
May 19, 2026
Expert Guide: Developing a Hazmat Security Plan Template
Create a compliant, audit-ready written security plan mapped to 49 CFR 172.800 requirements
Why a written transportation security plan matters
Under 49 CFR 172.800, anyone who offers for transportation or transports certain hazardous materials must have a written transportation security plan.
The rule requires a documented risk assessment, personnel security, measures to prevent unauthorized access, and en route security measures. The regulation also says the plan must be retained while in effect and reviewed at least annually.
This guide provides:
- A clear applicability checklist so you can quickly see which materials, quantities, or transport situations trigger the requirement.
- A modular template that covers the mandatory elements and maps roles and responsibilities to real jobs in your operation.
- Practical language you can adapt for highway, air, and vessel shipments, plus en route and stop‑over procedures.
- Training, recordkeeping, supplier integration, and self‑audit prompts to help keep the plan current and defensible.
Read on for a practical, compliant template you can adapt to your operations and transport modes.

Assess applicability quickly and build a modular plan framework
Not sure whether 49 CFR 172.800 applies to your operation? Start with a simple, repeatable checklist that answers one question: do you offer for transport or transport any listed materials, quantities, or situations that trigger the rule?
We recommend using a single table to capture handled materials, quantities, packaging, and transport modes. That approach makes it fast to spot triggers and document why a written security plan is required under 49 CFR 172.800.
What to capture in your applicability table
- Record the UN number or hazard class for each material handled so you can compare against the regulation list.
- Log the quantity in a single packaging and flag anything over the large bulk threshold of more than 3,000 kg or 3,000 liters.
- Note packaging type, such as cargo tank, portable tank, or tank car, since single‑packaging thresholds depend on package type.
- List transport modes used for that material: highway, air, rail, or vessel, because mode and placarding can trigger applicability.
- Add a quick yes/no column that maps each line to the specific 172.800 trigger clause for audit evidence.
Once applicability is clear, map the required plan sections directly to the regulation. That keeps your plan defensible and easy to update.
- Risk assessment and mitigation measures. Document site and transport risks and the controls you will use to address them.
- Personnel security. Describe applicant confirmation, background checks, and any ongoing monitoring for positions with access.
- Unauthorized access controls. List facility access, vehicle and conveyance security, visitor procedures, and inventory controls.
- En route security. Cover route planning, tracking, communication protocols, secure stops, and contingency actions during transit.
- Administrative items. Identify the senior management official by job title and assign security duties and training requirements.
Suggested file structure and who owns each section
- Main plan document with scope, senior management official, and signature page. Keep the current version here for easy access.
- Appendix A: Applicability table and current inventory of covered shipments and packagings.
- Appendix B: Risk assessments and route analyses used to select mitigation measures.
- Appendix C: Training records, attendance logs, and refresher schedules to support compliance during audits.
- Appendix D: Vendor assurances, carrier security practices, and contact rosters for incident response.
Assign responsibilities by job title so everyone knows what to do during a review or incident. For example, name a Director of Operations as the senior management official who owns the plan and updates.
- Director of Operations: overall plan owner and annual reviewer as required by PHMSA.
- Safety Manager: conducts the security risk assessment and maintains route analyses.
- HR Manager: manages background checks and personnel security documentation.
- Logistics Supervisor: keeps the applicability table and shipment inventory current.
- Training Coordinator: schedules security plan training and retains attendance records.
A clear table plus a modular plan file makes annual reviews and audits simple. If you want a ready checklist and role mapping template, see our guidance on mapping job roles to 49 CFR training for practical examples.

Run a defensible threat and vulnerability analysis, then assign controls and ownership
Want a risk assessment that stands up in an audit? Start with a structured, repeatable process so the logic is clear to inspectors.
We recommend following the PHMSA RMSEF approach: scope operations, record assets, identify threats, score vulnerabilities, and pick prioritized mitigations. That structure keeps assessments practical and repeatable for highway, air, and vessel operations.
Step-by-step threat and vulnerability analysis
- Scope operations by listing materials, packaging, modes, and locations so you know what the plan must cover.
- Document assets and activities such as storage areas, vehicles, key personnel, IT systems, and typical routes.
- Identify threats like theft, unauthorized access, sabotage, and cyber intrusion, and tie each threat to specific assets.
- Score vulnerabilities by likelihood and consequence so you can rank risks consistently across sites and over time.
- Select mitigations that match risk level and note why lower priority items were deferred, so reviewers see your decision path.
Document worksheets so auditors can follow your logic
Keep a dated assessment worksheet for every review showing inputs, scores, and mitigation choices. Include the reviewer name and version number so changes are traceable.
Retain threat matrices, vulnerability notes, and mitigation cost/benefit notes as appendices to the written security plan. Those records demonstrate you followed a systematic process and support audit defensibility.
Match role-based controls to assessed risks and document responsibility
- Physical controls: secure storage, controlled gates, lighting, surveillance, locks, and tamper-evident seals for vehicles and cargo.
- Procedural controls: inventory tracking, visitor logs, mandatory escorts in restricted areas, and written access policies tied to job functions.
- Personnel screening: verify applicant information and run background checks for roles with hazmat access, following applicable laws.
- Cyber controls: anti-malware, strong passwords, backups, restricted file access, and monitoring for industrial control systems that support hazmat operations.
- En route controls: approved route plans, GPS or telematics tracking, scheduled check-ins, secure-stop procedures, and clear contingency communications.
Assign each control to a job title, not a person, and record the verification method and frequency. For example, list "Logistics Supervisor: verify daily GPS check-ins and maintain the telematics log for 12 months."
Use simple verification tools auditors can read: signed checklists, electronic logs, badge-entry reports, training records, and telematics exports. Link role assignments to training requirements so staff know their duties and how compliance is verified.
Finally, review and update the assessment and control assignments at least annually, and when operations change. That aligns with the written security plan retention and review expectations under 49 CFR 172.800.
Need help mapping job titles to the responsibilities you document? See our guide on mapping roles to 49 CFR training for practical examples.

Training, records, supplier controls, and self-audits that pass DOT inspections
Worried an audit will flag missing training or sloppy records? Build the parts inspectors check most closely so you can prove compliance the moment an auditor asks.
We recommend defining initial, recurrent, and security‑plan‑specific training in your template. According to PHMSA guidance on training, security awareness is due within 90 days and recurrent training is required at least every three years.
Exactly what to capture in training logs
Keep a single training record per employee so auditors can find evidence fast. Each record should be complete and easy to read.
- Employee name and job title.
- Most recent training date and frequency category (initial, recurrent, in‑depth security).
- A description, copy, or storage location for the training materials used.
- Trainer name and contact information.
- Employer certification that the employee was trained and tested, and the type of test used.
Retain those records for three years from the last training date. Also keep them 90 days after an employee leaves the company.
Plan maintenance, version control, and employee notification
Make annual review mandatory in your template and require updates when operations change. When you revise the plan, notify every employee who implements it.
Add a revision table to the front of the plan that lists version number, revision date, a brief summary, and the reviewer name. Store the current version at your principal place of business and make it available on request as required by 49 CFR.
Supplier and carrier contract language plus essential appendices
Require carriers and suppliers to warrant basic security practices in writing. Ask for information on hiring, background checks, and ongoing security training.
- Include a clause requiring advance driver identity verification before loading.
- Request carrier security policies, insurance, and recent audit summaries.
- Require tamper‑evident seals and a reported chain of custody for high‑risk shipments.
Attach appendices that auditors expect. Cross‑reference them from the main plan so reviewers can find details quickly.
- Site maps and secure area diagrams.
- Emergency contact lists and response procedures.
- Job descriptions with specific security duties.
- Inventory spreadsheets and route analyses.
- Training materials and the full training log export.
Scaling controls and a compact self‑audit checklist
Small organizations can meet the rule with low‑cost, effective steps. Focus on training, a single controlled entry, lighting, inventory checks, and tamper‑evident seals.
For internal monitoring, run routine inspections, drills, and spot checks. Document findings and track corrective actions until closed.
- Verify training records for a sample of employees and confirm dates and test results.
- Inspect physical access controls and confirm locks, lighting, and visitor logs.
- Reconcile inventory records against physical stock for recent shipments.
- Review carrier vetting files and recent security assurances.
- Confirm the plan was reviewed within the last 12 months and implementer notification records exist.
Common audit failures include no written plan when required, weak site‑specific assessments, outdated training, and missed annual reviews. Avoid those by keeping simple, dated evidence for each requirement.
For a ready checklist and examples of organizing training files, see our guide on building an audit‑ready training file. You can also review what auditors typically expect before an inspection.

Practical next steps to adapt the template to your site
Want a plan inspectors will accept? Start by completing the applicability checklist so you know whether 49 CFR 172.800 applies. Then run a site‑specific risk assessment, assign trained implementers to each control, and log training and ownership. Finally, schedule the annual review and record any revisions.
A structured, well-documented plan reduces regulatory risk and inspection exposure. Keep the plan in writing, retain it while in effect, and review it at least annually. Common audit failures include no plan, weak assessments, inadequate training, and missed annual reviews.
Need hands‑on help customizing or defending your plan during an inspection? TMGI can assist with tailored security plans, role mapping, training files, and audit preparation. Call us at (866) 572-8644 or email twagner@tmgihazmat.com.
If you want examples and templates now, see our guides on tailoring security plans and building audit‑ready training files.













