
Completing the Vulnerability Self-Assessment Check

The “Vulnerability Self-Assessment Checklist” requires Microsoft Excel™ to run properly.

The “Vulnerability Self-Assessment Checklist” lists a series of specific security practices that are available and as
objectively determine if these practices are being employed. The Vulnerability Self-Assessment Checklist further se
weaknesses identified. The security practices are identical to the security issues addressed and evaluated during the

The majority of security practices being assessed by the VSAT are applicable to all highway modes (trucking, mot
actions, however, are not applicable to all modes, and mode-specific practices should be answered only by compan
addressed. Some questions have been modified to be mode specific and are identified as "Motorcoach Version," "T
Companies should assess only those practices applicable to their particular operation. In responding to security p
mode, a response of "N/A" would be appropriate.

The “Vulnerability Self-Assessment Checklist” starts by identifying the four (4) main categories into which all securi
& Accountability; Personnel Security; Facility Security; and Vehicle Security. The Checklist then presents a compreh
or “Security Action Items” (SAIs) (shown in Column “A”), that a company may or may not be employing to some de
or “Components” listed (shown in Column “C”) that identify the specific actions that collectively define that SAI. The
SAI Component is then further defined as the “Component Standard,” shown in Column “D.” For each Security
representative or "evaluator" is then asked:

Does your company or facility fully meet the Component Standard shown?
The Evaluator enters an answer Yes or No (N/A may be selected if available) in Column “E”

If you answer “no” because your company does not meet the SAI Component Standard, you have identified a poten

INSTRUCTIONS FOR COMPLETING THE “Vulnerability Self-Assessment Checklist”


The person(s) completing this “Vulnerability Self-Assessment Checklist” should be familiar with all security operati
areas covered in the Checklist include Management & Accountability, Personnel Security, Facility Security and Vehic

Questions should be answered in an honest, unbiased manner. The answers should reflect the evaluator's inform
level of security. This Vulnerability Self-Assessment Checklist is for internal company use with no expectation th
need-to-know. To begin, open the “Checklist” tab.

Fill in Company Name, Date Completed and Name of person completing the assessment as requested.

The appropriate "Mode" for your company should be selected and checked from the drop-down options. T
Motorcoach Terminal; School Bus Company; School District with Buses; and Trucking.

Each column in the Checklist is described as follows:


Column A: “Security Action Item (SAI)” – A list of twenty (20) general Security Action Items (SAIs) that are
implemented by all highway transportation entities.

Column B: “SAI Component Number” - Assigns a unique number to each SAI Component.

Column C: "SAI Component” – Identifies and lists the specific security steps or sub-parts that define the large
examined individually to help establish the overall level of effectiveness for the broader SAI.

Column D: "SAI Component Standard” – Identifies and defines the optimal level of implementation for th
representation of the “standard” that should be in place in order to achieve the maximum level of risk reduction th
The standards are derived from guidance provided by PL 110, Sections 1501-1554, industry engagement, and staff r

Column E: Asks the question, "Does Your Company/Facility Fully Meet This Standard?” – If the SAI Component Sta
company/facility, pick “Yes” from the drop-down options list for the Component being reviewed. Answering “yes”
for this Component. If any portion of the SAI Component Standard is lacking, select “No” from the drop-down
available from the drop-down list.

Each SAI Component must be addressed and answered as "yes or no." An unanswered line defaults to "Awaiti
Changing an answer on the Checklist will automatically revise the Summary Sheet. Once all SAI Components h
Yes/No/N/A answer entered, the evaluator should open the "Summary Sheet" tab.

THE "MITIGATION PRIORITIES" SHEET


Opening the Mitigation Priorities tab will reveal the results of your vulnerability self-assessment. All SAI Componen
will appear in Green shaded cells on the Mitigation Priorities Sheet. All SAI Components not met will appear in a Re
Vulnerabilities), a Yellow shaded box (for Medium Priority Vulnerabilities), or a Blue shaded box (for Low Priority Vu
identified will appear at the top of the Summary Sheet.

Evaluators, in consultation with management, should review the results of the Vulnerability Self-Assessment. Decis
security improvements should be initiated. High Priority Vulnerabilities should be considered first when planning sec
Priority Vulnerabilities should next be considered, in descending order.

The Security Actions shown here are provided as options to be considered. All actions shown are voluntary and com
obligation to implement any specific security measures offered.

NOTE: Conducting a valid Vulnerability Assessment is an essential process for all transportation companies. This Vu
designed for companies that are self-assessing their security vulnerability level. Companies planning to actively par
conducted by a TSA Surface Inspector may choose to forego completing this Checklist and instead, accept the “Exec
as an acceptable Vulnerability Assessment.

PROCEED TO THE CHECKLIST TO BEGIN


Vulnerability Self-Assessment for HMC Stakeholders

Vulnerability Self-Assessment Checklist


Company Name Person Conducting Assessment Date Conducted
<Enter Your Company Here> <Enter Name of Assessor Here> 10/31/2013
<Enter Facility Name or Location Here> <Enter Name of Facility Manager Here>
Mode: <Choose Mode from drop-down>
Column A: SECURITY ACTION ITEMS (SAI'S)
Col B: SAI Component #
Column C: SAI COMPONENT
Column D: SAI COMPONENT STANDARD
Column E: Does your company or facility fully meet this standard? (Yes, No, N/A)

Management and Accountability Section


SAI #1 SAI #1 Components SAI Component Standard
1 This entity designates a qualified primary Security Coordinator/ Director. The entity has a qualified person designated as Security
Coordinator/Director that is responsible for overall transportation
security. Recommended that the security coordinator be a citizen of the
U.S, and have law enforcement, private security, or appropriate military
background; or adequate on-the-job experience. Recognized
supplemental certifications in security, safety, or environmental
programs may be beneficial.

SAI #1 – Have a
Designated 2 This entity designates an alternate Security Coordinator/Director. A qualified individual with this title must be identified (may be a shared
Security title).
Coordinator
3 This entity has policies that specify the transportation related duties of Should have documented specific transportation security related duties
the Security Coordinator. of Security Coordinator. May be found in job description, security plan, or
other documents as appropriate. PL 110, Sec. 1531 states Security
Coordinator duties include: Implement security actions under the
security plan; coordinate security improvements; receive
communications from appropriate federal officials.

SAI #2 SAI #2 Components SAI Component Standard


4 This entity recognizes they may have certain assets of specific interest to Entity should list its assets and determine which may be of specific
terrorists (i.e.: vehicles, IT information, passengers, critical personnel, interest to terrorists. Assets may include vehicles, platforms, stations,
etc.) and considers this factor when developing transportation security terminals, fueling depot, key personnel, information systems, cargo,
practices. passengers, storage areas, etc. Consider detailing security measures to
implement and protect each asset in order to: (1) deter security incidents
that may result in significant local, regional, or national consequences,
and (2) effectively maintain business operations in the event of a loss to
asset(s).

4/9/13
SAI #2 – Conduct a
Thorough Risk
Assessment
5 This entity has conducted a documented, site specific “Vulnerability The entity should conduct and document a site specific “Vulnerability
Assessment” and is generally familiar with any significant threats or Assessment” or improve upon an existing assessment, that addresses
consequences they may face. vulnerabilities and is familiar with threats and consequences present.
Identified weaknesses should be minimized or corrected as soon as
possible.

6 Management generally supports efforts to improve security and provides Management for the entity should support efforts to enhance security
funding and/or approves corrective actions to security vulnerabilities or and should consider ensuring that funds are provided toward mitigation
weaknesses identified. measures designed to address security vulnerabilities identified.

SAI #3 SAI #3 Components SAI Component Standard


7 This entity has a written, site specific transportation Security Plan that Entity should have a site specific Security Plan that addresses
addresses, at a minimum, management procedures, personnel security, management procedures, personnel security, facility security, vehicle
facility security and vehicle security along with actions to be taken in the security, and sets forth actions to be taken in the event of a security
event of a security incident or security breach. incident or security breach.

8 This entity limits access to its security plan or security procedures to The entity should limit access to its Security Plan or security procedures
employees with a "need-to-know.” to employees with a “need-to-know” (i.e., Safety/Security Coordinators,
management). Other employees should have access only to portions of
the plan pertaining specifically to the function of job duties and for
implementing security procedures.

9 This entity requires that employees with access to security procedures The entity should require employees with access to any portion of the
sign a non-disclosure agreement (NDA). Security Plan or security procedures to sign a Non-Disclosure Agreement
(NDA). Although many NDAs apply to the sharing of business
practices/proprietary information, access to critical information such as
risk assessments, Security Plans, critical assets, etc. need to be protected
as well and should be documented in an NDA.
SAI # 3 - Develop a
Security Plan
(Security Specific
Protocols) 10 This entity has written security plans/policies that have been reviewed Security Procedures, including revisions, should be reviewed and
and approved at the entity's executive level. approved at the company's highest (executive) level.
11 This entity has security procedures to be followed by all personnel (i.e., Procedures are in place setting forth the expectations, responsibilities, or
drivers, office workers, maintenance workers, laborers and others) in the limitations for all personnel (drivers, office workers, administrators, etc.)
event of a security breach or incident. in the event of a security incident or breach.

12 This entity requires that their security policies be reviewed at least An annual review of any written security procedures is required, and the
annually and updated as needed. date they were last reviewed or updated noted.

13 Employees are provided with site-specific, up to date contact information "Contact lists" provided to employees should include security personnel
for entity management and/or security personnel to be notified in the to be contacted and the data should be current.
event of a security incident and this entity periodically tests their
notification or "call-tree" procedures.

14 This entity has procedures for 24/7 notification of entity security Guidelines are provided to employees requiring them to notify, at a
personnel and/or local/state/federal authorities to be notified in the minimum, local law enforcement authorities and the security coordinator
event of a security incident. in the event of a security incident or breach.

SAI #4 SAI #4 Components SAI Component Standard


15 Following a significant operational disruption, this entity has procedures The entity should have documented procedures designed to ensure
designed to ensure an appropriate response and the restoration of restoration of facilities and services following a significant operational
facilities and services. (May be in the form of a Business Recovery Plan, disruption. This may be in the form of a Business Recovery Plan,
Continuity of Operations Plan or Emergency Response/Safety Plan). Continuity of Operations Plan, or part of the Emergency Response/Safety
Plan.
SAI # 4 – Plan for
Emergency
Response & 16 This entity ensures all facilities have an auxiliary power source if needed The entity should have procedures in place to ensure the continuity of
Continuity of or the ability to operate effectively from an identified secondary site. operations if needed. Procedures may include data backup,
Operations uninterruptible power supply (generator, battery backup), or having a
secondary site location with full operational capabilities. Secondary
power methods of operation should be tested or practiced occasionally.

SAI #5 SAI #5 Components SAI Component Standard


17 This entity has methods for communicating with drivers during normal The entity should have documented procedures for communicating with
conditions. drivers during routine trips. Procedures should include methods of
communication, transmitting information (including threat); reporting
suspicious activities while en-route and driver check-in. These
procedures should be practiced or discussed regularly to ensure drivers
are properly prepared for future events. Radio, cellphone or public
address equipment (if applicable) is available for the company to
communicate with drivers and/or customers/passengers during normal
conditions.

SAI # 5 – Develop a
Communications
Plan 18 This entity has emergency procedures in place for drivers on the road to The entity should have documented emergency procedures for drivers to
follow in the event normal communications are disrupted. Entity should follow in the event normal communications are disrupted while en-route.
have contingencies in place in the event dispatch system, if applicable, Entities may consider using back-up technology that will function in the
becomes inoperable. event normal communication is disrupted. Other options for drivers may
include: discontinuation of the trip, safe harboring, returning to terminal,
and/or identifying an alternate method of communication. These are
examples of things to consider and plan for in the event communications
fail. This should be part of a written Communications Plan.

SAI #6 SAI #6 Components SAI Component Standard


19 This entity controls access to business documents (i.e. security plans, This facility controls and minimizes internal and external access to
critical asset lists, risk/vulnerability assessments, schematics, drawings, sensitive business information (Operational Security – OPSEC).
manifests, etc.) that may compromise entity security practices.

SAI # 6 - Safeguard
Business and
Security Critical
Information
20 This entity controls personnel information (i.e. SSN, address, drivers This facility controls and minimizes internal and external access to
license, etc.) that may be deemed sensitive in nature. personnel information (keeps files or office locked, computer access
controlled).
21 This entity maintains and safeguards an up-to-date list of all assets that The facility/entity has an adequate inventory control process that
are critical to the continuation of business operations (i.e. vehicles, IT ensures accountability for all at-risk assets (i.e.; products, vehicles,
equipment, products, other equipment, etc.), periodically inventories equipment, and computers) that may be of specific interest to criminals
these assets, and has the ability to determine their general location at and/or terrorists.
any given time.

SAI #7 SAI #7 Components SAI Component Standard


22 Personnel at this entity meet/ communicate with industry peers, partners Security or administrative personnel at this entity/facility belong to and
or associations that share security related information or best practices. meet with one or more industry groups that provide or share resources
(May include individual or corporate membership with an industry trade or security related guidance. (ABA, ACC, ATA, NAPT, NASDOTS, NTTC,
association). OOIDA, UMA, others)
SAI # 7 - Be Aware
of Industry Security
Best Practices. 23 Personnel at this entity have sought and/or obtained transportation This entity has used or provided security related information (best/
related security information or "best practices" guidance from private recommended practices) to or from industry peers or governmental
security concerns, military resources, academic pursuits or governmental partners.
resources.

Personnel Security Section


SAI #8 SAI #8 Components SAI Component Standard
24 This entity requires verification and documentation that persons DMV inquiry required upon hire to verify proper class of license and
operating entity vehicles have a valid driver’s license for the type of driving history, and periodically (at least semi-annually thereafter) or
vehicle driven, along with any applicable endorsement(s) needed. company is enrolled to receive automatic DMV updates.

25 This entity requires a criminal history check, verification of Social Security A fingerprint based background check using a reputable security
number and verification of immigration status for personnel operating company is optimal; or possession of a valid CDL with Haz Mat
entity vehicles. endorsement or TWIC credential.

26 This entity requires a criminal history check, verification of Social Security This entity/facility has security-related criteria that would disqualify
number and verification of immigration status for non-driver employees current or prospective personnel from employment.
with access to security related information or restricted areas.

27 This entity asks prospective drivers if they have been denied a This entity asks applicants if they have been denied a Transportation
SAI # 8 – Conduct Transportation Worker Identification Credential (TWIC) or a Commercial Worker Identification Credential (TWIC) or a Commercial Driver's License
Licensing & Driver's License with HazMat Endorsement (CDL-HME) for employment with HazMat Endorsement (CDL-HME) for employment elsewhere
Background Checks elsewhere specifically as the result of a security background check. specifically as the result of a security background check.
for Drivers /
Employees /
Contractors
28 This entity has security-related criteria that would disqualify current or This entity/facility has written procedures for reviewing, evaluating and
prospective personnel from employment. acting upon any new criminal activity information for current employees
that may come to light.

29 This entity has policies to address criminal allegations that may arise or This entity/facility has comparable licensing and background check
come to light involving current employees. requirements for both company employees and
unsupervised/unescorted contracted employees.

30 The entity requires that contract employees having access to security This entity provides additional security training to employees having specified
related information or restricted areas be held to comparable licensing security responsibilities, or other security training required by applicable federal
and background checks as those required of regular company employees regulation.
(contracted employees may include contractual drivers, unescorted
cleaning crews, etc.).

SAI #9 SAI #9 Components SAI Component Standard


31 This entity provides general security awareness training to all employees This entity/facility provides, at a minimum, general security awareness
(separate from or in addition to regular safety training). training for all employees.

32 This entity provides additional security training to employees having The security training/re-training being offered by this entity/facility is
assigned security responsibilities. specific to the type of transportation operation being conducted
(trucking, school bus, motor coach or infrastructure).

33 This entity provides periodic security re-training to all employees. This entity provides periodic security re-training (recurrent training) no
less than every three years or with change of job.

SAI # 9 – Develop 34 The security training/re-training offered by this entity is specific to and This entity/facility documents and retains records relating to security
and Follow appropriate for the type of transportation operation being conducted training received by employees.
Security Training (trucking, school bus, motor coach or infrastructure mode).
Plan(s)

35 This entity has comparable security training requirements for both This facility requires identical training requirements for both entity
regular employees and contracted employees with security employees and contracted employees.
responsibilities or access to security-related information.

36 This company requires documentation and retention of records relating This entity has conducted or participated in some type of security
to security training received by employees. exercises/drills. Examples would include active participation in
exercises/drills such as: Tabletops, ISTEP, Situational Drills (bomb threats,
hijacking, lock downs, etc.).

SAI #10 SAI #10 Components SAI Component Standard


37 This entity meets with outside agencies (i.e.; law enforcement/first This entity meets with outside agencies (i.e.; law enforcement/first
responders/Federal officials) regarding security support and/or issues in responders/Federal officials) regarding security issues or security
the event of a terrorist attack. exercises/drills in the event of a terrorist attack.

38 Personnel at this entity have actually conducted or participated in some This entity has conducted or participated in some type of security
SAI # 10 – type of exercises/drills that involve security related activities. exercises/drills. Examples would include active participation in
Participates in exercises/drills such as: Tabletops, ISTEP, Situational Drills (bomb threats,
Security Exercises hijacking, lock downs, etc.).
& Drills

39 This entity has administrative and/or security personnel trained in the This entity has security personnel trained in the National Incident
National Incident Management System (NIMS) or Incident Command Management System (NIMS) or Incident Command System (ICS).
System (ICS).

Facility Security Section
SAI #11 SAI #11 Components SAI Component Standard
40 This entity has controlled points of entry/exit for employees and restricts This entity/facility restricts employee and non-employee entry/exit to
non-employee access to buildings, terminals and/or work areas. certain doors in the buildings, terminals or work areas. Entry (doors)
must be capable of being locked or otherwise secured.

41 This entity has secured all doors, windows, skylights, roof openings and This entity/facility secures by locking, disabling, or covering all windows,
other access points to all buildings, terminals and/or work areas. skylights, roof openings and other access points at all times.

42 This entity restricts employee access into certain secure areas located This entity/facility restricts employee and non-employee entry/exit to
within their building or site (i.e.; computer room, administrative areas, certain secure "off limit" areas in the buildings, terminals or work areas.
dispatch, etc.).

43 This entity issues photo-identification cards/badges or uses other This entity/facility issues identification cards/badges or other effective
effective identification methods to identify employees. identification methods to identify all employees.

44 This entity requires employees to carry and/or display their identification This entity/facility requires employees to carry and/or display an
card/badge or other form of positive employee ID while on duty. identification badge while on duty.

SAI # 11 - Maintain
Facility Access 45 This entity has a challenge procedure that requires employees to safely This entity/facility has a "challenge procedure" that requires employees
Control report unknown persons or persons not having proper identification. to report unknown persons or persons not having proper identification.

46 This entity utilizes advanced physical control locking measures beyond This entity/facility requires biometric (fingerprint, voice, eye scan, etc.)
simple locks and keys (i.e.; biometric input, key card, PIN, combination input, key card swipe, or PIN combination locks, for access to buildings,
locks) for access to buildings, sites or secure areas (excludes vehicles). sites or secure areas. Access is deactivated upon employee separation
and codes are changed regularly.

47 Where appropriate, entrance and/or exit data to facilities and/or to This entity/facility electronically records entrance/exit data for persons
secure areas can be reviewed as needed (may be written logs, PIN or accessing restricted areas, and the data can be reviewed, if needed,
biometric data, or recorded camera surveillance). either manually or electronically. Manually recording (using a log) is an
exceptable alternative if electronic record is unavailable.

48 This entity utilizes visitor control protocols for non-employees accessing This entity/facility requires documented visitor control protocols for
non-public areas. visitors/guests that require each visitor to be positively identified, logged in,
issued a visitor badge and escorted while on premises.

SAI #12 SAI #12 Components SAI Component Standard


49 This entity utilizes perimeter physical security barriers Perimeter physical security barriers to restrict unauthorized vehicles and
(fences/gates/walls/planters/bollards, etc.) that restrict unauthorized pedestrians are utilized and effective.
vehicle and pedestrian access.

50 All perimeter physical security barriers on site are functional, used as All perimeter physical security barriers on site are functional, used as
designed, and adequately maintained to effectively restrict vehicle designed, and adequately maintained to effectively restrict vehicle
and/or pedestrian access. and/or pedestrian access.

51 This entity utilizes a tamper-proof intrusion detection system(s) This entity has a tamper-proof intrusion detection system (burglary
(burglary/robbery alarm). /robbery alarm) at this and/or all locations. Windows /doors/interior at
all locations are covered and system is monitored 24/7 when armed.

52 This entity utilizes closed circuit television cameras (CCTV). This entity/facility has closed circuit television cameras (CCTV) deployed
to cover all secure areas.

53 The CCTV cameras present are functional and adequately monitored CCTV cameras used by this entity/facility are functional, used as
and/or recorded. designed, and adequately monitored 24/7 and/or recorded.

54 This entity has adequate security lighting. This entity/facility has adequate security lighting that functions properly
at all locations.

55 This entity utilizes key control procedures for buildings, terminals and This facility has a key control program for buildings, terminals and gates.
gates (excludes vehicles). All keys are accounted for and are recovered from separated employees.
SAI # 12 -
Implement Strong
Physical Security at
all Locations 56 This entity employs on-site security personnel. This entity has on-site security personnel who are adequately armed.
“On-site security personnel” should be someone who performs physical
security functions (i.e. perimeter checks, gate guards, ID badge checks,
etc.) This is not a function of the Security Coordinator/Alternate.

57 This entity provides a secure location for employee parking separate This facility provides a secure location for employee parking, preferably
from visitor parking. separate from visitor parking.

58 Clearly visible and easily understood signs are present that identify Clearly visible and easily understood signs are used that identify
restricted or off-limit areas. restricted or off-limit areas at this entity/ facility, as well as any facility
security practices that the public may be subjected to.

59 Vehicle parking, stopping or standing is controlled, to the extent possible, Vehicle parking, stopping or standing is adequately restricted, to the
along perimeter fencing or near restricted areas. extent possible, in areas within or adjacent to all facilities.

60 This entity controls the growth of vegetation so that sight lines to This entity adequately controls growth of vegetation so that sight lines to
vehicles, pedestrians, perimeter fences or restricted areas are vehicles, pedestrians or restricted areas remain unobstructed.
unobstructed.

61 This entity conducts periodic random security checks on This entity uses unique or random security measures that introduce
personnel/vehicles and/or other physical security countermeasures (i.e. unpredictability into the entity’s practices for an enhanced deterrent
random perimeter checks, breach/trespass tests, bomb threat drills, etc.). effect. May be spot inspections, “red alerts,” or other
random/imaginative security initiatives.

SAI #13 SAI #13 Components SAI Component Standard


62 This entity requires an employee logon and password that grants access This entity requires an employee logon and password that grants access
to limited data consistent with job function. to limited entity data consistent with job function. Passwords must be
reset periodically.

63 This entity utilizes an Information Technology (IT) "firewall" that prevents This entity/ facility utilizes an IT "firewall" that prevents improper IT
improper IT system access to entity information, programs, and system access to entity information, programs, and automated systems
automated systems from both internal and external threats. from both internal and external threats. Note: Most Windows and Mac
based operating systems come preloaded with a standard “firewall.”

SAI # 13 - Enhance
Internal and 64 This entity has sufficient IT security guidelines. This entity has IT security guidelines that prohibit opening unknown files
External Cyber or emails, revealing/sharing passwords, or introducing unauthorized
Security software or hardware into the company's computer system.

65 This entity identifies a qualified IT security officer or coordinator. This entity identifies an IT security officer or coordinator.
66 This entity tests their IT system for vulnerabilities. This entity tests its IT system for vulnerabilities, keeps firewalls up to date
and removes/rejects any suspicious data received.

67 This entity has off-site backup capability for data generated and system This entity provides off-site backup capability for data generated and
redundancy. systems redundancy for this and/or all locations.

Vehicle Security Section


SAI #14 SAI #14 Components SAI Component Standard
SAI # 14 - Develop a Robust Vehicle Security Program

68
Component: The vehicles used by this entity are equipped with appropriate door/window locks and their use is required (if not prohibited by State law) when unattended.
Standard: All vehicles used by this entity have adequate door/window & ignition locks and their use is required.

69
Component: This entity provides some type of supplemental equipment for securing vehicles, which may include steering wheel locks, theft alarms, "kill switches," or other devices.
Standard: This entity provides some type of supplemental equipment for securing vehicles (i.e.; steering wheel locks, theft alarms, "kill switches," other devices).

70
Component: This entity utilizes a key control program for their vehicles (separate from key control for buildings).
Standard: This entity/facility has an adequate key control program for their vehicles. All keys are accounted for and separated employees must return keys. NOTE: Vehicles that require no key or share keys with other vehicles are not recommended.

71
Component: This entity employs technology that requires the use of key card, PIN or biometric input to enter or start vehicles.
Standard: This entity uses key card, PIN or biometric (fingerprint, voice command, etc.) input to enter or start vehicles.

72a
Component: This entity equips vehicles or provides drivers with panic button capability.
Standard: This entity equips vehicles with some type of panic button capability.

72b
Component: This entity uses unique distress codes or signals to alert dispatch, police or other employees in the event of an emergency situation.
Standard: This entity has instituted a distress code or signals in order to alert dispatch, other drivers/employees in the event of emergency situations.

73
Component: This entity uses vehicles equipped with an interior and/or exterior on-board, functioning and recording video camera.
Standard: This entity equips all vehicles with an on-board, functioning and recording video camera.

74
Component: This entity uses vehicles equipped with GPS or land based tracking system, or tracks drivers through a cellphone application.
Standard: This entity equips vehicles with some type of GPS or land based tracking system, or tracks drivers through a cellphone application.

75
Component: This entity prohibits unauthorized passengers in company vehicles.
Standard: This entity prohibits unauthorized passengers in entity vehicles.

76
Component: This entity restricts or has policies regarding overnight parking of vehicles at off-site locations (i.e.; residences, shopping centers, parking lots, etc.).
Standard: This entity prohibits unauthorized overnight parking of company vehicles at off-site locations (i.e.; residences, shopping centers, parking lots, etc.).

SAI #15 SAI #15 Components SAI Component Standard


SAI # 15 - Develop a Solid Cargo/Passenger Security Program

Motor Coach Version
77MC X X
78MC X X
79MC X X

School Bus Version
77SB X X
78SB X X
79SB X X

Trucking Version
77TR X X
78TR X X
79TR X X

SAI #16 SAI #16 Components SAI Component Standard


80 N/A - This Question Intentionally left blank. X

81
Component: This entity has additional security procedures that take effect in the event of a heightened security alert status from the DHS National Terrorist Alert System (NTAS) or other government source.
Standard: This entity has enhanced procedures that take effect in the event of an elevated security alert status from the DHS National Terrorist Alert System (NTAS) or other government source.

82
Component: This entity monitors news or other media sources for the most current security threat information.
Standard: This entity monitors TV news, newspapers, homeland security website, or other media sources every day for security threat information.

SAI # 16 - Plan for High Alert Level Contingencies

83
Component: This entity distributes relevant or evolving threat information to affected company personnel as needed.
Standard: This company distributes relevant or evolving threat information to affected company personnel as needed via direct communications (radio, email, text, in person).

84
Component: Administrative or security personnel at this company have been granted access to an unclassified intelligence based internet site such as HSIN, Cybercop, or Infragard and they regularly review current intelligence information relating to their industry.
Standard: This entity has personnel who have been granted access to HSIN, Cybercop, Infragard, or other appropriate network and frequently accesses the site.

85
Component: Administrative or security personnel at this company regularly check the status of the DHS sponsored National Terrorism Alert System (NTAS) or have enrolled to receive automatic electronic NTAS alert updates at www.dhs.gov/alerts or other government site.
Standard: This entity has personnel who regularly access the DHS NTAS site, or automatically receive updates from an accredited government site.

SAI #17 SAI #17 Components SAI Component Standard


SAI # 17 - Conduct Regular Security Inspections

86
Component: In addition to any pre-trip safety inspection conducted, this entity requires a pre-trip vehicle security inspection.
Standard: This entity requires a pre-trip vehicle security inspection. Note: This is in addition to DOT safety inspection requirements.

87
Component: This entity requires a post-trip vehicle security inspection.
Standard: This entity requires a post-trip vehicle security inspection.

88
Component: This entity requires additional vehicle security inspections at any other times (vehicle left unattended, driver change, etc.).
Standard: This entity requires additional vehicle security inspections at any other times (vehicle left unattended, driver change, etc.).

Motor Coach Version
89MC X X

School Bus Version
89SB X X

Trucking Version
89TR X X

SAI #18 SAI #18 Components SAI Component Standard


SAI # 18 - Have Procedures for Reporting Suspicious Activities

90
Component: This entity has participated in or received some type of domain awareness/SAR/counterterrorism training.
Standard: All employees receive domain awareness training and employees receive some type of re-training at least every three years.

91
Component: This entity has policies requiring employees to report security related “suspicious activities” to management and/or law enforcement.
Standard: This entity has written notification requirements for employees to report suspicious activity to management and/or law enforcement.

92
Component: This entity has notification procedures (who to call, when to call, etc.) for all personnel upon observing suspicious activity.
Standard: This entity has written notification procedures (who to call, when to call, etc.) for all personnel upon observing suspicious activity.

93
Component: This company has policies requiring a written report be filed for suspicious activities observed.
Standard: This entity has policies requiring a written report be filed upon observing suspicious activity.

SAI #19 SAI #19 Components SAI Component Standard
SAI # 19 - Ensure Chain of Custody & Shipment/Service Verification

Motor Coach Version
94MC X X
95MC X X
96MC N/A - This Question Intentionally left blank.

School Bus Version
94SB X X
95SB X X
96SB N/A - This Question Intentionally left blank.

Trucking Version
94TR X X
95TR X X
96TR X X

97
Component: This entity requires specific security protocols be followed in the event a trip must be delayed, discontinued, require multiple days to complete or exceeds hours-of-service regulations.
Standard: This company requires specific security protocols be followed in the event a trip must be delayed, discontinued, require multiple days to complete or exceeds hours-of-service regulations.

SAI #20 SAI #20 Components SAI Component Standard


SAI # 20 - Pre-plan Emergency Travel Routes.

98
Component: This entity prohibits drivers from diverting from authorized routes, making unauthorized pickups or stopping at unauthorized locations without justification.
Standard: This company prohibits drivers from diverting from authorized routes, making unauthorized pickups or stopping at unauthorized locations without justification.

99
Component: This entity has identified alternate routes in the event primary routes cannot be used under certain security related emergencies.
Standard: This entity has identified and pre-planned alternate routes in the event primary routes cannot be used under certain security related emergencies.

Vulnerability Self-Assessment Summary Sheet
<Enter Your Company Here> <Enter Name of Assessor Here> Date Conducted
<Enter Facility Name or Location Here> <Enter Name of Facility Manager Here> 10/31/2013
Mode: <Choose Mode from drop-down>
Applicable Components 91
# of High Priority Items to be completed 0
# of Medium Priority Items to be completed 0
# of Low Priority Items to be completed 0
# of Items Awaiting a Response 91
Columns: SECURITY ACTION ITEMS (SAI'S) | SAI Component # | SAI COMPONENT | SAI COMPONENT STANDARD | PRIORITY LEVEL | ACTIONS TO BE CONSIDERED

SAI #1 – Have a Designated Security Coordinator
1
Component: This entity designates a qualified primary Security Coordinator/Director.
Standard: The entity has a qualified person designated as Security Coordinator/Director that is responsible for overall transportation security. Recommended that the security coordinator be a citizen of the U.S., and have law enforcement, private security, or appropriate military background; or adequate on-the-job experience. Recognized supplemental certifications in security, safety, or environmental programs may be beneficial.
Priority level: High; Actions to be considered: Awaiting Response!

SAI #2 – Conduct a Thorough Risk Assessment
5
Component: This entity has conducted a documented, site specific “Vulnerability Assessment” and is generally familiar with any significant threats or consequences they may face.
Standard: The entity should conduct and document a site specific “Vulnerability Assessment” or improve upon an existing assessment, that addresses vulnerabilities and is familiar with threats and consequences present. Identified weaknesses should be minimized or corrected as soon as possible.
Priority level: High; Actions to be considered: Awaiting Response!

SAI #3 - Develop a Security Plan (Security Specific Protocols)
7
Component: This entity has a written, site specific transportation Security Plan that addresses, at a minimum, management procedures, personnel security, facility security and vehicle security along with actions to be taken in the event of a security incident or security breach.
Standard: Entity should have a site specific Security Plan that addresses management procedures, personnel security, facility security, vehicle security, and sets forth actions to be taken in the event of a security incident or security breach.
Priority level: High; Actions to be considered: Awaiting Response!

11
Component: This entity has security procedures to be followed by all personnel (i.e., drivers, office workers, maintenance workers, laborers and others) in the event of a security breach or incident.
Standard: Procedures are in place setting forth the expectations, responsibilities, or limitations for all personnel (drivers, office workers, administrators, etc.) in the event of a security incident or breach.
Priority level: High; Actions to be considered: Awaiting Response!

SAI #4 – Plan for Emergency Response & Continuity of Operations
15
Component: Following a significant operational disruption, this entity has procedures designed to ensure an appropriate response and the restoration of facilities and services. (May be in the form of a Business Recovery Plan, Continuity of Operations Plan or Emergency Response/Safety Plan).
Standard: The entity should have documented procedures designed to ensure restoration of facilities and services following a significant operational disruption. This may be in the form of a Business Recovery Plan, Continuity of Operations Plan, or part of the Emergency Response/Safety Plan.
Priority level: High; Actions to be considered: Awaiting Response!

SAI #5 – Develop a Communications Plan
17
Component: This entity has methods for communicating with drivers during normal conditions.
Standard: The entity should have documented procedures for communicating with drivers during routine trips. Procedures should include methods of communication, transmitting information (including threat); reporting suspicious activities while en-route and driver check-in. These procedures should be practiced or discussed regularly to ensure drivers are properly prepared for future events. Radio, cellphone or public address equipment (if applicable) is available for the company to communicate with drivers and/or customers/passengers during normal conditions.
Priority level: High; Actions to be considered: Awaiting Response!

SAI #6 - Safeguard Business and Security Critical Information
19
Component: This entity controls access to business documents (i.e. security plans, critical asset lists, risk/vulnerability assessments, schematics, drawings, manifests, etc.) that may compromise entity security practices.
Standard: This facility controls and minimizes internal and external access to sensitive business information (Operational Security – OPSEC).
Priority level: High; Actions to be considered: Awaiting Response!

SAI #7 - Be Aware of Industry Security Best Practices.
22
Component: Personnel at this entity meet/communicate with industry peers, partners or associations that share security related information or best practices. (May include individual or corporate membership with an industry trade association).
Standard: Security or administrative personnel at this entity/facility belong to and meet with one or more industry groups that provide or share resources or security related guidance. (ABA, ACC, ATA, NAPT, NASDOTS, NTTC, OOIDA, UMA, others)
Priority level: High; Actions to be considered: Awaiting Response!

SAI #8 – Conduct Licensing & Background Checks for Drivers / Employees / Contractors
24
Component: This entity requires verification and documentation that persons operating entity vehicles have a valid driver’s license for the type of vehicle driven, along with any applicable endorsement(s) needed.
Standard: DMV inquiry required upon hire to verify proper class of license and driving history, and periodically (at least semi-annually thereafter) or company is enrolled to receive automatic DMV updates.
Priority level: High; Actions to be considered: Awaiting Response!

25
Component: This entity requires a criminal history check, verification of Social Security number and verification of immigration status for personnel operating entity vehicles.
Standard: A fingerprint based background check using a reputable security company is optimal; or possession of a valid CDL with Haz Mat endorsement or TWIC credential.
Priority level: High; Actions to be considered: Awaiting Response!

SAI #9 – Develop and Follow Security Training Plan(s)
31
Component: This entity provides general security awareness training to all employees (separate from or in addition to regular safety training).
Standard: This entity/facility provides, at a minimum, general security awareness training for all employees.
Priority level: High; Actions to be considered: Awaiting Response!

SAI #10 – Participates in Security Exercises & Drills
37
Component: This entity meets with outside agencies (i.e.; law enforcement/first responders/Federal officials) regarding security support and/or issues in the event of a terrorist attack.
Standard: This entity meets with outside agencies (i.e.; law enforcement/first responders/Federal officials) regarding security issues or security exercises/drills in the event of a terrorist attack.
Priority level: High; Actions to be considered: Awaiting Response!

SAI #11 - Maintain Facility Access Control
40
Component: This entity has controlled points of entry/exit for employees and restricts non-employee access to buildings, terminals and/or work areas.
Standard: This entity/facility restricts employee and non-employee entry/exit to certain doors in the buildings, terminals or work areas. Entry (doors) must be capable of being locked or otherwise secured.
Priority level: High; Actions to be considered: Awaiting Response!

41
Component: This entity has secured all doors, windows, skylights, roof openings and other access points to all buildings, terminals and/or work areas.
Standard: This entity/facility secures by locking, disabling, or covering all windows, skylights, roof opening and other access points at all times.
Priority level: High; Actions to be considered: Awaiting Response!

SAI #12 - Implement Strong Physical Security at all Locations
49
Component: This entity utilizes perimeter physical security barriers (fences/gates/walls/planters/bollards, etc.) that restrict unauthorized vehicle and pedestrian access.
Standard: Perimeter physical security barriers to restrict unauthorized vehicles and pedestrians are utilized and effective.
Priority level: High; Actions to be considered: Awaiting Response!

SAI #13 - Enhance Internal and External Cyber Security
62
Component: This entity requires an employee logon and password that grants access to limited data consistent with job function.
Standard: This entity requires an employee logon and password that grants access to limited entity data consistent with job function. Passwords must be reset periodically.
Priority level: High; Actions to be considered: Awaiting Response!

SAI #14 - Develop a Robust Vehicle Security Program
68
Component: The vehicles used by this entity are equipped with appropriate door/window locks and their use is required (if not prohibited by State law) when unattended.
Standard: All vehicles used by this entity have adequate door/window & ignition locks and their use is required.
Priority level: High; Actions to be considered: Awaiting Response!

74
Component: This entity uses vehicles equipped with GPS or land based tracking system, or tracks drivers through a cellphone application.
Standard: This entity equips vehicles with some type of GPS or land based tracking system, or tracks drivers through a cellphone application.
Priority level: High; Actions to be considered: Awaiting Response!

SAI #15 - Develop a Solid Cargo/Passenger Security Program
77MC
Component: X
Standard: X
Priority level: High; Actions to be considered: Not Applicable

77SB
Component: X
Standard: X
Priority level: High; Actions to be considered: Not Applicable

77TR
Component: X
Standard: X
Priority level: High; Actions to be considered: Not Applicable

SAI #16 - Plan for High Alert Level Contingencies
81
Component: This entity has additional security procedures that take effect in the event of a heightened security alert status from the DHS National Terrorist Alert System (NTAS) or other government source.
Standard: This entity has enhanced procedures that take effect in the event of an elevated security alert status from the DHS National Terrorist Alert System (NTAS) or other government source.
Priority level: High; Actions to be considered: Awaiting Response!

83
Component: This entity distributes relevant or evolving threat information to affected company personnel as needed.
Standard: This company distributes relevant or evolving threat information to affected company personnel as needed via direct communications (radio, email, text, in person).
Priority level: High; Actions to be considered: Awaiting Response!

SAI #17 - Conduct Regular Security Inspections
86
Component: In addition to any pre-trip safety inspection conducted, this entity requires a pre-trip vehicle security inspection.
Standard: This entity requires a pre-trip vehicle security inspection. Note: This is in addition to DOT safety inspection requirements.
Priority level: High; Actions to be considered: Awaiting Response!

SAI #18 - Have Procedures for Reporting Suspicious Activities
90
Component: This entity has participated in or received some type of domain awareness/SAR/counterterrorism training.
Standard: All employees receive domain awareness training and employees receive some type of re-training at least every three years.
Priority level: High; Actions to be considered: Awaiting Response!

91
Component: This entity has policies requiring employees to report security related “suspicious activities” to management and/or law enforcement.
Standard: This entity has written notification requirements for employees to report suspicious activity to management and/or law enforcement.
Priority level: High; Actions to be considered: Awaiting Response!

SAI #19 - Ensure Chain of Custody & Shipment/Service Verification
94MC
Component: X
Standard: X
Priority level: High; Actions to be considered: Not Applicable

94SB
Component: X
Standard: X
Priority level: High; Actions to be considered: Not Applicable

94TR
Component: X
Standard: X
Priority level: High; Actions to be considered: Not Applicable

SAI #20 - Pre-plan Emergency Travel Routes.
98
Component: This entity prohibits drivers from diverting from authorized routes, making unauthorized pickups or stopping at unauthorized locations without justification.
Standard: This company prohibits drivers from diverting from authorized routes, making unauthorized pickups or stopping at unauthorized locations without justification.
Priority level: High; Actions to be considered: Awaiting Response!

SAI #1 – Have a Designated Security Coordinator
3
Component: This entity has policies that specify the transportation related duties of the Security Coordinator.
Standard: Should have documented specific transportation security related duties of Security Coordinator. May be found in job description, security plan, or other documents as appropriate. PL 110, Sec. 1531 states Security Coordinator duties include: Implement security actions under the security plan; coordinate security improvements; receive communications from appropriate federal officials.
Priority level: Medium; Actions to be considered: Awaiting Response!

SAI #2 – Conduct a Thorough Risk Assessment
4
Component: This entity recognizes they may have certain assets of specific interest to terrorists (i.e.: vehicles, IT information, passengers, critical personnel, etc.) and considers this factor when developing transportation security practices.
Standard: Entity should list its assets and determine which may be of specific interest to terrorists. Assets may include vehicles, platforms, stations, terminals, fueling depot, key personnel, information systems, cargo, passengers, storage areas, etc. Consider detailing security measures to implement and protect each asset in order to: (1) deter security incidents that may result in significant local, regional, or national consequences, and (2) effectively maintain business operations in the event of a loss to asset(s).
Priority level: Medium; Actions to be considered: Awaiting Response!

SAI #3 - Develop a Security Plan (Security Specific Protocols)
10
Component: This entity has written security plans/policies that have been reviewed and approved at the entity's executive level.
Standard: Security Procedures, including revisions, should be reviewed and approved at the company's highest (executive) level.
Priority level: Medium; Actions to be considered: Awaiting Response!

14
Component: This entity has procedures for 24/7 notification of entity security personnel and/or local/state/federal authorities to be notified in the event of a security incident.
Standard: Guidelines are provided to employees requiring them to notify, at a minimum, local law enforcement authorities and the security coordinator in the event of a security incident or breach.
Priority level: Medium; Actions to be considered: Awaiting Response!

SAI #4 – Plan for Emergency Response & Continuity of Operations
16
Component: This entity ensures all facilities have an auxiliary power source if needed or the ability to operate effectively from an identified secondary site.
Standard: The entity should have procedures in place to ensure the continuity of operations if needed. Procedures may include data backup, uninterruptible power supply (generator, battery backup), or having a secondary site location with full operational capabilities. Secondary power methods of operation should be tested or practiced occasionally.
Priority level: Medium; Actions to be considered: Awaiting Response!

SAI #5 – Develop a Communications Plan
18
Component: This entity has emergency procedures in place for drivers on the road to follow in the event normal communications are disrupted. Entity should have contingencies in place in the event dispatch system, if applicable, becomes inoperable.
Standard: The entity should have documented emergency procedures for drivers to follow in the event normal communications are disrupted while en-route. Entities may consider using back-up technology that will function in the event normal communication is disrupted. Other options for drivers may include: discontinuation of the trip, safe harboring, returning to terminal, and/or identifying an alternate method of communication. These are examples of things to consider and plan for in the event communications fail. This should be part of a written Communications Plan.
Priority level: Medium; Actions to be considered: Awaiting Response!

SAI #6 - Safeguard Business and Security Critical Information
21
Component: This entity maintains and safeguards an up-to-date list of all assets that are critical to the continuation of business operations (i.e. vehicles, IT equipment, products, other equipment, etc.), periodically inventories these assets, and has the ability to determine their general location at any given time.
Standard: The facility/entity has an adequate inventory control process that ensures accountability for all at-risk assets (i.e.; products, vehicles, equipment, and computers) that may be of specific interest to criminals and/or terrorists.
Priority level: Medium; Actions to be considered: Awaiting Response!

SAI #7 - Be Aware of Industry Security Best Practices.
23
Component: Personnel at this entity have sought and/or obtained transportation related security information or "best practices" guidance from private security concerns, military resources, academic pursuits or governmental resources.
Standard: This entity has used or provided security related information (best/recommended practices) to or from industry peers or governmental partners.
Priority level: Medium; Actions to be considered: Awaiting Response!

SAI #8 – Conduct Licensing & Background Checks for Drivers / Employees / Contractors
26
Component: This entity requires a criminal history check, verification of Social Security number and verification of immigration status for non-driver employees with access to security related information or restricted areas.
Standard: This entity/facility has security-related criteria that would disqualify current or prospective personnel from employment.
Priority level: Medium; Actions to be considered: Awaiting Response!

28
Component: This entity has security-related criteria that would disqualify current or prospective personnel from employment.
Standard: This entity/facility has written procedures for reviewing, evaluating and acting upon any new criminal activity information for current employees that may come to light.
Priority level: Medium; Actions to be considered: Awaiting Response!

29
Component: This entity has policies to address criminal allegations that may arise or come to light involving current employees.
Standard: This entity/facility has comparable licensing and background check requirements for both company employees and unsupervised/unescorted contracted employees.
Priority level: Medium; Actions to be considered: Awaiting Response!

30
Component: The entity requires that contract employees having access to security related information or restricted areas be held to comparable licensing and background checks as those required of regular company employees (contracted employees may include contractual drivers, unescorted cleaning crews, etc.).
Standard: This entity provides additional security training to employees having specified security responsibilities, or other security training required by applicable federal regulation.
Priority level: Medium; Actions to be considered: Awaiting Response!

SAI #9 – Develop and Follow Security Training Plan(s)
32
Component: This entity provides additional security training to employees having assigned security responsibilities.
Standard: The security training/re-training being offered by this entity/facility is specific to the type of transportation operation being conducted (trucking, school bus, motor coach or infrastructure).
Priority level: Medium; Actions to be considered: Awaiting Response!

34
Component: The security training/re-training offered by this entity is specific to and appropriate for the type of transportation operation being conducted (trucking, school bus, motor coach or infrastructure mode).
Standard: This entity/facility documents and retains records relating to security training received by employees.
Priority level: Medium; Actions to be considered: Awaiting Response!

36
Component: This company requires documentation and retention of records relating to security training received by employees.
Standard: This entity has conducted or participated in some type of security exercises/drills. Examples would include active participation in exercises/drills such as: Tabletops, ISTEP, Situational Drills (bomb threats, hijacking, lock downs, etc.).
Priority level: Medium; Actions to be considered: Awaiting Response!

SAI #10 – Participates in Security Exercises & Drills
38
Component: Personnel at this entity have actually conducted or participated in some type of exercises/drills that involve security related activities.
Standard: This entity has conducted or participated in some type of security exercises/drills. Examples would include active participation in exercises/drills such as: Tabletops, ISTEP, Situational Drills (bomb threats, hijacking, lock downs, etc.).
Priority level: Medium; Actions to be considered: Awaiting Response!

SAI #11 - Maintain Facility Access Control
42
Component: This entity restricts employee access into certain secure areas located within their building or site (i.e.; computer room, administrative areas, dispatch, etc.).
Standard: This entity/facility restricts employee and non-employee entry/exit to certain secure "off limit" areas in the buildings, terminals or work areas.
Priority level: Medium; Actions to be considered: Awaiting Response!

43
Component: This entity issues photo-identification cards/badges or uses other effective identification methods to identify employees.
Standard: This entity/facility issues identification cards/badges or other effective identification methods to identify all employees.
Priority level: Medium; Actions to be considered: Awaiting Response!

44
Component: This entity requires employees to carry and/or display their identification card/badge or other form of positive employee ID while on duty.
Standard: This entity/facility requires employees to carry and/or display an identification badge while on duty.
Priority level: Medium; Actions to be considered: Awaiting Response!

45
Component: This entity has a challenge procedure that requires employees to safely report unknown persons or persons not having proper identification.
Standard: This entity/facility has a "challenge procedure" that requires employees to report unknown persons or persons not having proper identification.
Priority level: Medium; Actions to be considered: Awaiting Response!

48
Component: This entity utilizes visitor control protocols for non-employees accessing non-public areas.
Standard: This entity/facility requires documented visitor control protocols for visitors/guests that requires visitor being positively identified, logged-in, is issued visitor badge and escorted while on premises.
Priority level: Medium; Actions to be considered: Awaiting Response!

SAI #12 - Implement Strong Physical Security at all Locations
50
Component: All perimeter physical security barriers on site are functional, used as designed, and adequately maintained to effectively restrict vehicle and/or pedestrian access.
Standard: All perimeter physical security barriers on site are functional, used as designed, and adequately maintained to effectively restrict vehicle and/or pedestrian access.
Priority level: Medium; Actions to be considered: Awaiting Response!

51
Component: This entity utilizes a tamper-proof intrusion detection system(s) (burglary/robbery alarm).
Standard: This entity has a tamper-proof intrusion detection system (burglary/robbery alarm) at this and/or all locations. Windows/doors/interior at all locations are covered and system is monitored 24/7 when armed.
Priority level: Medium; Actions to be considered: Awaiting Response!

52
Component: This entity utilizes closed circuit television cameras (CCTV).
Standard: This entity/facility has closed circuit television cameras (CCTV) deployed to cover all secure areas.
Priority level: Medium; Actions to be considered: Awaiting Response!

53
Component: The CCTV cameras present are functional and adequately monitored and/or recorded.
Standard: CCTV cameras used by this entity/facility are functional, used as designed, and adequately monitored 24/7 and/or recorded.
Priority level: Medium; Actions to be considered: Awaiting Response!

54
Component: This entity has adequate security lighting.
Standard: This entity/facility has adequate security lighting that functions properly at all locations.
Priority level: Medium; Actions to be considered: Awaiting Response!

55
Component: This entity utilizes key control procedures for buildings, terminals and gates (excludes vehicles).
Standard: This facility has a key control program for buildings, terminals and gates. All keys are accounted for and are recovered from separated employees.
Priority level: Medium; Actions to be considered: Awaiting Response!

56
Component: This entity employs on-site security personnel.
Standard: This entity has on-site security personnel who are adequately armed. “On-site security personnel” should be someone who performs physical security functions (i.e. perimeter checks, gate guards, ID badge checks, etc.). This is not a function of the Security Coordinator/Alternate.
Priority level: Medium; Actions to be considered: Awaiting Response!

This entity utilizes an Information Technology (IT) This entity/ facility utilizes an IT "firewall" that prevents improper IT system access to entity
"firewall" that prevents improper IT system access to information, programs, and automated systems from both internal and external threats.
entity information, programs, and automated systems Note: Most Windows and Mac based operating systems come preloaded with a standard
63 from both internal and external threats. “firewall.” Medium Awaiting Response!

SAI #13 - Enhance Internal and This entity has sufficient IT security guidelines. This entity has IT security guidelines that prohibit opening unknown files or emails,
revealing/sharing passwords, or introducing unauthorized software or hardware into the
External Cyber Security 64 company's computer system. Medium Awaiting Response!

This entity tests their IT system for vulnerabilities. This entity tests its IT system for vulnerabilities, keeps firewalls up to date and removes/rejects
66 any suspicious data received. Medium Awaiting Response!

This entity has off-site backup capability for data This entity provides off-site backup capability for data generated and systems redundancy for
67 generated and system redundancy. this and/or all locations. Medium Awaiting Response!

SAI #14 - Develop a Robust Vehicle Security Program

Component: This entity utilizes a key control program for their vehicles (separate from key control for buildings).
Component Standard: This entity/facility has an adequate key control program for their vehicles. All keys are accounted for and separated employees must return keys. NOTE: Vehicles that require no key or share keys with other vehicles are not recommended.
70 Medium Awaiting Response!

Component: This entity prohibits unauthorized passengers in company vehicles.
Component Standard: This entity prohibits unauthorized passengers in entity vehicles.
75 Medium Awaiting Response!

SAI #15 - Develop a Solid Cargo/Passenger Security Program

Component: X
Component Standard: X
79MC Medium Not Applicable

Component: X
Component Standard: X
78SB Medium Not Applicable

Component: X
Component Standard: X
78TR Medium Not Applicable

SAI #16 - Plan for High Alert Level Contingencies

Component: This entity monitors news or other media sources for the most current security threat information.
Component Standard: This entity monitors TV news, newspapers, homeland security website, or other media sources every day for security threat information.
82 Medium Awaiting Response!

Component: Administrative or security personnel at this company have been granted access to an unclassified intelligence based internet site such as HSIN, Cybercop, or Infragard and they regularly review current intelligence information relating to their industry.
Component Standard: This entity has personnel who have been granted access to HSIN, Cybercop, Infragard, or other appropriate network and frequently access the site.
84 Medium Awaiting Response!

SAI #17 - Conduct Regular Security Inspections

Component: This entity requires a post-trip vehicle security inspection.
Component Standard: This entity requires a post-trip vehicle security inspection.
87 Medium Awaiting Response!

Component: X
Component Standard: X
89MC Medium Not Applicable

Component: X
Component Standard: X
89SB Medium Not Applicable

Component: X
Component Standard: X
89TR Medium Not Applicable

SAI #18 - Have Procedures for Reporting Suspicious Activities

Component: This entity has notification procedures (who to call, when to call, etc.) for all personnel upon observing suspicious activity.
Component Standard: This entity has written notification procedures (who to call, when to call, etc.) for all personnel upon observing suspicious activity.
92 Medium Awaiting Response!

SAI #19 - Ensure Chain of Custody & Shipment/ Service Verification

Component: X
Component Standard: X
95MC Medium Not Applicable

Component: X
Component Standard: X
95SB Medium Not Applicable

Component: X
Component Standard: X
95TR Medium Not Applicable

Component: This entity requires specific security protocols be followed in the event a trip must be delayed, discontinued, require multiple days to complete or exceeds hours-of-service regulations.
Component Standard: This company requires specific security protocols be followed in the event a trip must be delayed, discontinued, require multiple days to complete or exceeds hours-of-service regulations.
97 Medium Awaiting Response!

SAI #20 - Pre-plan Emergency Travel Routes.

Component: No Medium Priority Components for SAI #20
Component Standard: No Medium Priority Components for SAI #20
Medium Not Applicable

SAI #1 – Have a Designated Security Coordinator

Component: This entity designates an alternate Security Coordinator/Director.
Component Standard: A qualified individual with this title must be identified (may be a shared title).
2 Low Awaiting Response!

SAI #2 – Conduct a Thorough Risk Assessment

Component: Management generally supports efforts to improve security and provides funding and/or approves corrective actions to security vulnerabilities or weaknesses identified.
Component Standard: Management for the entity should support efforts to enhance security and should consider ensuring that funds are provided toward mitigation measures designed to address security vulnerabilities identified.
6 Low Awaiting Response!

SAI #3 - Develop a Security Plan (Security Specific Protocols)

Component: This entity limits access to its security plan or security procedures to employees with a "need-to-know.”
Component Standard: The entity should limit access to its Security Plan or security procedures to employees with a “need-to-know” (i.e., Safety/Security Coordinators, management). Other employees should have access only to portions of the plan pertaining specifically to the function of job duties and for implementing security procedures.
8 Low Awaiting Response!

Component: This entity requires that employees with access to security procedures sign a non-disclosure agreement (NDA).
Component Standard: The entity should require employees with access to any portion of the Security Plan or security procedures to sign a Non-Disclosure Agreement (NDA). Although many NDAs apply to the sharing of business practices/proprietary information, access to critical information such as risk assessments, Security Plans, critical assets, etc. needs to be protected as well and should be documented in an NDA.
9 Low Awaiting Response!

Component: This entity requires that their security policies be reviewed at least annually and updated as needed.
Component Standard: An annual review of any written security procedures is required, and the date they were last reviewed or updated noted.
12 Low Awaiting Response!

Component: Employees are provided with site-specific, up to date contact information for entity management and/or security personnel to be notified in the event of a security incident and this entity periodically tests their notification or "call-tree" procedures.
Component Standard: "Contact lists" provided to employees should include security personnel to be contacted and the data should be current.
13 Low Awaiting Response!

SAI #4 – Plan for Emergency Response & Continuity of Operations

Component: No Low Priority Components for SAI #4
Component Standard: No Low Priority Components for SAI #4
Low Not Applicable

SAI #5 – Develop a Communications Plan

Component: No Low Priority Components for SAI #5
Component Standard: No Low Priority Components for SAI #5
Low Not Applicable

SAI #6 - Safeguard Business and Security Critical Information

Component: This entity controls personnel information (i.e. SSN, address, drivers license, etc.) that may be deemed sensitive in nature.
Component Standard: This facility controls and minimizes internal and external access to personnel information (keeps files or office locked, computer access controlled).
20 Low Awaiting Response!

SAI #7 - Be Aware of Industry Security Best Practices.

Component: No Low Priority Components for SAI #7
Component Standard: No Low Priority Components for SAI #7
Low Not Applicable

SAI #8 – Conduct Licensing & Background Checks for Drivers / Employees / Contractors

Component: This entity asks prospective drivers if they have been denied a Transportation Worker Identification Credential (TWIC) or a Commercial Driver's License with HazMat Endorsement (CDL-HME) for employment elsewhere specifically as the result of a security background check.
Component Standard: This entity asks applicants if they have been denied a Transportation Worker Identification Credential (TWIC) or a Commercial Driver's License with HazMat Endorsement (CDL-HME) for employment elsewhere specifically as the result of a security background check.
27 Low Awaiting Response!

SAI #9 – Develop and Follow Security Training Plan(s)

Component: This entity provides periodic security re-training to all employees.
Component Standard: This entity provides periodic security re-training (recurrent training) no less than every three years or with change of job.
33 Low Awaiting Response!

Component: This entity has comparable security training requirements for both regular employees and contracted employees with security responsibilities or access to security-related information.
Component Standard: This facility requires identical training requirements for both entity employees and contracted employees.
35 Low Awaiting Response!

SAI #10 – Participates in Security Exercises & Drills

Component: This entity has administrative and/or security personnel trained in the National Incident Management System (NIMS) or Incident Command System (ICS).
Component Standard: This entity has security personnel trained in the National Incident Management System (NIMS) or Incident Command System (ICS).
39 Low Awaiting Response!

SAI #11 - Maintain Facility Access Control

Component: This entity utilizes advanced physical control locking measures beyond simple locks and keys (i.e.; biometric input, key card, PIN, combination locks) for access to buildings, sites or secure areas (excludes vehicles).
Component Standard: This entity/facility requires biometric (fingerprint, voice, eye scan, etc.) input, key card swipe, or PIN combination locks, for access to buildings, sites or secure areas. Access is deactivated upon employee separation and codes are changed regularly.
46 Low Awaiting Response!

Component: Where appropriate, entrance and/or exit data to facilities and/or to secure areas can be reviewed as needed (may be written logs, PIN or biometric data, or recorded camera surveillance).
Component Standard: This entity/facility electronically records entrance/exit data for persons accessing restricted areas, and the data can be reviewed, if needed, either manually or electronically. Manually recording (using a log) is an acceptable alternative if electronic record is unavailable.
47 Low Awaiting Response!

SAI #12 - Implement Strong Physical Security at all Locations

Component: This entity provides a secure location for employee parking separate from visitor parking.
Component Standard: This facility provides a secure location for employee parking, preferably separate from visitor parking.
57 Low Awaiting Response!

Component: Clearly visible and easily understood signs are present that identify restricted or off-limit areas.
Component Standard: Clearly visible and easily understood signs are used that identify restricted or off-limit areas at this entity/facility, as well as any facility security practices that the public may be subjected to.
58 Low Awaiting Response!

Component: Vehicle parking, stopping or standing is controlled, to the extent possible, along perimeter fencing or near restricted areas.
Component Standard: Vehicle parking, stopping or standing is adequately restricted, to the extent possible, in areas within or adjacent to all facilities.
59 Low Awaiting Response!

Component: This entity controls the growth of vegetation so that sight lines to vehicles, pedestrians, perimeter fences or restricted areas are unobstructed.
Component Standard: This entity adequately controls growth of vegetation so that sight lines to vehicles, pedestrians or restricted areas remain unobstructed.
60 Low Awaiting Response!

Component: This entity conducts periodic random security checks on personnel/vehicles and/or other physical security countermeasures (i.e. random perimeter checks, breach/trespass tests, bomb threat drills, etc.).
Component Standard: This entity uses unique or random security measures that introduce unpredictability into the entity’s practices for an enhanced deterrent effect. May be spot inspections, “red alerts,” or other random/imaginative security initiatives.
61 Low Awaiting Response!

SAI #13 - Enhance Internal and External Cyber Security

Component: This entity identifies a qualified IT security officer or coordinator.
Component Standard: This entity identifies an IT security officer or coordinator.
65 Low Awaiting Response!

SAI #14 - Develop a Robust Vehicle Security Program

Component: This entity provides some type of supplemental equipment for securing vehicles, which may include steering wheel locks, theft alarms, "kill switches," or other devices.
Component Standard: This entity provides some type of supplemental equipment for securing vehicles (i.e.; steering wheel locks, theft alarms, "kill switches," other devices).
69 Low Awaiting Response!

Component: This entity employs technology that requires the use of key card, PIN or biometric input to enter or start vehicles.
Component Standard: This entity uses key card, PIN or biometric (fingerprint, voice command, etc.) input to enter or start vehicles.
71 Low Awaiting Response!

Component: This entity equips vehicles or provides drivers with panic button capability.
Component Standard: This entity equips vehicles with some type of panic button capability.
72a Low Awaiting Response!

Component: This entity uses unique distress codes or signals to alert dispatch, police or other employees in the event of an emergency situation.
Component Standard: This entity has instituted a distress code or signals in order to alert dispatch, other drivers/employees in the event of emergency situations.
72b Low Awaiting Response!

Component: This entity uses vehicles equipped with an interior and/or exterior on-board, functioning and recording video camera.
Component Standard: This entity equips all vehicles with an on-board, functioning and recording video camera.
73 Low Awaiting Response!

Component: This entity restricts or has policies regarding overnight parking of vehicles at off-site locations (i.e.; residences, shopping centers, parking lots, etc.).
Component Standard: This entity prohibits unauthorized overnight parking of company vehicles at off-site locations (i.e.; residences, shopping centers, parking lots, etc.).
76 Low Awaiting Response!

SAI #15 - Develop a Solid Cargo/Passenger Security Program

Component: X
Component Standard: X
78MC Low Not Applicable

Component: X
Component Standard: X
79SB Low Not Applicable

Component: X
Component Standard: X
79TR Low Not Applicable

SAI #16 - Plan for High Alert Level Contingencies

Component: Administrative or security personnel at this company regularly check the status of the DHS sponsored National Terrorism Alert System (NTAS) or have enrolled to receive automatic electronic NTAS alert updates at www.dhs.gov/alerts or other government site.
Component Standard: This entity has personnel who regularly access the DHS NTAS site, or automatically receive updates from an accredited government site.
85 Low Awaiting Response!

SAI #17 - Conduct Regular Security Inspections

Component: This entity requires additional vehicle security inspections at any other times (vehicle left unattended, driver change, etc.).
Component Standard: This entity requires additional vehicle security inspections at any other times (vehicle left unattended, driver change, etc.).
88 Low Awaiting Response!

SAI #18 - Have Procedures for Reporting Suspicious Activities

Component: This company has policies requiring a written report be filed for suspicious activities observed.
Component Standard: This entity has policies requiring a written report be filed upon observing suspicious activity.
93 Low Awaiting Response!

SAI #19 - Ensure Chain of Custody & Shipment/ Service Verification

Component: No Low Priority Motor Coach Components for SAI #19
Component Standard: No Low Priority Motor Coach Components for SAI #19
94MC Low Not Applicable

Component: No Low Priority School Bus Components for SAI #19
Component Standard: No Low Priority School Bus Components for SAI #19
94SB Low Not Applicable

Component: X
Component Standard: X
96TR Low Not Applicable

SAI #20 - Pre-plan Emergency Travel Routes.

Component: This entity has identified alternate routes in the event primary routes cannot be used under certain security related emergencies.
Component Standard: This entity has identified and pre-planned alternate routes in the event primary routes cannot be used under certain security related emergencies.
99 Low Awaiting Response!
