Showing posts with label Surface Cybersecurity. Show all posts

Thursday, April 16, 2026

Review - TSA Publishes Surface Cybersecurity 60-day ICR Revision Notice

 Today the Transportation Security Administration published a 60-day information collection request (ICR) revision notice in the Federal Register (91 FR 20475-20477) for their “Cybersecurity Measures for Surface Modes” ICR. The revision deals with the new reporting requirements for the appointment of a primary or alternate Cybersecurity Coordinator who is not a US citizen. 

The table below shows the proposed and existing burden estimates for this ICR. Today’s notice does not report the number of annual responses expected for the revised ICR. 

Public Comments  

TSA is soliciting public comments on this ICR revision. Comments may be emailed to TSAPRA@tsa.dhs.gov. Comments should be sent by June 15th, 2026.

For more information on this ICR, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/tsa-publishes-surface-cybersecurity - subscription required. 

Friday, November 15, 2024

Review - TSA Published Surface Cybersecurity NPRM

Last week, the Transportation Security Administration (TSA) published a notice of proposed rulemaking (NPRM) in the Federal Register (89 FR 88488-88592) on “Enhancing Surface Cyber Risk Management”. The advanced notice of proposed rulemaking for this rule was published on November 30th, 2022. The proposed rulemaking would require owner/operators of designated freight railroads, passenger railroads, rail transit, and pipeline facilities and/or systems to have a CRM program approved by TSA.

Overview

In general, the new rule would require designated owner/operators:

To have a Cyber Risk Management (CRM) program approved by TSA,

To develop a Cybersecurity Operational Implementation Plan (COIP), and

To have a Cybersecurity Assessment Plan (CAP) that includes a schedule for assessments, an annual report of assessment results, and identification of unaddressed vulnerabilities.

Additionally, TSA is proposing the following administrative changes to existing regulations:

To reorganize requirements in subchapter D of 49 CFR chapter XII related to security coordinators, reporting significant security concerns, and security training of security-sensitive employees,

To distinguish between requirements focused on physical security and those focused on cybersecurity, and

To incorporate into subchapter D a new section related to issuance of SDs and Information Circulars (ICs), mirroring language currently applicable in the aviation industry.

Public Comments

The TSA is soliciting public comments on this proposed rule. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # TSA-2022-0001). Comments should be submitted by February 5th, 2025.

 

For more information on the provisions of this proposed rule, including links to proposed regulatory language, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/tsa-published-surface-cybersecurity - subscription required.

Thursday, August 31, 2023

Review - OMB Approves TSA Surface Transportation Cybersecurity ICR – 8-29-23

On Tuesday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the three-year extension of the TSA’s information collection request for “Cybersecurity Measures for Surface Modes”. This ICR extension was mandated when OIRA approved an emergency revision to the ICR to support the latest version of TSA’s security directives for certain surface transportation organizations. This ICR extension was submitted to OIRA on March 10th, 2023.

Commentary

As I have noted on a number of occasions, the TSA does a poor job of providing detailed information in their ICR notices. The whole point of the ICR program is to keep the regulated public involved in the process of approving the collection of information. Public comments provide the necessary feedback for agencies to understand the impacts their regulatory actions have beyond achieving their regulatory goals. It does not seem to me that TSA understands this purpose and, unfortunately, OIRA does a poor job of ensuring that agencies fulfill the spirit of the ICR process.

 

For more information on this ICR, including burden estimate details and additional commentary on TSA’s ICR performance, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/omb-approves-tsa-surface-transportation - subscription required.

Saturday, March 11, 2023

OMB Receives TSA Surface Cybersecurity ICR Renewal Request 3-10-23

The OMB’s Office of Information and Regulatory Affairs (OIRA) announced today that it had received the renewal request for the TSA’s ‘Cybersecurity Measures for Surface Modes’ information collection request. TSA published the 30-day ICR renewal notice for this action on Wednesday. The submission to OIRA clears up the confusion (subscription no longer required) in the numbers published in Wednesday’s notice; TSA is not changing any of the burden estimate numbers from those included in October’s emergency revision request for the TSA’s latest security directive. There was no explanation for the misleading and incorrect burden estimate numbers published this week.

As I noted Thursday, today’s action by OIRA provides a clear and simple method for filing comments on this ICR renewal request. Near the top of the page of today’s notice is a teal colored box ‘COMMENT’. Simply click on this box and complete the form provided.

Friday, November 11, 2022

TSA Publishes Surface Transportation Security 60-Day ICR Revision Notice – 11-10-22

Today, the Transportation Security Administration published a 60-day information collection request extension notice in the Federal Register (87 FR 68185-68186) for Cybersecurity Measures for Surface Modes. This notice is a follow-up to the recent emergency approval of a revision to that ICR supporting the new Security Directive (SD1580/82-2022) for surface transportation cybersecurity.

The ICR notice lists the information collection requirements of the new SD and confirms the continuation of the existing collection requirements of the earlier security directives. The overall burden estimate is provided, but TSA does not break down that information to the individual collection requirements. That data will probably not be available until TSA submits this ICR to the OMB’s Office of Information and Regulatory Affairs (OIRA).

The table below shows a comparison of the ICR burden data provided in the Emergency ICR revision notice and today’s 60-day ICR notice. The difference in the ‘Response’ numbers appears to be because the TSA is reporting different response numbers: total responses in the first case and number of responding agencies in the second.

Burden Estimate    Emergency ICR    This Request
Response           2,562            854
Hours              134,023          134,023

The TSA is soliciting public comments on the ICR notice. Comments may be emailed to TSAPRA@tsa.dhs.gov. Comments should be received by January 13th, 2022.

NOTE: Corrected date in title (changing '-12' to '-22'), 0757 EST 3-9-23.

Tuesday, November 8, 2022

OMB Approves TSA Surface Cybersecurity ANPRM

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an advanced notice of proposed rulemaking (ANPRM) for “Enhancing Surface Cyber Risk Management”. The proposed rulemaking was submitted to OIRA on October 4th, 2022. The rulemaking will “codify critical cybersecurity requirements for pipeline and certain other surface modes.”

The Spring 2022 Unified Agenda entry for this rulemaking notes that the TSA expects to issue a notice of proposed rulemaking in May of 2023. This ANPRM would be an information collection effort. That seems a bit odd since TSA has been working with pipeline and railroad organizations in the implementation of the various TSA cybersecurity security directives. I suspect that the ANPRM will be looking at expanding the universe of facilities that would be covered by the proposed rules.

Thursday, October 27, 2022

Review - OMB Approves Emergency Revision of TSA Surface Cybersecurity ICR

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an emergency revision for the Transportation Security Agency’s information collection request (ICR) for “Cybersecurity Measures for Surface Modes”. The update for that ICR was just approved by OIRA the day before yesterday. The emergency approval document shows an increased burden estimate and the addition of three new information collections in the ICR. This emergency ICR approval is in support of TSA’s updated “Enhancing Rail Cybersecurity” security directive (SD 1580-2021-01A).

OIRA provides these emergency approvals for only six months. TSA will be required to go through the 60-day and 30-day notification process to formalize these changes. Only then will we (and OIRA) be able to determine the true scope of the changes involved.

 

For more details about the ICR revision, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/omb-approves-emergency-revision-of - subscription required.


Wednesday, October 26, 2022

Review - OMB Approves TSA Surface Cybersecurity ICR – 10-26-22

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an extension without change for an information collection request in support of the TSA’s “Cybersecurity Measures for Surface Modes” program. This is the required six-month update for the emergency approval of a new ICR for this program. There is no change from the original burden estimate, but the TSA provides additional details about the information being collected, the collection process, and the basis for the burden estimate.

Interestingly, the TSA does not include the cybersecurity-incident reporting mandated by the Security Directive in this ICR. Instead, since they are using the CISA cybersecurity-incident reporting mechanism, they would have that reporting included in the CISA ICR (1670-0037) which was last updated in October of last year. They do estimate (pg 12) that the burden for that reporting requirement will be 96,163 hours in the first year and 50 hours in each subsequent year. It will be interesting to see if CISA modifies their burden estimate to include this new requirement when they next update that ICR.

For more details about the information that TSA provided to OIRA to support this ICR update, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/omb-approves-tsa-surface-cybersecurity - subscription required.


Thursday, April 7, 2022

TSA Publishes 30-day ICR for Surface Transportation Cybersecurity

Today, the TSA published a 30-day information collection extension notice in the Federal Register (87 FR 20453-20454) for “Cybersecurity Measures for Surface Modes”. This is the mandated follow-up ICR renewal for the emergency approval for the ICR provided by the OMB’s Office of Information and Regulatory Affairs (OIRA) on November 30th, 2021. The 60-day ICR notice was published on December 23rd, 2022.

The TSA still has not yet made available a copy of the cybersecurity checklist and the vulnerability assessment that are an integral part of the two Security Directives (SD-1580-21-01 and SD-1582-21-01) and Information Circular (Surface-IC-2021-01) that this ICR supports. That is not unexpected. TSA will submit a copy of those checklist(s) to OMB for review as part of this 30-day ICR. One would normally expect to see that happen today (I would see it tomorrow), but the TSA is notoriously slow at making these filings. Once that filing is published, I will have more information about this ICR Notice.

 