
June 9, 2026
How to Build an Audit‑Ready Written Security Plan (Template Checklist)
Stepwise checklist for creating a 49 CFR 172.800 security plan that satisfies auditors and minimizes exposure
Why a written security plan matters for your shipments
If you ship explosives, poisonous-by-inhalation (PIH) materials, or large bulk loads, regulators expect a written security plan. 49 CFR 172.800 requires a written security plan for the materials listed there. Failing to produce one invites audits and fines ranging from roughly $3,000 to $7,500.
This post gives a practical, regulation-aligned template checklist that tells you what to include and how to document it. It covers highway, air, and vessel movements so one plan can serve multi-modal operations. The checklist maps to personnel security, unauthorized access, and en route security from PHMSA's security requirements brochure, and it follows a stepwise structure for implementation, training, and annual review.

Which shipments and facility activities actually trigger a written security plan
Not sure whether a shipment or operation needs a written security plan? According to 49 CFR 172.800, anyone who offers for transportation or transports the listed hazardous materials in commerce must have a written security plan.
- Any quantity of explosives in Division 1.1, 1.2, or 1.3 triggers a plan.
- Any quantity of materials poisonous by inhalation (PIH) triggers a plan.
- Any quantity of select agents or toxins, IAEA/NRC Category 1 or 2 radioactive materials, or Highway Route Controlled Quantities triggers a plan.
- Any shipment that requires placarding under 49 CFR Subpart F triggers a plan. Examples include certain Division 1.4–1.6 explosives, Division 4.3, and uranium hexafluoride.
- Large bulk shipments in a single packaging also trigger a plan when they exceed defined thresholds.
- Large-bulk materials that commonly trigger a plan include Class 3 (PG I/II), Division 2.1, Division 2.2 with subsidiary 5.1, Division 4.2 (PG I/II), Division 5.1 (PG I/II), certain ammonium nitrate/perchlorates, Division 6.1 (excluding PIH), and Class 8 (PG I).
The term "large bulk quantity" is defined as more than 3,000 kg for solids or more than 3,000 liters for liquids and gases in a single packaging. See the regulatory definition for precise wording.
If you run multi-modal operations, one unified plan can cover highway, air, and vessel movements. PHMSA recommends integrating mode-specific rules while keeping the three core security elements: personnel security, unauthorized access, and en-route security. That means documenting who is responsible, how you verify carriers, and how you meet IATA or IMDG documentation when those modes are used.
When in doubt, treat the shipment as covered and document the decision and responsible job titles in your plan. That simple step helps you pass an audit and avoid fines.

Section-by-section checklist you can paste into a WSP
Want a written security plan auditors will accept? Start with the three elements required by regulation and map each one to concrete procedures. According to 49 CFR 172.802, your plan must include a transportation security risk assessment and measures for personnel security, unauthorized access, and en route security.
Below is a ready-to-use structure with short, regulation-aligned sample language and options you can scale for small, mid, or large operations.
Suggested section headings
- Transportation security risk assessment and mitigation measures.
- Personnel security and applicant verification procedures.
- Unauthorized access controls and visitor management.
- En route security and carrier verification procedures.
- Roles and responsibilities, naming the senior official by job title.
- Training requirements and recordkeeping.
- Annual review, version control, and change notifications.
- Implementation logs, incident reporting, and distribution records.
Sample regulatory-aligned phrasing
Risk assessment: "We conduct a site-specific transportation security risk assessment identifying hazards, threat scenarios, and proportional countermeasures."
Personnel security: "We verify applicant identity, employment history, and credentials for roles with access to covered hazardous materials, consistent with employment and privacy laws."
Unauthorized access: "Hazardous materials are stored in locked areas with access limited by role-based credentials and visitor escort procedures."
En route security: "Carrier and driver identity are verified at pickup. Shipments use preplanned routes and secure layover procedures appropriate to hazard level."
Senior official and duties: "The Director of Operations is responsible for plan development, implementation, and annual review. Job descriptions list specific security duties by role."
Training and records: "We provide security awareness to all hazmat employees and in-depth security training to implementers. Training records are retained per HMR requirements."
Review and version control: "The plan is reviewed at least annually and revised as necessary. All revisions are logged with date, author, and distribution list."
Documentation of implementation: "Maintain carrier checks, seal numbers, training certificates, incident reports, and distribution records at the principal place of business for audit review."
Scale this template to your facility
- Small operations: Use locked storage, single-point access control, and supervisor-led carrier checks. Keep concise logs and photographed seals.
- Mid-size operations: Add electronic badge access, CCTV with log retention, supplier vetting checklists, and a formal training schedule.
- Large operations: Maintain site-specific plans for each facility, dedicated security staff, automated audit trails, and formal supplier security agreements.

Audit‑Ready Evidence: What to Keep, How Long, and Fast Fixes
Want to pass an inspector with minimal stress? Keep a tight, easy-to-audit set of records that proves you follow your security plan.
Start with training files. We recommend a single employee record for each hazmat worker that shows training dates, the materials used, the trainer, and a certification of testing. According to PHMSA training guidance, those records must be kept for three years and 90 days after the employee stops hazmat duties.
- Training records: Keep the employee name, most recent completion date, copy or description of materials, trainer name/address, and a signed certification of testing.
- Plan review and version control: Log annual reviews, revision dates, author, and who was notified. Retain the current plan while it remains in effect.
- Incident reporting: Make telephonic NRC notification as soon as practicable, and no later than 12 hours for major incidents. Use the reporting procedures in PHMSA reporting instructions.
- Written incident reports: File DOT Form F 5800.1 within 30 days when telephonic criteria are met, and keep a copy for two years at your principal place of business.
- Shipping papers and manifests: Keep ordinary hazardous materials shipping papers for two years and hazardous waste manifests for three years.
- Drills and corrective actions: Document date, participants, the plan elements tested, results, and any corrective action taken. Keep the after-action review with the revised plan version.
Inspectors often flag missing training dates, unsigned certifications, outdated plan versions, and undocumented drills. Quick fixes include adding a training matrix, digitizing certificates for easy retrieval, and stamping each plan copy with a revision date.
For a ready-to-audit training file template and executive packet you can hand an inspector, see our guide on organizing hazmat training records. It shows practical templates and CAPA examples.

Turn the checklist into an audit‑ready plan
Start by confirming whether your operations trigger a written security plan under 49 CFR 172.800. Next, paste the checklist sections into a single document and name the senior official by job title. Run a gap‑focused self-audit against recordkeeping and training items, then schedule the required annual review and version control.
A concise, well-documented plan with clear responsibilities and retained evidence sharply reduces inspection risk and the chance of fines. Simple, high-impact fixes include centralized training files, photographed seal records, and stamped plan versions with a revision log.
Need help turning the checklist into a compliant, audit‑ready WSP? TMGI develops written security plans and organizes training records for multi-modal shippers. Call us at (866) 572-8644 or email twagner@tmgihazmat.com. We’re based in Strongsville, Ohio, and ready to help you lower regulatory risk.













