• A security plan must at a minimum address personnel security, unauthorized access, en route security, communication and training practices, and responsibilities for plan development and implementation.
• Security plans must be marked with “SENSITIVE SECURITY INFORMATION,” kept available to employees and officials in written form, and updated at least annually.
• Written security plans must be retained for as long as they are effective and reviewed at least annually to reflect necessary changes.

Each plan must include an assessment of possible transportation security risks for shipments of hazardous materials, including site-specific or location-specific risks associated with facilities at which the materials are prepared for transport, stored, or unloaded incidental to movement, and appropriate measures to address these risks. Specific measures may vary depending upon the level of threat.

At a minimum, a security plan must consist of the following elements:

• Personnel security. Measures to confirm information provided by job applicants hired for positions that involve access to and handling of hazardous materials covered by the security plan. These measures must be consistent with applicable federal and state laws and requirements concerning employment practices and individual privacy.
• Unauthorized access. Measures to address the assessed risk that unauthorized persons may gain access to hazmat covered by the security plan or transport conveyances being prepared for transportation of materials covered by the security plan.
• En route security. Measures to address the assessed security risks of shipments of hazmat covered by the security plan en route from origin to destination, including shipments stored incidental to movement.

In addition, a security plan must also include:

• Identification by job title of the senior management official responsible for overall development and implementation of the security plan.
• Security duties for each position or department that is responsible for implementing the plan or a portion of the plan.
• The process of notifying employees when specific elements of the plan must be implemented.
• A plan for training hazmat employees in accordance with 172.704 on security awareness and in-depth security training.

Handling sensitive security information

Security plans must be marked as Sensitive Security Information (SSI) as required by 49 CFR 15.13. Security plans on paper must include the protective marking “SENSITIVE SECURITY INFORMATION” at the top and the distribution limitation warning at the bottom of:

• The front and back cover, including a binder cover or folder;
• Any title page; and
• Each page of the document.

The distribution limitation warning must read as follows:

• WARNING: This record contains Sensitive Security Information that is controlled under 49 CFR parts 15 and 1520. No part of this record may be disclosed to persons without a “need to know”, as defined in 49 CFR parts 15 and 1520, except with the written permission of the Administrator of the Transportation Security Administration or the Secretary of Transportation. Unauthorized release may result in civil penalty or other action. For U.S. government agencies, public disclosure is governed by 5 U.S.C. 552 and 49 CFR parts 15 and 1520.

Non-paper security plans must be clearly and conspicuously marked with the protective marking and distribution limitation warning so that a viewer or listener is reasonably likely to see or hear them when obtaining access to the security plan.

Security plan retention and revision

The security plan, including the risk assessment, must be in writing and must be retained as long as it remains in effect. Copies must be made available to those employees who are responsible for implementing it, consistent with personnel security clearance or background investigation restrictions and demonstrated need to know.

The security plan must be reviewed at least annually and revised and/or updated as necessary to reflect changes in circumstances. When the plan is updated or revised, all employees responsible for implementing it must be notified. All copies of the plan must be maintained as of the date of the most recent revision.

A copy of the security plan or an electronic file must be maintained at the employer’s principal place of business and must be made available upon request, at a reasonable time and location, to an authorized Department of Transportation (DOT) or Department of Homeland Security (DHS) official.