TSA extends information collection activity covering cybersecurity measures for surface modes

The Transportation Security Administration (TSA), a division of the U.S. Department of Homeland Security (DHS), published a 30-day notice in the Federal Register announcing that the agency has forwarded the Information Collection Request (ICR), Office of Management and Budget (OMB) control number 1652-0074, to the OMB for an extension of the currently approved collection under the Paperwork Reduction Act (PRA). The ICR, now under OMB review, covers cybersecurity measures for surface modes and describes the nature of the information collection and its expected burden.

“Specifically, the collection involves the submission of data concerning the designation of a Cybersecurity Coordinator; the reporting of cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency; the development of a cybersecurity contingency/recovery plan to address cybersecurity gaps; and the completion of a cybersecurity assessment,” the Federal Register notice issued last week identified.

Interested parties must now send in their comments by Apr. 10, 2023. In preparation for OMB review and approval of the information collection, TSA is soliciting comments to evaluate whether the proposed information requirement is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility; and evaluate the accuracy of the agency’s estimate of the burden. 

The information collection review will also look into enhancing the quality, utility, and clarity of the information to be collected; and minimizing the burden of the collection of information on those who are to respond, including using appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology.

TSA may take immediate action to impose measures to protect transportation security without providing notice or an opportunity for comment. In December 2021, the TSA issued the Security Directive (SD) 1580-21-01 series, which remains in effect as revised, mandating TSA-specified owners/operators of ‘higher risk’ railroads and rail transit systems, respectively, to implement an array of cybersecurity measures to prevent disruption and degradation to their infrastructure; these security directives became effective December 31, 2021. 

Additionally, last October, the TSA issued the SD 1580/1582-2022-01 series, ‘Rail Cybersecurity Mitigation Actions and Testing,’ which applies to owners/operators of the ‘Higher Risk’ freight railroads and additional TSA-designated freight and passenger railroads. This security directive, which is complementary to the requirements in the previous directives, took effect on Oct. 24, last year. On Oct. 26, OMB approved TSA’s request for emergency approval, revising this information collection. 

The collection covers both mandatory reporting under the security directives and collection of information voluntarily submitted under Information Circular (IC) 2021-01, ‘Enhancing Surface Transportation Cybersecurity,’ which recommended voluntary implementation of actions and reporting by owner/operators not covered by the security directives, the Federal Register notice identified. The OMB approval allowed for the additional institution of mandatory reporting requirements and the collection of information voluntarily submitted. The TSA is now seeking renewal of this information collection for the maximum three-year approval period.

The requirements in the security directives and the recommendations in the information collection allow the TSA to execute its security responsibilities within the surface transportation industry through awareness of potential security incidents and suspicious activities. TSA will use the information collected to ensure compliance with the agency’s cybersecurity measures required by the security directives and the recommendations under the information collection.

Additionally, owners/operators can complete and submit the required information via email or other electronic options provided by TSA. Documentation of compliance must be provided upon request. As the measures in the information collection are voluntary, the information collection does not require owners/operators to report on their compliance.

The TSA had in November announced its intent to request an extension from the OMB on the current public collection of information concerning cybersecurity measures for surface modes. At the time, the Federal Register notice identified that the OMB had approved TSA’s request for emergency approval of this collection to address the ongoing cybersecurity threat to surface transportation and associated infrastructure. 

It added that the TSA is now seeking to renew the collection, which expires on April 30, 2023, with the incorporation of the subject of the emergency request. The ICR describes the nature of the information collection and its expected burden. The collection allows TSA to address the ongoing cybersecurity threat to surface transportation systems and associated infrastructure.

Then, in January, the TSA called for public comment on a currently approved ICR, OMB covering security training for surface transportation employees. The TSA’s new rule has decreased the number of individuals subject to regulation, alleviating the load on asset owners and operators.

In a 60-day extension notice, the TSA seeks comments by Mar. 13 to evaluate whether the proposed information requirement is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility. The comments are also meant to evaluate the accuracy of the agency’s estimate of the burden; enhance the quality, utility, and clarity of the information to be collected; and minimize the burden of the collection of information on those who are to respond, including using appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology.

Just last week, the TSA issued a cybersecurity amendment on an emergency basis to the security programs of certain TSA-regulated airport and aircraft operators, following similar measures announced last October for passenger and freight railroad carriers. The agency calls for developing network segmentation policies and controls to ensure that operational technology (OT) systems can continue to safely operate if an IT system has been compromised, and vice versa.
