PRIA Logo
Back to search
GovernmentHomeland Security

Surface Transportation Security — Rail, Transit, and Bus Security Programs

17 min read·Updated May 14, 2026

Surface Transportation Security — Rail, Transit, and Bus Security Programs

Most people think of airport security when they think of the Transportation Security Administration (see TSA and Transportation Security), but TSA's statutory mandate extends far beyond aviation. The Implementing Recommendations of the 9/11 Commission Act of 2007 created a comprehensive surface transportation security framework covering public transit, passenger rail, freight railroads, and over-the-road buses. The framework requires DHS to complete risk assessments for each mode, forces high-risk operators to develop security plans, funds grants for physical and cyber security improvements, mandates background checks for frontline employees, protects employees who report security concerns from retaliation, and requires regular security exercises to test response plans. Annual grant funding for transit security alone has exceeded $100 million per year, with grant recipients including New York's MTA, Chicago's CTA, and smaller transit systems in high-risk areas. For the millions of Americans who commute by subway, commuter rail, or bus — and for the freight shippers who depend on rail networks — understanding this framework explains how the federal government decides where to put security resources and what standards apply.

Current Law (2026)

ParameterValue
Core statutes6 U.S.C. §§ 1131–1169 (Implementing Recommendations of the 9/11 Commission Act of 2007, surface transportation provisions)
Administering agencyTSA (surface division) within DHS; Federal Transit Administration (FTA) for transit grants
National strategy requirementDHS must maintain a national strategy for public transportation security and a separate strategy for railroad security, updated periodically
Grant programsTransit security grants (§ 1135); Amtrak-specific security grants (§ 1164); railroad security assistance grants (§ 1163)
Security planningHigh-risk transit agencies and railroads must develop and submit security plans after completing vulnerability assessments
Employee protectionsTransit agency employees and contractors who report security threats or vulnerabilities are protected from retaliation (§ 1142)
Background checksFrontline transit employees must be subject to security background checks including terrorism watch-list checks (§ 1143)
Security exercisesDHS must administer security exercises for transit agencies and railroads to test response plans
Amtrak funding authorityDedicated grant authority for Northeast Corridor tunnel fire/life safety upgrades and Amtrak systemwide security improvements
  • 6 U.S.C. § 1132 — Congressional findings: Congress determined that 182 terrorist attacks on transit systems worldwide (as of 2007) demonstrated serious national security need; transit systems are high-value targets because of the volume of passengers, difficulty of screening, and open access architecture
  • 6 U.S.C. § 1133 — National Strategy for Public Transportation Security: DHS must create and maintain a national strategy coordinating federal, state, local, and private sector roles; strategy must identify priorities, define roles, and establish performance measures
  • 6 U.S.C. § 1134 — Security assessments and plans: FTA must provide DHS with all public transportation security assessments; DHS must write rules requiring any transit agency it designates as high-risk to develop a comprehensive security plan addressing vulnerabilities identified in the assessment
  • 6 U.S.C. § 1135 — Transit security grants: DHS administers grants (see also Homeland Security Grants) to public transportation agencies for capital security improvements, operational costs of security programs, training, exercises, and related activities; grants are prioritized based on risk — population served, ridership, threat history, and vulnerability
  • 6 U.S.C. § 1136 — Security exercises: DHS must conduct periodic security drills for public transit operators; exercises must be designed to test plans, identify gaps, and improve coordination with first responders; agencies must participate in at least one exercise every 3 years
  • 6 U.S.C. § 1137 — Training program: DHS must establish a training program for frontline transit employees covering recognizing suspicious behavior, reporting procedures, and response protocols; program content must be updated as threat environment evolves
  • 6 U.S.C. § 1140 — Threat assessments: DHS must run name-based terrorist watch-list and immigration law violation checks on frontline public transportation workers; the requirement covers both employees of agencies and contractor employees with access to secure areas
  • 6 U.S.C. § 1142 — Employee protections: public transit agencies, their contractors, and managers may not discharge, demote, or retaliate against any employee who reports a security threat, vulnerability, or violation; employees who experience retaliation may file a complaint with the Secretary of Labor
  • 6 U.S.C. § 1161 — Railroad transportation security risk assessment: DHS (with DOT and DOD) must maintain a national risk assessment for railroad transportation; TSA must tier railroads by risk level and require high-risk carriers to develop security plans and submit to vulnerability assessments
  • 6 U.S.C. § 1162 — Railroad carrier assessments and plans: within 12 months of the 2007 Act, DHS was required to establish regulations requiring high-risk tier railroad carriers to complete security assessments and develop security plans; plans must address passenger security, employee security awareness, and coordination with law enforcement
  • 6 U.S.C. § 1163 — Railroad security grants: DHS may award grants to railroad carriers for security equipment, employee training, security exercises, and fire/life safety improvements; Amtrak and commuter railroads are primary grant recipients alongside Class I freight railroads in high-risk areas
  • 6 U.S.C. § 1164 — Amtrak systemwide security upgrades: dedicated authority for DHS grants to Amtrak covering physical security infrastructure, security technology deployment, and threat response improvements
  • 6 U.S.C. § 1165 — Fire and life safety: dedicated grant authority for upgrades to Northeast Corridor tunnels (particularly Baltimore and New York) — including ventilation improvements, communication systems, and evacuation infrastructure

How the Program Is Organized

Surface transportation security is divided into three modes:

Public transit (subways, light rail, commuter rail, buses): The Federal Transit Administration maintains day-to-day grant relationships with transit agencies; TSA maintains the security oversight function. DHS conducts vulnerability assessments at major transit systems and works with agencies to prioritize capital investments in security cameras, communications systems, passenger screening where feasible, and employee training.

Passenger and freight railroads: TSA's surface division regulates railroad security with a risk-tiered approach. Tier 1 railroads (the largest passenger and freight carriers) are subject to the strictest requirements — mandatory security coordinator designations, incident reporting to TSA within specified timeframes, and regular government inspections. TSA inspectors conduct thousands of surface security inspections per year at rail facilities.

Over-the-road buses and motor coaches: Long-distance bus carriers and motorcoach operators are also covered, with requirements for security awareness training and coordination with local law enforcement along high-risk routes.

Grants drive most improvements: Because DHS cannot mandate spending by state and local transit agencies without federal funds attached, the grant programs are the primary mechanism for upgrading security infrastructure. Grant priorities shift based on current threat assessments. Post-COVID, DHS has emphasized cybersecurity for operational technology (train control systems, fare payment infrastructure) alongside traditional physical security.

Who Gets the Money and How

Transit security grants are competitive and risk-based. Urban areas with the highest ridership and threat profiles — New York, Washington, Chicago, Los Angeles, Boston, San Francisco, and a handful of others — receive the vast majority of transit security funding. DHS prioritizes:

  • Transit agencies that have experienced attacks or credible threats
  • Systems serving high-density urban cores
  • Agencies with aging infrastructure that creates safety-security overlaps (tunnel ventilation, emergency communications)
  • Projects using proven security technology with defined risk-reduction benefits

Agencies apply through a formula that combines ridership numbers, system complexity, threat assessments, and prior security audit findings. Smaller transit systems with lower ridership can still receive grants but typically receive smaller amounts; some regional consortia pool grant applications to access larger awards.

How It Affects You

<!-- pria:personalize type="impact" -->

If you commute daily by subway, rail, or bus: The security infrastructure you use — cameras, emergency intercoms, platform surveillance, employee recognition training — is substantially funded through DHS transit security grants authorized under 6 U.S.C. § 1135. Your city's transit agency applied for and received competitively awarded federal security dollars to install these systems. The background check requirements under § 1140 mean the transit operators, station agents, and maintenance workers you encounter have been screened against terrorism watch lists. If you see something suspicious — an unattended bag, suspicious behavior, a person tampering with infrastructure — most major transit agencies maintain anonymous tip lines tied directly to their security operations centers; New York's MTA uses 511 and mta.info/safety; WMATA (Washington DC) uses 202-962-2121; and the "See Something, Say Something" campaign provides a national framework (dhs.gov/see-something-say-something). Transit security incidents have declined significantly since the post-9/11 framework was implemented, but crowded, open-access environments remain the hardest security problem in transportation.

If you work for a transit agency or commuter railroad: Federal law protects you from retaliation if you report a security threat, vulnerability, or violation to your employer, DHS, or any law enforcement agency (6 U.S.C. § 1142). The protection covers both employees of the transit agency and contractor employees with access to transit facilities. If you're retaliated against for reporting — demoted, reassigned, fired — you can file a complaint with the Secretary of Labor; the DOL Occupational Safety and Health Administration handles transit security whistleblower complaints under its surface transportation whistleblower program at osha.gov/whistleblower-protection-programs. If your agency has received DHS transit security grants, those funds come with compliance requirements: participation in TSA security exercises (at least once every 3 years under § 1136), completion of DHS security training for frontline employees, and adherence to the security plan your agency submitted as a condition of the grant.

If you work in grants management or security planning at a transit agency: Transit Security Grant Program (TSGP) awards are competitive, risk-based, and announced annually by DHS through FEMA's grants program. Applications go through the Homeland Security Grant Program (HSGP) process — your state administrative agency coordinates the application, and you must demonstrate how your project reduces a specific risk identified in a DHS-approved vulnerability assessment. Award amounts have ranged from a few hundred thousand dollars for smaller systems to tens of millions for the largest agencies. Post-COVID, DHS has explicitly prioritized cybersecurity for operational technology — train control systems, fare payment infrastructure, supervisory control and data acquisition (SCADA) systems — alongside physical security. If your agency hasn't updated its security plan to include cyber risk, your competitive ranking will suffer. TSA's Surface Division conducts inspections of Tier 1 rail operators and maintains a liaison program for transit agencies; contact your regional TSA office through tsa.gov/for-industry/surface.

If you work in railroad operations or compliance: TSA's Security Directives issued since 2021 are legally binding for freight and passenger railroads — they require cybersecurity coordinator designation, incident reporting to CISA within 24 hours, and documented cyber incident response plans. Class I freight railroads (BNSF, Union Pacific, CSX, Norfolk Southern, CN's U.S. operations, and CPKC — the 2023 Canadian Pacific–Kansas City Southern merger) are Tier 1 under TSA's risk tiering and subject to the strictest requirements, including regular on-site TSA surface inspections. TSA's security inspection program for railroads is administered through its Surface Inspector workforce — inspectors can require access to facilities, security plans, and records. Tier designation disputes and plan approval questions should go through your TSA-assigned surface inspector or the TSA Transportation Sector Network Management office at tsa.gov/for-industry/surface.

<!-- /pria:personalize -->

Implementing Regulations

TSA's surface transportation security regulations live in 49 CFR Parts 1570–1584:

  • 49 CFR Part 1570 — General Rules (TSA surface and maritime security): the framework Part that establishes general security program requirements applying across all surface and maritime modes regulated by TSA:

    • § 1570.1 — Scope: Part 1570 applies to any person involved in maritime or surface transportation as specified in the subchapter — including freight railroads, passenger rail, transit, over-the-road bus, and certain maritime operations; the modes covered are those separately detailed in Parts 1580 (freight rail), 1582 (public transportation and passenger rail), and 1584 (over-the-road bus)
    • § 1570.101 — Security program structure: each operator required to have a security program must develop a written program that addresses all requirements in the applicable subpart; the security program is not a public document — operators submit it to TSA on a controlled-access basis; TSA reviews and may approve, approve with modifications, or reject security programs; an approved security program is a binding compliance commitment
    • § 1570.103 — Security program content: required elements include identification of a primary Security Coordinator (a specific named individual with 24/7 contact information); reporting protocols for security incidents, suspicious activities, and requests for security information from TSA; procedures for applying and maintaining security measures; and a process for employees to report security concerns; post-2021 TSA Security Directives added mandatory cybersecurity coordinator designation and 24-hour CISA cyber incident reporting as additional required program elements
    • § 1570.105 — Higher-risk operation determinations: TSA determines which operators are subject to the most demanding requirements in the subparts (Parts 1580–1584) based on risk tier; higher-risk determinations consider passenger volume or freight moved, security threat history, consequence of disruption to the transportation network, and known vulnerability; a transit authority's tier classification is determinative of which specific security measures it must implement; operators that dispute their tier designation may petition TSA

  • 49 CFR Parts 1580/1582/1584 — Mode-specific rules: freight railroads (Part 1580), public transportation and passenger rail (Part 1582), and over-the-road bus operators (Part 1584) each have dedicated security program requirements, Sensitive Security Information (SSI) handling protocols, and threat response procedures; Tier I freight railroad requirements include specific cyber incident reporting timelines (24 hours to CISA), chain-of-custody documentation for certain hazmat rail cars, and physical security measures at critical facilities

  • 49 CFR Part 1582 — Public Transportation and Passenger Railroad Security (6 sections — TSA's primary security framework for Amtrak, commuter rail operators, subway and light rail systems, and other rail transit agencies; the implementing regulation for mandatory security training programs for security-sensitive employees):

    • § 1582.1 — Scope: applies to passenger railroad carriers (Amtrak and intercity/commuter rail), public transportation agencies (subway, light rail, bus rapid transit, and similar systems), and rail transit systems not operating on the general railroad system; specific operators subject to the full security program requirements are listed in Appendix A
    • § 1582.5 — Preemptive effect: under 49 U.S.C. § 20106, the Part 1582 regulations preempt any state law, regulation, or order covering the same subject matter — except for additional or more stringent state requirements that are necessary to eliminate or reduce an essentially local security hazard and are not incompatible with federal requirements; this preemption provision establishes TSA's requirements as the federal floor for passenger rail and transit security, while preserving state authority to exceed the floor for locally identified threats
    • § 1582.101 — Applicability: Amtrak and the higher-risk operators listed in Appendix A, and any operator serving as a host railroad to freight or another passenger rail operation, must adopt a full security training program; smaller operators not in Appendix A must comply with training requirements under §§ 1582.113 and 1582.115 but are not subject to the full security program requirement — a two-tier structure based on the operator's size and passenger volume
    • § 1582.113 — Security training program general requirements: each operator required to have a program must adopt and carry out a written security training program; the program must identify the operator by name; designate a Security Coordinator responsible for implementing the program; describe security-sensitive job functions covered (Appendix B lists them, including train operations, platform work, dispatch, security monitoring, and maintenance work in passenger areas); document the training content and frequency; and provide for recordkeeping sufficient for TSA audit
    • § 1582.115 — Training for security-sensitive employees: no operator covered by § 1582.101 may use a security-sensitive employee to perform a security-sensitive function unless that employee has completed the required training; the training must cover terrorism awareness (recognizing suspicious activities, packages, and behavior); emergency response procedures; evacuation procedures; threat reporting protocols; and how to communicate with law enforcement and emergency responders; the training is designed to make every transit frontline employee a potential sensor for suspicious activity rather than placing security entirely on dedicated security personnel

    Part 1582 is the operational backbone of surface passenger rail security. Amtrak trains carry approximately 32 million passengers per year across 500+ stations; commuter rail and transit systems carry billions more. Unlike aviation, rail and transit operate without pervasive passenger screening — the security model relies primarily on trained employee awareness, CCTV, police presence, and targeted screening of suspicious individuals. Part 1582's security training requirement ensures that the many thousands of frontline transit and rail employees — conductors, platform personnel, station agents, maintenance workers — receive standardized training in what to look for and what to do when they spot it. Recent rulemakings: TSA Security Directives issued 2021–2023 added cybersecurity coordinator designation and incident reporting requirements to Part 1582 operator obligations beyond what the formal regulation specifies.

  • 49 CFR Part 1584 — Highway and Motor Carrier Security (5 sections — TSA's security training framework for over-the-road bus (OTRB) operators, intercity motor carriers of passengers, and school bus operations; the surface-mode counterpart to Part 1582's transit and passenger rail training requirements):

    • § 1584.1 — Scope: applies to operators of over-the-road buses — motor coaches used in fixed-route intercity service (Greyhound, FlixBus, Megabus), charter services, and other bus operators meeting specified criteria; unlike passenger rail (where Amtrak and transit agencies are large, identifiable entities), the OTRB sector includes hundreds of smaller carriers operating across the country
    • § 1584.101 — Applicability: the security training requirements apply specifically to operators identified in Appendix A to Part 1584 (higher-risk OTRB operators based on passenger volume and route characteristics) plus any operator that TSA determines is a higher-risk operation under § 1570.105; smaller OTRB operators not in Appendix A must comply with baseline training requirements under §§ 1584.113 and 1584.115 but are not subject to the full security program requirement
    • § 1584.113 — Security training program general requirements: each covered operator must adopt and implement a written security training program that designates a Security Coordinator; identifies security-sensitive employees and job functions (Appendix B to Part 1584 lists them, including drivers, ticket agents, and baggage handlers); and describes training content and recordkeeping; the program is treated as SSI
    • § 1584.115 — Training for security-sensitive employees: no covered operator may use a security-sensitive employee to perform a security-sensitive function unless the employee has completed the required security awareness training; the training covers recognizing suspicious activity, packages, and behavior; emergency response; evacuation procedures; and communications with law enforcement; the training must be updated when TSA-identified threats or security requirements change

    The OTRB security training framework mirrors Part 1582's structure but is adapted to the motor carrier context. Over-the-road bus services present distinct security challenges: buses stop at multiple terminals in different cities (unlike rail stations with fixed infrastructure), carry passengers whose luggage is stored in external cargo bays with limited screening, and use a driver-centered security model without dedicated on-board security personnel. The Part 1584 training requirement ensures that bus drivers and terminal staff receive standardized awareness training — the primary line of defense in a sector that cannot practically implement airport-style screening for every passenger.

  • 49 CFR Part 15 — Protection of Sensitive Security Information (DOT) (10 sections — DOT's own SSI protection framework, parallel to TSA's 49 CFR Part 1520; governs SSI designation, handling, marking, and disclosure for DOT programs outside TSA's direct jurisdiction, implemented under 49 U.S.C. § 40119):

    Sensitive Security Information (SSI) is a category of sensitive-but-unclassified security information that the government can withhold from the public and from FOIA disclosure — but that is not classified national security information. The TSA administers SSI designation for aviation and surface transportation programs under 49 CFR Part 1520; DOT Part 15 covers SSI for DOT programs where the Secretary of Transportation (not TSA) is the designating authority. In practice, Part 15 applies to security-related information in railroad, pipeline, maritime, and other DOT programs.

    • § 15.1 — Scope: Part 15 governs SSI that the Secretary of Transportation has designated; it does not apply to classified national security information (governed by Executive Order 12968), to other sensitive unclassified information exempt under FOIA on other grounds, or to critical infrastructure information designated under Section 214 of the Homeland Security Act (which has its own separate protective regime)
    • § 15.5 — What is SSI: SSI includes security programs, contingency plans, vulnerability assessments, security directives, threat information, inspection reports, and other information that reveals vulnerabilities or security measures in transportation systems; the definition mirrors the categories in TSA's Part 1520 but is administered by DOT rather than TSA for the covered programs
    • § 15.11 — Need-to-know standard: a person has need-to-know SSI when: (1) they require it to carry out transportation security activities approved, funded, or directed by DHS or DOT; (2) they are training for such activities; (3) they need it to supervise persons carrying out such activities; (4) they need it to provide legal or technical advice to a covered person on transportation security law; or (5) they need it to represent a covered person in judicial or administrative proceedings about security requirements; Federal employees have need-to-know if access is necessary for official duties; contractors have need-to-know if it is included in their contract scope
    • § 15.13 — Marking SSI: paper records containing SSI must bear the protective marking "SENSITIVE SECURITY INFORMATION" on the top and the standard distribution limitation warning at the bottom of each page, title page, and cover; the distribution warning states that the record contains SSI controlled under 49 CFR Parts 15 and 1520, that unauthorized release may result in civil penalty or other action, and that federal agency disclosure is governed by 5 U.S.C. § 552 (FOIA); non-paper records (electronic files, audio recordings) must be similarly marked
    • § 15.15 — FOIA and disclosure: SSI is not available for public inspection or copying, and DOT does not release SSI to persons without need-to-know — notwithstanding FOIA, the Privacy Act, or other laws; if a record contains both SSI and non-SSI, DOT may disclose the record with SSI redacted in response to a FOIA request; Congress and GAO may receive SSI; courts may receive SSI under protective order in judicial proceedings
    • § 15.17 — Consequences of unauthorized disclosure: violation of Part 15 is grounds for civil penalty, other enforcement action, and corrective action (including retrieval orders and orders to cease disclosure); Federal employees may face personnel actions in addition to civil penalties
    • § 15.19 — Destruction: SSI must be destroyed using appropriate methods (shredding for paper; degaussing or physical destruction for electronic media) when no longer needed; holders of SSI are responsible for its secure destruction

    Part 15 and TSA's parallel Part 1520 create a two-agency SSI framework for transportation security information. In practice, most SSI that arises in surface transportation contexts (freight railroad security plans, transit vulnerability assessments, pipeline security directives) is marked under Part 1520 (TSA-designated) rather than Part 15 (DOT-designated). Part 15 matters most for DOT programs where the Secretary retains direct SSI authority — for example, PHMSA pipeline security information or FRA railroad security directives that DOT rather than TSA has originated. The SSI framework has been litigated in cases where parties in administrative proceedings sought access to government SSI evidence under procedural due process claims; courts generally uphold SSI protection while requiring that parties be given meaningful notice of the security concerns driving enforcement actions.

State Variations

State and local governments fund most transit and railroad security spending — federal grants supplement but do not replace state and local investment. Several states (New York, California, Illinois, Massachusetts, New Jersey) have their own transit security offices and standards that exceed federal minimums. State emergency management agencies coordinate with TSA on exercise planning and information sharing. The distribution of grant funds between TSA and FTA creates some administrative complexity — agencies must navigate both DHS and DOT oversight requirements for security grant awards.

Pending Legislation

Congressional interest in cybersecurity for operational technology on transit systems and railroads has intensified since several high-profile ransomware incidents against transit agencies. Proposed legislation would expand DHS grant eligibility for cybersecurity hardening of industrial control systems and add mandatory incident reporting requirements for transit agencies that experience cyber incidents affecting operations.

Recent Developments

TSA has published Security Directives since 2021 requiring freight and passenger railroads to designate cybersecurity coordinators, report cybersecurity incidents to CISA within 24 hours, and develop cyber incident response plans — extending mandatory requirements into cybersecurity alongside the physical security requirements. The COVID-19 pandemic reduced transit ridership dramatically and shifted grant priorities toward maintaining basic security operations at reduced-ridership systems. Post-COVID recovery has led to renewed focus on fare evasion and public safety on transit, with some major agencies requesting DHS assistance in addressing open-platform security challenges.

At My Address

See how Surface Transportation Security — Rail, Transit, and Bus Security Programs plays out in your area

Pull up the federal-data report for any U.S. ZIP — federal spending, environmental risk, hospitals, schools, your reps, all on one page.

Enter your address