Friday, April 8, 2022

Review - OMB Receives TSA 30-day ICR for Surface Transportation Cybersecurity

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received the 30-day ICR renewal notice from the TSA for “Cybersecurity Measures for Surface Modes” that the TSA announced yesterday in the Federal Register. The data provided to OIRA should have included more of the information that a commentor would have needed to provide the public feedback on this ICR that was requested in both the 60-day and 30-day ICR notices.

Security Assessment Checklist

According to the Supporting Document (pg 2), a key component of this Information Collection is the completion of “a cybersecurity vulnerability assessment to address cybersecurity gaps using the form provided by TSA [emphasis added].” TSA has not included that form in the data submitted to OIRA. The TSA describes this requirement (Table, pg3) as an assessment of their “current cybersecurity posture consistent with the functions and categories found in the National Institute of Standards and Technology Cybersecurity Guidance Framework”, it is hard to imagine that this blank form could be sensitive enough that it cannot be made available to the public. Completed forms should certainly be considered Sensitive Security Information, but since the TSA is not, at this point at least, specifying security measures that need to be taken, the blank forms should be part of the public record of this ICR.

Comments Solicited

In accordance with regulatory requirements, the TSA is soliciting public comments on this ICR. Comments should be submitted to OIRA via their website by clicking on the ‘Comments’ button on the page for this ICR. Comments should be submitted by May 9th, 2022.

I will be submitting the ‘Security Assessment Checklist’ section above as a comment on this ICR.

For more details about the information submitted to OIRA on this ICR, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/omb-receives-tsa-30-day-icr-for-surface - subscription required.

No comments:

 
/* Use this with templates/template-twocol.html */