The National Academies

NCHRP 20-124 [Active]

Deploying Transportation Security Practices in State DOTs

  Project Data
Funds: $698,636
Staff Responsibility: Stephan A. Parker
Research Agency: Critical Ops, LLC
Principal Investigator: Chelsea A. Treboniak
Effective Date: 1/22/2020
Completion Date: 7/21/2022
Comments: A continuation project was approved. Contract modification is in progress.


NCHRP Research Report 930: Security 101: A Physical and Cybersecurity Primer for Transportation Agencies, will be published in 2019. This primer provides updated information about current effective practices associated with the evolving physical and cyber security mission in surface transportation. The main audience for Security 101 is transportation personnel without a security background whose work requires them to address, perform, or supervise security activities as part of their overall job responsibilities. Although the document is designed for those with minimal or no formal security training or experience, the primer is also a handy reference guide sufficiently detailed to be of use to security professionals.

Translating the “what to do” from the primer to the real world (how to do it) is complex. Infrastructure planning, scoping, and design are essential to “designing-in” security. State departments of transportation (DOTs) vary in how they organize their activities. For example, many state DOTs share the role of security with other state agencies. This may include their State Homeland Security, Highway Patrol, and Offices of Emergency Management.  Policies among these entities outline roles and responsibilities in addressing security policies. Some allocate federal security funds. Many state DOTs depend on their Highway Patrol and/or local law enforcement to carry out the investigative and enforcement portion of security needs for their infrastructure. The roles and responsibilities of all parties may be outlined in a document commonly referred to as “Joint Operations Policy.” 

Research is needed to develop a strategy and a suite of supporting products and activities for deploying transportation security practices in state DOTs.


The objective of this research is to develop and support implementation of a comprehensive deployment and change management strategy for deploying transportation security practices in state DOTs.
The project should leverage useful resources such as the security guidelines recommended in the Security 101 primer and related material. See Special Note F.
The strategy should ensure the participation of other organizations involved in deploying security practices (e.g., emergency medical services, joint operation policies between DOTs and law enforcement) as well as the affected stakeholders (e.g., industries dependent on transportation services). Audiences for the security deployment strategy include state DOT executive managers, infrastructure planners and designers, field maintenance operations personnel, emergency managers, and security managers. Measurement of success will be the acceptance and implementation of the developed strategy in increasing security practices at the state DOTs.
Strategies must include guidelines for state DOTs to address a broad spectrum of security programs and practices from the perspectives of facility-based security, infrastructure-based security, and event-based security, including
  • Building security awareness as part of organizational culture;
  • Developing and updating of security design standards in bridge and facilities manuals;
  • Addressing cybersecurity in a comprehensive manner;
  • Incorporating security considerations into the planning and design processes;
  • Tracking the use of security design standards by state DOTs;
  • Securing design documents through the design, bid, and construction process; and
  • Recommending organizational changes and improvements in organizational structures to support deployment of security strategies.
Accomplishment of the project objective will require at least the following tasks.
Phase I
Task 1. Review and summarize relevant literature on deploying security in state DOTs. The project should leverage useful resources such as the 2019 NCHRP Research Report 930: Security 101: A Physical and Cybersecurity Primer for Transportation Agencies.
Task 2. Review current strategic physical and cybersecurity practices and related organizational structures across state transportation agencies (including staffing levels). Assess the gaps existing between commonly deployed practices and the recommendations appropriate to the threats and hazards of concern (e.g., states that are terrorism-focused, security-focused, or non-security-focused). Use the results of this review to support the development of project deliverables in Phase II. Identify clusters of agency types with similar characteristics to target for implementation and supporting activities in Phase II, such that each of the 50 state DOTs as well as those from the District of Columbia and Puerto Rico, is engaged in a multi-state, in-person activity.
Task 3. Develop a security guidelines deployment strategy and a revised work plan for Phase II. Develop draft plans and policies (or templates) for security practices implementation, workforce development, and change management at state DOTs. The work plan should include recommendations of appropriate learning and change management techniques for a state DOT to create a comprehensive deployment schedule. The resources should focus on CEOs for proclamations and executive orders; senior management to incorporate security issues into quarterly drills and exercises, as well as 2-page accountability plans or the like; and resource implementation plans for crews at the field level.
Task 4. Prepare an interim report on the findings and conclusions of Tasks 1 through 3. The interim report should include draft tables of contents for products that will be developed in Phase II and detailed plans for the Task 6 and Task 7 activities. The research plan shall provide a 2-month period for review and approval of the interim report. An interim meeting of the project panel to discuss the interim report with the research agency will be required. NCHRP will be responsible for the cost of panel member travel and will provide the meeting facility. For the interim meeting, provide a PowerPoint presentation suitable, upon revision, for posting on the NCHRP project webpage. The research agency shall not begin work on the remaining tasks without NCHRP approval.
Phase II
Task 5.  Develop training and educational courses and supplementary materials, such as train-the-trainer materials. Include self-evaluation materials in a capability maturity model. Include materials supporting an annual cycle of activities focused on preparing for incidents (e.g., active shooter) and special events (e.g., marathon, bridge walk, state fair, homecoming). Desired characteristics include
  • A list of terminal and enabling learning objectives for transportation emergency managers and staff;
  • Interactive, user-ready adult learning and retention approaches to training. Content should be delivered to meet different communications needs for a diverse workforce (e.g., mobile apps, tailgate talks); and
  • Scenarios and injects suitable to be presented as exercises or leveraged on an interactive technology-based solution [e.g., the Transportation Emergency Response Application (TERA)] that guides participants through exercises and documents their progress.
Task 6.  Based on the strategies, techniques, and approaches selected in Phase I, pilot test the lesson plans, training courses, checklists, and other materials for use in the deployment strategies.  
Task 7.  Plan and execute a series of multi-state activities to familiarize every state DOT and their security partners (including adjacent state DOTs) with security practices and implementation approaches (including the capability maturity model). Coordinate stakeholder outreach and engagement, and implement the deployment strategy using the materials developed in previous tasks.
Based on the approved Phase II work plan, conduct the following events, at a minimum:


  • At least one national workshop/training class of at least 6 hours;
  • At least four regional events – one per AASHTO Region of at least 4 hours;
  • At least two multi-state events of at least 4 hours to be hosted by state DOTs;
  • At least one nationally publicized webinar; and
  • At least six conference presentations, including one at a TRB Annual Meeting, one at an AASHTO Committee on Transportation System Security and Resilience (CTSSR) Annual Meeting, one at the AASHTO Committee on Bridges Annual Meeting, and one at the Great Lakes Homeland Security EXPO.


Proposers are encouraged to be creative in the selection of their proposed venues and events, identifying a diverse audience from field personnel to DOT executives. Co-locating and joint scheduling with existing meetings, conferences, and other training events is encouraged. Proposers should also recommend other ways to maximize the dissemination of the information collected and developed.



Task 8.  Final deliverables should include the following: (1) an implementation and change management strategy and all supporting lesson plans, scripts, training exercises, and all other didactic and experiential material developed in support of the strategy; (2) a final report summarizing the background research; (3) an updated interim meeting and PowerPoint presentation suitable, upon revision, for posting on the NCHRP project webpage; (4) a stand-alone, 1-page executive summary in a suitable format of text and graphics aimed at senior decision makers; (5) the Task 5 training and educational materials to achieve technology transfer of security practices; and (6) a summary report on the multi-state activities described in Task 7 .

Note: Following receipt of the draft final deliverables, the remaining 3 months shall be for NCHRP review and comment and for research agency preparation of the final deliverables.  




 Useful resources for this project include:




  1. NCHRP Research Report 930: Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. https://apps.trb.org/cmsfeed/TRBNetProjectDisplay.asp?ProjectID=4070
  2. AASHTO Fundamental Capabilities of Effective All-Hazards Infrastructure Protection, Resilience, and Emergency Management. https://ctssr.transportation.org/wp-content/uploads/sites/54/2017/10/Fundamental-Capabilities-of-Effective.pdf
  3. AASHTO Managing Catastrophic Transportation Emergencies: A Guide for Transportation Executives. https://ctssr.transportation.org/wp-content/uploads/sites/54/2017/10/Managing-Catastrophic-Transportation-Emergencies.pdf
  4. NCHRP Research Report 931: A Guide to Emergency Management at State Transportation Agencies. https://apps.trb.org/cmsfeed/TRBNetProjectDisplay.asp?ProjectID=4071
  5. National Infrastructure Protection Plan (NIPP) 2013: Partnering for Critical Infrastructure Security and Resilience. https://www.dhs.gov/publication/nipp-2013-partnering-critical-infrastructure-security-and-resilience
  6. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
  7. National Institute of Standards and Technology (NIST) Security and Privacy Controls for Information Systems and Organizations. https://csrc.nist.gov/CSRC/media//Publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf
  8. National Critical Infrastructure Security and Resilience R&D Plan. https://www.dhs.gov/sites/default/files/publications/National%20CISR%20R%26D%20Plan_Nov%202015.pdf
  9. TSA Intermodal Security Training & Exercise Program (I-STEP) provides exercise, training, and security planning tools and services to the transportation community.
  10. TSA Exercise Information System (EXIS) is an online exercise tool that provides users with resources to design, document, and evaluate exercises for all transportation modes. https://exis.tsa.dhs.gov
  11. TSA First Observer Plus is a security domain awareness training program focused on delivery of a simple message to highway transportation professionals: to “Observe, Assess, and Report” suspicious activities. https://tsa.gov/firstobserver  
  12. The DHS Vehicle Ramming Attack Mitigation Video assists with mitigating the evolving threat corresponding to vehicle ramming incidents by providing information and insightful technical analysis from public and private sector subject-matter experts. It leverages real-world events to provide recommendations for protecting organizations and individuals against potential vehicle ramming incidents. https://www.dhs.gov/human-resources-or-security-professional
  13. The FBI Partners in Prevention: Vehicle Rentals and Vehicle Ramming Video is intended to assist vehicle rental corporate security officials facilitate conversations with front-line employees about suspicious activity and behavior that may possibly be associated with someone planning a vehicle ramming attack. https://www.fbi.gov/video-repository/vehicle-rentals-vehicle-ramming-013019.mp4/view
  14. TSA Counterterrorism Guides are intended to provide awareness of specific considerations when developing and implementing your organization’s security and emergency plan. Request them at HighwaySecurity@tsa.dhs.gov.  
  15. The DHS Active Shooter Preparedness site provides products, tools, and resources to help prepare for and respond to an active shooter incident. https://www.dhs.gov/cisa/active-shooter-preparedness
A final report is in the publication process. A continuation project was approved. Contract modification is in progress.

To create a link to this page, use this URL: http://apps.trb.org/cmsfeed/TRBNetProjectDisplay.asp?ProjectID=4581