TSA seeks OMB extension on information collection concerning cybersecurity measures for surface modes

The Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) division announced its intent to request an extension from the OMB (Office of Management and Budget) on the current public collection of information concerning cybersecurity measures for surface modes. 

In a notice published in the Federal Register on Monday, the TSA invites public comment on one currently-approved Information Collection Request (ICR), bearing OMB control number 1652-0074, which the transport agency will submit to OMB for an extension in compliance with the Paperwork Reduction Act (PRA). 

“On October 26, 2022, OMB approved TSA’s request for an emergency approval of this collection to address the ongoing cybersecurity threat to surface transportation and associated infrastructure,” the Federal Register said. “TSA is now seeking to renew the collection, which expires on April 30, 2023, with incorporation of the subject of the emergency request. The ICR describes the nature of the information collection and its expected burden. The collection allows TSA to address the ongoing cybersecurity threat to surface transportation systems and associated infrastructure.”

The TSA has now called for comments by Jan. 13, next year. The transport agency has already sought an extension from the OMB over a current public information collection on its pipeline corporate security review (PCSR) program. The TSA is seeking to renew the collection, which expires on Jan. 31, with the incorporation of the subject of the emergency revision for the maximum three-year approval period.

In preparation for OMB review and approval of the information collection, TSA is soliciting comments to evaluate whether the proposed information requirement is necessary for the proper performance of the agency’s functions, including whether the information will have practical utility. The agency is also looking to evaluate the accuracy of its estimate of the burden; enhance the quality, utility, and clarity of the information to be collected; and minimize the burden of the collection of information on those who are to respond, including by using appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology.

Last month, the TSA released a security directive regulating designated passenger and freight railroad carriers to enhance cybersecurity resilience by focusing on performance-based measures. Effective from Oct. 24 this year, the security directive will further enhance cybersecurity preparedness and resilience for the nation’s railroad operations and build on the agency’s work to strengthen defenses in other transportation modes.

It also calls for a cybersecurity implementation plan to be submitted to TSA for approval; an annual audit plan for the cybersecurity assessment program that describes how the owner/operator will proactively and regularly assess the effectiveness of cybersecurity measures and identify and resolve device, network, and/or system vulnerabilities; and documentation as necessary to establish compliance, to be provided upon TSA request.

Within seven days of the effective date of the security directives, owners/operators must provide their designated cybersecurity coordinator information, while within 90 days of the effective date of the security directives, owners/operators must submit their cybersecurity implementation plan. Furthermore, within 120 days of the effective date of the security directives, owners/operators must complete the vulnerability assessment (TSA form), and within 180 days of the effective date of the security directives, owners/operators must adopt a cybersecurity incident response plan. 

Additionally, within seven days of completing the cybersecurity incident response plan requirement, owners/operators must submit a statement to TSA through email certifying that they have completed this requirement. Owners/operators can complete and submit the required information via email or other electronic options provided by TSA. Documentation of compliance must be provided upon request. As the measures in the information collection are voluntary, the information collection does not require owners/operators to report on their compliance.

Previous security directives that remain in effect call for designating a cybersecurity coordinator, who is available to the TSA 24/7, to coordinate cybersecurity practices and address any incidents that arise. They also call for reporting cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA), developing a cybersecurity incident response plan, and completing a cybersecurity vulnerability assessment to address cybersecurity gaps using the form provided by TSA.

The October security directive applies to 73 owners/operators, while earlier security directives apply to 457 railroad owners/operators, 115 public transportation agencies and rail transit system owners/operators, and 209 over-the-road bus owners/operators, for a total of 781 respondents. For this collection, TSA estimates the total annual respondents to be 854 and the total annual hour burden to be 134,023 hours.

Last November, OMB approved TSA’s request for emergency approval of this information collection to address the ongoing cybersecurity threat to surface transportation and associated infrastructure. On Apr. 7 this year, TSA submitted an extension request to OMB, which was approved on Oct. 25. Subsequently, on Oct. 26, the OMB approved TSA’s request for an additional emergency approval, revising this information collection. The collection covers both mandatory reporting and voluntary reporting of information. 

The OMB approval allowed for the additional institution of mandatory reporting requirements and the collection of information voluntarily submitted. TSA is now seeking renewal of the information collected for the maximum three-year approval period. The request for a revised collection was necessary as a result of actions TSA took to address the ongoing cybersecurity threats to the nation’s national and economic security posed by the threat to surface transportation and associated infrastructure. 

TSA, with federal partners such as CISA, will use the reports of cybersecurity incidents to evaluate and respond to imminent and evolving cybersecurity incidents and threats as they occur and as a basis for creating new cybersecurity policies moving forward. The monitoring will allow TSA and federal partners to take action to contain threats, take mitigating action, and issue timely warnings to similarly-situated entities against the further spread of the threat.

TSA and its federal partners will also use the information to inform timely modifications to cybersecurity requirements to improve transportation security and national economic security. TSA will use the collection of information to ensure compliance with TSA’s cybersecurity measures required by the security directives and the recommendations under the information collection.

Last week, CISA addressed the need to transform the vulnerability management landscape. It identifies that in the current risk environment, organizations of all sizes are challenged to manage the number and complexity of new vulnerabilities. Organizations with mature vulnerability management programs seek more efficient ways to triage and prioritize efforts, while smaller organizations struggle with understanding where to start and how to allocate limited resources. Fortunately, there is a path toward more efficient, automated, prioritized vulnerability management.
