA[C]; Selected responsibilities: As sector-specific agency for transportation: * identify, prioritize, and coordinate the protection of critical transportation systems infrastructure, including conducting and facilitating vulnerability assessments and encouraging risk management strategies; * coordinate and collaborate with relevant federal agencies, state and local governments, and the private sector; Related output of action: Transportation Sector-Specific Plan; Due date: 12/04. Agency with lead or supporting role: DOT[D]; Selected responsibilities: Support CIP activities in transportation sector by: * collaborating with DHS on all matters relating to transportation security and transportation infrastructure protection; Related output of action: Not applicable; Due date: Not applicable. Statute or directive: Intelligence Reform and Terrorism Prevention Act of 2004; Agency with lead or supporting role: TSA[E]; Selected responsibilities: Develop, prepare, implement, and update as needed a National Strategy for Transportation Security, including: * development of transportation modal security plans; * identification and evaluation of transportation assets that must be protected from terrorist attack; * development of risk-based priorities across all transportation modes and realistic deadlines for addressing security needs associated with those assets; Related output of action: National Strategy for Transportation Security; Due date: 4/05. Agency with lead or supporting role: DOT; Selected responsibilities: Works jointly with DHS to develop, revise, and update the National Strategy for Transportation Security; Related output of action: Not applicable; Due date: Not applicable. Source: GAO analysis of federal roles and responsibilities related to risk management and critical infrastructure protection. [A] Lead role designated by statute. [B] Lead role for all sectors; responsibility delegated by DHS. [C] Lead role for transportation sector; responsibility delegated by DHS. [D] Supporting role for DHS. [E] Lead role delegated by DHS. [End of table] DHS Has Taken Steps to Assess Risk to Passenger Rail Systems, but Additional Work Is Needed to Guide Security Investments: DHS component agencies have taken various steps to assess the risk posed by terrorism to U.S. passenger rail systems. ODP has developed and implemented a risk assessment methodology intended to help passenger rail operators and others enhance their capacity to respond to terrorist incidents and identify and prioritize security countermeasures. As of July 2005, ODP had completed 7 risk assessments with rail operators and 12 others were under way. Further, TSA completed a threat assessment for mass transit and rail and has begun to identify critical rail assets, but it has not yet completed an overall risk assessment for the passenger rail industry. DHS is developing guidance to help these and other sector-specific agencies work with stakeholders to identify and analyze risk. ODP Has Worked with Passenger Rail Operators to Develop Risk Assessments to Help Prioritize Rail Security Needs and Investments: In 2002, ODP began conducting risk assessments of passenger rail operators through its Mass Transit Technical Assistance program. These assessments are intended to help passenger rail operators and port authorities enhance their capacity and preparedness to respond to terrorist incidents involving weapons of mass destruction, and identify and prioritize security countermeasures and emergency response capabilities. ODP's approach to risk assessment is generally consistent with the risk assessment component of our risk management approach. The agency has worked with passenger rail operators and others to complete several risk assessments. As of July 2005, ODP had completed 7 risk assessments in collaboration with passenger rail operators.[Footnote 21] Twelve additional risk assessments are under way, and an additional 11 transit agencies have requested assistance through this program. ODP's methodology for conducting risk assessments is articulated in a tool kit designed to enable passenger rail operators and others to compare relative risks among assets, identify assets with a perceived high level of risk, and prioritize measures to mitigate those risks.[Footnote 22] Once ODP and a rail operator agree to collaborate on the risk assessment, ODP sends a technical assistance team consisting of experts in the risk management and emergency response field to visit the rail operator on-site to support the implementation of the risk assessment process. The team assists the operator in using the tool kit to generate information on criticality, threat, vulnerability, impact, and risk. Once completed, the documented results should serve as a guide for future applications of the risk assessment process to keep pace with new threat information and newly vulnerable assets. ODP's risk assessment process involves, first, an analysis of four elements--criticality, threat, vulnerability, and impact. Using the tool kit, the operator begins by conducting the criticality assessment to identify and prioritize critical assets based upon factors such as the potential for serious injury or loss of life, or the economic implications on the livelihood, resources, or wealth of the area, region, or country if the asset was destroyed. Assets deemed to be "most critical" are then evaluated using the remaining risk assessment components. The operator then conducts the threat assessment to identify the range of weapon types that terrorists might use against the operator's critical assets, establish the likelihood that critical assets might be targeted, and develop possible attack scenarios. These attack scenarios are then used to perform a vulnerability assessment that evaluates the susceptibility of critical assets to these scenarios and determines such things as the probability of an attack succeeding and whether it can be stopped. Once these first three assessment components are completed, the operator determines the impact that the partial or complete destruction of a critical asset would have on the asset's ability to function based upon specific threat scenarios. Table 2 describes selected steps that operators take, in conjunction with ODP, to carry out these four assessment components using ODP's risk assessment tool kit. Table 2: Selected Steps in ODP's Risk Assessment Process: Assessment component: Criticality; Assessment steps: Step 1. Develop a worksheet of candidate critical assets (i.e., infrastructure, facilities, equipment, and personnel) that enable the operator to achieve its mission; Step 2. Establish critical asset factors--factors that describe the characteristics of assets that would result in significant negative impact to the operator given their loss in a terrorist event (i.e., economic impact, symbolic importance, functional importance); Step 3. Assign quantitative values to each factor that indicate the importance of the factor to the overall mission of the operator; Step 4. Apply the factors to the list of candidate assets to develop a criticality score; Step 5. Prioritize assets based upon their criticality scores. Rail operator officials review rankings to determine their reasonableness and to establish a threshold for the assets considered most critical. Assessment component: Threat; Assessment steps: Step 1. Develop a list of weapons types (i.e., large or small explosives, biological conventional explosive, nuclear device) that might be used by terrorists; Step 2. Evaluate the selected weapon types on the likelihood (using a five-point scale) that terrorists have each weapon and would use it against the operator's assets; Step 3. Evaluate the attractiveness of targets based on the potential for casualties, potential for economic disruption, and symbolic importance; Step 4. Define attack scenarios (based on target asset, weapon, and mode of delivery); the information will be used in subsequent assessment components. Assessment component: Vulnerability; Assessment steps: Step 1. Develop a rating to determine the probability of a successful attack. Rating is based upon three factors: the ability to limit or deny ingress and egress to an asset by a terrorist (access control), the ability to expose or reveal an attack before it takes place (detection capabilities), the ability to interdict once an attack has been detected (interdiction capabilities); Step 2. Using these probability ratings, develop an overall vulnerability rating that represents the relative likelihood of an attack being attempted and successfully carried out. Assessment component: Impact; Assessment steps: Step 1. Use the critical asset factors identified above to rate the effect of a weapon on each asset's mission; Step 2. Once each asset has been rated, use a mathematical formula to calculate a total overall impact level--how each asset's mission is affected based upon the extent to which it would be destroyed. Source: GAO analysis of ODP information. [End of table] The results developed in the threat, criticality, vulnerability, and impact assessments are then used to develop an overall risk assessment in order to evaluate the relative risk among various assets, weapons, and modes of attack. This is intended to give operators an indication of which asset types and threat scenarios carry the highest risk and that, accordingly, are likely candidates for early risk mitigation action. Using the results of the risk assessment process, a diagram of relative risk is developed by plotting the assets and scenarios in terms of vulnerability and consequence, as shown in figure 3.[Footnote 23] Figure 3: Sample ODP Relative Risk Diagram: [See PDF for image] [End of figure] By showing the relative risk of all assets and scenarios identified, this diagram identifies the assets and scenarios that have the greatest estimated level of relative risk and provides critical information useful to develop and prioritize security countermeasures. According to ODP, assets with scenarios that fall in quadrants I and III have the greatest potential negative impact (i.e., the greatest consequence) on an operator's system if attacked. Assets with scenarios that fall in quadrants I and II have the greatest vulnerability to attack. Therefore, quadrant I contains the assets and scenarios that have the greatest vulnerability and negative consequence and are likely candidates for early mitigation action from a policy decision-making perspective. According to rail operators who have used ODP's risk assessment methodology and commented about it to DHS or us, the method has been successful in helping to devise risk reduction strategies to guide security-related investments. For example, between September 2002 and March 2003, ODP's technical assistance team worked with the Port Authority of New York and New Jersey (PANYNJ) to conduct a risk assessment of all of its assets--its Port Authority Trans-Hudson (PATH) passenger rail system, as well as airports, ports, interstate highway crossings, and commercial properties.[Footnote 24] According to PANYNJ officials, the authority was able to develop and implement a risk reduction strategy that enabled it to identify and set priorities for improvements in security and emergency response capability that are being used to guide security investments. As part of this risk assessment, PANYNJ identified and prioritized particular types of security countermeasures that, if implemented, would improve the authority's overall risk profile by moving assets into the lower parts of the risk diagram (as shown in fig. 3). Examples of countermeasures considered include site-hardening of assets such as bridges and tunnels; increased patrols, guards, and canine units; event- activated closed-circuit television (CCTV); and intrusion detection systems. According to PANYNJ officials, the associated costs and benefits of the countermeasures identified were considered, and management was involved in choosing and prioritizing the actions included in the plan. More specifically, according to authority officials, the risk assessment was instrumental in obtaining management approval for a 5-year, $500 million security capital investment program, as it provided a risk-based justification for these investments.[Footnote 25] Examples of passenger rail security capital investments PANYNJ is making as part of this program include the development of a state-of-the art system wide security operations center for the PATH system, access control and alarm monitoring system replacement at 45 locations, and digital video recording upgrades to its CCTV system. At the time of our review, the authority was 2 years into implementing the strategy and associated capital investment program and had just completed its first risk assessment update. PANYNJ officials told us they have formally incorporated the ODP risk assessment model into the authority's annual planning and budgeting cycle and are able to track and assess how security projects improve the authority's overall risk profile. PANYNJ staff are now working on a cost-benefit module to be included in the authority's risk assessment program, with the objective of making more discrete trade-offs among high-cost security programs on the basis of which ones provided the highest payoff. The six other passenger rail operators that have completed ODP's risk assessment process also stated that they valued the process. Specifically, operators said that the assessments enabled them to prioritize investments based on risk and are already allowing or are expected to allow them to effectively target and allocate resources toward security measures that will have the greatest impact on reducing risk across their system. For example, one rail operator stated that it is planning on spending its fiscal year 2005 Transit Security Grant Program funding to expand its CCTV coverage, with a focus on stations that serve major public gatherings but do not have such equipment, a measure identified by the risk assessment as the second most effective risk reduction measure to implement. [Footnote 26] In addition, as a result of the assessment, the operator said that it has incorporated CCTVs into its standard design criteria for new system construction, such as stations and parking garages. ODP Has Sought to Promote Risk-Based Decision Making among Federal Agencies and Rail Operators: On the basis of its own experience with conducting risk assessments in the field, and in keeping with its mission to develop and implement a national program to enhance the capacity of state and local agencies to respond to incidents of terrorism, ODP has offered to help other DHS components and federal agencies to develop risk assessment tools, according to ODP officials. For example, ODP is partnering with the FRA, TSA, the American Association of Railroads (AAR), and others to develop a risk assessment tool for freight rail corridors.[Footnote 27] In a separate federal outreach effort, ODP worked with TSA to establish a Federal Risk Assessment Working Group to promote interagency collaboration and information sharing. Representatives from participating federal agencies meet monthly to encourage information sharing regarding risk assessments and other related homeland security issues.[Footnote 28] The working group has, among other things, created a Web-based calendar so participating agencies can upload and share information regarding planned assessments. The calendar also contains detailed information on assessments, including locations, dates, types of assessment, and points of contact. In addition, in keeping with its mission to deliver technical assistance and training, ODP has partnered with the American Public Transportation Association (APTA) to inform passenger rail operators about its risk assessment technical assistance program.[Footnote 29] Since June 2004, ODP has attended five APTA conferences or workshops where it has set up information booths, made the tool kit available, and conducted seminars to educate passenger rail operators about the risk assessment process and its benefits. According to an APTA official, ODP's risk assessment technical assistance program has been well received by the transit community. The program is dependent on funding available in ODP's technical assistance budget for support. In fiscal years 2004 and 2005, the program received $5.2 million and $5.7 million, respectively, through ODP's technical assistance budget. ODP has leveraged its grant-making authority to promote risk-based funding decisions for passenger rail. For example, passenger rail operators must have completed a risk assessment to be eligible for financial assistance through the fiscal year 2005 Transit Security Grant program administered by ODP. To receive these funds, passenger rail operators are also required to have a security and emergency preparedness plan that identifies how the operator intends to respond to security gaps identified by risk assessments. This plan, along with a regional transit security strategy prepared by regional transit stakeholders, will serve as the basis for determining how the grant funds are to be allocated. Risk assessments are also a key driver of federal funds distributed through ODP's fiscal year 2005 Intercity Passenger Rail Grant Program. This $7.1 million program provides financial assistance to Amtrak for the protection of critical infrastructure and emergency preparedness activities along Amtrak's Northeast Corridor and its hub in Chicago. Amtrak is required to conduct a risk assessment of these areas in collaboration with ODP, in order to receive the grant funds.[Footnote 30] A recent review of Amtrak's security posture and programs conducted by the RAND Corporation and funded by FRA in 2004 found that no comprehensive terrorism risk assessment of Amtrak has been conducted that would provide an empirical baseline for investment prioritization and decision making for Amtrak's security policies and investment plans. As another condition for receiving the grant funds, Amtrak is required to develop a security and emergency preparedness plan that, along with the risk assessment, is to serve as the basis for proposed allocations of grant funding. According to an Amtrak security official, it welcomes the risk assessment effort and plans to use the results of the assessment to guide its security plans and investments. According to ODP officials, as of July 2005, the Amtrak risk assessment was nearly 50 percent complete. TSA Has Begun to Assess Risks to Passenger Rail: As the agency responsible for ensuring the security of all modes of transportation, TSA has been charged by DHS with fulfilling key requirements of HSPD-7 and the Intelligence Reform and Terrorism Prevention Act of 2004. Specifically, TSA is required to conduct and facilitate risk assessments in order to identify, prioritize, and coordinate the protection of critical transportation systems infrastructure, as well as develop risk-based priorities across all transportation modes. As part of this effort, TSA is required to develop plans that, among other things, identify and prioritize critical transportation assets for protection. At the time of our review, TSA had taken steps to meet these responsibilities but had not yet completed the risk assessments for the rail industry (among others) or the plans that they support as required. In October 2004, TSA completed an overall threat assessment for both mass transit and passenger and freight rail modes.[Footnote 31] TSA began conducting a second risk assessment element--criticality assessments of passenger rail stations--in the spring of 2004, but the effort had not been completed at the time of our review. According to TSA, a criticality assessment tool was developed that considers multiple factors, such as the potential for loss of life or effects on public health; the economic impact of the loss of function of the asset and the cost of reconstitution; and the local, regional, or national symbolic importance of the asset. These factors were to be used to arrive at a criticality score that, in turn, would enable the agency to rank assets and facilities based on relative importance, according to TSA officials. To date, TSA has assigned criticality scores to nearly 700 passenger rail stations. In May 2005, TSA began conducting assessments for other passenger rail assets such as bridges and tunnels. TSA officials told us that as of July 2005, they had completed 73 criticality assessments for bridge and tunnel assets and expect to conduct approximately 370 additional assessments in these categories. Once TSA has completed its criticality assessment, a senior group of transportation security experts will review these scores and subsequently rank and prioritize them. As of July 2005, TSA had not established a time frame for completing criticality assessments for passenger rail assets or for ranking assets, and had not identified whether it planned to do so. In 2003, TSA officials stated that they planned to work with transportation stakeholders to rank assets and facilities in terms of their criticality. HSPD-7 requires sector-specific agencies such as TSA to collaborate with all relevant stakeholders, including federal departments and agencies, state and local governments, and others. In addition, DHS's interim NIPP states that sector-specific agencies, such as TSA, are expected to work with stakeholders--such as rail operators- -to determine the most effective means of obtaining and analyzing information on assets. While TSA's methodology for conducting criticality assessments calls for "facilitated sessions" involving TSA modal specialists, DOT modal specialists, and trade association representatives, these sessions with stakeholders have not been held. According to TSA officials, their final methodology for conducting criticality assessments did not include DOT modal specialists and trade associations. With respect to rail operators, TSA officials explained that their risk assessment process does not require operators' involvement. TSA analysts said they have access to a great deal of information (such as open source records, satellite imagery, and insurance industry data) that can facilitate the assessment process. However, when asked to comment on TSA's ability to identify critical assets in passenger rail systems, APTA officials and 10 rail operators we interviewed told us it would be difficult for TSA to complete this task without their direct input and rail system expertise. TSA plans to rely on asset criticality rankings to prioritize which assets it will focus on in conducting vulnerability assessments. That is, once an asset, such as a passenger rail station, is deemed to be most critical, then TSA would focus on determining the station's vulnerability to attacks. TSA plans to conduct on-site vulnerability assessments for those assets deemed most critical. For assets that are deemed to be less critical, TSA has developed a software tool that it has made available to passenger rail and other transportation operators for them to use on a voluntary basis to assess the vulnerability of their assets. As of July 2005, the tool had not yet been used. According to APTA officials, passenger rail operators may be reluctant to provide vulnerability information to TSA without knowing how the agency intends to use such information. According to TSA, it is difficult, if not impossible, to project any timelines regarding completion of vulnerability assessments in the transportation sector because rail operators are not required to submit them. In this regard, while the rail operators are not required to submit this information, as the sector-specific agency for transportation, TSA is required by HSPD-7 to complete vulnerability assessments for the transportation sector. Figure 4 illustrates the overall progress TSA had made in conducting risk assessments for passenger rail assets as of July 2005. Figure 4: Status of TSA's Passenger Rail Risk Assessment Efforts, as of July 2005: [See PDF for image] --graphic text: 1. Strategic goals, objectives, and constraints, 2. Risk assessment, (in progress) 3. Alternatives evaluation, 4. Management selection, 5. Implementation and monitoring. 1. Threat assessment: fully completed. 2. Criticality assessment: in progress. 3. Vulnerability assessment: not initiated. Source: GAO. [End of figure] We recognize that TSA's risk assessment effort is still evolving and TSA has had other pressing priorities, such as meeting the legislative requirements related to aviation security. However, until all three assessments of rail systems--threat, criticality, and vulnerability-- have been completed in sequence, and until TSA determines how to use the results of these assessments to analyze and characterize risk (e.g., whether high, medium, or low), it may not be possible to prioritize passenger rail assets and guide investment decisions about protecting them. Finalizing a methodology for assessing risk to passenger rail and other transportation assets and conducting the assessments are key steps needed to produce the plans required by HSPD-7 and the Intelligence Reform and Terrorism Prevention Act of 2004. DHS and TSA have missed both deadlines for producing these plans. Specifically, DHS and TSA have yet to produce the TSSP required by HSPD-7 to be issued in December of 2004, though a draft was prepared in November 2004. DHS and TSA officials told us that they expected the first version of the TSSP to be completed in February 2006. DHS and TSA also missed the April 1, 2005, deadline for completing the national strategy for transportation security required by the Intelligence Reform and Terrorism Prevention Act of 2004. In an April 2005 letter to Congress addressing the missed deadline, the DHS Deputy Secretary identified the need to more aggressively coordinate the development of the strategy with other relevant planning work such as the TSSP, to include further collaboration with DOT modal administrations and DHS components. The Deputy Secretary further stated that DHS expected to finish the strategy within 2 to 3 months. However, as of July 31, 2005, the strategy had not been completed. In April 2005, senior DHS and TSA officials told us that in addition to DOT, industry groups such as APTA and AAR would also be more involved in developing the TSSP and other strategic plans. However, as of July 2005, TSA had not yet engaged these stakeholders in the development of these plans. DHS Faces Challenges in Comparing and Reconciling Risks and Prioritizing Investments within and across Sectors: As TSA, other sector-specific agencies, and ODP move forward with risk assessment activities, DHS is concurrently developing guidance intended to help these agencies work with their stakeholders to assess risk. HSPD-7 requires DHS to establish uniform policies, approaches, guidelines, and methodologies for integrating federal infrastructure protection and risk management activities within and across sectors. To meet this requirement, DHS has, among other things, been working for nearly 2 years on a risk assessment framework through IAIP.[Footnote 32] This framework is intended to help the private sector and state and local governments to develop a consistent approach to analyzing risk and vulnerability across infrastructure types and across entire economic sectors, develop consistent terminology, and foster consistent results. The framework is also intended to enable a federal-level assessment of risk in general, and comparisons among risks, for purposes of resource allocation and response planning. DHS has informed TSA that this framework will provide overarching guidance to sector- specific agencies on how various risk assessment methodologies may be used to analyze, normalize, and prioritize risk within and among sectors. The interim NIPP states that the ability to rationalize, or normalize, results of different risk assessments is an important goal for determining risk-related priorities and guiding investments. One core element of the DHS framework--defining concepts, terminology, and metrics for assessing risk--has yet to be completed. The completion date for this element--initially due in September 2004--has been extended twice, with the latest due date in June 2005. However, as of July 31, 2005, this element has not been completed. Because neither this element nor the framework as a whole has yet been finalized or provided to TSA or other sector-specific agencies, it is not clear what impact, if any, DHS's framework may have on ongoing risk assessments conducted by, and the methodologies used by, TSA, ODP, and others, and whether or how DHS will be able to use these results to compare risks and prioritize homeland security investments among sectors. Until DHS finalizes this framework, and until TSA completes its risk assessment methodology, it may not be possible to determine whether different methodologies used by TSA and ODP for conducting threat, criticality, and vulnerability assessments generate disparate qualitative and quantitative results or how they can best be compared and analyzed. In addition, TSA and others will have difficulty taking into account whether at some point TSA may be unnecessarily duplicating risk management activities already under way at other agencies and whether other agencies' risk assessment methodologies, and the data generated by these methodologies, can be leveraged to complete the assessments required for the transportation sector. In the future, the implementation of DHS's departmentwide proposed reorganization could affect decisions relating to critical infrastructure protection as new directorates are established, such as the directorates of policy and preparedness, and other preparedness assets are consolidated from across the department. Multiple Federal Agencies Have Taken Actions to Enhance Passenger Rail Security: FTA and FRA were the primary federal agencies involved in passenger rail security matters prior to the creation of TSA. Before and after September 11, these two agencies launched a number of initiatives designed to strengthen passenger rail security. TSA also took steps to strengthen rail security, including issuing emergency security directives to rail operators and testing emerging rail security technologies for screening passengers and baggage. Rail industry stakeholders and federal agency officials raised questions about how effectively DHS had collaborated with them on rail security issues. DHS and DOT have signed a memorandum of understanding intended to identify ways that collaboration with federal and industry stakeholders might be improved. DOT Agencies Led Initial Efforts to Enhance Passenger Rail Security: Prior to the creation of TSA in November 2001, DOT agencies (i.e., modal administrations)--notably FTA and FRA--were primarily responsible for the security of passenger rail systems. These agencies undertook a number of initiatives to enhance the security of passenger rail systems prior to and after September 11. For example, prior to September 11, FTA offered voluntary security assessments, sponsored training at the Transportation Safety Institute, issued written guidelines to improve emergency response planning, and partially funded a chemical detection demonstration project, called PROTECT, at the Washington Metropolitan Area Transit Authority. In response to the terrorist attacks on September 11, FTA, using an $18.7 million appropriation by the Department of Defense Emergency Supplemental Act of 2002, launched a multipart transit security initiative, much of which is still in place. The initiative included security assessments, planning, drills, and training, as described below: * Security readiness assessments: FTA deployed teams to assess security at 32 rail transit operators. FTA chose these 32 agencies on the basis of their ridership, vulnerability, and the potential consequences of a terrorist attack. Each assessment included a threat and vulnerability analysis, an evaluation of security and emergency plans, and a focused review of the agency's unified command structure with external emergency responders. FTA completed the assessments in late summer 2002.[Footnote 33] * Security and emergency management technical assistance: As of July 2005, FTA had provided technical assistance to 32 passenger rail agencies on security and emergency plans and emergency response drills. This is also a follow-on effort to the security assessments, as FTA is helping transit agencies fill identified security gaps customized to the individual agency's needs and operating characteristics. * Emergency response drills: FTA offered transit agencies grants up to $50,000 for organizing and conducting emergency preparedness drills. According to FTA officials, FTA has awarded $3.4 million to over 80 transit agencies through these grants. * Transit Safety and Security Roundtables program: FTA developed the Transit Safety and Security Roundtables program, which brings together safety and security chiefs of the 30 largest transit systems to share information on technology and best practices and to develop relationships between federal and local officials working in the areas of transit safety and security. In October 2003, FTA and DHS, through TSA, sponsored the most recent roundtable, in Washington, D.C. In October 2005, FTA and DHS plan to hold a roundtable with safety and security representatives of the 50 largest transit agencies. * Connecting Communities program: FTA developed and currently is offering free emergency preparedness and security training to transit agencies through its Connecting Communities Forums. These forums are designed to bring together personnel from small and medium-sized transit agencies with their local emergency responders, including local firefighters and police officers. The purposes of the forums are to give the participants a better understanding of the roles played by transit agencies and emergency responders and to allow participants to begin developing the plans, tools, and relationships necessary to respond effectively in an emergency. FTA sponsored 17 forums under this program and has plans for the delivery of 12 more by the end of fiscal year 2006. TSA has provided financial support to this program. In fiscal year 2005, TSA transferred $100,000 to FTA to support the Connecting Communities program. * Transit Watch program: In 2003, FTA instituted the Transit Watch campaign, a nationwide safety and security awareness program designed to encourage the active participation of transit passengers and employees in maintaining a safe transit environment. The program provides information and instructions to transit passengers and employees so that they know what to do and whom to contact in the event of an emergency in a transit setting. Transit Watch invites riders and employees to be the "eyes and ears" of their local transit system. FTA plans to continue this initiative, in partnership with TSA and ODP, and offer additional security awareness materials that address unattended bags and emergency evacuation procedures for transit agencies. * Additional security training: In addition to the programs and training cited above, FTA worked with the National Transit Institute, Johns Hopkins University, and the Transportation Safety Institute to expand safety and security course offerings. For example, the National Transit Institute is now offering a security awareness course to frontline transit employees free of charge. The course covers skill sets for observing, determining, and reporting people and items that are suspicious or out of place. FTA also developed a training course for frontline transit employees to recognize and react to terrorist activity. This course incorporates the latest in international counterterrorism techniques. * Security guidance: FTA also developed security guidance for transit agencies based largely on the findings of the security readiness assessments. For example, in November 2003, FTA issued its Top 20 Security Program Action Items for Transit Agencies, which recommends measures for transit agencies to implement into their security programs to improve both security and emergency preparedness. Recommended practices include performing background checks on employees, instituting access control procedures, and providing security awareness training to frontline employees. In 2003, FTA also issued recommended measures for transit agencies to implement in responding to various DHS threat level designations. FTA has also used research and development funds to develop guidance for security design strategies to reduce the vulnerability of transit systems to acts of terrorism. In November 2004, FTA provided rail operators with security considerations for transportation infrastructure. This guidance provided recommendations intended to help operators deter and minimize attacks against their facilities, riders, and employees by incorporating security features into the design of rail infrastructure. (Additional details on the use of this guidance are discussed later in this report.) FRA has also taken a number of actions to enhance passenger rail security since September 11. For example, it has assisted commuter railroads in developing security plans, reviewed Amtrak's security plans, and helped fund FTA security readiness assessments for commuter railroads. More recently, in the wake of the Madrid terrorist bombings, nearly 200 FRA inspectors, in cooperation with DHS, conducted multi-day team inspections of each of the 18 commuter railroads and Amtrak to determine what additional security measures had been put into place to prevent a similar occurrence in the United States. FRA also conducted research and development projects related to passenger rail security. These projects included rail infrastructure security and trespasser monitoring systems and passenger screening and manifest projects, including explosives detection. Although DOT modal administrations now play a supporting role in transportation security matters since the creation of TSA, they remain important partners in the federal government's efforts to improve rail security, given their role in funding and regulating the safety of passenger rail systems. Moreover, as TSA moves ahead with its passenger rail security initiatives, FTA and FRA are continuing their passenger rail security efforts. TSA Issued Mandatory Security Directives to Rail Operators but Faces Challenges Related to Compliance and Enforcement: In response to the March 2004 commuter rail attacks in Madrid and federal intelligence on potential threats against U.S. passenger rail systems, TSA issued security directives to the passenger rail industry in May 2004. TSA issued these security directives to establish a consistent baseline standard of protective measures for all passenger rail operators, including Amtrak.[Footnote 34] The directives were not related to, and were issued independent of, TSA's efforts to conduct risk assessments to prioritize rail security needs. TSA considered the measures required by the directives to constitute mandatory security standards that were required to be implemented within 72 hours of issuance by all passenger rail operators nationwide. In an effort to provide some flexibility to the industry, the directives allowed rail operators to propose alternative measures to TSA in order to meet the required measures. Table 3 contains examples of security measures required by these directives. Table 3: Examples of Measures Required by TSA Security Directives Issued to Passenger Rail Operators and Amtrak: TSA directives require passenger rail operators to: * designate coordinators to enhance security-related communications with TSA, * provide TSA with access to the latest security assessments and security plans, * reinforce employee watch programs, * ask passengers and employees to report unattended property or suspicious behavior, * remove trash receptacles at stations determined by a vulnerability assessment to be at significant risk and only to the extent practical, except for clear plastic or bomb-resistant containers, * install bomb- resistant trash cans to the extent resources allow, * utilize canine explosive detection teams, if available, to screen passenger baggage, terminals, and trains, * utilize surveillance systems to monitor for suspicious activity, to the extent resources allow, * allow TSA- designated canine teams at any time or place to conduct canine operations, * conduct frequent inspections of key facilities, stations, terminals, or other critical assets for persons and items that do not belong, * inspect each passenger rail car for suspicious or unattended items, at regular periodic intervals, * ensure that appropriate levels of policing and security are provided that correlate to DHS threat levels and threat advisories, * lock all doors that allow access to train operators' cab or compartment, if equipped with locking mechanisms, * require Amtrak to request that adult passengers provide identification at the initial point where tickets are checked. Source: TSA. [End of table] Although TSA issued these directives, it is unclear how TSA developed the required measures contained in the directives, how TSA plans to monitor and ensure compliance with the measures, how rail operators are to implement the measures, and which entities are responsible for their implementation. According to the former DHS Undersecretary for Border and Transportation Security, the directives were developed based upon consultation with the industry and a review of best practices in passenger rail and mass transit systems across the country and were intended to provide a federal baseline standard for security. TSA officials stated to us that the directives were based upon FTA and APTA best practices for rail security. Specifically, TSA stated that it consulted a list of the top 20 actions FTA identified that rail operators can take to strengthen security, FTA-recommended protective measures and activities for transit agencies that may be followed based on current threat levels, and an APTA member survey. While some of the directives correlate to information contained in the FTA guidance, such as advocating that rail personnel watch for abandoned parcels, vehicles, and the like, the source for many of the directives is unclear. For example, the source material TSA consulted does not support the requirement that train cabs or compartment doors should be kept locked. Furthermore, the sources do not necessarily reflect industry best practices, according to FTA and APTA officials. FTA's list of recommended protective measures and the practices identified in the APTA survey are not necessarily viewed as industry best practices. For example, the APTA member survey that TSA used reports rail security practices that are in use by operators but which are not best practices endorsed by the group or other industry stakeholders. TSA officials have stated that they understood the importance of partnering with the rail industry on security matters, and that they would draw on the expertise and knowledge of the transportation industry and other DHS agencies, as well as all stakeholders, in developing security standards for all modes of transportation, including rail. TSA officials held an initial meeting with APTA, AAR, and Amtrak officials to discuss the draft directives prior to their issuance and told them that they would continue to be consulted prior to their final issuance. However, these stakeholders were not given an opportunity to comment on a final draft of the directives before their release because, according to TSA, DHS determined that it was important to release the directives as soon as possible to address a current threat to passenger rail. In addition, TSA stated that because the directives needed to be issued quickly, there was no public comment as part of the rule-making process. Shortly after the directives were issued, TSA's Deputy Assistant Administrator for Maritime and Land Security told rail operators at an APTA conference we attended in June 2004 that if TSA determined that there is a need for the directives to become permanent, they would undergo a notice-and-comment period as part of the regulatory process. As of July 2005, TSA had not yet determined whether it intends to pursue the rule-making process with a notice-and-comment period. APTA and AAR officials stated that because they were not consulted throughout the development of the directives, the directives did not, in their view, reflect a complete understanding of the passenger rail environment or necessarily incorporate industry best practices. For example, APTA, AAR, and some rail operators raised concerns about the feasibility of installing bomb-resistant trash cans in rail stations because they could direct the force of a bomb blast upward, possibly causing structural damage in underground or enclosed stations. DHS's Office for State and Local Government Coordination and Preparedness recently conducted tests to determine the safety and effectiveness of 13 models of commercially available bomb-resistant trash receptacles. At the time of our review, the results of these tests were not yet available. Amtrak and FRA officials raised concerns about some of the directives, as well, and told us they questioned whether the requirements reflected industry best practices. For example, before the directives were issued, Amtrak expressed concerns to TSA about the feasibility of the requirement to check the identification of all adult passengers boarding its trains because they did not have enough staff to perform these checks. However, the final directive included this requirement, and after they were released, Amtrak told TSA it could not comply with this requirement "without incurring substantial additional costs and significant detrimental impacts to its operations and revenues." Amtrak officials told us that since passenger names would not be compared against any criminal or terrorist watch list or database, the benefits of requiring such identification checks were open to debate. To resolve its concern, and as allowed by the directive, Amtrak proposed, and TSA accepted, random identification checks of passengers as an alternative measure. FRA officials further stated that current FRA safety regulations requiring engineer compartment doors be kept unlocked to facilitate emergency escapes[Footnote 35] conflicts with the security directive requirement that doors equipped with locking mechanisms be kept locked. This requirement was not included in the draft directives provided to stakeholders. TSA did call one commuter rail operator prior to issuing the directives to discuss this potential proposed measure, and the operator raised a concern about the safety of the locked door requirement. TSA nevertheless included this requirement in the directives. With respect to how the directives were to be enforced, rail operators were required to allow TSA and DHS to perform inspections, evaluations, or tests based on execution of the directives at any time or location. Upon learning of any instance of noncompliance with TSA security measures, rail operators were to immediately initiate corrective action. Monitoring and ensuring compliance with the directives has posed challenges for TSA. In the year after the directives were issued, TSA did not have dedicated field staff to conduct on-site inspections. When the rail security directives were issued, the former DHS Undersecretary for Border and Transportation Security stated that TSA planned to form security partnership teams with DOT, including FRA rail inspectors, to help ensure that industry stakeholders complied with the directives. These teams were to be established in order to tap into existing capabilities and avoid duplication of effort across agencies. As of July 2005, these teams had not yet been utilized to perform inspections. TSA has, however, hired rail compliance inspectors to, among other things, monitor and enforce compliance with the security directives. As of July 2005, TSA had hired 57 of up to 100 inspector positions authorized by Congress.[Footnote 36] However, TSA has not yet established processes or criteria for determining and enforcing compliance, including determining how rail inspectors or DOT partnership teams will be used in this regard. Establishing criteria for monitoring compliance with the directives may be challenging because the language describing the required measures allows for flexibility and does not define parameters. In an effort to acknowledge the variable conditions that existed in passenger rail environments, TSA designed the directives to allow flexibility in implementation through the use of such phrases as "to the extent resources allow," "to the extent practicable," and "if available." The directives also include non-specific instructions that may be difficult to measure or monitor, telling operators to, for example, perform inspections of key facilities at "regular periodic intervals" or to conduct "frequent inspections" of passenger rail cars. When the directives were issued, TSA stated that it would provide rail operators with performance-based guidance and examples of announcements and signs that could be used to meet the requirements of the directives, including guidance on the appropriate frequency and method for inspecting rail cars and facilities. However, as of July 2005, this information had not been provided. Industry stakeholders we interviewed raised questions about how they were to comply with the measures contained in the directives and which entities were responsible for implementing the measures. According to an AAR official, in June 2004, AAR officials and rail operators held a conference call with TSA to obtain clarification on these issues. According to AAR officials, in response to an inquiry about what would constitute compliance for some of the measures, the then-TSA Assistant Administrator for Maritime and Land Security told participants that the directives were not intended to be overly prescriptive but were guidelines, and that operators would have the flexibility to implement the directives as they saw fit. The officials also asked for clarification on who was legally responsible for ensuring compliance for measures where assets, such as rail stations, were owned by freight railroads or private real estate companies. According to AAR officials, TSA told them it was the responsibility of the rail operators and asset owners to work together to determine these responsibilities. However, according to AAR and rail operators, given that TSA has hired rail inspectors and indicated its intention to enforce compliance with the directives, it is critical that TSA clarify what compliance entails for measures required by the directives and which entities are responsible for compliance with measures when rail assets are owned by one party but operated by another--such as when private companies that own terminals or stations provide services for commuter rail operations. The challenges TSA has faced in developing security directives as standards that reflect industry best practices--and which can be measured and enforced--stem from the original emergency nature of the directives, which were issued with limited input and review. TSA told rail industry stakeholders when the directives were issued 15 months ago that the agency would consider using the federal rule-making process as a means of making the standards permanent. Doing so would require TSA to hold a notice-and-comment period, resulting in a public record that reflects stakeholders' input on the applicability and feasibility of implementing the directives, along with TSA's rationale for accepting or rejecting this input. While there is no guarantee that this process would produce more effective security directives, it would be more transparent and could help TSA in developing standards that are most appropriate for the industry and can be measured, monitored, and enforced. TSA Has Begun Testing Rail Security Technologies: In addition to issuing security directives, TSA also sought to enhance passenger rail security by conducting research on technologies related to screening passengers and checked baggage in the passenger rail environment. Beginning in May 2004, TSA conducted a Transit and Rail Inspection Pilot (TRIP) study, in partnership with DOT, Amtrak, the Connecticut Department of Transportation, the Maryland Transit Administration, and the Washington Metropolitan Area Transit Authority (WMATA). TRIP was a $1.5 million, three-phase effort to test the feasibility of using existing and emerging technologies to screen passengers, carry-on items, checked baggage, cargo, and parcels for explosives. Figure 5 summarizes TRIP's three-phased approach. Figure 5: Summary Information on TSA's Transit and Rail Inspection Pilot Program Phases: [See PDF for image] --graphic text: Text box: Phase I: Screen commuter rail passengers and carry-on baggage before trains are boarded using an explosive detection device similar in appearance to an airport metal detector and other explosive screening technologies. Phase II: Screen passenger baggage including checked baggage, unclaimed baggage, and cargo on longhaul Amtrak trains prior to departure. Phase III: Screen passengers and their carry-on baggage on board a moving commuter rail train. All passengers are required to enter the train in the specially designed screening car, which was a commuter rail passenger car that been reconfigured to hold screening equipment and security personnel. Source: TSA. [End of figure] According to TSA, all three phases of the TRIP program were completed by July 2004. However, TSA has not yet issued a planned report analyzing whether the technologies could be used effectively to screen rail passengers and their baggage. According to TSA officials, a report on results and lessons learned from TRIP is under review by DHS. TSA officials told us that based upon preliminary analyses, the screening technologies and processes tested would be very difficult to implement on more heavily used passenger rail systems, such as mass transit systems in large urban areas, because these systems carry high volumes of passengers and have multiple points of entry. However, TSA officials stated to us that the screening processes used in TRIP may be useful on certain long-distance intercity train routes, which make fewer stops. Further, officials stated that screening could be used either randomly or for all passengers during certain high-risk events or in areas where a particular terrorist threat is known to exist. For example, screening technology similar to that used in TRIP was used by TSA to screen certain passengers and belongings in Boston and New York during the Democratic and Republican national conventions, respectively, in 2004. APTA officials and the 28 passenger rail operators we interviewed--all who are not directly involved in the pilot--agreed with TSA's preliminary assessment. They told us they believed that the TRIP screening procedures could not work in most passenger rail systems, given the number of passengers using these systems and the open nature (e.g., multiple entry points) of the systems. For example, as one operator noted, over 1,600 people pass through dozens of access points in New York's Penn Station per minute during a typical rush hour, making screening of all passengers very challenging, if not impossible. Passenger rail operators were also concerned that screening delays could result in passengers opting to use other modes of transportation. APTA officials and some rail operators we interviewed said that had they been consulted by TSA, they would have recommended alternative technologies to explore and indicated that they hoped to be consulted on security technology pilot programs in the future. FRA officials further stated that TSA could have benefited from earlier and more frequent collaboration with them during the TRIP pilot than occurred, and could have tapped their expertise to analyze TRIP results and develop the final report. TSA research and development officials told us that the agency has begun to consider and test security technologies other than those used in TRIP, which may be more applicable to the passenger rail environment. For example, TSA's and DHS's Science and Technology Directorate are currently evaluating infrared cameras and electronic metal detectors, among other things. DHS and DOT Are Taking Steps to Improve Coordination and Collaboration with Federal Agencies and Industry Stakeholders: In our prior transportation security work, we have called for improved coordination among all levels of government and the private sector, as a means of enhancing security across all transportation modes.[Footnote 37] In September 2004, DHS and DOT signed a memorandum of understanding to develop procedures by which the two departments could improve their cooperation and coordination for promoting the safe, secure, and efficient movement of people and goods throughout the transportation system. The MOU defines broad areas of responsibility for each department. For example, it states that DHS, in consultation with DOT and affected stakeholders, will identify, prioritize, and coordinate the protection of critical infrastructure. The MOU was developed in response to a recommendation we made in June 2003 in which we noted that the roles and responsibilities of DOT and TSA for transportation security matters had not been clearly defined. We emphasized the need for greater coordination between DOT and TSA on transportation security efforts--noting that the lack of coordination can lead to duplication or conflicting efforts and gaps in preparedness. To improve coordination between DOT and DHS on transportation security matters, we recommended that DOT and DHS develop a mechanism, such as a memorandum, to clearly define roles and responsibilities for transportation security matters, in such areas as the development and implementation of security standards and regulations, determining funding priorities, and interfacing with the transportation industry. The MOU between DHS and DOT represents an overall framework for cooperation that is to be supplemented by additional signed agreements, or annexes, between the departments. These annexes are to delineate the specific security-related roles, responsibilities, resources, and commitments for mass transit, rail, research and development, and other matters. As of July 2005, separate annexes for mass transit security, rail security, and research and development were at various stages of development, according to DHS and DOT officials. DHS and DOT officials told us that an annex for mass transit security had been prepared and was undergoing final review by both departments. According to DHS and DOT officials, the annex is intended to ensure that the programs and protocols for incorporating stakeholder feedback and making enhancements to security measures are coordinated. According to officials, the mass transit annex will address how DHS's Office of State and Local Government Coordination and Preparedness, TSA, FTA, and DOT's Office of Intelligence, Security, and Emergency Management are to coordinate their programs and services, including grants, training, exercises, risk assessments, and technical assistance, in order to better assist transit agencies in prioritizing and addressing their security needs. For example, officials stated to us that the annex would likely address coordination on such programs as FTA's Transit Watch and Transit Safety and Security Roundtables programs, which are designed to raise transit employees' on-the-job awareness about security and provide a forum for stakeholders to share information on technology and best practices. In addition, according to officials, the annex will require DHS and DOT to consult on such matters as regulations and security directives that affect security and will identify points of contact for coordinating this consultation. In addition to the annexes currently under development, DHS and DOT must also complete an annex to define and clarify the respective roles and responsibilities of DHS and DOT relating to public transportation security within 45 days of the enactment of The Safe, Accountable, Flexible, and Efficient Transportation Equity Act of 2005, which President Bush signed on August 10, 2005. According to the law, this annex shall establish a process to develop security standards for public transportation agencies; create a method of direct coordination with public transportation agencies on security matters; address any other issues determined to be appropriate by the Secretary of Transportation and the Secretary of Homeland Security; and include a formal and permanent mechanism to ensure coordination and involvement by DOT, as appropriate, in public transportation security.[Footnote 38] In addition to their work on the MOU and related annexes, DHS and TSA have taken other steps in an attempt to improve collaboration with DOT and industry stakeholders. In April 2005, DHS officials stated that better collaboration with DOT and industry stakeholders was needed to develop strategic security plans associated with various homeland security presidential directives and statutory mandates, such as the Intelligence Reform and Terrorism Prevention Act of 2004, which required DHS to develop a national strategy for transportation security in conjunction with DOT. Responding to the need for better collaboration, DHS established a senior-level steering committee in conjunction with DOT to coordinate development of this national strategy. In addition, senior DHS and TSA officials stated that industry groups will also be involved in developing the national strategy for transportation security and other strategic plans. Moreover, according to TSA's assistant administrator for intermodal programs, TSA intends to work with APTA and other industry stakeholders in developing security standards for the passenger rail industry.[Footnote 39] U.S. and Foreign Rail Operators Have Taken Similar Actions to Secure Rail Systems, and Opportunities for Additional Domestic Security Actions May Exist: U.S. passenger rail operators have taken numerous actions to secure their rail systems since the terrorist attacks of September 11, in the United States, and the March 11, 2004, attacks in Madrid. These actions included both improvements to system operations and capital enhancements to a system's facilities, such as track, buildings, and train cars. All of the U.S. passenger rail operators we contacted have implemented some types of security measures--such as increased numbers and visibility of security personnel and customer awareness programs-- that were generally consistent with those we observed in select countries in Europe and Asia. We also identified three rail security practices--covert testing, random screening of passengers and their baggage, and centralized research and testing--utilized by foreign operators or their governments that are not currently utilized by domestic rail operators or the U.S. government.[Footnote 40] Actions Taken by U.S. and Foreign Passenger Rail Operators to Strengthen Security Reflect Security Assessments, Budgetary Constraints, and Other Factors: All 32 of the U.S. rail operators we interviewed or visited reported taking specific actions to improve the security and safety of their rail systems by, among other things, investing in new security equipment, utilizing more law enforcement personnel, and establishing public awareness campaigns. Passenger rail operators we spoke with cited the 1995 sarin gas attacks on the Tokyo subway system and the September 11 terrorist attacks as catalysts for their security actions. After the attacks, many passenger rail operators used FTA's security readiness assessments of heavy and passenger rail systems as a guide to determine how to prioritize their security efforts, as well as their own understanding of their system's vulnerabilities, to determine what actions to take to enhance security. Similarly, as previously mentioned, the rail systems that underwent ODP risk assessments are currently using or plan to use these assessments to guide their security actions. In addition, 20 of the 32 U.S. operators we contacted or visited had conducted some type of security assessment internally or through a contractor, separate from the federally funded assessments. For example, some assessments evaluated vulnerabilities of physical assets, such as tunnels and bridges, throughout the passenger rail system. Passenger rail operators stated that security-related spending by rail operators was also based, in part, on budgetary considerations, as well as other practices used by other rail operators that were identified through direct contact or during industry association meetings.[Footnote 41] Passenger rail operators frequently made capital investments to improve security, and these investments often are not part of federal funding packages for new construction unless they are part of new facilities being constructed. According to APTA, 54 percent of transit agencies are facing increasing deficits, and no operator covers expenses with fare revenue; thus, balancing operational and capital improvements with security-related investments has been an ongoing challenge for these operators. Several foreign rail operators we interviewed also stated that funding for security enhancements was limited in light of other funding priorities within the rail system, such as personnel costs and infrastructure and equipment maintenance. Foreign rail operators we visited also told us that risk assessments played an important role in guiding security-related spending for rail. For example, one foreign rail operator with a daily ridership of 2.3 million passengers used a risk management methodology to assess risks, threats, and vulnerabilities to rail in order to guide security spending. The methodology is part of the rail operator's corporate focus on overall safety and security and is intended to help protect the operator's various rail systems against, among other things, terrorist attacks, as well as other forms of corporate loss, such as service disruption and loss of business viability. According to the operator, the methodology employs a "risk-informed" approach to support management's business decision process regarding security. Other than the results of risk assessments, issues such as laws and regulations, and business requirements, are also taken into consideration. The approach relies on a combination of risk, threat, and vulnerability assessment and management, and focuses on proactive prevention. Implementing the methodology involves all corporate departments and staff at three activity levels: * At the corporate level, the focus on security is articulated in a three-part corporate security policy that states, among other things, that managers are responsible for performing risk management activities in their functional areas and maintaining cost-effective security measures. * At the department level, department heads are responsible for promoting security awareness, setting rules and guidelines, and allocating security responsibilities (in the form of assigning "risk ownership"). * At the line level, managers are responsible for implementing the risk assessment component of the methodology, consistent with the security policy described earlier. This component, which involves an iterative process, consists of identifying threats and quantifying risks (risk is expressed as a function of likelihood and consequence); designing and implementing security protective measures; and measuring compliance with and the effectiveness of these measures, similar to our risk management approach. According to officials of the foreign rail operator, to measure performance, the operator conducts periodic surveys to measure the perceptions of riders and employees; rates the success of drills; and measures the incidence of crime (such as pick pocketing). The operator's security department also conducts audits to measure compliance and help ensure that security procedures are being followed. Separately, the rail operator's insurers review the security management of the rail system, including the methodology, every 4 years. U.S. and Foreign Rail Operators Employ Similar Security Practices: Both U. S. and foreign passenger rail operators we contacted have implemented similar operational and capital improvements[Footnote 42] to enhance the security of their systems.[Footnote 43] A summary of these efforts follows. Operational improvements: Customer awareness: Customer awareness programs we observed used signage and announcements to encourage riders to alert train staff if they observed suspicious packages, persons, or behavior. Of the 32 domestic rail operators we interviewed, 30 had implemented a customer awareness program or made enhancements to an existing program. FTA has assisted rail operators in this area by creating the Transit Watch program, in cooperation with industry groups such as APTA. Transit Watch is a nationwide safety and security awareness program designed to encourage the active participation of transit passengers and employees in maintaining a safe transit environment. FTA distributed education and training materials to rail operators so these materials could be provided to customers and employees. Rail operators stated that they attempt to entitle their customer awareness programs so that customers can easily remember the goals of the program. New York City Transit's "If You See Something, Say Something" campaign and the WMATA program, "Is That Your Bag?" are examples of this. (See fig. 6 for an example of public awareness signage). Foreign rail operators we visited also attempt to enhance customer awareness. For example, 11 of the 13 operators we interviewed had implemented a customer awareness program. Similar to programs of U.S. operators, these programs used signage, announcements, and brochures to inform passengers and employees about the need to remain vigilant and report any suspicious activities. Only one of the European passenger rail operators that we interviewed has not implemented a customer security awareness program, citing the fear or panic that it might cause among the public. Figure 6: Example of Passenger Rail Customer Awareness Poster: [See PDF for image] [End of figure] Increased number and visibility of security personnel: Of the 32 U.S. rail operators we interviewed, 23 had increased the number of security personnel they utilized since September 11, to provide security throughout their system or had taken steps to increase the visibility of their security personnel. In addition to adding security personnel, many operators stated that increasing the visibility of security was as important as increasing the number of personnel. For example, several U.S. and foreign rail operators we spoke with had instituted policies such as requiring their security staff, in brightly colored vests, to patrol trains or stations more frequently, so they are more visible to customers and potential terrorists or criminals. These policies make it easier for customers to contact security personnel in the event of an emergency, or if they have spotted a suspicious item or person. At foreign sites we visited, 10 of the 13 operators had increased the number of their security officers throughout their systems in recent years because of the perceived increase in risk of a terrorist attack. One rail operator, the Tokyo Metro system, in addition to increasing the number of security personnel, has also made them more visible. Tokyo Metro stations now include an elevated security platform for security personnel to stand on, which allows them to better see throughout the station and allows passengers to see the security staff more easily. Increased use of canine teams: Of the 32 U.S. passenger rail operators we contacted, 21 had begun to use canine units, which include both dogs and human handlers, to patrol their facilities or trains or had increased their existing utilization of such teams. Often, these units are used to detect the presence of explosives, or in some cases, drugs, and may be called in when a suspicious package is detected. One operator we spoke with uses its canines to patrol its system simply as a crime deterrent rather than to detect explosives or drugs. Some operators that did not maintain their own canine units stated that it was prohibitively expensive to do so and that they could call in local police canine units if necessary. In foreign countries we visited, passenger rail operators' use of canines varied. In some Asian countries, canines were not culturally accepted by the public and thus were not used for rail security purposes. In contrast, most European passenger rail operators, as in the United States, used canines for explosive detection or as deterrents. Employee training: All of the domestic and foreign rail operators we interviewed had provided some type of security training to their staff, either through in-house personnel or an external provider. In many cases, this training consisted of ways to identify suspicious items and persons and how to respond to events once they occur. For example, the London Underground and the British Transport Police developed the "HOT" method for its employees to identify suspicious items in the rail system. In the HOT method, employees are trained to look for packages or items that are Hidden, Obviously suspicious, and not Typical of the environment. Items that do not meet these criteria would likely receive a lower security response than an item meeting all of the criteria. However, if items meet all of these criteria, employees are to notify station managers, who would call in the authorities and potentially shut down the station or take other action. According to London Underground officials, the HOT method has significantly reduced the number of system disruptions caused when a suspicious item was identified. In addition, officials noted that the HOT method is easy for rail employees to remember and is successful, in part, because it provides rail employees with the discretion to make security-related decisions on their own. According to British Transport Police and London Underground officials, there have been no cases where unattended packages that employees determined did not meet the HOT criteria contained explosive devices. Several passenger rail operators in the United States and abroad have trained their employees in the HOT method. Several domestic operators had also trained their employees in how to respond to terrorist attacks and provided them with wallet-size cards highlighting actions they should take in response to various forms of attack. (See fig. 7 for examples of cards that are distributed by the San Francisco Bay Area Rapid Transit [BART] to their employees to help them prevent or respond to terrorist attacks.) It is important to note that training such as the HOT method is not designed to prevent acts of terrorism like the July 2005 London attacks, where suicide bombers killed themselves rather than leaving bombs behind. Figure 7: Wallet-size Cards Distributed to BART Employees Containing Anti-terrorism Information: [See PDF for image] [End of figure] Officials from the London Underground also provided insights into the importance of how training is provided to staff, in addition to the type of training provided. In training rail station staff, London Underground officials stressed the importance of direct supervisors or managers providing security briefings to each employee or small groups of employees. In doing so, officials stated that they believed it helps make staff more aware of their responsibilities in certain situations, enables supervisors to hold employees accountable for what they learned in training, and allows employees to ask questions related to their specific job duties. Passenger and baggage screening practices: Some domestic and foreign rail operators have trained employees to recognize suspicious behavior as a means of screening passengers. Eight U.S. passenger rail operators we contacted were utilizing some form of behavioral screening. For example, the Massachusetts Bay Transportation Authority (MBTA), which operates Boston's T system, has utilized a behavioral screening system to identify passengers exhibiting suspicious behavior. The Massachusetts State Police train all MBTA personnel to be on the lookout for behavior that may indicate someone has criminal intent, and to approach and search such persons and their baggage when appropriate. Massachusetts State Police officers have been training rail operators on this behavior profiling system, and WMATA and New Jersey Transit were among the first additional operators to implement the system. According to MBTA personnel, several other operators have expressed interest in this system. Abroad, we found that 4 of 13 operators we interviewed had implemented forms of behavioral screening similar to MBTA's system. (Rail operators' use of random screening of passengers is discussed later in the report.) All of the domestic and foreign rail operators we contacted have ruled out an airport-style screening system for daily use in heavy traffic, where each passenger and the passenger's baggage are screened by a magnetometer or X-ray machine, based on cost, staffing, and customer convenience factors, among others. For example, although the Spanish National Railway screens passenger baggage using an X-ray machine on certain long-distance trains that it believes could be at risk, all of the operators we contacted stated that the cost, staffing requirements, delay of service, and inconvenience to passengers would make such a system unworkable in highly trafficked, inherently open systems like U.S. and foreign passenger rail operations. In addition, one Asian rail official stated that his organization was developing a contingency plan for implementing an airport-style screening system, but that such a system would be used only in the event of intelligence information indicating suicide bomb attacks were imminent, or if several attacks had already occurred during a short period of time. According to this official, the plan was in the initial stages of development, and the organization did not know how quickly such a system could be implemented. Capital improvements: Upgrading technology: Many rail operators we interviewed had embarked on programs designed to upgrade their existing security technology. For example, we found that 29 of the 32 U.S. operators had implemented a form of CCTV to monitor their stations, yards, or trains. While these cameras cannot be monitored closely at all times, because of the large number of staff they said this would require, many rail operators felt the cameras acted as a deterrent, assisted security personnel in determining how to respond to incidents that have already occurred, and could be monitored if an operator has received information that an incident may occur at a certain time or place in their system. One rail operator, New Jersey Transit, had installed "smart" cameras, which were programmed to alert security personnel when suspicious activity occurred, such as if a passenger left a bag in a certain location or if a boat were to dock under a bridge. According to the New Jersey Transit officials, this technology was relatively inexpensive and not difficult to implement. Several other operators stated they were interested in exploring this technology. Abroad, all 13 of the foreign rail operators we visited had CCTV systems in place. For example, the London Underground uses an extensive system of CCTV cameras to monitor all of its passenger rail system stations and respond to both criminal and emergency incidents. In addition, one Asian system we visited had over 1,000 cameras recording activity in some of its busier stations. However, as in the United States, foreign rail operators use these cameras primarily as a crime deterrent and to respond to incidents after they occur, because they do not have enough staff to continuously monitor all of these cameras. The Madrid Metro is currently testing the use of personal digital assistants (PDA), which would have the ability to operate all security functions in passenger rail stations. These PDAs would enab