.png)
.png)
A comprehensive, agency-by-agency playbook for staying audit-ready — powered by Nexus
DOT drug & alcohol compliance is one of the few HR/compliance functions where administrative gaps can become operational failures with massive consequences: missed tests, incomplete documentation, delayed reporting, audits that derail schedules, and fines that diminish leadership trust.
The hard part isn’t understanding the rules. It’s running the rules consistently — across supervisors, locations, safety-sensitive roles, and potentially multiple DOT agencies.
This guide breaks compliance into a practical framework, and discusses agency-specific requirements for FMCSA, FAA, FRA, and FTA, with the Nexus approach baked in.
The DOT Compliance Structure
Most DOT programs are governed by two layers:
- 49 CFR Part 40 = DOT-wide testing procedures (how collections, labs, MRO processes, results handling, and return-to-duty steps must be executed).
- Agency rules (FMCSA / FAA / FRA / FTA) = who is covered, required testing circumstances, random testing rates, and agency-specific reporting.
Where Nexus fits: Nexus is built to run this as a single compliance operating system — multi-agency rule sets in one overarching company, with workflows, records, and reporting aligned to how audits actually happen.
The 5 Pillars of a Defensible DOT Program
1. Core Requirements: Build your program like an audit is scheduled
A “defensible” program is one where you can prove — quickly — that you did the right thing and that your system prevents drift.
At minimum, that means you can consistently produce:
- Coverage: who is safety-sensitive, when they entered/left coverage.
- Testing events: pre-employment, random, post-accident, reasonable suspicion/cause, RTD/follow-up.
- Service agent chain: collectors, labs, MRO, SAP.
- Secure recordkeeping and confidentiality controls
- Reporting artifacts: MIS, Clearinghouse records where applicable.
Implementing a compliance management system, like Nexus, gives you automated MIS reports, pool tracking, document tracking, dashboard reports, and API integrations with any internal or third-party platforms or testing tools & partners, so everything is integrated into one unified system.
2. Random Testing Management
Random testing is continuous, distributed, and highly scrutinized — which means it’s where manual programs fail quietly.
What “audit defensible” looks like
You should be able to show:
- Who was in the pool and when.
- How selections were generated - and show that they were objective and consistent.
- That the selections were spread throughout the year.
- The flow–Notification → collection → result → action–is fully documented.
2026 Quick Reference Random Testing Rates
DOT publishes a consolidated chart of minimum random testing rates by agency each year.
Notable 2026 items include:
- FAA rates remain 25% drug / 10% alcohol for covered aviation employees.
- FRA 2026 determination includes a change for mechanical employees (alcohol minimum reduced to 10%, drug remains 50%).
Your compliance management software, like Nexus, should provide Automated Random Pooling which removes manual bias risk and produces a cleaner audit trail (pool history, selection history, completion evidence).
4. Record Retention: Your “Audit Shield”
Audits aren’t about what you intended to do — they’re about what you can prove.
Part 40 defines retention categories and minimum durations (including common 1-year, 2-year, 3-year, and 5-year buckets).
With Nexus, you’ll get a secure document vault that replaces paper files and scattered drives with controlled access + structured retention logic + fast retrieval by employee, event, date range, and test type.
5. The TPA Partnership: Oversight without losing control
A TPA can reduce workload — but it doesn’t remove accountability. The most mature programs define:
- Role split (who does what)
- SLAs and escalation
- Documentation ownership
- Audit response workflow
Newly launched Nexus TPA services (as part of our fully unified platform) provides professional oversight while keeping you in the driver’s seat for visibility, audit readiness, and internal accountability.
Agency-by-Agency Compliance Requirements (FMCSA, FAA, FRA, FTA)
A quick “Reporting Reality” table (MIS)
MIS reporting uses the DOT MIS form and instructions tied to Part 40. March 15 is the key date across DOT agencies when annual reporting is required.
|
Agency |
Primary rule |
Is an annual MIS report required? |
Deadline |
|
FMCSA |
49 CFR Part 382 |
Required when requested (often requested in January) |
March 15 (if requested) |
|
FAA |
14 CFR Part 120 |
Required annually for covered entities |
March 15 |
|
FRA |
49 CFR Part 219 |
Required for railroads meeting threshold (and certain contractors) |
March 15 |
|
FTA |
49 CFR Part 655 |
Required when requested by FTA |
March 15 (when requested) |
FMCSA (Motor Carriers): Part 382 + Clearinghouse + tight operational triggers
FMCSA programs are operationally intense because they’re tied to real-world incidents (accidents, roadside events, citations) and involve Clearinghouse workflows.
What FMCSA gets audited hard
Post-accident testing decisions and documentation
FMCSA post-accident testing requirements depend on the type of accident, and whether the driver receives a citation in certain scenarios.
Supervisor training
Supervisors must receive 60 minutes alcohol misuse + 60 minutes controlled substances training to support reasonable suspicion determinations.
Record retention security
FMCSA requires records be maintained in a secure location with controlled access and includes a retention schedule.
MIS reporting when requested
FMCSA MIS reports are required when requested, and if notified during January, due by March 15.
Nexus for FMCSA: automated pool management + standardized accident workflows + Clearinghouse lifecycle visibility + +automated MIS report builder + secure retention that matches how audits are requested.
FAA (Aerospace): Part 120 adds structure + annual reporting discipline
FAA-regulated drug & alcohol programs emphasize formal program controls, annual reporting, and specific testing requirements for safety-sensitive aviation employees in commercial, private, or Department of Defense contractors.
Testing types you must be ready to execute (Part 120)
FAA includes required testing types such as pre-employment, random, reasonable cause, post-accident, return-to-duty, and follow-up within its Part 120 framework.
Post-accident time windows
FAA guidance emphasizes post-accident timing limits: Drug testing as soon as possible and not later than 32 hours; alcohol testing as soon as possible and not later than 8 hours.
Random rates for 2026
For 2026, FAA rates remain 25% drug / 10% alcohol for covered aviation employees.
Annual MIS reporting is not optional
FAA requires annual testing results reports, due March 15 of the succeeding year.
Nexus for FAA: the operational win is consistency — ensuring testing events, documentation, and annual reporting outputs live in one system, not across HR files + vendor portals.
FRA (Rail): Part 219 Sets It Apart
FRA is distinct because it includes FRA post-accident toxicological testing requirements and a formal annual reporting structure tied to thresholds.
Post-accident toxicological testing (Subpart C)
FRA’s post-accident toxicological program includes required testing for certain “qualifying events,” including fatalities and major accidents, with defined responsibilities for regulated employees.
Annual reporting to FRA (Subpart I)
Railroads meeting the defined employee-hour threshold must submit an annual report to FRA by March 15 summarizing program results.
Random testing rates (2026)
FRA’s 2026 determination maintains minimum random rates, with a notable mechanical employee alcohol minimum at 10% (drug at 50%).
Nexus for FRA: FRA compliance collapses without workflow control — especially post-accident criteria execution and documentation. Nexus provides a defensible record trail, not an “all-hands email thread.”
FTA (Transit): Part 655 is policy-driven & decision-documented
FTA programs are heavily anchored to:
- a formal employer policy statement
- documented decision-making (especially post-accident)
- secure records + correct reporting when requested
Policy requirements
FTA requires employers to adopt and maintain an anti-drug and alcohol misuse policy statement with specific contents.
Post-accident testing is not “always test”
FTA requires post-accident tests in defined scenarios, but also requires employers to make and document determinations in non-fatal accidents; including whether the employee’s performance can be completely discounted as a contributing factor.
MIS reporting when requested
FTA requires annual MIS summaries and submission when requested, due by March 15.
Nexus for FTA: Nexus supports “decision defensibility” — the ability to show the policy basis, the decision-maker logic, and the complete record trail without hunting across departments.
The Nexus Perspective: What Best-in-Class Looks Like in 2026
If you’re managing compliance across FMCSA, FAA, FRA, or FTA — the goal is not to “do paperwork.” It’s to create a program that is:
- Multi-agency by design, not by spreadsheet
- Objective and automated where risk is highest: random testing, pool changes, deadlines
- Built for fast proof: audit-ready records, secure storage, structured retention
- Supported by real oversight: TPA partnership that doesn’t hide the ball
That’s the gap Nexus is positioned to close: turning compliance from scattered admin into a controlled system.
