National Academies Press: OpenBook
Suggested Citation:"Appendix A Literature Review." National Academies of Sciences, Engineering, and Medicine. 2020. Developing a Physical and Cyber Security Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25869.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Appendix A Literature Review

Contents
A. Risk Management and Risk Assessment
B. Plans and Strategies
C. Physical Security Countermeasures
D. Cyber Security Countermeasures
E. Workforce Training and Exercises
F. Infrastructure Protection, Resilience, and Sustainability
G. Homeland Security Laws, Directives, and Guidance
H. Space Weather
I. Active Shooter

A. Risk Management and Risk Assessment

Railway Infrastructure Security (Setola et al., 2015, Springer)

Citation. Setola, Roberto, Sforza, Antonio, Vittorini, Valeria, Pragliola, Concetta, Railway Infrastructure Security, Vol. 27, Topics in Safety, Risk, Reliability, and Quality, Springer International Publishing, Cham, Switzerland, 2015, [Online]. Available: http://link.springer.com/book/10.1007%2F978-3-319-04426-2

Synopsis. From the Transport Research International Documentation (TRID) Database: “Critical infrastructure protection is a very difficult. The objective of this book is to develop an understanding of the vulnerabilities of critical infrastructure and to provide efficient and effective strategies for reducing the risk of attacks and their consequences. The first chapter provides an introduction and the table of contents lists the remaining titles:
• Towards Integrated Railway Protection;
• The Railway Security: Methodologies and Instruments for Protecting a Critical Infrastructure;
• Vulnerability Assessment in Railway Infrastructure System (RIS) Scenario through a Synergic Use of the Crime Prevention through Environmental Design (CPTED) Methodology and the System Dynamics Approach;
• Cumana and Circumflegrea Railway Lines: A Circle Network in the Western Metropolitan Area of Naples;
• Coping with Suicide Bombing Israel Railways Security Challenges 2000–2005;
• Technologies for the Implementation of a Security System on Rail Transportation Infrastructures;
• A Model-Driven Process for Physical Protection System Design and Vulnerability Evaluation;
• Optimal Location of Security Devices;
• The Methodological Tool for Railway Infrastructure Protection (METRIP) Tool;
• Optimizing Investment Decisions for Railway Systems Protection; and
• The Security into the Metro System: The Copenhagen Metro Experience.”

Security of Road Infrastructure (2015, PIARC)

Citation. Security of Road Infrastructure, World Road Association (PIARC), Paris, France, 2015, [Online]. Available: http://www.piarc.org/en/order-library/23425-en-Security%20of%20road%20infrastructure.htm?access=catalog

Synopsis. From the Transport Research International Documentation (TRID) Database: “This paper addresses threats directed to the infrastructure. A correct understanding and a suitable handling of the security of road infrastructure is not only important to safeguard the infrastructure itself, but is also relevant to cover the protection of the social and economic values, the protection of the environment, and even the security of other transportation modes. The objective of the paper is to: (1) provide an overview of the range of security threats and issues that may affect road infrastructure, operations and users; and (2) promote thought and discussion within the road community in order to raise awareness and allow Road Authorities and Operators to step forward with international good practices on “Road Infrastructure Security”. The paper outlines the following topics: assessment of physical security; different methodological approaches; safety and security programs; application of knowledge in security by design; and retrofit of existing infrastructure.”

NCHRP Report 732: Methodologies to Estimate the Economic Impacts of Disruptions to the Goods Movement System

Citation. Georgia Tech Research Corporation, Parsons Brinckerhoff, and Anne Strauss-Wieder. NCHRP Report 732: Methodologies to Estimate the Economic Impacts of Disruptions to the Goods Movement System, Transportation Research Board of the National Academies, Washington, DC, 2012, [Online]. Available: http://onlinepubs.trb.org/onlinepubs/nchrp/nchrp_rpt_732.pdf

Synopsis. According to its TRB web page, this publication does several things. It “describes the impacts of bottlenecks and interruptions to the flow of goods through the nation’s major freight corridors and intermodal connectors”. It also describes “the dynamics of that flow in response to disruptions”. Lastly, it describes “the full economic impact on public and private entities beyond just the critical infrastructure and the carriers that depend on that flow”.

The publication’s literature review first synthesizes the current state of knowledge of the economic impact of transportation disruptions on goods movement and relates this to a conceptual framework that describes key relationships. The framework itself is a five-step process to evaluate freight network disruption events (and accompanying economic impacts):
1. Identify the direct and immediate physical effects of a network disruption.
2. Identify current and future affected network flows by facility and link.
3. Identify supply chain characteristics and parameters.
4. Model the response of the supply chain to disruptions.
5. Model the economic impacts of network disruptions.

Two types of costs are examined during the modeling:
• Social and Public Sector Costs
• Direct Supply Chain Costs

This publication includes six chapters and no appendices. Chapter 2 presents a literature review of economic impact analysis models that have been used in disruption studies. Chapter 3 presents the analysis framework. Chapter 4 presents case studies of transportation system disruptions over the past 15 years (as of the date of the publication) in the United States. Chapter 5 describes the methodology and the rules of thumb that can be used for estimating economic impacts. The methodology is applied against a real disruption case study. Chapter 6 presents conclusions and identifies future areas of research.

Risk-Based Transportation Asset Management: Building Resilience into Transportation Assets: Report 5: Managing External Threats Through Risk-Based Asset Management

Citation. “Report 5: Managing External Threats Through Risk-Based Asset Management”, Risk-Based Transportation Asset Management: Building Resilience into Transportation Assets, Federal Highway Administration (FHWA), U.S. Department of Transportation, Washington, DC, March 2013, [Online]. Available: http://www.fhwa.dot.gov/asset/pubs/hif13018.pdf

Synopsis. From the Transport Research International Documentation (TRID) Database: “This is the fifth of five reports examining how risk management complements asset management. This last report examines how physical, climatic, seismic and other external threats can be addressed in risk-based asset management programs. The first four reports and the literature review emphasized the definition of risk as the positive or negative effect of uncertainty or variability upon agency objectives. Those reports emphasized that risks could be positive in that some types of uncertainty can create opportunities. However, this report will focus more on negative risks, or threats. These risks generally are external, and while highly probable over a long period of time, are difficult to predict in the short term. Randomness and variability complicate planning for them. In August 2011, Hurricane Irene reached one of the nation’s most northern states, Vermont, and damaged 480 bridges out of a total network of 2717 bridges. In one day, more bridge deterioration occurred than normally would occur over many years. Accurate prediction of such events is nearly impossible. Such a significant storm had not struck Vermont for 83 years. In managing risks to assets from external threats, this report emphasizes the Three Rs, which are Redundancy, Robustness and Resiliency. These will be defined, described and illustrated through several agency examples. Asset management plays a critical role in each, particularly Robustness and Resiliency. Including the Three Rs in asset planning efforts can better prepare agencies to cope with an increasingly unpredictable world.”

The report consists of five major sections. The first is an introductory section. The second section discusses Climate Change and Extreme Weather Risks. The FHWA’s Vulnerability Assessment Model is presented in the third section. The fourth section discusses Risk-Based Approaches to Protecting Assets. Summary and Conclusions make up the fifth section.

Risk-Based Transportation Asset Management: Evaluating Threats, Capitalizing on Opportunities: Report 1: Overview of Risk Management

Citation. “Report 1: Overview of Risk Management”, Risk-Based Transportation Asset Management: Building Resilience into Transportation Assets, Federal Highway Administration (FHWA), U.S. Department of Transportation, Washington, DC, June 2012, [Online]. Available: http://www.fhwa.dot.gov/asset/pubs/hif12035.pdf

Synopsis. From the Transport Research International Documentation (TRID) Database: “As the United States considers developing risk-based transportation asset management (TAM) plans, agencies will need to understand risk and how it can be used to improve decision making in asset management programs. This is the first of five reports that define risk, explain risk management and examine their application to TAM both in the U.S. and abroad. This first report provides an overview of risk management as applied to managing physical assets.”

The report consists of 16 short chapters. After a one-paragraph Background and a one-page Introduction, the report describes What is Risk and Risk Management. Major goals include Assessing Negative Threats and Positive Opportunities, and Moving from Project to Enterprise Risk. The report then presents Basic Steps of Risk Management, and answers the question “Why Manage Risks?” The report explains Where Does Risk Management Fit? It identifies Threats to a Transportation Asset Management (TAM) Program, and Who Manages These Risks? The report describes Communicating and Monitoring Risks, then discusses ways of Tailoring Risk Management before presenting Simple Tools for Managing Risk. The report then asserts that while Managing Risk is Not New, Formalizing It Is. Several guidelines in Managing Risks to Assets are presented. The final section is the Summary and Conclusion.

A Guide for Assessing Community Emergency Response Needs and Capabilities for Hazardous Materials Releases

Citation. A Guide for Assessing Community Emergency Response Needs and Capabilities for Hazardous Materials Releases. HMCRP Report, Battelle Memorial Institute, Issue 5, 2011, 119p, [Online]. Available: http://www.trb.org/Publications/Blurbs/165201.aspx

Synopsis. From the Transport Research International Documentation (TRID) Database: “This Guide presents comprehensive, step-by-step guidance on assessing hazardous materials emergency response needs at state, regional, and local levels; matching state, regional, and local capabilities with potential emergencies involving different types of hazardous materials; and assessing how quickly resources can be brought to bear in an emergency. The methodology described in the guide is designed to be scalable, allowing the implementation results to be aggregated at the local level up through regional, state, and national levels. Also, the guide is designed to connect as many components as possible to already-established standards, guidelines, regulations, and laws, so that the guide will remain current as these underlying components are updated. In addition, the guide discusses appropriate means for maintaining currency of the information over time. The guide and accompanying spreadsheet tool (on the attached CD-ROM), which leads planners through the assessment process, will be most useful for local jurisdictions that have limited resources and expertise in hazardous materials emergency response planning.”

Security of Infrastructure Control Systems for Water and Transport

Citation. Security of infrastructure control systems for water and transport, Victorian Auditor-General’s Report, Melbourne, Victoria, Australia, October 2010, [Online]. Available: http://www.audit.vic.gov.au/publications/2010-11/20100610-ICT-report.pdf

Synopsis. From the Transport Research International Documentation (TRID) Database: “Infrastructure critical to the provision of essential water and transport services includes the physical assets, facilities, distribution systems, information technologies and communication networks. This infrastructure relies on control and management systems, such as Supervisory Control and Data Acquisition (SCADA) systems. SCADA systems are usually computer-based. Computer interconnectivity has increased since the 1990s, especially the use of the Internet, which has revolutionised the way that the government and broader community communicate and do business. While the benefits of this widespread interconnectivity have been enormous, it also exposes computer systems, and the essential services and critical infrastructure they support, to major security risks. If not properly controlled, the increased speed and accessibility that benefits intended users can also give unauthorized individuals and organizations access to operational information that is used for mischievous or malicious purposes, including fraud or sabotage.”

Following the executive summary (here, “Audit summary”), the audit report consists of three chapters. The first chapter “Background” discusses, among other items, the policy and legislative context, roles and responsibilities, security standards and good practice, and the audit methodology. Chapter 2 covers the audit’s findings regarding operator security. Meanwhile, Chapter 3 presents the findings for portfolio agency oversight. There is no concluding chapter which collects the findings and recommendations – these are found in the Audit Summary instead. The sole Appendix A consists of submissions and comments made during the audit, in accordance with the 1994 Audit Act.

Recovery Act: FEMA Could Take Steps to Protect Sensitive Port Security Grant Details and Improve Recipient Reporting Instructions

Citation. Recovery Act: FEMA Could Take Steps to Protect Sensitive Port Security Grant Details and Improve Recipient Reporting Instructions. U.S. Government Accountability Office, 2010, 33p, [Online]. Available: http://www.gao.gov/new.items/d1188.pdf

Synopsis. From the Transport Research International Documentation (TRID) Database: “The American Recovery and Reinvestment Act of 2009 (Recovery Act) requires recipients to report, among other things, project descriptions on Recovery.gov, the federal Recovery Act Web site. Within the Department of Homeland Security, the Federal Emergency Management Agency’s (FEMA) Grant Programs Directorate administers the Port Security Grant Program (PSGP) to strengthen ports against risks from terrorist attacks. FEMA received and obligated $150 million in Recovery Act PSGP funds in 2009, and, as of September 2010, recipients have drawn down over $10 million. To facilitate recipient reporting, FEMA must consider the need both for transparency and for protection of Sensitive Security Information (SSI), which could be detrimental to transportation security if disclosed. As requested, Government Accountability Office (GAO) assessed FEMA’s: (1) controls to ensure Recovery Act PSGP staff consistently follow SSI policies, and (2) steps to ensure PSGP recipients have not disclosed SSI on Recovery.gov. GAO reviewed relevant laws, regulations, guidance, and a random sample of PSGP Recovery Act recipient reports available as of February 2010, and interviewed agency officials.”

Supply Chain Security Guide

Citation. Donner, Michel and Kruk, Cornelis, Supply Chain Security Guide, World Bank, Washington, DC, 2009, [Online]. Available: http://siteresources.worldbank.org/INTPRAL/Resources/SCS_Guide_Final.pdfFinal.pdf

Synopsis. From the Transport Research International Documentation (TRID) Database: “A supply chain is a system of organizations, people, resources, information, activities and technology involved in moving goods from the producer to the user or consumer. Supply chain security involves the systems, technology, programs, solutions and procedure that are applied to ameliorate threats to the supply chain and the resulting threats to the social, physical, and economic health of organized society and its citizens. This report provides an informational guide to supply chain security programs and measures.”

This report has four chapters. After the Executive Summary and the Introduction chapter, the second chapter is a review of several Supply Chain Security Programs. The third chapter reviews Supply Chain Security Technologies, and the final chapter is the Conclusion. There are four Annexes (appendices).

• Frequently Asked Questions
• Glossary
• Main Regional and National Supply Chain Security Programs
• Supply Chain Security Implementation Checklist

B. Plans and Strategies

National Disaster Recovery Framework, Second Edition – Information Sheet

Citation. “National Disaster Recovery Framework, Second Edition – Information Sheet,” Federal Emergency Management Agency (FEMA), Washington, DC, 2016, [Online]. Available: http://www.fema.gov/media-library-data/1466017528262-73651ed433ccfe080bed88014ac397cf/InformationSheet_Recovery_Framework.pdf

Synopsis. The National Disaster Recovery Framework describes “how the whole community works together to restore, redevelop, and revitalize the health, social, economic, natural, and environmental fabric of the community.” The new framework incorporates the edits to the National Preparedness Goal and new lessons learned. Additional changes made to the framework include: “Increased focus on Recovery’s relationship with the other four mission areas. Updated Recovery Support Functions (RSFs) to reflect changes in Primary Agencies and Supporting Organizations. Additional language on science and technology capabilities and investments for the rebuilding and recovery efforts.”

National Response Framework, Third Edition – Information Sheet

Citation. “National Response Framework, Third Edition – Information Sheet,” Federal Emergency Management Agency (FEMA), Washington, DC, 2016, [Online]. Available: http://www.fema.gov/media-library-data/1466014891281-6e7f60ceaf0be5a937ab2ed0eae0672d/InformationSheet_Response_Framework.pdf

Synopsis. The NRF is aligned with NIMS and provides capabilities to save lives, protect property, and meet basic human needs. Response activities occur before, during, and after an incident and can overlap with the start of recovery activities. The following changes were made to the framework.

• The addition of a new core capability, Fire Management and Suppression
• Three revised core capability titles
  o Logistics and Supply Chain Management
  o On-scene Security, Protection, and Law Enforcement
  o Public Health, Healthcare, and Emergency Medical Services
• Three revised core capability definitions
  o Environmental Response/Health and Safety
  o Fatality Management Services
  o Logistics and Supply Chain Management

National Mitigation Framework, Second Edition – Information Sheet

Citation. “National Mitigation Framework, Second Edition – Information Sheet,” Federal Emergency Management Agency (FEMA), Washington, DC, 2016, [Online]. Available: http://www.fema.gov/media-library-data/1466014552462-1b78d1a577324a66c4eb84b936c68f16/InformationSheet_Mitigation_Framework.pdf

Synopsis. The National Mitigation Framework covers the capabilities necessary to reduce the loss of life and property by lessening the effects of disasters, and focuses on risk (understanding and reducing it), resilience (helping communities recover quickly and effectively after disasters), and a culture of preparedness. The new framework incorporates the edits to the National Preparedness Goal and new lessons learned including a revised core capability title, Threats and Hazards Identification. In addition, the following changes have been made: “Additional language on science and technology efforts to reduce risk and analyze vulnerabilities within the mitigation mission area. Updates on the Mitigation Framework Leadership Group (MitFLG), which is now operational. Updates to the Community Resilience core capability definition to promote preparedness activities among individuals, households and families.”

National Protection Framework, Second Edition – Information Sheet

Citation. “National Protection Framework, Second Edition – Information Sheet,” Federal Emergency Management Agency (FEMA), Washington, DC, 2016, [Online]. Available: http://www.fema.gov/media-library-data/1466013587164-86696df20638bbf24e25d70070eda114/InformationSheet_Protection_Framework.pdf

Synopsis. The National Protection Framework focuses on “actions to deter threats, reduce vulnerabilities, and minimize the consequences associated with an incident.” The new framework incorporates the edits to the National Preparedness Goal and new lessons learned. In addition, the following changes have been made: “Updated Cybersecurity Core Capability Critical Tasks to align with the Mitigation, Response, and Recovery Mission Areas. Additional language on science and technology investments to protect against emerging vulnerabilities are included within the protection mission area. Additional language on interagency coordination within the protection mission area to support the decision-making processes outlined within the framework.”

National Prevention Framework, Second Edition – Information Sheet

Citation. “National Prevention Framework, Second Edition – Information Sheet,” Federal Emergency Management Agency (FEMA), Washington, DC, 2016, [Online]. Available: http://www.fema.gov/media-library-data/1466011024787-91b8e49bf7344dd6dadca441c26272ad/InformationSheet_Prevention_Framework.pdf

Synopsis. The National Prevention Framework focuses on terrorism and addresses the capabilities necessary to avoid, prevent, or stop imminent threats or attacks. Some core capabilities overlap with the protection mission area. The updates include edits to the National Preparedness Goal, and lessons learned. Other edits include: “Updates to Coordinating Structure language on Joint Operations Centers and the Nationwide Suspicious Activity Reporting Initiative. Clarification on the relationship and differences between the Prevention and Protection mission areas. Updated language on the National Terrorism Advisory System (NTAS) as part of the Public Information and Warning core capability. Additional language on science and technology investments within the prevention mission area.”

National Preparedness Goal, Second Edition – Information Sheet

Citation. “National Preparedness Goal, Second Edition – Information Sheet,” Federal Emergency Management Agency (FEMA), Washington, DC, 2015, [Online]. Available: http://www.fema.gov/media-library-data/1443624338930-32e9ed3ac6cf8e95d7d463ed9b9685df/NationalPreparednessGoal_InformationSheet_2015.pdf

Synopsis. The 2011 National Preparedness Goal was updated in 2015. The key changes are described in the National Preparedness Goal, Second Edition – What’s New Fact Sheet. The National Preparedness Goal itself has not changed: “A secure and resilient nation with the capabilities required across the whole community to prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk.” The following changes were made to the National Preparedness Goal document:

• Introduction: Language added to stress the importance of community preparedness and resilience.
• Risk and the Core Capabilities: Enhanced items on cybersecurity and climate change.
• Preliminary Targets: Updated preliminary targets.
• New Core Capability: A new core capability, Fire Management and Suppression, was added.
• Core Capability Titles: Revised the following core capability titles:
  o Threats and Hazard Identification (Mitigation) – revised to Threats and Hazards Identification;
  o Public and Private Services and Resources (Response) – revised to Logistics and Supply Chain Management;
  o On-scene Security and Protection (Response) – revised to On-scene Security, Protection, and Law Enforcement; and
  o Public Health and Medical Services (Response) – revised to Public Health, Healthcare, and Emergency Medical Services.
• Core Capability Definitions: Several of the core capability definitions were revised.

NIPP 2013: Partnering for Critical Infrastructure Security and Resilience

Citation. National Infrastructure Protection Plan (NIPP) 2013: Partnering for Critical Infrastructure Security and Resilience, U.S. Department of Homeland Security, Washington, DC, 2013, [Online]. Available: https://www.dhs.gov/national-infrastructure-protection-plan

Synopsis. From DHS.gov: “Our Nation’s well-being relies upon secure and resilient critical infrastructure—the assets, systems, and networks that underpin American society. The National Infrastructure Protection Plan (NIPP) — NIPP 2013: Partnering for Critical Infrastructure Security and Resilience — outlines how government and private sector participants in the critical infrastructure community work together to manage risks and achieve security and resilience outcomes.”

“NIPP 2013 represents an evolution from concepts introduced in the initial version of the NIPP released in 2006 and revised in 2009. The National Plan is streamlined and adaptable to the current risk, policy, and strategic environments. It provides the foundation for an integrated and collaborative approach to achieve the vision of: “[a] Nation in which physical and cyber critical infrastructure remain secure and resilient, with vulnerabilities reduced, consequences minimized, threats identified and disrupted, and response and recovery hastened.” NIPP 2013 meets the requirements of Presidential Policy Directive-21: Critical Infrastructure Security and Resilience, signed in February 2013. The Plan was developed through a collaborative process involving stakeholders from all 16 critical infrastructure sectors, all 50 states, and from all levels of government and industry. It provides a clear call to action to leverage partnerships, innovate for risk management, and focus on outcomes.”

The NIPP 2013 has six chapters, two appendices, and four supplements. After an Executive Summary, the Introduction (Chapter 1) gives an overview of the NIPP 2013 and its evolution from the 2009 NIPP. Chapter 2 defines the Vision, Mission, and Goals of the NIPP 2013, while Chapter 3 describes the Critical Infrastructure Environment in terms of key concepts, risk, policy, operations, and partnership. Core Tenets are established in Chapter 4. Ways to collaborate to manage risk are given in Chapter 5. The final chapter is a Call to Action (“Steps to Advance the National Effort”). The Sector-Specific Plans of the 16 critical infrastructure sectors are being updated to align with the NIPP 2013. The web page for NIPP 2013 also contains links to training courses, critical infrastructure partnership courses, security awareness courses, and the relevant authorities (i.e. laws, regulations, and guidance).

Protecting America’s Roads, Bridges, and Tunnels: The Role of State DOTs in Homeland Security

Citation. “Protecting America’s Roads, Bridges, and Tunnels: The Role of State DOTs in Homeland Security,” The American Association of State Highway and Transportation Officials (AASHTO), Washington, DC, Jan 2005, [Online]. Available: http://scotsem.transportation.org/Documents/Protecting_Americas_Roads.pdf

Synopsis. According to AASHTO’s page on Bridge and Tunnel Security, this publication is an “AASHTO brochure providing an overview of the vital role that state DOTs – builders and operators of the nation’s busiest roads, tunnels, and bridges – often play when emergency situations occur”. It explains “why the security of our roads, bridges, and tunnels is important, what DOTs are doing to improve it, and the keys to better partnership.”

The document has four sections. The introductory section (“State DOTs—Guardians of The Nation’s Transportation Infrastructure”) argues that DOTs’ foremost expanded roles include all-hazards emergency management and critical asset protection. The two body sections explain DOTs’ expertise and needs in their respective domain. The first body section (“A Vital Support Role in Emergency Management”) notes that DOTs’ all-hazards emergency management expertise includes the key functions of: traveler information; traffic management; transportation facilities, personnel, and equipment; and infrastructure reconstruction capabilities. At the same time, resources are needed to address the enhancement of Intelligent Transportation System (ITS) capabilities; improvement of emergency response; and better communications. The second body section (“Protecting Critical Transportation Assets”) notes that DOTs have several available countermeasures: deterrence and detection, defense, and design and re-design. But to address critical asset protection, DOTs need resources to address: bridge retrofits, bridge reconstruction, and tunnel protection costs.

In its concluding section (“The Road Ahead – Setting an Agenda for Partnership in Security”), this publication advocates that DOTs be “considered as first responders in terms of support from the Department of Homeland Security.” For strengthening this partnership, four cornerstones are proposed:

• recognition of vital role of DOT in emergency management and homeland security,
• responsiveness to road, bridge, and tunnel asset protection needs,
• additional resources for DOT to meet homeland security challenges, and
• support for transportation-related security research.

C. Physical Security Countermeasures

Leveraging Traffic and Surveillance Video Cameras for Urban Traffic

Citation. Eriksson, Jakob, “Leveraging Traffic and Surveillance Video Cameras for Urban Traffic,” Illinois Center for Transportation, Illinois Department of Transportation, Springfield, IL, December 2014, [Online]. Available: https://apps.ict.illinois.edu/projects/getfile.asp?id=3346

Synopsis. This report discusses the use of security and surveillance cameras to collect traffic statistics – that is, a secondary use for the physical security asset which can enhance its value to owners and operators.

From the Transport Research International Documentation (TRID) Database: “The objective of this project was to investigate the use of existing video resources, such as traffic cameras, police cameras, red light cameras, and security cameras for the long-term, real-time collection of traffic statistics. An additional objective was to gather similar statistics for pedestrians and bicyclists. Throughout the course of the project, several methods were investigated for tracking vehicles under challenging conditions.”

TRID continues with the methods: “The initial plan called for tracking based on optical flow. However, it was found that current optical flow–estimating algorithms are not well suited to low-quality video—hence, developing optical flow methods for low-quality video has been one aspect of this project. The method eventually used combines basic optical flow tracking with a learning detector for each tracked object—that is, the object is tracked both by its apparent movement and by its appearance should it temporarily disappear from or be obscured in the frame.”

TRID continues, “The authors have produced a prototype software that allows the user to specify the vehicle trajectories of interest by drawing their shapes superimposed on a video frame. The software then tracks each vehicle as it travels through the frame, matches the vehicle’s movements to the most closely matching trajectory, and increases the vehicle count for that trajectory. In terms of pedestrian and bicycle counting, the system is capable of tracking these “objects” as well, though at present it is not capable of distinguishing between the three classes automatically. Continuing research by the principal investigator under a different grant will establish this capability as well.”

This document has four chapters. The first chapter introduces the problems and issues of counting vehicles in opportunistic video (like security cameras). Chapter 2 discusses the authors’ selected hybrid tracking algorithm. Chapter 3 discusses the implementation of the software prototype, and Chapter 4 concludes the report.

Selection of Cameras, Digital Recording Systems, Digital High-Speed Networks and Trainlines for Use in Transit-Related CCTV Systems: APTA Recommended Practice

Citation. APTA Recommended Practice: Selection of Cameras, Digital Recording Systems, Digital High-Speed Networks and Trainlines for Use in Transit-Related CCTV Systems, APTA IT-CCTV-RP-001-11, 2011. Available: http://www.apta.com/resources/standards/Documents/APTA-IT-CCTV-RP-001-11.pdf

30 Synopsis. This Recommended Practice provides guidelines for the selection of cameras, digital recording equipment and digital high-speed trainlines for use in transit-related CCTV applications. The document provides guidelines for the use of cameras in CCTV security systems in transit- related applications, such as rail cars, buses, depots and stations. It discusses both attended and unattended cameras, which include stationary cameras as well as PTZ cameras. On-site recording devices such as VCRs, DVRs and hard disks also will be discussed, as will data highway, backbone and structured wiring and trainline network requirements. Data network requirements for rail vehicles will be discussed in a separate section (Section 5) specifically focused on high-speed digital trainlines. Physical Security for Public Transit: APTA Recommended Practice Citation. APTA Recommended Practice: Physical Security for Public Transit, 2013. APTA SS- SIS-RP-013-13. Available: http://www.apta.com/resources/standards/Documents/APTA%20SS- SIS-RP-013-13.pdf Synopsis. This Recommended Practice proposes physical security practices for transit passenger facilities to enhance the security of people, operations, assets and infrastructure. This provides basic physical security strategy background information. It offers an overview and descriptions of the applicability of the physical security pillar. Elements of this pillar often include target- hardening elements such as security lighting, fencing and gates, security risk, exterior doors, industrial doors, windows and glazing, HVAC, mail rooms, utility openings and culverts, perimeter roads, lock and key control, standoff distance, and clear zones. The elements of this pillar may be integrated with other security standards and best practices used by transit agencies to enhance their security program(s). TCRP Synthesis 104: Use of Electronic Passenger Information Signage in Transit Citiation. Schweiger, C. L. 
TCRP Synthesis 104: Use of Electronic Passenger Information Signage in Transit. Transportation Research Board of the National Academies, Washington, DC, 2013. Available: http://onlinepubs.trb.org/onlinepubs/tcrp/tcrp_syn_104.pdf Synopsis. The literature review revealed many reports, papers, articles, and press releases that have been written about the use of electronic passenger information signage in transit. This review has the following sections, including the five elements identified in chapter one: • Underlying technology • Signage technology • Information characteristics • Information accessibility • Accuracy and reliability • Monitoring • Standards • Required resources • Decision processes • Selection criteria

31 • Signage placement. While agencies seem to be taking full advantage of almost universal access to the Internet and high mobile phone ownership rates to provide their information through these media, providing information by means of electronic signs is seen to provide an added benefit to users. It is easier to look at the sign than getting out a mobile device, opening up the application, and searching for the information. A review of the literature revealed a wealth of information, covering both U.S. and international experience, which is reported in detail. The survey conducted as part of this synthesis, covering the five elements mentioned earlier, was sent to 37 transit agencies around the world and 37 responses were received, a 100% response rate. Case examples offer more in-depth detailed information about practices at the Tri-County Metropolitan Transportation District of Oregon, Real-Time Information Group in the United Kingdom, the Chicago Transit Authority in Illinois, and Mobility Lab in Virginia. Optimal Bridge Retrofit Strategy to Enhance Disaster Resilience of Highway Transportation Systems, U.S. DOT RITA 2014 Citation. Banerjee, Swagata, Chandrasekaran, Sandhya, Venkittaraman, Ashok, Optimal Bridge Retrofit Strategy to Enhance Disaster Resilience of Highway Transportation Systems, Mid- Atlantic Universities Transportation Center (MAUTC), Pennsylvania State University, University Park, PA, July 2014, [Online]. Available: http://www.mautc.psu.edu/docs/PSU-2012-01.pdf Synopsis. This report discusses bridge retrofitting as a physical countermeasure for bridges that have been affected by earthquake, flood-induced scour, or both. From the Transport Research International Documentation (TRID) Database: “This study evaluated the resilience of highway bridges under the multihazard scenario of earthquake in the presence of flood-induced scour. 
To mitigate losses incurred from bridge damage during extreme events, bridge retrofit strategies are selected such that the retrofit not only enhances bridge performance, but also improves resilience of the system consisting of these bridges. The first part of the report focuses on the enhancement of seismic resilience of bridges through retrofit… The impact of retrofit on seismic resilience was observed by applying a suitable retrofit strategy to the bridge… A difference in resilience observed before and after bridge retrofit signified the effectiveness of seismic retrofit.

“The applied retrofit technique was also found to be cost effective through a cost-benefit analysis… An optimal (with respect to cost and resilience) bridge retrofit strategy under multihazard was obtained in the second phase of this study… Three different retrofit materials—steel, carbon fiber, and glass fiber composites—were used…. Results from the optimization, called Pareto-optimal set, include solutions that are distinct from each other in terms of associated cost, contribution to resilience enhancement, and values of design parameters. This optimal set offers the best search results based on selected materials and design configurations for jackets.”

LRFD Seismic Analysis and Design of Bridges Reference Manual, 2014

Citation. LRFD Seismic Analysis and Design of Bridges Reference Manual, National Highway Institute (NHI) Course No. 130093 & 130093A, Federal Highway Administration (FHWA), U.S. Department of Transportation, Washington, DC, October 2014, [Online]. Available: http://www.fhwa.dot.gov/bridge/seismic/nhi130093.pdf

Synopsis. This document includes physical security countermeasures for bridges against earthquakes such as restrainers, seat extensions, column jackets, footing overlays, and soil remediation. Additional information from the Abstract: “This manual is intended to provide a technical resource for bridge engineers responsible for seismic analysis and design. It serves as a reference manual for use with the 5-day National Highway Institute (NHI) 130093 course “LRFD Seismic Analysis and Design of Bridges”, and the 3-day 130093A course “Displacement-Based LRFD Seismic Analysis and Design of Bridges”.

“The manual covers fundamental topics such as engineering seismology; seismic and geotechnical hazards; structural dynamics (SDOF and MDOF); and methods for modeling and analyzing bridges subject to earthquake ground motions. It also presents the principles of capacity design; applications of capacity design to piers, foundations, superstructures and connections; and discusses the requirements and recommendations of the seismic provision in each of the AASHTO LRFD Bridge Design Specifications and AASHTO Guide Specifications for LRFD Seismic Bridge Design, and their common features. Lastly, the manual addresses seismic isolation design in accordance with AASHTO Guide Specifications for Seismic Isolation Design, and retrofitting strategies in accordance with the 2006 FHWA Seismic Retrofitting Manual for Highway Structures.”

NCHRP Report 750: Strategic Issues Facing Transportation, Volume 2: Climate Change, Extreme Weather Events, and the Highway System: Practitioner’s Guide and Research Report, 2014

Citation. Meyer, M., M. Flood, J. Keller, J. Lennon, G. McVoy, C. Dorney, K. Leonard, R. Hyman and J. Smith. NCHRP Report 750: Strategic Issues Facing Transportation, Volume 2: Climate Change, Extreme Weather Events, and the Highway System: A Practitioner’s Guide and Research Report. Transportation Research Board of the National Academies, Washington, DC, 2014, [Online].
Available: http://www.trb.org/Main/Blurbs/169781.aspx

Synopsis. From the Transport Research International Documentation (TRID) Database: “This report presents guidance on adaptation strategies to likely impacts of climate change through 2050 in the planning, design, construction, operation, and maintenance of infrastructure assets in the United States (and through 2100 for sea level rise). In addition to the practitioner’s guide and research report, this project also developed the following items:

1. “a software tool that runs in common web browsers and provides specific, region-based information on incorporating climate change adaptation into the planning and design of bridges, culverts, stormwater infrastructure, slopes, walls, and pavements;
2. “tables that provide the same information as the previously mentioned software tool, but in a spreadsheet format that can be printed; and
3. “two spreadsheets that illustrate examples of the benefit-cost analysis of adaptation strategies discussed in Appendix B of Part I of NCHRP Report 750, Volume 2.”

This report discusses physical countermeasures against storm surge, floods, extreme temperature, and permafrost instability. Storm surge countermeasures include shoreline revetments, elevated approach roadways, extended wingwalls, enhanced scour protection and strengthened deck tie-downs. Additional flood countermeasures include floodplain culverts, hardening the slopes of approach roadways, adding/raising spans, and protecting coatings. Countermeasures against extreme temperature include widening expansion joints, redesigning bearings, and strengthening beams and girders. Countermeasures against permafrost instability include mitigation techniques such as the use of reflective surfaces, air convection embankment, geosynthetic reinforcement, thermosyphons, berms, air ducts, insulation materials and lightweight fill materials.

Security and Survivability of Real-Time Communication Architecture for Connected-Vehicle Eco-Traffic Signal System Applications

Citation. Krings, A, Serageldin, A, Abdel-Rahim, A, Dixon, M, “Security and Survivability of Real-Time Communication Architecture for Connected-Vehicle Eco-Traffic Signal System Applications,” TranLIVE, University of Idaho, Moscow, ID, 2014, [Online]. Available: http://ntl.bts.gov/lib/51000/51800/51862/UI_TranLIVE__Final_Report_Real-timeCommunication.pdf

Synopsis. From the Transport Research International Documentation (TRID) Database: “Transportation Systems, and thus Intelligent Transportation Systems (ITS), are considered one of the most critical infrastructures. For wireless communication ITS use communication links based on Dedicated Short Range Communication (DSRC) in Wireless Access in Vehicular Environments (WAVE) systems. Due to the nature of wireless communication, the connected-vehicle real-time communication and control infrastructure is exposed to the entire spectrum of threats to security and survivability from cyberspace all the way to direct physical manipulations. For the infrastructure to be trusted one has to consider external manipulations that could render DSRC safety applications useless.
This research therefore investigates the impact of malicious acts, in particular jamming, on the reliability and survivability of such applications.”

This report has eight chapters. Chapter 1 introduces the problem statement and research objectives. While Chapter 2 details the approach and methodology, Chapter 3 presents the three safety application scenarios. The research team’s redundancy-based survivability architecture is explained in Chapter 4. Issues related to wireless communication and jamming are in Chapter 5, while the impact of redundancy is analyzed quantitatively in Chapter 6. Chapter 7 shows the results of the various scenarios, and Chapter 8 concludes the report with findings and recommendations.

Crime Clusters and Safety in Underground Stations

Citation. Uittenbogaard, Adriaan Cornelis, Crime clusters and safety in underground stations, KTH Royal Institute of Technology, Stockholm, 2014. Available (accessible by subscription only): http://kth.diva-portal.org/smash/record.jsf?pid=diva2%3A695303&dswid=-2177

Synopsis. From the Transport Research International Documentation (TRID) Database: “The objective of the thesis is to explore ways to assess safety in an urban context and in transport nodes. The thesis is composed of articles which aim at assessing whether safety levels vary within a city, at a public transportation network, particularly at stations, and finally making suggestions to increase safety in these environments. The analysis makes use of geographical information systems (GIS), statistical techniques and combines several different data sources. Fieldwork supports the data sources by presenting an investigation of the current environment at and around the underground stations in Stockholm. Regression models were used to assess the (strength) relationships between levels of crime and the social and physical environment at underground stations.

“Findings show that urban crime in Stockholm municipality concentrates in stable hotspots, however, varying by type of crime, in different places at different times. A majority of the hotspots were located close to underground stations. The environment at underground stations has a significant impact on the crime levels at these transport nodes. For instance, low guardianship opportunities were related with higher crime rates, while well-illuminated and open stations showed lower crime rates. An open layout would provide better opportunities for guardianship, which in turn may decrease crime levels. The surrounding socio-economic composition of neighborhoods and the physical and social environment surrounding the stations affected crime levels similarly. For instance, mixed land-uses surrounding the station could be linked to increased crime rates. However, crime levels showed a varying distribution over time and space. Different stations showed different levels of crime at different times of the day, moreover, this also showed to be dependent on crime type. For instance, theft would concentrate at central stations at peak hours, when it is most crowded.

“The results include suggestions for policymakers and organizations dealing with urban safety, planning and public transportation, such as police, transportation companies and municipal planners.
The results suggest that crime interventions should take into account the dynamic patterns of crime and adopt a more holistic approach taking into account the station and its surroundings.”

Highway Bridge Fire Hazard Assessment and Guide Specification for Fire Damage Evaluation in Steel Bridges, NCHRP 12-85, 2013

Citation. Wright, William, Lattimer, Brian, Woodworth, Michael, Nahid, Mohammad, and Soletino, Elisa, Highway Bridge Fire Hazard Assessment Draft Final Report, NCHRP Project 12-85, Virginia Polytechnic Institute and State University, Blacksburg, VA, 2013, [Online]. Available: http://onlinepubs.trb.org/onlinepubs/nchrp/docs/NCHRP12-85_FR-Appendices.pdf

Wright, William, Lattimer, Brian, Woodworth, Michael, Nahid, Mohammad, and Soletino, Elisa. Highway Bridge Fire Hazard Assessment Draft Guide Specification for Fire Damage Evaluation in Steel Bridges, NCHRP Project 12-85, Virginia Polytechnic Institute and State University, Blacksburg, VA, 2013, [Online]. Available: http://onlinepubs.trb.org/onlinepubs/nchrp/docs/NCHRP12-85_Guide.pdf

Synopsis. This report and guide specification include physical countermeasures against vehicle collisions. From the Abstract of the final report: “This report presents the results for NCHRP Project 12-85 being performed by Virginia Tech. The project performed an in-depth evaluation of the problem of fire damage to highway bridges. The majority of bridges in the country consist of steel or concrete beams with a concrete deck. The primary fire risk for these bridge types is vehicle crashes. The largest fires and those that most often cause damage are caused by tanker truck crashes. This project looked at a probability based approach to assess risk but this proved to be elusive due to limitations of existing data… The consequences of loss-of-service need to be considered on a bridge specific basis when making decisions about fire risk. The latter phases of the project focused on understanding bridge behavior during fire events and developing guidance for the post-fire evaluation of structures. This final report provides information on how to use the parametric study results and other information in the literature to evaluate the post-fire strength and serviceability of fire damaged bridges. This report is supplemented by the following appendices:

• A Microsoft Access database of case study information that was uncovered during the project
• APPENDIX A – Fire Simulation Modeling
• APPENDIX B – Structural Response Modeling
• APPENDIX C – State Survey, Case Studies, and Bibliography
• APPENDIX D – Fuel Sources
• APPENDIX E – Material Properties
• APPENDIX F – Fire Statistics and Risk
• APPENDIX G – Structural Modeling Validation

Bridge Protective Beam Wrap Standard (BPBW) Issued as a Bridge Standard on July 10, 2013

Citation. Both the standard itself and a PPT based upon the standard:

“Bridge Protective Beam Wrap (BPBW),” Bridge Division Standard, Texas Department of Transportation (TxDOT), Austin, TX, January 2015, [Online]. Available: http://ftp.dot.state.tx.us/pub/txdot-info/cmd/cserve/standard/bridge/bpbwstd1.pdf

Smith, Amy, “Bridge Protective Beam Wrap,” TxDOT Bridge Presentations Webinar, Texas Department of Transportation (TxDOT), Austin, TX, 16 July 2014, [Online]. Available: https://ftp.dot.state.tx.us/pub/txdot-info/brg/webinars/2014-0716/smith.pdf

Synopsis. BPBW is a physical countermeasure that prevents debris from falling on the roadway/traffic, in the event that the beam is impacted by, for example, a vehicle.
According to a TxDOT webinar, the BPBW standard was posted in July 2013 and replaces the Bridge Protective Assembly (BPA) standard. Its benefits are in reducing total damage to beams, concentrating the damage, and capturing the debris. It is to be used when there is a high probability of hits from overheight vehicles.

Design Practices and Products for Deterring Copper Wire Thefts

Citation. CTC & Associates, LLC, “Design Practices and Products for Deterring Copper Wire Theft”, Preliminary Investigation, Caltrans Division of Research and Innovation, California Department of Transportation, Sacramento, CA, May 2013, [Online]. Available: http://www.dot.ca.gov/newtech/researchreports/preliminary_investigations/docs/copper_theft_pi.pdf

Synopsis. From the Transport Research International Documentation (TRID) Database: “Recent copper wire thefts throughout California have had a serious impact on the operations of the California Department of Transportation’s (Caltrans’) electrical infrastructure, including roadway lighting, changeable message signs, ramp meters and vehicle detection systems. This Preliminary Investigation aims to identify strategies used by other state DOTs to deter wire theft, as well as methods used by other industries (power utilities, railroads) that may be applicable to Caltrans’ infrastructure. Common strategies include locating pull boxes in high visibility areas; locking pull boxes; burying pull boxes; using physical restraints such as banding wire with steel sleeves; using video surveillance; using less expensive materials such as aluminum; and tagging wire with agency identification.”

The Executive Summary of the report contains Background, Summary of Findings, Gaps in Findings, and Next Steps. The remainder of the report consists of the following sections:

• Contacts (national, state, municipalities, manufacturers)
• National Resources
• Strategies for Deterring Theft (from DOTs and Other Industries)
• Details on Selected Products (wire restraints and alternative wiring systems)
• States’ Experiences: Vallejo, CA; Arizona DOT; Michigan DOT; Missouri DOT; New Jersey DOT; New York State DOT; Utah DOT; Washington State DOT
• Other Industries’ Experiences: Utility Companies; Railroads
• Chart “Copper Theft: Possible Solutions”
• Appendix B: Standard electrical details from New Jersey DOT

ASCE 7-10 Guidelines for Design Standards for Wind Loading and Bridges.

Citation. Minimum Design Loads for Buildings and Other Structures (ASCE/SEI 7-10), American Society of Civil Engineers, Reston, VA, 2013, [Online].
Available: http://ascelibrary.org/doi/book/10.1061/9780784412916

Synopsis. These guidelines provide design standards for wind loading and bridges. Physical countermeasures against high winds include upsizing/strengthening beams, girders, and wind/lateral bracing elements, adding/strengthening deck tie-downs, and enhancing scour countermeasures. From the ASCE Library: “Minimum Design Loads for Buildings and Other Structures, ASCE/SEI 7-10, provides requirements for general structural design and includes means for determining dead, live, soil, flood, snow, rain, atmospheric ice, earthquake, and wind loads, as well as their combinations, which are suitable for inclusion in building codes and other documents. This standard, a revision of ASCE/SEI 7-05, offers a complete update and reorganization of the wind load provisions, expanding them from one chapter into six. The standard contains new ultimate event wind maps with corresponding reductions in load factors, so that the loads are not affected, and updates the seismic loads with new risk-targeted seismic maps. The snow, live, and atmospheric icing provisions are updated as well. In addition, the standard includes a detailed Commentary with explanatory and supplementary information designed to assist building code committees and regulatory authorities.”

Ad-Hoc Sensor Networks for Maritime Interdiction Operations and Regional Security

Citation. Kontogiannis, Theofanis, “Ad-Hoc Sensor Networks for Maritime Interdiction Operations and Regional Security,” Masters Thesis, Naval Postgraduate School, Monterey, CA, September 2012, [Online]. Available: http://www.dtic.mil/dtic/tr/fulltext/u2/a567165.pdf

Synopsis. From the Transport Research International Documentation (TRID) Database: “Robust communications are key to the success of naval operations such as area surveillance, control, and interdiction. Communication and sensor networks allow the flow of data and critical information that is necessary for conducting an operation from both the tactical and strategic perspectives. In naval operations, the platforms are hardly stationary, as the networking infrastructure operates from a variety of platforms in motion on the sea, above the sea, and from space, in the case of satellite support. Sensor networks consist of nodes made up of small sensors that are able to monitor, process, and analyze phenomena over geographical regions of varying sizes and for significant periods. Some categories of these small, and sometimes low-cost, sensors are able to collect and transmit, or relay, sensor data about physical values (e.g., temperature, humidity, and sea state), or dynamic attributes of objects, such as speed, direction, and the existence of dangerous substances (e.g., radioactive materials and explosives). The objective of this thesis is to examine how unstructured sensor networks, known also as ad-hoc sensor networks, can effectively support maritime interdiction operations and regional security by providing reliable communications and flow of information.”

This thesis has five chapters.
The first chapter is an Introduction to Maritime Interdiction Operations (MIO) and their use of ad-hoc sensor networks, and the second chapter is a literature review on ad-hoc network categories and sensor network design. The third chapter presents the MIO Network Operational Concept. The fourth chapter presents four case studies (“Experimentation Field”) in the San Francisco Bay Area (California), Fort Eustis Riverine Area (Virginia), and Souda Bay (Greece). The fifth chapter concludes the thesis.

Evaluating Scour at Bridges, HEC-18, FHWA, 2012

Citation. Evaluating Scour at Bridges (HEC-18), 5th Ed., Federal Highway Administration (FHWA), Washington, DC, 2012, [Online]. Available: https://www.fhwa.dot.gov/engineering/hydraulics/library_arc.cfm?pub_number=17&id=151arc.cfm?pubnumber=17&id=151

Synopsis. This document focuses on physical countermeasures against scour for bridges. From the FHWA’s description: “This document is the fifth edition of HEC-18. It presents the state of knowledge and practice for the design, evaluation and inspection of bridges for scour. There are two companion documents, HEC-20 entitled “Stream Stability at Highway Structures,” and HEC-23 entitled “Bridge Scour and Stream Instability Countermeasures.” These three documents contain updated material from previous editions and continued research by NCHRP, FHWA, state DOTs, and universities. This fifth edition of HEC-18 also contains revisions obtained from further scour-related developments and the use of the 2001 edition by the highway community.

“The major changes in the fifth edition of HEC-18 are: expanded discussion on the policy and regulatory basis for the FHWA Scour Program, including risk-based approaches for evaluations, developing Plans of Action (POAs) for scour critical bridges, and expanded discussion on countermeasure design philosophy (new vs. existing bridges). This fifth edition includes: a new section on contraction scour in cohesive materials, an updated abutment scour section, alternative abutment design approaches, alternative procedures for estimating pier scour, and new guidance on pier scour with debris loading. There is a new chapter on soils, rock and geotechnical considerations related to scour. Additional changes include: a new approach for pier scour in coarse material, new sections on pier scour in cohesive materials and pier scour in erodible rock, revised guidance for vertical contraction scour (pressure flow) conditions, guidance for predicting scour at bottomless culverts, deletion of the “General Scour” term, and revised discussion on scour at tidal bridges to reflect material now covered in HEC-25 (1st and 2nd Editions).”

Sharma, H. and Hurlebaus, S. (2012) Overheight Collision Protection Measures for Bridges. Structures Congress 2012: pp. 790-797.

Citation. Sharma, H. and Hurlebaus, S. (2012) Overheight Collision Protection Measures for Bridges. Structures Congress 2012: pp. 790-797. Available (accessible by subscription only): http://ascelibrary.org/doi/abs/10.1061/9780784412367.071

Synopsis. This article discusses a physical countermeasure for bridges against the collision of overheight vehicles. From the Abstract: “Low clearance bridges are susceptible to collision with overheight vehicles.
Collisions of overheight vehicles can cause fatalities and injuries to the drivers and passengers of the overheight vehicles, and damage to bridge girders. The repair of the damaged bridges can be costly and time consuming. Overheight collision has become a significant cause for the damage of bridges and the number is expected to rise.

“A previous work by the authors showed that a protection system called bridge bumper can be designed that maximizes the energy absorption and decreases the likelihood of damages and fatalities. The current work presents the full-scale implementation of the bridge bumper to a realistic bridge subjected to overheight collision with a heavy vehicle… The protection system consists of a plate made of steel to distribute the impact energy over a large area called stiff guard (SG). Energy absorbing material (EAM) are used to mitigate the effect of collision… The system can be designed for any given impact scenario. A realistic impact scenario is simulated and the applicability of the protection system is shown.

“This is a novel system for the protection of bridge girders from overheight collision. It is a fairly cheap system when compared with the repair and closure costs. It is easy to manufacture, assemble and implement on the bridge girder. The research can be further extended for the protection of bridge pier, building column against accidental collision or terrorist attacks.”

Texas Transportation Institute (TTI) “Guidelines for Designing Bridge Piers and Abutments for Vehicle Collisions.” — Technical Reports 9-4973-1 and 9-4973-2

Citation. Two Reports:

Buth, C.E., Williams, W.F., Brackin, M.S., Lord, D., Geedipally, S.R., Abu-Odeh, A.Y., “Analysis of Large Truck Collisions with Bridge Piers (Phase 1)”, Report of Guidelines for Designing Bridge Piers and Abutments for Vehicle Collisions, Texas Transportation Institute (TTI), Texas A&M University, College Station, TX, May 2010, [Online]. Available: http://d2dtl5nnlpfr0r.cloudfront.net/tti.tamu.edu/documents/9-4973-1.pdf

Buth, C.E., Williams, W.F., Brackin, M.S., Fry, G.T., “Collision Loads on Bridge Piers (Phase 2),” Report of Guidelines for Designing Bridge Piers and Abutments for Vehicle Collisions, Texas Transportation Institute (TTI), Texas A&M University, College Station, TX, March 2011, [Online]. Available: http://ntl.bts.gov/lib/36000/36100/36133/9-4973-2.pdf

Synopsis. This project resulted in two Technical Reports. The report corresponding to Phase 1 (9-4973-1) is Analysis of Large Truck Collisions with Bridge Piers. The report corresponding to Phase 2 (9-4973-2) is Collision Loads on Bridge Piers. The project includes physical countermeasures against vehicle collisions. From the Abstract to the Phase 1 report: “The American Association of State Highway and Transportation Officials (AASHTO) Load and Resistance Factor Design (LRFD) Bridge Design Specifications require that ‘abutments and piers located within a distance of 30.0 ft of the edge of the roadway, or within a distance of 50.0 ft to the centerline of a railway track, shall be designed for an equivalent static force of 400 kip…’ Magnitude of the design force (400 kip) was established from data available at the time the LRFD specification was prepared. Supporting documentation for this design requirement, both its applicability and magnitude of the design force, was not extensive.
Further detailed guidance for the design engineer is not available. The objective of this research effort is to address the following questions: 1. What risks warrant application of this requirement? 2. Is the magnitude of design force (400 kip) appropriate?”

From the Abstract to the Phase 2 report: “An instrumented, simulated bridge pier was constructed, and two full-scale collisions with an 80,000-lb van-type tractor-trailer were performed on it. The trailer was ballasted with bags of sand on pallets. The simulated pier was 36 inches in diameter and was supported in the longitudinal direction by two load cells. Force-versus-time data were obtained from the load cells. Recommendations for possible revisions to the AASHTO LRFD Bridge Design Specifications are given.”

Maritime Security: Coast Guard Should Conduct Required Inspections of Offshore Energy Infrastructure

Citation. Maritime Security: Coast Guard Should Conduct Required Inspections of Offshore Energy Infrastructure. U.S. Government Accountability Office, 2011, 59p, [Online]. Available: http://www.gao.gov/new.items/d1237.pdf

Synopsis. From the Transport Research International Documentation (TRID) Database: “Congressional interest in the security of offshore energy infrastructure has increased because of the lives lost and the substantial damages that resulted from the Deepwater Horizon incident in April 2010. The U.S. Coast Guard—a component of the Department of Homeland Security (DHS)—is the lead federal agency for maritime security, including the security of offshore energy infrastructure. The Coast Guard oversees two main types of offshore energy infrastructure—facilities on the Outer Continental Shelf (OCS) and deepwater ports. The U.S. Government Accountability Office (GAO) was asked to examine: (1) Coast Guard actions to ensure the security of OCS facilities and what additional actions, if any, are needed; (2) Coast Guard actions to ensure the security of deepwater ports and what additional actions, if any, are needed; and (3) what limitations in oversight authority, if any, the Coast Guard faces in ensuring the security of offshore energy infrastructure. The GAO reviewed Coast Guard documents, such as inspection records, and relevant laws and regulations and interviewed Coast Guard inspectors and officials, including those at Coast Guard headquarters and the two Coast Guard districts that oversee all OCS facilities and deepwater ports that are subject to security requirements. GAO recommends that the Coast Guard develop policies or guidance to ensure that (1) annual security inspections are conducted at OCS facilities and (2) information entered into its database for both OCS facilities and deepwater ports is more useful for management. DHS and the Coast Guard concurred with these recommendations.”

Maritime Security: Ferry Security Measures Have Been Implemented, but Evaluating Existing Studies Could Further Enhance Security

Citation. Maritime Security: Ferry Security Measures Have Been Implemented, but Evaluating Existing Studies Could Further Enhance Security. U.S.
Government Accountability Office, 2010, 44p, [Online]. Available: http://www.gao.gov/new.items/d11207.pdf

Synopsis. From the Transport Research International Documentation (TRID) Database: “The U.S. Government Accountability Office (GAO) was asked to review ferry security, and this report addresses the extent to which (1) the Coast Guard, the lead federal agency for maritime security, assessed risk in accordance with the Department of Homeland Security’s (DHS) guidance and what risks it identified; and (2) federal agencies, ferry and facility operators, and law enforcement entities have taken actions to protect ferries and their facilities… Many of the Coast Guard, ferry system and law enforcement officials GAO spoke with generally believe ferries are vulnerable to passenger- or vehicle-borne improvised explosive devices, although not all ferry systems transport vehicles. The Coast Guard has also identified the potential consequences of an attack, which could include possible loss of life and negative economic effects. In April 2010, Coast Guard officials stated that the relative risk to ferries is increasing, as evidenced by attacks against land-based mass transit and other targets overseas.

“Federal agencies—including the Coast Guard, the Transportation Security Administration (TSA), and Customs and Border Protection (CBP)—ferry operators, and law enforcement entities report that they have taken various actions to enhance the security of ferries and facilities and have implemented related laws, regulations, and guidance, but the Coast Guard may be missing opportunities to enhance ferry security. Security measures taken by the Coast Guard have included providing a security presence on ferries during transit. Coast Guard officials also reported that they are revising regulations to improve ferry operator training and developing guidance on screening. Ferry operators’ security actions have included developing and implementing security plans and screening vehicles and passengers, among other things.

“However, the Coast Guard had not evaluated and, if determined warranted, acted on all findings and recommendations resulting from five agency-contracted studies on ferry security completed in 2005 and 2006. Reports from these studies included several recommendations for standardizing and enhancing screening across ferry operators… As a result of our work on ferry security, in August 2010, Coast Guard officials stated they planned to review the reports… GAO recommends that the Commandant of the Coast Guard, after evaluating the completed studies on ferry security, reassess vehicle screening requirements and take further actions to enhance security, if determined warranted.”

Guide Specifications and Commentary for Vessel Collision Design of Highway Bridges, 2nd Edition, with 2010 Interim Revisions

Citation. Guide Specifications and Commentary for Vessel Collision Design of Highway Bridges, 2nd Edition, The American Association of State Highway and Transportation Officials (AASHTO), Washington, DC, 2009, [Online]. Available: https://bookstore.transportation.org/item_details.aspx?id=1345

Synopsis. These guide specifications include such physical countermeasures against vessel collisions as fender systems, pile-supported systems, protection systems (e.g. dolphin, island, and floating protection systems), movable bridge protection, and motorist warning systems.
From the Foreword: “This Second Edition of the Guide Specification was developed to incorporate lessons learned from the use of the original 1991 Vessel Collision Guide Specification; incorporate the current LRFD Bridge Design methodology; clarify some of the risk procedure elements; make minor modifications and corrections; and discuss, and incorporate where deemed necessary, results from barge and ship collision research conducted since the original vessel collision publication. The use of the Guide Specification procedures to evaluate existing bridges has been highlighted in this revised edition, and a new worked example illustrating the vessel collision risk assessment procedures has been provided.”

Bridge Analysis and Evaluation of Effects under Overload Vehicles, CFIRE 2009

Citation. Bae, Han-Ug and Michael Oliva, Bridge Analysis and Evaluation of Effects under Overload Vehicles, National Center for Freight & Infrastructure Research & Education (CFIRE), University of Wisconsin at Madison, Madison, WI, December 2009, [Online]. Available: http://www.wistrans.org/cfire/documents/phase1_InterimReport.pdf

Synopsis. This manual includes physical countermeasures against overload vehicles. From the Abstract: Movement of industrial freight infrequently requires special overload vehicles weighing 5 to 6 times the normal legal truck weight to move across highway systems. The gross vehicle weight of the overload vehicles frequently exceeds 400 kips while the normal interstate legal limit for gross vehicle weight is 80 kips. Examples of the loads carried by the vehicles are pressure vessels and transformers used in power plants, huge boilers, military hardware, beams and barges.

Transportation agencies are asked to provide special permits for these vehicles along a specified pathway. Because of the unusual configuration of the vehicles it is difficult for those agencies to evaluate the effect of the vehicles on highway bridges. It is a time consuming job for the local agency since simple analysis methods for determining effects on bridges subjected to those overloads are not well established and the possibility of errors in estimating the impact of the loads on these structures could affect safety. This research aims to help agencies in evaluating the impact of these vehicles on structures. The following results were found from the research.

1. Finite element analyses of 118 multi-girder bridges and 16 load cases of overload vehicles for each multi-girder bridge were performed and the girder distribution factor equations for the multi-girder bridges under overload vehicles were developed based on the analysis results. The developed equations were found to be capable of replacing the time consuming 3D finite element analysis rationally and conservatively.
2. Investigation of the intermediate diaphragms to check the safety of the intermediate diaphragms under overload vehicles was performed and it was found that the safety of the intermediate diaphragms under overload vehicles is not of a concern from the investigation since relatively weak intermediate diaphragms were safe under the severe overload vehicles.
3. An equation to limit the weight of a single wheel set in overload vehicles to ensure the safety of the decks was developed.
4. Two detailed analysis examples of ‘complex bridges’ were performed and the results showed that it is necessary to perform three-dimensional finite analysis to find effects of overload vehicles on complex bridges since each complex bridge has a unique configuration with special structural components.

FHWA Manual on Uniform Traffic Control Devices (MUTCD)

Citation. Manual on Uniform Traffic Control Devices (MUTCD), Federal Highway Administration (FHWA), Washington, DC, 2009, [Online]. Available: http://mutcd.fhwa.dot.gov/index.htm

Synopsis. This manual includes physical countermeasures against both overload vehicles and vehicle collisions. From the Overview on the FHWA’s website dedicated to the MUTCD: “The Manual on Uniform Traffic Control Devices (MUTCD), by setting minimum standards and providing guidance, ensures uniformity of traffic control devices across the nation. The use of uniform TCDs (messages, location, size, shapes, and colors) helps reduce crashes and congestion, and improves the efficiency of the surface transportation system. Uniformity also helps reduce the cost of TCDs through standardization. The information contained in the MUTCD is the result of either years of practical experience, research, and/or the MUTCD experimentation process. This effort ensures that TCDs are visible, recognizable, understandable, and necessary. The MUTCD is a dynamic document that changes with time to address contemporary safety and operational issues.

“Key Messages: The MUTCD contains the national standards governing all traffic control devices. All public agencies and owners of private roads open to public travel across the nation rely on the MUTCD to bring uniformity to the roadway. The MUTCD plays a critical role in improving safety and mobility of all road users. The MUTCD is the law governing all traffic control devices. Non-compliance of the MUTCD ultimately can result in loss of federal-aid funds as well as significant increase in tort liability. Uniformity of traffic control devices is critical in highway safety and mobility as well as cutting capital and maintenance costs of TCDs for public agencies and manufacturers. The FHWA has established a sound process to incorporate new devices and applications in the MUTCD. The process involves the Federal Register rulemaking activity which encourages public involvement. Any interested person or organization may provide input to the rulemaking activity by submitting comments to the docket. The process encourages innovation and flexibility while maintaining uniformity. The success of the MUTCD depends on nationwide complete acceptance and application of the MUTCD as well as extensive participation by the practitioners in developing and evaluating the content of the MUTCD. Input from practitioners and all other stakeholders is very critical in keeping the MUTCD current and relevant.

“Audience: The MUTCD audience includes, but is not limited to: State and local highway agencies, public officials, owners of private roads open to public travel, the insurance industry, law enforcement agencies, incident management personnel, maintenance personnel, academic institutions, private industry, and planning, construction and engineering organizations.”

NCHRP Report 587 Countermeasures to Protect Bridge Abutments from Scour, 2007

Citation. Barkdoll, B.D., Ettema, R., Melville, B.W. NCHRP Report 587: Countermeasures to Protect Bridge Abutments from Scour, Transportation Research Board of the National Academies, Washington, DC, 2007, [Online]. Available: http://www.trb.org/Main/Blurbs/159215.aspx

Synopsis. The focus of this report is physical countermeasures for bridges against scour. From the Transport Research International Documentation (TRID) Database: “This report will be of interest to transportation departments that are responsible for constructing and maintaining bridges that span waterways. It provides selection criteria and guidelines for the design and construction of countermeasures to protect bridge abutments and approach embankments from scour damage. Guidelines are provided for the following abutment countermeasures: riprap, cable-tied blocks, geobags, parallel walls, spur dikes located locally to the abutment, and abutment collars.”

Chapter 1 introduces certain abutment forms and countermeasure concepts. Chapter 2 elaborates upon the relationship between different abutment forms and the resulting scour. Countermeasure concepts and criteria are the topic of Chapter 3. Chapters 4 and 5 are the practitioner survey and literature review. Chapter 6 gives the lab results of preliminary experiments, while Chapters 7 through 9 are the lab results for various types of countermeasures: aprons at wing-wall abutments, aprons at spill-through abutments, and flow modification. Design guidelines are established in Chapter 10. Chapter 11 concludes the report.

Evaluation of Debris Flow Removal Protocol, Mitigation Methods, and Development of a Field Data Sheet, CDOT, 2006

Citation. Santi, P.M., Soule, N.C., Brock, R.J., Evaluation of Debris Flow Removal Protocol, Mitigation Methods, and Development of a Field Data Sheet, Report No. CDOT-2006-16, Colorado Department of Transportation Research Branch, Denver, CO, December 2006, [Online]. Available: https://www.codot.gov/programs/research/pdfs/2006/debris.pdf

Synopsis. This report includes physical countermeasures against wildfire such as post-wildfire debris flow mitigation and passive fire protection. Post-wildfire debris flow mitigation includes watershed-wide erosion control, interception of the debris above by deflection of flow away from the bridge, debris basins, or high tensile steel netting or pipes, or passing the debris through a culvert or under a bridge. Passive fire protection includes fire resistive coatings, intumescent coatings, and fire resistant materials. Additional information from the report’s Abstract: “The purpose of this report is to discuss protocol for the removal of debris on roadways, maintaining worker safety, recording of key information for future use, and selecting feasible mitigation measures to protect the roadway from debris flow hazards. Collection of data during removal of debris from roadways will provide a database that may assist in ranking and/or mitigating roadways with frequent debris flow hazards.

“The first part of this report provides a brief description of historic debris flow locations throughout Colorado. The second part details what systems other state and federal agencies have in place to collect information regarding debris flows and unstable slopes. As background research for this report, numerous state and federal agencies were contacted to determine what methods—if any—were in use by other departments of transportation or geological surveys.”

FHWA Seismic Retrofitting Manual for Highway Structures: Part 1 – Bridges, 2006

Citation. Seismic Retrofitting Manual for Highway Structures: Part 1 – Bridges, Publication No.
FHWA-HRT-06-032, Federal Highway Administration (FHWA), U.S. Department of Transportation, Washington, DC, January 2006, [Online]. Available: http://www.fhwa.dot.gov/publications/research/infrastructure/bridge/06032/06032.pdf

Synopsis. This manual includes physical security countermeasures for bridges against earthquakes, such as restrainers, seat extensions, column jackets, footing overlays, and soil remediation. Additional information from the Abstract: “This report is the first of a two-part publication entitled Seismic Retrofitting Manual for Highway Structures… In particular, a performance-based retrofit philosophy is introduced similar to that used for the performance-based design of new buildings and bridges. Performance criteria are given for two earthquake ground motions with different return periods, 100 and 1000 years. A higher level of performance is required for the event with the shorter return period (the lower-level earthquake ground motion) than for the longer return period (the upper level earthquake ground motion).

“Criteria are recommended according to bridge importance and anticipated service life, with more rigorous performance being required for important, relatively new bridges, and a lesser level for standard bridges nearing the end of their useful life. Minimum recommendations are made for screening, evaluation and retrofitting according to an assigned Seismic Retrofit Category. Bridges in Category A need not be retrofitted whereas those in Categories B, C and D require successively more rigorous consideration and retrofitting as required. Various retrofit strategies are described and a range of related retrofit measures explained in detail, including restrainers, seat extensions, column jackets, footing overlays, and soil remediation.”

FHWA Seismic Retrofitting Manual for Highway Structures: Part 2 – Retaining Structures, Slopes, Tunnels, Culverts, and Roadways, 2004

Citation. Seismic Retrofitting Manual for Highway Structures: Part 2 – Retaining Structures, Slopes, Tunnels, Culverts, and Roadways, Publication No. FHWA-HRT-05-067, Federal Highway Administration (FHWA), U.S. Department of Transportation, Washington, DC, August 2004, [Online]. Available: http://www.fhwa.dot.gov/publications/research/infrastructure/pavements/ltpp/05067/05067.pdf

Synopsis. With a focus on non-bridge structures, this manual includes physical security countermeasures against earthquakes, including restrainers, seat extensions, column jackets, footing overlays, and soil remediation. Additional information from the Abstract: “This report is the second of a two-part publication entitled Seismic Retrofitting Manual for Highway Structures… Part 2 includes new procedures for determining the seismic vulnerability of other important highway system structures, namely, retaining structures, slopes, tunnels, culverts, and roadways. Guidance is provided on (a) screening for potential seismic vulnerabilities; (b) conducting a detailed evaluation; and (c) describing strategies for retrofit design. In addition, discussion is provided for classifying each structure by type, construction, or expected performance. This is needed since different types of a given structure (e.g., different types of retaining walls) may have different failure modes and will therefore require somewhat different approaches to seismic vulnerability screening, detailed evaluation, and retrofitting.”

Rockfall Hazard Rating System, FHWA, 1992

Citation.
Rockfall Hazard Rating System: Participant’s Manual, Publication No. FHWA-SA-93-057, National Highway Institute (NHI) Course No. 130220, Federal Highway Administration (FHWA), U.S. Department of Transportation, Washington, DC, August 1993 [Online]. Available: http://www.fhwa.dot.gov/engineering/geotech/pubs/009767.pdf

Synopsis. This manual discusses physical countermeasures for bridges against landslides such as:

• Scaling, slope screening, catch fences, excavation, artificial reinforcement, shotcrete, barrier systems, rock buttress construction; and soil nailing (inserting reinforcement bars to stabilize steep slopes).
• Drainage systems such as installation of subsurface drainage facilities.
• Retaining walls and viaducts to protect from further landslides.

From the Abstract: “The RHRS (Rockfall Hazard Rating System) is a process used in the management of rockfall sites adjacent to highways. The system is proactive by design, providing a rational way to make informed decisions on where and how to spend construction funds in order to reduce the risks associated with rockfall. This Participant’s Manual documents the components of the RHRS, the steps an agency should follow to implement the system, and discusses the level of commitment required. The benefits of implementation and the limitations of the system are also described. The manual serves as both a field guide and a desk top reference for those who perform the slope ratings and those who use the resulting database in establishing rockfall remediation designs and construction priorities.”

D. Cyber Security Countermeasures

Protection of Transportation Infrastructure from Cyber Attacks: A Primer

Citation: Countermeasures Assessment and Security Experts LLC and Western Management and Consulting LLC. NCHRP Web-Only Document 221 and TCRP Web-Only Document 67: Protection of Transportation Infrastructure from Cyber Attacks: A Primer. Transportation Research Board, Washington, DC, 2016, 183p. Available: http://trid.trb.org/view/1408236

Synopsis: This primer, a joint product of two Transportation Research Board Cooperative Research Programs, provides transportation organizations basic reference material concerning cyber security concepts, guidelines, definitions and standards. The primer delivers fundamental strategic, management and planning information associated with cyber security and its applicability to transit and state department of transportation operations. The primer presents fundamental definitions and rationales that describe the principles and practices that enable effective cyber security risk management. The goals of the primer are to: increase awareness of cyber security as it applies to highway and public transportation; plant the seeds of organizational culture change; address those situations where the greatest risks lie; and provide industry-specific approaches to monitoring, responding to and mitigating cyber threats.
Individual chapters address: myths of cyber security; risk management, risk assessment and asset evaluation; plans and strategies, establishing priorities, organizing roles and responsibilities; transportation operations cyber systems; countermeasures; training; and security programs and support frameworks.

Critical Infrastructure Protection: Sector-Specific Agencies Need to Better Measure Cybersecurity Progress

Citation. Wilshusen, Gregory C. Critical Infrastructure Protection: Sector-Specific Agencies Need to Better Measure Cybersecurity Progress. U.S. Government Accountability Office, 2015, 82p. Available: http://trid.trb.org/view/1375467

Synopsis: U.S. critical infrastructures, such as financial institutions, commercial buildings, and energy production and transmission facilities, are systems and assets, whether physical or virtual, vital to the nation’s security, economy, and public health and safety. To secure these systems and assets, federal policy and the National Infrastructure Protection Plan (NIPP) establish responsibilities for federal agencies designated as sector-specific agencies (SSA), including leading, facilitating, or supporting the security and resilience programs and associated activities of their designated critical infrastructure sectors. The Government Accountability Office's (GAO’s) objectives were to determine the extent to which SSAs have (1) identified the significance of cyber risks to their respective sectors’ networks and industrial control systems, (2) taken actions to mitigate cyber risks within their respective sectors, (3) collaborated across sectors to improve cybersecurity, and (4) established performance metrics to monitor improvements in their respective sectors. To conduct the review, GAO analyzed policy, plans, and other documentation and interviewed public and private sector officials for 8 of 9 SSAs with responsibility for 15 of 16 sectors. GAO recommends that certain SSAs collaborate with sector partners to develop performance metrics and determine how to overcome challenges to reporting the results of their cyber-risk mitigation activities. Four of these agencies concurred with GAO’s recommendation, while two agencies did not comment on the recommendations.

Maritime Critical Infrastructure Protection: DHS Needs to Enhance Efforts to Address Port Cybersecurity

Citation. Wilshusen, Gregory C. Maritime Critical Infrastructure Protection: DHS Needs to Enhance Efforts to Address Port Cybersecurity. U.S. Government Accountability Office, 2015, 14p. Available: http://trid.trb.org/view/1371372

Synopsis: The nation’s maritime ports handle more than $1.3 trillion in cargo each year: a disruption at one of these ports could have a significant economic impact. Increasingly, port operations rely on computerized information and communications technologies, which can be vulnerable to cyber-based attacks. Federal entities, including the Department of Homeland Security's (DHS’s) Coast Guard and the Federal Emergency Management Agency (FEMA), have responsibilities for protecting ports against cyber-related threats. The Government Accountability Office (GAO) has designated the protection of federal information systems as a government-wide high-risk area since 1997, and in 2003 expanded this to include systems supporting the nation’s critical infrastructure. This statement by Gregory C. Wilshusen, Director, Information Security Issues, addresses (1) cyber-related threats facing the maritime port environment and (2) steps DHS has taken to address cybersecurity in that environment. In preparing this statement, GAO relied on work supporting its June 2014 report on cybersecurity at ports (GAO-14-459).
In its June 2014 report on port cybersecurity, GAO recommended that the Coast Guard include cyber risks in its updated risk assessment for the maritime environment, address cyber risks in its guidance for port security plans, and consider reestablishing the sector coordinating council. GAO also recommended that FEMA ensure funding decisions for its Port Security Grant Program are informed by subject matter expertise and a comprehensive risk assessment. DHS has partially addressed two of these recommendations since GAO’s report was issued.

Guidebook on Best Practices for Airport Cybersecurity

Citation. Murphy, R. J., M. Sukkarieh, J. Haass, and P. Hriljac. ACRP Report 140: Guidebook on Best Practices for Airport Cybersecurity. Transportation Research Board of the National Academies of Sciences, Engineering, and Medicine, Washington, DC, 2015, 162p. Available: http://trid.trb.org/view/1360787

Synopsis: Cybersecurity is a growing issue for all organizations, including airports. While the risks to traditional information technology (IT) infrastructure are often highlighted, many airports also rely on industrial control systems that introduce risks that are less apparent. The increasing practice of Bring Your Own Device (BYOD), whereby employees use their own personal devices for business purposes such as email and remote access to airport systems, brings its own risks that must be managed. These risks cannot be eliminated, but they can be reduced through implementation of industry standards, best practices, and awareness programs for employees. This report provides resources for airport managers and IT staff to reduce or mitigate inherent risks of cyberattacks on technology-based systems. Traditional IT infrastructure such as servers, desktops, and network devices are covered along with increasingly sophisticated and interconnected industrial control systems, such as baggage handling, temperature control, and airfield lighting systems. Accompanying this guidebook is a CD-ROM (CRP-CD-171) of multimedia material that can be used to educate all staff at airports about the need, and how, to be diligent against cybersecurity threats.

A Summary of Cybersecurity Best Practices

Citation. McCarthy, Charlie; Harnett, Kevin; Carter, Art. A Summary of Cybersecurity Best Practices. Volpe National Transportation Systems Center; National Highway Traffic Safety Administration, 2014, 40p. Available: http://trid.trb.org/view/1329314

Synopsis: This report contains the results and analysis of a review of best practices and observations in the field of cybersecurity involving electronic control systems across a variety of industry segments where the safety-of-life is concerned. This research provides relevant benchmarks that are essential to making strategic decisions over the next steps for the National Highway Traffic Safety Administration's (NHTSA’s) research program. This publication is part of a series of reports that describe the authors' initial work under the goal of facilitating cybersecurity best practices in the automotive industry (Goals 1 and 2). The information presented herein increases the collective knowledge base in automotive cybersecurity; helps identify potential knowledge gaps; helps describe the risk and threat environments; and helps support follow-on tasks that could be used to establish security guidelines.

Assessment of the Information Sharing and Analysis Center Model

Citation. McCarthy, Charlie; Harnett, Kevin; Carter, Art; Hatipoglu, Cem. Assessment of the Information Sharing and Analysis Center Model. Volpe National Transportation Systems Center; National Highway Traffic Safety Administration, 2014, 46p.
Available: http://trid.trb.org/view/1341933

Synopsis: An Information Sharing and Analysis Center (ISAC) is a trusted, sector-specific entity that can provide a 24-hour per day and 7-day per week secure operating capability that establishes the coordination, information sharing, and intelligence requirements for dealing with cyber security incidents, threats, and vulnerabilities. An ISAC can serve as an industry resource by which to gather key information about cyber security events and issues and identify, communicate, and analyze potential impacts of such concerns to the sector. This report presents findings from an assessment of the ISAC model, and how ISACs are effectively implemented in other sectors. The report also explains how a new sector ISAC could be formed by leveraging existing ISAC models. This publication supports the goal of facilitating the establishment of a cyber security information sharing forum in the automotive sector (Goal 2).

Maritime Critical Infrastructure Protection: DHS Needs to Better Address Port Cybersecurity

Citation. Maritime Critical Infrastructure Protection: DHS Needs to Better Address Port Cybersecurity. U.S. Government Accountability Office, 2014, 54p. Available: http://trid.trb.org/view/1312046

Synopsis: U.S. maritime ports handle more than $1.3 trillion in cargo annually. The operations of these ports are supported by information and communication systems, which are susceptible to cyber-related threats. Failures in these systems could degrade or interrupt operations at ports, including the flow of commerce. Federal agencies—in particular the Department of Homeland Security (DHS)—and industry stakeholders have specific roles in protecting maritime facilities and ports from physical and cyber threats. The Government Accountability Office's (GAO’s) objective was to identify the extent to which DHS and other stakeholders have taken steps to address cybersecurity in the maritime port environment. GAO examined relevant laws and regulations; analyzed federal cybersecurity-related policies and plans; observed operations at three U.S. ports selected based on being a high-risk port and a leader in calls by vessel type, e.g. container; and interviewed federal and nonfederal officials. GAO recommends that DHS direct the Coast Guard to (1) assess cyber-related risks, (2) use this assessment to inform maritime security guidance, and (3) determine whether the sector coordinating council should be reestablished. DHS should also direct the Federal Emergency Management Agency (FEMA) to (1) develop procedures to consult DHS cybersecurity experts for assistance in reviewing grant proposals and (2) use the results of the cyber-risk assessment to inform its grant guidance. DHS concurred with GAO’s recommendations.

Critical Infrastructures: Background, Policy, and Implementation

Citation. Moteff, John D. Critical Infrastructures: Background, Policy, and Implementation. Congressional Research Service, 2014, 39p. Available: http://trid.trb.org/view/1312743

Synopsis: The nation’s health, wealth, and security rely on the production and distribution of certain goods and services.
The array of physical assets, functions, and systems across which these goods and services move are called critical infrastructures (e.g., electricity, the power plants that generate it, and the electric grid upon which it is distributed). The national security community has been concerned for some time about the vulnerability of critical infrastructure to both physical and cyberattack. In May 1998, President Clinton released Presidential Decision Directive No. 63. The directive set up groups within the Federal Government to develop and implement plans that would protect government-operated infrastructures and called for a dialogue between government and the private sector to develop a National Infrastructure Assurance Plan that would protect all of the nation’s critical infrastructures by the year 2003. While the directive called for both physical and cyber protection from both man-made and natural events, implementation focused on cyber protection against man-made cyber events (i.e., computer hackers). Following the destruction and disruptions caused by the September 11 terrorist attacks in 2001, the nation directed increased attention toward physical protection of critical infrastructures. Over the intervening years, policy, programs, and legislation related to physical security of critical infrastructure have stabilized to a large extent. However, current legislative activity has refocused on cyber security of critical infrastructure. This report discusses in more detail the evolution of a national critical infrastructure policy and the institutional structures established to implement it. The report highlights two primary issues confronting Congress going forward, both in the context of cyber security: information sharing and regulation.

Critical Infrastructure Protection: More Comprehensive Planning Would Enhance the Cybersecurity of Public Safety Entities’ Emerging Technology

Citation. Critical Infrastructure Protection: More Comprehensive Planning Would Enhance the Cybersecurity of Public Safety Entities’ Emerging Technology. U.S. Government Accountability Office, 2014, 41p. Available: http://trid.trb.org/view/1290381

Synopsis: Individuals can contact fire, medical, and police first responders in an emergency by dialing 911. To provide effective emergency services, public safety entities such as 911 call centers use technology including databases that identify phone number and location data of callers. Because these critical systems are becoming more interconnected, they are also increasingly susceptible to cyber-based threats that accompany the use of Internet-based services. This, in turn, could impact the availability of 911 services. The U.S. Government Accountability Office (GAO) was asked to review federal coordination with state and local governments regarding cybersecurity at public safety entities. The objective was to determine the extent to which federal agencies coordinated with state and local governments regarding cybersecurity efforts at emergency operations centers, public safety answering points, and first responder organizations involved in handling 911 emergency calls. The five identified federal agencies (Departments of Homeland Security, Commerce, Justice, and Transportation and Federal Communications Commission (FCC)) have, to varying degrees, coordinated cybersecurity-related activities with state and local governments. These activities included (1) supporting critical infrastructure protection-related planning, (2) issuing grants, (3) sharing information, (4) providing technical assistance, and (5) regulating and overseeing essential functions. However, except for supporting critical infrastructure planning, federal coordination of these activities was generally not targeted towards or focused on the cybersecurity of state and local public safety entities involved in handling 911 emergency calls.
Under the critical infrastructure protection planning activity, the Department of Homeland Security (DHS) coordinated with state and local governments and other federal stakeholders to complete the Emergency Services Sector-Specific Plan. The plan is to guide the sector, including the public safety entities, in setting protective program goals and objectives, identifying assets, assessing risks, prioritizing infrastructure components and programs to enhance risk mitigation, implementing protective programs, measuring program effectiveness, and incorporating research and development of technology initiatives into sector planning efforts. It also addressed aspects of cybersecurity of the current environment. However, the plan did not address the development and implementation of more interconnected, Internet-based planned information technologies, such as the next generation of 911 services. According to DHS officials, the plan did not address these technologies, in part, because the process for updating the sector-specific plan will begin after the release of the revised National Infrastructure Protection Plan—a unifying framework to enhance the safety of the nation’s critical infrastructure. A revised plan was released in December 2013, and, according to DHS, a new sector-specific plan is estimated to be completed in December 2014. Until DHS, in collaboration with stakeholders, addresses the cybersecurity implications of the emerging technologies in planning activities, information systems are at an increased risk of failure or being unavailable at critical moments.

Under the other four activities, federal agencies performed some coordination-related activities for public safety entities including administering grants for information technology enhancements, sharing information about cyber-based attacks, and providing technical assistance through education and awareness efforts.
For example, the Departments of Transportation and Commerce allocated $43.5 million in grants to states over a 3-year period, starting in September 2009, to help implement enhancements to 911 system functionality. While these grants were not targeted towards the cybersecurity of these systems, cybersecurity was not precluded from the allowed use of the funds. GAO recommends that the Secretary of Homeland Security collaborate with emergency services sector stakeholders to address the cybersecurity implications of implementing technology initiatives in related plans.

The Critical Infrastructure Gap: U.S. Port Facilities and Cyber Vulnerabilities

Citation. Kramek, Joseph. The Critical Infrastructure Gap: U.S. Port Facilities and Cyber Vulnerabilities. Brookings Institution, 2013, 50p. Available: http://trid.trb.org/view/1325343

Synopsis: This paper looks at the current state of cybersecurity as it relates to U.S. ports. Topics include port security prior to and post-September 11th, the Maritime Transportation Security Act, the Port Security Grant Program, and cybersecurity awareness, preparedness and recovery. Case studies outlining current port security and practices are presented for the Port of Baltimore, Maryland, the Port of Houston, Texas, the Port of Los Angeles, California, the Port of Long Beach, California, the Port of Vicksburg, Mississippi, and the Port of Beaumont, Texas. Of the six ports studied, most had not conducted a cybersecurity vulnerability assessment nor developed a cyber incident response plan. Policy recommendations are provided to address port cybersecurity improvements.

Critical Infrastructure Security: Assessment, Prevention, Detection, Response

Citation. Critical Infrastructure Security: Assessment, Prevention, Detection, Response. WIT Press, 2012, 326p. Available: http://trid.trb.org/view/1247665

Synopsis: This book examines best practices and trends in infrastructure security at both the physical and digital level. Methods and tools for assessing, preventing, detecting and responding to security threats are outlined. The book is divided into five parts: (1) Security risk and vulnerability assessment; (2) Modeling and simulation tools; (3) Cybersecurity; (4) Monitoring and surveillance; (5) Security systems integration and alarm management.

Homeland Security: DHS’s Progress and Challenges in Key Areas of Maritime, Aviation, and Cybersecurity

Citation.
Homeland Security: DHS’s Progress and Challenges in Key Areas of Maritime, Aviation, and Cybersecurity. U.S. Government Accountability Office, 2009, 25p. Available: http://trid.trb.org/view/906303

Synopsis: Securing the nation’s transportation and information systems is a primary responsibility of the Department of Homeland Security (DHS). Within DHS, the Transportation Security Administration (TSA) is responsible for securing all transportation modes; U.S. Customs and Border Protection (CBP) is responsible for cargo container security; the U.S. Coast Guard is responsible for protecting the maritime environment; and the National Protection and Programs Directorate is responsible for the cybersecurity of critical infrastructure. This statement focuses on the progress and challenges DHS faces in key areas of maritime, aviation, and cybersecurity. It is based on U.S. Government Accountability Office (GAO) products issued from June 2004 through November 2009, as well as ongoing work on air cargo security. DHS has made progress in enhancing security in the maritime sector, but key challenges remain. For example, as part of a statutory requirement to scan 100 percent of U.S.-bound container cargo by July 2012, CBP has implemented the Secure Freight Initiative at select foreign ports. However, CBP does not have a plan for fully implementing the 100 percent scanning requirement by July 2012 because it questions the feasibility, although it has not performed a feasibility analysis of the requirement. Rather, CBP has planned two new initiatives to further strengthen the security of container cargo, but these initiatives will not achieve 100 percent scanning. Further, TSA, the Coast Guard, and the maritime industry took a number of steps to enroll over 93 percent of the estimated 1.2 million users in the Transportation Worker Identification Credential (TWIC) program (designed to help control access to maritime vessels and facilities) by the April 15, 2009 compliance deadline, but they experienced challenges resulting in delays and in ensuring the successful execution of the TWIC pilot. While DHS and the Coast Guard have developed a strategy and programs to reduce the risks posed by small vessels, they face ongoing resource and technology challenges in tracking small vessels and preventing attacks by such vessels. In the aviation sector, TSA has made progress in meeting the statutory mandate to screen 100 percent of air cargo transported on passenger aircraft by August 2010 and in taking steps to strengthen airport security, but TSA continues to face challenges. TSA’s efforts include developing a system to allow screening responsibilities to be shared across the domestic air cargo supply chain, among other steps. Despite these efforts, TSA and the industry face a number of challenges including the voluntary nature of the program, and ensuring that approved technologies are effective with air cargo. TSA also does not expect to meet the mandated 100 percent screening deadline as it applies to air cargo transported into the U.S., in part due to existing screening exemptions for this type of cargo and challenges in harmonizing security standards with other nations. GAO is reviewing these issues as part of its ongoing work and will issue a final report next year.
In addition, TSA has taken a variety of actions to strengthen airport security by, among other things, implementing a worker screening program; however, TSA still faces challenges in this area. DHS has made progress in strengthening cybersecurity, such as addressing some lessons learned from a cyber attack exercise, but further actions are warranted. Since 2005, GAO has reported that DHS has not fully satisfied its key responsibilities for protecting the nation’s computer-reliant critical infrastructures and has made related recommendations to DHS, such as bolstering cyber analysis and warning capabilities and strengthening its capabilities to recover from Internet disruptions. DHS has since developed and implemented certain capabilities to satisfy aspects of its responsibilities, but it has not fully implemented GAO’s recommendations and, thus, more action is needed to address the risk to critical cybersecurity infrastructure.

Freight Rail Security: Actions Have Been Taken to Enhance Security, but the Federal Strategy Can Be Strengthened and Security Efforts Better Monitored

Citation. Freight Rail Security: Actions Have Been Taken to Enhance Security, but the Federal Strategy Can Be Strengthened and Security Efforts Better Monitored. U.S. Government Accountability Office, 2009, 129p. Available: http://trid.trb.org/view/889626

Synopsis: An attack on the U.S. freight rail system could be catastrophic because rail cars carrying highly toxic materials often traverse densely populated urban areas. The Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) is the federal entity primarily responsible for securing freight rail. The U.S. Government Accountability Office (GAO) was asked to assess the status of efforts to secure this system.
This report discusses (1) stakeholder efforts to assess risks to the freight rail system and TSA’s development of a risk-based security strategy; (2) actions stakeholders have taken to secure the system since 2001, TSA’s efforts to monitor and assess their effectiveness, and any challenges to implementing future actions; and (3) the extent to which stakeholders have coordinated efforts. Federal and industry stakeholders have completed a range of actions to assess risks to freight rail since September 2001, and TSA has developed a security strategy; however, TSA’s efforts have primarily focused on one threat, and its strategy does not fully address federal guidance or key characteristics of a successful national strategy. Specifically, TSA’s efforts to assess vulnerabilities and potential consequences to freight rail have focused almost exclusively on rail shipments of certain highly toxic materials, in part, because of concerns about their security in transit and limited resources. However, other federal and industry assessments have identified additional potential security threats, including risks to critical infrastructure and cybersecurity. Although many stakeholders agreed with TSA’s initial strategy, going forward TSA has agreed that including other identified threats in its freight rail security strategy is important, and reported that it is reconsidering its strategy to incorporate other threats. Additionally, in 2004, GAO reported that successful national strategies should identify performance measures with targets, among other elements. TSA’s security strategy could be strengthened by including targets for three of its four performance measures and revising its approach for the other measure to ensure greater consistency in how performance results are quantified. Federal and industry stakeholders have also taken a range of actions to secure freight rail, many of which have focused on securing certain toxic material rail shipments and have been implemented by industry voluntarily; however, TSA lacks a mechanism to monitor security actions and evaluate their effectiveness, and new requirements could pose challenges for future security efforts. GAO’s Standards for Internal Control in the Federal Government calls for controls to be designed to ensure ongoing monitoring.
While the freight rail industry has taken actions to better secure shipments and key infrastructure, TSA has limited ability to assess the impacts of these actions because it lacks a mechanism to systematically track them and evaluate their effectiveness. Having such information could strengthen TSA’s efforts to efficiently target its resources to where actions have not been effective. New, mandatory security planning and procedural requirements will also necessitate additional federal and industry efforts and resources, and may pose some implementation challenges for both federal and industry stakeholders. Federal and industry stakeholders have also taken a number of steps to coordinate their freight rail security efforts; however, federal coordination can be enhanced by more fully leveraging the resources of all relevant federal agencies. GAO previously identified a number of leading practices for effective coordination that could help TSA strengthen coordination with federal and private sector stakeholders.

Position Verification Systems for an Automated Highway System

Citation. Gerdes, R., Biswas, B., Heaslip, K. “Position Verification Systems for an Automated Highway System,” Mountain-Plains Consortium, North Dakota State University, Fargo, ND, 2015, [Online]. Available: http://www.mountain-plains.org/pubs/pdf/MPC15-284.pdf

Synopsis. From the Transport Research International Documentation (TRID) Database: “Automated vehicles promote road safety, fuel efficiency, and reduced travel time by decreasing traffic congestion and driver workload. In a vehicle platoon (grouping vehicles to increase road capacity by managing distance between vehicles using electrical and mechanical coupling) of such automated vehicles, as in automated highway systems (AHS), tracking of inter-vehicular spacing is one of the significant factors under consideration.”

This document directly concerns cyber security. The TRID entry continues: “Because of close spacing, computer-controlled platoons with inter-vehicular communication—the concept of adaptive cruise control (ACC)—become open to cybersecurity attacks. Cyber physical (CP) and cyber attacks on smart grid electrical systems have been a significant focus of researchers. However, CP attacks on autonomous vehicle platoons have not been examined. This research surveys a number of models of longitudinal vehicle motion and analysis of a special class of CP attacks called false data injection (FDI) on vehicle platoons. In this kind of attack, the configuration of any CP system is exploited to introduce arbitrary errors to gain control over the system. Here, an n-vehicle platoon is considered and a linearized vehicle model is used as a testbed to study vehicle dynamics and control, after false information is fed into the system.”

This document consists of seven chapters. The first chapter is an Introduction. The second chapter reviews several papers and vehicle models. Vehicle and String Models are the subject of the third chapter. In Chapters 4 and 5, the report examines several false data injection models, both Linear (Ch 4) and Nonlinear (Ch 5). Chapter 6 features false data injection, but introduces Proportional-Integral-Derivative (PID) Control and Oscillations.
Cybersecurity Resources

NCHRP Web-Only Document 221/TCRP Web-Only Document 67: Protection of Transportation Infrastructure from Cyber Attacks: A Primer (2016)
Available: https://www.nap.edu/download/23516

National Institute of Standards and Technology Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security, Second Edition (2015)
Available: http://csrc.nist.gov/publications/drafts/800-82r2/sp800_82_r2_second_draft.pdf

APTA Standards Development Program Recommended Practice: Securing Control and Communications Systems in Transit Environments
The Recommended Practice establishes considerations for transit agencies in developing cybersecurity strategies and details practices and standards that address vulnerability assessment and mitigation, system resiliency and redundancy, and disaster recovery.
Available:
Part I: Elements, Organization and Risk Assessment/Management http://www.apta.com/resources/standards/documents/apta-ss-ccs-rp-001-10.pdf
Part II: Defining a Security Zone Architecture for Rail Transit and Protecting Critical Zones http://www.apta.com/resources/standards/documents/apta-ss-ccs-rp-002-13.pdf
Subpart IIIa: Attack Modeling Security Analysis White Paper http://www.apta.com/resources/standards/Documents/APTA-SS-CC-03-15.pdf
Subpart IIIb will focus on Operationally Critical Security Zone and is in development. Subpart IIIc will focus on the application of the three security zones to rail transit vehicles.

NIST Cybersecurity Framework
Available: http://www.nist.gov/cyberframework/

The National Institute of Standards and Technology (NIST), the Federal Information Processing Standards (FIPS), with transportation-specific guidance available from APTA and FHWA, have developed recommended practices and standards. There are international standards and recommendations from the International Organization for Standardization (ISO), the Information Systems Audit and Control Association (ISACA), and Control Objectives for Information and related Technology (COBIT). Security working groups such as the Computer Security Incident Response Team (CSIRT) and the Computer Emergency Response Team (CERT), and ICS-CERT, which responds to breaches of cybersecurity, have compiled resources of recommended practices that can be applied across all industries.

U.S. Department of Transportation (USDOT) Cybersecurity Action Team

The U.S. Department of Transportation (USDOT) developed a Cybersecurity Action Team, as part of Executive Order 13636, to implement the Department’s Cyber Incident Response Capability Program. The team monitors, alerts and advises the ITS and surface transportation communities of incidents and threats, and leverages the extensive body of assessments and research done by Federal Highway Administration (FHWA) staff related to the security threats and vulnerabilities of the United States’ transportation systems.

US-CERT and Industrial Control Systems (ICS-CERT) Cyber Information Sharing and Collaboration Program
Incident Hotline: 1-888-282-0870
Website: https://www.us-cert.gov/

The U.S. Computer Emergency Readiness Team (US-CERT), part of DHS' National Cybersecurity and Communications Integration Center (NCCIC), provides technical assistance, coordinates cyber information sharing and proactively manages cyber risks through its 24x7 operations center.
US-CERT distributes vulnerability and threat information through its National Cyber Awareness System (NCAS), and operates a Vulnerability Notes Database to provide technical descriptions of system vulnerabilities.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
https://ics-cert.us-cert.gov/

ICS-CERT operates cybersecurity operations centers focused on control systems security as part of the National Cybersecurity and Communications Integration Center (NCCIC). The team:
• Responds to and analyzes industrial control systems (ICS) related incidents
• Provides on-site support for incident response and forensics
• Conducts malware analysis
• Coordinates responsible disclosure of ICS vulnerabilities/mitigations
• Shares vulnerability information and threat analysis through information products and alerts
• Provides security awareness training courses (see http://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT)

Transportation Security Administration (TSA) Transportation Systems Sector Cybersecurity Working Group (TSSCWG)
https://www.dhs.gov/publication/cipac-trans-cybersecurity-agendas

The TSA has authority to regulate cybersecurity in the transportation sector and provides cybersecurity pamphlets, a weekly newsletter, cybersecurity exercise support, and incident-specific threat briefings. TSA has pursued collaborative and voluntary approaches with industry. TSA DHS facilitates the Cybersecurity Assessment and Risk Management Approach (CARMA) for companies requesting assessments. TSA has hosted cybersecurity-focused Intermodal Security Training and Exercise Program (I-STEP) exercises, most recently in August 2014. TSA and its industry partners established the public/private joint TSSCWG to advance cybersecurity and facilitate information sharing across all transportation modes.

National Institute of Standards and Technology (NIST)

The NIST is an agency of the U.S. Department of Commerce. The Computer Security Division (CSD), a component of NIST’s Information Technology Laboratory (ITL), provides standards and technology to protect information systems against threats to information and services. Executive Order 13636, Improving Critical Infrastructure Cybersecurity (2013) directed NIST to work with stakeholders to develop a voluntary cybersecurity framework – based on existing standards, guidelines, and practices - for reducing cyber risks to critical infrastructure.
Available: http://www.nist.gov/cyberframework/

Cybersecurity Framework (CSF) Reference Tool, a runtime database solution, has been created that allows the user to browse the Framework Core by functions, categories, subcategories, informative references, search for specific words, and export the current viewed data to various file types.
Available: http://www.nist.gov/cyberframework/csf_reference_tool.cfm

National Institute of Standards and Emergency Technology (CERT®), Source on Insider Threat and Prevention
Available: http://csrc.nist.gov/index.html

NIST National Vulnerability Database

National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data that includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.

Available: http://nvd.nist.gov

NIST Computer Security Division's Computer Security Resource Center (CSRC) facilitates broad sharing of information security tools and practices, provides a resource for information security standards and guidelines, and identifies key security web resources to support users in industry, government, and academia. The CSRC is the primary gateway for gaining access to NIST computer security publications, standards, and guidelines plus other useful security-related information.
Available: http://csrc.nist.gov/publications/PubsSPs.html

NIST has published over 300 Information Security guides that include Federal Information Processing Standards (FIPS), the Special Publication (SP) 800 series, Information Technology Laboratory (ITL) Bulletins, and NIST Interagency Reports (NIST IR). Most commonly referenced NIST publications include:
• Special Publication 800-12: An Introduction to Computer Security: The NIST Handbook (1995). Elements of security, roles and responsibilities, common threats, security policy, and program management. Initially created for the Federal Government, most practices are applicable to the private sector.
• Special Publication 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems (1996) describes common security principles that are used. It provides a high-level description of what should be incorporated within a computer security policy. It describes what can be done to improve existing security as well as how to develop a new security practice. Eight principles and 14 practices are described within this document.
• Special Publication 800-16 Information Technology Security Training Requirements: A Role- and Performance-Based Model (2014). Learning-continuum model, security literacy and basics, role-based training.
• Special Publication 800-30, Risk Management Guide for Information Technology Systems (2012). Risk management, assessment, mitigation.
• Special Publication 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems (2010)
• Special Publication 800-39 Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View (2011).
• Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations (2013). Security control fundamentals, baselines by system-impact level, common controls, and tailoring guidelines that are applied to a system to make it "more secure".
• Special Publication 800-60, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, (2008). Security objectives and types of potential losses, assignment of impact levels and system security category.

• Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security (2014). Overview of industrial control systems (ICS), threats and vulnerabilities, risk factors, incident scenarios, security program development.
• Special Publication 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i (2007).
• Special Publication 800-100, Information Security Handbook: A Guide for Managers (2006). Governance, awareness and training, capital planning, interconnecting systems, performance measures, security planning, contingency planning.
• Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (2010). Identifying PII, impact levels, confidentiality safeguards, incident response.

Recent draft publications include:
• Special Publication 800-150 Guide to Cyber Threat Information Sharing, Draft (2014)
• Special Publication 800-160 Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems, Draft (2014)

Information Sharing and Analysis Centers (ISACs)
http://www.isaccouncil.org/home.html

The purpose of ISAC is to serve as the conduit for cross-modal lessons learned and best practices in ICS cybersecurity, and to provide a forum for partnership, outreach, and information sharing.

• Surface Transportation Information and Sharing Analysis Center
https://www.surfacetransportationisac.org/
The ST-ISAC was formed at the request of the Department of Transportation. The ISAC provides a secure cyber and physical security capability for owners, operators and users of critical infrastructure. Security and threat information is collected from worldwide resources, then analyzed and distributed to members to help protect their vital systems from attack. The ISAC also provides a vehicle for the anonymous or attributable sharing of incident, threat and vulnerability data among the members.
Members have access to information and analytical reporting provided by other sources, such as the U.S. and foreign governments, law enforcement agencies, technology providers and international computer emergency response teams (CERTs).

• Public Transportation Information Sharing and Analysis Center
http://www.apta.com/resources/safetyandsecurity/Pages/ISAC.aspx
The PT-ISAC is a trusted, sector-specific entity which provides to its constituency a 24/7 Security Operating Capability that established the sector's specific information/intelligence requirements for incidents, threats and vulnerabilities. Based on its sector-focused subject matter analytical expertise, the ISAC then collects, analyzes, and disseminates alerts and incident reports it provides to its membership and helps the government understand impacts for their sector. It provides an electronic, trusted ability for the membership to exchange and share information on all threats, physical and cyber, in order to defend public transportation systems and critical infrastructure. This includes analytical support to the government and other ISACs regarding technical sector details and in mutual information sharing and assistance during actual or potential sector disruptions, whether caused by intentional or natural events.

• Over the Road Bus Information Sharing and Analysis Center (OTRB-ISAC)
The OTRB-ISAC provides cyber and physical security warning and incident reporting for the OTR transportation segment. Information and news are compiled and extracted from multiple sources by OTRB-ISAC analysts for the purpose of supporting ISAC member homeland security awareness. News alerts and reports are distributed to members by the Over the Road Bus – Information Sharing and Analysis Center (OTRB-ISAC).

• MultiState-ISAC (MS-ISAC)
http://msisac.cisecurity.org/
The MS-ISAC is the focal point for cyber threat prevention, protection, response and recovery for the nation's state, local, tribal, and territorial (SLTT) governments. The MS-ISAC 24x7 cybersecurity operations center provides real-time network monitoring, early cyber threat warnings and advisories, vulnerability identification and mitigation and incident response. The Multi-State Information Sharing and Analysis Center (MS-ISAC) is a collaborative state and local government-focused cybersecurity entity that is significantly enhancing cyber threat prevention, protection, and response and recovery throughout the states of our nation.
The mission of the MS-ISAC is to provide a common mechanism for raising the level of cybersecurity readiness and response in each state/territory and with local governments. The MS-ISAC provides a central resource for gathering information on cyber threats to critical infrastructure and providing two-way sharing of information between and among the states, territories and with local government.

• Supply Chain ISAC
https://secure.sc-investigate.net/SC-ISAC/ISACHome.aspx
The Supply Chain ISAC offers the most comprehensive forum for collaboration on critical security threats, incidents and vulnerabilities to the global supply chain. Its mission is to facilitate communication among supply chain dependent industry stakeholders, foster a partnership between the private and public sectors to share critical information, collect, analyze and disseminate actionable intelligence to help secure the global supply chain, provide an international perspective through private sector subject matter experts and help protect the critical infrastructure of the United States.

National Cyber Investigative Joint Task Force – Analytical Group
http://www.fbi.gov/about-us/investigate/cyber/ncijtf

In 2008, the U.S. President mandated the National Cyber Investigative Joint Task Force (NCIJTF) to be the focal point for all government agencies to coordinate, integrate, and share information related to all domestic cyber threat investigations. The Federal Bureau of Investigation (FBI) is responsible for developing and supporting the joint task force, which includes 19 intelligence agencies and law enforcement.

Internet Crime Complaint Center (IC3)
http://www.ic3.gov/default.aspx

The Internet Crime Complaint Center (IC3) is a partnership between the FBI and the National White Collar Crime Center (NW3C). Internet crime complaints are reported online on the IC3 site. IC3 analysts review and research the complaints, disseminating information to the appropriate federal, state, local, or international law enforcement or regulatory agencies for criminal, civil, or administrative action, as appropriate.

InfraGard
https://www.infragard.org/

InfraGard is a partnership between the FBI, state and local law enforcement agencies, and the private sector - businesses, academic institutions and other participants - dedicated to sharing information and intelligence to prevent hostile acts against the U.S. With over 80 chapters, InfraGard chapters conduct local meetings pertinent to their area.

National Cybersecurity Center of Excellence (NCCoE)
http://nccoe.nist.gov/

Established in 2012 through a partnership among NIST, the State of Maryland and Montgomery County, the National Cybersecurity Center of Excellence is dedicated to furthering innovation through the rapid identification, integration and adoption of practical, standards-based cybersecurity solutions.

E. Workforce Training and Exercises

Fiscal Year 2016 Transit Security Grant Program Fact Sheet

Citation.
“Fiscal Year 2016 Transit Security Grant Program Fact Sheet,” Federal Emergency Management Agency (FEMA), Washington, DC, [Online]. Available: http://www.fema.gov/media-library-data/1467253705754-fbe7bb22b360adbe19e8ba1a4a8ef4e8/FY_2016_TSGP_Fact_Sheet_Final.pdf

Synopsis. The 2016 Transit Security Grant Program (TSGP) is appropriated by the Department of Homeland Security Appropriations Act, 2016 (Pub. L. No. 114-113) and authorized by Section 1406 of the Implementing Recommendations of the 9/11 Commission Act of 2007, (Pub. L. No 110-53) (6 U.S.C. 1135). Owners and operators of transit systems apply for TSGP funds which are intended “to protect and increase the resilience of critical surface transportation infrastructure and the traveling public from acts of terrorism.” (TSGP Fact Sheet) Reviewers of applications include representatives from FEMA, DHS Office of Infrastructure Protection (IP), Transportation Security Administration (TSA), and Federal Transit Administration (FTA). Available funds are $87,000,000.

Link for the main Transit Security Grant Program site: https://www.fema.gov/fiscal-year-2016-transit-security-grant-program

FY 2016 Transit Security Grant Program (TSGP) Security Plan Requirements

Citation. “FY 2016 TRANSIT SECURITY GRANT PROGRAM (TSGP) Security Plan Requirements,” Federal Emergency Management Agency (FEMA), Washington, DC, 2016, [Online]. Available: http://www.fema.gov/media-library-data/1455411216354-30530ec96cc6eccdf07c0fb8e0e24637/FY_2016_TSGP_Security_Plan.pdf

Synopsis.
To be eligible for TSGP funds, the transit agency’s security plan should include the following:
• “A prioritized list of all items included in the public transportation agency’s security assessment that have not yet been addressed
• A detailed list of any additional capital and operational improvements identified by DHS or the public transportation agency and a certification of the public transportation agency’s technical capacity for operating and maintaining any security equipment that may be identified in such list
• Specific procedures to be implemented or used by the public transportation agency in response to a terrorist attack, including evacuation and passenger communication plans and appropriate evacuation and communication measures for the elderly and individuals with disabilities
• A coordinated response plan that establishes procedures for appropriate interaction with state and local law enforcement agencies, emergency responders, and federal officials in order to coordinate security measures and plans for response in the event of a terrorist attack or other major incident;
• A strategy and timeline for conducting training under Section 1408 of the 9/11 Act
• Plans for providing redundant and other appropriate backup systems necessary to ensure the continued operation of critical elements of the public transportation system in the event of a terrorist attack or other major incident
• Plans for providing service capabilities throughout the system in the event of a terrorist attack or other major incident in the city or region which the public transportation system serves
• Methods to mitigate damage within a public transportation system in case of an attack on the system, including a plan for communication and coordination with emergency responders
• Other actions or procedures as the Secretary of Homeland Security determines are appropriate to address the security of the public transportation system.”

Fiscal Year (FY) 2016 Transit Security Grant Program (TSGP) Notice of Funding Opportunity (NOFO) – Key Changes

Citation. “Fiscal Year (FY) 2016 Transit Security Grant Program (TSGP) Notice of Funding Opportunity (NOFO) – Key Changes,” Federal Emergency Management Agency (FEMA), Washington, DC, 2016, [Online]. Available: http://www.fema.gov/media-library-data/14556275282931f7286cb288bde4e6f0860881273f9d0/FY_2016_TSGP_Key_Changes_Final.pdf

Synopsis. To ensure that agencies focus on their individual risks and threats, priority scoring groups were eliminated and replaced with three equal Funding Priority Areas:

“1. Operational Activities: Training, drills/exercises, public awareness, security planning
2. Operational Deterrence: Operational Packages, Directed/Surge Patrols on Overtime
3. Capital Projects*

* For capital projects only, priority consideration will be given in the following order:
1. Top Transit Asset List (TTAL) Infrastructure
2. Multi-User High-Density Key Infrastructure
   o Tunnel Hardening
   o High-Density Elevated Operations
   o Multi-User High-Density Stations
   o Hardening of supervisory control and data acquisition, other industrial control systems, or other anti-terrorism cyber security programs
   o Sustainment/maintenance
3. Single-User High-Density Key Infrastructure
   o Anti-terrorism security enhancement measures for high-density stations and bridges
   o Sustainment/maintenance
4. Key Operating Asset Protection
   o Physical hardening/security of control centers
   o Secure stored/parked trains, engines, and buses (bus/rail yards)
   o Maintenance facilities
   o Bus/train hardening
   o Sustainment/maintenance
5. Other Mitigation Activities
   o Interoperable communications
   o Anti-terrorism security enhancement measures for low-density stations
   o Sustainment/maintenance
   o Other uses of funds, as outlined in Public Law 110-53 Section 1406(b)(1).”

Scoring criteria include
• Cost effectiveness
• Feasibility of increasing security
• Sustainability
• Timely completion
• Baseline assessment for security enhancement review alignment

National Incident Management System (NIMS) Training

Available: http://training.fema.gov/is/nims.aspx

The National Incident Management System (NIMS) is a systematic, proactive approach to guide departments and agencies at all levels of government, nongovernmental organizations, and the private sector to work together seamlessly and manage incidents involving all threats and hazards—regardless of cause, size, location, or complexity—in order to reduce loss of life, property and harm to the environment. NIMS is the essential foundation to the National Preparedness System (NPS) and provides the template for the management of incidents and operations in support of all five National Planning Frameworks. NIMS updates since the 2010 Guide was published provided important new definitions, policy direction and guidance explaining: (1) the NIMS relationship to the National Preparedness Framework; (2) additions to cover intelligence and cyber issues; (3) support, coordination, collaboration, and command and management tactical and non-tactical operations; (4) use and
interoperability of emergency communications; and (5) inclusion of “whole community” concepts in the NIMS.

The following NIMS and ICS courses are highlighted on the NIMS training page:

ICS and NIMS Courses
• ICS-100: Introduction to the Incident Command System
• ICS-200: ICS for Single Resources and Initial Action Incidents
• ICS-300: Intermediate ICS for Expanding Incidents
• ICS-400: Advanced ICS for Command and General Staff
• IS-700: National Incident Management System, An Introduction
• IS-701: NIMS Multiagency Coordination System (MACS)
• IS-702: NIMS Publication Information Systems
• IS-703: NIMS Resource Management
• IS-704: NIMS Communication and Information Management (unavailable)
• IS-706: NIMS Intrastate Mutual Aid – An Introduction
• IS-800: National Response Framework, An Introduction
• G-191: Incident Command System/ Emergency Operations Center Interface*
• G-402 Incident Command System (ICS) Overview for Executives/Senior Officials*
• G-775: Emergency Operations Center (EOC) Management and Operations*
*G191, G402, and G-775 are coordinated by local emergency management agencies.

All-Hazards Position Specific Courses
• E/L 950: All-Hazards Position Specific Incident Commander
• E/L 952: All-Hazards Position Specific Public Information Officer
• E/L 954: All-Hazards Position Specific Safety Officer
• E/L 956: All-Hazards Position Specific Liaison Officer
• E/L 958: All-Hazards Position Specific Operations Section Chief
• E/L 960: All-Hazards Position Specific Division/Group Supervisor
• E/L 962: All-Hazards Position Specific Planning Section Chief
• E/L 964: All-Hazards Position Specific Situation Unit Leader
• E/L 965: All-Hazards Position Specific Resources Unit Leader
• E/L 967: All-Hazards Position Specific Logistics Section Chief
• E/L 969: All-Hazards Position Specific Communications Unit Leader
• E/L 970: All-Hazards Position Specific Supply Unit Leader
• E/L 971: All-Hazards Position Specific Facilities Unit Leader
• E/L 973: All-Hazards Position Specific Finance/Admin. Section Chief
• E/L 975: All-Hazards Position Specific Finance/Admin. Unit Leader Course
• E/L 984: Task Force/Strike Team Leader
• E/L 986: Air Support Group Supervisor
• E/L 987: Introduction to Air Operations

Contacts:
Contact information for state or territorial emergency management agencies can be found at https://training.fema.gov/programs/aps/stolist.aspx
EMI contact for ICS course questions or scheduling: robert.patrick@fema.dhs.gov
EMI contact for All-Hazards Position Specific course questions or scheduling: robert.ridgeway@fema.dhs.gov
Link: NIMS ICS All-Hazards Position Specific Training Program Official Website http://training.fema.gov/allhazards/

NCHRP Web-Only Document 215: Incident Command System (ICS) Training for Field-Level Supervisors and Staff

Citation. Edwards, F.L., Goodrich, D.C., Griffith, J. NCHRP Web-Only Document 215: Incident Command System (ICS) Training for Field-Level Supervisors and Staff. Transportation Research Board, Washington, DC, 2016, [Online]. Available: http://onlinepubs.trb.org/onlinepubs/nchrp/nchrp_w215.pdf

Synopsis. According to its page on TRB’s web site, this publication provides training materials and guidance for transportation field personnel to help their organizations operate safely in an emergency or traffic management event. This course is intended to review the basic ICS structures and terminologies aimed to ensure safety, personnel accountability, and support for the agency’s financial reimbursement efforts. The product includes lesson plans, guidance on classroom setup, complete slide shows with scripts or instructor prompts, instructions for creating materials, and some information about training for adults. Specifically, the materials include:
1. A video presentation with voice-over
2. An Instructor Guide and Student Course Evaluation
3. An Instructor Guide and Student Evaluation
4. Discussion-Based Training Scenarios
5. ICS Quick Start Cards
6. A Supervisor’s Folder

The TRB web page for this publication continues, “The course material provided in this project assumes that instructors have completed classes on delivering training to adults, have certificates in at least ICS 100, 200 and 300, and have some experience with ICS, at the field level or in an emergency operations center (EOC). It is also assumed that instructors may have had experience working with a transportation agency in emergency planning or training, or as a field supervisor, and to have also completed ICS 400 and E/L449 ICS “Incident Command System Curricula TTT” courses.”

The report itself consists of 12 chapters. Chapter 1 discusses how to use the Instructor Guide. Chapter 2 discusses how the course and pilot programs were developed, and reveals the results of interviews and surveys providing feedback from pilot program participants. The Lesson Plans are in Chapter 3. Chapters 4 and 5 include the materials for Module 1, Chapters 6 and 7 the materials for Briefing Training, and Chapters 8 and 9 the materials for the Discussion-Based Scenarios. Chapter 10 consists of the ICS Quick Start Cards and accompanying instructions. Chapter 11 describes the materials in the Supervisor’s Folder. The report concludes in Chapter 12 with references related to the Incident Command System (ICS) and the Traffic Incident Management System (TIMS).

NCHRP Web-Only Document 203: Curriculum for New State DOT Transit Grant Managers in Administering Federal and State Transit Grants

Citation. Knapp, S. F., B. Hamby, and H. Chase. NCHRP Web-only Document 203: Curriculum for New State DOT Transit Grant Managers in Administering Federal and State Transit Grants, Transportation Research Board of the National Academies, Washington, DC, 2014.
Available: http://www.trb.org/Publications/Blurbs/171298.aspx

The curriculum is organized into modules and submodules appropriate for state transit staff. Module topics include:
• Introduction to FTA grants
• Legal authority & annual certifications
• Grant administration
• Financial management
• Project management & grantee oversight
• Planning
• Procurement
• Asset management
• Safety & security
• Subrecipient personnel-related issues
• Subrecipient service requirements & restrictions
• Training & technical assistance

Safety & Security

In the description of the Safety & Security module, it is noted that Section 5329, MAP-21 (49 USC 5329) provides FTA with the authority to establish a national transit safety framework, requires DOT to establish a national transit safety plan which includes safety performance criteria and standards and a Safety Certification Training Program for federal and state workers, contractors who conduct oversight, and transit workers responsible for safety oversight, and requires FTA funding recipients to create an agency safety plan and certify it meets FTA requirements. Up to 0.5% of Section 5307 or 5311 funds can be used to fund transit worker training in the Safety Certification Training Program.

Training & Technical Assistance

The key concepts in this module include FTA requirements for states. States are required to:
• Inform sub-recipients of federal requirements and provide technical assistance to meet the requirements
• Sub-recipients are required to train their own staff in several topic areas including:
   o Safety
   o ADA
   o Drug & Alcohol
• FTA requires states to certify that they have well-trained and well-informed staff when carrying out proposed projects
• States need to provide training to potential subrecipient applicants for applicants serving predominantly minority populations
• FTA’s Rural Transportation Assistance Program (RTAP) funds subrecipient training and technical assistance. States have RTAPs that conduct state-sponsored training and offer training scholarships, and provide technical assistance.
Additional FTA-funded training programs noted in this module include:
• Transportation Safety Institute (TSI)
• National Transit Institute (NTI)
• National RTAP
• National Center on Senior Transportation (NCST)
• Easter Seals Project Action (ESPA)

Additional recommended resources include:
• Community Transportation Association of America (CTAA)
• American Public Transportation Association (APTA)

DHS Homeland Security Exercise and Evaluation Program (HSEEP), 2013

Citation. Available: https://www.fema.gov/media-library-data/20130726-1914-25045-8890/hseep_apr13_.pdf

Synopsis. The Homeland Security Exercise and Evaluation Program (HSEEP) provides a set of guiding principles for exercise programs, as well as a common approach to exercise program management, design and development, conduct, evaluation, and improvement planning. HSEEP exercise and evaluation doctrine is flexible, adaptable, and is for use by stakeholders across the whole community and is applicable for exercises across all mission areas – prevention, protection, mitigation, response, and recovery.

The HSEEP document is organized in the following manner:
• Chapter 1: HSEEP Fundamentals describes the basic principles and methodology of HSEEP.
• Chapter 2: Exercise Program Management provides guidance for conducting a Training and Exercise Planning Workshop (TEPW) and developing a Multi-year Training and Exercise Plan (TEP).
• Chapter 3: Exercise Design and Development describes the methodology for developing exercise objectives, conducting planning meetings, developing exercise documentation, and planning for exercise logistics, control, and evaluation.
• Chapter 4: Exercise Conduct provides guidance on setup, exercise play, and wrap-up activities.
• Chapter 5: Evaluation provides the approach to exercise evaluation planning and conduct through data collection, analysis, and development of an AAR.
• Chapter 6: Improvement Planning addresses corrective actions identified in the exercise IP and the process of tracking corrective actions to resolution.

Fundamental principles for exercise programs and individual exercises include the following:
• They should be guided by Elected and Appointed Officials.
• They are capability-based and objective driven. Exercises evaluate performance against capability-based objectives based on the National Preparedness Goal’s series of core capabilities.
• A progressive planning approach with an increasing level of complexity over time should be used.
• Whole community integration should take place throughout the exercise planning and execution process.
• HSEEP’s common methodology for exercises should be used so that diverse organizations can readily collaborate and have a shared understanding.
• Exercises should be informed by risk.

Key elements of HSEEP’s approach to exercise program management include:
• Engaging Elected and Appointed Officials to Provide Intent and Direction.
• Developing a Multi-year Training and Exercise Plan and Establishing Multi-year Exercise Program Priorities. These priorities inform the development of individual exercise objectives, ensuring coordinated and integrated.
• Using a Progressive Approach, which builds toward an increasing level of complexity over time.
• Maintaining a Rolling Summary of Exercise Outcomes. A rolling summary report provides elected and appointed officials and other stakeholders with an analysis of issues, trends, and key outcomes from all exercises conducted as part of the exercise program.
• Managing Exercise Program Resources. An effective exercise program utilizes the full range of available resources for exercise budgets, program staffing, and other resources.

Phases of the Exercises Cycle

The exercise cycle phases described in HSEEP include
• Design and Development
• Conduct
• Evaluation
• Improvement Planning

Design and Development: Exercise planning team members determine exercise objectives and design the scenario, and ensure that they are aligned with the overall multi-year plan. They also engage with key officials, state emergency management agencies (EMA), and other stakeholders; create documentation and the exercise plan; and coordinate logistics. Safety of exercise participants is a key aspect of the exercise logistics.
Exercise design and development steps include:
“• Setting the exercise foundation by reviewing elected and appointed officials’ guidance, the TEP, and other factors;
• Selecting participants for an exercise planning team and developing an exercise planning timeline with milestones;
• Developing exercise-specific objectives and identifying core capabilities based on the guidance of elected and appointed officials;
• Identifying evaluation requirements;
• Developing the exercise scenario;
• Creating documentation;
• Coordinating logistics; and
• Planning for exercise control and evaluation.”

Design: The core components include establishing the scope, objectives, scenario, documentation, and media and public relations guidance.

Objectives: Generally, planners should select a reasonable number of specific, measurable, achievable, relevant, and time-bound (SMART) exercise objectives.

Regarding the planning teams and reporting structure, a sample planning team structure and recommendations regarding organizational structure are provided in HSEEP:
• Planning team structure: The team can be structured according to an ICS-type structure with the Exercise Planning Team Leader in the Commander position. Operations develops and evaluates the scenario. Planning develops/compiles all documentation and may be responsible for any simulated actions by absent positions/agencies necessary for the exercise. Logistics elements include service such as transportation, signage, food, medical, and security and support such as communications and supplies. Administration/Finance Section provides financial and administrative support.
• The importance of understanding the exercise objectives and identifying core capabilities associated with each objective, and designing the exercise and evaluation plan around the capabilities to be tested are emphasized in HSEEP.
• Training and Exercise Planning Workshop (TEPW): TEPWs, based on guidance from officials, establish exercise program strategy and structure, and set priorities and a multi-year schedule of training and exercise. TEPWs encourage efficiency, effectiveness, and coordination of exercise initiatives. TEPW participants are diverse and include elected and appointed officials, persons with administrative responsibility and those in relevant disciplines, and representatives from relevant NGOs or social support organizations. They review and take into account jurisdiction-specific threats and hazards from THIRA and risk assessments, AAR results, regulations and other external requirements.

Conduct: Conduct-related activities include preparing for exercise play, managing exercise play, and conducting immediate exercise wrap-up activities. Conduct techniques for discussion-based exercises and operations-based exercises are presented in this section.
Participant roles and responsibilities are also described in HSEEP, Table 4.1.

Evaluation: Evaluation compares performance of exercise teams, individuals, equipment, protocols, systems, and plans against objectives. The evaluation section includes information on planning, exercise documentation and analysis, identification of strengths and improvement areas, and development of AARs. Evaluation planning begins at the start of exercise design and development. Exercise evaluation guides (EEGs) are designed to streamline data collection, and facilitate assessment of core capabilities, objectives, capability targets and critical tasks in a consistent manner.

Improvement Planning: Improvement planning identifies improvements based on corrective actions revealed during the exercise. The improvement planning results are included in or appended to the AAR. Improvements may include changes to plans, procedures, organizational structures, processes, equipment or other resources, and training. Individual corrective actions should be monitored until they have been implemented.

NCHRP Synthesis 468: Interactive Training for All-Hazards Emergency Planning, Preparation, and Response for Maintenance and Operations Field Personnel

Citation. Nakanishi, Yuko J. and Auza, Pierre M. NCHRP Synthesis 468: Interactive Training for All-Hazards Emergency Planning, Preparation, and Response for Maintenance and Operations Field Personnel, Transportation Research Board of the National Academies, Washington, DC, 2015, [Online]. Available: http://onlinepubs.trb.org/onlinepubs/nchrp/nchrp_syn_468.pdf

Synopsis. As stated in the synthesis summary, the project goals were “to identify interactive emergency training tools and sources appropriate for the M&O field personnel of state DOTs and PWs, identify obstacles to their implementation, and create a toolkit of relevant training and exercise information.” The target audience of the synthesis was the managers of M&O field personnel.

Chapter 1 introduces NIMS, the importance of training and exercises and their place in the preparedness cycle, the emergency operations plan, and other plans and procedural documents.

Chapter 2 describes emergency training and exercise needs of M&O field personnel including NIMS, TIM, federal directives, mutual aid and grants, winter maintenance and operations, evacuation, continuity of operations, supervisor training, and exercises.

Chapter 3 covers the following emergency training and exercise delivery methods:
• Field Crew Meetings
• Just-in-Time Training
• Interjurisdictional and Interagency Training and Exercises
• Joint Training
• Asynchronous Training
• Train-the-Trainer
• Planned Events, Incidents, and Exercises
• Computer-Assisted Simulations
• Classroom Training
• Online Training with Live Instructors
• Blended Training
• Exercises

Chapter 4 on emergency training and exercise practices discusses implementation challenges, training needs and solutions, findings on the use of exercises and additional findings.
Key challenges were scheduling difficulties and limited budgets. Additional challenges included lack of qualified training staff, personnel turnover, distance issues, senior management issues, inadequate facilities and other resources, insufficient information about available training, and infrequent need for training. Table 30 presents Implementation Issues and Possible Solutions.

Additional findings included: Peer-to-Peer Training, Field Training, In-House Training, Professional Organizations and Certifications, and Other Training. Findings on Use of Exercises included: discussion-based exercises, operations-based exercises, exercise evaluation, exercise scenarios, training and exercises for PWs, training and exercises for contractors, and law enforcement and fire departments.

Chapter 5 described the development of the Toolkit which presents key courses and catalogs, guidance documents, source organizations, and source-specific information. Chapter 6 presented the conclusion to the synthesis and a summary of the key findings and further research needs.

The Appendices which may be useful to the 51A project include: A – Toolkit, F – Washington DOT EOP Training and Exercises, G – Arizona DOT Emergency Planning, Management, and Maintenance Training Matrices, H – Missouri DOT Training Plan, and I – Missouri DOT NIMS Training Guide.

NCHRP Report 793: Incorporating Transportation Security Awareness into Routine State DOT Operations and Training (2014)

http://onlinepubs.trb.org/onlinepubs/nchrp/nchrp_rpt_793.pdf

Synopsis. This report outlines techniques to integrate all-hazards security awareness concepts and reminders into routine state department of transportation (DOT) operations, maintenance, and training.
The report is structured as follows:
Section 1 – introduces transportation security and role of state DOTs
Section 2 – presents organizational readiness and five key “Questions to Ask” before implementation of a security awareness program
Section 3 – identifies components of a security awareness campaign including general messages and delivery methods
Section 4 – provides relatively inexpensive methods to promote security awareness
Appendices
Appendix A – Overview of current training and resources
Appendix B – Contact list of transportation security training organizations
Appendix C – Directory of transportation security resources

The report notes that many DOTs may believe security is not DOT business. However, because transportation systems are vulnerable to various hazards and threats, DOTs play a significant role in infrastructure security and have the responsibility of controlling access to critical components, coordinating with law enforcement to ensure quick response, conducting risk and vulnerability assessments, and taking action to address the effects of risks and vulnerabilities. Hence, security awareness is important for all employees and is the cornerstone of a security culture in which security is an integral part of daily routine.

The report states that all transportation employees contribute to security by being vigilant and detecting suspicious activity, and by deterring unlawful acts simply by their presence. The report also notes that all employees should understand the risks to transportation systems and assets, and know how to recognize a security risk, what to do, and how to report a security threat. Section 3, Figure 1 provides a security reporting procedures flowchart used by Texas DOT.

Training sources described in Appendix A and B include: DHS/TSA, TRB, NTI, CTSSR, FHWA, NHI, FTA, FMCSA, PHMSA, FEMA, LTAP/TTAP, other federal training, SEMA, RDPC, other sector resources, and other security resources.

Security awareness programs described in Appendix C include If You See Something, Say Something™, First Observer™, Highway Watch, and Transit Watch.

NCHRP Report 525, Volume 9 / TCRP Report 86, Volume 9: Transportation Security: Guidelines for Transportation Emergency Training Exercises (2006)

Citation. McCormick Taylor, Inc. NCHRP Report 525, Volume 9 / TCRP Report 86, Volume 9: Transportation Security: Guidelines for Transportation Emergency Training Exercises, Transportation Research Board of the National Academies, Washington, DC, 2006. Available: http://onlinepubs.trb.org/onlinepubs/nchrp/nchrp_rpt_525v9.pdf

Synopsis. The report is designed to assist transportation agencies in developing drills and exercises in alignment with the National Incident Management System. The report describes the process of emergency exercise development, implementation, and evaluation. In addition, the available literature and materials to support transportation agencies such as state departments of transportation, traffic management centers, and public transportation systems are described.

NCRRP Report 2: A Guide to Building and Retaining Workforce Capacity for the Railroad Industry (2015)

Citation.
QinetiQ North America, Hile Group, and Department of Engineering Professional Development, University of Wisconsin. NCRRP Report 2: A Guide to Building and Retaining Workforce Capacity for the Railroad Industry, Transportation Research Board, Washington, DC, 2015. Available: http://www.trb.org/Main/Blurbs/173352.aspx

Synopsis. The report addresses current workforce development issues for the railroad industry, and identifies best practices for creating and maintaining a competent workforce. The authors note that the majority of the current workforce is or will be retiring, creating an urgency regarding knowledge transfer and the need to address the requirements of younger workers. The report’s authors identified the following key training successes, challenges, and recommendations.

Successes:
• On-the-job training creates positive training experiences.
• State-of-the-art railroad education and training centers include the Railroad Education and Development Institute.

Challenges:
• Experienced workers may be averse to providing on-the-job training due to liability concerns.
• Lack of qualified trainers.
• Lack of consistent and standardized training programs
• Adapting training to different education and experience levels

Recommendations:
• A culture of preceptorship and mentoring should be created
• Increased standardization and focus on training should be promoted
• World-class training facilities and programs to deliver both classroom and hands-on training should be established

TCRP Web-Only Document 60 / NCHRP Web-Only Document 200: Command-Level Decision Making for Transit Emergency Managers

Citation. Pigora, Mary Ann. TCRP Web-Only Document 60 / NCHRP Web-Only Document 200: Command-Level Decision Making for Transit Emergency Managers. Transportation Research Board of the National Academies, Washington, DC, 2013 [Online]. Available: http://www.trb.org/Main/Blurbs/169839.aspx

Synopsis. TRB’s TCRP Web-Only Document 60 / NCHRP Web-Only Document 200: Command-Level Decision Making for Transit Emergency Managers describes the development and implementation of Transit Emergency Response Application (TERA). The project goal was to develop a TERA “to achieve the goals as outlined in the National Response Framework through simulation guided experiential learning.” As stated in the report, “TERA provides training and exercise for command-level roles in the transit agency emergency operations center in relation to mitigating transit-specific emergencies and supporting state and local emergency management authorities in natural or manmade disaster incidents.” The Transit Scenarios included: flood, hurricane, earthquake, power outage, hazardous materials, and active shooter. TERA was later expanded with supplemental NCHRP funding to include state DOT roles. These expansion activities were executed in Phase 3 of the project.
The research approach, introduced in Chapter 1 and described more fully in Chapter 2, involved three phases and the following sample activities per phase:

Phase 1
• Training Needs Analysis
• Role-based learning objective profiles
• Prioritized list of potential TERA scenarios

Phase 2
• Developed storyboards and facilitator/user guides
• Developed a prototype module
• Performed field testing of the prototype module

Phase 3
• Developed the scenario-based training system
• Executed Test Plan

Chapter 3 presents the project findings. Table 3, Scenarios with Task Function Differentiators, is included in this Chapter. The table provides a listing of various natural disaster and terrorism scenarios and also identifies sources and task function differentiators for each scenario. Chapter 4 recommends an approach to obtaining organizational acceptance for TERA and lists sources of technical and financial support along with training and system support. Chapter 5 presents the conclusions of the project report.

Appendix A provides scenario outlines for
• Flood with Hazmat spill
• Subway Bombing/Active Shooter
• Hurricane
• Earthquake
• Cyber Attack on the Power Grid
• Hazmat

Appendix B describes command-level transit agency role profiles. Appendix C describes training objectives for transit agency roles. Appendices D – K are only available through request via Stephan Parker. They include Scenario Scripts and Tasks by Role.

Emergency management professionals in the transportation, transit, rail, and airport domains may register to use TERA for free at www.tera.train-emst.com.

Advancing Workforce Health at the Department of Homeland Security: Protecting Those Who Protect Us

Citation. Advancing Workforce Health at the Department of Homeland Security: Protecting Those Who Protect Us, National Academies Press, Washington, DC, 2014, [Online]. Available:
http://www.nap.edu/catalog/18574/advancing-workforce-health-at-the-department-of-homeland-security-protecting

Synopsis. From the Transport Research International Documentation (TRID) Database: “The more than 200,000 men and women that make up the Department of Homeland Security (DHS) workforce have been entrusted with the ultimate responsibility – ensuring that the homeland is safe, secure, and resilient against terrorism and other hazards. Every day, these dedicated individuals take on the critical and often dangerous challenges of the DHS mission: countering terrorism and enhancing national security, securing and managing the nation’s borders, enforcing and administering U.S. immigration laws, protecting cyber networks and critical infrastructure, and ensuring resilience in the face of disasters. In return, DHS is responsible for protecting the health, safety, and resilience of those on whom it relies to achieve this mission, as well as ensuring effective management of the medical needs of persons who, in the course of mission execution, come into DHS care or custody.

“Since its creation in 2002, DHS has been aggressively addressing the management challenges of integrating seven core operating component agencies and 18 supporting offices and directorates. One of those challenges is creating and sustaining a coordinated health protection infrastructure. This report examines how to strengthen mission readiness while better meeting the health needs of the DHS workforce. This report reviews and assesses the agency’s current occupational health and operational medicine infrastructure and, based on models and best practices from within and outside DHS, provides recommendations for achieving an integrated, DHS-wide health protection infrastructure with the necessary centralized oversight authority.”

Protecting the homeland is physically and mentally demanding and entails many inherent risks, necessitating a DHS workforce that is mission ready.
Among other things, mission readiness depends on (1) a workforce that is medically ready (free of health-related conditions that impede the ability to participate fully in operations and achieve mission goals), and (2) the capability, through an operational medicine program, to provide medical support for the workforce and others who come under the protection or control of DHS during routine, planned, and contingency operations. The recommendations of this report will assist DHS in meeting these two requirements through implementation (of) an overarching workforce health protection strategy encompassing occupational health and operational medicine functions that serve to promote, protect, and restore the physical and mental well-being of the workforce.” This report has nine chapters, and includes an extensive Executive Summary. The first chapter is the Introduction. The second chapter presents the history and the challenges of the DHS Workplace and Health System. Chapter 3 presents a Comprehensive Framework for Ensuring the Health of an Operational Workforce. Chapter 4 discusses the Current State of Workforce Health Protection at DHS, and Chapter 5 discusses the need for Leadership Commitment to Workforce Health and the current strategic approach. While Chapter 6 discusses Organizational Alignment and Coordination, Chapter 7 discusses Functional Alignment. The topic of Chapter 8 is Information Management and Integration. The report concludes with Considerations for Implementation (Chapter 9).

Workplace Violence in the Road Passenger Transport Sector in Maputo City, Mozambique: Extent, Causes, Consequences and Prevention

Citation. Couto, Maria Tereza, Workplace violence in the road passenger transport sector in Maputo City, Mozambique: extent, causes, consequences and prevention, Karolinska Institutet, Stockholm, Sweden, 2011, [Online]. Available: https://openarchive.ki.se/xmlui/handle/10616/40554

Synopsis. From the Transport Research International Documentation (TRID) Database: “Background: Every year millions of workers around the world are victims of workplace violence (WPV). Globally, WPV is a major occupational health and safety hazard, and it has been regarded as a public health problem. There is no WPV preventive program specifically designed for low-income countries (LICs). WPV preventive intervention models usually come from high-income countries (HICs), and they may not be sustainable, feasible or effective in other settings. With regard to WPV, there is a need better to understand its extent, nature, risk factors, causes, consequences and means of prevention, especially in LICs. The overall aim of this thesis is to study WPV in the road passenger transport sector in Maputo City, Mozambique.”

“Conclusions: The thesis illustrates that WPV is a common phenomenon and occurs wherever workers are on duty. The studies reveal prevalence, risk factors, consequences, and views of drivers and conductors on causes and means of prevention in relation to WPV in the road passenger transport sector in Maputo City, Mozambique. Finally, a need was detected for development of a framework for WPV prevention program in the road passenger transport sector. Such a framework should include primary, secondary and tertiary preventive interventions at individual, organizational and community levels.”

This thesis is divided into eight chapters, and incorporates the work of four different studies. After an introduction chapter, a background chapter describes the extent of workplace violence in the transport sector in the context of Mozambique. The aims and objectives, methods, and results of the four studies are then described. The concern of Study I is violence against drivers and conductors in Maputo City, Mozambique. Study II examines the relationship between workplace violence and quality of life among drivers and conductors. In Study III, the topic is burnout, workplace violence, and social support among drivers and conductors. Study IV investigates drivers’ and conductors’ views on the causes and ways of preventing workplace violence.

HMCRP Report 6: Feasibility of a Consolidated Security Credential for Persons Who Transport Hazardous Materials

Citation. Marink, Andrew, Bowman, Darrell S, Pethtel, Ray, Trimble, Tammy. HMCRP Report 6: Feasibility of a Consolidated Security Credential for Persons Who Transport Hazardous Materials, Transportation Research Board of the National Academies, Washington, DC, 2011, [Online]. Available: http://onlinepubs.trb.org/onlinepubs/hmcrp/hmcrp_rpt_006.pdf

Synopsis. From the Transport Research International Documentation (TRID) Database: “This report discusses the feasibility of consolidating several existing security credentials, which are necessary under current regulations and policies, into one credential for all transportation modes.

The report (1) evaluates the credentialing system to identify duplicative elements and redundant costs and (2) describes the acquisition process, the application elements, and the physical characteristics for each identified credential. In addition, the report identifies the elements of the vetting processes for each credential. An examination of four options for consolidation provides insight into the basic elements of a universally recognized security credential for Hazmat transportation workers.

“The report also identifies key challenges (e.g., impetus and authority, organizational climate, financing, risk, and technological trending) for consolidation of security credentials. Finally, an alternative method of consolidating background checks is identified as a possible intermediate solution for removing duplicative processes and redundant costs. The report will be of interest to policymakers, trade and professional organizations, and other stakeholders involved in transportation credentials for persons who transport hazardous materials. An evaluation of the data through several key frameworks provides an understanding of the system at its fundamental level.”

The report is organized into four chapters. After an Executive Summary and the first chapter (“Background”), Chapter 2 discusses the Research Approach for both phases I and II of the study. The majority of the report consists of the Findings and Applications (Chapter 3), which include: Identified Credentials; Credential Categorization; Requirements-to-Obtain Elements; Attribute Elements; Disqualifying Offenses; Time and Cost Analyses; Sample Demographics; Total Time to Obtain Credentials; Time to Complete Application; Total Time to Pick Up Credentials; Additional Respondent Feedback; Cost Analysis; Regulatory Analysis; SWOT Analysis; Consolidation Options Analysis; and Policy Implementation Analysis. In addition to an accompanying PowerPoint presentation, the report includes four appendices:
• Appendix A Technical Advisory Group Biographies
• Appendix B Requirements to Obtain
• Appendix C Disqualifying Offenses Table
• Appendix D Credential-Specific Survey Response Data

2014 National Strategy for Transportation Security (NSTS)

Citation. 2014 National Strategy for Transportation Security (NSTS): Report to Congress, April, 2015 DHS/TSA. Available: http://www.transportationops.org/publications/2014-national-strategy-transportation-security

Synopsis. The NSTS “presents a forward-looking, risk-based plan to protect the freedom of movement of people and goods while preserving civil rights, civil liberties, and privacy; it identifies priority objectives to enhance the security of infrastructure, conveyances, workers, travelers, and operations.” The report addresses the transportation strategic planning requirement in Section 1202(b) of the Intelligence Reform and Terrorism Prevention Act in title 49 of the U.S. Code. NSTS goals are:

Goal 1: Manage risks to transportation systems from terrorist attack and enhance system resilience.
Goal 2: Enhance effective domain awareness of transportation systems and threats.
Goal 3: Safeguard privacy, civil liberties, and civil rights, and the freedom of movement of people and commerce.

The report components include a base plan and the appended modal security plans for Aviation, Maritime, Highway and Motor Carrier, Mass Transit and Passenger Rail, Freight Rail, and Pipelines, and Intermodal Security Plan. The base plan is structured as follows: II. Sector Risk Profile, III. Guiding Principles, IV. Sector Mission, Vision, Goals, and Objectives, V. Cross Modal Priorities, VI. Performance, VII. Roles and Responsibilities, and VIII. Challenges and Path Forward

Appendices:
• Appendix A 2014 Aviation Security Plan
• Appendix B 2014 Maritime Security Plan
• Appendix C 2014 Surface Security Plans
• Appendix D 2014 Intermodal Security Plan

Training and exercises receive attention in the base plan and in the modal security plans as ways to enhance preparedness, response, and recovery.
• A priority activity in response and recovery from a terrorist attack is to “promote participation in local security exercises to ensure public and private familiarity with plans, procedures, and capabilities.” (page 12)
• To address Chemical and Biological Threats against transit, a priority is to assure availability of response training for frontline employees.
• Domestic Nuclear Detection Office (DNDO) develops the Global Nuclear Detection Architecture, a framework to detect, analyze, and address nuclear and radiological threats against aviation, maritime, and land transportation modes. DNDO also has training and exercise programs to support their mission.

Due to changing and emerging threats, a challenge is noted as the need for security officials to have advanced technological capabilities and continual training.

Included below are highlights from the Highway and Motor Carrier, Mass Transit and Passenger Rail, and Freight Rail sections of Appendix C – 2014 Surface Security Plans.

Highway and Motor Carrier

Attack scenarios for highway and motor carrier include IEDs or vehicle-borne IEDs on critical infrastructure, small arms or IED attacks on passenger or school buses, use of trucks or vehicles with explosives or toxic materials as a weapon, and contamination of food products during transport. These scenarios led to the risk-based priority of enhancing frontline employee security training and awareness. A related programming priority is the use of I-STEP and the Exercise Information System to promote security strategies. A challenge for highway and motor carrier security is noted as the changing threats and personnel turnover which require continual updating of security training. A path forward includes transitioning the First Observer™ program to a web-based training program and sharing of training materials and relevant information with stakeholders.

Mass Transit and Passenger Rail: Based on the following mass transit and passenger rail attack scenarios:
• IED attacks on trains or infrastructure;
• Situations;
• Sabotage of control systems; and,
• Chemical/biological attack.

A risk-based priority is to promote best practices for security planning, assessments, training, and exercises. Programming priorities include establishing an exercise program to test and improve resilience and promoting use of public awareness campaigns. The use of I-STEP is cited as a way to address the challenges of increasing operational deterrence at high-risk transit stations, and enhance modal resilience. The Transit Security Grant Program is also noted as being a priority tool for hardening assets and funding public awareness campaigns, anti-terrorism law enforcement positions, and preparedness drills and exercises.

Freight Rail: Freight rail’s primary risk scenario includes an IED attack on hazardous materials and attacks on critical transportation system infrastructure. This scenario bolsters the following risk-based training and exercise priorities:
• “Provide effective training for frontline employees in security-sensitive positions.
• Conduct effective exercises employing realistic threat scenarios that evaluate and identify opportunities to improve security and resilience.” (page 42)

F. Infrastructure Protection and Resilience

Fundamental Capabilities of Effective All-Hazards Infrastructure Protection, Resilience and Emergency Management for State DOTs

Citation: Fundamental Capabilities of Effective All-Hazards Infrastructure Protection, Resilience and Emergency Management for State DOTs, AASHTO, 2015. Available: http://scotsem.transportation.org/Documents/SCOTSEM/Fundamental%20Capabilities%20of%20Effective.pdf

Synopsis. A guide prepared to help state DOTs understand the fundamentals of preventing incidents within their control, protecting transportation users, supporting other responders, recovering from incidents, and evaluating responses. It also introduces concepts supporting resilience programs. This is an update to the 2007 publication Fundamentals of Effective All-Hazards Security Management for State DOTs.

Critical Infrastructure Protection: Observations on Key Factors in DHS’s Implementation of Its Partnership Approach

Citation. Caldwell, Stephen L, Wilshusen, Gregory C, “Critical Infrastructure Protection: Observations on Key Factors in DHS’s Implementation of Its Partnership Approach,” GAO-14-464T, Testimony Before the Committee on Homeland Security and Governmental Affairs (U.S. Senate), U.S. Government Accountability Office (GAO), Washington, DC, 2014, [Online]. Available: http://www.gao.gov/assets/670/661945.pdf

Synopsis. From the Transport Research International Documentation (TRID) Database: “Federal efforts to protect the nation’s critical infrastructure from cyber threats has been on the Government Accountability Office’s (GAO’s) list of high-risk areas since 2003. Critical infrastructure is assets and systems, whether physical or cyber, so vital to the United States that their destruction would have a debilitating impact on, among other things, national security and the economy. Recent cyber attacks highlight such threats. Department of Homeland Security (DHS), as the lead federal agency, developed a partnership approach with key industries to help protect critical infrastructure.”

TRID continues, “This testimony identifies key factors important to DHS implementation of the partnership approach to protect critical infrastructure including: (1) recognizing and addressing barriers to sharing information, (2) sharing results of DHS assessments with industry and other stakeholders, and (3) measuring and evaluating the performance of DHS partnerships. GAO has made recommendations to DHS in prior reports to strengthen its partnership efforts. DHS generally agreed with these recommendations and reports actions or plans to address many of them. GAO will continue to monitor DHS efforts to address these recommendations.”

Disaster Resilience: A National Imperative

Citation. Disaster Resilience: A National Imperative, The National Academies, 2012. Available: http://www.nap.edu/catalog/13457/disaster-resilience-a-national-imperative

Synopsis. Resilience is defined in this report as “the ability to prepare and plan for, absorb, recover from and more successfully adapt to adverse events.” It provides a discussion of how to increase the nation’s resilience to disasters through a vision of the characteristics of a resilient nation in the year 2030.

Systems Resilience and Climate Change

Citation. Systems Resilience and Climate Change, Transportation Research Record: Journal of the Transportation Research Board, No. 2532, Transportation Research Board, Washington, DC, 2015. Available: http://trrjournalonline.trb.org/toc/trr/2532

Synopsis. This edition of TRB’s Transportation Research Record includes 18 papers that examine resilience and climate change issues related to transportation:
• Roadmaps for Adaptation Measures of Transportation to Climate Change.
• Resilience Versus Risk: Assessing Cost of Climate Change Adaptation to California’s Transportation System and the City of Sacramento, California.
• Barriers to Implementation of Climate Adaptation Frameworks by State Departments of Transportation.
• Resilience of Coastal Transportation Networks Faced with Extreme Climatic Events
• Analysis of Transportation Network Vulnerability Under Flooding Disasters
• Vulnerability Evaluation of Logistics Transportation Networks Under Seismic Disasters
• Integrating Stochastic Failure of Road Network and Road Recovery Strategy into Planning of Goods Distribution After a Large-Scale Earthquake
• Multimodal Transit Connectivity for Flexibility in Extreme Events
• Risk and Resilience Analysis for Emergency Projects
• Unmanned Aircraft Systems Used for Disaster Management
• Multimodal Evacuation Simulation and Scenario Analysis in Dense Urban Area: Philadelphia, Pennsylvania, Case Study
• Spatiotemporal Population Distribution Method for Emergency Evacuation: Case Study of New Orleans, Louisiana
• Joint Evacuation and Emergency Traffic Management Model with Consideration of Emergency Response Needs
• Supporting Mobility-Impaired Populations in Emergency Evacuations
• Agent-Based Evacuation Model Considering Field Effects and Government Advice
• Selecting Four-Leg Intersections for Crossing Elimination in Evacuations
• Using Dynamic Flashing Yellow for Traffic Signal Control Under Emergency Evacuation
• Hurricane Evacuation Route Choice of Major Bridges in Miami Beach, Florida

Resilience: Key Products and Projects

Citation. TRB Resilience Update for January 2016. Resilience: Key Products and Projects. Available: https://transportationops.org/publications/trb-resilience-key-products-projects-2016

Synopsis. This presentation is a slideshow summary of the transportation research transportation security and resilience activities. These cross the main areas of TRB inquiry (freight, transit, highways and airports).

Integrating Hazard Mitigation and Comprehensive Planning Workshop

Citation. Integrating Hazard Mitigation and Comprehensive Planning Workshop, Philadelphia, PA, April 25, 2016. Available: http://www.dvrpc.org/Resiliency/HMP/pdf/2016-04-25_Workshop_Summary.pdf

Synopsis. The workshop emphasized the important relationship between land use planning and hazard mitigation, noting that how we design, build, and regulate our communities impacts their ability to withstand hazards.

Increasing National Resilience to Hazards and Disasters

Citation. Increasing National Resilience to Hazards and Disasters, Committee on Science, Engineering and Public Policy, the National Academies of Sciences, Engineering and Medicine. Available: http://sites.nationalacademies.org/PGA/COSEPUP/nationalresilience/index.htm

Synopsis. The ad-hoc committee conducted a study and issued a consensus report that integrates information from the natural, physical, technical, economic and social sciences to identify ways in which to increase national resilience to hazards and disasters in the United States. The ad-hoc committee report:
• Defines “national resilience” and frames the primary issues related to increasing national resilience to hazards and disasters in the United States.
• Provides goals, baseline conditions, or performance metrics for resilience at the U.S. national level.
• Describes the state of knowledge about resilience to hazards and disasters in the United States.
• Outlines additional information or data and gaps and obstacles to action that need to be addressed in order to increase resilience to hazards and disasters in the United States.
• Presents conclusions and recommendations about what approaches are needed to elevate national resilience to hazards and disasters in the United States.

Crisis Response and Disaster Resilience 2030: Forging Strategic Action in an Age of Uncertainty, Progress Report Highlighting the 2010-2011 Insights of the Strategic Foresight Initiative, FEMA, January 2012

Citation. Crisis Response and Disaster Resilience 2030: Forging Strategic Action in an Age of Uncertainty, Progress Report Highlighting the 2010-2011 Insights of the Strategic Foresight Initiative, FEMA, January 2012. Available: http://www.fema.gov/media-library-data/20130726-1816-25045-5167/sfi_report_13.jan.2012_final.docx.pdf

Synopsis. The Federal Emergency Management Agency (FEMA) established the Strategic Foresight Initiative (SFI) that has brought together a wide cross-section of the emergency management community to explore key future issues, trends and other factors, and to work through their implications. This report presents the findings from foresight efforts thus far, including: uncertainties that define and drive the future environment; strategic needs and gaps our community will have to address; a look into the emergency management community of 2030; and finally, suggested next steps for the community to prepare for the future. The strategic needs in particular – grouped into Essential Capabilities, Innovative Models and Tools, and Dynamic Partnerships – are intended as a catalyst for leaders throughout the emergency management community to prepare themselves and the nation for the challenges and opportunities the future holds.

Building Resilient States: A Framework for Agencies

Citation. Building Resilient States: A Framework for Agencies, Smart Growth America. Available: http://www.smartgrowthamerica.org/resilience/

Synopsis. Smart Growth America’s State Resilience Program offers resources, tools, and ideas for state leaders and agencies to build more resilient places and reduce the risk of natural hazards to human life and investments. Drawing on the work of pioneering state leaders, federal agencies, and national experts, this program represents the cutting edge of land use and engagement strategies for hazard resilience. Materials are based on the experience of peer agencies from across the country, the latest research on programs and activities that states control, and proven approaches for building municipal partnerships.

Resource Guide on Resilience

Citation. Resource Guide on Resilience, International Risk Governance Council (IRGC). Available: https://www.irgc.org/irgc-resource-guide-on-resilience/

Synopsis. IRGC developed a web-based resource guide on resilience for researchers and practitioners. The resource guide available on this page is a collection of authored pieces that review existing concepts, approaches and illustrations or case studies for comparing, contrasting and integrating risk and resilience, and for developing resilience. Most papers focus also on the idea of measuring resilience. Although this idea may not sound right to some, there are ongoing efforts for evaluating resilience, developing resilience indicators, and measuring the effectiveness of actions taken to build resilience. These efforts are worth considering because indicators and metrics for resilience are needed to trigger interest and investment from decision-makers. This guide is designed to help scientists and practitioners working on risk governance and resilience evaluation. It stresses the importance of including resilience building in the process of governing risk, including in research, policy, strategies, and practices. It emphasizes the need to develop metrics and quantitative approaches for resilience assessment and instruments for resilience management.

A Multidimensional Review of Resilience: Resources, Processes, and Outcomes

Citation. Marcus L. Snell, Daniel A. Eisenberg, Thomas P. Seager, Susan Spierre Clark, Young Joon Oh, John E. Thomas, and Lauren R. McBurnett. A Multidimensional Review of Resilience: Resources, Processes, and Outcomes. Available at https://www.irgc.org/irgc-resource-guide-on-resilience/

Synopsis. This paper reviews a sampling of resilience literature from a variety of disciplines and identifies at least three dimensions of resilience: resources, processes, and outcome priorities.

Critical Infrastructure Resilience

Citation. Eric D. Vugrin, Sandia National Laboratories. Critical Infrastructure Resilience. Available: https://www.irgc.org/wp-content/uploads/2016/04/Vugrin-Critical-Infrastructure-Resilience-1.pdf

Synopsis. The Infrastructure Resilience Analysis Methodology (IRAM) provides a comprehensive framework for analyzing and managing critical infrastructure resilience (Biringer, Vugrin, & Warren, 2013). The IRAM is a hybrid methodology that includes performance-based metrics to quantify resilience and resilience attributes to inform analysis and improvement. The IRAM quantifies resilience with two primary sets of metrics: systemic impact (SI) and total recovery effort (TRE).

Resilience: Approaches to Risk Analysis and Governance: An Introduction to the IRGC Resource Guide on Resilience

Citation. Igor Linkov, Benjamin D. Trump, and Cate Fox-Lent. Resilience: Approaches to Risk Analysis and Governance: An Introduction to the IRGC Resource Guide on Resilience. Available: https://www.irgc.org/wp-content/uploads/2016/04/Linkov-Trump-Fox-Lent-Resilience-Approaches-to-Risk-Analysis-and-Governance-1.pdf

Synopsis. This paper includes (I) a comparison of risk and resilience management strategies, (II) a description of common features within resilience analysis and thinking, and (III) a discussion of the benefits that resilience management brings to the field of risk management. This paper serves as a general introduction to the concept and application of resilience, specifically as it relates to traditional risk management, and in particular about suggestions for metrics or indicators that can be developed to assess resilience in a system, and the performance of resilience strategies.

Measuring the Resilience of Infrastructure Systems

Citation. Henry H. Willis, RAND Corporation. Measuring the Resilience of Infrastructure Systems. Available: https://www.irgc.org/wp-content/uploads/2016/04/Willis-Measuring-the-Resilience-of-Infrastructure-Systems.pdf

Synopsis. This paper defines resilience – meaning both what it is and what aspects of the system must be measured – and understanding why resilience is being measured.

Planning for a More Resilient Future: A Guide to Regional Approaches

Citation. Planning for a More Resilient Future: A Guide to Regional Approaches, NADO. Available: https://www.nado.org/wp-content/uploads/2015/10/Regional_Resilience_report_FINAL.pdf

Synopsis. This report summarizes the rapidly growing body of research on resilience, describing the main ideas that are driving policy and practice across the country, and examining current thinking on regional and economic resilience. It is accompanied by an online guide to resources on the practice of resilience, available at www.nado.org. The guide includes examples of ways to approach planning for resilience, a primer on the expansive federal policy framework which determines the priorities for funding resilience initiatives, and describes the current state of philanthropic engagement in resilience efforts.

Enhancing Community Resilience: Practical Resources in Addressing the Collaboration Gaps

85 Citation. Stephen Diarmuid Walsh MIPI AIED, Martina Madden, Stephen M. Purcell, Future Analytics Consulting (FAC) Limited. Enhancing Community Resilience: Practical Resources in Addressing the Collaboration Gaps. Available: https://www.irgc.org/wp- content/uploads/2016/04/Walsh-Madden-Purcell-Enhancing-Community-Resilience.pdf Synopsis. This paper examines Community Resilience (CR), with particular reference to the “collaboration gap” and the manner in which it impedes the unification of communities and responding professionals in terms of reacting to the effects of an adverse event (disaster relief). The purpose of this paper is to highlight the impact of the “collaboration gap” and to then present resources which may enable communities and responding professionals to react together in order to mitigate and recover from the effects of an adverse event, thereby enhancing the resilience of communities. Improving the Resiliency of Transit Systems Threatened by Natural Disasters Citation. TCRP Project A-41, “Improving the Resiliency of Transit Systems Threatened by Natural Disasters” (completion expected February 2017). Available: http://apps.trb.org/cmsfeed/TRBNetProjectDisplay.asp?ProjectID=3744 Synopsis. The objectives of this research are to develop (1) a handbook with an associated suite of digital presentation materials to address planning principles, guidelines (including metrics), strategies, tools, and techniques to enable public transit systems to become more resilient to natural disasters and climatic events; and (2) a draft recommended practice for public transit resilience to natural disasters and climatic events suitable as input to the APTA Standards Program. 
The handbook and its associated suite of digital presentation materials should be appropriately designed for use by public transit agency executive staff to plan, budget, and institutionalize effective practices to improve resilience, addressing (a) capital project planning and asset management (including financial planning and risk assessment for natural disasters and climatic events), (b) operations and maintenance, and (c) administration. They should provide sufficient detail to allow users to adapt them to their individual entities. A Resiliency Framework for Planning in State Transportation Agencies Citation. Amoaning-Yankson, Stephanie. A resiliency framework for planning in state transportation agencies. Available: https://smartech.gatech.edu/bitstream/handle/1853/49123/AMOANING-YANKSON-THESIS- 2013.pdf?sequence=1&isAllowed=y Synopsis. This thesis presents a framework for resiliency planning in state departments of transportation and other transportation agencies. The development of this framework is motivated by the need for more resilient transportation systems, due of the increasing frequency and the effect both natural and man-made catastrophic disasters have on transportation systems. The resiliency framework is based on the urban transportation planning framework and is thus applied in the broader context of general transportation planning. The resiliency framework is then applied in a preliminary review to three statewide transportation plans to show the resiliency deficiencies of

86 those plans and how the framework may be applied to increase resiliency. These plans are selected from three different states with diversity of locations and without any preconceived notions about their incorporation of resiliency in their planning process. This preliminary review reveals a reactive nature towards investments that increase an agency’s resilience. This may be attributed to the problem of limited funding for transportation investments, as well as, limited knowledge by the transportation agencies about the return on such resiliency investments, mostly due to the uncertainty associated with the occurrence of catastrophic disasters, especially the predictability of weather-related events. However, post-disaster transportation system overhauls provide enough evidence for the need for more systemic ways of addressing resiliency in planning processes. Federal and Transit Agencies Taking Steps to Build Transit Systems’ Resilience but Face Challenges Citation. Federal and Transit Agencies Taking Steps to Build Transit Systems’ Resilience but Face Challenges, GAO December 2014. Available: http://www.gao.gov/assets/670/667391.pdf Synopsis. This report examines (1) how DHS and DOT help transit agencies make their systems resilient; (2) actions selected transit agencies take to make their systems resilient; and (3) challenges transit agencies face with making their systems resilient. GAO examined documentation and interviewed officials from DHS and DOT, and officials from nine transit and five emergency management agencies. GAO selected a non-generalizable sample of agencies in five locations, chosen for transit ridership volume and variation in geography, types of risks, and transit modes. Transit agencies that GAO selected identified a number of actions they are taking to help make their systems more resilient, including performing risk assessments and developing plans, such as emergency operations plans. 
These agencies also take actions, such as building redundant assets or facilities, to ensure the continuity of operations of the agencies’ systems. Further, transit agencies have changed their infrastructure to mitigate the potential impact of disasters on their assets. For example, as shown in the figure below, one agency elevated vents and curbs to minimize water flowing into the subway. Although all transit agencies GAO selected are taking resilience-building actions, officials GAO interviewed said that transit agencies face challenges with placing priorities on resilience and with certain aspects of some grant programs. In particular, officials from DHS, DOT, and transit agencies GAO selected explained that it is difficult for transit agencies to place priority on resilience activities because managers may be reluctant to focus on resilience and resilience activities compete with other priorities for funding. Federal, transit agency, and emergency management officials cite challenges related to some aspects of federal grants that have made it difficult for transit agencies to, among other things, incorporate resilience into disaster recovery efforts and make regional transit-networks resilient. DHS, DOT, and some transit agencies are taking some actions to address these challenges, such as developing tools to help management prioritize resilience activities.

FloodCast: A Framework for Enhanced Flood Event Decision Making for Transportation Resilience

Citation. NCHRP Project 20-59(53), “FloodCast: A Framework for Enhanced Flood Event Decision Making for Transportation Resilience,” Available: http://apps.trb.org/cmsfeed/TRBNetProjectDisplay.asp?ProjectID=3725

Synopsis. The objectives of this research are to develop a strategic framework and a prototype tool for enhanced flood event decision making. The framework and tool should help state DOTs plan, manage risks, mitigate hazards, and respond to flood and flash flood events. The framework and tool should address not only immediate flood impacts, but also cascading, escalating impacts. Given the large amount and diversity of applicable data and tools, the framework design should be flexible and scalable to accommodate the available data sets and allow users to easily share both data and products with other users, thereby fostering collaboration across government organizations and the private sector.

Guidelines to Incorporate the Costs and Benefits of Adaptation Measures in Preparation for Extreme Weather Events and Climate Change

Citation. NCHRP Project 20-101, “Guidelines to Incorporate the Costs and Benefits of Adaptation Measures in Preparation for Extreme Weather Events and Climate Change,” in progress (completion expected 2017). Available: http://apps.trb.org/cmsfeed/TRBNetProjectDisplay.asp?ProjectID=3881

Synopsis. The objectives of this research are to develop (a) a stand-alone document providing guidance for practitioners on methods and tools, including illustrative case studies where applicable, to: (i) efficiently mine, manage, and document existing data sources; (ii) acquire and use data from new and innovative sources; and (iii) apply, and communicate the results from, a flexible and scalable framework for analyzing the costs and benefits of adaptation measures in preparation for extreme weather events and climate change conducted by various transportation organizations; (b) a final report that documents the entire research effort and includes the research team’s recommendation of research needs and priorities for additional related research; and (c) an updated PowerPoint presentation describing the research and results suitable (upon revision) for posting on the TRB website.

The Innovative DOT: A Handbook of Policy and Practice

Citation. “The Innovative DOT: A Handbook of Policy and Practice,” State Smart Transportation Initiative and Smart Growth America, 2014. Available: http://www.ssti.us/wp/wp-content/uploads/2014/01/The-Innovative-DOT-1.8.15.pdf

Synopsis. This Handbook, developed by the State Smart Transportation Initiative and Smart Growth America, contains a resiliency section that provides guidance for state departments of transportation (DOTs) on how to incorporate climate change adaptation into long-range transportation planning. It provides state DOTs with a comprehensive list of reforms that will address potential climate-related vulnerabilities and reduce the likelihood, magnitude, duration and cost of disruption associated with extreme weather. The resiliency section, entitled “Incorporate Climate Change Resilience into Long-Range Planning,” is included in the larger handbook, which provides general guidance to state DOTs on ways to improve their transportation systems.
The resiliency section summarizes the potential effects of climate change on a state’s transportation system, describes how climate change adaptation planning can help a state protect its transportation assets, and outlines steps state DOTs can take to assess vulnerability and identify and implement changes to improve the system’s resilience. The section reviews the effects of climate change and the impact extreme weather can have on a state’s transportation assets. For example, the increased intensity, variability, duration, and frequency of weather events could lead to shortened infrastructure lifespans, increased risk of catastrophic failures, and increased costs. It provides guidance for state DOTs on ways to implement resilience in transportation systems through operational and infrastructure changes.

There are three key adaptation planning steps that state DOTs can take to assess system vulnerability and risks, and identify and implement changes to improve the system’s resilience. These steps include: (1) documenting environmental changes and selecting the most appropriate climate models to predict future conditions; (2) identifying climate change-related stressors and their impacts on the transportation system, and inventorying transportation assets, focusing on characteristics that could help or hinder adaptation; and (3) developing and assessing alternative strategies for adapting infrastructure and operations.

The handbook also highlights FHWA-sponsored pilot projects for incorporating resilience into transportation planning. These pilots were intended to encourage state and regional agencies in the development of climate adaptation plans using FHWA’s Climate Change and Extreme Weather Vulnerability Assessment Framework. Three of the states that conducted pilot projects (Washington, California, and Massachusetts) are featured in the handbook as case studies. Washington completed the vulnerability and risk assessment step by identifying at-risk transportation assets and planning to further develop a set of specific adaptation strategies for the assets.
California has begun developing and selecting strategies for transportation infrastructure, and has developed guidance to assist MPOs and regional transportation planning agencies with assessing their vulnerability and incorporating climate adaptation into the development of their regional plans. Massachusetts committed funding to address climate impacts according to recommendations made in the state’s 2011 Climate Change Adaptation Report, which included recommendations for improving transportation facilities’ preparedness for extreme weather events. The handbook was commissioned by the U.S. DOT’s Federal Highway Administration to assist state DOTs with prioritizing reforms by offering strategies that can be undertaken to improve a state’s transportation system.

NY Metropolitan Transportation Council, Resilience Planning, Plan 2040

Citation. NY Metropolitan Transportation Council Transportation Plan 2040. Available: https://www.nymtc.org/Regional-Planning-Activities/Resiliency-Planning

Synopsis. Improving the resiliency of the transportation system was included in Plan 2040's regional goals. The plan includes various strategies for climate adaptation throughout the entire transportation system and stresses the importance of collaboration between all member agencies in planning for future severe weather events. Greater resiliency will mitigate the adverse impacts of disruptions on the movement of people and goods due to weather, climate, or other acts of nature. The following outcomes are associated with the regional resiliency goal:

• Adaptation measures for critical components of the transportation system to accommodate variable and unexpected conditions without catastrophic failure;
• Greater resiliency of the regional supply chain by identifying options for goods movement during and after events;
• Cooperative partnerships with federal, state, local agencies, and other stakeholders to adapt the transportation system and improve recovery from disruptions.

Transportation Sector Resilience, Final Report and Recommendations

Citation. Transportation Sector Resilience, Final Report and Recommendations, National Infrastructure Advisory Council (NIAC), July 10, 2015. Available: https://www.dhs.gov/sites/default/files/publications/niac-transportation-resilience-final-report-07-10-15-508.pdf

Synopsis. The President directed the National Infrastructure Advisory Council (NIAC) to examine the resilience of the nation’s transportation sector to determine potential gaps and identify opportunities for the Federal Government to improve the sector’s resilience and security. Throughout this study, infrastructure resilience is defined as the ability to reduce the magnitude or duration of disruptive events that is accomplished by anticipating, absorbing, adapting to, or rapidly recovering from the disruption. The Council’s key findings are presented within three major topic areas:

Finding 1: Understanding Systemic Risks
• Transportation risks are not well understood across modes, regions, and critical interdependent sectors, creating uncertainty about national-level consequences that could arise from a major system disruption.
• Owners and operators have limited visibility of risks across adjoining systems, jurisdictions, modes and critical dependent infrastructures, in particular emerging risks related to cyber disruptions.

Finding 2: Incorporating Resilience into Operational Practice
• Although national resilience policies are generally well established, they have not yet been integrated into comprehensive national transportation plans and strategies that coordinate decision making and risk management across modes at local, state, regional, and national levels.
• Gaps in leadership, coordination, and workforce capabilities have made it difficult for organizations to effectively incorporate resilience as an embedded function of good operating practice.
• There is no structured senior-level engagement between public and private sector partners, and among transport modes and interdependent sectors, to address national-level transportation risks.

Finding 3: Investing in Resilient Infrastructure
• Chronic underinvestment in transportation infrastructure and the inability to monetize resilience for investment decisions have prevented resilience from being integrated into the built infrastructure.
• There is no national consensus on the need for investment in resilient transportation infrastructure due in part to a limited understanding among the public, political leaders, and industry leaders about the role and value of resilience.
• Uncertainty over the likelihood, costs, and consequences of emerging risks makes it difficult for owners and operators to invest in long-term resilience.

There are three overarching recommendations: the need to 1) baseline current risks and establish a federal vision for transportation resilience; 2) develop the analytic tools, models, and exercises to better understand and plan for emerging risks and interdependencies; and 3) use the results of these efforts to operationalize resilience by increasing funding and implementing effective federal practices, procedures, and procurement processes.

G. Homeland Security Laws, Directives, and Guidance

NCHRP Synthesis 472: FEMA and FHWA Emergency Relief Funds Reimbursements to State Departments of Transportation

Citation. Nakanishi, Yuko J. and Auza, Pierre M. NCHRP Synthesis 472: FEMA and FHWA Emergency Relief Funds Reimbursements to State Departments of Transportation. Transportation Research Board of the National Academies. Washington, DC, 2015, [Online]. Available: http://onlinepubs.trb.org/onlinepubs/nchrp/nchrp_syn_472.pdf

Synopsis. The Executive Summary states that this synthesis “focuses on state DOT experiences and practices related to the federal disaster reimbursement programs: FHWA Emergency Relief (ER) and the Federal Emergency Management Agency (FEMA) Public Assistance (PA)”. The synthesis consists of five chapters, and its case studies include ten (10) state departments of transportation (DOTs) and two (2) state emergency management agencies or offices. After an introductory Chapter 1, the report presents an overview of the FHWA and FEMA programs in Chapter 2. Chapter 3 examines the challenges and experiences of case study state DOTs with the two federal programs. In contrast, Chapter 4 compares and contrasts these state DOTs by aspects of their current practices, such as roles and responsibilities, disaster assessment practices, financial management systems, cost sharing, etc. In its Conclusion (Chapter 5), the synthesis summarizes its findings (challenges and effective practices of state DOTs) and shares useful resources for the two federal programs. Appendix D contains detailed write-ups of each case study participant DOT.
Other appendices include
• Presidential Declarations (Appendix B),
• New York state DOT Detailed Damage Inspection Report (DDIR) form instructions (Appendix E),
• California DOT (Caltrans) Damage Assessment Form (Appendices F and G),
• Vermont Agency of Transportation (VTrans) checklists (Appendix H),
• Louisiana Department of Transportation and Development (DOTD) emergency forms and equipment/supply checklist (Appendix I), and
• Public Assistance Grant Program Summary (Appendix J).

Legal Aspect of Environmental Permitting in the Emergency Response Environment

Citation. Sun, Carlos; Williams, Douglas. NCHRP Legal Research Digest 64: Legal Aspect of Environmental Permitting in the Emergency Response Environment. Transportation Research Board, Washington, DC, 2015, 73 pp. [Online]. Available: http://www.trb.org/Main/Blurbs/172317.aspx

Synopsis. From the Transport Research International Documentation (TRID) Database:

“Disasters have created circumstances not typically encountered in highway rehabilitation, construction, and reconstruction projects, leading to unique challenges and opportunities. Essential environmental and other regulatory requirements of resource agencies must be achieved on an expedited basis. The Federal Government, states, and local governments have made successful efforts to expedite the resumption of services and use of facilities. The above scenario presents an opportunity for a research project that compares and contrasts environmental resource, regulatory, and other processes that various governmental entities use to facilitate recovery from catastrophic events.

“Government agencies stand to benefit from these case studies that demonstrate successful responses to the challenges faced. This legal digest discusses various processes used by governmental entities to attain compliance with environmental laws and regulations in the case of emergencies. These processes were identified through interviews and surveys of various agencies, including the Federal Highway Administration, the Federal Emergency Management Agency, and state departments of transportation. Some of these processes include strong interagency relationships, the use of categorical exclusions, formal preexisting procedures, up-to-date inventories and tools, staffing composition, informal arrangements, proper planning and scoping, and the use of waivers and exceptions. Case studies are reviewed to illustrate compliance in the case of emergencies such as hurricanes, tornadoes, floods, wildfires, structural failures, and accidents. Results of a national Web survey indicated that strong interagency relationships and the use of categorical exclusions represent two of the most popular best practices reported by agency experts.”

Critical Infrastructure Protection: DHS Action Needed to Enhance Integration and Coordination of Vulnerability Assessment Efforts

Citation. Critical Infrastructure Protection: DHS Action Needed to Enhance Integration and Coordination of Vulnerability Assessment Efforts. U.S.
Government Accountability Office, 2014, 82p, [Online]. Available: http://www.gao.gov/assets/670/665788.pdf

Synopsis. From the Transport Research International Documentation (TRID) Database:

“Damage from natural disasters like Hurricane Sandy in 2012 highlights the vulnerability of the nation’s critical infrastructure (CI). CI includes assets and systems whose destruction would have a debilitating effect on security, national economic security, or national public health or safety. The private sector owns the majority of the nation’s CI, and multiple federal entities, including Department of Homeland Security (DHS), are involved in assessing its vulnerabilities. These assessments can identify factors that render an asset or facility susceptible to threats and hazards. The Government Accountability Office (GAO) was asked to review how federal entities assess vulnerabilities.

“This report examines the extent to which DHS is positioned to (1) integrate DHS vulnerability assessments to identify priorities, (2) identify duplication and gaps within its coverage, and (3) manage an integrated and coordinated government-wide assessment approach. GAO reviewed CI laws, regulations, data from fiscal years 2011-2013, and other related documentation, as well as interviewed officials at DHS, other agencies, and a private CI association.

“GAO recommends that DHS identify the areas assessed for vulnerability most important for integrating and comparing results, establish guidance for DHS offices and components to incorporate these areas into their assessments, ensure that assessment data are consistently collected, and work with other federal entities to develop guidance for what areas to include in vulnerability assessments, among other things. DHS concurred with these recommendations.”

Critical Infrastructures: Background, Policy, and Implementation

Citation. Moteff, John D, “Critical Infrastructures: Background, Policy, and Implementation,” Congressional Research Service, Washington, DC, 2014, [Online]. Available: http://www.fas.org/sgp/crs/homesec/RL30153.pdf

Synopsis. From the Transport Research International Documentation (TRID) Database:

“The nation’s health, wealth, and security rely on the production and distribution of certain goods and services. The array of physical assets, functions, and systems across which these goods and services move are called critical infrastructures (e.g., electricity, the power plants that generate it, and the electric grid upon which it is distributed). The national security community has been concerned for some time about the vulnerability of critical infrastructure to both physical and cyberattack.

“In May 1998, President Clinton released Presidential Decision Directive No. 63. The directive set up groups within the Federal Government to develop and implement plans that would protect government-operated infrastructures and called for a dialogue between government and the private sector to develop a National Infrastructure Assurance Plan that would protect all of the nation’s critical infrastructures by the year 2003. While the directive called for both physical and cyber protection from both man-made and natural events, implementation focused on cyber protection against man-made cyber events (i.e., computer hackers).

“Following the destruction and disruptions caused by the September 11 terrorist attacks in 2001, the nation directed increased attention toward physical protection of critical infrastructures.
Over the intervening years, policy, programs, and legislation related to physical security of critical infrastructure have stabilized to a large extent. However, current legislative activity has refocused on cybersecurity of critical infrastructure. This report discusses in more detail the evolution of a national critical infrastructure policy and the institutional structures established to implement it. The report highlights two primary issues confronting Congress going forward, both in the context of cybersecurity: information sharing and regulation.”

This report has nine general sections. The first section is an Introduction. After a brief on Federal Critical Infrastructure Protection Policy (second section), the report covers the President’s Commission on Critical Infrastructure Protection and Presidential Decision Directive No. 63 (third and fourth sections). The fifth and sixth sections present a history of critical infrastructure protection policy through the Bush and Obama Administrations. A brief history of the Department of Homeland Security is the topic of the seventh section. Policy Implementation is discussed in the eighth section, and the concluding Issues and Discussion section is the ninth section.

Emergency Transportation Relief: Agencies Could Improve Collaboration Begun during Hurricane Sandy Response

Citation. Emergency Transportation Relief: Agencies Could Improve Collaboration Begun during Hurricane Sandy Response. U.S. Government Accountability Office, 2014, 46p, [Online]. Available: http://www.gao.gov/products/GAO-14-512

Synopsis. From the Transport Research International Documentation (TRID) Database:

“In October 2012, Hurricane Sandy devastated portions of the Mid-Atlantic coast causing severe damage to transit facilities and infrastructure and disrupting mobility in the New York metropolitan region. In January 2013, the President signed the Disaster Relief Appropriations Act, 2013 (DRAA), which provided approximately $50.5 billion in federal aid for expenses related to Hurricane Sandy.

“The Government Accountability Office (GAO) was asked to examine DRAA emergency relief assistance for transportation. This report addresses (1) the progress the Department of Transportation (DOT) has made allocating, obligating, and disbursing DRAA surface transportation funds, (2) how the Federal Transit Administration’s (FTA’s) new Public Transportation Emergency Relief program compares to the Federal Emergency Management Agency’s (FEMA’s) and the Federal Highway Administration’s (FHWA’s) emergency relief programs, and (3) the extent to which FTA and FEMA have implemented their memorandum of agreement to coordinate their roles and responsibilities when providing assistance to transit agencies. GAO analyzed relevant laws, regulations, and agency documentation, and interviewed DOT, FEMA, and New Jersey and New York area transit officials.

“GAO recommends that DOT and the Department of Homeland Security (DHS) direct FTA and FEMA to establish specific guidelines to monitor, evaluate, and report the results of collaborative efforts—including their communications program and protocol as contemplated in their memorandum of agreement. DHS agreed with our recommendation, and DOT took no position.
DHS and DOT also provided technical comments, which are incorporated as appropriate.”

Legal Issues in Public Transit Emergency Planning and Operation

Citation. Tomizawa, Nicholas. Legal Issues in Public Transit Emergency Planning and Operation. TCRP Legal Research Digest, Issue 44, 2013, 76p, [Online]. Available: http://www.trb.org/Publications/Blurbs/170142.aspx

Synopsis. From the Transport Research International Documentation (TRID) Database:

“The goal of this study is to provide a synthesis and assessment of laws, regulations, and guidance from both the transit and homeland security industries to help transit agencies understand their legal responsibilities with respect to emergency planning and operational issues.

“This study seeks to help transit systems be in or stay in compliance with requirements and guidance by: 1) Providing transit managers with guidance to navigate laws, regulations, and guidance from both the transit and homeland security/emergency management fields; 2) Summarizing, comparing, and contrasting transit and homeland security laws, regulations, and guidance; 3) Assisting transit managers to understand what documents and activities are legally required and which are recommended; 4) Providing practical approaches and insight to address emergency planning requirements and guidance, acknowledging concerns over tailoring these programs to all sizes of transit systems and cost constraints; and 5) Providing an overview of legal issues pertinent to transit emergency management, including tort liability and immunities, understanding disaster public assistance programs, working with security-sensitive information, and developing memoranda of understanding.

“It must be noted that the section entitled “The Role of the Attorney in Emergency Planning” is not just for lawyers, as it provides important planning advice for transit managers to comply with emergency management requirements. With such knowledge, transit managers may make informed planning and response decisions to reduce their exposure to claims, protect their property, enhance the safety and security of their employees and the general public, and expand the range of services and capabilities of transit.”

Driver’s License Security: Federal Leadership Needed to Address Remaining Vulnerabilities

Citation. Driver’s License Security: Federal Leadership Needed to Address Remaining Vulnerabilities. U.S. Government Accountability Office, 2012, 47p, [Online]. Available: http://www.gao.gov/assets/650/648689.pdf

Synopsis. This GAO report discusses some of the remaining vulnerabilities of systems used in verifying driver’s licenses. From the Transport Research International Documentation (TRID) Database:

“The REAL ID Act sets minimum standards for states when verifying license applicants’ identity, which go into effect in January 2013. If states do not meet these requirements, their licenses will not be accepted for official purposes such as boarding commercial aircraft…

“The U.S. Government Accountability Office (GAO) was asked to examine (1) states’ identity verification procedures for license applicants, (2) the procedures’ effectiveness in addressing fraud, and (3) how federal agencies have helped states enhance procedures.
To verify license applicants’ identity, all 50 states and the District of Columbia have procedures that may detect counterfeit documents…

“State officials interviewed by GAO report that identity verification procedures have been effective at combating certain kinds of fraud, but vulnerabilities remain. Officials in most of the 11 states GAO contacted reported a decline in the use of counterfeit identity documents, and officials in states using facial recognition said they detected a number of identity theft attempts. However, criminals can still steal the identity of someone in one state and use it to get a license in another because states lack the capacity to consistently detect such cross-state fraud. A system for addressing such fraud would enable states to comply with the Act’s prohibition against issuing licenses to individuals who already have a license from another state, but may not be fully operational until 2023. Furthermore, officials in many states said they have difficulties detecting forged birth certificates. Verifying date of birth is also required by the Act, and a system exists for doing so, but no licensing agencies are using it because of concerns about incomplete data, among other reasons. Partly because these two systems are not fully operational, GAO investigators were able to use counterfeit out-of-state drivers’ licenses and birth certificates to fraudulently obtain licenses in three states.

“By improving their respective verification systems, SSA and DHS have helped states enhance their identity verification procedures… DHS has also provided funding for states to develop new systems. However, DHS has not always provided timely, comprehensive, or proactive guidance to help states implement provisions of the Act related to identity verification… Officials in some states indicated they needed direction from DHS in this area. GAO recommends that DHS work with partners to take interim actions to help states address cross-state and birth certificate fraud.”

Implementing 9/11 Commission Recommendations, Progress Report 2011

Citation. Implementing 9/11 Commission Recommendations: Progress Report 2011, Department of Homeland Security, Washington, DC, 2011, [Online]. Available: https://www.dhs.gov/xlibrary/assets/implementing-9-11-commission-report-progress-2011.pdf

Synopsis. From the Transport Research International Documentation (TRID) Database: “In recognition of the 9/11 Commission Report and the tenth anniversary of 9/11, this report describes how the U.S. Department of Homeland Security (DHS) has addressed specific 9/11 Commission recommendations over the past ten years.”

The progress report is organized by various topic headings. For topics with recommendations, recommendations are also listed:

1. September 11 Chronology
2. Introduction – Strengthening the Homeland Security Enterprise to Address Evolving Threats
3. Expanding Information Sharing (Recommendation: Provide incentives for information sharing)
4. Developing and Implementing Risk-Based Transportation Security Strategies (Recommendation: Develop a risk-based plan for transportation security)
5. Strengthening Airline Passenger Pre-Screening and Targeting Terrorist Travel (Recommendation: Improve airline passenger pre-screening and target terrorist travel)
6. Enhancing Screening for Explosives (Recommendation: Improve aviation security through enhanced explosive screening)
7. Strengthening Efforts to Detect and Report Biological, Radiological and Nuclear Threats (Recommendation: Strengthen counterproliferation efforts to prevent radiological/nuclear terrorism)
8. Protecting Cyber Networks and Critical Physical Infrastructure. Recommendations:
   • Assess critical infrastructure and readiness,
   • Allocate homeland security funds based on risk,
   • Track and disrupt terrorist financing,
   • Improve interoperable communications at all levels of government,
   • Establish a unified incident command system, and
   • Prioritize private sector preparedness
9. Bolstering the Security of U.S. Borders and Identification Documents. Recommendations:
   • Standardize secure identification, and
   • Integrate border security into larger network of screening points that includes the transportation system and access to vital facilities
10. Ensuring Robust Privacy and Civil Rights and Civil Liberties Safeguards (Recommendation: Safeguard individual privacy when sharing information and maintain civil liberties while protecting security).

Pipeline Security: TSA Has Taken Actions to Help Strengthen Security, but Could Improve Priority-Setting and Assessment Processes

Citation. “Pipeline Security: TSA Has Taken Actions to Help Strengthen Security, but Could Improve Priority-Setting and Assessment Processes,” GAO-10-867, Report to Congressional Committees, U.S. Government Accountability Office (GAO), Washington, DC, 2010, [Online]. Available: http://www.gao.gov/new.items/d10867.pdf

Synopsis. From the Transport Research International Documentation (TRID) Database:

“The United States depends on a vast network of pipelines to transport energy. The U.S. Government Accountability Office (GAO) was asked to review the Transportation Security Administration’s (TSA) efforts to help ensure pipeline security. This report addresses the extent to which TSA’s Pipeline Security Division (PSD) has (1) assessed risk and prioritized efforts to help strengthen pipeline security, (2) implemented agency guidance and requirements of the Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Commission Act) regarding pipeline security, and (3) measured its performance in strengthening pipeline security.

“PSD identified the 100 most critical pipeline systems and developed a pipeline risk assessment model based on threat, vulnerability, and consequence, but could improve the model’s consequence component and better prioritize its efforts.
PSD has taken actions to implement agency guidance that outlines voluntary actions for pipeline operators and 9/11 Commission Act requirements for pipeline security, but lacks a system for following up on its security recommendations to pipeline operators. PSD has taken steps to gauge its progress in strengthening pipeline security, but its ability to measure improvements is limited.”

Presidential Policy Directive/PPD-41 United States Cyber Incident Coordination

Citation. Presidential Policy Directive-41, United States Cyber Incident Coordination Policy, July 26, 2016. Available: https://www.whitehouse.gov/the-press-office/2016/07/26/presidential-policy-directive-united-states-cyber-incident

Synopsis. PPD-41, United States Cyber Incident Coordination Policy, provides details concerning the Federal Government coordination architecture for significant cyber incidents and prescribes certain implementation tasks.

National Incident Management System (NIMS)

Citation. National Incident Management System (NIMS), FEMA. Available: http://www.fema.gov/national-incident-management-system

Synopsis. The National Incident Management System (NIMS) is a systematic, proactive approach to guide departments and agencies at all levels of government, nongovernmental organizations, and the private sector to work together seamlessly and manage incidents involving all threats and hazards—regardless of cause, size, location, or complexity—in order to reduce loss of life, property and harm to the environment. NIMS is the essential foundation to the National Preparedness System (NPS) and provides the template for the management of incidents and operations in support of all five National Planning Frameworks.

NIMS updates provided important new definitions, policy direction and guidance explaining: (1) the NIMS relationship to the National Preparedness Framework; (2) additions to cover intelligence and cyber issues; (3) support, coordination, collaboration, and command and management tactical and non-tactical operations; (4) use and interoperability of emergency communications; and (5) inclusion of “whole community” concepts in the NIMS.

The NIMS 2016 refresh retains key concepts and principles from earlier NIMS versions while incorporating new presidential directives, legislative changes, and lessons learned from exercises, actual incidents, and planned events.
The NIMS refresh:
• Reiterates concepts and principles of the original 2004 version and the updated 2008 version;
• Reflects and incorporates lessons learned from exercises, real world incidents, and policy updates, such as the National Preparedness System, and NIMS-related guidance, including the 2013 NIMS Intelligence/Investigation Function Guidance and Field Operations Guide;
• Reflects progress in resource typing and mutual aid and builds a foundation for the development of a national qualification system;
• Clarifies that NIMS is more than just the Incident Command System (ICS) and that it applies to all stakeholders with roles in incident management across all five mission areas (Prevention, Protection, Mitigation, Response, and Recovery);
• Explains the relationship among ICS, the Center Management System (CMS) for operations centers and coordination centers, and Multiagency Coordination Groups (MAC Groups); and
• Enhances information management processes to improve data collection plans, social media integration, and the use of geographic information systems (GIS).

H. Space Weather

Space-weather events are naturally occurring phenomena in the space environment that have the potential to disrupt technologies and systems in space and on Earth. These phenomena can affect satellite and airline operations, communications networks, navigation systems, the electric power grid, and other technologies and infrastructures critical to the daily functioning, economic vitality, and security of our nation. Space weather can affect communication and navigation systems that are critical for safe and efficient transportation systems.

Over the last several years, both industry and the Federal government have played an active role in maintaining and advancing the nation’s ability to forecast and mitigate the various impacts of space weather. These actions include taking steps to replace aging satellite assets essential to monitoring and forecasting space weather, proposing space-weather standards for both the national and international air space, developing regulations to ensure the continued operation of the electric grid during an extreme space-weather event, proposing a new option for replacing crucial extra high voltage (EHV) transformers damaged by space weather, and developing domestic production sources for EHV transformers.

NOAA Space Weather Prediction Center
The official U.S. government space weather bureau. http://www.swpc.noaa.gov/

SpaceWeather.com
This website maintains all space-weather information including current conditions.
White House Workshop on Space Weather, 2015

The White House held a workshop titled “Space Weather: Understanding Potential Impacts and Building Resilience” in October of 2015 and released the following three documents:

FACT SHEET: New Actions to Enhance National Space-Weather Preparedness
https://www.whitehouse.gov/sites/default/files/microsites/ostp/space_weather_fact_sheet_final.pdf

NATIONAL SPACE WEATHER STRATEGY
https://www.whitehouse.gov/sites/default/files/microsites/ostp/final_nationalspaceweatherstrategy_20151028.pdf

NATIONAL SPACE WEATHER ACTION PLAN
https://www.whitehouse.gov/sites/default/files/microsites/ostp/final_nationalspaceweatheractionplan_20151028.pdf

National Space Weather Strategy and National Space Weather Action Plan

The newly released National Space Weather Strategy (Strategy) and Space Weather Action Plan (Action Plan) were developed by an interagency group of experts, with input from stakeholders outside of the federal government, to clearly articulate how the Federal Government will work to fill these gaps by coordinating, integrating, and expanding existing policy efforts; engaging a broad range of sectors; and collaborating with international counterparts. The Strategy identifies goals and establishes the guiding principles that will guide these efforts in both the near and long term, while the action plan identifies specific activities, outcomes, and timelines that the Federal Government will pursue accordingly. The action plan broadly aligns with investments proposed in the President’s Budget for Fiscal Year 2016 and will be reevaluated and updated within 3 years of the date of publication or as needed.

Taken together, the Strategy and Action Plan will facilitate the integration of space-weather considerations into federal planning and decision making to achieve preparedness levels consistent with national policies, and enhance the resilience of critical technologies and infrastructures to the potentially debilitating effects of space weather on the people, economy, and security of the United States.

Supporting Commitments to Enhance Space-Weather Preparedness

Releasing New Space Environment Data. The U.S. Air Force (USAF), in partnership with the National Oceanic and Atmospheric Administration (NOAA), will provide Space Environment Data from the current GPS constellation and other U.S. Government satellites. This data could be used to validate space-weather forecast models, potentially enhancing space-weather prediction capabilities.
As a first step, USAF and NOAA will make data from January 2014 – a month characterized by a high level of solar activity – freely available on data.gov, providing an opportunity for users to explore the scientific value of the data. Within three months of this release, the Office of Science and Technology Policy will chair an interagency group to evaluate the utility of the released data and to determine if the open data archive should be expanded to include additional historical and near real-time data.

Launching a Space Weather Data Initiative. In accordance with President Obama’s Executive Order on making open and machine-readable the new default for government information, as well as on demonstrated successes of unleashing innovation and technology for disaster response and recovery, the Administration will launch a Space Weather Data Initiative. The goals of this Initiative are to (1) make easily accessible and freely available on data.gov an unprecedented amount of space weather-related data; (2) engage with the private sector and the open data community to leverage the open data and promote the development of data-driven tools, applications, and technology to enhance space-weather preparedness; and (3) expand U.S. Government capacity for using open data, innovation, and technology to support effective and efficient response to and recovery from space-weather events.

Increasing International Collaboration. To strengthen international coordination and cooperation on space-weather preparedness, the Department of State will organize workshops and meetings in Washington, DC with embassy staff from a multitude of nations. These workshops

and meetings will provide an opportunity for other countries to learn more about the purpose and goals of the National Space Weather Strategy and accompanying Action Plan; ensure that policymakers in and leaders of partner nations recognize space weather as a global challenge; and facilitate the sustained, coordinated participation of partner nations in relevant international space-weather initiatives.

Including Space Weather in Transportation “Fundamentals” Reports. Space weather can affect communication and navigation systems that are critical for safe and efficient transportation systems. By incorporating space-weather considerations into two reports that provide comprehensive and up-to-date guidance on the major elements of a state’s all-hazards transportation security and emergency management program – Security 101: A Physical Security Primer for Transportation, and A Guide to Emergency Response Planning at State Transportation Agencies – officials will have the information they need to incorporate space-weather considerations into transportation security guidelines and emergency response plans. The American Association of State Highway and Transportation Officials (AASHTO) – a nonprofit association representing highway and transportation departments in the 50 states, the District of Columbia, and Puerto Rico – will ensure that space weather is included in the next edition of these two AASHTO Special Committee on Transportation Security and Emergency Management “fundamentals” reports.

Incorporating Space Weather into Emergency Management Training and Activities. Space-weather events can, directly or indirectly, cause or exacerbate major disasters or emergencies, and can interfere with or impair disaster response, relief, and recovery efforts.
The National Emergency Management Association (NEMA) – a professional association of and for emergency management directors, dedicated to enhancing public safety by improving the nation’s ability to prepare for, respond to, and recover from all emergencies and disasters – will increase training and education related to space weather. Specifically, NEMA will:
• Partner with the International Association of Emergency Managers to host a space-weather focused webinar for members of both groups, reaching up to 1200 state and local emergency managers, and others working in the emergency management field;
• Incorporate space weather into training and education opportunities for newly appointed state emergency management directors; and
• Incorporate space weather into the NEMA Homeland Security Committee’s policy focus on infrastructure resilience.

Raising Awareness of Space Weather in the Aviation Sector. As part of their commitment to promote safety, security and a healthy U.S. airline industry, Airlines for America – America’s largest airline trade association – will work with member carriers and their affiliates to educate the community on space weather and its effects on aviation, which include degradation or loss of satellite navigation signals and radio transmissions for communication.

I. Active Shooter

Safety Guidelines for Armed Subjects, Active Shooter Situations

Citation. Safety Guidelines for Armed Subjects, Active Shooter Situations, Indiana University Police Department, April 2007. https://www2.indstate.edu/pubsafety/docs/active-shooter.pdf

Synopsis. The guidelines provide recommendations on what to do if an active shooter is outside a building, inside a building, or enters your office or room. This two-page document also advises on communications during the incident with 911, and what to do and what not to do when law enforcement arrives.

APTA Standards Development Program Recommended Practice

Citation. APTA Standards Development Program Recommended Practice APTA-SS-SRM-RP-005-12 (published March 2012), Security Awareness Training for Transit Employees http://www.apta.com/resources/standards/Documents/APTA-SS-SRM-RP-005-12.pdf

Synopsis. APTA’s Recommended Practice provides the minimum guideline for security awareness training for all transit employees, including contract employees, to strengthen transit system security. It notes that all transit employees can contribute to enhanced transit security and should receive minimum security awareness training.

The legislative basis for the Recommended Practice is Section 1408 of the “Implementing Recommendations of the 9/11 Commission Act of 2007” (9/11 Commission Act), Public Law 110-53; 121 Stat. 266 (August 3, 2007) which directs the Secretary of Homeland Security “to develop and issue certain regulations for a security training program to prepare public transportation employees, including frontline employees, for potential security threats.”

Learning objectives to be provided in a security awareness course are presented in Chapter 2, Transit Security Awareness Training.
These objectives include:
• Security awareness
• Transit system threats and vulnerabilities
• Security concerns
• Recognizing, reacting, reporting and responding to transit crime and terrorism activities
• All transit employees’ roles in security awareness

Chapter 3 covers training delivery methods: classroom instruction, computer-based training, online courses, workshops, videos, handouts. Chapter 4 presents training frequency and recommends all hires be given training initially and be provided refresher training annually. Chapter 4 provides a sample security awareness training program. Appendix A contains a list of existing training resources and funding sources.

Active Shooter Preparedness, Department of Homeland Security

Citation. “Active Shooter: What You Can Do,” Department of Homeland Security, Washington, DC, December 2015 [Online]. Available: http://www.dhs.gov/active-shooter-preparedness

Synopsis. DHS has developed a course and reference materials on the active shooter topic: “Active Shooter: What You Can Do Course”. The independent study course was developed by DHS to inform the public on how to prepare for and respond to active shooter situations. The course can be accessed via FEMA’s Emergency Management Institute. Upon completion, course participants will be able to:
• Describe the actions to take when confronted with an active shooter and to assist responding law enforcement officials;
• Recognize potential workplace violence indicators;
• Describe actions to take to prevent and prepare for potential active shooter incidents; and
• Describe how to manage the consequences of an active shooter incident.

(Additional training for law enforcement is available at Federal Emergency Management Agency Law Enforcement Active Shooter Emergency Response.)

Active Shooter: How to Respond Resource Materials – Desk Reference Guide, Reference Poster, and Reference Card

Citation. “Active Shooter: How to Respond Resource Materials,” Department of Homeland Security, Washington, DC, 2014-2015, [Online]. Available: https://www.dhs.gov/active-shooter-preparedness

Synopsis. These resource materials, including a desk reference guide, a reference poster, and a pocketsize reference card, help government offices, businesses, and schools to prepare for and respond to an active shooter. Links to the resources are available via https://www.dhs.gov/active-shooter-preparedness.
The following issues are covered in the materials:
• Profile of an active shooter;
• Responding to an active shooter or other workplace violence situation;
• Training for an active shooter situation and creating an emergency action plan; and
• Tips for recognizing signs of potential workplace violence.

Spanish versions of the materials are available.

Active Shooter Webinar

Citation. “Active Shooter Awareness Virtual Roundtable,” Department of Homeland Security, Washington, DC, 2011, [Online]. Available: https://share.dhs.gov/asaware2011

Synopsis. The DHS webinar video on active shooter awareness is intended to help the private and public sector understand the importance of developing an emergency response plan and of employee training for active shooter situations. Three types of active shooters (workplace/school, criminal, and ideological) and their planning cycles and behaviors are covered. Objectives of the webinar are to “help critical infrastructure owners and operators understand the importance of “creating an emergency response plan and exercising that plan” and “[t]raining hourly employees on how to respond should they find themselves confronted with the danger of an active shooter incident” and to provide resources to help the owners and operators with planning and training.

The following definitions are provided in the webinar.
• Active Shooter “is immediately causing death or serious bodily injury” and his/her activity “is not contained” and there is “immediate risk of death or serious injury to potential victims.”
• Dynamic situation is a situation that is “evolving very rapidly along with the suspect’s actions.” Static situation is a situation that has been contained and is not evolving.
• Other definitions provided are Immediate Deployment, Barricade Suspect, Incident Transition, Soft Target, and Time Line of Violence.

The three types of shooters are:
• Workplace and school shooters – they have relationships with people at the targeted site; planning is often limited.
• Criminal terrorists – they seek psychological thrill and reward and vengeance, and target soft targets.
• Ideological terrorists – they include radical environmentalists, racists, separatists, political groups, and violent jihadists. They are cause-oriented (political, economic, social, geographic, religious) and aim to cause population terror; they believe violence is justified.
With regard to profiling terrorists, profiling is not possible, although typical terrorists are younger males, have a serious personal issue, and believe violent jihad is the solution. Planning work includes ROI analysis, target selection, surveillance, fundraising, weapons acquisition, and bomb making.

Lessons Learned from past incidents:
• Incidents are spontaneous with little or no warning
• Suspect’s behavior is unpredictable
• Occurs in a target rich environment
• Law enforcement is outgunned
• Multijurisdictional response issues
• Training and patrol rifles needed

• Tactical intervention is too late
• Transportation capabilities

A lesson learned with respect to outdoor venues is that securing an open venue is difficult and presents opportunities for the perpetrator to use different weapons (e.g., guns and pre-planted explosive devices).

Needed changes in response/tactics include:
• Response most likely by patrol
• Non-traditional response
• More tactically equipped
• Booby traps training and specialized training
• Team movement and training
• IED training
• Rapid command, control, and communications
• Able to transition from active situation to barricade situation

New tactical considerations include:
• Small arms and grenade attacks on multiple targets
• Time-initiated IEDs
• Special event planning to include response capabilities and address obstacles to response
• High level of planning and preparations
• Hostages taken, no negotiations
• Attacks designed to cause high casualties and economic damage, and be as long as possible
• U.S., UK and Israeli citizens specifically targeted
• Command and control, and communications

With regard to how individual employees can prepare, the video recommends identifying escape routes, having a plan in mind, knowing what information to tell police (shooter location, number of shooters), and knowing what to do when police arrive (hands in air, don’t point, follow instructions).

Summary of the webinar includes:
• Profiles are not helpful
• Knowing Thinking-Feeling-Behaving patterns of individuals helpful to prevention
• Mental illness is not a major risk factor
• Risk assessment and violence prevention requires “all hands on deck”

Options for Consideration Active Shooter Preparedness Video

Citation. “Options for Consideration Active Shooter Preparedness Video,” Department of Homeland Security, Washington, DC, 2015, [Online]. Available: https://www.dhs.gov/video/options-consideration-active-shooter-preparedness-video

Synopsis. The Options for Consideration video demonstrates possible actions in an active shooter situation and how to assist authorities once law enforcement arrives. The video notes that active shooters do not follow a particular method or pattern. The video advises facility occupants to be prepared by knowing evacuation routes and what to do in an active shooter situation and that, when possible, evacuation should be the first option. When evacuation is not realistic, the video advises occupants to hide behind or underneath large items. If hiding is not possible, then the occupant should seek a tool that can be used to fight the perpetrator.

Information that should be conveyed to law enforcement via 911 or at the scene includes the location of the shooter, number of shooters, and number of victims. The video also conveys what to expect and what to do and not to do when the police arrive. The video advises occupants to keep calm, keep hands visible at all times, not to point, and not to yell.

Planning and Response to an Active Shooter: An Interagency Security Committee Policy and Best Practices Guide, 2015

Citation. Planning and Response to an Active Shooter: An Interagency Security Committee Policy and Best Practices Guide, Interagency Security Committee, Department of Homeland Security, Washington, DC, 2015, [Online]. Available: https://www.dhs.gov/sites/default/files/publications/isc-planning-response-active-shooter-guide-non-fouo-nov-2015-508.pdf

Synopsis. The guide provides implementation procedures for federal policy on active shooter situations. The policy is required for all federal nonmilitary facilities.
The following are the key core principles of the federal policy:
1) Each facility shall have an active shooter preparedness plan, which is to be updated every two years, as needed. At a minimum, a plan should comprise the following elements:
   a. Security Assessments
   b. Preparedness
   c. Communication
   d. Incident Plan (i.e., actions to take during an incident)
   e. Training and Exercises
   f. Post Incident Recovery
      i. Employees
      ii. Operations.
2) As plans are drafted, reviewed, and updated, each facility designated official or designee shall collaborate with the facility security provider (e.g. Federal Protective Service [FPS], U.S. Marshals Service [USMS], etc.), on-site law enforcement agencies (if applicable), and first responder agencies likely to address an active shooter situation.
3) Agency representatives shall collaborate with other tenants/agencies in development of the plan.

4) Agency representatives shall provide training, materials, and/or awareness discussions to inform employees of active shooter preparedness plans as they are updated.
• Employees should be aware of the federally endorsed run, hide, fight concept.
• Employees should be informed of the importance of having a personal plan.
• New employees should be given active shooter preparedness training during the initial onboarding period.”

The guide structure includes an introduction, background, and incorporation of the document into the Occupant Emergency Program. The remainder of the guide is divided into Preparedness, Training and Exercises, Response, Recovery, and Resources/Templates. Appendix A contains Victim and Family Support Considerations. Key content for selected chapters is provided below:

Preparedness
• Reporting indicators, warnings, and incidents
• Threat Assessment Teams
• Employee Assistance Program
• Law Enforcement and First Responder Coordination

Training and Exercises
• Training and Awareness Material
• Occupant Self-Help and First Aid
• Considerations for Medical First Responders (Fire and EMS)
• Exercises

Response
• Run, Hide, Fight
• Run, Hide, Fight for Occupants with Disabilities
• Interacting with First Responders
• Roles and Responsibilities
• Access and Staging
• Tenant Cooperation with Law Enforcement
• Communications/Media Messaging
• Importance of Effective Communication

Recovery
• Reunification
• Psychological First Aid and Training
• Managing the Response to Victims and Families

The document also includes several other federal, nonfederal, and foreign government resources for active shooter scenarios.

Shots Fired: When Lightning Strikes (DVD/Online Video)

Citation. “Shots Fired: When Lightning Strikes (DVD/Online Video),” Center for Personal Protection and Safety, Reston, VA 2007, [Online]. Available: http://www.cpps.com/products

Synopsis. This video is part of an instructional DVD and training program “designed to empower people with knowledge and strategies for preventing and surviving an active shooter situation.” The video states that a survival mindset is important in an active shooter situation. A survival mindset involves Awareness, taking time to understand the situation; Preparation, asking “what if” questions and developing response strategies prior to an incident; and Rehearsal, practicing your plan.

Active shooter situations are very different from hostage situations: in the latter, keeping calm and compliant is the best course of action; in active shooter situations, it is not. The actions of trained versus untrained persons give trained people an advantage. Trained persons are anxious but recall what they have learned and prepare to act according to what they have rehearsed. Untrained persons panic and experience disbelief and denial. Trained persons get into the survival mindset, take rapid and effective actions, and are mindful, not fearful.

Gunshots may be difficult to recognize – in fact, real gunshots are unlike the ones heard on TV and may sound artificial. If popping noises are heard, try to evacuate immediately and trust your instincts.

Get out if you can safely escape. Call 911 and provide information about the situation (location, what is transpiring).

Hide out if evacuating is not possible and there is a good hiding place. The location should be hidden, ideally one that can be protected (e.g., a room with a door that can be locked or blockaded). In the hiding location, turn off the lights, turn off cell phone alerts, and keep quiet. Do not huddle with other persons – this creates an easy target for the shooter. Therefore, spread out.
Take out the shooter if there is no hiding place. If there are two or more persons, spread out, make a plan, act as a team, and do whatever is necessary to take out the shooter.

If possible help others by:
• helping them escape;
• helping them remain calm;
• keeping them away from danger area; and
• helping the injured.

When law enforcement arrives, tell them the location of the shooter, number of shooters, their physical description, and number and type of weapons. Be sure to remain quiet and compliant and show your hands; do not point or scream, because the officers do not know who is a threat; and do not make quick movements or move toward the officers.

Additional courses of interest offered by the Center for Personal Protection and Safety (CPPS) include the following.
• Imminent Threat: Individual Response to Extreme Violence in the Workplace
• Workplace Violence: Awareness, Prevention & Response
• Workplace Violence Prevention: Enhanced Guidance for Managers & Supervisors

How to Plan for Workplace Emergencies and Evacuations

Citation. How to Plan for Workplace Emergencies and Evacuations, U.S. Department of Labor, Occupational Health and Safety Administration, OSHA 3088 (2001 Revised), [Online]. Available: https://www.osha.gov/Publications/osha3088.html

Synopsis. This booklet (available online) provides a generic overview of How to Plan for Workplace Emergencies and Evacuations. An emergency action plan discusses “designated actions employers and employees must take to ensure employee safety from fire and other emergencies.” The booklet notes that the emergency action plan should include an evacuation policy and procedure; emergency escape procedures and route assignments; internal and external contacts; procedures for employees who remain to perform or shut down critical plant operations, operate fire extinguishers, or perform other essential services before evacuating; and rescue and medical duties for any designated workers.

The content of the booklet also includes emergency alerting procedures; the role of employees, coordinators, and evacuation wardens; provision of special equipment; the role of state programs; addressing hazardous substances; when to evacuate; and helpful resources and training offered by OSHA and other organizations. A list of OSHA-approved Safety and Health Plans is provided in the appendices.
OSHA’s requirements for emergencies are included in OSHA’s General Industry Occupational Safety and Health Standards (29 CFR 1910): Means of Egress, Hazmat, Personal Protective Equipment, General Environmental Controls, Medical and First Aid; Fire Protection, Special Industries, Electrical Power Generation, Transmission, and Distribution; and, Toxic and Hazardous Substances. Additional relevant OSHA standards include 29 CFR 1910.120(q), Hazardous Waste Operations and Emergency Response; 29 CFR 1910.156, Fire Brigades; and 29 CFR 1910.146(k), Permit-Required Confined Spaces.

TRAINING INFORMATION

With respect to education and training, the booklet notes that employees should be educated about emergencies that may occur and the proper course of action; understand the function and elements of the emergency action plan; special hazards; and, command and control roles. According to the booklet, the following general training content for employees should be addressed:
• Individual roles and responsibilities;
• Threats, hazards, and protective actions;

• Notification, warning, and communications procedures;
• Means for locating family members in an emergency;
• Emergency response procedures;
• Evacuation, shelter, and accountability procedures;
• Location and use of common emergency equipment; and
• Emergency shutdown procedures.

Additional topics may include first-aid procedures, including protection against blood borne pathogens; respiratory protection, including use of an escape-only respirator; and methods for preventing unauthorized site access.

Once you have reviewed your emergency action plan with your employees and everyone has had the proper training, it is a good idea to hold practice drills as often as necessary to keep employees prepared. Include outside resources such as fire and police departments when possible. After each drill, gather management and employees to evaluate the effectiveness of the drill. Identify the strengths and weaknesses of your plan and work to improve it.

With regard to training frequency, OSHA recommends a review of the plan with all employees and provision of annual training, along with training when developing the initial plan; hiring new employees; introducing new equipment/materials/processes that alter evacuation routes; changing the facility design/layout; and revising or updating emergency procedures.

Transportation Security Awareness and All-Hazards Emergency Training Webinar

Citation. Nakanishi, Yuko and J. Western. Transportation Security Awareness and All-Hazards Emergency Training. Presentation for TRB Webinar, Transportation Research Board, Washington, DC, 03 February 2016, [Online]. Available: http://www.trb.org/Calendar/Blurbs/173616.aspx

Synopsis. The webinar provided key information regarding transportation agency Security Awareness and All-Hazards Emergency Training needs and challenges, and awareness and training methods, sources, and solutions. Specific information regarding active shooter scenarios was not supplied.
Active Shooter Events from 2000 to 2012

Citation. Active Shooter Events from 2000 to 2012. J. Pete Blair, Ph.D., M. Hunter Martaindale, M.S., and Terry Nichols, M.S. FBI Law Enforcement Bulletin, [Online]. Available: http://leb.fbi.gov/2014/january/activeshooter-events-from-2000-to-2012

Synopsis. The authors of this report selected events from public records for inclusion in their active shooter list based on the following criteria: a person or persons engaged in or attempted to engage in the killing of multiple people with at least one victim unrelated to the shooter. The intent of the incidents was mass murder. They excluded gang-related shootings and shootings committed as a result of committing another crime.

Based on these criteria, the authors identified 110 active shooter events. Data sources included agency reports, FBI’s supplemental homicide reports, and news items. While there was a news item for each of the 110 events, 50% of these events were found in agency reports and 55% of available reports were found in the SHRs, which were only available for the years 2000-2010. For events for which data were available from multiple sources, the agreement between/among the sources was high.

The authors concluded that the trend of active shooter events has been increasing. They note that the rate increased from one every other month (2000-2008) or five per year to greater than one per month (2009-2012) or 16 per year. The annual number of people shot and the number of people killed also increased. With regard to event location, the authors note that 40% happened in businesses, 29% in schools, and 19% occurred outdoors. Also, 18% of shooters moved to another location during the attack. Information about shooter characteristics, police response time and event resolution charts are also provided.

Training implications: officers need tactical training to be able to operate in both indoor and outdoor environments. Equipment recommendations: supply officers with patrol rifles and body armor. Also, training officers to provide medical attention and training EMS to enter the site to treat injuries during an active shooter situation may save lives.

Joint Committee to Create a National Policy to Enhance Survivability from Mass Casualty Shooting Events

Citation. Joint Committee to Create a National Policy to Enhance Survivability from Mass Casualty Shooting Events, “Improving Survival from Active Shooter Events: The Hartford Consensus,” http://bulletin.facs.org/2013/06/improving-survival-from-active-shooter-events/ Lenworth Jacobs, Jr. http://www.naemt.org/Files/LEFRTCC/Hartford%20Consensus%20Call%20to%20Action.pdf

Synopsis. A joint committee of public safety organizations, FBI, hospitals, and the military, initiated by the American College of Surgeons, met in Hartford on April 2, 2013 and on July 11, 2013 to improve survivability of mass shooting victims. The concept to action is embodied in the THREAT acronym:

• T – threat suppression.
• H – hemorrhage control.
• RE – rapid extrication to safety.
• A – assessment by medical providers.
• T – transport to definitive care.

The importance of hemorrhage control in saving lives is highlighted in the report. Also, the roles of the uninjured or minimally injured public, EMS/Fire/Rescue, and trauma care are defined. With regard to the public, recommendations include educating them as to what to do in providing initial response and prepositioning supplies, and educating them regarding the “Run, Hide, Fight” concept. The report notes that external hemorrhage control is a core skill for law enforcement. Recommendations include appropriate hemorrhage control training, evacuation support training, and provision of appropriate equipment. According to the report, EMS/Fire/Rescue’s role must be more active and start earlier, prior to the end of an incident.

ISC Violence in the Federal Workplace: A Guide for Prevention and Response and Appendix, 1st Edition (April 2013)

Citation. Interagency Security Committee (ISC), “ISC Violence in the Federal Workplace: A Guide for Prevention and Response and Appendix, 1st Edition,” April 2013, [Online]. Available: http://www.dhs.gov/publication/interagency-securitycommittee-violence-federal-workplace-guide-april-2013

Synopsis. The guide discusses threat assessment, the workplace security roles of facility occupants, law enforcement and security personnel, physical security measures and surveys, and investigations of workplace incidents. The guide also describes the post-incident organizational recovery process and tools including the Critical Incident Stress Management Process and Psychological First Aid Model and its benefits in helping victims of critical incidents in their recovery process. The guide supplies a sample Workplace Violence Prevention and Response Program Checklist (page 26).

The Training section of the guide states that the training for all employees, new hires, supervisors, and managers should include: “An overview of the various aspects and types of workplace violence; Symptoms and behaviors often associated with those who commit the violent behavior; Security hazards found in the organization’s workplace; The organization’s workplace violence prevention policies and procedures; Reporting requirements and processes; Specialized training on creating a positive work environment and developing effective teams; Training to improve awareness of cultural differences (diversity); Tips for protecting oneself and fellow coworkers; Response plan, communication, and alarm procedures; and Supervisory training in conducting a peaceful separation from service.” (Page 18)

Additional training topics agencies may want to consider are: “Explanation of the agency’s workplace violence policy or program; Encouragement to report incidents; Ways of preventing or diffusing volatile situations or aggressive behavior; How to deal with hostile persons; How to identify and respond to behavior brought about by medical conditions, such as the onset of diabetic coma or the abuse of drugs; Managing anger; Techniques and skills to resolve conflicts; Stress management, relaxation techniques, wellness training; Security procedures, e.g. the location and operation of safety devices such as alarm systems; Personal security measures; and Programs operating within the agency that can assist employees in resolving conflicts, e.g. the Employee Assistance Program, the ombudsman, and mediation.” (Pages 19-20)

In addition, the guide notes that all employees should know how to report “violent, intimidating, threatening, and other disruptive behavior” incidents and be supplied with emergency contacts/numbers.

ISC Occupant Emergency Programs Guide, 1st Edition (March 2013)

Citation. Interagency Security Committee (ISC), “ISC Occupant Emergency Programs Guide, 1st Edition,” (March 2013), [Online]. Available: http://www.dhs.gov/publication/isc-occupant-emergency-programs-guide

Synopsis. The Occupant Emergency Programs Guide establishes and standardizes basic procedures for implementing an Occupant Emergency Program which seeks to protect lives and property in and around nonmilitary government facilities during emergencies. (Note that the GSA, Chair and sponsor of the working group, established the requirement for an Occupant Emergency Program for federal facilities in 41 CFR 102-74.)

Responsibilities for each key role in the Occupant Emergency Program are delineated. Roles include: designated official, occupant emergency coordinator, federal managers and supervisors, contractors. The designated official is in charge of developing the plan and activating and implementing it during emergencies. Emergency communications and alert procedures are also described in the guide.

The Occupant Emergency Plan describes actions that should be taken by occupants during emergencies. Minimum elements of the plan are signature page, overall roles and responsibilities, determination of emergency, evacuation procedures, shelter-in-place, lockdown procedures, communications procedures, plan activation, alert, notification, special needs/medical conditions, and contacts. The intent of a testing, training and exercise program for the Occupant Emergency Plan is “to develop, implement, and institutionalize a comprehensive, all-hazard program to improve the ability of agencies to effectively manage and execute their occupant emergency plan.” (Page 9)

The guide states the importance of considering and addressing the needs of individuals requiring additional assistance and cites the relevant regulations: ADA 1990; Rehabilitation Act 1973; EO 12196 1980; EO 13347 2004.
The guide also states that facility-specific hazard assessments are required for facilities that house federal employees. Results of the hazard assessment and risk assessment will act as source documents for the Occupant Emergency Plan.

FLETC – Active Shooter How to Respond, Supervisor Edition

Citation. FLETC – Active Shooter How to Respond, Supervisor Edition, [Online]. Available: http://www.co.lincoln.or.us/sites/default/files/fileattachments/sheriff039s_office/page/3780/activeshooterhowtorespondonesupervisor.pdf

Synopsis. This document is a pamphlet for managers, employees, and others who may be in an active shooter situation, and describes good practices for dealing with the situation including evacuation tactics, hiding, and taking action. In addition, the document describes the security/law enforcement role and how to respond when they arrive on the scene, and how to prepare for these situations through the development of an Occupant Emergency Plan, and staff training and drills.

Training content may include: “Reinforce the need to quickly react when gunshots are heard and/or when a shooting is witnessed, including one or more of the following:

• Evacuating the area
• Hiding out
• Acting against the shooter as a last resort
• Notifying FLETC Security
• Reacting when security force/law enforcement officers arrive
• Adopting the survival mindset during times of crisis
• Documenting the familiarization activity for your records”

Managing the consequences of an incident and post-incident assessment activities are also noted in this document.


Small events pose threats of great consequences since the impact of any incident is magnified when a transportation network is operating at or past its capacity—as is the case in portions of many states as travel demand on their transportation networks grows.

The TRB National Cooperative Highway Research Program's NCHRP Web-Only Document 266: Developing a Physical and Cyber Security Primer for Transportation Agencies is a supplemental document to NCHRP Research Report 930: Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies.
