Analysis
Attacks and Vulnerabilities
Critical infrastructure
News
Threat Landscape
Transportation

Following information collection approval, TSA seeks input on security training for surface transportation employees

January 11, 2023
Following information collection approval, TSA seeks input on security training for surface transportation employees

The U.S. Department of Homeland Security (DHS) announced that its Transportation Security Administration (TSA) division invites public comment on a currently approved Information Collection Request (ICR), Office of Management and Budget (OMB), covering security training for surface transportation employees. Due to the TSA’s new rule, a decrease in the number of individuals subject to regulation has occurred, thus alleviating the load from asset owners and operators.

In a 60-day extension notice, the TSA seeks comments by Mar. 13 to evaluate whether the proposed information requirement is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility. It also evaluates the accuracy of the agency’s estimate of the burden; enhances the quality, utility, and clarity of the information to be collected; and minimizes the burden of the collection of information on those who are to respond, including using appropriately automated, electronic, mechanical, or other technological collection techniques or other forms of information technology.

The ICR explains the type of data being gathered and its anticipated workload. The collection involves information to validate compliance with the regulatory requirements, including security training programs, security training records, security coordinator information, and reporting significant security concerns information.

The TSA published in March 2020 the Security Training for Surface Transportation Employees Final Rule (Rule) calling upon owners/operators of higher-risk freight railroad carriers, public transportation agencies (including rail mass transit and bus systems), passenger railroad carriers, and over-the-road bus companies to provide TSA-approved security training to employees who perform security-sensitive functions. In addition, TSA expanded its requirements for security coordinators and the reporting of significant security concerns, including bus operations, within the scope of the regulation. 

As part of the security training program, the TSA ICR mandates each owner/operator to have a security training program and must submit the program to TSA for approval to ensure that the program meets the required program elements. “TSA then reviews the submitted-program, including curriculum, schedule for training, and employees to be trained, to verify that the training program satisfies the regulatory requirements. The curriculum must include training on how to observe, assess and respond to terrorist-related threats and/or incidents. The schedule must address both initial and recurrent training,” the notice added. 

The scope of the training must include all security-sensitive employees as applicable to the specific modal requirements. If TSA determines the program submitted meets the regulatory requirements, the owner/operator does not need to submit additional programs to TSA unless or until amendments or updates are required. If modifications are required, the owner/operator must re-submit their training program for TSA review and, as necessary, further modifications, until TSA approval is obtained.

In the case of the security training records, each owner/operator is required to maintain security training records for each employee trained for no less than five years from the date of the training. This record retention schedule is necessary to validate compliance with the requirement to provide triennial training.

Regarding security coordinator information, the TSA said that each owner/operator is required to designate and provide to TSA the contact information of a primary and at least one alternate Security Coordinator. This requirement is an expansion of previously imposed requirements applicable to rail operations.

In the matter of reporting significant security concerns information, the transport agency said that each owner/operator is required to report potential threats and significant security concerns to TSA within 24 hours of initial discovery. This requirement is an expansion of previously imposed requirements applicable to rail operations. 

The TSA said that since the rule was issued, changes in the industry have resulted in a reduction in the number of regulated persons. “As a result, TSA is reducing the estimated number of respondents to the information collection from 289 to approximately 218 respondents, with an annual burden estimate of 4,623 hours (13,869 over three years),” it added.

Last month, the TSA revised an ICR that calls for review and approval of a revision of the currently approved collection under the Paperwork Reduction Act (PRA), relating to corporate security reviews and security directives applicable to pipeline owners and operators.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Through the Lens of a Case Study: What It Takes to Be a Cyber-Physical Risk Analyst
Through the Lens of a Case Study: What It Takes to Be a Cyber-Physical Risk Analyst
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights