Today the Transportation Security Administration published a 60-day Information Collection Request (ICR) revision notice in the Federal Register (86 FR 30065-30066) for their “Baseline Assessment for Security Enhancement (BASE) Program” (1652-0062). The BASE program is used by TSA to assess the current security practices in the mass transit/passenger rail and highway and motor carrier industries.
BASE Revision
TSA is proposing to add a cyber annex to their BASE questionnaire. Completion of the cyber annex is reportedly going to be voluntary. TSA estimates that the cyber annex will take about six hours to complete. The only information about the questionnaire that TSA is supplying in this notice is the following more than vague statement:
“As a result, TSA is revising the collection to include all five core functions of the National Institute of Standards and Technology cybersecurity framework. All core functions and a majority of the subcategories are amalgamated with industry best practices in the newly developed cybersecurity questions and cyber annex, strengthening the cybersecurity health for the transportation sector.”
Burden Estimate
TSA provides the burden estimate information (‘current estimate’ data taken from OMB web site, .DOCX download link) in the table below. The ‘MT/PR BASE’ refers to the mass transit/passenger railroad information collection. The ‘HWY BASE’ refers to the truck-freight information collection.
| ICR Burden Estimate | Revised Estimate | Current Estimate | Change |
|---|---|---|---|
| MT/PR BASE (responses) | 75 | 75 | 0 |
| MT/PR BASE (hrs) | 1196 | 825 | +371 |
| MT/PR BASE ($) | No Data | $65,736 | N/A |
| HWY BASE (responses) | 107 | 90 | +17 |
| HWY BASE (hrs) | 512 | 450 | +62 |
| HWY BASE ($) | No Data | $34,956 | N/A |
Public Comments
TSA is soliciting public comments on this ICR revision notice. As is usual for TSA, they are not using the Federal eRulemaking Portal for these submissions, apparently in an effort to control who gets to see the public feedback. Instead, comments can be submitted via email to TSAPRA@tsa.dhs.gov. Comments should be submitted to TSA by August 3rd, 2021.
Commentary
The TSA is still looking to do a voluntary cyber questionnaire, even after the fiasco of their voluntary cyber program in the TSA pipeline security program was exposed by the Colonial Pipeline Hack. Someone at DHS needs to have a firm talking to the leadership at TSA, or maybe it should be the President’s cybersecurity advisor that needs to explain the political facts of life to the TSA Surface management team. This data collection is not making anyone take any cybersecurity action (that is a completely different ball game), but, if TSA is going to at least have an understanding of the current cybersecurity state of affairs, completing the cyber annex is going to have to be at least as mandatory as completing the BASE assessment (and unfortunately, that is still largely voluntary).
For a more detailed analysis on this ICR revision notice, which would also be the comment that I am submitting to TSA about this Notice, see my article at CFSN Detailed Analysis – https://patrickcoyle.substack.com/p/tsa-publishes-baseline-assessment