Not later than 18 months after August 3, 2007, the Secretary shall issue regulations that—
require each over-the-road bus operator assigned to a high-risk tier under this section—
(A) to conduct a vulnerability assessment in accordance with subsections (c) and (d); and
(B) to prepare, submit to the Secretary for approval, and implement a security plan in accordance with subsection (e); and
(2) establish standards and guidelines for developing and implementing the vulnerability assessments and security plans for carriers assigned to high-risk tiers consistent with this section.
The Secretary may establish a security program for over-the-road bus operators not assigned to a high-risk tier, including—
(1) guidance for such operators in conducting vulnerability assessments and preparing and implementing security plans, as determined appropriate by the Secretary; and
(2) a process to review and approve such assessments and plans, as appropriate.
Not later than 9 months after the date of issuance of the regulations under subsection (a), the vulnerability assessments and security plans required by such regulations for over-the-road bus operators assigned to a high-risk tier shall be completed and submitted to the Secretary for review and approval.
The Secretary shall provide technical assistance and guidance to over-the-road bus operators in conducting vulnerability assessments under this section and shall require that each vulnerability assessment of an operator assigned to a high-risk tier under this section includes, as appropriate—
The Secretary shall provide technical assistance and guidance to over-the-road bus operators in conducting vulnerability assessments under this section and shall require that each vulnerability assessment of an operator assigned to a high-risk tier under this section includes, as appropriate—
(A) identification and evaluation of critical assets and infrastructure, including platforms, stations, terminals, and information systems;
(B) identification of the vulnerabilities to those assets and infrastructure; and
(C) identification of weaknesses in— (i) physical security; (ii) passenger and cargo security; (iii) the security of programmable electronic devices, computers, or other automated systems which are used in providing over-the-road bus transportation; (iv) alarms, cameras, and other protection systems; (v) communications systems and utilities needed for over-the-road bus security purposes, including dispatching systems; (vi) emergency response planning; (vii) employee training; and (viii) such other matters as the Secretary determines appropriate.
(2) Threat information The Secretary shall provide in a timely manner to the appropriate employees of an over-the-road bus operator, as designated by the over-the-road bus operator, threat information that is relevant to the operator when preparing and submitting a vulnerability assessment and security plan, including an assessment of the most likely methods that could be used by terrorists to exploit weaknesses in over-the-road bus security.
The Secretary shall provide technical assistance and guidance to over-the-road bus operators in preparing and implementing security plans under this section and shall require that each security plan of an over-the-road bus operator assigned to a high-risk tier under this section includes, as appropriate—
The Secretary shall provide technical assistance and guidance to over-the-road bus operators in preparing and implementing security plans under this section and shall require that each security plan of an over-the-road bus operator assigned to a high-risk tier under this section includes, as appropriate—
(A) the identification of a security coordinator having authority— (i) to implement security actions under the plan; (ii) to coordinate security improvements; and (iii) to receive communications from appropriate Federal officials regarding over-the-road bus security;
(B) a list of needed capital and operational improvements;
(C) procedures to be implemented or used by the over-the-road bus operator in response to a terrorist attack, including evacuation and passenger communication plans that include individuals with disabilities, as appropriate;
(D) the identification of steps taken with State and local law enforcement agencies, emergency responders, and Federal officials to coordinate security measures and plans for response to a terrorist attack;
(E) a strategy and timeline for conducting training under section 1184 of this title;
(F) enhanced security measures to be taken by the over-the-road bus operator when the Secretary declares a period of heightened security risk;
(G) plans for providing redundant and backup systems required to ensure the continued operation of critical elements of the over-the-road bus operator’s system in the event of a terrorist attack or other incident; and
(H) such other actions or procedures as the Secretary determines are appropriate to address the security of over-the-road bus operators.
(2) Security coordinator requirements The Secretary shall require that the individual serving as the security coordinator identified in paragraph (1)(A) is a citizen of the United States. The Secretary may waive this requirement with respect to an individual if the Secretary determines that it is appropriate to do so based on a background check of the individual and a review of the consolidated terrorist watchlist.
Not later than 6 months after receiving the assessments and plans required under this section, the Secretary shall—
(1) review each vulnerability assessment and security plan submitted to the Secretary in accordance with subsection (c);
(2) require amendments to any security plan that does not meet the requirements of this section; and
(3) approve any vulnerability assessment or security plan that meets the requirements of this section.
The Secretary may require over-the-road bus operators, during the period before the deadline established under subsection (c), to submit a security plan to implement any necessary interim security measures essential to providing adequate security of the over-the-road bus operator’s system. An interim plan required under this subsection shall be superseded by a plan required under subsection (c).
The Secretary shall assign each over-the-road bus operator to a risk-based tier established by the Secretary:
(1) Provision of information The Secretary may request, and an over-the-road bus operator shall provide, information necessary for the Secretary to assign an over-the-road bus operator to the appropriate tier under this subsection.
(2) Notification Not later than 60 days after the date an over-the-road bus operator is assigned to a tier under this section, the Secretary shall notify the operator of the tier to which it is assigned and the reasons for such assignment.
(3) High-risk tiers At least one of the tiers established by the Secretary under this section shall be a tier designated for high-risk over-the-road bus operators.
(4) Reassignment The Secretary may reassign an over-the-road bus operator to another tier, as appropriate, in response to changes in risk and the Secretary shall notify the over-the-road bus operator within 60 days after such reassignment and provide the operator with the reasons for such reassignment.
Nothing in this subsection shall relieve the Secretary of the obligation—
(1) Determination In response to a petition by an over-the-road bus operator or at the discretion of the Secretary, the Secretary may determine that existing procedures, protocols, and standards meet all or part of the requirements of this section regarding vulnerability assessments and security plans.
(2) Election Upon review and written determination by the Secretary that existing procedures, protocols, or standards of an over-the-road bus operator satisfy the requirements of this section, the over-the-road bus operator may elect to comply with those procedures, protocols, or standards instead of the requirements of this section.
(3) Partial approval If the Secretary determines that the existing procedures, protocols, or standards of an over-the-road bus operator satisfy only part of the requirements of this section, the Secretary may accept such submission, but shall require submission by the operator of any additional information relevant to the vulnerability assessment and security plan of the operator to ensure that the remaining requirements of this section are fulfilled.
(4) Notification If the Secretary determines that particular existing procedures, protocols, or standards of an over-the-road bus operator under this subsection do not satisfy the requirements of this section, the Secretary shall provide to the operator a written notification that includes an explanation of the reasons for nonacceptance.
Nothing in this subsection shall relieve the Secretary of the obligation—
(A) to review the vulnerability assessment and security plan submitted by an over-the-road bus operator under this section; and
(B) to approve or disapprove each submission on an individual basis.
Not later than 3 years after the date on which a vulnerability assessment or security plan required to be submitted to the Secretary under subsection (c) is approved, and at least once every 5 years thereafter (or on such a schedule as the Secretary may establish by regulation), an over-the-road bus operator who submitted a vulnerability assessment and security plan and who is still assigned to the high-risk tier shall also submit to the Secretary an evaluation of the adequacy of the vulnerability assessment and security plan that includes a description of any material changes made to the vulnerability assessment or security plan.
(1) Submission of evaluation Not later than 3 years after the date on which a vulnerability assessment or security plan required to be submitted to the Secretary under subsection (c) is approved, and at least once every 5 years thereafter (or on such a schedule as the Secretary may establish by regulation), an over-the-road bus operator who submitted a vulnerability assessment and security plan and who is still assigned to the high-risk tier shall also submit to the Secretary an evaluation of the adequacy of the vulnerability assessment and security plan that includes a description of any material changes made to the vulnerability assessment or security plan.
(2) Review of evaluation Not later than 180 days after the date on which an evaluation is submitted, the Secretary shall review the evaluation and notify the over-the-road bus operator submitting the evaluation of the Secretary’s approval or disapproval of the evaluation.
The Secretary may permit under this section the development and implementation of coordinated vulnerability assessments and security plans to the extent that an over-the-road bus operator shares facilities with, or is colocated with, other transportation entities or providers that are required to develop vulnerability assessments and security plans under Federal law.
Nothing in this section shall be construed as authorizing the withholding of any information from Congress.
(1) Submission of information to Congress Nothing in this section shall be construed as authorizing the withholding of any information from Congress.
(2) Disclosure of independently furnished information Nothing in this section shall be construed as affecting any authority or obligation of a Federal agency to disclose any record or information that the Federal agency obtains from an over-the-road bus operator under any other Federal law.
(Pub. L. 110–53, title XV, § 1531, Aug. 3, 2007, 121 Stat. 454.)