Thursday, September 9, 2021

Review - TSA Sends Detailed Info on Base ICR Changes to OMB – 9-8-21

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a 30-day information collection revision request from the Transportation Security Administration for their “Highway Baseline Assessment for Security Enhancement (BASE) Program” ICR. TSA published their 60-day ICR notice in June, and I filed comments upon that notice. The 30-day ICR notice was published two weeks ago.

Cybersecurity Questions

As expected, TSA has provided significantly more information to OIRA about the new cybersecurity questions that it will be covering in its revised BASE. They provided OIRA with copies of the spreadsheets that will be used to collect the responses to the new questions. The four new spreadsheets are:

• Highway Cybersecurity New Question Set

• Highway New Cybersecurity Annex

• MTPR Cybersecurity New Question Set

• MTPR New Cybersecurity Annex

NOTE: The links above are all download links of .xlsx files. MTPR – Mass Transit/Passenger Rail


In my comment submitted in response to the 60-day ICR notice I complained that the TSA did not provide adequate information about the changes to the collection to allow industry to comment on the proposed burden assessment. Their response was included in the Support Document submitted yesterday to OIRA. They explained that the information was now available. So, that information is now available, and the public has until September 27th, 2021 to submit their comments to OIRA; this is substantially less than the 30 days required by 44 USC 3507(b).

It is very disappointing to see that while the TSA is including additional details on cybersecurity in its BASE information collection, it is not making any effort to include the responses to those questions in its assessment. It seems to me that lacking that assessment, the TSA does not have any reason to collect the new information. OMB should disapprove this revision to the information collection as the new burden is not necessary.

I urge all highway transportation, mass transit, and passenger rail organizations to review the new data to provide feedback to OIRA about the adequacy of the burden assessment and the necessity of the data collection. The easiest way to submit a comment is to go to the ICR page and click on the ‘Comment’ button on that page.

For more details on new cybersecurity questions and their relationship to the BASE Assessment conducted by TSA, see my article at CFSN Detailed Analysis (subscription required).
