Thursday, December 23, 2021

Review - TSA Publishes 60-day ICR Renewal Notice for Surface Cybersecurity

Today the TSA published a 60-day information collection request (ICR) notice in the Federal Register (86 FR 72988-72990) for “Cybersecurity Measures for Surface Modes” (1652-0074). This is the mandated follow-up ICR renewal for the emergency approval for the ICR provide by the OMB’s Office of Information and Regulatory Affairs (OIRA) on November 30th, 2021.

Cybersecurity Security Directives

This ICR supports two cybersecurity related Security Directives and an Information Circular issued by the TSA earlier this month:

SD-1580-21-01 – Enhancing Rail Cybersecurity, and

SD-1582-21-01 – Enhancing Public Transportation and Passenger Railroad Cybersecurity, and

Surface-IC-2021-01 – Enhancing Surface Transportation Cybersecurity

The IC is a set of voluntary recommendations made by the TSA for surface transportation organizations not covered by the two Security Directives.

Burden Estimate

The Notice provides a generic burden estimate of 781 respondents and a total of 96,163 burden hours. The support document submitted last month by the TSA to OIRA for the emergency ICR appoval included the burden estimates shown in the table below. Since the total numbers are the same, I would expect that they reflect the current burden estimate.





Designate a Cybersecurity Coordinator




Report cybersecurity incidents to CISA




Develop a cybersecurity incident response plan




Complete a cybersecurity vulnerability assessment








TSA will be providing a form for the completion of the vulnerability assessment. That form will be based upon the NIST Cybersecurity Framework. The Notice does not provide a link to the form. Normally, I would expect such a form to be included in the Notice docket on, but TSA is not using that service and does not provide a docket number for this notice to be used on that site. The TSA’s Surface Transportation Cybersecurity Toolkit web site does not include a copy of the vulnerability assessment form.

Public Comments

TSA is soliciting public comments on this ICR. Comments may be emailed to TSA ( Comments should be submitted by February 22nd, 2022.


Since this is essentially a new information collection, neither the TSA nor the affected parties have any direct history upon which to base an evaluation of the burden estimate provided by TSA. TSA has made their best guess of the burden. Unfortunately, without a copy of the form that TSA is requiring organizations to use for the vulnerability assessment, most organizations will some difficulty providing realistic feedback on the time necessary to complete the assessment.

For more details on the ICR notice provisions, see my article at CFSN Detailed Analysis - - subscription required.


No comments:

/* Use this with templates/template-twocol.html */