| Mass Transit BASE Scoring Guidance - Appendix IX | 
	
		| As general guidance, scores are to be assigned on a scale of 0-4 as follows:
 “0” Security element should be in place but does not exist. (Equates to total non-adherence – 0%)
 “1” Security element exists, but does not include all essential recommended components. (Equates to minimal adherence – 25-50%)
 “2” Security element is in place with all essential components but not fully implemented or practiced. (Equates to partial adherence or implementation – 50-75%)
 “3” Security element is in place and practiced but not monitored or periodically reviewed. (Equates to strong adherence, but not full implementation – 75-99%)
 “4” Security element is in place, fully implemented and regularly reviewed/verified. (Equates to full implementation – 100%) Also assigned to a “yes/no” question having a “Yes” response.
 “N/A” Checked - Security element is not applicable, and rationale must be given to support the N/A rating.
 | 
	
		| Line Element | SIDoT | Comments | Items of Interest | Scoring Example | 
	
		| Establish Written System Security Plans (SSPs) and Emergency Response Plans (ERPs) | 
	
		| System Security Plan (SSP) | 
	
		| 1.101 | Does the transit agency have a System Security Plan (SSP)? | Document Review | Inspectors should refer to the MT BASE Guidance, Pg12. | Policies and procedures related to security--including personnel security, vehicle security, facility security, and threat/vulnerability management. | 4 | SSP is a well developed plan, complete with detailed policies and procedures related to personnel security, facility security, vehicle security, and threat/vulnerability management. SSP is missing no key elements and has been completely implemented by the agency. | 
	
		| 3 | SSP is a complete document with policies and procedures that have been appropriately implemented by the agency. Only a few minor security elements are missing. Key concepts are detailed with minimal exceptions. | 
	
		| 2 | Generic policies and procedures are documented and implemented adequately. Key concepts are documented, but lacking any depth. In fact, the plan simply appears to be a commonly available "template." | 
	
		| 1 | SSP is a generalized document that is lacking any detailed, agency-specific security elements. Key concepts are missing or not adequately implemented by the agency. | 
	
		| 0 | There is no SSP in place. | 
	
		| 1.102 | Does the SSP identify the goals and objectives for the security program? | Document Review | 
 | Documented method of effectively assessing and monitoring security program's purpose and progress. | 4 | Goals and objectives are identified, documented and actively monitored to ensure the SSP is fulfilling its purpose. | 
	
		| 2 | Goals and objectives are identified and documented, but not monitored. Items may be missing or ineffective. | 
	
		
	
		| 1 | Goals and objectives are minimal, lacking any specifics or depth. These items do not effectively assess and monitor the SSP's purpose and progress, respectively. | 
	
		| 0 | The SSP does not address goals or objectives of the security program. | 
	
		| 1.103 | Does a written policy statement exist that endorses and adopts the policies and procedures of the SSP that is approved and signed by top management, including the agency's chief executive? | Document Review | Justification should include at least two management and implementation statements | Policy statement including: endorsement statement/signature, applicability, and authority/background of the plan. | 4 | Policy statement is a well developed written statement (memo, mission statement, etc.) that includes all elements: endorsement statement, applicability, authority establishing the plan, and approval signature from the agency's chief executive. | 
	
		| 2 | Policy statement includes a brief endorsement statement by chief executive and a signature. | 
	
		
	
		| 1 | Policy statement only includes a brief endorsement statement. No endorsement signature. | 
	
		| 0 | There is no policy statement of any sort in place. | 
	
		| 1.104 | Is the SSP separate from the agency’s System Safety Program Plan (SSPP)? | Document Review | 
 | "Yes" or "No." | 4 | SSP is a stand-alone document, separate from the System Safety Plan. | 
	
		
	
		
	
		| 0 | System Security Plan is part of another document. (Note: In the past, railroads/agencies would incorporate the Security Plan into the Safety Plan - using the APTA SSPP template, element 17: Security) | 
	
		
	
		| 1.105 T1 | Do the Security and Emergency Response Plans address protection and response for critical underwater tunnels, underground stations/ tunnels and other critical systems, where applicable? | Document Review | In addition to underwater tunnels, underground stations/ tunnels, this question also applies to other critical systems. | Review SSP to determine if items are addressed effectively. | 4 | Security plans address specific policies and procedures related to security and emergency response for underwater / underground infrastructure (if system has any) and/or other critical systems. | 
	
		| 2 | Security plans address policies and procedures with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Security plans do not address items. | 
	
		| 1.106 | Does the SSP contain or reference other documents establishing procedures for the management of security incidents by the operations control center (or dispatch center)? | Document Review | 
 | Operation Control Center: managing incidents | 4 | Procedures for the management of security incidents by the OCC (or dispatch center) are identified in the Security Plan. Specific procedures are in place and documented in the SSP. If documented elsewhere, such as in a stand-alone Emergency Response Plan, the SSP references that document. | 
	
		| 3 | Plans and procedures are in place and function appropriately. However, minor aspects are missing. SSP includes--or references documents that contain--the procedures. | 
	
		| 2 | Well organized procedures are in place and contained as part of another document with no reference in the SSP. | 
	
		| 1 | Procedures are lacking any depth or clarity, plans are scattered between multiple documents with no reference in SSP, or responsibilities are otherwise ineffectively assigned. | 
	
		| 0 | Procedures are not in place or documented. | 
	
		| 1.107 | Does the SSP contain or reference other documents establishing plans, procedures, or protocols for responding to security events with external agencies (such as law enforcement, local EMA, fire departments, etc.)? | Document Review | In Justification, describe plans, procedures or protocols. | Documented plans for coordinating with external agencies. | 4 | Well-developed, specific procedures are in place and documented in the SSP or as part of another document and referenced in the SSP. | 
	
		| 2 | Procedures are in place with varying degrees of implementation or documentation. | 
	
		
	
		
	
		| 0 | Procedures are not in place or documented. | 
	
		| 1.108 | Does the SSP contain or reference other documents that establish protocols addressing specific threats from (i) Improvised Explosive Devices (IED) and (ii) Weapons of Mass Destruction (chemical, biological, radiological hazards)? | Document Review | 
 | Protocols for IED and WMD | 4 | Well-developed, specific protocols are in place that address IED and WMD. These protocols are documented in the SSP or as part of another document, such as a stand-alone Emergency Response Plan, and referenced in the SSP. | 
	
		| 2 | Protocols are developed with varying degrees of implementation or documentation. | 
	
		
	
		
	
		| 0 | Protocols have not been developed. | 
	
		| 1.109 T3
 | Are visible, random security measures integrated into security plans to introduce unpredictability into security activities for deterrent effect? | Document Review | Agency should strive to implement and document their own unpredictable security measures using their own resources. | Random or unpredictable security measures that are documented in security plans. | 4 | Random, unpredictable measures are well-documented with specific measures assigned by employee-type. Includes both security and non-security personnel. | 
	
		| 2 | Random, unpredictable measures are documented. Measures are simply general guidance lacking specifics. | 
	
		
	
		| 1 | The agency relies on outside entities to provide random, unpredictable measures. Agency only participates in VIPR or other similar outreach. Participation in program is documented in the SSP. | 
	
		| 0 | Random, visible measures are not documented in the SSP. | 
	
		| 1.110 | Does the SSP include provisions requiring that security be addressed in extensions, major projects, new vehicles and equipment procurement and other capital projects, and including integration with the transit agency’s safety certification process? | Document Review | 
 | Project/procurement planning, engineering, design, construction, and testing. | 4 | Security plays a role in all new projects and procurements and is part of the safety certification process. This is required by the agency and documented in the SSP. There is a formal process in place for planning and implementing a project with security playing a role in various phases, including: planning, engineering, construction, testing, and final implementation. | 
	
		| 3 | Security plays a role in all new projects and procurements and is part of the safety certification process.  There is a formal process in place for planning and implementing a project with security playing a role in various phases, including: planning, engineering, construction, testing, and final implementation. This is required by the agency and documented in the agency's Safety plan--not the SSP. | 
	
		| 2 | Specific security concerns are considered for all new projects, but implementation is an informal process and not required (recommended as opposed to required). Process is documented. | 
	
		| 1 | Security is addressed on an informal basis with only general security guidance considered. Process is documented. | 
	
		| 0 | There is no documented evidence in place that suggests security is addressed with new projects or procurements. | 
	
		| 1.111 | Does the SSP include or reference other documents adopting Crime Prevention Through Environmental Design (CPTED) principles as part of the agency's engineering practices? | Document Review | 
 | Project design, engineering, and construction. | 4 | CPTED principles are addressed in all facilities and fully implemented. These principles are documented in the SSP or other documents (which are referenced in the SSP). | 
	
		| 3 | CPTED principles are addressed and implemented in a majority of facilities. This is documented in the SSP or other documents (which are referenced in the SSP). Vulnerabilities have been identified. | 
	
		| 2 | CPTED principles are addressed with minimal implementation. Principles are documented in the SSP or other documents (which are referenced in the SSP). | 
	
		| 1 | CPTED adoption is merely a general acknowledgement contained in the SSP or other document (that is referenced in the SSP). | 
	
		| 0 | CPTED is not adopted by the agency. | 
	
		| 1.112 | Does the SSP require an annual review? | Document Review | Reference date of last review in justification. | Annual review requirement. A review is focused on written policy and ensuring policies are sufficient. | 4 | Annual review is a written requirement with verification measures in place (signed and dated). | 
	
		| 2 | Annual review is a "commonly known" requirement (not documented) or a written requirement with no verification measure in place. | 
	
		
	
		| 1 | SSP is reviewed on an "as-needed" basis, but at least every two years. | 
	
		| 0 | There are no review requirements in place, and the SSP is not regularly reviewed. | 
	
		| 1.113 | Does the transit agency produce periodic reports reviewing its progress in meeting its SSP goals and objectives? | Document Review | 
 | An example of periodic reports reviewing SSP progress | 4 | Reports are produced once per year at a minimum and are detailed and developed regularly to track the agency's progress in meeting the goals and objectives identified in the SSP. | 
	
		| 3 | Periodic reports are detailed and developed once in a two-year cycle OR periodic reports are developed once per year but are lacking in detail. | 
	
		| 2 | Informal reports are developed on an "as-needed" basis. | 
	
		| 1 | Reports are not documented, per se, but the agency does have an informal, verbal system in place to monitor the agency's progress in fulfilling its goals and objectives. | 
	
		| 0 | The agency does not monitor its progress in any way. | 
	
		| 1.114 | Has an annual review of the SSP been performed and documented in the preceding 12 months? | Document Review | 
 | Documented evidence of an annual review. A review is focused on written policy and ensuring policies are sufficient. | 4 | Annual review is verifiable by document review. | 
	
		
	
		| 2 | Annual review is only verifiable by interview. | 
	
		
	
		| 0 | SSP has not been reviewed. | 
	
		| 1.115 | Does the SSP outline a process for securing SSO agency review and approval of updates to the SSP? | Document Review | 49 CFR PART 659 SSO Only Question | "Yes" or "No." Documented process for SSO approval. N/A for entities not regulated under 49 CFR § 659. | 4 | Documented process for securing SSO review and approval of SSP is included in writing, or directly referenced, in the SSP. | 
	
		
	
		
	
		| 0 | Documented process does not exist. | 
	
		
	
		| 1.116 | Has the transit agency submitted and received documentation from the SSO confirming its review and approval of the SSP currently in effect? | Document Review | 49 CFR PART 659 SSO Only Question. If yes, indicate the approval date in evidence. | Current SSP has been approved by SSO. N/A for entities not regulated under 49 CFR § 659. | 4 | Approval (including date of approval) is verifiable through document review. | 
	
		
	
		| 2 | SSP has been submitted to the SSO agency, but approval is pending. | 
	
		
	
		| 0 | SSP has not been approved. | 
	
		| Emergency Response Plan (ERP) | 
	
		| 1.201 | Does the transit agency have an Emergency Response Plan (ERP)? | Document Review | Inspectors should refer to the MT BASE Guidance, Pg13. | Emergency response procedures | 4 | ERP is a well developed plan, complete with detailed policies and procedures related to emergency response. ERP is missing no key elements and has been completely implemented by the agency. | 
	
		| 3 | ERP is a complete document with policies and procedures that have been appropriately implemented by the agency. Only a few minor elements are missing. Key concepts are detailed with minimal exceptions. | 
	
		| 2 | Generic policies and procedures are documented and implemented adequately. Key concepts are documented, but lacking any depth. In fact, the plan simply appears to be a commonly available "template." | 
	
		| 1 | ERP is a generalized document that is lacking any detailed, agency-specific security elements. Key concepts are missing or not adequately implemented by the agency. | 
	
		| 0 | There is no ERP in place. | 
	
		| 1.202 | Does a written policy statement exist that endorses and adopts the policies and procedures of the ERP that is approved and signed by top management, including the agency's chief executive? | Document Review | 
 | Policy statement including: endorsement statement/signature, applicability, and authority/background of the plan. | 4 | Policy statement is well developed and includes all elements: endorsement statement, applicability, authority establishing the plan, and approval signature from the agency's chief executive. | 
	
		| 3 | Includes a brief endorsement statement by chief executive and a signature. | 
	
		| 2 | Policy statement only includes an endorsement signature. | 
	
		| 1 | Policy statement only includes a brief endorsement statement. No endorsement signature. | 
	
		| 0 | There is no policy statement of any sort in place. | 
	
		| 1.203 | Does the ERP require an annual review to determine if it needs to be updated? | Document Review | 
 | Documented requirement for annual review. | 4 | Annual review is a written requirement with verification measures in place (signed and dated). | 
	
		| 2 | Annual review is a "commonly known" requirement (not documented) or a written requirement with no verification measure in place. | 
	
		
	
		| 1 | ERP is reviewed on an "as-needed" basis, but at least every two years. | 
	
		| 0 | There are no review requirements in place, and the ERP is not regularly reviewed. | 
	
		| 1.204 | Has an annual review of the ERP been performed and documented in the preceding 12 months? | Document Review | Reference date of last review in justification. | Documented evidence of an annual review. | 4 | Annual review is verifiable by document review. | 
	
		
	
		| 2 | Annual review is only verifiable by interview. | 
	
		
	
		| 0 | ERP has not been reviewed. | 
	
		| 1.205 | Does the ERP include a process or review provision to ensure coordination with the rail transit agency’s SSPP and SSP? | Document Review | 
 | Emergency response procedures coordinated with security and safety procedures. (Emergency procedures do not hinder safety or security.) | 4 | ERP includes documented provisions that ensure its coordination with the agency's safety and security plans. | 
	
		| 3 | ERP includes documented provisions that ensure its coordination with either the agency's security plans or the agency's safety plans--not both. | 
	
		| 2 | Provisions are in place and clearly implemented, but no documentation established. | 
	
		| 1 | Coordination is very informal with no specific provisions in place. Documentation includes only vague general statements ("Safety and security should be addressed during emergency situations"). | 
	
		| 0 | There is no coordination between the ERP and SSP/SSPP. | 
	
		| 1.206 | Has the transit agency received documentation from the SSO confirming its review and approval of the ERP currently in effect? | Document Review | 49 CFR PART 659 SSO Only Question | SSO approval of current ERP. N/A for entities not regulated under 49 CFR § 659. | 4 | Approval (including date of approval) is verifiable. | 
	
		
	
		| 2 | ERP has been approved, but approval is not verifiable. | 
	
		
	
		| 0 | ERP has not been approved. | 
	
		| 1.207 | Does the ERP contain or reference other documents establishing plans, procedures, or protocols for responding to emergency events with external agencies (such as law enforcement, local EMA, fire departments, etc.)? | Document Review | 
 | Documented plans for coordinating with external agencies. | 4 | Well-developed, specific procedures are in place and documented in the ERP or as part of another document and referenced in the ERP. | 
	
		| 2 | Procedures are in place with varying degrees of implementation or documentation. | 
	
		
	
		
	
		| 0 | Procedures are not in place or documented. | 
	
		| 1.208 | Does the ERP contain or reference other documents that establish procedures for the management of emergency events, including those to be employed by the operations control center (or dispatch center)? | Document Review | 
 | Management of emergency events | 4 | The responsibility for the management of security incidents has been assigned to the Operations Control Center (or dispatch center). Specific procedures are in place and documented in the ERP. If documented elsewhere, the ERP references that document. | 
	
		| 3 | Plans and procedures are in place and function appropriately. However, minor aspects are missing. ERP includes--or references documents that contain--the procedures. | 
	
		| 2 | Well organized procedures are in place and contained as part of another document with no reference in the ERP. | 
	
		| 1 | Procedures are lacking any depth or clarity, plans are scattered between multiple documents with no reference in ERP, or responsibilities are otherwise ineffectively assigned. | 
	
		| 0 | Procedures are not in place or documented. | 
	
		| 1.209 | Does the ERP contain or reference other documents to provide for Continuity of Operations while responding to emergency events? | Document Review | Verify COOP addresses 5 main goals outlined in the MT BASE Guidance, Pg13. | Continuity of Operations plan. | 4 | Continuity of Operations plans exist and are included as part of the ERP (or in another document that is referenced in the ERP). | 
	
		
	
		| 2 | Continuity of Operations plans exist but are not included as part of the ERP or referenced in the ERP. | 
	
		
	
		| 0 | No Continuity of Operations plans exist. | 
	
		| 1.210 | Does the agency have a written Business Recovery Plan to guide restoration of facilities and services following an emergency event? | Document Review | 
 | Procedures to recover from an event and resume normal operations. | 4 | Business Recovery Plan is a comprehensive plan. Essential business functions (HR, IT, etc.) have been identified, and the agency has taken steps to protect vital business information (records, data, etc.). The plan outlines steps to be taken to return the agency to a "normal" operational status in a timely manner. Policies and procedures (including who activates the plan and how the agency transitions from emergency operations to business recovery) are detailed. | 
	
		| 3 | Business Recovery Plan is a well-developed document, missing only a few elements or details. | 
	
		| 2 | Business Recovery Plan is a generic plan that appears to be a commonly available "template" with only general procedures. | 
	
		| 1 | Business Recovery Plan is lacking details and appears incomplete. | 
	
		| 0 | There is no plan in place to achieve a timely and orderly recovery and resumption of full service. | 
	
		| 1.211 | Does the agency have a written Business Continuity Plan and COOP to guide restoration of facilities and services following an emergency event? | Document Review | 
 | Procedures to continue essential operations during emergency. | 4 | Business Continuity Plan is a comprehensive plan. Essential operations functions (bus operations, security infrastructure) and key facilities have been identified. Policies and procedures are detailed and effective in mitigating any disruption to operations. Continuity responsibilities are identified (including who is responsible for activating the plan). Any resulting SOP changes are documented. | 
	
		| 3 | Business Continuity Plan is a well-developed document, missing only a few elements or details. | 
	
		| 2 | Business Continuity Plan is a generic plan that appears to be a commonly available "template" with only general procedures. | 
	
		| 1 | Business Continuity Plan is lacking details and appears incomplete. | 
	
		| 0 | There is no plan in place to ensure the continuity of operations. | 
	
		| 1.212 | Does the agency have a back-up operations control center capability? | Document Review | Indicate last time this was tested (if applicable) in Justification. | Secondary site of Operations Control. | 4 | The agency has identified a back-up location for operations control. This secondary location can quickly become fully operational and is equipped to function in the same capacity as the primary Operation Control Center. | 
	
		
	
		| 2 | There is a back-up operations control center, but it cannot fully replicate the primary operations center capabilities. | 
	
		
	
		| 0 | There are no back-up capabilities for the Operations Control Center. | 
	
		| Define Roles and Responsibilities for Security and Emergency Management | 
	
		| System Security Plan (SSP) | 
	
		| 2.101 | Does the SSP establish and assign responsibility for implementation of the security program to a Senior Manager who is a "direct report" to the agency's Chief Executive Officer? | Document Review | Inspectors should refer to the MT BASE Guidance, Pg14. | Documented evidence assigning implementation of security program in the SSP. | 4 | The implementation of the security program has been assigned to a Senior Manager who is a "direct report" to the CEO. This responsibility is documented in the SSP. | 
	
		| 3 | The implementation of the security program has been assigned to a Senior Manager who is a "direct report" to the CEO. This responsibility is not documented in the SSP, but it is a commonly known assignment that is documented elsewhere. | 
	
		| 2 | The implementation of the security program has been assigned to a manager or leadership position that is not a "direct report" to the CEO. The responsibility is documented in the SSP. | 
	
		| 1 | The implementation of the security program has been ineffectively assigned to a position that cannot act independently. The responsibility is documented in the SSP. | 
	
		| 0 | The implementation of the security program is not assigned, or there is no documentation establishing the responsibility of implementation. | 
	
		| 2.102 | Has the agency established lines of delegated authority/succession of security responsibilities and, if so, has that information been distributed to agency managers? | Document Review | 
 | Chain of Command and Lines of Succession for security responsibilities. | 4 | The agency has established comprehensive policies and procedures related to "chain of command" and "lines of succession" for security responsibilities. The policy is well documented, and lines of succession include multiple individuals based on the importance of responsibilities (more important roles have longer, multi-personnel lines of succession). This policy is shared with agency managers. | 
	
		| 3 | The agency has established basic--yet fully developed--procedures related to "chain of command" and "lines of succession" for security responsibilities. Minor elements are missing or needing further development. Lines of succession may not be in-depth, only identifying one successor for security-critical roles. The policy is documented and shared with agency managers. | 
	
		| 2 | The agency has established and documented a "chain of command." Informal (or "generally understood") "lines of succession" are in place but not documented. | 
	
		| 1 | The agency has an informal (not documented) "chain of command" only. | 
	
		| 0 | The agency has no established "chain of command." | 
	
		| 2.103 | Are roles and responsibilities for security and/or law enforcement personnel assigned by title and/or position established in the SSP or other documents? | Document Review | 
 | Security roles and responsibilities of Security Personnel. | 4 | Roles and responsibilities of security personnel are assigned by position and documented in the SSP or other documents. Roles are comprehensive and detailed for all position-types, from security managers to supervisors to front-line security personnel. | 
	
		| 3 | Roles and responsibilities of security personnel are assigned by position and documented in the SSP or other documents; however, minor elements are missing or require minor additions. | 
	
		| 2 | General roles and responsibilities are assigned by position and documented in the SSP or other documents. While assigned by position type, the roles and responsibilities are vague. Position types identified may also be vague or missing key positions. | 
	
		| 1 | General security roles and responsibilities are documented in the SSP or other documents. These roles and responsibilities are not assigned by position. | 
	
		| 0 | Roles and responsibilities are not documented. | 
	
		| 2.104 | Are security-related roles and responsibilities for non-security and/or law enforcement personnel  (i.e., operators, conductors, maintenance workers and station attendants) established in the SSP or other documents? | Document Review | 
 | Security roles and responsibilities of non-security personnel. | 4 | Specific security-related responsibilities have been established for non-security personnel and assigned based on job function for all (or a majority of) employees. Roles and responsibilities are comprehensive and clearly identify the role non-security personnel play in regards to security. These responsibilities are documented in the SSP or other documents. | 
	
		| 3 | Security-related responsibilities have been established for non-security personnel. Specific responsibilities are identified and assigned to all non-security personnel, regardless of job function ("blanket statement"). Responsibilities are documented in the SSP or other documents. | 
	
		| 2 | Specific security responsibilities for non-security personnel encompass less than half of the applicable workforce, but the responsibilities in place are adequately developed. Responsibilities are documented. | 
	
		| 1 | Only general security-related responsibilities are documented. | 
	
		| 0 | No security-related roles have been established or documented for non-security personnel. | 
	
		| 2.105 TSF 2
 | Do senior staff and middle management conduct security meetings to review recommendations for changes to plans and processes? | Interview / Document Review | Security should be the primary focus of these meetings and briefings | Management meetings for security recommendations. Operational. | 4 | Senior staff and management conduct security meetings on a quarterly basis, at minimum, to review recommendations for changes to plans and processes. Verified by both interview and document review. | 
	
		| 2 | Senior staff and management conduct security meetings infrequently, but at least annually, to review recommendations for changes to plans and processes. Only verified through interview. | 
	
		| 0 | Senior staff and management meet on an infrequent basis, if ever, or meetings related to security are not conducted. | 
	
		| 2.106 | Does a Security Review Committee (or other designated group) regularly review security incident reports, trends, and program audit findings? | Interview | Security should be the primary focus of these meetings and briefings | Security Review Committee | 4 | A formal security committee or working group has been established. This group meets multiple times per year at predictable intervals (at least once per quarter) to review security incident reports, trends, and program audit findings. All applicable security items are addressed. | 
	
		| 3 | A formal security committee or working group has been established. This group meets at least twice per year to review security incident reports, trends, and program audit findings. All applicable security items are addressed. | 
	
		| 2 | A formal security committee or working group has been established, but it only meets once per year or on an "as needed" basis. This score also applies if the group meets at a higher frequency but doesn't effectively address all applicable security items. | 
	
		| 1 | Security items are discussed and addressed by a Safety committee. | 
	
		| 0 | Security review committee does not exist or meets on an infrequent basis. | 
	
		| 2.107 | Are informational briefings with appropriate personnel held whenever security protocols, threat levels, or protective measures  are updated or as security conditions warrant? | Interview | 
 | Security Briefings (written or verbal), means of acknowledgement. Operational. | 4 | Policies and procedures are in place to ensure that frontline personnel are made aware of anything relevant to the security of their transit system. Agency utilizes a variety of message delivery systems for security messages based on message importance: face-to-face verbal, electronic dispersal, written-memo system, and bulletin board postings. The agency has also developed a means of tracking/monitoring who has (or has not) received high-importance informational briefings (acknowledgement/signature sheet, email receipt, etc.). | 
	
		| 3 | Entity has procedures in place to ensure that frontline personnel are made aware of anything relevant to the security of their transit system. Method of delivery is, for the most part, effective, with very little (but possible) chance of employees not receiving critical information. Agency has not developed a means of monitoring or tracking who receives informational briefings. | 
	
		| 2 | Briefings are only delivered through written-memos or other ineffective means of personal dispersal. For a score of 2, the delivery method might reach a high number of employees, but the message itself is not guaranteed (employees may not understand a message, employees may not actually read the message, and the agency may not be able to accurately gauge who has received the message). | 
	
		| 1 | Entity only utilizes bulletin board-style briefings. | 
	
		| 0 | No briefings. | 
	
		| 2.108 | Have appropriate reference guides or other written instructions or procedures been distributed to transit employees to implement the requirements of the SSP? | Document Review | 
 | Reference guides for transit personnel | 4 | Individual written guides or reference material based on job function have been provided to employees to assist employees with the implementation of security procedures. (Example: Driver's manual, SOP, etc.) | 
	
		| 3 | Individual written guides or reference material with generalized guidance have been provided to employees to assist employees with the implementation of security procedures. | 
	
		| 2 | Written guides or other written materials have been provided to every department and are available to employees if needed. | 
	
		| 1 | Written guides or other written materials exist but are not conveniently available to employees. | 
	
		| 0 | Written materials are not readily available to employees. | 
	
		| 2.109 | Has the agency appointed a Primary and Alternate Security Coordinator to serve as its primary and immediate 24-hr contact for intelligence and security-related contact with TSA and are the names of those Coordinators on file with TSA OSPIE office correct? | Document Review / Interview | This question applies to both Regulated and Non-Regulated entities. | Security Coordinator | 4 | The agency has appointed a Primary and Alternate Security Coordinator that meet all criteria established by TSA and provided TSA the names of these individuals. | 
	
		| 2 | The agency has a Primary and/or Alternate Security Coordinator, but their roles are not clearly defined (may not be documented) and/or do not meet all criteria established by TSA (not available 24/7, etc.). | 
	
		| 0 | The agency has not identified any Security Coordinators. | 
	
		| 2.110 | Does the agency maintain a record of security related incidents that are reported within the agency? | Document Review | 
 | Incident recording (may be document retention or summary archives) | 4 | Agency maintains a record of security related incidents that are reported within the agency. Agency has the ability to review incidents that have occurred over one year earlier. | 
	
		| 3 | Agency has the ability to review incidents that have occurred up to one year earlier. | 
	
		| 2 | Agency has the ability to review incidents that have occurred up to six months earlier. | 
	
		| 1 | Agency has the ability to review incidents that have occurred up to three months earlier. | 
	
		| 0 | Agency does not maintain a record of security related incidents. | 
	
		| Emergency Response Plan (ERP) | 
	
		| 2.201 | Does the ERP establish and assign responsibility for implementation of the security program to a Senior Manager who is a "direct report" to the agency's Chief Executive Officer? | Document Review | Inspectors should refer to the MT BASE Guidance, Pg14. | Documented evidence assigning implementation of security program in the ERP. | 4 | The implementation of the security program has been assigned to a Senior Manager who is a "direct report" to the CEO. This responsibility is documented in the ERP. | 
	
		| 3 | The implementation of the security program has been assigned to a Senior Manager who is a "direct report" to the CEO. This responsibility is not documented in the ERP, but it is a commonly known assignment that is documented elsewhere. | 
	
		| 2 | The implementation of the security program has been assigned to a manager or leadership position that is not a "direct report" to the CEO. The responsibility is documented in the ERP. | 
	
		| 1 | The implementation of the security program has been ineffectively assigned to a position that cannot act independently. The responsibility is documented in the ERP. | 
	
		| 0 | The implementation of the security program is not assigned, or there is no documentation establishing the responsibility of implementation. | 
	
		| 2.202 | Are emergency response roles and responsibilities for all departments identified in the ERP or other supporting documents? | Document Review | 
 | Documented emergency response responsibilities. | 4 | The agency takes an all-inclusive, system-wide approach to emergency preparedness. Emergency response roles and responsibilities have been developed and are assigned for all departments. Roles are comprehensive, detailed, and documented. | 
	
		| 3 | Emergency response roles and responsibilities have been developed and assigned to most departments. Not all departments have an assigned role in emergency response. Roles and responsibilities are well-developed and assigned effectively, but there is room for improvement. This is documented. | 
	
		| 2 | Documented roles and responsibilities have been only assigned to critical departments (security, etc.), may be generalized in nature, or a combination thereof. | 
	
		| 1 | Documented roles and responsibilities have been assigned as a blanket-statement. Roles may be vague or ineffectively developed. | 
	
		| 0 | Roles and responsibilities are not documented. | 
	
		| 2.203 TSF 5
 | Are roles and responsibilities for front-line personnel (i.e. system law enforcement, system security officials, train or vehicle operators, conductors, station attendants, maintenance workers) described in the system's Emergency Response Plan (ERP)? | Document Review | 
 | Frontline Personnel Responsibilities. | 4 | Roles and responsibilities of frontline personnel are assigned by position and documented in the ERP. Roles are comprehensive and detailed. | 
	
		| 3 | Roles and responsibilities of frontline personnel are assigned and documented in the ERP.  Roles are relatively detailed and effectively assigned, but may be missing minor details. | 
	
		| 2 | Roles and responsibilities of frontline personnel are developed and documented in the ERP.  Roles are general and lack specific details based on job function. | 
	
		| 1 | General security roles and responsibilities are documented in the SSP or other documents. These roles and responsibilities are not assigned by position. | 
	
		| 0 | Roles and responsibilities are not documented. | 
	
		| 2.204 | Has the ERP been distributed to appropriate departments in the organization? | Interview | 
 | ERP Distribution | 4 | The agency takes a total approach to emergency response, including all departments in the process. All departments have been provided a copy of the ERP. | 
	
		| 3 | The agency is proactive with emergency response. The ERP has been provided to departments that are critical to emergency response as well as some departments that would serve a secondary support role during emergency response. | 
	
		| 2 | The agency has only provided the ERP to departments that are critical to emergency response. Upon request, the ERP is readily available to other departments. | 
	
		| 1 | ERP distribution is very limited. Departments do not have easy access to the document. | 
	
		| 0 | The ERP is not distributed. | 
	
		| 2.205 | Have appropriate reference guides or other written instructions or procedures been distributed to transit employees to implement the requirements of the ERP? | Document Review | 
 | Reference guides for transit personnel | 4 | Individual written guides or reference material based on job function have been provided to all employees to assist employees with the implementation of emergency procedures. | 
	
		| 3 | Individual written guides or reference material with generalized guidance have been provided to all employees to assist employees with the implementation of emergency procedures. | 
	
		| 2 | Written guides or other written materials have been provided to every department and are available to employees if needed. | 
	
		| 1 | Written guides or other written materials exist but are not conveniently available to employees. | 
	
		| 0 | Written materials are not readily available to employees. | 
	
		| 2.206 | Are senior staff and middle management ERP coordination meetings held on a regular basis? | Interview | Emergency response should be the primary focus of these meetings and briefings | Management meetings for ERP coordination. Operational. | 4 | Senior staff and management conduct ERP coordination meetings on a monthly basis. | 
	
		| 3 | Senior staff and management conduct ERP coordination meetings on a quarterly basis. | 
	
		| 2 | Senior staff and management conduct ERP coordination meetings twice per year. | 
	
		| 1 | Senior staff and management conduct ERP coordination meetings annually or on an "as needed" basis. | 
	
		| 0 | Senior staff and management meet on an infrequent basis, if ever, or meetings related to ERP coordination are not conducted. | 
	
		| 2.207 | Are informational briefings with appropriate personnel held whenever emergency response protocols are substantially changed or updated? | Interview | 
 | Briefings related to emergency response. Operational. | 4 | Policies and procedures are in place to ensure that frontline personnel are made aware of anything relevant to the emergency response plan. Agency utilizes a variety of message delivery systems for security messages based on message importance: face-to-face verbal, electronic dispersal, written-memo system, and bulletin board postings. The agency has also developed a means of tracking/monitoring who has (or has not) received high-importance informational briefings (acknowledgement/signature sheet, email receipt, etc.). | 
	
		| 3 | Entity has procedures in place to ensure that frontline personnel are made aware of anything relevant to the emergency response. Method of delivery is, for the most part, effective, with very little (but possible) chance of employees not receiving critical information. Agency has not developed a means of monitoring or tracking who receives informational briefings. | 
	
		| 2 | Briefings are only delivered through written-memos or other ineffective means of personal dispersal. For a score of 2, the delivery method might reach a high number of employees, but the message itself is not guaranteed (employees may not understand a message, employees may not actually read the message, and the agency may not be able to accurately gauge who has received the message). | 
	
		| 1 | Entity only utilizes bulletin board-style briefings. | 
	
		| 0 | No briefings. | 
	
		| Ensure that operations and maintenance supervisors, forepersons and managers are held accountable for security issues under their control | 
	
		| 3.101 | Do managers and supervisors routinely provide information to front-line personnel regarding security and emergency response issues? | Interview, Frontline Verification, Document Review
 | Inspectors should refer to the MT BASE Guidance, Pg16. | Frontline Personnel Briefings | 4 | Frontline employees receive a weekly briefing from their immediate supervisor regarding security and emergency preparedness. Security and emergency response issues are the primary focus of briefings (or equal to that of safety). Verified by Interview, Document Review, and Frontline employees. | 
	
		| 3 | Frontline employees receive a monthly briefing from their immediate supervisor regarding security and emergency preparedness. Security and emergency response issues are the primary focus of briefings (or equal to that of safety). | 
	
		| 2 | Frontline employees receive a quarterly briefing from their immediate supervisor regarding security and emergency preparedness. Security and emergency response issues are the primary focus of briefings (or equal to that of safety). | 
	
		| 1 | Frontline employees are provided information regarding security and emergency response issues on an infrequent or "as needed" basis. | 
	
		| 0 | Frontline employees are not provided information regarding security and emergency response issues. | 
	
		| 3.102 | Are regular supervisor, manager, and/or foreperson security review and coordination briefings held?  If so, detail frequency and subjects covered in the justification. | Interview | 
 | Supervisor Briefings | 4 | Supervisor/management security review and coordination meetings are held on a monthly basis. | 
	
		| 3 | Supervisor/management security review and coordination meetings are held on a bimonthly basis. | 
	
		| 2 | Supervisor/management security review and coordination meetings are held on a quarterly basis. | 
	
		| 1 | Supervisor/management security review and coordination meetings are held on an infrequent or "as-needed" basis. | 
	
		| 0 | Meetings are not held or do not focus on security. | 
	
		| 3.103 | Does the agency have a program for confirming that personnel have a working knowledge of security protocols? If so, summarize program in the justification. | Interview / Document Review | Possible follow-up questions needed. Summarize program in justification. | Internal verification of knowledge | 4 | The agency actively engages its workforce to ensure a high rate of security knowledge. Agency utilizes a formal, measurable and on-going system of verification, such as internal audits, challenge procedures, or qualification testing. The program--or procedures/responsibilities related to it--is documented. Verified by both Interview and Document Review. | 
	
		| 3 | The agency has an on-going, informal system of measuring its workforce's knowledge of security elements. The program may not be documented, but the agency can articulate specific measures it takes to ensure its personnel retain a working knowledge of security. Examples include informal (undocumented or unmeasured) internal testing or auditing. | 
	
		| 2 | Employees are tested after training, and Supervisors are tasked with ensuring protocols are followed and knowledge is retained. | 
	
		| 1 | Direct supervision is the only method of ensuring that security knowledge is retained. | 
	
		| 0 | The agency does not have a program of confirming that personnel have a working knowledge of security protocols. | 
	
		| 3.104 | Are managers and/or supervisors required to debrief front-line employees regarding their involvement in or management of any security or emergency incidents? | Interview / Document Review | 
 | Debriefing Requirement | 4 | There is a written policy that requires leadership to debrief frontline personnel regarding their involvement in or management of any security or emergency incidents. Verified by both Interview and Document Review. | 
	
		| 3 | There isn't a written requirement, but leadership is expected to debrief frontline personnel regarding their involvement in or management of any security or emergency incidents. This expectation is widely known. Verified by both Interview and Document Review. | 
	
		| 2 | Leadership is expected to debrief frontline personnel only after major incidents regarding their involvement in or management of security or emergency incidents. | 
	
		| 1 | Debriefings are being held, but the policy is very insufficient and inconsistent. | 
	
		| 0 | There are no debriefing measures in place. | 
	
		| Coordinate Security and Emergency Management Plan(s) with local and regional agencies | 
	
		| 4.101 | Have Mutual Aid agreements been established between the transit agency and entities in the area that would be called upon to supplement the agency's resources in the event of an emergency event? | Interview / Document Review | Inspectors should refer to the MT BASE Guidance, Pg16. | MOUs involving law enforcement, other transit agencies, and first responders | 4 | The agency has taken a comprehensive approach to emergency preparedness and has established mutual aid agreements with all outside entities that the agency may need to coordinate with during an emergency situation. This includes: law enforcement entities, other transit agencies that operate in the same area, and first responders. Verified by both Interview and Document Review | 
	
		| 3 | The agency has taken a proactive approach to emergency preparedness and has established mutual aid agreements with multiple types of outside entities. | 
	
		| 2 | The agency has taken a limited approach to emergency preparedness and has established mutual aid agreements only with all local law enforcement entities that operate within the geographical scope of their system. | 
	
		| 1 | The agency has taken the first steps of establishing mutual aid agreements. Agreements are actively being pursued. | 
	
		| 0 | Mutual aid agreements are non-existent and not being pursued. | 
	
		| 4.102 | Does the agency participate in a regional Emergency Management Working Group or similar regional coordinating body for emergency preparedness and response? | Interview | 
 | Regional Emergency Management Group. "Yes" or "No." | 4 | The agency participates in a regional security and emergency preparedness/management working group or committee (this is not the same as participation in drills or exercises). | 
	
		
	
		| 0 | The agency does not participate in a security and emergency preparedness/management working group or committee. | 
	
		
	
		
	
		| 4.103 | Have regional incident management protocols been shared with the agency and incorporated into the agency's ERP/SSP/SEPP? | Document Review / Interview | 
 | Regional Incident Management Protocols | 4 | The agency has received--and is knowledgeable of--regional incident management protocols. These protocols have been completely incorporated into the agency's ERP/SSP/SEPP. Verified by both Interview and Document Review. | 
	
		| 3 | The agency has received--and is knowledgeable of--regional incident management protocols. These protocols are partially incorporated (or in the process of being incorporated) into the agency's ERP/SSP/SEPP. Verified by both Interview and Document Review. | 
	
		| 2 | The agency has received--and is knowledgeable of--regional incident management protocols. These protocols are not part of the agency's ERP. | 
	
		| 1 | The agency is aware of regional protocols and understands how they may obtain them. | 
	
		| 0 | The agency is completely unfamiliar with regional protocols. | 
	
		| 4.104 | Have agency resources been appropriately identified and provided to the regional EMA? | Interview | 
 | Agency Resources. "Yes" or "No." | 4 | The agency has provided the regional EMA with a detailed list of resources (vehicles, facilities, etc.) that may be utilized in the event of an emergency. | 
	
		
	
		| 0 | Agency resource inventory has not been provided to the regional EMA. | 
	
		
	
		
	
		| 4.105 | Does the agency have a designated point-of-contact or liaison with the local/regional Emergency Operations Center (EOC)? | Interview / Document Review | 
 | POC identified from EOC. "Yes" or "No." | 4 | Agency has established a point-of-contact at the Emergency Operations Center. Must be verified by Document Review. | 
	
		
	
		| 0 | Agency has no identified POC at the EOC. | 
	
		
	
		
	
		| 4.106 | Does the agency send a representative to the local/regional EOC, should it be activated? | Interview / Document Review | 
 | Agency Representative sent to EOC. "Yes" or "No." | 4 | Agency has officially designated a representative to be sent to the EOC, upon activation. This is documented in SSP/ERP/SEPP. Must be verified by Document Review. | 
	
		| 2 | The agency has designated a representative to be sent to the EOC, upon activation, although formal policies are not in place. | 
	
		| 0 | Agency has not designated a representative. | 
	
		| 4.107 | Does the agency have information sharing capabilities with the regional/local EOC (i.e., contacts, procedures, resource inventories, etc.)? | Interview / Document Review | 
 | Information Sharing Capabilities | 4 | The agency has developed a formal method of effectively sharing information with the EOC, information flow is two-way (information can be shared and received), and the method of sharing is known by both entities. Capabilities are documented.  Must be verified by Document Review. | 
	
		| 2 | The agency has developed an informal method of effectively sharing with the EOC, information flow is two-way (information can be shared and received), and the method of sharing is known by both entities. It is clear that the agency has planned for information sharing, but the capabilities are not documented. | 
	
		| 1 | Information sharing procedures and capabilities exist, but are vague and have received little attention or planning. | 
	
		| 0 | The agency has no information sharing capabilities or procedures and is not actively pursuing the development of any. | 
	
		| 4.108 | Has the agency developed internal incident management protocols that comply with the National Response Plan and the National Incident Management System (NIMS)? | Document Review / Interview | 
 | Internal Incident Management Protocols. "Yes" or "No." | 4 | The agency's internal emergency response procedures follow the NRP and the NIMS. Must be verified by Document Review. | 
	
		
	
		| 0 | The agency's internal emergency response procedures do not follow the NRP and the NIMS. | 
	
		
	
		
	
		| 4.109 | Have the agency's emergency response protocols been shared with the EMA and appropriate first responder agencies? | Interview | 
 | Internal Emergency Response Protocols. "Yes" or "No." | 4 | The agency has shared its internal emergency response protocols with the regional EMA and appropriate first response agencies. | 
	
		
	
		| 2 | The agency has shared its internal emergency response protocols with only the regional EMA or only first response agencies. | 
	
		
	
		| 0 | The agency has not shared its emergency response protocols. | 
	
		| 4.110 TSF 5
 | Has the transit system tested its communications systems for interoperability with appropriate emergency response agencies? | Interview | 
 | Interoperability | 4 | The agency is very proactive with regard to interoperable communication and ensures that its communication systems can communicate with appropriate external agencies across jurisdictional lines. The agency uses compatible radio systems (800 MHz, UHF, VHF, etc.), has developed a plan (either documented or trained personnel) for interoperable communication, and has tested its system for compatibility with appropriate external agencies. | 
	
		| 3 | The agency has an effective interoperable communications system (800 MHz, UHF, VHF, interoperable CAD system), but minor elements are missing. Planning (training or documentation) is missing or the agency has not tested its system for compatibility. | 
	
		| 2 | The agency has an effective interoperable communications system (800 MHz, UHF, VHF, interoperable CAD system). Neither planning (training or documentation) nor compatibility testing is in place. | 
	
		| 1 | The agency's systems are not interoperable, but the agency is in the process of actively implementing such a system (plans established, funds identified). | 
	
		| 0 | The agency's systems are not interoperable, nor is such a system being currently implemented. | 
	
		| 4.111 | If the agency's communications systems are NOT inter-operable with appropriate emergency response agencies, have alternate communication protocols been established?  Describe the alternate communication protocols in the justification. | Interview / Document Review | 
 | Interoperability Substitute | 4 | The agency has developed effective alternatives to interoperable communication (beyond the reliance of standard communication, like telephone). These procedures are documented and shared with appropriate first responder agencies. Must be verified by Document Review. | 
	
		| 2 | The agency has developed partially effective alternatives to interoperable communication (beyond the reliance of standard communication, like telephone). The procedures are informal and may not be documented and/or shared with first responder agencies. | 
	
		| 0 | The agency has identified no alternatives for interoperable communication. | 
	
		| Establish and Maintain a Security and Emergency Training Program | 
	
		| 5.101 TSF 4
 | Is initial training provided to all new agency employees regarding security orientation/awareness? | Document Review / Frontline Verification | Inspectors should refer to the MT BASE Guidance, Pg18. | Training records, training material | 4 | All new employees, regardless of job function, receive initial training, which is focused on general security awareness and orientation. The agency has a well-developed program with an official curriculum and training is provided in a formal environment (classroom or computer-based). Must be verified by Document Review and Frontline Employees. | 
	
		| 2 | Initial training is provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Security is not addressed in initial training. | 
	
		| 5.102 TSF 4
 | Is annual refresher training provided regarding security orientation/awareness to Senior Management staff, managers and supervisors? | Interview / Document Review | 
 | Training records, training material | 4 | Annual refresher training is well-developed with an official curriculum, focused on the appropriate subject, and provided in a formal manner (classroom or computer-based). Must be verified by Document Review. | 
	
		| 2 | Training is provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Refresher training is not provided annually or does not focus on the appropriate subject. | 
	
		| 5.103 TSF 4
 | Is annual refresher training provided regarding security orientation/awareness to managers and supervisors? | Interview / Document Review | 
 | Training records, training material | 4 | Annual refresher training is well-developed with an official curriculum, focused on the appropriate subject, and provided in a formal manner (classroom or computer-based). Must be verified by Document Review. | 
	
		| 2 | Training is provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Refresher training is not provided annually or does not focus on the appropriate subject. | 
	
		| 5.104 TSF 4
 | Is annual refresher training provided regarding security orientation/awareness to front-line employees? | Document Review / Frontline Verification | 
 | Training records, training material | 4 | Annual refresher training is well-developed with an official curriculum, focused on the appropriate subject, and provided in a formal manner (classroom or computer-based). Must be verified by Document Review and Frontline Employees. | 
	
		| 2 | Training is provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Refresher training is not provided annually or does not focus on the appropriate subject. | 
	
		| 5.105 | Is ongoing advanced security training focused on job function provided at least annually? | Interview / Frontline Verification | 
 | Training records, training material | 4 | Advanced security training is provided in an ongoing manner, with classes/courses being provided at least once per year. Agency has established an official training curriculum, training is specifically designed based on job function, and training is provided in a formal environment (classroom or computer-based). Must be verified by Document Review and Frontline Employees. | 
	
		| 2 | Ongoing advanced security training based on job function is provided with varying degrees of implementation and frequency. | 
	
		
	
		
	
		| 0 | Ongoing security training based on job function is not provided. | 
	
		| 5.106 TSF 4
 | Is initial training provided to all new transit employees regarding emergency response? | Interview / Frontline Verification | General emergency response / awareness training | Training records, training material | 4 | All new employees, regardless of job function, receive initial training, which is focused on emergency response. The agency has a well-developed program with an official curriculum and training is provided in a formal environment (classroom or computer-based). Must be verified by Document Review and Frontline Employees. | 
	
		| 2 | Initial training is provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Emergency response is not addressed in initial training. | 
	
		| 5.107 | Is annual refresher training provided regarding emergency response to Senior Management staff, supervisors, and managers? | Interview / Document Review | 
 | Training records, training material | 4 | Annual refresher training is well-developed with an official curriculum, focused on the appropriate subject, and provided in a formal manner (classroom or computer-based). Must be verified by Document Review. | 
	
		| 2 | Training is provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Refresher training is not provided annually or does not focus on the appropriate subject. | 
	
		| 5.108 TSF 4
 | Is annual refresher training provided regarding emergency response to Managers and Supervisors? | Interview / Document Review | 
 | Training records, training material | 4 | Annual refresher training is well-developed with an official curriculum, focused on the appropriate subject, and provided in a formal manner (classroom or computer-based). Must be verified by Document Review. | 
	
		| 2 | Training is provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Refresher training is not provided annually or does not focus on the appropriate subject. | 
	
		| 5.109 TSF 4
 | Is annual refresher training provided regarding emergency response to front-line Employees? | Interview / Frontline Verification | 
 | Training records, training material | 4 | Annual refresher training is well-developed with an official curriculum, focused on the appropriate subject, and provided in a formal manner (classroom or computer-based). Must be verified by Document Review and Frontline Employees. | 
	
		| 2 | Training is provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Refresher training is not provided annually or does not focus on the appropriate subject. | 
	
		| 5.110 TSF 4
 | Have agency employees received general training on Incident Command System (ICS) procedures in accordance with National Incident Management System at least annually? | Interview / Frontline Verification | 
 | Training records, training material | 4 | All employees who may have a role in emergency response--frontline personnel and leadership--have received ICS training in accordance with the NIMS. The agency has a well-developed program with an official curriculum and training is provided annually in a formal environment (classroom or computer-based). Must be verified by Document Review and Frontline Employees. | 
	
		| 2 | Training is provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | ICS training is not provided. | 
	
		| 5.111 | Has ICS and NIMS training appropriate to the position been provided to Senior Management staff, supervisors, and managers at least annually? | Interview / Document Review | 
 | Training records, training material | 4 | Annual ICS and NIMS training based on job function is provided by the agency to all senior leadership. Must be verified by Document Review. | 
	
		| 2 | Training appropriate to the position has been provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Senior leadership only receives basic ICS/NIMS training, or ICS/NIMS training is not provided. | 
	
		| 5.112 | Has ICS and NIMS training appropriate to the position been provided to managers and supervisors at least annually? | Interview / Document Review | 
 | Training records, training material | 4 | Annual ICS and NIMS training based on job function is provided by the agency to all supervisors and managers. Must be verified by Document Review. | 
	
		| 2 | Training appropriate to the position has been provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Supervisors and managers only receive basic ICS/NIMS training, or ICS/NIMS training is not provided. | 
	
		| 5.113 | Has ICS and NIMS training appropriate to the position been provided to front-line employees at least annually? | Interview / Frontline Verification | 
 | Training records, training material | 4 | Annual ICS and NIMS training based on job function is provided by the agency to all frontline personnel.  Must be verified by Document Review. | 
	
		| 2 | Training appropriate to the position has been provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | ICS/NIMS training is not provided. | 
	
		| 5.114 | Has the agency developed a program and provided annual training on its own incident response protocols? | Document Review / Interview | 
 | Training records, training material | 4 | The agency has developed internal procedures for incident response and a comprehensive training program to support these procedures. Training has an established curriculum, official training materials, and is provided in a formal environment (classroom or computer-based). Training is provided annually. Must be verified by Document Review. | 
	
		| 2 | Training is provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | The agency has not established training for its internal incident response procedures. | 
	
		| 5.115 TSF 4
 | Has training on the agency's incident response protocols appropriate to the position been provided to Senior Management staff, managers and supervisors at least annually? | Interview / Document Review | 
 | Training records, training material | 4 | Annual training based on job function is provided by the agency to all senior leadership. Must be verified by Document Review. | 
	
		| 2 | Training appropriate to the position has been provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Senior leadership only receives basic training, training appropriate for frontline personnel, or training is not provided. | 
	
		| 5.116 TSF 4
 | Has training on the agency's incident response protocols appropriate to the position been provided to managers and supervisors? | Interview / Document Review | 
 | Training records, training material | 4 | Annual training based on job function is provided by the agency to all supervisors and managers. Must be verified by Document Review. | 
	
		| 2 | Training appropriate to the position has been provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Supervisors and managers only receive basic training, training that is appropriate to frontline personnel, or training is not provided. | 
	
		| 5.117 TSF 4
 | Has training on the agency's incident response protocols appropriate to the position been provided to front-line employees at least annually? | Document Review / Frontline Verification | 
 | Training records, training material | 4 | Annual training based on job function is provided by the agency to all frontline personnel. Must be verified by Document Review and Frontline Employees. | 
	
		| 2 | Training appropriate to the position has been provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Training is not provided. | 
	
		| 5.118 TSF 4
 | Has the transit system implemented an annual training program for personnel regarding response to terrorism, including (i) Improvised Explosive Devices and ii) Weapons of Mass Destruction (chemical, biological, radiological, nuclear)?  If so, summarize the relevant programs in the justification? | Document Review / Interview | 
 | Training records, training material | 4 | Annual training provided regarding response to IEDs and WMD. This is part of an official curriculum, uses effective training materials, and is provided in a formal environment (classroom or computer-based). Must be verified by Document Review. | 
	
		| 2 | Training has been developed and provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | The agency has not developed a relevant training program. | 
	
		| 5.119 | Has training focused on IEDs and WMDs appropriate to the position been provided to Senior Management staff, managers, and supervisors at least annually? | Document Review / Interview | 
 | Training records, training material | 4 | Annual training based on job function is provided by the agency to all senior leadership. Must be verified by Document Review. | 
	
		| 2 | Training appropriate to the position has been provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Senior leadership only receives basic training, training is appropriate for frontline personnel, or training is not provided. | 
	
		| 5.120 | Has training focused on IEDs and WMDs appropriate to the position been provided to manager and supervisors? | Document Review / Interview | 
 | Training records, training material | 4 | Annual training based on job function is provided by the agency to all supervisors and managers. Must be verified by Document Review. | 
	
		| 2 | Training appropriate to the position has been provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Supervisors and managers only receive basic training, training is appropriate to frontline personnel, or training is not provided. | 
	
		| 5.121 | Has training focused on IEDs and WMDs appropriate to the position been provided to front-line employees at least annually? | Document Review / Frontline Verification | 
 | Training records, training material | 4 | Annual training based on job function is provided by the agency to all frontline personnel. Must be verified by Document Review and Frontline Employees. | 
	
		| 2 | Training appropriate to the position has been provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Training is not provided. | 
	
		| 5.122 | Do law enforcement/security department personnel at the agency receive specialized training in counter-terrorism annually? Summarize program in the justification. | Document Review / Interview | In justification, provide description of specialized training or provider. | Training records, training material | 4 | All personnel in security-related positions receive annual specialized training focused on counter-terrorism. Training is in addition to general training, with materials developed by or instruction led by subject matter experts. Training is part of an established curriculum and provided in a formal environment (classroom or computer-based). Must be verified by Document Review. | 
	
		| 2 | Specialized counter-terrorism training is provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Specialized counter-terrorism training is provided with varying degrees of implementation. | 
	
		| 5.123 | Do law enforcement/security department personnel at the agency receive specialized training supporting their incident management and emergency response roles at least annually? Summarize program in the justification. | Document Review / Interview | In justification, provide description of specialized training or provider. | Training records, training material | 4 | All personnel in security-related positions receive annual specialized training supporting incident response. Training is in addition to general training, with materials developed by or instruction led by subject matter experts. Training is part of an established curriculum and provided in a formal environment (classroom or computer-based). Must be verified by Document Review. | 
	
		| 2 | Specialized incident response training is provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Specialized incident response training is provided with varying degrees of implementation. | 
	
		| 5.124 
 | Does the agency have an established program to monitor employee training and to schedule employees for training? | Document Review | General training review. This does not have to revolve around Security Training but establishes if they have an active system. | Training Scheduling (General) | 4 | The agency has developed a formal system of monitoring employee training and scheduling employee training as needed. This includes retaining training records, being able to easily determine employee training status, and being able to schedule employee training effectively. | 
	
		| 2 | A program for monitoring and scheduling training exists with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Such a program does not exist. | 
	
		| 5.125 
 | Does the agency have a system that records and tracks personnel training for all security-related courses (including initial, annual, periodic and other)? | Document Review | This question asks specifically about security-related courses. | Training Recording (Security) (ex. 30-day file) | 4 | The agency has a formal system to record and track personnel training for all security-related training, including initial, annual, and periodic. Records for all employees contain the following: employee name/identifier, training/course identifier, and date of course completion. Must be verified by Document Review. | 
	
		| 2 | The agency employs a system with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Such a system does not exist, or security training is not specifically addressed. | 
	
		| 5.126 | Does the transit agency have a system that records and tracks personnel training for emergency response courses (including initial, periodic and other)? | Document Review | This question asks specifically about emergency response related courses. | Training Recording (Emergency Response) (ex. 30-day file) | 4 | The agency has a formal system to record and track personnel training for all emergency response-related training, including initial, annual, and periodic. Records for all employees contain the following: employee name/identifier, training/course identifier, and date of course completion. | 
	
		| 2 | The agency employs a system with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Such a system does not exist, or emergency response training is not specifically addressed. | 
	
		| 5.127 | Does the agency have a program to regularly review and update security awareness and emergency response training materials? | Interview / Document Review | 
 | Security Review and Updating | 4 | The agency has developed a formal program of reviewing and updating security and emergency response training materials to ensure they are up-to-date, this program is documented (generally or as a "role/responsibility"), and the program ensures materials are reviewed at least annually. Must be verified by Document Review. | 
	
		| 2 | The agency has developed a program with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | The agency has no established program of reviewing and updating security and emergency response training materials. | 
	
		| 5.128 TSF 4
 | Are all appropriate personnel notified via briefings, email, voicemail, or signage of changes in threat condition, protective measures or the employee watch programs? | Interview | 
 | Operational Changes | 4 | Appropriate personnel are notified of operational changes--including those related to threat levels and protective measures. Individuals with a "need to know" have been formally identified, and measures are in place to effectively reach all appropriate employees. | 
	
		| 3 | Appropriate personnel are notified of operational changes--including those related to threat levels and protective measures. Individuals with a "need to know" have been formally identified, and measures are in place for the agency to confidently reach most of those employees in a timely manner. | 
	
		| 2 | Appropriate personnel are notified of operational changes. Individuals with a "need to know" are informally identified, but measures for communicating information lack consistency. | 
	
		| 1 | The agency notification measures are inconsistent with little to no planning involved whatsoever. Individuals with a "need to know" have not been identified. | 
	
		| 0 | Operational changes are rarely--if ever--communicated to employees, or no policy exists to support the recommendation. | 
	
		| 5.129 TSF 1
 | Do the agency's security awareness and emergency response training programs cover response and recovery operations in critical facilities and infrastructure?  If so, summarize relevant provisions of program in the justification. | Document Review | 
 | Response and recovery operations in critical facilities and infrastructure. | 4 | The agency's security and emergency response training covers response and recovery operations in critical facilities and infrastructure (including COOP-related procedures). Training is part of an official curriculum, utilizes effective training materials, and is provided in a formal environment (classroom or computer-based). | 
	
		| 2 | Security and emergency response training covers response and recovery operations in critical facilities and infrastructure with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Training does not cover response and recovery operations. | 
	
		| 5.130 TSF 1
 | Has the agency provided training to regional first responders (law enforcement agencies, firefighters, and emergency medical response teams) to enable them to operate in critical facilities and infrastructure? | Interview | During interview, dates or frequency of training should be documented to receive full score. Also, describe scope of training. | Training program for external agencies. | 4 | The agency has provided training to regional first responders to enable them to operate in critical facilities and infrastructure. The training is well-developed, and the agency has actively offered it to outside entities. | 
	
		| 2 | The agency has provided training with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | The agency has not provided training to external agencies to enable them to operate effectively in critical facilities and infrastructure. | 
	
		| 5.131 TSF 3
 | Does training of transit system law enforcement and/or security personnel integrate the concept and employment of visible, random security measures? | Interview / Document Review | 
 | Training program featuring concepts of random and highly visible countermeasures. | 4 | The concept and employment of visible, unpredictable, and random security measures is included as part of the training curriculum for all personnel in security-related positions. This is documented in training materials. Must be verified by Document Review. | 
	
		| 2 | Training covers the concept of visible and random security measures with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Training does not cover the concept of visible or random security measures. | 
	
		| 5.132 TSF 4
 | Has the agency implemented a program to train or orient first responders (law enforcement, firefighters, emergency medical teams) and other potential supporting assets (e.g., TSA regional personnel for VIPR exercises) on their system vehicle familiarization? | Interview / Document Review | During interview, dates or frequency of training should be documented to receive full score. Also, describe scope of training. | Training program for external agencies. | 4 | The agency has developed and implemented a program to annually train or orient first responders and other supporting agencies (TSA VIPR teams) on their system vehicle familiarization. Training is well-developed, and the agency has actively offered it to outside entities. Must be verified by Document Review. | 
	
		| 2 | The program has been developed with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Such a program does not exist. | 
	
		| Establish plans and protocols to respond to the DHS National Terrorism Advisory System (NTAS). | 
	
		| 6.101 | Does the SSP contain or reference other documents identifying incremental actions (imminent or elevated) to be implemented for an NTAS threat? | Document Review | Inspectors should refer to the MT BASE Guidance, Pg19. | Incremental actions based on NTAS threat | 4 | The agency has identified incremental actions that correlate with NTAS threat level increases. Incremental actions are identified for all threat conditions, well-developed, effective, and documented. | 
	
		| 2 | Incremental actions are identified with varying degrees of implementation or documentation. | 
	
		
	
		
	
		| 0 | Incremental actions are not documented. | 
	
		| 6.102 TSF 2
 | Does the agency have actionable operational response protocols for the specific threat scenarios from NTAS? | Document Review | 
 | Response protocols for specific threat scenarios based on NTAS | 4 | The agency has identified possible NTAS alert scenarios and established detailed procedures and protocols to respond to these scenarios. These procedures are well-developed and documented. | 
	
		| 2 | Actionable operational response protocols for specific threat scenarios from NTAS have been developed with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Actionable operational response protocols have not been developed or specific threat scenarios haven't been identified. | 
	
		| 6.103 | Has the agency provided annual training and/or instruction focused on job function regarding the incremental activities to be performed by employees? | Interview / Document Review | 
 | Job-specific NTAS training | 4 | Job-specific NTAS training that focuses on incremental activities to be performed by employees has been provided annually by the agency. Training is a well-developed part of an official curriculum, focuses on appropriate individual roles in response to NTAS threats, and is provided in a formal environment (classroom or computer-based). Must be verified by Document Review. | 
	
		| 2 | Job-specific NTAS training is provided with varying degrees of implementation. | 
	
		
	
		| 1 | General NTAS training is provided to appropriate personnel. | 
	
		| 0 | The agency does not provide NTAS training. | 
	
		| Implement and reinforce a Public Security and Emergency Awareness program: | 
	
		| 7.101 | Has the transit agency developed and implemented a public security and emergency awareness program? | Interview | Inspectors should refer to the MT BASE Guidance, P20. In justification, provide description of agency’s emergency awareness program. | Outreach program | 4 | Agency has implemented a well-developed public awareness program that addresses specific issues of both security and emergency response. | 
	
		| 3 | Agency has implemented a well-developed public awareness program that addresses specific issues of security. Emergency response material is generalized or missing. | 
	
		| 2 | Agency has implemented a well-developed public awareness program that addresses specific issues of emergency response and safety. Security material is generalized or missing. | 
	
		| 1 | Agency has a public awareness program, but the program is vague or otherwise ineffective. | 
	
		| 0 | The agency has no public awareness program in place. | 
	
		| 7.102 TSF 6
 | Does the agency provide active public outreach for security awareness and emergency preparedness (e.g., Transit Watch, “If You See Something, Say Something”, message boards, brochures, channel cards, posters, fliers)? | Document Review / Onsite Observation | 
 | Active outreach, utilizes program materials | 4 | The agency's public awareness program covers security and emergency response and is communicated effectively. Program materials--brochures, posters, fliers--are widely distributed and highly visible.  Must be verified by Document Review and Onsite Observation. | 
	
		| 2 | Public awareness materials and outreach have been developed and deployed with varying degrees of implementation.  Verified by Document Review only. | 
	
		
	
		
	
		| 0 | Public awareness materials and outreach have not been developed and/or deployed. | 
	
		| 7.103 TSF 6
 | Is the above consistent with agency's overall announcement program? | Document Review / Onsite Observation | 
 | Appropriate outreach material. "Yes" or "no." | 4 | Public awareness material is consistent with the agency's overall announcement program. All information/instruction/guidance is the same.   Must be verified by Document Review and Onsite Observation. | 
	
		
	
		| 0 | Public awareness material conflicts with the agency's overall announcement program. | 
	
		
	
		
	
		| 7.104 TSF 6
 | Are general security awareness and emergency preparedness messages included in public announcement messages at stations and on board vehicles? | Onsite Observation | 
 | Public announcements (Pre-recorded voice announcements) | 4 | The agency includes frequent mentions of general security and emergency preparedness items in its pre-recorded announcement messages at all appropriate areas, including at stations and onboard vehicles. | 
	
		| 3 | The agency includes frequent mentions of general security items (but no emergency preparedness items) in its pre-recorded announcement messages at all appropriate areas, including at stations and onboard vehicles. | 
	
		| 2 | The agency includes frequent mentions of general emergency preparedness items and infrequent mentions of general security items in its pre-recorded announcement messages at all appropriate areas, including at stations and onboard vehicles. | 
	
		| 1 | The agency includes infrequent mentions of general security and emergency preparedness items in its pre-recorded announcement messages at all appropriate areas, including at stations and onboard vehicles. | 
	
		| 0 | Security and emergency preparedness items are not included in the agency's pre-recorded announcement messages. | 
	
		| 7.105 TSF 6
 | Are passengers urged to report unattended property, suspicious behavior, and security concerns to uniformed crew members, law enforcement or security personnel, and/or a contact telephone number? If so, summarize the type of materials used and content in the justification. | Document Review / Onsite Observation | 
 | Materials specifically mention reporting unattended property, suspicious behavior and security concerns. | 4 | Passengers are urged to report unattended property, suspicious behavior, and other security concerns to an identified agency representative (uniformed crew member, law enforcement, etc.) or identified contact number. This is documented in awareness material and readily observable. Must be verified by Document Review and Onsite Observation. | 
	
		| 2 | Passengers are urged to report unattended property, suspicious behavior, and other security concerns with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Passengers are not urged to report unattended property, suspicious behavior, and other security concerns with varying degrees of implementation. | 
	
		| 7.106 TSF 6
 | Does the agency have an appropriate mechanism in place for passengers to communicate an (e.g., 1-800 number, smart phone applications, social media, etc.) that can be called or used to report security concerns? If so, is this information indicated in public awareness materials and messages? | Document Review / Onsite Observation | 
 | Effective reporting mechanism | 4 | The agency utilizes an effective mechanism in place that can be used by passengers to report security concerns (phone number, smart phone application, social media, etc.). This mechanism is actively monitored by the agency and widely distributed to passengers as part of the awareness program's materials. Must be verified by Document Review and Onsite Observation. | 
	
		| 2 | A mechanism is in place with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | There is no mechanism in place. | 
	
		| 7.107 | Does the agency issue public service announcements or press releases to social media (e.g. Twitter/ Facebook/etc., QRC codes, and/or apps for smart phones) regarding security and emergency protocols? | Interview / Document Review | In justification, provide description of social media utilized. | Social Media Announcements for Security and Emergency. "Yes" or "No." | 4 | The agency utilizes social media to issue public service announcements related to security or emergency response. This method is documented or readily observable. | 
	
		
	
		| 0 | The agency does not issue security-related PSAs or press releases to local media. | 
	
		
	
		
	
		| 7.108 TSF 6
 | Does the agency issue public service announcements or press releases to local media (e.g. newspaper, radio and/or television) regarding security or emergency protocols? | Interview / Document Review | In Justification, describe the most recent public announcement or press release to local media. | Local Media Announcements for Emergency Response. "Yes" or "No." | 4 | The agency issues security- and emergency response-related PSAs or press releases to local media. This method is documented or readily observable. | 
	
		
	
		| 0 | The agency does not issue emergency response-related PSAs or press releases to local media. | 
	
		
	
		
	
		| 7.109 | Does the transit agency conduct a volunteer training program for non-employees to aid with system evacuations and emergency response? | Interview / Document Review | 
 | Training for non-employee volunteers for emergency response | 4 | The agency conducts training of non-employee volunteers to aid with system evacuations and emergency response. This training program has an official curriculum and is provided on a semi-frequent basis. Must be verified by Document Review. | 
	
		| 2 | Training is provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Training is not provided. | 
	
		| 7.110 | Does the transit agency conduct an outreach program to enlist members of the public as security awareness volunteers, similar to Neighborhood Watch programs? | Interview / Document Review | 
 | Active volunteer program (not the same as "See Something, Say Something") | 4 | The agency has established a volunteer program to enlist an active security awareness volunteer force. This program (including how passengers can get involved) is documented. Must be verified by Document Review. | 
	
		| 2 | The agency has established an active volunteer program with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | The agency has not established an active volunteer program. | 
	
		| 7.111 TSF 1
 | Do public awareness materials and/or messages inform passengers on the means to evacuate safely from transit vehicles and underwater/underground facilities? | Interview / Document Review | If the agency has no underwater/underground facilities, the question applies to transit vehicles. | Passenger evacuation guidance material | 4 | The agency has developed awareness material to assist passengers on the means to evacuate safely from transit vehicles and underwater/underground facilities. These materials are readily available or readily visible to passengers. Must be verified by Document Review. | 
	
		| 2 | The agency has developed awareness material with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | The agency has not developed awareness material to assist passengers on the means of safe evacuation. | 
	
		| 7.112 | Does the agency track and monitor customer complaints reported by passengers? | Interview | 
 | Customer complaint tracking system | 4 | The agency has a system in place to actively and effectively monitor and follow up on customer reports. | 
	
		| 2 | The agency has developed a system with varying degrees of effectiveness or implementation. | 
	
		
	
		
	
		| 0 | The agency has not developed a system for tracking and following up on customer reports. | 
	
		| Establish and use a Risk Management Process to assess and manage threats, vulnerabilities and consequences | 
	
		| 8.101 TSF 2
 | Does the agency have a risk assessment process approved by its management, for managing threats and vulnerabilities?  If so, summarize the process in the justification. | Document Review / Interview | Inspectors should refer to the MT BASE Guidance, Pg20. | Process of Risk Assessment | 4 | Risk assessment process is developed, documented, specifically addresses threats and vulnerabilities, and is approved by management. Must be verified by Document Review. | 
	
		| 2 | Risk assessment process is developed with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Risk assessment process has not been developed. | 
	
		| 8.102 | Has the agency identified facilities and systems it considers to be its critical assets? | Interview / Document Review | In Justification, describe the critical assets identified by the agency. | Identification of Critical Assets | 4 | The agency has identified facilities and systems it considers critical assets. This is documented (or clearly implied in documentation/procedures). Must be verified by Document Review. | 
	
		| 2 | The agency has identified critical assets with varying degrees of documentation or development. | 
	
		
	
		
	
		| 0 | The agency has not identified critical assets. | 
	
		| 8.103 TSF 2
 | Has the agency had an internal or external vulnerability assessment on its critical assets within the past 3 years?  Specify the dates of the most recent assessments and the entity(ies) that conducted the assessment(s). | Interview / Document Review | Scoring Justification should list at a minimum: date of assessment, identify critical assets, who conducted the assessment, etc. | Date of last vulnerability assessment (General). "Yes" or "no." | 4 | A vulnerability assessment focused on the agency's critical assets has been conducted within the last 3 years. Must also be verified by Document Review. | 
	
		
	
		| 2 | A vulnerability assessment focused on the agency's critical assets has been conducted within the last 3 years. Only verified by Interview. | 
	
		
	
		| 0 | A security assessment focused on the agency's critical assets has not been conducted within the last 3 years. | 
	
		| 8.104 TSF 1
 | Has the agency had an internal or external Risk Assessment, analyzing threat, vulnerability, & consequence, for critical assets and infrastructure, and systems within the past 3 years?  Have management and staff responsible for the risk assessment process been properly trained to manage the process? | Interview / Document Review | Scoring Justification should list at a minimum: date of assessment, identify critical assets, who conducted the assessment, etc. | Recent Risk Assessment (specifically threat, vulnerability, and consequence analyzed), appropriate personnel trained. | 4 | A risk assessment focused on the agency's critical assets has been conducted within the last 3 years; focuses specifically on threats, vulnerabilities, and consequences; and is documented. The personnel tasked with conducting the assessment have been provided adequate training to effectively conduct such an assessment. Must be verified by Document Review. | 
	
		| 2 | A risk assessment has been conducted with varying degrees of implementation or training on completing such assessment.  Assessment is documented and available for review.  Must be verified by Document Review. | 
	
		
	
		
	
		| 0 | A risk assessment has not been conducted, or documentation does not exist. | 
	
		| 8.105 TSF 2
 | Has the system implemented procedures to limit and monitor authorized access to underground and underwater tunnels?  If so, summarize procedures in the justification. | Interview / Document Review | 
 | Access to underground and underwater tunnels. N/A if the system does not have underground/underwater tunnels. | 4 | The system has well-developed, well-documented policies and procedures in place to limit and monitor access to underground and underwater tunnels.  Must be verified by Document Review. | 
	
		| 2 | Documented policies are in place with varying degrees of implementation.  Verified only by Interview. | 
	
		
	
		
	
		| 0 | Policies and procedures have not been developed or documented. | 
	
		| 8.106 | Are security investments prioritized using information developed in the risk assessment process? | Interview | In justification, examples of improvements based off of risk assessment results should be provided. | Security Investments, examples of security investment prioritization | 4 | Risk assessments play a large role in agency policy and procurement. Security investments are prioritized based on information obtained during risk assessments. This is evident based on the agency's recent security investments that corrected items identified in past risk assessments, or is part of a documented policy. | 
	
		| 2 | Security investments are prioritized based on information obtained during risk assessments; however, this has been implemented or documented with varying degrees of development. | 
	
		
	
		
	
		| 0 | Security investments are not prioritized based on information obtained during risk assessments or risk assessments play no role in financial decisions. | 
	
		| 8.107 TSF 1
 | Upon request, has TSA been provided access to the agency's vulnerability assessments, Security Plan and related documents? | Document Review | 
 | Inspector was able to review all requested documents, including assessments and Security Plans. "Yes" or "no." | 4 | The agency has provided TSA with all requested documents. | 
	
		
	
		| 0 | The agency has not provided TSA with all requested documents. | 
	
		
	
		
	
		| Establish and use an information sharing process for threat and intelligence information | 
	
		| 9.101 | Does the agency have a formalized process and procedures for reporting and exchange of threat and intelligence information with Federal, State, and/or local law enforcement agencies? | Document Review | Inspectors should refer to the MT BASE Guidance, Pg22. | Formalized process of intelligence sharing with Federal, State, and local law enforcement agencies. | 4 | The entity is actively involved with intelligence sharing and has developed a formalized (documented) method of sharing threat/intel information with multiple entities representing local, State and Federal law enforcement. | 
	
		| 2 | The entity has a formalized method of sharing information with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | The entity does not have a formalized method of sharing information with law enforcement entities. | 
	
		| 9.102 TSF 2
 | Does the system report threat and intelligence information directly to FBI Joint Terrorism Task Force (JTTF) or other regional anti-terrorism task force? | Document Review / Interview | 
 | Reporting directly to JTTF or regional anti-terrorism body. "Yes" or "no." | 4 | The agency reports threat/intel information directly to the JTTF or regional anti-terrorism task force.  Must be verified by Document Review. | 
	
		
	
		| 0 | The agency does not report threat/intel information directly to the JTTF or regional anti-terrorism task force. | 
	
		
	
		
	
		| 9.103 TSF2
 | Does the system have a protocol to report threats or significant security concerns to appropriate law enforcement authorities, and TSA's Transportation Security Operations Center (TSOC)? | Document Review / Interview | This question applies to both Regulated and Non-Regulated entities. | Reporting threats and significant security concerns to TSOC and local law enforcement. | 4 | The agency has detailed policies and protocols in place to report real-time threats/significant security concerns to appropriate law enforcement and TSOC. These protocols are documented and include a "time" element (immediately, within "X" hours, etc.).  Must be verified by Document Review. | 
	
		| 2 | The agency has detailed policies and protocols in place to report real-time threats/significant security concerns to appropriate law enforcement or TSOC. These protocols are documented and include a "time" element (immediately, within "X" hours, etc.). | 
	
		| 1 | General/vague policies and procedures are in place with varying degrees of implementation. | 
	
		
	
		| 0 | Policies and procedures are not in place. | 
	
		| 9.104 | Does the agency routinely receive threat and intelligence information directly from any Federal government agency, State Homeland Security Office, Regional or State Intelligence Fusion Center, PT-ISAC, or other transit agencies? | Interview | 
 | Documented evidence of intel receiving (Daily Report, etc.). | 4 | The agency receives threat/intel information at least once per week. | 
	
		| 3 | The agency receives threat/intel information on an every-other-week basis. | 
	
		| 2 | The agency receives threat/intel information on a monthly basis. | 
	
		| 1 | The agency receives threat/intel information on a quarterly basis or information is not directly from an appropriate source. | 
	
		| 0 | The agency does not receive threat/intel information. | 
	
		| 9.105 | Does the agency report their NTA security data to FTA as required by 49 CFR 659? | Interview | 49 CFR PART 659 SSO Only Question | NTA Security Data (regulation) | 4 | The agency reports NTA security data to FTA. | 
	
		
	
		| 0 | The agency does not report NTA security data to FTA. | 
	
		
	
		
	
		| Conduct Tabletop and Functional Drills | 
	
		| 10.101 | Does the agency’s System Safety Program Plan (SSPP) contain or reference a document describing the process used by the agency to develop an approved, coordinated schedule for all emergency management program activities, including local/regional emergency planning and participation in exercises and drills? | Document Review | Inspectors should refer to the MT BASE Guidance, P22. In Justification, describe the agency's approved, coordinated schedule for all emergency management program activities. | Process for developing/ coordinating/ scheduling emergency management activities. | 4 | The agency has developed a detailed process of developing an approved, coordinated schedule for all emergency management program activities, including local/regional emergency planning and participation in exercises and drills. This is documented in the System Safety Program Plan (SSPP) or another document which is referenced in the SSPP. | 
	
		| 2 | The agency has developed a process with varying degrees of implementation or documentation. | 
	
		
	
		
	
		| 0 | The agency has not developed such a process. | 
	
		| 10.102 | Does the agency’s SSPP or SSP describe or reference how the agency performs its emergency planning responsibilities and requirements regarding emergency drills and exercises? | Document Review | 
 | Emergency planning responsibilities and drills/exercises general requirements | 4 | The agency has documented roles and responsibilities that detail how it performs its emergency planning activities, including those related to drills and exercises. Furthermore, the agency has established written requirements for emergency drills and exercises (timelines, method of evaluation, personnel required to participate, etc.). All roles, responsibilities, and requirements are documented in the agency's SSPP or SSP--or another document that is referenced in the SSPP or SSP. | 
	
		| 2 | Roles, responsibilities and requirements regarding emergency planning are developed with varying degrees of implementation or documentation. | 
	
		
	
		
	
		| 0 | Roles, responsibilities and requirements regarding emergency planning are not developed or documented. | 
	
		| 10.103 TSF 5
 | Does the agency evaluate its emergency preparedness by using annual field exercises, tabletop exercises, and/or drills?  If so, please summarize the exercise events held in the past year. | Interview | Agency driven | Agency conducting functional drills and exercises. "Yes" or "no." | 4 | The agency conducts drills and exercises annually with the purpose of evaluating its emergency preparedness procedures. | 
	
		
	
		| 0 | The agency does not conduct drills and exercises annually, or the agency does not use drills/exercises to evaluate emergency preparedness procedures. | 
	
		
	
		
	
		| 10.104 | Does the agency's SSPP or a related document include a requirement for annual field exercises, tabletops and drills? | Document Review | 
 | Annual Requirement. "Yes" or "no." | 4 | The agency has a documented requirement for drills/exercises to be conducted once per year at a minimum. | 
	
		
	
		| 0 | The agency does not have a documented requirement for drills/exercises to be conducted once per year at a minimum. | 
	
		
	
		
	
		| 10.105 | Does the agency’s SSPP or SSP describe or reference how the agency documents the results of its emergency preparedness evaluations (i.e., briefings, after action reports and implementation of findings)? | Document Review | 
 | Results of drills/ exercises/ evaluations, documentation of results. "Yes" or "no." | 4 | The process of drill/exercise evaluation is described and documented in the SSPP, SSP, or another document that is referenced by the SSPP/SSP. | 
	
		
	
		| 0 | The process of evaluation is not documented. | 
	
		
	
		
	
		| 10.106 | Does the agency’s SSPP or a related document describe or reference its program for providing employee training on emergency response protocols and procedures? | Document Review | 
 | Documented training. "Yes" or "no." | 4 | The program for providing employee training on emergency response protocols and procedures is documented. | 
	
		
	
		| 0 | The training program is not documented. | 
	
		
	
		
	
		| 10.107 | Does the agency participate as an active player in full-scale, regional exercises held at least annually? | Interview | Region driven | Active-player participation. "Yes" or "no." | 4 | The agency participates as an active player in full-scale, regional exercises held at least annually. | 
	
		
	
		| 0 | The agency does not participate as an active player in full-scale, regional exercises held at least annually. | 
	
		
	
		
	
		| 10.108 TSF 5
 | In the last year, has the agency conducted and/or participated in a drill, tabletop exercise, and/or field exercise including scenarios involving (i) IEDs and (ii) WMD (chemical, biological, radiological, nuclear) with other transit agencies and first responders (e.g., NTAS scenarios)? | Interview | In Justification, describe the drill/exercise and include date. | Drills: Specific Focus. Participants: other transit agencies, first responders. | 4 | In the last year, the agency has been involved in drills/exercises that specifically focus on IEDs and WMD with appropriate external entities, to include first responders and other transit agencies that operate in the same environment. | 
	
		| 2 | Terrorism-specific drills have been conducted/participated in with varying degrees of action. | 
	
		
	
		
	
		| 0 | Terrorism-specific drills have not been conducted or participated in. | 
	
		| 10.109 TSF 5
 | In the last year, has the agency reviewed results and prepared after-action reports to assess performance and develop lessons learned for all drills, tabletop, and/or field exercises? | Interview / Document Review | 
 | Evaluation of results | 4 | In the last year, the agency has reviewed and prepared after-action reports (or other evaluating report) for all drills and exercises. All evaluations are documented.  Must be verified by Document Review. | 
	
		| 2 | The agency has evaluated drills with varying degrees of implementation or documentation. | 
	
		
	
		
	
		| 0 | The agency has not evaluated drills in the past year. | 
	
		| 10.110 TSF 5
 | In the last 12 months, has the agency updated plans, protocols and processes to incorporate after-action report recommendations/findings and corrective actions?  If so, summarize the actions taken in the justification. | Interview / Document Review | In Justification, summarize the actions taken. | Evaluation of results, plan modifications. "Yes" or "no." | 4 | In the last year, the agency has updated plans, protocols, or processes to incorporate after-action report recommendations/findings.  Must be verified by Document Review. | 
	
		
	
		| 0 | The agency has not made any changes based on the results of drills/exercises. | 
	
		
	
		
	
		| 10.111 | Has the agency established metrics to assess its performance during emergency exercises and to measure improvements? | Interview / Document Review | 
 | Method of analysis | 4 | The agency has developed a formal, objective system of evaluating drill performance. The agency has identified evaluation criteria, establishes drill/exercise goals, and analyzes the results appropriately. This system is documented.  Must be verified by Document Review. | 
	
		| 2 | The agency has established performance metrics with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | The agency has not established metrics to assess performance during emergency exercises. | 
	
		| 10.112 TSF 1
 | Does the system conduct drills and exercises of its security and emergency response plans to test capabilities of i.) employees and ii.) first responders to operate effectively in underwater/underground infrastructure and other critical systems? | Interview | In addition to underwater/underground infrastructure, this question applies to other critical systems as identified by the entity. | Drills in underwater/underground infrastructure and other critical systems. | 4 | The agency conducts exercises of its security and emergency response plans to test operational capabilities of employees and first responders in underwater/underground infrastructure and other critical systems. | 
	
		| 2 | The agency conducts exercises with a varying degree of implementation. | 
	
		
	
		
	
		| 0 | The agency does not conduct exercises related to underwater/underground infrastructure. | 
	
		| 10.113 TSF 5
 | Does the transit system integrate local and regional first responders (law enforcement, firefighters, emergency medical teams) in drills, tabletop exercises, and/or field exercises?  If so, summarize each joint event and state when it took place. | Interview | In justification, summarize each joint event and state when it took place. | Drills with external agencies | 4 | The agency actively reaches out to external emergency agencies (local and regional) when planning and conducting exercises. The agency integrates all appropriate entities: fire, medical, and law enforcement. | 
	
		| 2 | Drills with external agencies have been conducted with varying degrees of inclusion or frequency. | 
	
		
	
		
	
		| 0 | Drills with external agencies have not been conducted. | 
	
		| Developing a Comprehensive Cyber Security Strategy | 
	
		| 11.101 | Has the agency conducted a risk assessment to identify operational control and communication/business enterprise IT assets and potential vulnerabilities? | Document Review / Interview | Inspectors should refer to the MT BASE Guidance, Pg24. | Risk assessment focused on IT SECURITY | 4 | The agency has conducted a risk assessment focused on IT systems as they relate to operational control, communication, and business enterprise. The assessment is documented and addresses threats, vulnerabilities, and consequences.   Must be verified by Document Review. | 
	
		| 2 | The agency has conducted an IT risk assessment with varying degrees of implementation or documentation. | 
	
		
	
		
	
		| 0 | The agency has not conducted an IT risk assessment. | 
	
		| 11.102 | Has the agency implemented protocols to ensure that all IT facilities (e.g., data centers, server rooms, etc.) and equipment are properly secured to guard against internal or external threats or attacks? | Document Review / Interview | 
 | Security measures for critical IT facilities/equipment | 4 | The agency has identified all critical IT facilities/infrastructure and established procedures and protocols that ensure the security (physical and cyber) of these assets. Procedures are well-developed--specifically referencing IT-facilities/equipment and IT-security--and documented.  Must be verified by Document Review. | 
	
		| 2 | Protocols have been established with varying degrees of implementation or documentation. | 
	
		
	
		
	
		| 0 | Such security protocols have not been established. | 
	
		| 11.103 | Has a written strategy been developed and integrated into the overall security program to mitigate the cyber risk identified? | Document Review | 
 | Written IT security measures | 4 | A written IT-security strategy--which includes countermeasures and personnel responsibilities--has been developed to mitigate cyber risk and is part of the overall security program (included as part of the SSP or other appropriate document). | 
	
		| 2 | An IT-security strategy has been developed with varying degrees of implementation or documentation. | 
	
		
	
		
	
		| 0 | An IT-security strategy has not been developed. | 
	
		| 11.104 | Does the agency have a designated representative to secure the internal network through appropriate access controls for employees, a strong authentication (i.e., password) policy, encrypting sensitive data, and employing network security infrastructure (example: firewalls, intrusion detection systems, IT security audits, antivirus, etc.)? | Interview | 
 | IT Security Coordinator | 4 | The agency has formally designated an individual responsible for securing the internal network through appropriate measures. This individual is knowledgeable of the agency's cybersecurity measures, and his/her responsibilities are documented. | 
	
		| 3 | The agency has formally designated an individual responsible for securing the internal network through appropriate measures. This individual is knowledgeable of the agency's cybersecurity measures, but his/her responsibilities are not documented (but widely known). | 
	
		| 2 | The agency has formally designated an individual responsible for securing the internal network. This individual lacks a comprehensive knowledge of the agency's cybersecurity measures. | 
	
		| 1 | An individual has been informally designated, and his/her responsibilities are not widely known. | 
	
		| 0 | An individual has not been designated. | 
	
		| 11.105 | Does the agency ensure that recurring cyber security training reinforces security roles, responsibilities, and duties of employees at all levels to protect against and recognize cyber threats? | Interview | 
 | Recurrent cybersecurity training | 4 | The agency provides ongoing, recurrent cyber training that identifies cyber threats and addresses roles, responsibilities, and duties at all levels to mitigate these threats. Training is part of an official curriculum, utilizes well-developed materials, and is provided in a formal environment (classroom or computer-based). | 
	
		| 2 | IT-security training is provided with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | IT-security training is not provided. | 
	
		| 11.106 | Has the agency established a cyber-incident response and reporting protocol? | Document Review / Interview | 
 | Cyber-incident response and reporting protocols | 4 | The agency has established cyber-incident response and reporting protocols. These procedures are detailed, documented, and address (a) employee actions to be taken in the event of a cyber-incident and (b) to whom cyber-incidents shall be reported.   Must be verified by Document Review. | 
	
		| 2 | Cyber-incident response and reporting protocols have been established with varying degrees of implementation or documentation. | 
	
		
	
		
	
		| 0 | Cyber-incident response and reporting protocols have not been established. | 
	
		| 11.107 | Is the agency aware of and using available resources (e.g., standards, PT-ISAC, US CERT, National Cyber Security Communication and Integration Center, etc.)? | Interview | In Justification, describe resources used by agency. | Available resources. "Yes" or "no." | 4 | The agency is aware of and makes use of available resources. | 
	
		
	
		| 0 | The agency is not aware of available resources or the agency does not use available resources. | 
	
		
	
		
	
		| Control Access to Security Critical Facilities | 
	
		| 12.101 | Have assets and facilities requiring restricted access been identified? | Interview / Document Review | Inspectors should refer to the MT BASE Guidance, Pg26. | Restricted Areas | 4 | Restricted areas are identified and documented. Agency personnel are familiar with their location and restricted status.  Must be verified by Document Review. | 
	
		| 2 | Restricted areas have been identified with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Restricted areas have not been identified. | 
	
		| 12.102 | Are ID badges or other measures employed to restrict access to facilities not open to the public? | Frontline Observation / Interview | 
 | ID Badges | 4 | ID badges (or other effective measure) are issued to all employees with access to restricted areas, and the agency has policies in place requiring their use and/or display.  Must be verified by Frontline Observation. | 
	
		| 2 | ID badges (or other effective measure) are issued with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | ID badges or similar measures are not employed by the agency. | 
	
		| 12.103 TSF 2
 | Has the transit agency developed and implemented procedures to monitor, update and document access control (e.g. card key, ID badges, keys, safe combinations, etc.)? | Interview | 
 | Access Control Monitoring/Updating | 4 | The agency has implemented an access control system that is capable of all of the following: (1) monitoring access; (2) documenting access; and (3) updating access. | 
	
		| 2 | The agency utilizes an access control system with varying degrees of implementation of capability. | 
	
		
	
		
	
		| 0 | The agency's access control procedures are not capable of monitoring, documenting, and updating access. | 
	
		| 12.104 | Does the agency have procedures to issue ID badges for visitors and contractors? | Interview / Frontline Observation | 
 | ID Badges for contractors and visitors | 4 | The agency has documented procedures in place to issue ID badges for visitors and contractors. These procedures are implemented perfectly. | 
	
		| 2 | The agency has procedures in place to issue ID badges for visitors and contractors with varying degrees of implementation or documentation.  Must be verified by Frontline Observation. | 
	
		
	
		
	
		| 0 | The agency does not have procedures for issuing ID badges to visitors and contractors. | 
	
		| 12.105 | Does the agency require escorts for visitors accessing non-public areas? | Interview | 
 | Escorts Policy | 4 | The agency has a documented policy that requires visitors to be escorted when accessing non-public areas. This policy is implemented perfectly. | 
	
		| 2 | The agency has a policy in place with varying degrees of implementation or documentation. | 
	
		
	
		
	
		| 0 | The agency has no escort requirements for visitors. | 
	
		| 12.106 | Is CCTV equipment installed in transit agency facilities? | Interview / Frontline Observation | 
 | CCTV: Facilities | 4 | Effective and capable CCTV systems are installed at all facilities. Must be verified by Frontline Observation. | 
	
		| 2 | Facilities are equipped with CCTV with varying degrees of installation or capability. | 
	
		
	
		
	
		| 0 | Facilities are equipped with CCTV with varying degrees of installation. | 
	
		| 12.107 | Is CCTV equipment protecting critical assets interfaced with an access control system? | Interview | 
 | CCTV: Access Control | 4 | CCTV equipment protecting critical assets is completely integrated with other access control measures (door breach triggers automated CCTV functions, etc.). | 
	
		| 2 | CCTV is interfaced with access control systems with varying degrees of integration. | 
	
		
	
		
	
		| 0 | CCTV is a stand-alone system, not interfaced with access control. | 
	
		| 12.108 | Is CCTV equipment installed on transit vehicles? | Interview | 
 | CCTV: Vehicles | 4 | Effective and capable CCTV systems are installed on a vast majority of the vehicle fleet. | 
	
		| 2 | CCTV is installed with varying degrees of implementation or capability. | 
	
		
	
		
	
		| 0 | CCTV is not installed on vehicles or CCTV is non-functional. | 
	
		| 12.109 | Are Crime Prevention through Environmental Design (CPTED) and technology (e.g., CCTV, access control, intrusion detection, bollards, etc.) incorporated into design criteria for all new and/or existing capital projects? | Interview | 
 | CPTED; Design/Engineering Representative interview | 4 | CPTED is incorporated in the design of all projects. CPTED-related vulnerabilities are identified and corrected promptly using technological solutions or other solutions. | 
	
		| 2 | CPTED criteria are used with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | CPTED criteria are not used. | 
	
		| 12.110 | Based on the risk assessment, does the agency use fencing, barriers, and/or intrusion detection to protect against unauthorized entry into stations, facilities, and other identified critical assets? | Interview | 
 | Physical barriers | 4 | The agency has installed physical barriers or intrusion detection systems to prevent unauthorized access at all appropriate stations, facilities, and critical infrastructure. | 
	
		| 2 | The agency uses barriers and intrusion detection systems with varying degrees of installation or capability. | 
	
		
	
		
	
		| 0 | The agency does not use physical barriers or intrusion detection systems at appropriate stations, facilities and/or critical infrastructure. | 
	
		| 12.111 TSF 2
 | Has the system implemented protective measures to secure high risk/high consequence assets and systems identified in risk assessments?  Examples of protective measures include but are not limited to CCTV, intrusion detection systems, smart camera technology, fencing, enhanced lighting, access control, LE patrols, K-9s, protection of ventilation systems.  If protective measures for this infrastructure are employed, summarize type and location in the justification. | Interview | 
 | Additional measures for high-risk assets | 4 | The agency has identified high risk/high consequence assets and has implemented additional security measures for all such assets. Additional measures are documented. | 
	
		| 2 | The agency has identified high risk/high consequence assets and developed additional security measures with varying degrees of implementation or documentation. | 
	
		
	
		
	
		| 0 | The agency has not identified high risk/high consequence assets and/or implemented additional security measures to protect such assets. | 
	
		| 12.112 | Does the transit agency monitor a network of security, fire, duress, intrusion, utility and internal 911 alarm systems? | Interview | 
 | Alarm monitoring | 4 | The agency has a means of effectively monitoring a network of alarms, including intrusion, life-safety, and other security-related alarms. The agency has plans and procedures in place for responding to such alarms. | 
	
		| 3 | The agency has a means of effectively monitoring a network of alarms. | 
	
		| 2 | The agency has a network of appropriate alarms that are not effectively monitored. | 
	
		| 1 | The agency utilizes an ineffective or insufficient network of alarms. | 
	
		| 0 | The agency has no alarm systems. | 
	
		| 12.113 | Are emergency call boxes provided for passengers? | Physical Observation / Interview | 
 | Call boxes | 4 | Call boxes are installed at all stations, terminals, and appropriate facilities. Call boxes are fully functional. | 
	
		| 2 | Call boxes are installed at varying degrees. Must be verified by Physical Observation. | 
	
		
	
		
	
		| 0 | Call boxes are not used. | 
	
		| 12.114 | Do transit agency personnel administer an automated employee access control system and perform corrective analysis of security breaches? | Interview | 
 | Automated Access Control (employee-controlled badge/keycard entry) | 4 | The agency uses an automated access control system and performs a corrective analysis of all security breaches to prevent future occurrences of a similar nature. This corrective analysis is documented as part of an overarching policy or as part of an identified employee's responsibilities. | 
	
		| 3 | The agency uses an automated access control system and performs a formal corrective analysis of all security breaches to prevent future occurrences of a similar nature. Corrective analysis is being performed, but this responsibility is not documented. | 
	
		| 2 | The agency uses an automated access control system and performs a corrective analysis of some security breaches, including those deemed "important." | 
	
		| 1 | The agency uses an automated access control system, but has not developed procedures to perform corrective analysis of security breaches. | 
	
		| 0 | The agency does not use an automated access control system. | 
	
		| 12.115 | Does the agency have policies and procedures for screening of mail and/or outside deliveries? | Interview | 
 | Mail screening | 4 | The agency has documented policies and specific, well-developed procedures that address the screening of mail or outside deliveries. Procedures are completely implemented. | 
	
		| 2 | The agency has specific, well-developed procedures that are not documented. Procedures are completely implemented. | 
	
		
	
		| 1 | The agency has general procedures in place with varying degrees of implementation. | 
	
		| 0 | The agency has policies or procedures for screening mail or outside deliveries. | 
	
		| 12.116 | Have locks, bullet resistant materials and anti-fragmentation materials been installed/used at critical locations? | Interview | 
 | Breach preparedness at critical locations | 4 | The agency uses multiple methods of breach prevention (locks, anti-frag materials, bullet resistant materials, etc.) at all critical locations. | 
	
		| 2 | The agency utilizes methods of breach prevention at critical locations with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | The agency does not use locks, bullet-resistant materials, or anti-fragmentation materials at critical locations. | 
	
		| 12.117 | Does the agency use National Fire Protection Association (NFPA) Standard 130 or equivalent to evaluate fire/life safety in station design or modification (including fire detection systems, firewalls and flame-resistant materials, back-up powered emergency lighting, defaults in turnstile and other systems supporting emergency exits, and pre-recorded public announcements)? | Interview | 
 | Access Control does not interfere with Safety or Emergency Operations. "Yes" or "no." | 4 | NFPA 130 or equivalent is used in station design or modification criteria. Access Control systems do not interfere with safety or emergency operations. | 
	
		
	
		| 0 | Access control systems interfere with safety or emergency operations. | 
	
		
	
		
	
		| 12.118 | Is directional signage with adequate lighting provided in a consistent manner in all stations, both to provide orientation and to support emergency evacuation? | Physical Observation | 
 | Lighting | 4 | Directional signage and lighting is consistent at all stations and is installed in a manner that supports security, safety and emergency operations. | 
	
		| 2 | Directional signage and lighting is used with varying degrees of implementation or installation. Must be verified by Physical Observation. | 
	
		
	
		
	
		| 0 | Directional signage and lighting does not support security, safety, and emergency operations. | 
	
		| 12.119 | Are gates and locks used on all facility doors to prevent unauthorized access? | Interview / Physical Observation | 
 | Methods of restricting access | 4 | The agency uses gates and locks to prevent unauthorized access at all facilities. Policies and procedures are in place to effectively utilize locks and gates. | 
	
		| 2 | Gates and locks are used with varying degrees of implementation. Must be verified by Physical Observation. | 
	
		
	
		
	
		| 0 | Gates and locks are not used to restrict access to facilities. | 
	
		| 12.120 | Are keys controlled through an established program managed by the security/police function? | Interview | 
 | Key control program | 4 | The agency has a documented key control program that is managed by the security/internal police department. | 
	
		| 2 | The agency has a key control program with varying degrees of documentation or implementation. | 
	
		
	
		
	
		| 0 | The agency has no key control program. | 
	
		| 12.121 | Are gates and locks also used to close down system facilities after operating hours? | Physical Observation / Interview | 
 | Methods of securing facilities | 4 | Gates and locks are used at all facilities that are closed down. Policies and procedures are in place to effectively utilize locks and gates. Must be verified by Physical Observation. | 
	
		| 2 | Gates and locks are used with varying degrees of implementation. Must be verified by Physical Observation. | 
	
		
	
		
	
		| 0 | Gates and locks are not used to secure facilities after operating hours. | 
	
		| 12.122 | Do transit vehicles have radios, silent alarms, and/or passenger communication systems? | Interview | 
 | Means of communication | 4 | All (or the vast majority of) transit vehicles are equipped with radios, silent alarms, and/or passenger communication systems. Policies and procedures are in place to effectively utilize these measures. | 
	
		| 2 | Radios, silent alarms, and/or passenger communication systems are used with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Radios, silent alarms, and/or passenger communication systems are not used. | 
	
		| 12.123 | Does the transit agency use graffiti-resistant/etch-resistant materials for walls, ceilings, and windows? | Interview | 
 | "Broken Windows Theory" | 4 | Graffiti-resistant/etch-resistant materials are used at all (or a vast majority of) facilities. | 
	
		| 2 | Materials are actively deployed at "problematic" areas prone to vandalism. | 
	
		
	
		| 1 | Materials are rarely used. | 
	
		| 0 | Materials are not used. | 
	
		| 12.124 | Are Uninterruptible Power Supply (UPS) or redundant power sources provided for safety and security of critical equipment, such as but not limited to: exit and platform lighting; parking lot lighting; ancillary space and shop lighting; intrusion detection (alarmed rooms and spaces, fare collection equipment, etc.); fire detection, alarm and suppression systems; public address (shop and public areas); call-for-aid telephones; CCTV; emergency trip stations; vital train control functions; etc.? | Interview | 
 | Back-up power for critical safety and security equipment | 4 | Uninterruptible Power Supplies are provided for all safety- and security-critical equipment. | 
	
		| 3 | A combination of UPS and other back-up power is provided for all safety- and security-critical equipment. | 
	
		| 2 | A combination of UPS and other back-up power is provided for a majority of safety- and security-critical equipment. | 
	
		| 1 | A combination of UPS and other back-up power is provided for main facilities. | 
	
		| 0 | The agency has no back-up power capabilities. | 
	
		| 12.125 | At passenger stations at which a vulnerability assessment has identified a significant risk, and to the extent practicable, has the owner/operator removed trash receptacles and other non-essential receptacles or containers  (with the exception of bomb resistant receptacles or clear plastic containers) from the platform areas of passenger terminals and stations? | Interview | 
 | Trash receptacles | 4 | The agency has removed non-explosive resistant trash receptacles from platform areas of terminals and stations. | 
	
		
	
		| 0 | The agency has not removed non-explosive resistant trash receptacles from platform areas of terminals and stations. | 
	
		
	
		
	
		| 12.126 | Does the agency employ specific protective measures for all critical infrastructure  (e.g., tunnels, bridges, stations, control centers, etc) identified through the risk assessment particularly at access points and ventilation infrastructure in place and maintained in optimal condition? Examples of protective measures include, but are not limited to, CCTV, intrusion detection systems, smart camera technology, fencing, lighting, access control, law enforcement patrols, canine patrols, physical protection for ventilation systems.  If protective measures for this infrastructure are employed, summarize type and location in the justification. | Interview | 
 | Protective Measures for Critical Infrastructure | 4 | The agency has formally identified critical infrastructure and deployed specific, effective protective measures, which are maintained and implemented appropriately, at all identified areas. | 
	
		| 2 | The agency has deployed protective measures with varying degrees of implementation or effectiveness. | 
	
		
	
		
	
		| 0 | Measures are not deployed to protect critical infrastructure or critical infrastructure has not been identified. | 
	
		| 12.127 TSF 1
 | Does the agency have or utilize explosive detection canine teams, either maintained by the system or made available from other law enforcement agencies?  If so, has the system implemented procedures for reporting of and response to positive reactions by the canine? | Interview | 
 | Explosive detection canine unit, Mutual Aid Agreements | 4 | The agency utilizes explosive detection canine teams (with appropriate mutual aid agreements established, if necessary) and has established documented policies and procedures regarding their use. | 
	
		| 2 | The agency utilizes explosive detection canine teams with varying degrees of program development. | 
	
		
	
		
	
		| 0 | The agency does not use or have access to explosive detection canine teams. | 
	
		| Conduct Physical Security Inspections | 
	
		| 13.101 TSF 1
 | Does the agency conduct frequent inspections of key facilities, stations, terminals, trains and vehicles, or other critical assets for persons, materials, and items that do not belong? | Document Review / Interview | Inspectors should refer to the MT BASE Guidance, Pg29. | Critical asset inspections (General) | 4 | The agency has procedures in place to conduct security inspections of facilities and vehicles for suspicious items and persons at multiple times per day. These procedures are appropriately documented and implemented perfectly. | 
	
		| 2 | Security inspections are conducted with varying degrees of implementation or documentation. Must be verified by Document Review. | 
	
		
	
		
	
		| 0 | Security inspections are not conducted. | 
	
		| 13.102 | Has the transit agency established procedures for inspecting/sweeping vehicles and stations to identify and manage suspicious items, based on HOT characteristics (hidden, obviously suspicious, not typical) or equivalent system? | Document Review / Frontline Verification | In justification, provide results of interview with Front Line employees. | Inspection procedures reflect "HOT" characteristics. "Yes" or "no." | 4 | Documented security procedures reflect HOT characteristics. Must be verified by Frontline Employees. | 
	
		
	
		| 0 | Documented security procedures do not reflect HOT characteristics. | 
	
		
	
		
	
		| 13.103 | Has the transit agency developed a form or quick reference guide for operations and personnel to conduct pre-trip, post-trip, and within-trip inspections? | Document Review | 
 | Vehicle inspection checklist. "Yes" or "no." | 4 | The agency utilizes a checklist or other widely distributed document that specifically addresses security to assist personnel conducting pre-, post-, and within-trip security inspections. | 
	
		
	
		| 0 | The agency does not use a checklist/form for vehicle security inspections or the agency's checklist/form does not address security. | 
	
		
	
		
	
		| 13.104 | Has the transit agency developed a form or quick reference guide for station attendants and others regarding station and facility inspections? | Document Review | 
 | Facility inspection checklist. "Yes" or "no." | 4 | The agency utilizes a checklist or other widely distributed document that specifically addresses security to assist personnel conducting station/facility inspections. | 
	
		
	
		| 0 | The agency does not use a checklist/form for facility security inspections or the agency's checklist/form does not address security. | 
	
		
	
		
	
		| 13.105 TSF 2 | Does the system document the results of inspections and implement any changes to policies and procedures or implement corrective actions, based on the findings? | Document Review | 
 | Inspection results | 4 | Inspection results are documented and the agency implements corrective actions or other modifications based on these results. This is readily observable in changes made by the agency or is a documented policy. | 
	
		| 2 | Results are documented and changes are made with varying degrees of implementation or documentation. | 
	
		
	
		
	
		| 0 | Results are not documented or inspection results are not a factor in the decision-making process. | 
	
		| 13.106 TSF 2
 | Does the agency conduct frequent inspections of access points, ventilation systems, and the interior of underground/underwater assets and systems for indications of suspicious activity? | Document Review / Interview | 
 | Inspections of non-normal areas. N/A if the system has no underground/underwater tunnels. | 4 | The agency conducts security inspections of non-normal areas (access points, ventilation systems, interior of underground/underwater assets) for indications of suspicious activity multiple times per week. These procedures are documented appropriately and implemented to perfection.  Must be verified by Document Review. | 
	
		| 2 | Security inspections are conducted with varying degrees of implementation or documentation. | 
	
		
	
		
	
		| 0 | Security inspections are not conducted. | 
	
		| 13.107 | Does the system integrate randomness and unpredictability into its security activities to enhance deterrent effect? | Interview / Document Review | Agency should strive to implement and document their own unpredictable security measures using their own resources. | Randomness and unpredictability as it relates to inspections. "Yes" or "no." | 4 | Security activities are conducted at random times and at random intervals and these procedures are documented. Must be verified by Document Review. | 
	
		
	
		| 0 | Security activities are conducted at set times. | 
	
		
	
		
	
		| 13.108 | Is there a process in place, with necessary training provided to personnel, to ensure that in service vehicles are inspected at regular periodic intervals for suspicious or unattended items? Specify type and frequency of inspections. | Interview | In justification, specify type and frequency of inspections. | Security Inspections: Vehicles | 4 | The agency has documented policies and procedures in place to ensure that all in-service rail cars are inspected at multiple times per day for suspicious or unattended items and personnel receive training to properly conduct these inspections. | 
	
		| 2 | Rail cars are inspected with varying degrees of implementation or documentation. | 
	
		
	
		
	
		| 0 | Rail cars are not inspected for suspicious or unattended items. | 
	
		| 13.109 | Is there a process in place, with necessary training provided to personnel, to ensure that all critical infrastructure are inspected at regular periodic intervals for suspicious or unattended items? Specify type and frequency of inspections. | Interview | In justification, specify type and frequency of inspections. | Security Inspections: Critical Infrastructure | 4 | The agency has documented policies and procedures in place to ensure that all critical infrastructure areas are inspected at multiple times per day for suspicious or unattended items and personnel receive training to properly conduct these inspections. | 
	
		| 2 | Critical infrastructure is inspected with varying degrees of implementation or documentation. | 
	
		
	
		
	
		| 0 | Critical infrastructure is not inspected for suspicious or unattended items. | 
	
		| Conduct Background Investigations of Employees and Contractors | 
	
		| 14.101 TSF 2
 | Does the agency conduct background investigations (i.e., criminal history and motor vehicle records) on all new front-line operations and maintenance employees, and employees with access to sensitive security information, facilities and systems? | Interview | Inspectors should refer to the MT BASE Guidance, Pg30. | Background checks, HR Representative interview | 4 | The agency conducts an appropriate level of background check on all frontline employees, maintenance employees, and employees with access to sensitive security information/facilities/systems. | 
	
		| 2 | The agency conducts an appropriate level of background check with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Agency-personnel are not subject to background investigation. | 
	
		| 14.102 TSF 2
 | To the extent allowed by agency policy or law, does the agency conduct background investigations on contractors, including vendors, with access to critical facilities, sensitive security systems, and sensitive security information? | Interview | 
 | Background checks, HR Representative interview | 4 | The agency (a) conducts an appropriate level of background check on relevant contract employees or (b) the agency builds appropriate background check criteria into the bid process and has established a method of verifying/auditing background checks. | 
	
		| 2 | The agency conducts (or requires) an appropriate level of background check with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Relevant contract employees are not subject to background investigation. | 
	
		| 14.103 | Has counsel for the agency reviewed the process for conducting employee background investigations to confirm that procedures are consistent with applicable statutes and regulations? | Interview | 
 | Background checks, HR Representative interview | 4 | The agency's process for conducting background investigations has been reviewed by a legal professional. | 
	
		
	
		| 0 | The agency's process for conducting background investigations has not been reviewed by a legal professional. | 
	
		
	
		
	
		| 14.104 | Is the background investigation process documented? | Document Review | 
 | Background check process, HR Representative interview | 4 | The process for conducting background checks is documented. This includes the following: the method/type of background check utilized, positions that require background checks, who is responsible for conducting the investigation, and other factors of consideration (such as policies restricting the commencement of employment until after the investigation is complete). | 
	
		| 2 | The background investigation process is documented with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | The background investigation process is not documented. | 
	
		| 14.105 | Are the criteria for background investigations based on employee type (senior management staff, law enforcement officers, managers/supervisors, operators, maintenance, safety/security sensitive, contractor, etc.) and/or responsibility and access documented? | Document Review | 
 | Background check process, HR Representative interview | 4 | Background screening criteria (disqualifying conditions) are based on job-function, required level of access, and/or responsibility. Criteria cover all functions that may require a background check. This is documented. | 
	
		| 2 | Background screening criteria (disqualifying conditions) are based on job-function, required level of access, and/or responsibility with varying degrees of implementation or documentation. | 
	
		
	
		
	
		| 0 | Background screening criteria are not documented. | 
	
		| Control Access to documents of security critical systems and facilities | 
	
		| 15.101 TSF 2
 | Does the agency keep documentation of its security critical systems, such as tunnels, bridges, HVAC systems and intrusion alarm detection systems (i.e. plans, schematics, etc.) protected from unauthorized access? | Interview | Inspectors should refer to the MT BASE Guidance, Pg31. | Security-critical documentation, Engineering Representative interview | 4 | The agency has well-developed document control procedures that protect security-critical documentation from unauthorized access. All documents are appropriately protected: plans, schematics, etc. | 
	
		| 2 | The agency has developed document control procedures with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | The agency does not protect security-critical documentation. | 
	
		| 15.102 | Has the agency designated a department/person responsible for administering the access control policy with respect to agency documents? | Interview | 
 | Document control authority. "Yes" or "no" | 4 | A person or department has been formally tasked with administering the access control policy with respect to agency documents. | 
	
		
	
		| 0 | A person or department has not been formally tasked with administering the access control policy with respect to agency documents. | 
	
		
	
		
	
		| 15.103 | Does the security review committee (or other designated group) review document control practices, assess compliance with applicable procedures, and identify discrepancies and necessary corrective action? | Interview | 
 | Document control policy monitoring | 4 | A security review committee actively reviews document control practices, assesses compliance with applicable procedures, and identifies discrepancies and corrective action regularly. | 
	
		| 2 | A security review committee covers document control issues with varying degrees of action. | 
	
		
	
		
	
		| 0 | Document control issues are not addressed by the security review committee. | 
	
		| Process for handling and access to Sensitive Security Information (SSI) | 
	
		| 16.101 | Does the agency have a documented policy for identifying and controlling the distribution of and access to documents  it considers to be Sensitive Security Information (SSI) pursuant to 49 CFR Part 15 or 1520? | Document Review | Inspectors should refer to the MT BASE Guidance, Pg32. | Documented SSI Policy | 4 | The agency has a fully-developed policy for identifying and controlling the distribution of and access to SSI documents. This policy is documented and includes all of the following: (1) what materials are considered SSI; (2) how SSI is marked; (3) who has access to SSI; and (4) how SSI is shared or distributed. | 
	
		| 2 | The agency's SSI policy covers identification and distribution with varying degrees of implementation or documentation. | 
	
		
	
		
	
		| 0 | The SSI policy is not documented or documentation contains no mention of SSI identification and distribution. | 
	
		| 16.102 | Does the agency have a documented policy for proper handling, control, and storage of documents labeled as or otherwise determined to be Sensitive Security Information (SSI) pursuant to 49 CFR Part 15 or 1520? | Document Review | 
 | Documented SSI Policy | 4 | The agency has a fully-developed policy for identifying and controlling the distribution of and access to SSI documents. This policy is documented and includes all of the following: (1) proper handling of SSI (how distribution is tracked, how SSI should be treated once received by employees, etc.); (2) how SSI is stored and secured (locked, encrypted, etc.); and (3) how SSI is destroyed/disposed of. | 
	
		| 2 | The agency's SSI policy covers handling and storage with varying degrees of implementation or documentation. | 
	
		
	
		
	
		| 0 | The SSI policy is not documented or documentation contains no mention of SSI handling or storage. | 
	
		| 16.103 | Are employees who may be provided SSI materials (per 49 CFR Part 15 or 1520) familiar with the documented policy for the proper handling of such materials? | Frontline Verification | 
 | Employee familiarization (requires frontline interviews) | 4 | Based on a random sampling of frontline personnel interviews, all employees who may be provided SSI materials have a working knowledge of the agency's SSI policy--including (a) what constitutes SSI, (b) how it is controlled, (c) how it is handled, and (d) how it is stored. Must be verified. | 
	
		| 2 | Based on a random sampling of frontline interviews, employees who may be provided SSI materials have a working knowledge of the agency's SSI policy with varying degrees of familiarity. Must be verified. | 
	
		
	
		
	
		| 0 | Based on a random sampling of frontline interviews, employees who may be provided SSI materials are not familiar with the agency's SSI policy or such a policy does not exist. | 
	
		| 16.104 | Have employees provided access to SSI material per 49 CFR Part 15 or 1520 received training on proper labeling, handling, dissemination, and storage (such as through the TSA on-line SSI training program)? | Frontline Verification | 
 | SSI Training development and implementation (requires frontline interviews) | 4 | The agency has established official SSI training (with appropriate materials), and based on a sampling of frontline personnel interviews, all employees who may be provided access to SSI have been provided the training.  Must be verified. | 
	
		| 2 | Based on a sampling of frontline interviews, SSI training has been provided with varying degrees of implementation or development. Must be verified. | 
	
		
	
		
	
		| 0 | SSI training has not been provided or has not been developed. | 
	
		| Audit Program | 
	
		| 17.101 | Has the agency established a schedule for conducting  its internal security audit process? | Document Review | Inspectors should refer to the MT BASE Guidance, Pg32. | Established Schedule Internal Security Audit (self-assessment). An audit is focused on  practices identified in the SSP and ensuring these policies are implemented and followed effectively. | 4 | The agency has a documented schedule for conducting internal security audits in an ongoing manner over a three-year period. | 
	
		| 2 | The agency has developed a schedule for conducting internal security audits with varying degrees of documentation. | 
	
		
	
		
	
		| 0 | The agency has no documented schedule for conducting internal security audits. | 
	
		| 17.102 | Does the SSP contain a description of the process used by the agency to audit its implementation of the SSP over the course of the agency's published schedule? | Document Review | In justification, provide description of process. | Process Description: Internal Security Audit (self-assessment). An audit is focused on  practices identified in the SSP and ensuring these policies are implemented and followed effectively. | 4 | The agency has a detailed, well-documented process for conducting internal security reviews. This process is described in the SSP and includes the following: (1) what activities and documents are audited; (2) how these items are audited (methods of verification); and (3) the extent/depth/level of the audit. | 
	
		| 2 | The SSP contains a description of the internal security audit process with varying degrees of development or documentation. | 
	
		
	
		
	
		| 0 | The SSP does not contain a description of the internal security audit process. | 
	
		| 17.103 | Has the transit agency established checklists and procedures to govern the conduct of its internal security audit process? | Document Review | 
 | Checklists: Internal Security Audit (self-assessment). An audit is focused on  practices identified in the SSP and ensuring these policies are implemented and followed effectively. | 4 | The agency has well-developed procedures for conducting internal security audits and uses checklists/forms to properly and consistently conduct audits. | 
	
		| 2 | The agency has developed procedures and checklists with varying degrees of development or implementation. | 
	
		
	
		| The agency does not use checklists, but has documented procedures in place. | 
	
		| 0 | The agency has no documented procedures for | 
	
		| 17.104 | Is the transit agency complying with its internal security audit schedule? | Interview / Document Review | 
 | Implementation: Internal Security Audit (self-assessment). An audit is focused on  practices identified in the SSP and ensuring these policies are implemented and followed effectively. "Yes" or "no." | 4 | The agency is conducting internal security audits in a manner that reflects its established schedule. Must be verified by Document Review. | 
	
		
	
		| 0 | The agency is not complying with its established schedule or such a schedule does not exist. | 
	
		
	
		
	
		| 17.105 | Is each internal security audit documented in a written report, which includes evaluation of the adequacy and effectiveness of the SSP element and applicable implementing procedures audited, needed corrective actions, needed recommendations, an implementation schedule for corrective actions and status reporting? | Document Review | 
 | Documentation: Internal Security Audit (self-assessment). An audit is focused on  practices identified in the SSP and ensuring these policies are implemented and followed effectively. | 4 | All internal security audits are documented in a written report, which includes all of the following: (1) evaluation of all audited items, including a policy and its implementation; and (2) corrective/recommended actions. | 
	
		| 2 | Internal security audits are documented with varying degrees of implementation. | 
	
		
	
		
	
		| 0 | Audits are not documented. | 
	
		| 17.106 | In the last 12 months, has the Security Review Committee (or other designated group) addressed the findings and recommendations from the internal security audits, and updated plans, protocols and processes as necessary? | Interview | 
 | Peer Review: Internal Security Audit (self-assessment). An audit is focused on  practices identified in the SSP and ensuring these policies are implemented and followed effectively. | 4 | In the last 12 months, the Security Review Committee has reviewed audit reports, addressed findings, and updated plans and protocols as necessary. | 
	
		| 2 | In the last 12 months, the Security Review Committee has reviewed audit reports with varying degrees of action. | 
	
		
	
		
	
		| 0 | The Security Review Committee does not review audit reports or the committee has not reviewed audit reports within the last 12 months. | 
	
		| 17.107 | Does the transit agency’s internal security audit process ensure that auditors are independent from those responsible for the activity being audited? | Interview | 
 | Independent Auditors: Internal Security Audit (self-assessment). An audit is focused on  practices identified in the SSP and ensuring these policies are implemented and followed effectively. "Yes" or "no." | 4 | Auditors are independent from the individuals they are tasked with auditing to prevent any conflicts of interest. | 
	
		
	
		| 0 | Auditors are not independent from the individuals they are tasked with auditing. | 
	
		
	
		
	
		| 17.108 | Has the agency made its internal security audit schedule available to the SSO agency? | Interview | 49 CFR PART 659 SSO Only Question | SSO: Internal Security Audit (self-assessment). An audit is focused on  practices identified in the SSP and ensuring these policies are implemented and followed effectively. "Yes" or "no." | 4 | The agency has made its internal security audit schedule available to the SSO agency. | 
	
		
	
		| 0 | The agency has not made its internal security audit schedule available to the SSO agency. | 
	
		
	
		
	
		| 17.109 | Has the agency made checklists and procedures used in its internal security audits available to the SSO agency? | Interview | 49 CFR PART 659 SSO Only Question | SSO: Internal Security Audit (self-assessment). An audit is focused on  practices identified in the SSP and ensuring these policies are implemented and followed effectively. "Yes" or "no." | 4 | The agency has made checklists and procedures used in its internal security audits available to the SSO agency. | 
	
		
	
		| 0 | The agency has not made checklists and procedures used in its internal security audits available to the SSO agency. | 
	
		
	
		
	
		| 17.110 | Has the agency notified the SSO agency 30 days prior to the conduct of an internal security audit? | Interview | 49 CFR PART 659 SSO Only Question | SSO: Internal Security Audit (self-assessment). "Yes" or "no." | 4 | The agency has notified the SSO agency 30 days prior to the conduct of an internal security audit. | 
	
		
	
		| 0 | The agency has not notified the SSO agency 30 days prior to the conduct of an internal security audit. | 
	
		
	
		
	
		| 17.111 | Has a report documenting internal security audit process and the status of findings and corrective actions been made available to the SSO agency within the previous 12 months? | Interview | 49 CFR PART 659 SSO Only Question | SSO: Internal Security Audit (self-assessment). "Yes" or "no." | 4 | A report documenting internal security audit process and the status of findings and corrective actions has been made available to the SSO agency within the previous 12 months. | 
	
		
	
		| 0 | A report documenting internal security audit process and the status of findings and corrective actions has not been made available to the SSO agency within the previous 12 months. | 
	
		
	
		
	
		| 17.112 | Has the agency's chief executive certified to the SSO agency that the agency is in compliance with its SSP? | Interview | 49 CFR PART 659 SSO Only Question | SSO: Internal Security Audit (self-assessment). "Yes" or "no." | 4 | The agency's chief executive has certified to the SSO agency that the agency is in compliance with its SSP. | 
	
		
	
		
	
		| 0 | The agency's chief executive has not certified to the SSO agency that the agency is in compliance with its SSP. | 
	
		
	
		| 17.113 | Was that certification included with the most recent annual report submitted to the SSO agency? | Interview | 49 CFR PART 659 SSO Only Question | SSO: Internal Security Audit (self-assessment). "Yes" or "no." | 4 | The previously mentioned certification was included with the most recent annual report submitted to the SSO agency. | 
	
		
	
		| 0 | The previously mentioned certification was not included with the most recent annual report submitted to the SSO agency. | 
	
		
	
		
	
		| 17.114 | If the agency's chief executive was not able to certify to the SSO agency that the agency is in compliance with its SSP, was a corrective action plan developed and made available to the SSO? | Interview | 49 CFR PART 659 SSO Only Question | SSO: Internal Security Audit (self-assessment). "Yes" or "no." | 4 | A corrective action plan was developed and made available to the SSO. | 
	
		
	
		| 0 | A corrective action plan was not developed and made available to the SSO. | 
	
		
	
		
	
	
	
	
	
	
	
	
	
		| DEPARTMENT OF HOMELAND SECURITY | 
 | 
 | 
	
		| Transportation Security Administration | 
 | 
 | 
	
		| Mass Transit | 
 | 
 | 
	
		| Baseline Assessment & Security Enhancement Review Checklist | 
 | 
 | 
	
		| 
 | Company Name: | 
 | 
 | Lead Inspector: | 0 | 
 | 
 | 
	
		| 
 | 0 | 
 | 
 | Assessment Date: | 12/30/1899 | 
 | 
 | 
	
		| 
 | 
 | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 
 | Description | 
 | Findings | Justification | 
 | 
 | 
	
		| Section | 
 | N/A | Score | Source | Score Rationale | 
 | 
 | 
	
		| 
 | MANAGEMENT AND ACCOUNTABILITY | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.000 | Establish Written System Security Plans (SSPs) and Emergency Response Plans (ERPs) | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.100 | System Security Plan (SSP) | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| Blue means Baseline Security Measure
		1.101 | Does the transit agency have a System Security Plan (SSP)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.102 | Does the SSP identify the goals and objectives for the security program? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.103 | Does a written policy statement exist that endorses and adopts the policies and procedures of the SSP that is approved and signed by top management, including the agency's chief executive? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.104 | Is the SSP separate from the agency’s System Safety Program Plan (SSPP)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.105 / T1 | Do the Security and Emergency Response Plans address protection and response for critical underwater tunnels, underground stations/ tunnels and other critical systems, where applicable? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.106 | Does the SSP contain or reference other documents establishing procedures for the management of security incidents by the operations control center (or dispatch center)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.107 | Does the SSP contain or reference other documents establishing plans, procedures, or protocols for responding to security events with external agencies (such as law enforcement, local EMA, fire departments, etc.)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.108 | Does the SSP contain or reference other documents that establish protocols addressing specific threats from (i) Improvised Explosive Devices (IED) and (ii) Weapons of Mass Destruction (chemical, biological, radiological hazards)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.109 / T3 | Are visible, random security measures integrated into security plans to introduce unpredictability into security activities for deterrent effect? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.110 | Does the SSP include provisions requiring that security be addressed in extensions, major projects, new vehicles and equipment procurement and other capital projects, and including integration with the transit agency’s safety certification process? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.111 | Does the SSP include or reference other documents adopting Crime Prevention Through Environmental Design (CPTED) principles as part of the agency's engineering practices? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.112 | Does the SSP require an annual review? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.113 | Does the transit agency produce periodic reports reviewing its progress in meeting its SSP goals and objectives? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.114 | Has an annual review of the SSP been performed and documented in the preceding 12 months? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.115 | Does the SSP outline a process for securing SSO agency review and approval of updates to the SSP? | 
 | 
 |  |  | 
 | 
 | 
	
		| 1.116 | Has the transit agency submitted and received documentation from the SSO confirming its review and approval of the SSP currently in effect? | 
 | 
 |  |  | 
 | 
 | 
	
		| 1.200 | Emergency Response Plan (ERP) | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.201 | Does the transit agency have an Emergency Response Plan (ERP)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.202 | Does a written policy statement exist that endorses and adopts the policies and procedures of the ERP that is approved and signed by top management, including the agency's chief executive? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.203 | Does the ERP require an annual review to determine if it needs to be updated? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.204 | Has an annual review of the ERP been performed and documented in the preceding 12 months? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.205 | Does the ERP include a process or review provision to ensure coordination with the transit agency’s SSPP and SSP? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.206 | Has the transit agency received documentation from the SSO confirming its review and approval of the ERP currently in effect? | 
 | 
 |  |  | 
 | 
 | 
	
		| 1.207 | Does the ERP contain or reference other documents establishing plans, procedures, or protocols for responding to emergency events with external agencies (such as law enforcement, local EMA, fire departments, etc.)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.208 | Does the ERP contain or reference other documents that establish procedures for the management of emergency events, including those to be employed by the operations control center (or dispatch center)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.209 | Does the ERP contain or reference other documents to provide for Continuity of Operations (COOP) while responding to emergency events? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.210 | Does the agency have a written Business Recovery Plan to guide restoration of facilities and services following an emergency event? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.211 | Does the agency have a written Business Continuity Plan and COOP to guide restoration of facilities and services following an emergency event? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 1.212 | Does the agency have a back-up operations control center capability? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 2.000 | Define Roles and Responsibilities for Security and Emergency Management | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 2.100 | System Security Plan (SSP) | 
 | a | 
 | 
 | 
 | 
 | 
	
		| 2.101 | Does the SSP establish and assign responsibility for implementation of the security program to a Senior Manager who is a "direct report" to the agency's Chief Executive Officer? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 2.102 | Has the agency established lines of delegated authority/succession of security responsibilities and, if so, has that information been distributed to agency managers? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 2.103 | Are roles and responsibilities for security and/or law enforcement personnel assigned by title and/or position established in the SSP or other documents? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 2.104 | Are security-related roles and responsibilities for non-security and/or law enforcement personnel  (i.e., operators, conductors, maintenance workers and station attendants) established in the SSP or other documents? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 2.105 / T2 | Do senior staff and middle management conduct security meetings to review recommendations for changes to plans and processes? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 2.106 | Does a Security Review Committee (or other designated group) regularly review security incident reports, trends, and program audit findings? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 2.107 | Are informational briefings with appropriate personnel held whenever security protocols, threat levels, or protective measures  are updated or as security conditions warrant? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 2.108 | Have appropriate reference guides or other written instructions or procedures been distributed to transit employees to implement the requirements of the SSP? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 2.109 | Has the agency appointed a Primary and Alternate Security Coordinator to serve as its primary and immediate 24-hr contact for intelligence and security-related contact with TSA, and are the names of those Coordinators on file with the TSA OSPIE office correct? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 2.110 | Does the agency maintain a record of security related incidents that are reported within the agency? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 2.200 | Emergency Response Plan (ERP): | 
 | a | 
 | 
 | 
 | 
 | 
	
		| 2.201 | Does the ERP establish and assign responsibility for implementation of the security program to a Senior Manager who is a "direct report" to the agency's Chief Executive Officer? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 2.202 | Are emergency response roles and responsibilities for all departments identified in the ERP or other supporting documents? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 2.203 / T5 | Are roles and responsibilities for front-line personnel (i.e. system law enforcement, system security officials, train or vehicle operators, conductors, station attendants, maintenance workers) described in the system's Emergency Response Plan (ERP)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 2.204 | Has the ERP been distributed to appropriate departments in the organization? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 2.205 | Have appropriate reference guides or other written instructions or procedures been distributed to transit employees to implement the requirements of the ERP? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 2.206 | Are senior staff and middle management ERP coordination meetings held on a regular basis? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 2.207 | Are informational briefings with appropriate personnel held whenever emergency response protocols are substantially changed or updated? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 3.000 | Ensure that operations and maintenance supervisors, forepersons and managers are held accountable for security issues under their control | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 3.101 | Do managers and supervisors routinely provide information to front-line personnel regarding security and emergency response issues? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 3.102 | Are regular supervisor, manager, and/or foreperson security review and coordination briefings held?  If so, detail frequency and subjects covered in the justification. | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 3.103 | Does the agency have a program for confirming that personnel have a working knowledge of security protocols?  If so, summarize program in the justification. | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 3.104 | Are managers and/or supervisors required to debrief front-line employees regarding their involvement in or management of any security or emergency incidents? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 4.000 | Coordinate Security and Emergency Management Plan(s) with local and regional agencies | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 4.101 | Have Mutual Aid agreements been established between the transit agency and entities in the area that would be called upon to supplement the agency's resources in the event of an emergency event? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 4.102 | Does the agency participate in a regional Emergency Management Working Group or similar regional coordinating body for emergency preparedness and response? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 4.103 | Have regional incident management protocols been shared with the agency and incorporated into the agency's ERP/SSP/SEPP? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 4.104 | Have agency resources been appropriately identified and provided to the regional EMA? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 4.105 | Does the agency have a designated point-of-contact or liaison with the local/regional Emergency Operations Center (EOC)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 4.106 | Does the agency send a representative to the local/regional EOC, should it be activated? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 4.107 | Does the agency have information sharing capabilities with the regional/local EOC (i.e., contacts, procedures, resource inventories, etc.)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 4.108 | Has the agency developed internal incident management protocols that comply with the National Response Plan and the National Incident Management System (NIMS)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 4.109 | Have the agency's emergency response protocols been shared with the EMA and appropriate first responder agencies? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 4.110 / T5 | Has the transit system tested its communications systems for interoperability with appropriate emergency response agencies? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 4.111 | If the agency's communications systems are NOT inter-operable with appropriate emergency response agencies, have alternate communication protocols been established?  Describe the alternate communication protocols in the justification. | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 
 | SECURITY AND EMERGENCY RESPONSE TRAINING | 
 | a | 
 | 
 | 
 | 
 | 
	
		| 5.000 | Establish and Maintain a Security and Emergency Training Program | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.101 / T4 | Is initial training provided to all new agency employees regarding security orientation/awareness? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.102 / T4 | Is annual refresher training provided regarding security orientation/awareness to Senior Management staff, managers and supervisors? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.103 / T4 | Is annual refresher training provided regarding security orientation/awareness to managers and supervisors? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.104 / T4 | Is annual refresher training provided regarding security orientation/awareness  to front-line employees? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.105 | Is ongoing advanced security training focused on job function provided at least annually? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.106 / T4 | Is initial training provided to all new transit employees regarding emergency response? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.107 / T4 | Is annual refresher training provided regarding emergency response to Senior Management staff, supervisors, and managers? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.108 / T4 | Is annual refresher training provided regarding emergency response to Managers and Supervisors? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.109 / T4 | Is annual refresher training provided regarding emergency response to front-line Employees? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.110 / T4 | Have agency employees received general training on Incident Command System (ICS) procedures in accordance with National Incident Management System at least annually? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.111 | Has ICS and NIMS training appropriate to the position been provided to Senior Management staff, supervisors, and managers at least annually? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.112 | Has ICS and NIMS training appropriate to the position been provided to managers and supervisors at least annually? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.113 | Has ICS and NIMS training appropriate to the position been provided to front-line employees at least annually? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.114 | Has the agency developed a program and provided annual training on its own incident response protocols? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.115 / T4 | Has training on the agency's incident response protocols appropriate to the position been provided to Senior Management staff, managers and supervisors at least annually? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.116 / T4 | Has training on the agency's incident response protocols appropriate to the position been provided to managers and supervisors? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.117 / T4 | Has training on the agency's incident response protocols appropriate to the position been provided to front-line employees at least annually? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.118 / T4 | Has the transit system implemented an annual training program for personnel regarding response to terrorism, including (i) Improvised Explosive Devices and (ii) Weapons of Mass Destruction (chemical, biological, radiological, nuclear)? If so, summarize the relevant programs in the justification. | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.119 | Has training focused on IEDs and WMDs appropriate to the position been provided to Senior Management staff, managers, and supervisors at least annually? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.120 | Has training focused on IEDs and WMDs appropriate to the position been provided to managers and supervisors? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.121 | Has training focused on IEDs and WMDs appropriate to the position been provided to front-line employees at least annually? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.122 | Do law enforcement/security department personnel at the agency receive specialized training in counter-terrorism annually? Summarize program in the justification. | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.123 | Do law enforcement/security department personnel at the agency receive specialized training supporting their incident management and emergency response roles at least annually? Summarize program in the justification. | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.124 | Does the agency have an established program to monitor employee training and to schedule employees for training? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.125 | Does the agency have a system that records and tracks personnel training for all security-related courses (including initial, annual, periodic and other)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.126 | Does the transit agency have a system that records and tracks personnel training for emergency response courses (including initial, periodic and other)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.127 | Does the agency have a program to regularly review and update security awareness and emergency response training materials? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.128 / T4 | Are all appropriate personnel notified via briefings, email, voicemail, or signage of changes in threat condition, protective measures or the employee watch programs? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.129 / T1 | Do the agency's security awareness and emergency response training programs cover response and recovery operations in critical facilities and infrastructure?  If so, summarize relevant provisions of program in the justification. | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.130 / T1 | Has the agency provided training to regional first responders (law enforcement agencies, firefighters, and emergency medical response teams) to enable them to operate in critical facilities and infrastructure? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.131 / T3 | Does training of transit system law enforcement and/or security personnel integrate the concept and employment of visible, random security measures? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 5.132 / T4 | Has the agency implemented a program to train or orient first responders (law enforcement, firefighters, emergency medical teams) and other potential supporting assets (e.g., TSA regional personnel for VIPR exercises) on their system vehicle familiarization? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 
 | NATIONAL TERRORISM ADVISORY SYSTEM (NTAS) | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 6.000 | Establish plans and protocols to respond to the National Terrorism Advisory System (NTAS) | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 6.101 | Does the SSP contain or reference other documents identifying incremental actions (imminent or elevated) to be implemented for an NTAS threat? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 6.102 / T2 | Does the agency have actionable operational response protocols for the specific threat scenarios from NTAS? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 6.103 | Has the agency provided annual training and/or instruction focused on job function regarding the incremental activities to be performed by employees? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 
 | PUBLIC AWARENESS | 
 | a | 
 | 
 | 
 | 
 | 
	
		| 7.000 | Implement and reinforce a Public Security and Emergency Awareness program | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 7.101 | Has the transit agency developed and implemented a public security and emergency awareness program? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 7.102 / T6 | Does the agency provide active public outreach for security awareness and emergency preparedness (e.g., Transit Watch, “If You See Something, Say Something”, message boards, brochures, channel cards, posters, fliers)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 7.103 / T6 | Is the above consistent with the agency's overall announcement program? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 7.104 / T6 | Are general security awareness and emergency preparedness messages included in public announcement messages at stations and on board vehicles? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 7.105 / T6 | Are passengers urged to report unattended property, suspicious behavior, and security concerns to uniformed crew members, law enforcement or security personnel, and/or a contact telephone number?  If so, summarize the type of materials used and content in the justification. | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 7.106 / T6 | Does the agency have an appropriate mechanism in place (e.g., 1-800 number, smart phone applications, social media, etc.) that passengers can call or use to report security concerns? If so, is this information indicated in public awareness materials and messages? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 7.107 | Does the agency issue public service announcements or press releases to social media (e.g. Twitter/ Facebook/etc., QRC codes, and/or apps for smart phones) regarding security and emergency protocols? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 7.108 / T6 | Does the agency issue public service announcements or press releases to local media (e.g. newspaper, radio and/or television) regarding security or emergency protocols? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 7.109 | Does the transit agency conduct a volunteer training program for non-employees to aid with system evacuations and emergency response? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 7.110 | Does the transit agency conduct an outreach program to enlist members of the public as security awareness volunteers, similar to Neighborhood Watch programs? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 7.111 / T1 | Do public awareness materials and/or messages inform passengers on the means to evacuate safely from transit vehicles and underwater/underground facilities? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 7.112 | Does the agency track and monitor customer complaints reported by passengers? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 
 | RISK MANAGEMENT | 
 | a | 
 | 
 | 
 | 
 | 
	
		| 8.000 | Establish and use a risk management process | 
 | a | 
 | 
 | 
 | 
 | 
	
		| 8.101 / T2 | Does the agency have a risk assessment process approved by its management, for managing threats and vulnerabilities?  If so, summarize the process in the justification. | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 8.102 | Has the agency identified facilities and systems it considers to be its critical assets? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 8.103 / T2 | Has the agency had an internal or external vulnerability assessment on its critical assets within the past 3 years?  Specify the dates of the most recent assessments and the entity(ies) that conducted the assessment(s). | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 8.104 / T1 | Has the agency had an internal or external Risk Assessment, analyzing threat, vulnerability, & consequence, for critical assets and infrastructure, and systems within the past 3 years?  Have management and staff responsible for the risk assessment process been properly trained to manage the process? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 8.105 / T2 | Has the system implemented procedures to limit and monitor authorized access to underground and underwater tunnels?  If so, summarize procedures in the justification. | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 8.106 | Are security investments prioritized using information developed in the risk assessment process? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 8.107 / T1 | Upon request, has TSA been provided access to the agency's vulnerability assessments, Security Plan and related documents? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 
 | ESTABLISH A RISK ASSESSMENT AND INFORMATION SHARING PROCESS | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 9.000 | Establish and use an information sharing process for threat and intelligence information. | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 9.101 | Does the agency have a formalized process and procedures for reporting and exchange of threat and intelligence information with Federal, State, and/or local law enforcement agencies? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 9.102 / T2 | Does the system report threat and intelligence information directly to FBI Joint Terrorism Task Force (JTTF) or other regional anti-terrorism task force? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 9.103 / T2 | Does the system have a protocol to report threats or significant security concerns to appropriate law enforcement authorities, and TSA's Transportation Security Operations Center (TSOC)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 9.104 | Does the agency routinely receive threat and intelligence information directly from any Federal government agency, State Homeland Security Office, Regional or State Intelligence Fusion Center,  PT-ISAC, or other transit agencies? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 9.105 | Does the agency report their NTA security data to FTA as required by 49 CFR 659? | 
 | 
 |  |  | 
 | 
 | 
	
		| 
 | DRILLS AND EXERCISES | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 10.000 | Conduct Tabletop and Functional Drills | 
 | a | 
 | 
 | 
 | 
 | 
	
		| 10.101 | Does the agency’s System Safety Program Plan (SSPP) contain or reference a document describing the process used by the agency to develop an approved, coordinated schedule for all emergency management program activities, including local/regional emergency planning and participation in exercises and drills? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 10.102 | Does the agency’s SSPP or SSP describe or reference how the agency performs its emergency planning responsibilities and requirements regarding emergency drills and exercises? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 10.103 / T5 | Does the agency evaluate its emergency preparedness by using annual field exercises, tabletop exercises, and/or drills?  If so, please summarize the exercise events held in the past year. | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 10.104 | Does the agency's SSPP or a related document include a requirement for annual field exercises, tabletops and drills? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 10.105 | Does the agency’s SSPP or SSP describe or reference how the agency documents the results of its emergency preparedness evaluations (i.e., briefings, after action reports and implementation of findings)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 10.106 | Does the agency’s SSPP or a related document describe or reference its program for providing employee training on emergency response protocols and procedures? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 10.107 | Does the agency participate as an active player in full-scale, regional exercises held at least annually? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 10.108 / T5 | In the last year, has the agency conducted and/or participated in a drill, tabletop exercise, and/or field exercise including scenarios involving (i) IEDs and (ii) WMD (chemical, biological, radiological, nuclear) with other transit agencies and first responders (e.g., NTAS scenarios)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 10.109 / T5 | In the last year, has the agency reviewed results and prepared after-action reports to assess performance and develop lessons learned for all drills, tabletop, and/or field exercises? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 10.110 / T5 | In the last 12 months, has the agency updated plans, protocols and processes to incorporate after-action report recommendations/findings and corrective actions?  If so, summarize the actions taken in the justification. | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 10.111 | Has the agency established metrics to assess its performance during emergency exercises and to measure improvements? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 10.112 / T1 | Does the system conduct drills and exercises of its security and emergency response plans to test capabilities of (i) employees and (ii) first responders to operate effectively in underwater/underground infrastructure and other critical systems? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 10.113 / T5 | Does the transit system integrate local and regional first responders (law enforcement, firefighters, emergency medical teams) in drills, tabletop exercises, and/or field exercises?  If so, summarize each joint event and state when it took place. | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 11.000 | Developing a Comprehensive Cyber Security Strategy | 
 | a | 
 | 
 | 
 | 
 | 
	
		| 11.101 | Has the agency conducted a risk assessment to identify operational control and communication/business enterprise IT assets and potential vulnerabilities? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 11.102 | Has the agency implemented protocols to ensure that all IT facilities (e.g., data centers, server rooms, etc.) and equipment are properly secured to guard against internal or external threats or attacks? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 11.103 | Has a written strategy been developed and integrated into the overall security program to mitigate the cyber risk identified? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 11.104 | Does the agency have a designated representative to secure the internal network through appropriate access controls for employees, a strong authentication (i.e., password) policy, encrypting sensitive data, and employing network security infrastructure (example: firewalls, intrusion detection systems, IT security audits, antivirus, etc.)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 11.105 | Does the agency ensure that recurring cyber security training reinforces security roles, responsibilities, and duties of employees at all levels to protect against and recognize cyber threats? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 11.106 | Has the agency established a cyber-incident response and reporting protocol? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 11.107 | Is the agency aware of and using available resources (e.g., standards, PT-ISAC, US CERT, National Cyber Security Communication and Integration Center, etc.)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 
 | FACILITY SECURITY AND ACCESS CONTROLS | 
 | a | 
 | 
 | 
 | 
 | 
	
		| 12.000 | Control Access to Security Critical Facilities with ID badges for all visitors, employees and contractors | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.101 | Have assets and facilities requiring restricted access been identified? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.102 | Are ID badges or other measures employed to restrict access to facilities not open to the public? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.103 / T2 | Has the transit agency developed and implemented procedures to monitor, update and document access control (e.g. card key, ID badges, keys, safe combinations, etc.)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.104 | Does the agency have procedures to issue ID badges for visitors and contractors? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.105 | Does the agency require escorts for visitors accessing non-public areas? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.106 | Is CCTV equipment installed in transit agency facilities? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.107 | Is CCTV equipment protecting critical assets interfaced with an access control system? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.108 | Is CCTV equipment installed on transit vehicles? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.109 | Are Crime Prevention through Environmental Design (CPTED) and technology (e.g., CCTV, access control, intrusion detection, bollards, etc.) incorporated into design criteria for all new and/or existing capital projects? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.110 | Based on the risk assessment, does the agency use fencing, barriers, and/or intrusion detection to protect against unauthorized entry into stations, facilities, and other identified critical assets? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.111 / T2 | Has the system implemented protective measures to secure high risk/high consequence assets and systems identified in risk assessments? Examples of protective measures include but are not limited to CCTV, intrusion detection systems, smart camera technology, fencing, enhanced lighting, access control, LE patrols, K-9s, protection of ventilation systems. If protective measures for this infrastructure are employed, summarize type and location in the justification. | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.112 | Does the transit agency monitor a network of security, fire, duress, intrusion, utility and internal 911 alarm systems? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.113 | Are emergency call boxes provided for passengers? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.114 | Do transit agency personnel administer an automated employee access control system and perform corrective analysis of security breaches? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.115 | Does the agency have policies and procedures for screening of mail and/or outside deliveries? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.116 | Have locks, bullet resistant materials and anti-fragmentation materials been installed/used at critical locations? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.117 | Does the agency use National Fire Protection Association (NFPA) Standard 130 or equivalent to evaluate fire/life safety in station design or modification (including fire detection systems, firewalls and flame-resistant materials, back-up powered emergency lighting, defaults in turnstile and other systems supporting emergency exits, and pre-recorded public announcements)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.118 | Is directional signage with adequate lighting provided in a consistent manner in all stations, both to provide orientation and to support emergency evacuation? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.119 | Are gates and locks used on all facility doors to prevent unauthorized access? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.120 | Are keys controlled through an established program managed by the security/police function? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.121 | Are gates and locks also used to close down system facilities after operating hours? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.122 | Do transit vehicles have radios, silent alarms, and/or passenger communication systems? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.123 | Does the transit agency use graffiti-resistant/etch-resistant materials for walls, ceilings, and windows? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.124 | Are Uninterruptible Power Supply (UPS) or redundant power sources provided for safety and security of critical equipment, such as but not limited to: exit and platform lighting; parking lot lighting; ancillary space and shop lighting; intrusion detection (alarmed rooms and spaces, fare collection equipment, etc.); fire detection, alarm and suppression systems; public address (shop and public areas); call-for-aid telephones; CCTV; emergency trip stations; vital train control functions; etc.? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.125 | At passenger stations at which a vulnerability assessment has identified a significant risk, and to the extent practicable, has the owner/operator removed trash receptacles and other non-essential receptacles or containers (with the exception of bomb resistant receptacles or clear plastic containers) from the platform areas of passenger terminals and stations? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.126 | Does the agency employ specific protective measures for all critical infrastructure (e.g., tunnels, bridges, stations, control centers, etc.) identified through the risk assessment, particularly at access points and ventilation infrastructure, in place and maintained in optimal condition? Examples of protective measures include, but are not limited to, CCTV, intrusion detection systems, smart camera technology, fencing, lighting, access control, law enforcement patrols, canine patrols, physical protection for ventilation systems. If protective measures for this infrastructure are employed, summarize type and location in the justification. | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 12.127 / T1 | Does the agency have or utilize explosive detection canine teams, either maintained by the system or made available from other law enforcement agencies?  If so, has the system implemented procedures for reporting of and response to positive reactions by the canine? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 13.000 | Conduct Physical Security Inspections | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 13.101 / T1 | Does the agency conduct frequent inspections of key facilities, stations, terminals, trains and vehicles, or other critical assets for persons, materials, and items that do not belong? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 13.102 | Has the transit agency established procedures for inspecting/sweeping vehicles and stations to identify and manage suspicious items, based on HOT characteristics (hidden, obviously suspicious, not typical) or equivalent system? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 13.103 | Has the transit agency developed a form or quick reference guide for operations and personnel to conduct pre-trip, post-trip, and within-trip inspections? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 13.104 | Has the transit agency developed a form or quick reference guide for station attendants and others regarding station and facility inspections? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 13.105 / T2 | Does the system document the results of inspections and implement any changes to policies and procedures or implement corrective actions, based on the findings? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 13.106 / T2 | Does the agency conduct frequent inspections of access points, ventilation systems, and the interior of underground/underwater assets and systems for indications of suspicious activity? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 13.107 | Does the system integrate randomness and unpredictability into its security activities to enhance deterrent effect? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 13.108 | Is there a process in place, with necessary training provided to personnel, to ensure that in-service vehicles are inspected at regular periodic intervals for suspicious or unattended items? Specify type and frequency of inspections. | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 13.109 | Is there a process in place, with necessary training provided to personnel, to ensure that all critical infrastructure is inspected at regular periodic intervals for suspicious or unattended items? Specify type and frequency of inspections. | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 
 | BACKGROUND INVESTIGATIONS | 
 | 
 | 
 | 
 | 
 | 
	
		| 14.000 | Conduct Background Investigations of Employees and Contractors | 
 | 
 | 
 | 
 | 
 | 
	
		| 14.101 / T2 | Does the agency conduct background investigations (i.e., criminal history and motor vehicle records) on all new front-line operations and maintenance employees, and employees with access to sensitive security information, facilities and systems? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 14.102 / T2 | To the extent allowed by agency policy or law, does the agency conduct background investigations on contractors, including vendors, with access to critical facilities, sensitive security systems, and sensitive security information? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 14.103 | Has counsel for the agency reviewed the process for conducting employee background investigations to confirm that procedures are consistent with applicable statutes and regulations? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 14.104 | Is the background investigation process documented? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 14.105 | Are the criteria for background investigations based on employee type (senior management staff, law enforcement officers, managers/supervisors, operators, maintenance, safety/security sensitive, contractor, etc.) and/or responsibility and access documented? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 
 | DOCUMENT CONTROL | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 15.000 | Control Access to documents of security critical systems and facilities | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 15.101 / T2 | Does the agency keep documentation of its security critical systems, such as tunnels, bridges, HVAC systems and intrusion alarm detection systems (i.e. plans, schematics, etc.) protected from unauthorized access? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 15.102 | Has the agency designated a department/person responsible for administering the access control policy with respect to agency documents? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 15.103 | Does the security review committee (or other designated group) review document control practices, assess compliance with applicable procedures, and identify discrepancies and necessary corrective action? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 16.000 | Process for handling and access to Sensitive Security Information (SSI) | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 16.101 | Does the agency have a documented policy for identifying and controlling the distribution of and access to documents it considers to be Sensitive Security Information (SSI) pursuant to 49 CFR Part 15 or 1520? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 16.102 | Does the agency have a documented policy for proper handling, control, and storage of documents labeled as or otherwise determined to be Sensitive Security Information (SSI) pursuant to 49 CFR Part 15 or 1520? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 16.103 | Are employees who may be provided SSI materials (per 49 CFR Part 15 or 1520) familiar with the documented policy for the proper handling of such materials? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 16.104 | Have employees provided access to SSI material per 49 CFR Part 15 or 1520 received training on proper labeling, handling, dissemination, and storage (such as through the TSA on-line SSI training program)? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 
 | SECURITY PROGRAM AUDITS | 
 | 
 | 
 | 
 | 
 | 
	
		| 17.000 | Audit Program | 
 | 
 | 
 | 
 | 
 | 
	
		| 17.101 | Has the agency established a schedule for conducting its internal security audit process? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 17.102 | Does the SSP contain a description of the process used by the agency to audit its implementation of the SSP over the course of the agency's published schedule? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 17.103 | Has the transit agency established checklists and procedures to govern the conduct of its internal security audit process? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 17.104 | Is the transit agency complying with its internal security audit schedule? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 17.105 | Is each internal security audit documented in a written report, which includes evaluation of the adequacy and effectiveness of the SSP element and applicable implementing procedures audited, needed corrective actions, needed recommendations, an implementation schedule for corrective actions and status reporting? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 17.106 | In the last 12 months, has the Security Review Committee (or other designated group) addressed the findings and recommendations from the internal security audits, and updated plans, protocols and processes as necessary? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 17.107 | Does the transit agency’s internal security audit process ensure that auditors are independent from those responsible for the activity being audited? | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 17.108 | Has the agency made its internal security audit schedule available to the SSO agency? | 
 | 
 |  |  | 
 | 
 | 
	
		| 17.109 | Has the agency made checklists and procedures used in its internal security audits available to the SSO agency? | 
 | 
 |  |  | 
 | 
 | 
	
		| 17.110 | Has the agency notified the SSO agency 30 days prior to the conduct of an internal security audit? | 
 | 
 |  |  | 
 | 
 | 
	
		| 17.111 | Has a report documenting the internal security audit process and the status of findings and corrective actions been made available to the SSO agency within the previous 12 months? | 
 | 
 |  |  | 
 | 
 | 
	
		| 17.112 | Has the agency's chief executive certified to the SSO agency that the agency is in compliance with its SSP? | 
 | 
 |  |  | 
 | 
 | 
	
		| 17.113 | Was that certification included with the most recent annual report submitted to the SSO agency? | 
 | 
 |  |  | 
 | 
 | 
	
		| 17.114 | If the agency's chief executive was not able to certify to the SSO agency that the agency is in compliance with its SSP, was a corrective action plan developed and made available to the SSO? | 
 | 
 |  |  | 
 | 
 | 
	
		| 
 | 
 | 
 | 
 | 
 | 
 | 
 | 
 | 
	
		| 
 | Number of items requiring Options for Consideration | 
 | 0 | 
 | 
 | 
 | 
 |