A PHMSA inspector conducting a compliance review at a chemical distribution company requests the company’s HAZMAT security plan. The safety manager hands over a three-page document that lists the company’s general security practices. The inspector reviews it and issues citations for three deficiencies: the plan does not address the specific security risks associated with the hazardous materials the company ships, the plan does not identify personnel responsible for implementing security measures, and the company’s HAZMAT employees have not received documented security training in the past three years.
Each deficiency is a separate violation under 49 CFR Part 172 Subpart I. The citations carry a combined civil penalty assessment and a required corrective action timeline. The safety manager’s position is that the company has never had a security incident and that the plan reflects their actual security practices. The inspector’s position is that the regulations do not require a security incident to have occurred for the security plan requirements to apply.
The HAZMAT transportation security regulations enacted following the September 11, 2001 attacks are among the most consistently under-implemented requirements in the Hazardous Materials Regulations. They apply broadly, they have specific content requirements, and their enforcement has been a sustained PHMSA priority. This guide explains what the law requires, who is covered, and where compliance most commonly fails.
PHMSA inspectors reviewing HAZMAT security plans evaluate three questions in sequence: Does the company have a written security plan? Does the plan address the content requirements of 49 CFR 172.802? Have all HAZMAT employees received security awareness training under 49 CFR 172.704(a)(4) and, where a security plan is required, in-depth security training under 172.704(a)(5)? A company that passes the first question but fails the second or third is still in violation. All three elements must be present and documented.
Who Is Required to Have a HAZMAT Security Plan
Under 49 CFR 172.800, a security plan is required for any person who offers for transportation in commerce or transports in commerce one or more of the following categories of hazardous materials:
- Any quantity of a material in Hazard Zone A or B (most toxic-by-inhalation materials)
- A highway route-controlled quantity of a Class 7 (radioactive) material
- More than 25 kg of a Division 1.1, 1.2, or 1.3 explosive
- More than 1 litre of a material in Packing Group I of Division 6.1 or a material in Division 2.3 (toxic gases)
- An International Shipment of Dangerous Goods in Packing Group I
- A select agent or toxin regulated by the CDC or USDA
- More than 3,000 kg of a Class 3 flammable liquid, Class 8 corrosive, or Division 5.1 oxidiser in a cargo tank or portable tank
- Bulk quantities (more than 3,000 kg) of Class 2 gases in a cargo tank
In addition, all carriers subject to the Federal Motor Carrier Safety Regulations who transport any quantity of hazardous materials are required to have a security plan under 49 CFR 390.15T.
Shippers and carriers who are unsure whether they meet the threshold quantities should review the full list at 49 CFR 172.800(b) and assess their shipments against each category. The threshold quantities are specific, and exceeding even one of them on even one shipment per year triggers the full security plan requirement.
The security plan threshold quantities in 49 CFR 172.800 are lower than most shippers expect. More than 25 kg of Division 1.1 explosive, more than 1 litre of a Packing Group I toxic liquid, and any quantity of a Hazard Zone A material trigger the requirement. A company that occasionally ships small quantities of high-hazard materials as part of a broader product line may not realise that those shipments subject the entire organisation to the security plan requirement. The plan requirement applies to the company, not to individual shipments. One qualifying shipment per year is sufficient to make the security plan mandatory.
Required Content of the HAZMAT Security Plan
Under 49 CFR 172.802, the security plan must address the security risks associated with the specific hazardous materials offered for transportation or transported by the covered entity. A generic security plan that addresses security in general terms without reference to the specific materials, modes, and routes involved does not satisfy the content requirement.
The three required elements of a compliant security plan are:
1. Personnel security: The plan must include procedures to confirm the employment background of new employees who will have access to or responsibility for hazardous materials shipments. The specific background confirmation methods required are not prescribed, but the plan must describe what the company does to screen and confirm the trustworthiness of personnel in HAZMAT roles. At minimum this means a description of the hiring and screening process for HAZMAT employees.
2. Unauthorised access: The plan must include measures to address the risk of unauthorised access to hazardous materials during transportation. This means physical security procedures for facilities where HAZMAT is stored or staged for transport, access control measures for vehicles carrying HAZMAT, and procedures for what drivers and handlers should do if they observe or suspect unauthorised access to a HAZMAT shipment.
3. En route security: The plan must include measures to address the security of hazardous materials during transport. For motor carriers, this includes procedures for parking and attendance of vehicles carrying high-hazard materials, communication protocols for drivers, and what to do if a vehicle is followed or if suspicious activity is observed. For shippers, this includes procedures for verifying the identity and authority of carriers before releasing a HAZMAT shipment.
The plan must be in writing. It must be retained for as long as it remains in effect and for 180 days thereafter. It must be reviewed and updated on a regular basis as circumstances change. The plan must be accessible to PHMSA and DOT inspectors upon request and must not itself be posted publicly or shared in ways that could compromise security.
The most common security plan deficiency found during PHMSA inspections is a plan that describes physical facility security measures (locks, cameras, fencing) without addressing the three specific content areas of 49 CFR 172.802. A plan that documents that the warehouse has badge access and CCTV but does not address personnel screening procedures, unauthorised access to in-transit shipments, or en-route security measures for drivers is non-compliant even if the physical security described is excellent. The plan must track the regulatory structure, not the company’s preferred framing of security.
Security Training Requirements: Two Distinct Obligations
The HAZMAT security training requirements under 49 CFR 172.704 create two distinct obligations that apply to different populations of employees:
Security awareness training (49 CFR 172.704(a)(4)): Required for all HAZMAT employees, defined broadly as any person employed by a hazmat employer who in the course of employment directly affects hazardous materials transportation safety. This includes everyone who prepares HAZMAT for shipment, loads or unloads HAZMAT, operates a vehicle carrying HAZMAT, or is responsible for the safety of a vehicle carrying HAZMAT. Security awareness training must cover: how to recognise and respond to possible security threats, including suspicious packages, suspicious persons, and suspicious inquiries about HAZMAT movements; the employee’s role in implementing the company’s security plan; and the procedures for reporting security concerns. This training must be provided before an employee performs HAZMAT functions for the first time and must be repeated as necessary to maintain current knowledge, but no specific recurrence interval is mandated.
In-depth security training (49 CFR 172.704(a)(5)): Required only for employees of companies that are required to have a security plan under 49 CFR 172.800. This training must be specific to the company’s security plan and must cover the specific security risks associated with the hazardous materials the company handles, the measures in the plan that address those risks, and how to implement those measures. In-depth security training must occur before the employee performs functions covered by the security plan and must be repeated at least every three years.
Companies subject to the security plan requirement frequently provide only security awareness training to all employees and do not implement the separate in-depth security training requirement for HAZMAT employees. Security awareness training satisfies 172.704(a)(4) but does not satisfy 172.704(a)(5). Employees who work for a company with a security plan and whose functions are covered by that plan must receive both types of training, separately documented. PHMSA inspectors review training records to confirm that plan-covered employees have completed both training types within the required timeframes.
Civil Penalty Exposure and PHMSA Enforcement Pattern
PHMSA civil penalties for HAZMAT security violations are assessed under 49 U.S.C. 5123. The current penalty schedule sets a maximum of $84,425 per violation per day for general violations and up to $196,992 per violation for violations that result in death, serious illness, or severe injury. PHMSA’s enforcement pattern for security plan violations typically involves:
- Missing or inadequate security plan: Assessed as a serious violation. Typically cited as a single violation per inspection rather than per shipment, but the absence of any security plan at a company subject to the requirement has resulted in penalty assessments at the upper range of the serious violation schedule.
- Missing or inadequate security training: Assessed per employee class where training is missing. A company with 12 HAZMAT employees who have not received in-depth security training may face 12 separate training violation citations or a consolidated citation depending on inspector discretion and the company’s enforcement history.
- Security plan not accessible: A company that has a security plan but cannot produce it during an inspection is cited for failure to maintain required records under 49 CFR 172.802(c), in addition to any substantive plan deficiency findings.
PHMSA’s Hazardous Materials Inspection and Compliance Activity report documents security plan compliance as a recurring enforcement priority. Companies that have received prior citations for security plan deficiencies and have not completed required corrective actions face repeat violation penalty multipliers.
Knowledge Check
Test your understanding of HAZMAT security plan and training requirements.
Yes. The security plan requirement under 49 CFR 172.800 applies to any person who offers for transportation in commerce or transports in commerce the covered materials. A freight broker who offers hazardous materials for transportation by arranging and tendering a shipment is an offeror subject to the HMR. Chlorine (Division 2.3, Hazard Zone B) triggers the security plan requirement for any quantity. The broker is required to have a written security plan addressing the three required content areas of 49 CFR 172.802, and employees of the broker who perform HAZMAT functions are required to receive both security awareness and in-depth security training.
No, for the 8 employees whose training is 38 months old. In-depth security training under 49 CFR 172.704(a)(5) must be provided before an employee performs HAZMAT functions covered by the security plan and must be repeated at least every three years (36 months). Employees whose in-depth security training was completed 38 months ago have exceeded the three-year recurrence requirement and are out of compliance. The company must complete refresher in-depth security training for those 8 employees before the next inspection. The 7 employees hired within the past 18 months whose training is current are in compliance. PHMSA inspectors routinely audit training recurrence dates and calculate elapsed time from the most recent training record for each employee.
The plan does not address the three content areas required by 49 CFR 172.802. Badge access and CCTV address physical facility security, which is relevant to but not sufficient for a compliant security plan. The plan must address: (1) personnel security procedures for screening and confirming the trustworthiness of HAZMAT employees, (2) measures to prevent unauthorised access to hazardous materials during transportation (not only at the facility), and (3) en-route security measures for vehicles carrying HAZMAT. A plan that documents facility physical security without addressing these three specific regulatory content areas is non-compliant regardless of how strong the physical security actually is. The plan must track the structure of 49 CFR 172.802, not the company’s natural framing of security.
HAZMAT Security Compliance Checklist
✓ Determined whether any shipment meets the threshold quantities in 49 CFR 172.800(b) that trigger the security plan requirement
✓ Written security plan exists and addresses the three required content areas: personnel security, unauthorised access, and en-route security
✓ Plan is specific to the hazardous materials handled, transport modes used, and routes operated – not generic
✓ Plan identifies the personnel responsible for implementing each security measure
✓ Plan is retained in writing and accessible to PHMSA and DOT inspectors on request
✓ Plan has been reviewed within the past year and updated to reflect any changes in materials, operations, or personnel
✓ All HAZMAT employees have completed security awareness training under 49 CFR 172.704(a)(4) before first performing HAZMAT functions
✓ All HAZMAT employees covered by a security plan have completed in-depth security training under 49 CFR 172.704(a)(5) at hire and within the past 36 months
✓ Training records document employee name, training date, content covered, and trainer or provider
✓ Security plan and training records are retained for the required period (plan: 180 days after expiry; training: 3 years)
Sources
- 49 CFR Part 172 Subpart I: Safety and Security Plans (172.800-172.822)
- 49 CFR 172.704: Training Requirements (Security Awareness and In-Depth Security Training)
- PHMSA: Hazardous Materials Security Plan Requirements Guidance
- PHMSA: Hazardous Materials Civil Penalty Policy and Schedule
- 49 CFR 172.700-704: Hazmat Employee Training Requirements


