On Friday the DHS Transportation Security Administration
(TSA) published an advance notice of proposed rulemaking (ANPRM) in the Federal
Register (81 FR
91401-91416) concerning surface transportation vulnerability assessments
and security plans (VASP). This is another longstanding requirement from
Congress dating back to 2007. Those requirements are outlined in 6
USC 1162 (railroads, both freight and passenger) and 6
USC 1172 (over-the-road bus – OTRB – companies).
Congressional Mandate
The congressional mandate prescribed that TSA tier rank
railroads and OTRBs based upon risk of terrorist attack. Additionally, Congress
required that TSA establish regulations to prescribe that identified high-risk
railroads and OTRBs:
• Conduct a vulnerability assessment;
• Identify a security coordinator; and
• Prepare and submit security plans to TSA for approval.
These requirements were supposed to have been in place in
2008.
Cybersecurity Requirements
Interestingly, the congressional mandate specifically
identified two separate cybersecurity requirements in the vulnerability
assessment obligations. First was the specific inclusion of ‘information
systems’ in the list of potential critical assets and infrastructure to be
evaluated {§1162(d)(1)(A)
and §1172(d)(1)(A)}.
Second, in the list of areas in which companies were to be required to identify
weaknesses, Congress specifically included “the security of programmable
electronic devices (emphasis added), computers, or other automated systems”
{§1162(d)(1)(C)(iii) and §1172(d)(1)(C)(iii)}.
TSA Questions
TSA starts this ANPRM with the assumption that
“many higher-risk railroads (freight and passenger), public transportation
agencies, and over-the-road buses (OTRBs) have implemented security programs
with security measures similar to those identified by the 9/11 Act's regulatory
requirements.” With that in mind, TSA is looking for information on three
topics:
• Existing practices, standards, tools, or other resources used or available for conducting vulnerability assessments and developing security plans;
• Existing security measures, including whether implemented voluntarily or in response to other regulatory requirements, and the potential impact of additional requirements on operations; and
• The scope/cost of current security systems and other measures used to provide security and mitigate vulnerabilities.
Additionally, TSA has included in the ANPRM a list of
thirteen specific questions that it would like to see answered by surface
owner/operators that have conducted vulnerability assessments of security
systems/operations. Additionally, TSA provides lists of questions about:
Public Feedback
TSA is soliciting public feedback on this ANPRM. Written
comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov, Docket # TSA-2016-0002).
Comments should be submitted by February 14th, 2017.
Commentary
This is very early in the rulemaking process and this ANPRM
(as is usual) does not provide a lot of indication about how TSA currently
envisions the regulatory process. The only real insight provided is the list of entities
that TSA expects might be affected by this rulemaking. It should not be a
surprise that Class 1 railroads and any railroad transporting rail security-sensitive
materials (RSSM) in a high-threat urban area (HTUA) are specifically included.
Throughout the ANPRM, TSA makes the point that many of the
potentially regulated entities already have vulnerability assessments and
security plans in place. This is based upon a number of voluntary ‘inspections’
TSA surface inspectors have done over the years. In order to show a cost-effective
regulation, TSA is going to have to make every effort to allow existing
effective processes to be used to meet any regulatory requirements.
Interestingly though, TSA is careful to mention ‘many
existing’ not ‘most existing’ to describe current effective programs in this
ANPRM. This does not provide a great deal of confidence in the current security
situation almost ten years after these requirements were established by
Congress.