This is the accessible text file for GAO report number GAO-13-20 
entitled 'Passenger Rail Security: Consistent Incident Reporting and 
Analysis Needed to Achieve Program Objectives' which was released on 
December 19, 2012. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 
GAO: 

Report to Congressional Committees: 

December 2012: 

Passenger Rail Security: 

Consistent Incident Reporting and Analysis Needed to Achieve Program 
Objectives: 

GAO-13-20: 

GAO Highlights: 

Highlights of GAO-13-20, a report to congressional committees. 

Why GAO Did This Study: 

Terrorist attacks on foreign passenger rail systems, which include 
rail transit and intercity rail, have underscored the importance of 
collecting and analyzing security incident information to identify 
potential vulnerabilities. Within the federal government, TSA is the 
primary agency responsible for overseeing and enhancing passenger rail 
security, and has several programs to fulfill this responsibility. In 
2008, TSA issued a regulation requiring U.S. passenger rail agencies 
to report all potential threats and significant security concerns to 
TSA, among other things. GAO was asked to assess the extent to which 
(1) TSA has overseen and enforced this reporting requirement and (2) 
TSA has analyzed passenger rail security incident information to 
identify security trends. GAO reviewed TSA policy documents, guidance, 
and incident data from January 2011 through June 2012, and interviewed 
federal officials and security officials from 19 passenger rail 
agencies. GAO selected these agencies, in part, because of their 
ridership volume. The results of these interviews are not 
generalizable but provide insights. 

What GAO Found: 

The Transportation Security Administration (TSA) has inconsistently 
overseen and enforced its rail security incident reporting requirement 
because it does not have guidance and its oversight mechanisms are 
limited, leading to considerable variation in the types and number of 
incidents reported. Though some variation is expected in the number 
and type of incidents reported because of differences in rail agency 
size, location, and ridership, local TSA inspection officials have 
provided rail agencies with inconsistent interpretations of the 
reporting requirement. For example, local TSA officials instructed one 
rail agency to report all incidents related to individuals struck by 
trains. However, local TSA officials responsible for another rail 
agency said these incidents would not need to be reported as they are 
most often suicides with no nexus to terrorism. Providing guidance to 
local TSA inspection officials and rail agencies on the types of 
incidents that are to be reported could improve consistency across 
different TSA field offices. GAO also found inconsistency in TSA 
compliance inspections and enforcement actions because TSA has not 
utilized limited headquarters-level mechanisms as intended for 
ensuring consistency in these activities. TSA’s rail security 
inspection policies do not specify inspection frequency but call for 
performing a “reasonable number” of inspections. However, 3 of the 19 
rail agencies GAO contacted were not inspected from January 2011 
through June 2012, including a large metropolitan rail agency, 
although local officials said it was unlikely that no incidents had 
occurred at that agency. Without inspections, TSA’s assurance that 
rail agencies are reporting security incidents, as required, is 
reduced. In addition, TSA took enforcement action against an agency 
for not reporting an incident involving a knife, but did not take 
action against another agency for not reporting similar incidents, 
though the agency had been inspected. Enhancing headquarters-level 
mechanisms for overseeing inspection and enforcement actions in the 
field could help ensure more consistency in these activities and 
improve TSA’s ability to use the information for trend analysis. 

TSA has not conducted trend analysis of rail security information, and 
weaknesses in TSA’s rail security incident data management system, 
including data entry errors, inhibit TSA’s ability to search and 
extract information. Data entry errors occur in part because the 
guidance provided to officials responsible for entering incident 
information does not define the available data field options. Without 
the ability to identify information from the data, such as the number 
of incidents reported by incident type, TSA faces challenges 
determining if patterns or trends exist. Additional guidance for 
officials who enter the incident information could help to reduce data 
entry errors and improve users’ ability to search and extract 
information from the system, ultimately improving TSA’s ability to 
analyze the incident information. These weaknesses notwithstanding, 
TSA has made limited use of the incident information it has collected, 
in part because it does not have a systematic process for conducting 
trend analysis. TSA’s purpose for collecting the rail security 
incident information was to allow TSA to “connect the dots” by 
conducting trend analysis. TSA has used the rail security incident 
information for situational awareness, but has conducted limited 
analysis of the information, missing an opportunity to identify any 
security trends or patterns in the incident information, or to develop 
recommended security measures to address any identified issues. 

What GAO Recommends: 

GAO recommends, among other things, that TSA (1) develop guidance on 
the types of incidents that should be reported, (2) enhance existing 
oversight mechanisms for compliance inspections and enforcement 
actions, (3) develop guidance to reduce errors from data entry 
problems, and (4) establish a process for regularly conducting trend 
analysis of incident data. TSA concurred and is taking actions in 
response. 

View [hyperlink, http://www.gao.gov/products/GAO-13-20]. For more 
information, contact Stephen M. Lord, (202)-512-4379, lords@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

TSA Has Provided Inconsistent Oversight and Enforcement of the 
Passenger Rail Security Incident Reporting Requirement: 

Incident Data and Process Limitations Hinder Trend Analysis: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Influence of Foreign Attacks on Selected U.S. Rail 
Agencies' Security Measures: 

Appendix II: Selected Mechanisms Used to Gather Information on Lessons 
Learned from Passenger Rail Attacks and Share Rail Security 
Information: 

Appendix III: Objectives, Scope, and Methodology: 

Appendix IV: Summary of Recent Attacks against Foreign Passenger Rail 
Systems: 

Appendix V: Comments from the Department of Homeland Security: 

Appendix VI: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: Selected Mechanisms Cited by Eight High-Volume Rail Agencies 
to Obtain and Share Rail Security Information: 

Table 2: Passenger Rail Systems Interviewed: 

Figure: 

Figure 1: The Intended Rail Security Reporting Process: 

Abbreviations: 

AAR: Association of American Railroads: 

AFSD-I: assistant federal security director-inspection: 

CCTV: closed-circuit television: 

DHS: Department of Homeland Security: 

DOT: Department of Transportation: 

FRA: Federal Railroad Administration: 

FTA: Federal Transit Administration: 

I-STEP: TSA Intermodal Security Training and Exercise Program: 

MTI: Mineta Transportation Institute: 

PAG: TSA Transit Policing and Security Peer Advisory Group: 

PARIS: Performance and Results Information System: 

RSI-S: regional security inspector-surface: 

TSA: Transportation Security Administration: 

TSI-S: transportation security inspector-surface: 

TSOC: Transportation Security Operations Center: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

December 19, 2012: 

The Honorable John D. Rockefeller, IV:
Chairman:
The Honorable Kay Bailey Hutchison:
Ranking Member:
Committee on Commerce, Science, and Transportation:
United States Senate: 

The Honorable Frank R. Lautenberg:
Chairman:
The Honorable Roger F. Wicker:
Ranking Member:
Subcommittee on Surface Transportation and Merchant Marine 
Infrastructure, Safety, and Security:
Committee on Commerce, Science, and Transportation:
United States Senate: 

Passenger rail systems are vital components of the nation's 
transportation infrastructure, encompassing rail mass transit (heavy 
rail and light rail), commuter rail, and intercity rail.[Footnote 1] 
Terrorist attacks on passenger rail systems around the world--such as 
the March 2010 subway bombings in Moscow, Russia, and the July 2006 
passenger train bombing in Mumbai, India, that resulted in 209 
fatalities--highlight the vulnerability of these systems and 
demonstrate that even when security precautions are put into place, 
vulnerabilities remain. According to the Mineta Transportation 
Institute (MTI), from September 12, 2001, through December 31, 2011, 
there were 838 attacks worldwide on passenger rail systems, resulting 
in over 1,370 fatalities.[Footnote 2] In the United States, passenger 
rail systems have received heightened attention as several alleged 
terrorists' plots have been uncovered, including plots against rail 
systems in the New York City and Washington, D.C., areas in 2009 and 
2010, respectively. In addition, intelligence recovered from Osama bin 
Laden's compound indicates that U.S. rail systems were a suggested 
target as recently as February 2010, although there has been no 
indication of a specific or imminent threat to carry out such an 
attack. While there have been no terrorist attacks against U.S. 
passenger rail systems to date, the systems are vulnerable to attack 
in part because they rely on an open architecture that is difficult to 
monitor and secure because of its multiple access points; hubs serving 
multiple carriers; and, in some cases, no barriers to access. For 
example, in May 2011, an individual was able to walk the length of an 
underwater train tunnel between New York and New Jersey without being 
detected. Had this individual been a terrorist, he could have executed 
a disruptive and potentially damaging attack on this rail tunnel. 
Given the continued threat to passenger rail systems, such security 
breaches underscore the importance of tracking and analyzing security 
incident information to identify possible indicators or precursors of 
terrorist activity, as well as information on security vulnerabilities. 

Securing the nation's passenger rail systems is a shared 
responsibility requiring coordinated action on the part of federal, 
state, and local governments; the private sector; and passengers who 
ride these systems. Day-to-day responsibility for securing passenger 
rail systems falls on passenger rail agencies themselves, local law 
enforcement, and often state and local governments that own a 
significant portion of the infrastructure. Within the federal 
government, the Department of Homeland Security's (DHS) Transportation 
Security Administration (TSA) is the primary federal agency 
responsible for overseeing security for these systems and for 
implementing programs to enhance their security.[Footnote 3] We have 
previously reported on federal and industry efforts to secure 
passenger rail systems and have made recommendations for strengthening 
these efforts.[Footnote 4] DHS generally agreed with these 
recommendations and has taken actions to implement them. For example, 
in June 2009, we reported that TSA had taken some actions to implement 
a risk management approach but had not conducted a comprehensive risk 
assessment for mass transit and passenger rail that integrates threat, 
vulnerability, and consequence.[Footnote 5] We recommended that TSA 
conduct a risk assessment that combines these three elements, which 
the agency could use to inform its security strategy. In response to 
our recommendation, in June 2010, TSA produced the Transportation 
Sector Security Risk Assessment, which assessed risk within and across 
the various aviation and surface transportation modes, including rail, 
and incorporated threat, vulnerability, and consequence assessments. 

A key component of this shared responsibility for passenger rail 
security is ensuring that information on rail security threats and 
incidents is collected and analyzed effectively. As part of its rail 
security responsibilities, in 2008 TSA issued a regulation requiring 
U.S. passenger rail systems to report all potential threats and 
significant security concerns to TSA's Transportation Security 
Operations Center (TSOC), among other things.[Footnote 6] The TSOC is 
a 24/7 operations center that serves as TSA's main point of contact 
for monitoring security-related incidents or crises in all modes of 
transportation. TSA's regulation is intended to provide the agency 
with essential information on passenger rail security incidents so 
that TSA can conduct comprehensive intelligence analysis, threat 
assessment, and allocation of security resources, among other 
things.[Footnote 7] According to the regulation, potential threats and 
significant security concerns that must be reported to the TSOC 
encompass a variety of incidents and suspicious activities including 
bomb threats, indications of tampering with railcars, and other 
security breaches.[Footnote 8] 

You requested that we evaluate TSA's passenger rail security incident 
reporting process. Accordingly, this report addresses the following 
questions: 

* To what extent has TSA overseen and enforced the passenger rail 
security incident reporting requirement? 

* To what extent has TSA analyzed passenger rail security incident 
information to identify security trends and potential threats against 
passenger rail systems? 

Appendix I of this report also includes information on how selected 
rail agencies applied lessons learned from foreign rail attacks to 
enhance their rail security measures. Appendix II includes information 
on key mechanisms rail agencies use to obtain rail security-related 
information. 

To address these questions, we examined TSA's rail security incident 
reporting process. We reviewed the notice of proposed rulemaking and 
final rule that describe the purpose and justification of the incident 
reporting requirement, as well as relevant TSA policy documents, 
manuals, and guidance. To obtain rail industry perspectives on the 
rail security incident reporting process, we conducted visits at, or 
teleconferences with, 19 of the top 50 passenger rail systems across 
the nation, by passenger rail ridership.[Footnote 9] See appendix III 
for a list of the 19 rail agencies we interviewed through our visits 
and teleconferences. We selected these 19 passenger rail systems to 
reflect varied levels of ridership and geographic dispersion. Because 
we selected a nonprobability sample of passenger rail agencies, the 
information obtained from these visits and interviews cannot be 
generalized to all rail agencies nationwide, but provided illustrative 
examples of the perspectives of passenger rail stakeholders about the 
rail security incident reporting process, and corroborated information 
we gathered through other means. Further, we interviewed rail industry 
representatives from the American Public Transportation Association 
[Footnote 10] and the Association of American Railroads[Footnote 11] 
to obtain their perspectives on rail security issues. We selected 
these associations because they represent the majority of the 
passenger and freight rail systems in the United States. 

To assess the extent to which TSA has overseen and enforced the rail 
security reporting requirement, we interviewed officials from the 
selected rail systems discussed earlier on how they have implemented 
this requirement, including the guidance they have received from TSA. 
We interviewed TSA headquarters officials from the Compliance Programs 
Division within the Office of Security Operations and local TSA 
inspection officials from five TSA field offices regarding the 
guidance they provide to rail agencies on incident reporting and how 
they ensure rail agencies' compliance with the regulation. We selected 
these five field office locations because they had oversight 
responsibility for many of the rail agencies included in our scope. 
Because we selected a nonprobability sample of TSA's field offices and 
officials, the results from these interviews cannot be generalized to 
all field offices; however, the information we obtained provided us 
with an overview of the role of TSA surface inspectors in the rail 
incident reporting process and corroborated information we obtained 
through other sources. We also examined documentation on TSA's 
inspection processes for monitoring rail systems' compliance with the 
incident reporting requirement, including the Transportation Security 
Inspector Inspections Handbook, the National Investigations and 
Enforcement Manual, and the Compliance Work Plan for Transportation 
Security Inspectors. 

In addition, we analyzed incident data from the TSOC's incident 
management database, known as WebEOC, for the period January 2011 
through June 2012, to determine the number and types of passenger rail 
security incidents reported to the TSOC by rail agencies.[Footnote 12] 
On the basis of information from and discussions with TSA officials 
related to the controls in place to maintain the integrity of TSA's 
incident data, we determined that the information in WebEOC was 
sufficiently reliable for the purposes of providing information on 
differences in the number and types of rail security incidents 
reported by selected rail agencies to the TSOC. However, we identified 
issues with data entry and data quality, which are discussed later in 
this report. In addition, we analyzed data from TSA's Performance and 
Results Information System (PARIS) for January 2011 through June 2012 
on TSA's compliance inspections and all records related to enforcement 
actions taken under the passenger rail security incident reporting 
requirement.[Footnote 13] We also evaluated TSA's efforts to oversee 
and enforce the incident reporting requirement against criteria in 
GAO's Standards for Internal Control in the Federal Government. 
[Footnote 14] 

To assess the extent to which TSA has analyzed rail security incident 
information, we interviewed TSA officials from the TSOC, the Office of 
Intelligence and Analysis, the Office of Security Operations, and the 
Office of Security Policy and Industry Engagement regarding their 
roles and responsibilities. We reviewed TSA documentation and analyses 
containing rail security incident information. We also examined the 
WebEOC incident management database to identify any database 
limitations that could present challenges for analyzing the incident 
information, and we discussed these limitations with TSA officials. We 
also interviewed officials from the rail agencies noted earlier about 
their views on the information and analyses they receive from TSA on 
rail security incidents. 

To determine how selected rail agencies applied lessons learned from 
foreign rail attacks to enhance their rail security measures and how 
rail agencies obtain and share passenger rail security-related 
information, including information on lessons learned from foreign 
rail attacks, we interviewed security officials from selected 
passenger rail systems. During visits to passenger rail systems, we 
toured stations and other facilities such as control centers, and 
observed security practices. We also reviewed our prior reports on 
passenger rail security and information sharing as well as studies and 
reports conducted by outside organizations related to passenger rail, 
such as the DHS Office of the Inspector General. Appendix III provides 
more details on our objectives, scope, and methodology, including a 
list of the rail agencies we interviewed. 

We conducted this performance audit from January 2012 through December 
2012 in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objectives. 

Background: 

As previously stated, TSA's 2008 regulation requires passenger rail 
agencies to report potential threats and significant security concerns 
to the TSOC.[Footnote 15] According to the regulation, potential 
threats and significant security concerns (rail security incidents) 
include, but are not limited to, the following: 

1) interference with the train or transit vehicle crew; 

2) bomb threats, specific and non-specific; 

3) reports or discovery of suspicious items that result in the 
disruption of rail operations; 

4) suspicious activity occurring onboard a train or transit vehicle or 
inside the facility of a passenger railroad carrier or rail transit 
system that results in a disruption of rail operations; 

5) suspicious activity observed at or around rail cars or transit 
vehicles, facilities, or infrastructure used in the operation of the 
passenger railroad carrier or rail transit system; 

6) discharge, discovery, or seizure of a firearm or other deadly 
weapon on a train or transit vehicle or in a station, terminal, 
facility, or storage yard, or other location used in the operation of 
the passenger railroad carrier or rail transit system; 

7) indications of tampering with passenger rail cars or rail transit 
vehicles; 

8) information relating to the possible surveillance of a passenger 
train or rail transit vehicle or facility, storage yard, or other 
location used in the operation of the passenger railroad carrier or 
rail transit system; 

9) correspondence received by the passenger railroad carrier or rail 
transit system indicating a potential threat to rail transportation; 
and: 

10) other incidents involving breaches of the security of the 
passenger railroad carrier or the rail transit system operations or 
facilities. 

The regulation also authorizes TSA officials to view, inspect, and 
copy rail agencies' records as necessary to enforce the rail security 
incident reporting requirements.[Footnote 16] This regulatory 
authority is supported by TSA policies and guidance, including the 
Transportation Security Inspector Inspections Handbook, the National 
Investigations and Enforcement Manual, and the Compliance Work Plan 
for Transportation Security Inspectors. 

Within TSA, different offices have responsibilities related to 
implementing and enforcing the rail security incident reporting 
requirement. The TSOC, managed by TSA's Office of Law Enforcement/ 
Federal Air Marshal Service, is the TSA entity primarily responsible 
for collecting and disseminating information about rail security 
incidents. Once notified of a rail security incident, TSOC officials 
are responsible for inputting the incident information into their 
incident management database known as WebEOC, and for disseminating 
incident reports that they deem high priority or significant to select 
TSA officials; other federal, state, and local government officials; 
and select rail agencies' law enforcement officials. TSA's Office of 
Intelligence and Analysis is responsible for analyzing threat 
information for all modes of transportation, including information 
related to passenger rail. TSA's Office of Security Policy and 
Industry Engagement is responsible for using incident reports and 
analyses, among other things, to develop strategies, policies, and 
programs for rail security, including operational security activities, 
training exercises, public awareness, and technology. Figure 1 shows 
the intended steps and responsibilities of TSA components involved in 
the rail security incident reporting process. 

Figure 1: The Intended Rail Security Reporting Process: 

[Refer to PDF for image: process illustration] 

Incident occurs: 

Rail agency reports to Transportation Security Operation Center (TSOC). 

TSOC enters incident information in WebEOC. 

TSOC disseminates incident information for situational awareness; 
On a case-specific basis, Office of Intelligence and Analysis analyzes 
incident and reports results. 

Office of Security Policy and Industry Engagement uses incident 
information to inform policy. 

Source: GAO; Art Explosion (graphics). 

[End of figure] 

TSA's Office of Security Operations is responsible for overseeing and 
enforcing the incident reporting requirement. Responsible for managing 
TSA's inspection program for the aviation and surface modes of 
transportation, the Office of Security Operations' Surface Compliance 
Branch deploys approximately 400 transportation security inspectors-
surface (TSI-S) nationwide.[Footnote 17] The TSI-Ss are responsible 
for providing clarification to rail agencies regarding the incident 
reporting process highlighted in figure 1, and for overseeing rail 
agencies' compliance with the reporting requirement by conducting 
inspections to ensure that incidents were properly reported to the 
TSOC. TSI-Ss also conduct assessments of surface transportation 
systems, including passenger rail systems, and oversee compliance with 
other applicable transportation security policies, directives, 
standards, and agreements. At the headquarters level within the Office 
of Security Operations, the Compliance Programs Division is 
responsible for assisting TSA management and surface inspection 
officials in the field by providing guidance and subject matter 
expertise in ensuring compliance by regulated entities with security 
requirements. Six regional security inspectors-surface (RSI-S) within 
the Compliance Programs Division are responsible for providing 
national oversight of local surface inspection, assessment, and 
operational activities. 

TSA Has Provided Inconsistent Oversight and Enforcement of the 
Passenger Rail Security Incident Reporting Requirement: 

TSA has not provided consistent oversight of the implementation of the 
passenger rail security reporting requirement, leading to considerable 
variation in the types and number of rail security incidents reported. 
This variation is compounded by inconsistency in compliance 
inspections and enforcement actions, due in part to limited 
utilization of oversight mechanisms at the headquarters level. 

Variation in Implementation of the Reporting Requirement: 

Since the rail security incident reporting regulation went into effect 
in December 2008, local TSA inspection officials, who are the primary 
TSA points of contact for rail agencies, have not received clarifying 
guidance from TSA headquarters regarding how rail agencies should 
implement the reporting regulation. Although the regulation identifies 
10 broad types of rail security incidents that must be reported to the 
TSOC, 7 of the 19 rail agencies we spoke with noted that there are 
several gray areas within these incident types that can be open to 
interpretation.[Footnote 18] In the absence of clarifying guidance 
from TSA headquarters, local TSA inspection officials have provided 
rail agencies with inconsistent interpretations of the regulation's 
reporting requirements. Some variation is expected in the number of 
rail security incidents that rail agencies reported because of 
differences in agency size, geographic location, and ridership. For 
example, we analyzed incident data for 7 of the 19 rail agencies 
included in our review, and found that the number of incidents 
reported per million riders ranged from 0.25 to 23.15.[Footnote 19] 
Inconsistent interpretation of the regulation by local TSA inspection 
officials has contributed to this variation.[Footnote 20] For example, 
officials from one rail agency we spoke with had been told by their 
local TSA inspection officials that they were required to report all 
instances in which a person was hit by a train, because an individual 
cannot be struck by a train in the right of way without trespassing or 
breaching security. In contrast, officials from another rail agency 
told us that their agency does not report all of these incidents 
because they are most often intentional suicides that are unrelated to 
terrorism.[Footnote 21] The local TSA inspection officials responsible 
for this agency agreed with this interpretation, noting that suicides 
generally have no nexus to terrorism. 

Similarly, rail agencies may have received inconsistent feedback from 
their local TSA inspection officials about reporting incidents 
involving weapons. The regulation requires that rail agencies report 
incidents that involve the "discharge, discovery, or seizure of a 
firearm or other deadly weapon on a train or transit vehicle or in a 
station, terminal, facility, or storage yard, or other location used 
in the operation of the passenger railroad carrier or rail transit 
system."[Footnote 22] However, officials from one rail agency stated 
that if an individual is stopped for fare evasion and is subsequently 
found to be in possession of an illegal firearm, they would not report 
the incident to the TSOC because it is a local criminal incident 
unrelated to terrorism.[Footnote 23] These officials explained that 
they would report only incidents that could have a nexus to terrorism, 
in part because reporting incidents that are unrelated to terrorism 
could reduce the quality of the data TSA collects. The local TSA 
inspection officials responsible for this agency have never found it 
to be in noncompliance for not reporting a weapon, tacitly approving 
of the agency's interpretation of the regulation. In contrast, 
officials at another rail agency said that they report all incidents 
related to weapons--regardless of their possible nexus to terrorism--
because their local TSA inspection officials have instructed them that 
any firearm found in the system has to be reported. However, these 
officials stated that because of local gun laws, handguns are seized 
during the course of routine law enforcement activities, and are 
generally incidental to the original criminal offense. While they do 
report these local criminal incidents to the TSOC as directed by their 
local TSA inspection officials, the rail agency officials stated that 
it is unclear to them why it is necessary to do so if they have no 
nexus to terrorism. Clarification about which incidents should be 
reported could help address the confusion among rail agencies, and 
improve consistency in incident reporting. 

Before the final rule was issued in November 2008, rail stakeholders 
raised concerns about the types of incidents required to be reported 
in commenting on the notice of proposed rulemaking. Specifically, some 
rail stakeholders noted when commenting on the proposed rule that the 
regulation's definition of reportable events was too broad and would 
result in an overload of information that would divert attention from 
truly significant threats and dilute the effectiveness of the 
reporting system.[Footnote 24] Rail stakeholders requested that TSA 
clarify the reporting requirements, but in the preamble to the final 
rule, TSA stated that the agency would not further define or limit the 
scope of the reporting requirement, because doing so would reduce the 
data that TSA received, which could be used for broader trend analyses 
in order to anticipate or prevent an attack.[Footnote 25] TSA has 
maintained this position, and as a result, has not developed 
clarifying guidance at the headquarters level regarding the reporting 
requirement. 

However, local TSA inspection officials, headquarters level compliance 
officials, and rail agency officials that we interviewed stated that 
additional written guidance could help ensure that the regulation is 
implemented more consistently.[Footnote 26] According to Standards for 
Internal Control in the Federal Government, information should be 
communicated in a way that allows officials to carry out their 
responsibilities.[Footnote 27] In October 2011, we also reported that 
providing officials with guidance that contains specific criteria and 
definitions would provide greater assurance that decisions are made 
consistently.[Footnote 28] For the aviation mode, TSA has established 
written guidance for reporting security incidents.[Footnote 29] TSA's 
operational directive for reporting aviation security incidents 
includes attachments that, among other things, identify the types of 
incidents that are to be reported, based on the immediate security 
threat of different types of incidents. With regard to passenger rail, 
however, TSA has maintained the agency's position as detailed in the 
preamble to the final rule, as described above, and has not taken 
actions to develop clarifying guidance regarding the types of 
incidents that should be reported under the regulation. Providing 
similar guidance to local TSA inspection officials responsible for 
rail agencies could help to ensure that these officials are 
interpreting the regulation consistently across different field 
offices. These actions could also better position TSA to consistently 
collect rail security incident information, which may facilitate its 
efforts to conduct trend analysis and also help TSA to "connect the 
dots" to identify potential threats to passenger rail systems. 

Inconsistent Compliance and Enforcement: 

TSA monitors passenger rail agency compliance with incident reporting 
requirements through compliance inspections and related enforcement 
activities at the local level, but TSA has not utilized its limited 
oversight mechanisms at the headquarters level as intended for 
ensuring consistency in these activities. Local TSA inspection 
officials conduct inspections of rail agencies to ensure compliance 
with the incident reporting requirement--that is, to ensure that rail 
agencies are properly reporting significant security concerns to the 
TSOC. In addition to monitoring compliance, inspections offer local 
TSA officials opportunities to provide rail agencies with feedback 
regarding their implementation of the regulation. TSA inspection 
officials also may take enforcement action against a rail agency that 
TSA finds to be not in compliance. Within TSA headquarters, the 
Compliance Programs Division within the Office of Security Operations 
is responsible for ensuring consistency in the application of all 
regulatory priorities that are to be implemented by the field and for 
monitoring and overseeing operational and field activities intended to 
support TSA's national rail security programs and objectives. 

Our analysis of TSA's inspection data from January 1, 2011, through 
June 30, 2012, shows that the frequency of local TSA inspections of 
compliance with the reporting regulation varies among rail agencies. 
TSA's rail security inspection policies and guidance do not specify 
how often inspections should be conducted, instead recommending that 
inspections be driven by reportable events, with local discretion used 
to ensure a reasonable number of inspections are performed. According 
to senior TSA compliance officials, this means that inspections can be 
initiated in response to a particular incident that local TSA 
officials become aware of, as opposed to being scheduled at regular 
intervals. According to PARIS data, from January 1, 2011, through June 
30, 2012, of the 19 rail agencies we spoke with, 7 agencies had been 
inspected at least 18 times, or an average of once per month. However, 
3 agencies had not been inspected, including a large metropolitan rail 
agency.[Footnote 30] Information in the text box below provides an 
example of this rail agency's experience with TSA compliance 
activities. Average monthly inspections for this time period ranged 
from about eight inspections to no inspections, and there was also 
variation in the regularity with which inspections occur. For example, 
although 1 agency was inspected 4 times during the time period we 
reviewed, 3 of these inspections were conducted on the same day. 
[Footnote 31] In contrast, another agency was inspected a total of 11 
times, with each inspection occurring in a different month. 

[Begin text box] 
TSA Had Not Inspected a Major Rail Agency: 
On the basis of our review of the TSOC's database, we found that one 
major rail agency had not reported any incidents to the TSOC from 
January 1, 2011 through June 30, 2012. According to officials from 
this rail agency, the agency did not report any incidents because the 
rail agency had not clearly identified who in the agency was 
responsible for reporting incidents to the TSOC. Further, the local 
TSA inspectors responsible for this rail system had not conducted any 
compliance inspections to determine whether the system was meeting its 
requirement to report rail security incidents, according to PARIS 
inspection records. The regulation requires rail agencies to allow TSA 
inspectors to conduct inspections, copy records, and perform tests to 
ensure that rail agencies are meeting their rail security incident 
reporting responsibilities. Local TSA inspection officials told us, 
however, they did not have sufficient access to the rail agency's 
police records and personnel to complete these inspection activities 
and therefore were unable to determine whether rail security incidents 
have actually occurred in the system. Given the passenger volume of 
this rail system, the local TSA officials stated that it was highly 
unlikely that no rail security incidents had occurred. According to 
local news sources, several security incidents had occurred on the 
system during 2011 that, according to the regulation, should have been 
reported to the TSOC. For example, an Internet search we conducted in 
September 2012 indicated that in 2011, local news reported on a 
suspicious item found in one of the rail system's stations that 
resulted in a delay of service. Local TSA inspection officials stated 
that they did not pursue enforcement action against the rail system 
for incidents that should have been reported, nor did they request 
assistance from TSA's Surface Compliance Branch in obtaining access to 
the rail system's incident documentation. These local TSA inspection 
officials also explained that they are working on improving their 
relationship with the rail agency and their access to the agency's 
incident records.
[End of text box] 

TSA's policies also describe a variety of activities that may 
constitute an inspection. According to senior TSA compliance 
officials, these broad policies on how to conduct inspections 
contribute to inconsistent approaches across TSA field offices. For 
example, according to TSA policy, inspections could range from a phone 
call to the rail agency to inquire whether the agency reported a 
specific incident to more rigorous, regularly scheduled, on-site 
inspections of rail agencies' internal incident management systems. 
However, for an inspection official to inquire about whether an agency 
reported a specific incident by phone, that official must first become 
aware of the incident through other means, such as a media report, 
whereas on-site inspections could allow TSA inspection officials to 
identify incidents that did not result in media reports, but should 
have been reported to the TSOC under the regulation. Further, senior 
TSA compliance officials told us that some local TSA inspectors may be 
hesitant to conduct regular on-site inspections or find rail agencies 
not in compliance for incident reporting because doing so could make 
rail agencies less willing to participate in other important voluntary 
security activities, such as TSA's Baseline Assessment for Security 
Enhancement (BASE)[Footnote 32] and the TSA-led Visible Intermodal 
Prevention and Response Program.[Footnote 33] However, variations in 
the rigor and frequency of inspections highlight the need for enhanced 
oversight of these activities at the headquarters level to help ensure 
that rail agencies are reporting security incidents as required by the 
regulation. 

In addition, TSA has inconsistently applied enforcement actions 
against rail agencies for not complying with the regulation. TSA's 
progressive enforcement policy includes the following steps, in order 
of severity, following a finding of not in compliance: (1) on-the-spot 
counseling, (2) administrative action--notice of noncompliance, and 
(3) civil penalty action.[Footnote 34] In some cases, rail agencies 
have received a finding of not in compliance that resulted in on-the-
spot counseling or a notice of noncompliance for failing to report 
certain types of incidents that other agencies may not report as a 
matter of standard practice, such as weapons discovered during the 
course of routine criminal activity. For example, one rail agency 
received a notice of noncompliance for failing to report an incident 
involving a knife that was discovered in an individual's possession 
after law enforcement officials intervened in a verbal altercation on 
a train. In contrast, as discussed above, officials from another rail 
agency said that they would not report routine criminal incidents 
involving weapons, including firearms and other deadly weapons such as 
knives, and had discussed this policy with their local TSA inspection 
officials. While the agency had been inspected, the local TSA 
officials had never issued a finding of noncompliance related to not 
reporting incidents involving weapons. TSA inspection officials have 
also taken an enforcement action against a rail agency for failing to 
report an incident that was not required to be reported. Specifically, 
one rail agency received a notice of noncompliance for failing to 
report a suspicious item discovered in the public area of one of its 
bus garages. However, according to a senior TSA compliance official, 
rail agencies are not required to report incidents involving buses or 
bus facilities, and therefore TSA officials should not take 
enforcement actions against rail agencies for failing to report bus 
incidents. 

According to senior TSA compliance officials, inconsistent inspection 
and enforcement actions occur, in part because TSA has limited 
oversight mechanisms at the headquarters level, and has not utilized 
them as intended to monitor or oversee the rail security compliance 
and inspection activities in the field.[Footnote 35] Standards for 
Internal Control in the Federal Government provides that internal 
controls should be designed to ensure that ongoing monitoring occurs 
in the course of normal operations.[Footnote 36] TSA established the 
regional security inspector-surface (RSI-S) position as a primary 
oversight mechanism at the headquarters level for monitoring 
compliance inspections and enforcement actions to help ensure 
consistency across field offices. However, according to TSA officials, 
the RSI-S is not part of the formal inspection process and has no 
authority to ensure that inspections are conducted consistently. The 
RSI-S also has limited visibility over when and where inspections are 
completed or enforcement actions are taken because TSA lacks a process 
to systematically provide the RSI-S with this information during the 
course of normal operations. As a result, TSA has limited assurance 
that the RSI-S will be able to provide oversight of local passenger 
rail inspection and enforcement activities.[Footnote 37] For example, 
with regard to the situation discussed in the text box above, the RSI-
S responsible for that rail agency was not aware that the agency had 
not reported any incidents to the TSOC and had never been inspected by 
the local TSA inspection officials. The text box below provides 
another example of the challenges that TSA faces in ensuring 
consistency across local TSA offices. 

[Begin text box] 
TSA Efforts to Streamline Amtrak's Compliance Activities Face 
Challenges: 
In 2010, Amtrak worked with an RSI-S to streamline the reporting and 
inspection process, but TSA has faced challenges implementing this 
process across all its field offices. As the only nationwide passenger 
rail agency, Amtrak has been regularly inspected by multiple TSA field 
offices in locations that Amtrak services.[A] According to Amtrak and 
TSA officials, these inspections are duplicative and cause confusion 
because incidents may be inspected for compliance by multiple TSA 
field offices, each with potentially different interpretations of the 
regulatory requirement. For example, one local TSA office found Amtrak 
to be not-in-compliance for not reporting an incident that another TSA 
office had told Amtrak did not need to be reported. To ensure that the 
regulation was being applied consistently throughout its operations, 
Amtrak notified the RSI-S of these inconsistencies between different 
field offices, and worked with the RSI-S to establish a centralized 
incident reporting and inspection process. Under this new process, 
according to Amtrak and TSA officials, all rail security incidents 
occurring on Amtrak nationwide should be reported to TSOC by Amtrak's 
National Communications Center in Philadelphia, Pennsylvania, rather 
than by the local Amtrak officials where the incident occurred. In 
addition, according to Amtrak and TSA officials, all TSA compliance 
inspections should be conducted by the local TSA field office in 
Philadelphia. According to these officials, the centralized reporting 
and inspection process has been implemented effectively by the 
Philadelphia field office. Specifically, between one and three times 
per month, a TSA official from the Philadelphia office checks 
compliance by randomly selecting security incidents from Amtrak's 
centralized incident monitoring system to determine whether they have 
been properly reported to the TSOC. However, although Amtrak and the 
RSI-S have implemented this reporting approach with the Philadelphia 
TSA office, other local TSA offices have continued to conduct 
compliance inspections of Amtrak. According to PARIS data, from 
January 2011 through July 2012, Amtrak was inspected 145 times. Of 
these, 116 were carried out by local TSA offices other than the 
Philadelphia office. According to senior TSA compliance officials, TSA 
headquarters has not taken actions to ensure that other field offices 
adhere to this centralized inspection approach, and TSA's mechanisms 
to monitor or oversee the rail security compliance and inspection 
activities in the field are limited. 

[A] As the only nationwide passenger rail agency, Amtrak has a unique 
perspective on the differences between local TSA offices with regard 
to the reporting requirement. In a May 2012 hearing before the House 
Committee on Homeland Security, Amtrak testified that it has 
encountered difficulties over interpretation of regulations by 
different TSA field offices, and identified mission confusion and 
disconnects among offices and TSA headquarters regarding rail security 
incident reporting requirements.
[End of text box] 

In the absence of a process to systematically monitor the inspection 
and enforcement activities of TSA field offices, it is unlikely that 
the RSI-Ss or compliance officials at the headquarters level would 
become aware of inconsistencies in compliance and enforcement 
activities in the field, unless the inconsistencies were specifically 
brought to their attention. However, even when compliance officials 
have become aware of issues related to inconsistent application of 
compliance or enforcement measures in the field, according to senior 
TSA compliance officials, no action has been taken by the Office of 
Security Operations at the headquarters level to ensure consistency 
among field offices.[Footnote 38] TSA inspection and compliance 
officials agreed that TSA could take steps to ensure more consistent 
application of compliance inspections and enforcement actions among 
TSA surface inspectors. By enhancing the existing oversight mechanisms 
at the headquarters level to systematically monitor and oversee 
compliance inspections and enforcement actions, as intended, TSA could 
improve its visibility over activities in the field, helping to ensure 
that local TSA inspection officials are consistently overseeing the 
regulatory reporting requirement. Such actions could further reduce 
inconsistency in the number and type of incidents that rail agencies 
report to the TSOC, which could improve TSA's ability to use the 
incident information for trend analysis to identify potential threats, 
as discussed below. 

Incident Data and Process Limitations Hinder Trend Analysis: 

TSA's incident management data system, known as WebEOC, has incomplete 
information, is prone to data entry errors, and has other limitations 
which inhibit TSA's ability to search and extract basic information. 
These weaknesses in WebEOC hinder TSA's ability to use rail security 
incident data to identify security trends or potential threats. In 
addition to these data weaknesses, TSA has conducted limited analysis 
of rail security incident information, in part because TSA does not 
have a systematic process for identifying trends or patterns in rail 
security incident information. 

Incomplete Information: 

When TSA learns about an incident that may not have been properly 
reported to the TSOC (through a compliance inspection or other means), 
there is no established process to ensure that WebEOC is updated to 
include that incident.[Footnote 39] As a result, WebEOC has incomplete 
incident information, which hinders TSA's ability to identify security 
trends and patterns. For example, over the course of 19 months, five 
similar incidents involving a suspicious item occurred in different 
stations of one rail agency. Although the rail agency did not report 
these incidents to the TSOC, the rail agency's internal intelligence 
group recognized a pattern, and developed an intelligence brief that 
it then disseminated to relevant rail stakeholders, including TSA. 
Upon receipt of this intelligence brief, local TSA inspection 
officials responsible for this rail agency issued a notice of 
noncompliance to the agency for not reporting two incidents 
highlighted in the brief.[Footnote 40] In this case, the local TSA 
inspection official responsible for the agency reported these two 
incidents to the TSOC, but did not subsequently report the other three 
related incidents for inclusion in WebEOC.[Footnote 41] Similarly, of 
the 18 findings of noncompliance that were a result of failure to 
report an incident, 13 were not subsequently reported to the TSOC. 
Because TSA has no established process to help ensure TSA inspection 
officials or rail agencies notify the TSOC or update WebEOC with 
incident information that was not properly reported, WebEOC does not 
contain a record of these unreported rail security incidents. 
Standards for Internal Control in the Federal Government calls for 
agencies to take actions to help ensure that data are complete and 
accurate.[Footnote 42] Developing a process for ensuring the inclusion 
of incidents discovered during compliance inspections that were not 
immediately reported to the TSOC could provide TSA with a more 
comprehensive picture of security incidents to better position it to 
identify any trends or patterns. 

Data Entry Errors and Limitations: 

In addition, we identified data entry errors and limitations in 
WebEOC, which inhibit TSA's ability to search and extract certain 
information. Further, the guidance provided to officials responsible 
for entering incident information does not help prevent these errors 
because it allows for variation in the WebEOC data and assumes that 
the official responsible for entering the data fully understands the 
data entry options. As a result, the TSOC could not provide us with 
certain information about the rail security incident data, such as the 
number of incidents reported by incident type (e.g., suspicious item 
or bomb threat) or the total number of rail security incidents that 
have been reported to the TSOC.[Footnote 43] Without the ability to 
identify this information on the number of incidents by type or the 
total number of incidents, TSA faces challenges determining if 
patterns or trends exist in the data, as the reporting system is 
intended to do. Additionally, because WebEOC does not contain a 
specific data field to identify the agency affected by the incident, 
TSA could not provide us with the total number of incidents reported 
by a particular agency.[Footnote 44] Senior TSOC officials agreed with 
our findings and noted that these errors and limitations in WebEOC 
have complicated TSA's ability to use the data to identify security 
trends or potential threats. For example, TSA attempted to analyze the 
frequency of rail tunnel breaches occurring in the U.S. rail system, 
as directed by the conference report accompanying the DHS 
appropriations act for fiscal year 2012.[Footnote 45] However, 
according to a senior TSA intelligence analyst, the rail security 
incident information from WebEOC was inadequate for conducting this 
analysis, and as a result, TSA had to request information from rail 
agencies and industry associations to complete the analysis. 

We also found that WebEOC data entry errors occur, in part, because of 
problems in the data entry process and limitations in WebEOC, 
including inaccurate categorization of incident characteristics in key 
data fields, such as the "Incident Type" and "Type of Entry" fields. 
[Footnote 46] For example, we analyzed 1 month of the data provided by 
TSA, which included a total of 152 passenger rail security incidents. 
[Footnote 47] We reviewed the "Incident Type" data field for these 
incidents, and found that 106 (70 percent) were characterized as "Not 
Applicable" or "Other Rail Incidents."[Footnote 48] While this alone 
does not indicate that these incidents were mischaracterized, we found 
that 25 of these incidents should have been characterized under other 
available options, including "Firearm or Deadly Weapon," "Bomb 
Threat," or "Suspicious Activity," among others. TSA officials agreed 
that the options for the "Incident Type" data field could often result 
in errors, and that these errors contributed to TSA's inability to 
provide the number of security incidents reported by incident type. 

With regard to the "Type of Entry" data field, TSA provided data 
extracted from WebEOC using the "Mass Transit" and "Rail" categories 
within this data field in response to our request for all of the 
passenger rail incidents reported from January 2011 through June 2012. 
However, because the WebEOC data entry options did not distinguish 
between passenger rail and freight rail, TSA could not provide a 
dataset that included only incidents reported by passenger rail 
agencies. Further, because TSA officials responsible for entering the 
incident data were not provided guidance that included definitions of 
the data entry options, incidents reported by the passenger rail 
agencies in our scope were sometimes categorized as "Mass Transit" and 
other times as "Rail."[Footnote 49] As a result of our review, TSOC 
officials recognized that the options available under the "Type of 
Entry" data field were a key limitation of the WebEOC system resulting 
in data entry errors. In July 2012, officials at TSOC removed "Rail" 
as an option within "Type of Entry," and replaced it with two options--
"Passenger Rail" and "Freight Rail." TSOC officials also developed 
additional guidance for the individuals responsible for entering the 
data, which can be accessed directly from WebEOC. This guidance 
addresses the data entry options for the "Type of Entry" data field, 
providing definitions of each of the surface transportation modes 
included as options. 

TSA's actions to create new data entry options and guidance for the 
"Type of Entry" data field are positive steps toward improving the 
categorization of rail security incident data. However, TSOC officials 
have not taken similar actions to address issues that exist with other 
data fields in WebEOC, including the "Incident Type" data field. The 
WebEOC data entry guidance that TSA has provided officials in the TSOC 
for data fields other than "Type of Entry" does not help prevent data 
entry errors from occurring because it allows for variation in the 
WebEOC data and assumes that the official responsible for entering the 
data fully understands the data entry options. For example, the stated 
purpose of the guidance is to ensure that all necessary elements of an 
incident are captured "while maintaining each [official's] unique 
style." Further, the guidance states that the data fields such as 
"Incident Type" are "self-explanatory" and provides no additional 
information on how to enter the data or choose among different options. 

We have previously reported on the importance of clear data entry 
guidance to help ensure that TSA is collecting consistent data that 
will allow the agency to better "connect the dots" with regard to 
potential terror threats to U.S. transportation systems.[Footnote 50] 
Further, Standards for Internal Control in the Federal Government 
states that information should be communicated to officials within an 
agency in a way that allows them to carry out their 
responsibilities.[Footnote 51] Additional guidance that contains clear 
definitions of data entry options could help TSA to reduce data entry 
errors in other data fields and improve users' ability to search and 
extract basic information from the system, ultimately improving TSA's 
ability to analyze the rail security incident information. 

Limited Use of Incident Information: 

The weaknesses in the incident information notwithstanding, TSA has 
made limited use of the rail security incident information it has 
collected from rail agencies, in part because it does not have a 
systematic process for conducting trend analysis. As a result, TSA is 
missing an opportunity to identify potential security trends and 
patterns in the incident information, and develop recommended security 
measures to mitigate threats, as intended. Although TSA does not have 
a systematic process for identifying trends and patterns using the 
WebEOC rail security incident information, opportunities exist to 
identify trends from the information, despite the data weaknesses 
discussed above. In one example, the freight rail industry, through 
the Railway Alert Network--which is managed by the Association of 
American Railroads, a rail industry group--identified a trend where 
individuals were reportedly impersonating federal officials. In 
coordination with TSA and FRA, the Railway Alert Network subsequently 
issued guidance to its member organizations designed to increase 
awareness among freight rail employees and provide descriptive 
information on steps to take in response. The Railway Alert Network 
identified this trend through analysis of incident reporting from 
multiple freight railroads. In each case, the incident had been 
reported by a railroad employee. These incidents had also been 
reported to the TSOC. 

Similarly, in response to a specific request from freight rail 
stakeholders, TSA's Office of Intelligence and Analysis, which is 
responsible for analyzing threat information, used WebEOC incident 
information to identify the frequency and timing of shootings at 
freight trains.[Footnote 52] However, other products developed by the 
Office of Intelligence and Analysis and other DHS components that 
address domestic rail security incidents do not contain trend analysis 
of reported rail security incidents and are instead generally limited 
to descriptions of specific incidents.[Footnote 53] For example, TSA 
produces a series of periodic reports called the Global and Regional 
Intelligence Digest that provides descriptive reports of select 
transportation security incidents (for all transportation modes), with 
minimal accompanying analysis. Similarly, other products may contain 
intelligence information designed to inform rail stakeholders, but are 
based on sources other than the rail security incident data reported 
by rail agencies to the TSOC.[Footnote 54] Senior TSA intelligence 
officials we spoke with agreed that TSA does not have a systematic 
process for analyzing the rail security incident information, and is 
not using the information to conduct long-term trend analysis, though 
agency officials said they would like to do so in the future. 

In the absence of a systematic process for conducting trend analysis, 
TSA officials said that the agency primarily relies on internal TSA 
officials to notice trends when they receive daily incident report 
summaries from the TSOC, which are detailed summaries of the most 
significant incidents reported each day, across all modes of 
transportation. However, TSA officials said that the agency has not 
identified any trends in passenger rail incidents as a result of these 
summaries. As a result, officials from rail agencies we spoke with 
generally found little value in the reporting process, because it was 
unclear to them how, if at all, the information was being used by TSA 
to identify trends or threats that could help TSA and rail agencies 
develop appropriate security measures. The notice of proposed 
rulemaking,[Footnote 55] final rule,[Footnote 56] and the Privacy 
Impact Assessment associated with collecting the incident information 
in WebEOC state that TSA's purpose for collecting and maintaining the 
incident information is to help TSA "connect the dots." In these 
documents, the agency said it would "connect the dots" by pulling 
together seemingly disconnected or disparate reports of suspicious or 
unusual rail security incidents through trend analysis that may allow 
TSA to anticipate and prevent an attack, and determine whether to 
encourage or require rail agencies to implement particular security 
measures. Without a process for systematically conducting trend 
analysis of the rail security incident data, it will be difficult for 
TSA to use the incident data it collects from agencies. As a result, 
TSA may continue to miss opportunities to identify security trends, 
such as the freight rail security trend identified by the Railway 
Alert Network, or to develop recommended security measures. 

Conclusions: 

The foiled terrorist plots against the New York and Washington, D.C., 
passenger rail systems in 2009 and 2010, respectively, show the 
continued threat to passenger rail security and underscore the 
importance of tracking and analyzing security incident information to 
identify possible indicators or precursors of terrorist activity. 
TSA's incident reporting regulation, issued in 2008, was intended to 
allow TSA to "connect the dots" to identify significant incidents, and 
discern rail security threats and trends. However, TSA has not used 
the incident information as it was intended. Using the incident 
information to conduct trend analysis would better position TSA to 
anticipate a future attack, and encourage or require rail agencies to 
implement more targeted security measures. Key to the effectiveness of 
this effort is collecting consistent, accurate, and complete incident 
information from rail agencies. While some variation is expected among 
rail agencies in the number and types of rail security incidents 
reported, written guidance disseminated to rail agencies and local TSA 
inspection officials--clarifying the types of incidents that should be 
reported to the TSOC--and enhanced mechanisms for oversight of 
compliance and enforcement activities could help ensure that the 
regulation is implemented consistently. Such actions could also help 
improve consistency in TSA's compliance activities, thereby improving 
the reporting process and facilitating TSA's ability to use the 
incident information for trend analysis that may identify potential 
threats. 

In addition, incomplete information, data entry errors, and 
limitations in WebEOC hinder TSA's ability to use rail security 
incident data to identify security trends or potential threats. TSA 
has taken some steps toward addressing some of the weaknesses in 
WebEOC, but additional actions could improve the completeness and 
accuracy of the information in the database. A process for updating 
the database when incidents that had not previously been reported are 
discovered through compliance activities and additional guidance for 
TSOC officials who enter the information would help TSA to reduce data 
entry errors and improve users' ability to search and extract 
information from the system, ultimately improving TSA's ability to 
analyze the rail security incident information. The weaknesses in the 
incident information notwithstanding, without a systematic process in 
place for regularly conducting trend analysis, TSA has missed 
opportunities to use the data in its incident reporting system as it 
was intended--to identify trends or patterns in the incident 
information that could help TSA and rail agencies develop targeted 
security measures that could strengthen rail security. 

Recommendations for Executive Action: 

To help ensure that the rail security incident reporting process is 
consistently implemented and enforced, we recommend that the 
Administrator of TSA take the following two actions: 

* develop and disseminate written guidance for local TSA inspection 
officials and rail agencies that clarifies the types of incidents that 
should be reported to the TSOC, and: 

* enhance and utilize existing oversight mechanisms at the 
headquarters level, as intended, to provide management oversight of 
local compliance inspections and enforcement actions. 

To help fulfill TSA's stated purpose for collecting rail security 
incident information and improve the accuracy and completeness of the 
incident data in TSA's incident management system, WebEOC, we 
recommend that the Administrator of TSA take the following three 
actions: 

* establish a process for updating the database when incidents that 
had not previously been reported are discovered through compliance 
activities; 

* develop guidance for TSOC officials that includes definitions of 
data entry options to reduce errors resulting from data entry 
problems; and: 

* establish a systematic process for regularly conducting trend 
analysis of the rail security incident data, in an effort to identify 
potential security trends that could help the agency anticipate or 
prevent an attack against passenger rail and develop recommended 
security measures. 

Agency Comments and Our Evaluation: 

We provided a draft of this report to DHS for comment. In written 
comments received December 4, 2012, DHS concurred with the 
recommendations and identified actions taken, planned, or under way to 
implement the recommendations. DHS's written comments are summarized 
below and reproduced in appendix V. The Department of Transportation's 
Director of Audit Relations stated in an e-mail received on December 
6, 2012, that the department had no comments on the report. Amtrak's 
audit liaison stated in an email received on November 16, 2012, that 
Amtrak had no comments on the report. 

In its written comments, DHS concurred with our recommendation that 
TSA develop and disseminate written guidance for local TSA inspection 
officials and rail agencies that clarifies the types of incidents that 
should be reported to the TSOC. DHS stated that TSA's Office of 
Security Operations and its Office of Security Policy and Industry 
Engagement will work together to develop written guidance for 
passenger rail agencies clarifying the types of incidents that should 
be reported to the TSOC. TSA plans to disseminate the guidance to 
passenger rail agencies. If implemented, these actions would address 
our recommendation and could help reduce confusion among rail agencies 
and improve consistency in incident reporting. 

In response to our recommendation that TSA enhance and utilize 
existing oversight mechanisms at the headquarters level, as intended, 
DHS concurred with the recommendation and stated that while several 
mechanisms and layers are in place for oversight and management of 
local inspection and enforcement actions, TSA recognizes that there 
are opportunities for improving oversight. According to DHS, existing 
oversight mechanisms include RSI-Ss, who serve as technical 
specialists, oversee and implement transportation security policy and 
programs, and conduct field office audits and visits, among other 
things. DHS also stated that its Office of Chief Counsel coordinates 
enforcement actions with RSI-Ss, local field offices, TSA's Office of 
Compliance Programs, and TSA's Office of Security Policy and Industry 
Engagement. DHS stated that to improve headquarters oversight, RSI-Ss 
have recently been granted case review privileges in PARIS--which is 
used to record all TSA inspection activities--along with any findings 
and actions taken. DHS stated that this will allow the RSI-Ss greater 
visibility on all surface inspections, investigations, and 
recommendations for enforcement actions entered into PARIS by enabling 
the RSI-Ss to provide written recommendations in PARIS prior to 
inspection approval. Because RSI-Ss have recently been granted this 
access, it is too soon to determine the extent to which this action 
will address our recommendation. 

In response to our recommendation that TSA establish a process for 
updating its WebEOC database when incidents that had not been 
previously reported are discovered through compliance activities, DHS 
concurred and stated that TSA is currently establishing a business 
process to ensure the relevant databases are complete. According to 
DHS, the WebEOC system will be adjusted to permit inputting of records 
that are discovered through compliance activities. We will continue to 
monitor the agency's efforts to implement our recommendation. 

DHS also concurred with our recommendation that TSA develop guidance 
for TSOC officials that includes definitions of data entry options to 
reduce errors resulting from data entry problems. DHS stated that the 
TSOC had completed implementing this recommendation by updating the 
guidance with respect to input options. However, the updated guidance 
that TSA sent to us clarifies that incident logs in WebEOC need to 
indicate that an incident was reported by phone. The guidance does not 
provide definitions for data entry options, as we recommended, and we 
therefore continue to believe that additional guidance is necessary 
for the officials responsible for inputting the incident information 
into WebEOC. 

In response to our recommendation that TSA establish a systematic 
process for regularly conducting trend analysis of the rail security 
incident data, in an effort to identify potential security trends, DHS 
concurred and stated that TSA will develop a process to review 
suspicious activities and incidents in the mass transit and passenger 
rail areas in order to identify trends that might represent a threat 
to transportation. We will continue to monitor the agency's efforts to 
implement our recommendation. 

We are sending copies of this report to the Secretaries of Homeland 
Security and Transportation, the TSA Administrator, Amtrak, 
appropriate congressional committees, and other interested parties. In 
addition, this report is available at no charge on the GAO website at 
[hyperlink, http://www.gao.gov]. 

If you or your staff have any questions about this report, please 
contact me at (202) 512-4379 or lords@gao.gov. Contact points for our 
Offices of Congressional Relations and Public Affairs may be found on 
the last page of this report. Key contributors to this report are 
acknowledged in appendix VI. 

Signed by: 

Stephen M. Lord: 
Director, Homeland Security and Justice Issues: 

[End of section] 

Appendix I: Influence of Foreign Attacks on Selected U.S. Rail 
Agencies' Security Measures: 

Officials we met with from eight high-volume rail agencies generally 
stated that foreign rail attacks (such as those described in appendix 
IV) served as potent reminders of potential terror threats against 
rail, but they did not lead the rail agencies to make significant 
changes in their security measures.[Footnote 57] Nonetheless, agencies 
have used these incidents to inform security enhancements. 
Specifically, these agencies reported making changes to their security 
measures, in part as a result of lessons learned from foreign attacks. 
[Footnote 58] These changes were related to: 

* Public awareness campaigns. These include publicity posters and 
announcements over public address systems within rail stations that 
alert passengers and rail agency employees to report suspicious items 
or behaviors to police. For example, officials from one rail agency we 
spoke with reported making changes to its public awareness campaign 
following the attacks in Madrid and London. These changes included 
instituting a regional transit security awareness program, including 
periodic audio announcements reminding passengers to be aware of 
potential threats, in coordination with the Federal Transit 
Administration's Transit Watch Program. Other rail agencies reported 
that the attacks described in appendix IV emphasized the importance of 
having informed riders that can act as a "force multiplier" when it 
comes to noticing suspicious activity. 

* Armed mobile tactical teams. These are police teams similar to SWAT 
teams that patrol rail systems or that are intended for rapid 
deployment in the event of a terror attack or related incident. 
Officials from one high-volume rail agency reported that the 2008 
attack in Mumbai led it to immediately increase training in responding 
to "active shooter" scenarios by its existing mobile tactical teams. 
Officials from other high-volume rail agencies we interviewed also 
reported that they established mobile tactical teams or increased the 
training of their existing patrols following the 2008 Mumbai attacks. 

* Motorized emergency response vehicles. These are small battery-
operated vehicles intended to help first responders reach injured or 
stranded passengers when they cannot be quickly reached by a rescue 
train (if, for example, rails have been damaged by a terror blast or 
electrical outage). Officials from one agency we interviewed reported 
that it deployed these response vehicles directly in response to 
lessons learned from the London attack, during which first responders 
used such vehicles to rescue injured Underground rail passengers. 

* Closed-circuit television (CCTV). CCTV refers to a visible or covert 
video system intended for only a limited number of viewers. In CCTV, 
the picture is viewed or recorded, but not broadcast. According to 
officials from two high-volume rail agencies we interviewed, the July 
2005 attacks in London demonstrated the utility of CCTV coverage for 
forensic investigation. A United Kingdom government analysis reported 
that the cameras helped police determine the identity of the bombers. 
Officials from four high-volume rail agencies we interviewed stated 
that while they increased the number of CCTV cameras in their rail 
systems, this did not occur immediately following the London attacks. 
Rather, the London attacks reinforced the importance of CCTV camera 
coverage as a key security measure. 

[End of section] 

Appendix II: Selected Mechanisms Used to Gather Information on Lessons 
Learned from Passenger Rail Attacks and Share Rail Security 
Information: 

The Transportation Security Administration (TSA) and officials from 
eight high-volume passenger rail agencies we interviewed identified 
several different mechanisms they use to obtain and share passenger 
rail security-related information, including information on lessons 
learned from foreign rail attacks (such as those described in appendix 
IV) and security measures implemented or considered by other U.S. rail 
stakeholders.[Footnote 59] Many of these mechanisms have also been 
discussed in our previous reports on information sharing and rail 
security issues.[Footnote 60] The key mechanisms that officials from 
the eight high-volume rail agencies we interviewed cited using to 
obtain and share passenger rail security-related information are 
summarized in table 1. 

Table 1: Selected Mechanisms Cited by Eight High-Volume Rail Agencies 
to Obtain and Share Rail Security Information: 

Mechanism: TSA Transit Policing and Security Peer Advisory Group (PAG); 
Mechanism description: The PAG is a monthly TSA-sponsored forum 
consisting of transit police chiefs and security directors from 21 
major transit agencies in the country. The PAG holds regular monthly 
teleconferences and meetings, where participants discuss issues of 
concern to them, including security-related developments, and lessons 
learned from ongoing security processes. Officials from three of the 
eight rail agencies we interviewed described the PAG as useful for 
police and security officials to exchange information on rail security 
measures implemented by similar rail agencies, and to get to know one 
another. 

Mechanism: TSA transit community information-sharing call; 
Mechanism description: TSA facilitates monthly teleconferences with 
over 300 rail stakeholders invited to participate. These calls 
generally include an unclassified threat briefing conducted by the TSA 
Office of Intelligence and Analysis, TSA announcements, and 
presentations by rail agency officials on security best practices. 
Officials from one rail agency cited these calls as a useful way to 
discuss security-related information with a large number of interested 
stakeholders on a regular basis, thus improving their preparedness and 
situational awareness. However, another rail agency official noted 
that rail agencies may be hesitant to share their sensitive security 
practices in a teleconference setting. 

Mechanism: DHS's Homeland Security Information Network (HSIN); 
Mechanism description: HSIN is an access-restricted website available 
to rail and other transportation stakeholders. It is intended to 
provide searchable information to transportation-related entities 
including passenger rail. Officials from one rail agency cited HSIN as 
a useful resource to improve knowledge of rail-related events both in 
the United States and overseas. 

Mechanism: Public Transportation Information Sharing and Analysis 
Center (PT-ISAC)[A]; 
Mechanism description: Administered by the American Public 
Transportation Association, and in collaboration with TSA, the Federal 
Transit Administration (FTA), and the Association of American 
Railroads, the PT-ISAC is a 24/7 information center that collects, 
analyzes, and distributes security-and threat-related information to 
transportation entities from the federal government and open sources. 
For example, daily unclassified e-mail bulletins known as the Transit 
and Rail Intelligence Awareness Daily (TRIAD) are sent to subscribers 
summarizing and analyzing security information, news, threats, and 
potential vulnerabilities within the transportation sector. Officials 
from one rail agency we interviewed noted that information and 
analyses sent out by PT-ISAC, including TRIAD messages, have been 
particularly helpful for understanding rail security threats and 
incidents overseas. 

Mechanism: The International Working Group on Land Transport Security; 
Mechanism description: The working group consists of 20 countries and 
two observer organizations that meet annually to share best practices 
on surface transportation security. For example, the 2010 annual 
conference culminated in the completion of 71 "smart" rail security 
practices. TSA participates as the lead federal agency for the United 
States. TSA states that its participation permits it to identify 
effective rail security best practices and counterterrorism measures 
for potential integration domestically and states that it shares the 
information acquired through a variety of mechanisms, such as the 
monthly PAG and other teleconferences with rail stakeholders. 

Mechanism: FTA e-mail alerts; 
Mechanism description: The lead emergency coordinator at FTA 
disseminates rail security information to approximately 500 
individuals and organizations, including public transit agencies; 
federal, state, and local agencies; fusion centers; and law 
enforcement. Information is disseminated over e-mail and includes 
breaking news alerts, updates on incidents affecting rail operations, 
and intelligence information. One rail agency official noted that he 
received most of his security-related information from the FTA e-mail 
alerts. 

Mechanism: TSA/FTA Transit Security and Safety Roundtables; 
Mechanism description: TSA and FTA host roundtables with the nation's 
largest passenger rail agencies to discuss security challenges, 
terrorism prevention, and efforts to develop effective risk mitigation 
and security enhancements. These roundtables were formerly held twice 
a year, but will now be held annually, according to TSA officials. The 
meeting scheduled for 2012 has been postponed as FTA and TSA 
reconfigure the event. Several rail agencies described these 
roundtable discussions as useful for getting to know other rail 
security officials and keeping current on situational awareness and 
potential security threats. 

Mechanism: Other rail agencies; 
Mechanism description: Some rail agencies and their associated police 
forces have their own internal intelligence officers or departments 
that are responsible for analyzing international and domestic 
intelligence to identify potential threats or lessons learned from 
foreign attacks. For example, the New York Police Department maintains 
11 overseas offices for the purposes of gathering information on 
potential terror threats. The New York Police Department also 
maintains a restricted access website, The Shield, which makes 
available to rail and other security officials a wide variety of rail 
and other terror-related information and analysis. As another example, 
Boston's Massachusetts Bay Transportation Authority sends out analyses 
and information to other rail agencies. Both of these mechanisms--
internal intelligence officers and the restricted access website--were 
cited by rail agencies we interviewed as providing useful information 
about foreign rail attacks and for keeping aware of rail-related 
security issues.[B] 

Mechanism: Industry websites and related information distribution 
mechanisms; 
Mechanism description: Passenger rail industry organizations such as 
the American Public Transportation Association maintain websites to 
share information directly with public transit agencies. The American 
Public Transportation Association maintains a website with detailed 
security-and safety-related rail standards and recommended practices 
in 29 areas, including perimeter and station security. Officials from 
one rail agency cited the association's online resources as helpful 
for identifying standards for security. 

Mechanism: Baseline Assessment for Security Enhancement (BASE) review 
process; 
Mechanism description: TSA's BASE reviews provide periodic assessments 
of how well rail systems are meeting rating criteria related to rail 
security. BASE has 17 security and emergency management action items 
described by TSA as forming the foundation of an effective security 
program. These include topics such as agency security plans and 
training, public outreach efforts, and background checks. The BASE 
assessment analyzes the security program for each transit system and 
identifies vulnerabilities. Participation in a BASE assessment is 
voluntary. According to TSA, the agency is updating the BASE 
assessment criteria to make the assessment more robust. Officials from 
two rail agencies found BASE assessments to be useful by alerting them 
to needed improvements in their security-related processes or because 
they provide a minimum standard for security measures. 

Mechanism: TSA Intermodal Security Training and Exercise Program (I-
STEP); 
Mechanism description: Through I-STEP, TSA employs multiphased 
workshops, tabletop exercises, and "lessons learned" working groups to 
integrate mass transit and passenger rail agencies with regional law 
enforcement and emergency response partners to expand and enhance 
coordinated deterrence and incident management capabilities. Officials 
from two rail agencies cited I-STEP as useful for improving security 
processes and awareness. 

Source: GAO analysis of DHS, Department of Transportation, American 
Public Transportation Association, and rail agency information. 

[A] The PT-ISAC was created under the direction of the Department of 
Transportation (DOT) in 2003 and is funded by TSA via DOT's FTA. 
According to the American Public Transportation Association, its 
members serve more than 90 percent of persons using public 
transportation in the United States and Canada. The American Public 
Transportation Association is responsible for validating PT-ISAC 
membership. For more information on PT-ISAC, see GAO, Transportation 
Security Information Sharing: Stakeholders Generally Satisfied but TSA 
Could Improve Analysis, Awareness, and Accountability, GAO-12-44 
(Washington, D.C.: Nov. 21, 2011) and GAO, Public Transit Security 
Information Sharing: DHS Could Improve Information Sharing through 
Streamlining and Increased Outreach, GAO-10-895 (Washington, D.C.: 
Sept. 22, 2010). 

[B] We have previously reported in GAO-10-895 that public transit 
agencies may receive unclassified security-related information from 
other public transit agencies on an ad-hoc basis. For example, a large 
public transit agency may pass along security-related information to a 
smaller agency in the same geographic region, or security officials at 
one agency may receive information from officials at other agencies 
around the country through informal networks. 

[End of table] 

[End of section] 

Appendix III: Objectives, Scope, and Methodology: 

This report addresses the following questions: 

* To what extent has the Transportation Security Administration (TSA) 
overseen and enforced the passenger rail security incident reporting 
requirements? 

* To what extent has TSA analyzed passenger rail security incident 
information to identify security trends and potential threats against 
passenger rail systems? 

Appendix I of this report also includes information on how selected 
rail agencies applied lessons learned from foreign rail attacks to 
enhance their rail security measures. Appendix II includes information 
on key mechanisms rail agencies use to obtain rail security-related 
information. 

To address these questions, we examined TSA's rail security incident 
reporting process. We focused on TSA's regulation for rail security 
incident reporting, which requires passenger rail agencies to report 
rail security incidents to the Transportation Security Operations 
Center (TSOC). We reviewed the notice of proposed rulemaking and final 
rule that describe the purpose and justification of the incident 
reporting requirement, as well as TSA policy documents, manuals, and 
guidance concerning the rail security incident reporting process. We 
also interviewed cognizant TSA officials at headquarters and in the 
field regarding their roles in the incident reporting process. To 
obtain rail industry perspectives on the rail security incident 
reporting process, we conducted visits at, or teleconferences with, 19 
of the top 50 passenger rail systems across the nation, by passenger 
rail ridership.[Footnote 61] See table 2 for a list of passenger rail 
systems we interviewed. We selected these passenger rail systems to 
reflect varied levels of ridership and geographic dispersion. Because 
we selected a nonprobability sample of passenger rail systems, the 
information obtained from these visits and interviews cannot be 
generalized to all rail systems nationwide. However, we determined 
that the selection of these rail systems was appropriate for our 
design and objectives and that the selection would provide valid and 
reliable evidence. The information we obtained provided illustrative 
examples of the perspectives of various passenger rail stakeholders 
about the rail security incident reporting process, and corroborated 
information we gathered through other means. Further, we interviewed 
rail industry representatives from the American Public Transportation 
Association and the Association of American Railroads to obtain their 
perspectives on rail security issues. We selected these associations 
because they represent the majority of the passenger and freight rail 
systems in the United States. 

Table 2: Passenger Rail Systems Interviewed: 

Passenger rail system: Amtrak; 
Urban area served: Nationwide. 

Passenger rail system: Bay Area Rapid Transit (BART); 
Urban area served: San Francisco--Oakland, California. 

Passenger rail system: Bi-State Development Agency; 
Urban area served: St. Louis, Missouri. 

Passenger rail system: CALTRAIN; 
Urban area served: San Francisco and San Jose, California. 

Passenger rail system: Charlotte Area Transit System; 
Urban area served: Charlotte, North Carolina. 

Passenger rail system: Chicago Transit Authority (CTA); 
Urban area served: Chicago, Illinois. 

Passenger rail system: Greater Cleveland Regional Transit Authority; 
Urban area served: Cleveland, Ohio. 

Passenger rail system: Denver Regional Transportation District; 
Urban area served: Denver, Colorado. 

Passenger rail system: Maryland Transit Administration (MTA); 
Urban area served: Baltimore, Maryland and Washington, D.C. 

Passenger rail system: Metra Commuter Rail; 
Urban area served: Chicago, Illinois. 

Passenger rail system: New Jersey Transit; 
Urban area served: Newark, New Jersey--New York, New York. 

Passenger rail system: New York Metropolitan Transit Authority (MTA); 
Urban area served: New York, New York. 

Passenger rail system: Northern Indiana Commuter Transportation 
District; 
Urban area served: Chicago, Illinois. 

Passenger rail system: Port Authority of Allegheny County; 
Urban area served: Pittsburgh, Pennsylvania. 

Passenger rail system: Port Authority Trans Hudson (PATH); 
Urban area served: New York, New York--New Jersey. 

Passenger rail system: San Francisco Municipal Railway (Muni); 
Urban area served: San Francisco, California. 

Passenger rail system: Utah Transit Agency; 
Urban area served: Salt Lake City, Utah. 

Passenger rail system: Virginia Railway Express (VRE); 
Urban area served: Washington, D.C. 

Passenger rail system: Washington Metropolitan Area Transit Authority 
(WMATA); 
Urban area served: Washington, D.C. 

Source: GAO. 

[End of table] 

To assess the extent to which TSA has overseen and enforced the rail 
security reporting requirement, we interviewed officials from the 
selected rail systems discussed earlier on how they have implemented 
this requirement, including the guidance they have received from TSA 
on the types of incidents to report to the TSOC. We interviewed TSA 
headquarters officials from the Compliance Programs Division within 
the Office of Security Operations and local TSA officials from five 
field offices, including transportation security inspectors-surface 
(TSI-S) and assistant federal security directors-inspections (AFSD-I), 
regarding the guidance they provide to rail agencies on incident 
reporting and how they ensure rail agencies' compliance with the 
regulation. We selected these five field office locations because they 
had oversight responsibility for many of the rail agencies included in 
our scope. We also interviewed one TSA regional security inspector-
surface (RSI-S) regarding his role in the rail security incident 
reporting process.[Footnote 62] Because we selected a nonprobability 
sample of TSA's field offices and officials, the results from these 
interviews cannot be generalized to all TSA field offices; however, 
the information we obtained provided us with an overview of the role 
of TSA surface inspectors in the rail incident reporting process and 
corroborated information we obtained through other sources. We 
examined documentation on TSA's inspection processes for monitoring 
rail systems' compliance with the incident reporting requirement, 
including the Transportation Security Inspector Inspections Handbook, 
the National Investigations and Enforcement Manual, and the Compliance 
Work Plan for Transportation Security Inspectors. We also reviewed a 
TSA operational directive related to reporting aviation security 
incidents to TSA. 

We obtained incident data from the TSOC's incident management 
database, known as WebEOC, for the period January 2011 through June 
2012.[Footnote 63] We reviewed the data to determine the number and 
types of passenger rail security incidents reported to the TSOC by 
rail agencies. We also analyzed the data to identify differences in 
the number or types of rail security incidents reported by rail 
agencies of comparable size and volume. As part of this work, we 
assessed the reliability of data in WebEOC by conducting visits to the 
TSOC and interviewing TSOC officials to discuss their role in incident 
reporting and the mechanisms in place to ensure data quality. We also 
reviewed WebEOC documentation to identify how passenger rail security 
incident data are collected and managed, and how data quality is 
ensured. While we determined that the information in WebEOC was 
sufficiently reliable for the purposes of providing information on 
differences in the number and types of rail security incidents 
reported by selected rail agencies to the TSOC, we identified issues 
with data entry and data quality, which are discussed in this report. 
In addition, we obtained data from TSA's Performance and Results 
Information System (PARIS) for January 2011 through June 2012 on TSA's 
compliance inspections and all records related to enforcement actions 
taken under the passenger rail security incident reporting 
requirement.[Footnote 64] We analyzed the data to identify the content 
and frequency of TSA inspections conducted and enforcement actions 
taken under the incident reporting regulation. We ascertained the 
reliability of compliance data derived from PARIS by interviewing TSA 
officials from the Compliance Programs Division and reviewing 
documentation on controls implemented to ensure the integrity of the 
data in PARIS, and found the compliance data sufficiently reliable for 
our purposes. We also evaluated TSA's efforts to oversee and enforce 
the incident reporting requirement against criteria in Standards for 
Internal Control in the Federal Government.[Footnote 65] 

To assess the extent to which TSA has analyzed rail security incident 
information, we interviewed TSA officials from the TSOC, the Office of 
Intelligence and Analysis, the Office of Security Operations, and the 
Office of Security Policy and Industry Engagement regarding their 
roles and responsibilities. We reviewed available documentation and 
analyses that TSA prepared containing rail security incident 
information. We also examined the WebEOC incident management database 
to identify any limitations in the database that could present 
challenges for analyzing the rail security incident data, and we 
discussed these limitations with relevant TSA officials. We also 
interviewed officials from the rail agencies noted earlier about their 
views on the information and analyses they receive from TSA on rail 
security incidents. 

We also obtained information on how selected rail agencies applied 
lessons learned from foreign rail attacks to enhance their rail 
security measures and how rail agencies obtain and share passenger 
rail security-related information, including information on lessons 
learned from foreign rail attacks. To do this, we reviewed TSA 
documentation describing TSA's security strategy for the mass transit 
and passenger rail systems, such as TSA's Mass Transit and Passenger 
Rail Annex, and we discussed the rail security actions outlined in the 
annex with TSA officials. In addition, we reviewed rail security 
reports and interviewed an official from the Mineta Transportation 
Institute (MTI). We met with MTI because the organization's database 
on attacks against surface transportation, including passenger rail, 
was cited by TSA as the most comprehensive and up-to-date of existing 
databases. On the basis of information we obtained from MTI, and 
discussions with MTI and TSA officials, we found the quality of the 
methods used to develop these reports sufficient for use as a source 
in this report. We also interviewed security officials from selected 
passenger rail systems regarding their key security measures.[Footnote 
66] During visits to passenger rail systems, we toured stations and 
other facilities such as control centers, and observed security 
practices. We also interviewed officials from other federal agencies 
including the Central Intelligence Agency and the Department of 
Transportation's Federal Transit Administration and Federal Railroad 
Administration regarding their roles in passenger rail security, and 
we interviewed government officials involved with securing passenger 
rail in the United Kingdom. We also reviewed our prior reports on 
passenger rail security and information sharing as well as studies and 
reports conducted by outside organizations related to passenger rail, 
such as the Department of Homeland Security Office of the Inspector 
General. 

[End of section] 

Appendix IV: Summary of Recent Attacks against Foreign Passenger Rail 
Systems: 

According to the Mineta Transportation Institute (MTI), from September 
12, 2001 through December 31, 2011, 838 attacks occurred worldwide 
against passenger and commuter rail systems, resulting in 1,372 
fatalities.[Footnote 67] Most of these attacks occurred in South Asia 
(Pakistan, India, and Thailand) and Russia. For purposes of our 
review, we focused on recent passenger rail attacks that occurred in 
the following locations: Madrid, Spain; London, England; Mumbai, 
India; and Moscow, Russia. In this section, we summarize the basic 
facts of these attacks, using reports and information from the 
Department of Homeland Security (DHS), the Transportation Security 
Administration (TSA), open source, MTI, and others. Other attacks may 
have occurred at these locations, both before and after those cited. 

Madrid, Spain: March 2004: 

On March 11, 2004, 10 bombs exploded on three trains on Madrid's 
commuter rail system during the morning rush hour, killing 191 people 
and wounding more than 1,500 others. The bombs were placed in 
backpacks and detonated by cell phones. According to DHS's report on 
the attack, those responsible were from a terrorist group associated 
with al-Qaeda. According to DHS, by the end of March 2004, authorities 
had arrested 22 people in connection with the attack. The following 
month, Madrid law enforcement located a safe house associated with the 
suspected bombers. As authorities entered the apartment, the suspected 
terrorists inside detonated explosives, killing themselves and a 
police officer. Officers subsequently found backpacks filled with of 
explosives and detonators in the wreckage. 

London, England: July 2005: 

On July 7, 2005, four suicide bombers detonated improvised explosive 
devices during the London rush hour on three Underground (subway) 
trains and on a double-decker bus, killing a total of 52 people and 
injuring about 700. All four bombers were also killed in the attacks. 
The three Underground attacks occurred within moments of one another 
and the bus bombing occurred approximately 1 hour later. The bombers 
traveled together from a commuter rail station north of London to the 
King's Cross Underground station, from which they departed to their 
respective attack destinations. A second series of attacks was 
attempted 2 weeks later, on July 21. However, the explosives failed to 
detonate. According to DHS, no terrorist group has claimed 
responsibility. After a police investigation of the attacks, three 
additional suspects were charged with conspiracy in the identification 
and reconnaissance of potential terrorist targets in London. However, 
all three were acquitted on those charges in April 2009. 

Mumbai, India: July 2006 and November 2008: 

On July 11, 2006, a series of seven explosions occurred on a single 
rail line of Mumbai's commuter railway. In all, 190 people were killed 
and 625 were injured across all the incidents. In September 2006, 
Indian police said that the attacks were executed by Lashkar-e-Taiba. 

Starting on November 26, 2008, and continuing for the next 2 days, 
terrorists attacked various locations in the Mumbai area including a 
passenger rail station and hotels catering to Western tourists. The 
attackers used assault weapons, small arms, grenades, and explosives. 
One of the first attacks occurred at the Chhatrapati Shivaji rail 
terminus, one of the busiest train stations in the country. Two gunmen 
entered the passenger hall and opened fire, killing 59 and injuring 
104. The terrorists then dispersed throughout the city attacking 
another eight locations, killing at least an additional 129 and 
injuring more than 223 others. According to DHS, like the attacks on 
July 11, 2006, the terrorists were also from Lashkar-e-Taiba. Nine 
terrorists were killed during the course of the attacks, while one was 
captured alive. 

Moscow, Russia: March 2010: 

On March 29, 2010, two suicide bombers attacked trains at two stations 
in the Moscow Metro during the morning rush hour, killing 40 and 
injuring 58 others. The first explosion occurred on a train as it 
pulled into Lubyanka station. The second explosion occurred at the 
Park Kultury station as passengers were boarding a train. Both the 
Lubyanka and Park Kultury stations are transfer stations and may have 
been chosen by the attackers in an effort to target the greatest 
number of people. Russian officials attribute the attack to Chechen 
separatists. 

[End of section] 

Appendix V: Comments from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington, DC 20528: 

December 4, 2012: 

Stephen M. Lord: 
Director, Homeland Security and Justice Issues: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Re: GAO Draft Report 13-20, Passenger Rail Security: Consistent 
Incident Reporting and Analysis Needed to Achieve Program Objectives: 

Dear Mr. Lord: 

Thank you for the opportunity to review and comment on this draft 
report. The U.S. Department of Homeland Security (DHS) appreciates the 
U.S. Government Accountability Office's (GAO's) work in planning and 
conducting its review and issuing this report. 

As highlighted in the report, the Transportation Security 
Administration (TSA) has both a vital and primary federal role in 
passenger rail security, and its success in this domain is pivotal to 
national security. While GAO notes that there have been no terrorist 
attacks against U.S. passenger rail systems, passenger rail security 
has vulnerabilities that adversaries may attempt to exploit. This has 
been made evident by several alleged terrorist plots uncovered in the 
United States and overseas in the last several years. 

This current threat has produced several proactive steps on the part 
of TSA to protect the nearly 15 million daily riders of mass transit 
and passenger rail systems nationwide. These actions include, among 
other initiatives, implementation of regulations that are the subject 
of this review, as well as TSA's incorporation of a comprehensive, 
strategic, and risk-based approach to rail security. 

In response to GAO's findings, TSA is taking active steps to 
strengthen the passenger rail security reporting and analysis 
continuum through upgrades to guidance protocols and data collection 
methodology. On the front end of the process, TSA agrees with GAO that 
clarifying written guidance directed at both TSA inspectors and rail 
agencies is the right course of action. Additionally, the 
Transportation Security Operations Center (TSOC) has already 
implemented protocols to ensure that data entry is consistent and 
complete. The need for uniform, accurate, and complete reporting of 
passenger rail data is paramount. 

Significantly, in support of GAO's recommendation for greater 
oversight of local inspection activities, the TSA Office of Security 
Operations (OSO) Compliance Programs has granted Regional Security 
Inspectors (RSIs) with review privileges to provide greater visibility 
on all surface inspections entered into the Performance and Results 
Information System (PARIS). 

Taken together, these efforts should produce greater dividends related 
to continuous trend analysis and ultimately, implementation of 
security measures that detect and deter terrorism. 

Finally, TSA continues to maintain collaborative working relationships 
with industry representatives within mass transit and passenger rail 
agencies; which will enhance rail security and improve communication 
with respect to incident reporting. 

The GAO's draft report contained five recommendations with which DHS 
concurs. Specifically, GAO recommended the Administrator of the 
Transportation Security Administration: 

Recommendation 1: Develop and disseminate written guidance for local 
TSA inspection officials and rail agencies that clarifies the types of 
incidents that should be reported to the TSOC. 

Response: Concur. TSA OSO and the Office of Security Policy and 
Industry Engagement (OSPIE) will work together to develop written 
guidance for passenger rail agencies clarifying the types of incidents 
that should be reported to the TSOC. TSA will then disseminate the 
guidance to these passenger rail agencies. 

Recommendation 2: Enhance and utilize existing oversight mechanisms at 
the Headquarters level, as intended, to provide additional management 
oversight of local compliance inspections and enforcement actions. 

Response: Concur. TSA has several mechanisms in place at the 
Headquarters (HQ) level to manage and oversee compliance and 
enforcement actions in the field. Within the TSA OSO Office of 
Compliance Programs, Surface Compliance Branch, RSIs serve as the 
principal technical specialists at the national level for compliance 
oversight activities for surface transportation. RSIs oversee and 
implement transportation security measures, policy, programs, and 
operations. RSIs conduct field office audits as well as field office 
visits as a mechanism to provide HQ oversight of local compliance 
inspections and enforcement actions for consistency and continuity. 
TSA HQ conducts monthly calls and holds quarterly visits with RSIs. 

Additionally, while the TSA OSO Office of Compliance Programs manages 
and oversees inspections, investigations, and recommendations for 
enforcement action, TSA's Office of Chief Counsel (OCC) within HQ 
manages and oversees TSA's enforcement actions. Field inspection 
offices coordinate enforcement actions with local field counsel. Local 
field counsels coordinate these enforcement actions with the TSA OCC 
Enforcement Division. In addition to coordinating enforcement actions 
with RSIs and the local field offices, the TSA OCC coordinates 
enforcement actions with OSO Office of Compliance Programs and with 
OSPIE. 

While TSA believes that several mechanisms and layers are in place for 
the oversight and management of local inspection and enforcement 
actions, TSA recognizes that there are always opportunities for 
improving oversight. In order to improve HQ oversight and management 
of local compliance inspections and enforcement actions, RSIs recently 
have been granted case review privileges in PARIS. This will allow the 
Surface RSIs even greater visibility on all Surface inspections, 
investigations, and recommendations for enforcement actions entered 
into PARIS by enabling them to provide written recommendations in 
PARIS prior to inspection approval. This effort will memorialize RSI 
guidance and provide greater quality control of cases. 

Recommendation 3: Establish a process for updating the database when 
incidents that had not previously been reported are discovered through 
compliance activities. 

Response: Concur. TSA, through the TSOC and the OSO Office of 
Compliance Programs, is currently establishing a business process to 
ensure the relevant databases are complete. Once this process is 
finalized, the TSOC will update the WebEOC (Emergency Operations 
Center) to allow Compliance/Inspectors to input records into the 
system to denote reports that are not reported to the TSOC and 
discovered via compliance activities. 

Recommendation 4: Develop guidance for TSOC officials that includes 
definitions of data entry options to reduce errors resulting from data 
entry problems. 

Response: Concur. TSA, through the TSOC, completed this recommendation 
at close of the exit conference by updating the guidance for TSOC 
Watch Officer with respect to WebEOC input options. 

Recommendation 5: Establish a systematic process for regularly 
conducting trend analysis of the rail security incident data, in an 
effort to identify potential security trends that could help the 
agency anticipate or prevent an attack against passenger rail and 
develop recommended security measures. 

Response: Concur. The TSA Office of intelligence and Analysis will 
work with OSPIE to develop a process to review suspicious activities 
and incidents in the mass transit and passenger rail arenas in order 
to identify trends which might represent a threat to transportation. 

Again, thank you for the opportunity to review and comment on this 
draft report. Technical comments were previously provided under 
separate cover. Please feel free to contact me if you have any 
questions. We look forward to working with you in the future. 

Sincerely, 

Signed by: 

Roda Bradshaw, for: 
Jim H. Crumpacker: 
Director: 
Departmental GAO-OIG Liaison Office: 

[End of section] 

Appendix VI: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Stephen M. Lord, (202) 512-4379 or LordS@gao.gov. 

Staff Acknowledgments: 

In addition to the contact named above, Jessica Lucas-Judy (Assistant 
Director), Eric Hauswirth, Adam Hoffman, Tracey King, Elizabeth 
Kowalewski, Kelly Rubin, and Jonathan Tumin made key contributions to 
this report. 

[End of section] 

Footnotes: 

[1] Passenger rail systems consist of various mass transit and 
passenger rail transit systems. Transit rail is composed of heavy and 
light rail systems. Heavy rail is an electric railway that can carry a 
heavy volume of traffic, and is characterized by high speed and rapid 
acceleration, passenger rail cars operating singly or in multi-car 
trains on fixed rails, separate rights of way from which all other 
vehicular and foot traffic is excluded, sophisticated signaling, and 
high-platform loading. Most subway systems are considered heavy rail. 
Light rail systems typically operate passenger railcars singly (or in 
short, usually two-car trains) and are driven electrically with power 
being drawn from an overhead electric line. Commuter rail is 
characterized by passenger trains operating on railroad tracks and 
providing regional service, such as between a central city and its 
adjacent suburbs. Intercity rail is primarily provided by Amtrak. For 
purposes of this review we are using the term "passenger rail system" 
to include all of these different types of passenger rail transit 
systems. 

[2] The Mineta Transportation Institute database--Terrorist and 
Serious Criminal Attacks Against Public Surface Transportation--
includes data on attacks against rail and other types of surface 
transportation. The Norman Y. Mineta International Institute for 
Surface Transportation Policy Studies was established by the 
Intermodal Surface Transportation Efficiency Act of 1991. Pub. L. No. 
102-240, § 6024, 105 Stat. 1914 2188 (1991). The institute's 
transportation policy work is centered on, among other things, 
research into transportation security, planning, and policy 
development. 

[3] The Department of Transportation's Federal Transit Administration 
also has responsibility for overseeing passenger rail agencies' system 
security plans. 49 C.F.R. pt. 659. 

[4] See, for example, GAO, Rail Security: TSA Improved Risk Assessment 
but Could Further Improve Training and Information Sharing, 
[hyperlink, http://www.gao.gov/products/GAO-11-688T] (Washington, 
D.C.: June 14, 2011); Technology Assessment: Explosives Detection 
Technologies to Protect Passenger Rail, [hyperlink, 
http://www.gao.gov/products/GAO-10-898] (Washington, D.C.: July 28, 
2010); and Transportation Security: Key Actions Have Been Taken to 
Enhance Mass Transit and Passenger Rail Security, but Opportunities 
Exist to Strengthen Federal Strategy and Programs, [hyperlink, 
http://www.gao.gov/products/GAO-09-678] (Washington, D.C.: June 24, 
2009). 

[5] Threat is an indication of the likelihood that a specific type of 
attack will be initiated against a specific target or class of 
targets. Vulnerability is the probability that a particular attempted 
attack will succeed against a particular target or class of targets. 
Consequence is the effect of a successful attack. 

[6] 49 C.F.R. pt. 1580. These requirements generally apply to 
passenger rail carriers, including intercity passenger railroads, 
commuter railroads, and rail transit systems (subways and light rail), 
among others. The regulation also requires rail agencies to designate 
a rail security coordinator, and codifies TSA's authority to conduct 
security inspections of passenger rail agency property. 49 C.F.R. §§ 
1580.201, 1580.5. This is the only rule that TSA has issued to date 
regarding passenger rail security. The Implementing Recommendations of 
the 9/11 Commission Act mandates TSA to develop and issue regulations 
for a public transportation security training program, among other 
things. Pub. L. No. 110-53, § 1408, 121 Stat. 266, 409 (2007). TSA 
stated it expects to issue a notice of proposed rulemaking for this 
program in 2013. 

[7] 71 Fed. Reg. 76,852, 76,876 (Dec. 21, 2006). 

[8] 49 C.F.R. § 1580.203(c). For the purposes of this report, we refer 
to potential threats and significant security concerns as rail 
security incidents. 

[9] The American Public Transportation Association compiled this 
ridership data from the Federal Transit Administration's National 
Transit Database. Ridership on rail transit systems in the District of 
Columbia and Puerto Rico is included in these statistics. Passenger 
rail ridership is calculated by the number of unlinked passenger 
trips. An unlinked passenger trip is defined as the number of 
passengers who board public transportation vehicles. Passengers are 
counted each time they board vehicles no matter how many vehicles they 
use to travel from their origin to their destination. 

[10] The American Public Transportation Association represents the 
public transit industry. Its members serve more than 90 percent of 
persons using public transportation in the United States and Canada. 

[11] The Association of American Railroads is a trade association 
whose membership includes freight railroads that operate 72 percent of 
the industry's mileage, employ 92 percent of the workers, and account 
for 95 percent of the freight revenue of all railroads in the United 
States, and passenger railroads that operate intercity passenger 
trains and provide commuter rail service. 

[12] We chose January 2011 as the starting point for our analysis 
because it was 2 full years after the regulation became effective, 
which would allow rail agencies and TSA a period of adjustment. The 
regulation went into effect in December 2008. June 2012 was the end of 
our data collection period. 

[13] All TSA inspection activities must be documented and entered into 
PARIS, along with any findings and actions taken. We chose January 
2011 as the starting point for our analysis because it was 2 full 
years after the regulation became effective, which would allow rail 
agencies and TSA a period of adjustment. 

[14] GAO, Standards for Internal Control in the Federal Government, 
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] 
(Washington, D.C.: Nov. 1, 1999). 

[15] 49 C.F.R. § 1580.203. The rule also includes requirements that 
pertain exclusively to certain freight railroad carriers, rail 
hazardous materials shippers, and rail hazardous materials receivers, 
including a requirement that these entities report significant 
security concerns to the TSOC. 49 C.F.R. § § 1580.100.111. 

[16] 49 C.F.R. § 1580.5 

[17] The surface transportation modes include mass transit and 
passenger rail, freight rail, highway and commercial vehicle, and 
pipeline. There are currently 68 TSA field offices under the Surface 
Compliance Branch. TSI-Ss report to assistant federal security 
directors-inspection (AFSD-I), who are responsible for all inspection, 
compliance, and enforcement activity in their areas of responsibility. 
Each office is led by a federal security director charged with the 
implementation of all field operational activities across all modes of 
transportation. For other transportation modes, in fiscal year 2012, 
TSA deployed 630 air cargo inspectors, and 958 aviation regulation 
inspectors. 

[18] The seven rail agencies made these comments during open-ended 
discussions about the incident-reporting process in the course of our 
site visits and telephone interviews. 

[19] This includes incidents reported to the TSOC from January 1, 
2011, through December 31, 2011, and recorded in WebEOC. However, 
there are limitations and errors associated with these data, which are 
discussed in greater detail later in this report. Because of 
limitations associated with identifying the total number of incidents 
by agency, we limited this analysis to 7 of the 19 rail agencies that 
we included in our review. Ridership data for 2011 were provided by 
the American Public Transportation Association. 

[20] For purposes of this report, "local TSA inspection officials" 
refers to TSI-Ss and AFSD-Is. 

[21] While TSA has not provided written guidance on whether or not 
these types of incidents are to be reported, a senior TSA compliance 
official said that on the basis of his interpretation of the 
regulation, these types of incidents would not need to be reported. 

[22] 49 C.F.R. § 1580.203(c)(6). 

[23] Officials noted that if the individual had several accomplices 
that were also in possession of weapons, the agency would report the 
incident to the TSOC. 

[24] See 73 Fed. Reg. 72,130, 72,145 (Nov. 26, 2008). 

[25] In the preamble to the final rule, TSA stated that "Detecting 
activities that may compromise transportation security entails piecing 
together seemingly unrelated incidents or observations and conducting 
analysis in context with information from other sources. However as 
the threat environment is dynamic and indicators of incident planning 
and preparation can change, TSA cannot provide a threshold for 
reporting events or a specific definition." 73 Fed. Reg. 72,130, 
72,145 (Nov. 26, 2008). 

[26] Freight railroads are subject to the same TSA requirement to 
report rail security incidents, per 49 C.F.R. § 1580.105. Freight 
railroads' security professionals have raised similar concerns to TSA 
management about inconsistent guidance regarding the interpretation of 
the rule by local TSA surface inspection officials and the types of 
incidents that should be reported. 

[27] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[28] See GAO, Aviation Security: TSA Has Taken Steps to Enhance Its 
Foreign Airport Assessments, but Opportunities Exist to Strengthen the 
Program, [hyperlink, http://www.gao.gov/products/GAO-12-163] 
(Washington, D.C.: Oct. 21, 2011). 

[29] TSA, Reporting Security Incidents to the Transportation Security 
Operations Center, Attachments 1-4, OD-400-18-2D. This operational 
directive applies to TSA employees responsible for reporting aviation 
incidents. For passenger rail, regulated entities (rail agencies) are 
responsible for reporting rail security incidents. 

[30] We determined that the inspection data included in PARIS were 
sufficiently reliable to include in this report, but a senior TSA 
compliance official explained that some inspections may not have been 
consistently documented in PARIS. TSA's process for ensuring 
compliance with its PARIS documentation procedures was outside the 
scope of our review. 

[31] This could occur if a local inspection official created separate 
documentation in PARIS for individual incidents that were discussed 
with the rail agency on the same day. 

[32] BASE reviews are non-regulatory security posture assessments. 
During a BASE review, surface inspectors, in coordination with the 
rail agency, assess the rail agency's overall security posture, 
focusing on the implementation and effectiveness of security plans, 
programs and measures, security gaps, and best practices. The results 
are used to inform the development of security programs and to 
determine priorities for allocating mass transit and passenger rail 
security grants. 

[33] TSA's Visible Intermodal Prevention and Response Program works 
with local security and law enforcement officials to conduct a variety 
of security tactics to introduce unpredictability and deter potential 
terrorist actions, including random high-visibility patrols at 
passenger rail stations, and passenger and baggage screening 
operations involving specially trained behavior detection officers and 
explosive detection canine teams and technologies. 

[34] TSA's enforcement framework proscribes progressively more 
punitive enforcement actions in response to repeated violations, 
failure of a regulated entity to take effective corrective action, 
flagrant violations, and violations that indicate chronic problems. 
According to TSA, for the enforcement framework to be effective, all 
inspections must be documented in PARIS. According to data in PARIS, 
for passenger rail agencies, TSA has taken 33 enforcement actions in 
the form of on-the-spot counseling, and issued four notices of 
noncompliance. TSA has never taken step 3 against a passenger rail 
agency in enforcing the rail security incident reporting regulation, 
according to PARIS data. 

[35] A recent report from DHS's Office of the Inspector General found 
similar issues with TSA's oversight of aviation security incidents. 
Specifically, the report found that TSA did not have a process in 
place to ensure that all security breaches at airports are identified 
and reported, or to review security breach reports to identify 
reporting discrepancies among different airports. See DHS Office of 
Inspector General, Transportation Security Administration's Efforts to 
Identify and Track Security Breaches at Our Nation's Airports 
(Redacted), OIG-12-80 (Washington, D.C.: May 3, 2012). 

[36] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[37] The freight rail industry has raised similar concerns to TSA 
management about the lack of an oversight role provided by the RSI-S 
in the regulatory inspection and compliance process. 

[38] Another way in which TSA headquarters could help to ensure 
consistency is through periodic conference calls that the Office of 
Compliance Programs hosts with local TSA inspection officials and RSI-
Ss. However, according to senior TSA officials, passenger rail 
incident reporting issues have not been discussed during these calls. 

[39] In addition to rail security incident reports provided to the 
TSOC directly from the rail agencies, WebEOC also contains incidents 
reported by TSA employees or the public, or incidents that TSOC 
officials became aware of as a result of media reports or other 
governmental incident management systems. 

[40] The intelligence brief referred to similar incidents that had 
occurred previously, but did not provide specific details about those 
incidents. 

[41] According to officials from the rail agency, they did not report 
four of these incidents to the TSOC because they believed that none of 
the individual incidents met the criteria for reporting--specifically, 
the incidents did not disrupt service, and the individual(s) who left 
the items were not required to breach security to do so. However, in 
issuing a notice of noncompliance, TSA stated that these incidents 
should have been reported. In response to TSA's notice of 
noncompliance, the agency stated that it had reported one of the 
incidents to the TSOC. According to TSA's investigation, however, the 
incident had been reported to local TSA inspection officials instead. 

[42] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[43] To conduct our analysis, we asked TSA to provide all passenger 
rail incidents reported to the TSOC from January 1, 2011, through June 
30, 2012, as well as the total number of incidents reported by select 
rail agencies. In response to this request for data, TSA provided us 
with several inconsistent datasets from WebEOC, which officials 
attributed to differences in the way the data were searched and 
compiled from WebEOC. 

[44] Such a data field would use a standard agency identifier, such as 
the agency name. (e.g., Amtrak or New York City Transit). Without such 
a field, identifying all the incidents reported by a specific agency 
requires TSOC officials to conduct a keyword search of the rail agency 
name, in the WebEOC incident narrative field, that accounts for any 
number of variations in the agency name, to include misspellings. For 
example, our review of WebEOC data revealed five potential key words 
for New York City Transit and Amtrak, including the misspelling 
"Amtrack." TSOC officials also noted that WebEOC lacks other specific 
data fields, such as incident location and severity, among others, 
that could help refine the data and improve the ability for it to be 
analyzed. 

[45] H.R. Rep. No. 112-331, at 973 (2011) (Conf. Rep.); S. Rep. No. 
112-74, at 76 (2011). 

[46] At the time of our review, the "Type of Entry" options included 
the following categories: cargo, highway, infrastructure, maritime, 
mass transit, natural disaster, notification, pipeline, postal, rail, 
and special event. The "Incident Type" entry options refer to the 10 
incident types identified by the regulation, and are dependent on the 
selection under "Type of Entry." Therefore, incidents that are 
improperly identified under "Type of Entry" cannot be correctly 
identified under "Incident Type." 

[47] The total number of incidents identified as "Mass Transit" or 
"Rail" for the month of August 2011 was 377. However, 60 percent of 
these entries were either related to freight rail or were batch e-mail 
notifications that contained multiple incidents, and were therefore 
excluded from our analysis. 

[48] The "Incident Type" category includes data options that align 
with the incident type criteria identified by the regulation, as well 
as a "Not Applicable" category. 

[49] In addition to these discrepancies, one option under "Type of 
Entry"--"Notifications"--was responsible for most of the incorrectly 
categorized incidents for the agencies in our scope. This discrepancy 
became clear when we compared agency-specific datasets (which were 
produced using keyword searches of the agency name) with the overall 
dataset that TSA provided. 

[50] GAO, Aviation Security: Efforts to Validate TSA's Passenger 
Screening Behavior Detection Program Underway, but Opportunities Exist 
to Strengthen Validation and Address Operational Challenges, 
[hyperlink, http://www.gao.gov/products/GAO-10-763] (Washington, D.C.: 
May 20, 2010). 

[51] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[52] The TSOC is responsible for collecting the incident information 
from rail agencies and other sources, and providing this information 
to internal and external stakeholders. The Office of Security Policy 
and Industry Engagement is responsible for developing and recommending 
security measures or strategies to rail agencies. 

[53] A senior TSA intelligence analyst explained that the Office of 
Intelligence and Analysis generally focuses on analyzing attacks that 
have occurred overseas. As noted earlier, there have been no 
successful attacks against rail in the United States. See appendix IV 
for descriptions of recent attacks on rail systems. 

[54] These reports include, among others, the Joint Information 
Bulletin, produced by DHS and the Federal Bureau of Investigation, and 
Mass Transit and Passenger Rail Threat Assessments, produced by DHS's 
Office of Intelligence and Analysis, in coordination with TSA's Office 
of Intelligence and Analysis. 

[55] 71 Fed. Reg. 76,852, 76,865 (Dec. 21, 2006). 

[56] 73 Fed. Reg. 72,130, 72,145 (Nov. 26, 2008). 

[57] The high-volume passenger rail agencies we interviewed were: 
Amtrak; the New York City Metropolitan Transit Authority; New York-New 
Jersey Port Authority; New Jersey Transit; Washington Metropolitan 
Area Transit Authority; Chicago Transit Authority; Metra; and San 
Francisco Bay Area Rapid Transit. We also interviewed municipal police 
departments that provide security for two of these transit systems, 
including the New York Police Department Transit Bureau and the 
Chicago Police Department Public Transportation Section. 

[58] For additional information on rail security measures implemented 
by TSA and rail agencies, see GAO, Transportation Security: Key 
Actions Have Been Taken to Enhance Mass Transit and Passenger Rail 
Security, but Opportunities Exist to Strengthen Federal Strategy and 
Programs, [hyperlink, http://www.gao.gov/products/GAO-09-678] 
(Washington, D.C.: June 24, 2009). 

[59] These mechanisms were cited by TSA and high-volume passenger rail 
stakeholders or by rail security entities associated with them (i.e., 
police departments that are part of a rail system, or that provide 
policing for one of the high-volume systems that we interviewed). The 
high-volume passenger rail agencies we interviewed were: Amtrak; the 
New York City Metropolitan Transit Authority; New York-New Jersey Port 
Authority; New Jersey Transit; Washington Metropolitan Area Transit 
Authority; Chicago Transit Authority; Metra; and San Francisco Bay 
Area Rapid Transit. We also interviewed municipal police departments 
that provide security for two of these transit systems, including the 
New York Police Department Transit Bureau and the Chicago Police 
Department Public Transportation Section. 

[60] Our prior work on information sharing with private and public 
security stakeholders has shown that security-related information 
sharing continues to be a challenge for the federal government. See, 
for example, GAO, Transportation Security Information Sharing: 
Stakeholders Generally Satisfied but TSA Could Improve Analysis, 
Awareness, and Accountability, [hyperlink, 
http://www.gao.gov/products/GAO-12-44] (Washington, D.C.: Nov. 21, 
2011); Public Transit Security Information Sharing: DHS Could Improve 
Information Sharing through Streamlining and Increased Outreach, 
[hyperlink, http://www.gao.gov/products/GAO-10-895] (Washington, D.C.: 
Sept. 22, 2010); and Transportation Security: Key Actions Have Been 
Taken to Enhance Mass Transit and Passenger Rail Security, but 
Opportunities Exist to Strengthen Federal Strategy and Programs, 
[hyperlink, http://www.gao.gov/products/GAO-09-678] (Washington, D.C.: 
June 24, 2009). 

[61] The American Public Transportation Association compiled these 
ridership data from the Federal Transit Administration's National 
Transit Database. Ridership data on rail transit systems in the 
District of Columbia and Puerto Rico are included in these statistics. 
Passenger rail ridership is calculated by the number of unlinked 
passenger trips. An unlinked passenger trip is defined as the number 
of passengers who board public transportation vehicles. Passengers are 
counted each time they board vehicles no matter how many vehicles they 
use to travel from their origin to their destination. 

[62] There are six RSI-Ss located throughout the country. 

[63] We chose January 2011 as the starting point for our analysis 
because it was 2 full years after the regulation became effective, 
which would allow rail agencies and TSA a period of adjustment. The 
regulation went into effect in December 2008. June 2012 was the end of 
our data collection period. 

[64] All TSA inspection activities must be documented and entered into 
PARIS, along with any findings and actions taken. We chose January 
2011 as the starting point for our analysis because it was 2 full 
years after the regulation became effective, which would allow rail 
agencies and TSA a period of adjustment. June 2012 was the end of our 
data collection period. 

[65] GAO, Standards for Internal Control in the Federal Government, 
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] 
(Washington, D.C.: Nov. 1, 1999). 

[66] For some of the rail systems in our review, security is provided 
by the local police department. In those cases, we interviewed 
officials from the cognizant police department as well as security 
officials from the rail systems themselves. 

[67] The MTI database--Terrorist and Serious Criminal Attacks Against 
Public Surface Transportation--includes data on attacks against rail 
and other types of surface transportation. The Mineta International 
Institute for Surface Transportation Policy Studies was established by 
the Intermodal Surface Transportation Efficiency Act of 1991. Pub. L. 
No. 102-240, § 6024, 105 Stat. 1914, 2188 (1991). The institute's 
transportation policy work is centered on, among other things, 
research into transportation security, planning, and policy 
development. According to TSA officials, this database is among the 
most complete and comprehensive source for surface transportation 
terrorist attacks. Funding for the database, about $64,000 annually, 
had been provided by DHS's Science and Technology Directorate, but 
ceased in June 2012, as part of a broader budget reduction. The last 
update of the database occurred in December 2011, according to MTI. 
According to TSA, the agency is currently working with MTI to develop 
a statement of work and a contract for continued population of data to 
the MTI database. According to TSA, this contract will also allow TSA 
analysts unlimited access to the database. 

[End of section] 

GAO’s Mission: 

The Government Accountability Office, the audit, evaluation, and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the 
performance and accountability of the federal government for the 
American people. GAO examines the use of public funds; evaluates 
federal programs and policies; and provides analyses, recommendations, 
and other assistance to help Congress make informed oversight, policy, 
and funding decisions. GAO’s commitment to good government is 
reflected in its core values of accountability, integrity, and 
reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO’s website [hyperlink, http://www.gao.gov]. Each 
weekday afternoon, GAO posts on its website newly released reports, 
testimony, and correspondence. To have GAO e-mail you a list of newly 
posted products, go to [hyperlink, http://www.gao.gov] and select 
“E-mail Updates.” 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of 
production and distribution and depends on the number of pages in the 
publication and whether the publication is printed in color or black 
and white. Pricing and ordering information is posted on GAO’s 
website, [hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or 
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card, 
MasterCard, Visa, check, or money order. Call for additional 
information. 

Connect with GAO: 

Connect with GAO on facebook, flickr, twitter, and YouTube.
Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts.
Visit GAO on the web at [hyperlink, http://www.gao.gov]. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 
Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; 
E-mail: fraudnet@gao.gov; 
Automated answering system: (800) 424-5454 or (202) 512-7470. 

Congressional Relations: 

Katherine Siggerud, Managing Director, siggerudk@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, DC 20548. 

Public Affairs: 
Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, DC 20548. 

[End of document]