Review – TSA Publishes Surface Transportation Security ICR Notice

On Monday TSA will publish (available online yesterday) a 60-day information collection request (ICR) revision notice in the Federal Register (90 FR 16697-16698). The TSA is intending to combine two existing ICRs into a single document to support their surface transportation security program. The combined ICR would be reported under RIN# 1652-0051. The two existing ICRs are:

1652-0051 - Rail Transportation Security, and

1652-0066 - Security Training Program for Surface Transportation Employees

The table below shows the current burden estimates for the two ICRs as well as the combined burden being reported in Monday’s ICR Notice. There is one ‘apples and oranges’ problem with this data, the ICR notice reports the number of ‘respondents’ not the number of responses.

TSA has not explained the drastic decrease in burden estimate for the combined ICR.

Public Comments

TSA is soliciting public comments on the accuracy of the data presented in this ICR notice. Comments may be submitted via email (TSAPRA@dhs.gov). Comments should be submitted by June 20^th, 2025.

Commentary

The TSA has a long history of providing inadequate information to support changes to the burden estimates in their ICR notices. This makes it difficult for the affected public to provide meaningful comments on “the accuracy of the agency’s estimate of the burden of the proposed collection of information” being proposed by the TSA as required by 44 USC 3506(c)(2)(A)(ii). Unfortunately, OIRA only apparently cares about the supporting information provided to them after the 30-day ICR notice is published as OIRA has never taken TSA to task for their inadequate information sharing.

 

For more information on this ICR notice, including a look at why the burden estimate is almost certainly too low, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/tsa-publishes-surface-transportation-e9b - subscription required.

Review - TSA Publishes Surface Transportation Employee Vetting NPRM

Today, the Transportation Security Administration (TSA) published a notice of proposed rulemaking (NPRM) in the Federal Register (88 FR 33472-33522) for “Vetting of Certain Surface Transportation Employees”. The proposed regulations would implement provisions of the Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Act) that require security vetting of certain public transportation, railroad, and over-the-road-bus (OTRB) employees. A vetting fee schedule is included in the proposal.

Public Comments

The TSA is soliciting public comments on the proposed rule. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov: Docket # TSA-2023-0001). Comments should be submitted by August 21^st, 2023.

Commentary

Interestingly, the TSA did not appear to consider the option of using the current Transportation Workers Identification Credential as the mode for carrying out the vetting requirement for frontline employees, as was suggested in the Congressional mandate. I am sure that this will be mentioned in industry comments.

 

For more details about the provisions of this rulemaking, including a lengthier commentary, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/tsa-publishes-surface-transportation-aa8 - subscription required.

TSA Announces STSAC Meeting – 11-17-22

The Transportation Security Administration published a meeting notice in Monday’s (available online today) Federal Register (87 FR 64243-64244) for in-person meeting (with virtual participation) of the Surface Transportation Security Advisory Committee (STSAC) on November 17^th, 2022 in Springfield, VA.

The agenda includes committee and subcommittee briefings on FY 2023 activities, including:

Cybersecurity Information Sharing,

Emergency Management and Resiliency,

Insider Threat, and

Security Risk and Intelligence

The public may participate via a WebEx link. Participation (including the presentation of oral or written comments) registration should be done by contacting STSAC@tsa.dhs.gov by November 14, 2022.  

GAO Reports – TSA Surface Transportation Security Training

This week the Government Accounting Office published a report on “Surface Transportation: TSA Implementation of Security Training Requirement”. This report is a look at the training mandate rule for selected surface transportation organizations that was published by TSA in 2020. The compliance date for that rule was extended a couple of times because of the impact of the COVID-19 pandemic.

According to the report the TSA has identified 127 organizations subject to the training requirements of the new regulations. The ‘Highlights’ document accompanying the report notes that:

“As of December 2021, TSA had reviewed each of the 121 submitted training programs and had approved about three-fourths (88 of 121). TSA reported that it returned 84 percent of the submitted programs to owner/operators at least once for revision. The primary reason for TSA-requested revisions was that programs did not cover all the required training topics.”

This report also includes a list of public transportation and passenger railroads that are subject to the training requirements of the rule and a list of urban areas where over-the-road bus companies would be subject to those requirements.

Review - OMB Receives TSA 30-day ICR for Surface Transportation Cybersecurity

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received the 30-day ICR renewal notice from the TSA for “Cybersecurity Measures for Surface Modes” that the TSA announced yesterday in the Federal Register. The data provided to OIRA should have included more of the information that a commentor would have needed to provide the public feedback on this ICR that was requested in both the 60-day and 30-day ICR notices.

Security Assessment Checklist

According to the Supporting Document (pg 2), a key component of this Information Collection is the completion of “a cybersecurity vulnerability assessment to address cybersecurity gaps using the form provided by TSA [emphasis added].” TSA has not included that form in the data submitted to OIRA. The TSA describes this requirement (Table, pg3) as an assessment of their “current cybersecurity posture consistent with the functions and categories found in the National Institute of Standards and Technology Cybersecurity Guidance Framework”, it is hard to imagine that this blank form could be sensitive enough that it cannot be made available to the public. Completed forms should certainly be considered Sensitive Security Information, but since the TSA is not, at this point at least, specifying security measures that need to be taken, the blank forms should be part of the public record of this ICR.

Comments Solicited

In accordance with regulatory requirements, the TSA is soliciting public comments on this ICR. Comments should be submitted to OIRA via their website by clicking on the ‘Comments’ button on the page for this ICR. Comments should be submitted by May 9^th, 2022.

I will be submitting the ‘Security Assessment Checklist’ section above as a comment on this ICR.

For more details about the information submitted to OIRA on this ICR, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/omb-receives-tsa-30-day-icr-for-surface - subscription required.

TSA Sends Surface Transportation Vetting NPRM to OMB

Yesterday the TSA sent a notice of proposed rulemaking (NPRM) to the OMB’s Office of Information and Regulatory Affairs (OIRA) for “Vetting of Certain Surface Transportation Employees”. This security vetting was required by sections 1411, 1414, 1512, and 1531 of the Implementing Recommendations of the 9/11 Commission Act of 2007. The deadline for implementing these requirements was August 3^rd, 2008.

Review - TSA Publishes 60-day ICR Renewal Notice for Surface Cybersecurity

Today the TSA published a 60-day information collection request (ICR) notice in the Federal Register (86 FR 72988-72990) for “Cybersecurity Measures for Surface Modes” (1652-0074). This is the mandated follow-up ICR renewal for the emergency approval for the ICR provide by the OMB’s Office of Information and Regulatory Affairs (OIRA) on November 30^th, 2021.

Cybersecurity Security Directives

This ICR supports two cybersecurity related Security Directives and an Information Circular issued by the TSA earlier this month:

SD-1580-21-01 – Enhancing Rail Cybersecurity, and

SD-1582-21-01 – Enhancing Public Transportation and Passenger Railroad Cybersecurity, and

Surface-IC-2021-01 – Enhancing Surface Transportation Cybersecurity

The IC is a set of voluntary recommendations made by the TSA for surface transportation organizations not covered by the two Security Directives.

Burden Estimate

The Notice provides a generic burden estimate of 781 respondents and a total of 96,163 burden hours. The support document submitted last month by the TSA to OIRA for the emergency ICR appoval included the burden estimates shown in the table below. Since the total numbers are the same, I would expect that they reflect the current burden estimate.

	Responses	Hours	Burden
Designate a Cybersecurity Coordinator	831	1	831
Report cybersecurity incidents to CISA	50	1	50
Develop a cybersecurity incident response plan	781	80	62,480
Complete a cybersecurity vulnerability assessment	781	42	32,802
Total	2,443		96,163

TSA will be providing a form for the completion of the vulnerability assessment. That form will be based upon the NIST Cybersecurity Framework. The Notice does not provide a link to the form. Normally, I would expect such a form to be included in the Notice docket on www.Regulations.gov, but TSA is not using that service and does not provide a docket number for this notice to be used on that site. The TSA’s Surface Transportation Cybersecurity Toolkit web site does not include a copy of the vulnerability assessment form.

Public Comments

TSA is soliciting public comments on this ICR. Comments may be emailed to TSA (TSAPRA@tsa.dhs.gov). Comments should be submitted by February 22^nd, 2022.

Commentary

Since this is essentially a new information collection, neither the TSA nor the affected parties have any direct history upon which to base an evaluation of the burden estimate provided by TSA. TSA has made their best guess of the burden. Unfortunately, without a copy of the form that TSA is requiring organizations to use for the vulnerability assessment, most organizations will some difficulty providing realistic feedback on the time necessary to complete the assessment.

For more details on the ICR notice provisions, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/tsa-publishes-60-day-icr-renewal - subscription required.

 

TSA Amends Surface Security Training Compliance Dates

The TSA published a notice in Monday’s Federal Register (available online today; 85 FR 67681-67683) announcing the extension of compliance deadlines for the “Security Training for Surface Transportation Employees” final rule. This notice further extends one of the compliance deadlines that was revised in May. Both sets of extensions were established because of complications in the transportation sector due to the COVID-19 pandemic.

In this latest extension the TSA keeps the effective date of the regulation at the extended date of September 21^st, 2020. The deadline for notifying TSA of applicability determination (1570.105) remains October 21st, 2020. The deadline for providing security coordinator information (49 CFR 1570.201) remains October 28th, 2020. The notice states that the deadline for §1570.203 (security incident reporting requirement) compliance has not been changed. There was no specific date set in the regulation for that requirement, so the effective date for that requirement is the effective date of the regulation; 9-21-20.

The only change then is the deadline for submission of security training program to TSA for approval {§1570.109(b)}; it is being changed from December 21st, 2020 to March 22^nd, 2021.

TSA is making this change in the regulation without going through the publish and comment process under provisions of 5 USC 553 (b) and (d). They note that:

“TSA has good cause to delay the compliance deadline for submission of security training programs without advance notice and comment or a delayed effective date. To delay taking this action while waiting for public comment would be impracticable and contrary to the public interest. The owner/operators subject to the requirements of the final rule need immediate certainty regarding the deadlines of the final rule so that they may focus on other urgent issues affecting their operations.”

OMB Approves TSA Surface Security Employee Training Final Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the final rule from the Transportation Security Administration (TSA) on “Security Training for Surface Transportation Employees”. This final rule was submitted to OIRA back in July. The NPRM was published in December 2016. I did a series of blog posts on the provisions of the NPRM.

This rulemaking was mandated by Congress in the Recommendations of the 9/11 Commission Act of 2007 (PL 110-53) and codified at (6 USC 1137; 6 USC 1167; and 6 USC 1184). That mandate required that these rulemakings be completed by 2008. Needless to say this provides an interesting lesson in the efficacy of congressional mandates.

There was some thought in the industry when the NPRM was published that the Trump Administration would quash this rulemaking or at least fail to act on it. It will be interesting to see what changes have been made by an administration that is reluctant to regulate at best. This could be another rulemaking that makes it into the court system if this final rule deviates too far from the Congressional mandate.

OMB Approves ICR for Surface Transportation Security Survey

Last Friday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an information collection request (ICR) for a Surface Transportation Stakeholder Survey to be conducted by the TSA. The survey was mandated by Congress in §1983 of the FAA Reauthorization Act of 2018 (HR 302 from the 115^th Congress, it was signed as PL115-254, but that law has not yet been published).

Stakeholder Survey

Congress required the TSA to conduct a survey of surface transportation security stakeholder “regarding resource challenges, including the availability of Federal funding, associated with securing such assets that provides an opportunity for respondents to set forth information on specific unmet needs” {§1983(a)}. TSA reports [.DOCX download link] that it will be offering the survey to 3,200 organization “with whom TSA has established working relationships” (pg 1). It only expects that about 20% of those organizations to respond during the 21-days that TSA will have the survey available on their web site. This accounts for the 641 surveys expected to be collected under this ICR.

OIRA published [.DOCX download link]  a copy of the questions that will be asked on the TSA’s Survey Monkey operated web site for the survey (the URL is not available in the ICR documents). The questions are a relatively broad look at the application of federal grant programs to support surface transportation security efforts. The last two questions directly address the congressional mandate to provide “an opportunity for respondents to set forth information on specific unmet needs.”

TSA is not going to meet the 120-day deadline for conducting the survey that was established in HR 302. Given the requirement to get OMB approval to conduct the information collection, that deadline was never reasonably set. It took TSA almost that long to put the information together necessary to publish the 60-day ICR notice in March of this year. The 30-day ICR notice quickly followed the close of the comment period on the first ICR notice and it only took OIRA a little more than 2-months to approve the ICR, a remarkably short time for ORIA approval.

TSA will probably not provide a notice in the Federal Register concerning the publication of the survey on a TSA web site. The congressional mandate was to collect information from “stakeholders responsible for securing surface transportation assets”, not the public, community organizations or emergency response personnel. Thus, TSA will directly contact organizations with whom it has established relationships as well as surface transportation trade associations to announce the start of the survey period and the location of the survey web site.

Commentary

I am concerned that there is no mention of cybersecurity in the survey; not even a hint that TSA was including cybersecurity challenges in the surface transportation efforts being surveyed. This is not entirely TSA’s fault, the congressional mandate for this survey did not include any mention of cybersecurity either. Hopefully, the stakeholders being surveyed will be able to read between the lines and will specifically include mention of the concerns that they have about cybersecurity efforts in protecting surface transportation assets from outsider (and insider) attacks.

HR 3318 Introduced – TSA Threat Analysis

Last month Rep. Joyce (R,PA) introduced HR 3318, the Emerging Transportation Security Threats Act of 2019. The bill would require the Transportation Security Administration (TSA) to “establish a task force to conduct an analysis of emerging and potential future threats to transportation security” {§2(a)}. No specific funding for the task force is authorized in the bill.

Emerging and Future Threats

The Task Force analysis would include emerging and potential future threats posed by the following {§2(b)}:

• Evolving tactics by terrorist organizations that may pose a catastrophic risk to an aviation or surface transportation entity.

• Explosive and explosive devices or attacks involving the use of explosives that may cause catastrophic damage to an aviation or surface transportation system.

• Chemical or biological agents being released in either aviation or surface transportation systems.

• Cyberthreat actors seeking to undermine confidence in transportation systems or cause service disruptions that jeopardize transportation security.

• Unmanned aerial systems with the capability of inflicting harm on transportation targets.

• Individuals or groups seeking to attack soft targets, public areas, or crowded spaces of transportation systems.

• Inconsistent or inadequate security screening protocols at last point of departure airports with direct flights to the United States.

• Information sharing challenges within the Federal Government and among partner governments.

• Information sharing challenges between the Administration or other relevant Federal agencies and transportation stakeholders, including air carriers, airport operators, surface transportation operators, and State and local law enforcement.

• Growth in passenger volume in both the aviation and surface transportation sectors.

Threat Mitigation

The bill would subsequently require the TSA to develop “a threat mitigation strategy for each of the threats examined in such analysis” {§2(c)}. This would include:

• Assigning appropriate resources of the Administration to address such threats, based on calculated risk; or

• Provide recommendations through the Department of Homeland Security to the appropriate Federal department or agency responsible for addressing such threats.

TSA would also be required to improve stakeholder engagement and provide a briefing to Congress.

Moving Forward

Joyce and his cosponsor, Rep. Rogers (R,AL) are both members of the House Homeland Security Committee (and Rogers is the Ranking Member of that Committee), so there is a reasonable chance that this bill could be considered by the Committee.

There is nothing in the bill that would engender any specific political or business opposition to the bill; study and report bills seldom do. I suspect that the bill would receive substantial bipartisan support in Committee. With such support the bill would be considered by the full House (if there were enough political influence to move the bill forward) under the suspension of the rules process.

Commentary

Joyce’s staff did a good job of ensuring that the language of the bill provided nearly equal coverage to threats against both airline and surface transportation assets. Unfortunately, the language is clearly focused on passenger transportation, and calls for scant scrutiny of freight transportation (either air or ground) or pipeline security. This is especially true when it comes to the one reference to chemical threats.

With that in mind, I would like to offer the following changes to some of the ‘elements’ of the threat that are be considered by the threat analysis in §2(b) (Highlighted words are added):

(1) Evolving tactics by terrorist organizations that may pose a catastrophic risk to an aviation or surface transportation entity including freight transportation in both modes.

(2) Explosive and explosive devices or attacks involving the use of explosives that may cause catastrophic damage to an aviation or surface transportation system or cause a release of hazardous industrial chemicals in surface freight transportation.

(4) Cyberthreat actors seeking to undermine confidence in transportation systems or cause service disruptions that jeopardize transportation security or cause catastrophic damage to a hazardous material or fuel pipeline.

The other problem that this bill ignores is the lack of specific authority provided to TSA to issue security regulations for surface transportation or the failure of TSA to implement the few regulations that it has been authorized to issue. With that in mind I would re-do paragraph (e) to read:

(e) BRIEFING TO CONGRESS.—The Administrator of the Transportation Security Administration shall brief the Committee on Homeland Security of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate on: the results of the analysis required under subsection (a) and relevant mitigation strategies developed in accordance with subsection (c).

(1) The results of the analysis required under subsection (a);

(2) The relevant mitigation strategies developed in accordance with subsection (c);

(3) The status of current rulemakings authorized by Congress that might address the threats identified in subsection (a); and

(4) What rulemaking authorities that TSA or other Federal agencies might need from Congress to appropriately apply the mitigation strategies developed in accordance with subsection (c).

STSAC Meeting Announcement – 07-11-19

Yesterday the DHS Transportation Security Administration (TSA) published a meeting notice in the Federal Register (84 FR 27795) for a meeting of the newly established Surface Transportation Security Advisory Committee (STSAC) on July 11^th, 2019 at TSA Headquarters in Arlington, VA.

The agenda includes:

• Unclassified Surface Transportation Intelligence Briefing

• TSA Organizational Structure

• Surface Transportation Rulemaking

• Organization of STSAC

• Public Comments

Public participation is welcomed, but advanced registration (for the purpose of clearing people for access to the TSA HQ) is required. Oral or written comments may be submitted, but advanced notice is required. That notification should be made by June 30^th, 2019. Apparently there are no provisions for webcasting the meeting.

Commentary

This is the initial meeting of STSAC so it is way too early to tell how effective this Advisory Committee will be. Some agencies (DOT in particular) have made their advisory committees an integral part of the regulatory development process. The broad membership of this Committee should make for a reasonable level of expertise that should be of benefit to the understaffed and underfunded surface transportation folks at TSA. Yet to be determined, however, is how well the Committee and its inevitable subcommittees work together and how much attention TSA pays to their recommendations.

On the later, I hope that the lack of a meeting webcast or even teleconference monitoring is not an indication of lack of support from TSA management for this congressionally mandated Advisory Committee.

Committee Hearings – Week of 02-24-19

This week with both the House and Senate in session there are a wide variety of important congressional hearings taking place. Among those are some that are of particular interest here; EMP effects on the grid, the CFATS program, and two cybersecurity hearings.

EMP and the Grid

On Wednesday the Senate Homeland Security and Governmental Affairs Committee will be holding a hearing on “Perspectives on Protecting the Electric Grid from an Electromagnetic Pulse or Geomagnetic Disturbance”. A witness list is not yet available.

CFATS Program

On Wednesday the House Homeland Security Committee will be holding a hearing on “Securing Our Nation’s Chemical Facilities: Building on the Progress of the CFATS Program”. The witness list includes:

• David Wulf, ISCD, DHS; and
• Nathan Anderson, GAO

The lack of industry witnesses on the list may be just temporary, or it may indicate that Chairman Thompson (D,MS) intends to take a close look at the most recent GAO report (not yet available) on the program.

Surface Transportation Cybersecurity

Today two subcommittee of the House Homeland Security Committee will hold a hearing on “Securing U.S. Surface Transportation from Cyber Attacks”. The witness list includes:

• Bob Kolasky, CISA, DHS;
• Sonya T. Proctor, TSA, DHS;
• Rebecca Gagliostro, Interstate Natural Gas Association of America;

• James A. Lewis, Center for Strategic and International Studies;

• Erik Robert Olson, Rail Security Alliance; and

• John Hultquist, FireEye

Interesting that there will be witnesses representing pipelines and railroads, but no one from the trucking industry. Hopefully that has more to do with House committee politics than representing a cybersecurity blind spot.

DOD Cybersecurity

Today the Subcommittee on Intelligence and Emerging Threats and Capabilities of the House Committee on Armed Services will hold a hearing on “Department of Defense Information Technology, Cybersecurity, and Information Assurance”. The witness list includes:

• Dana Deasy, CIO, DOD;

• Lisa Hershman, Acting Chief Management Officer, DOD; and

• BG Dennis Crall, Deputy Principal Cyber Advisor, DOD

This looks like it will be principally an IT cybersecurity hearing, but topics of supply chain security may arise.

HR 5089 Introduced – Local Transportation Security

Last month Rep. Barragan introduced HR 5089, the Strengthening Local Transportation Security Capabilities Act of 2018. The bill would increase DHS support to fusion centers supporting high-risk sur1face transportation assets.

Definitions

Section 2 of the bill provides a number of definitions of terms that are used in the bill. Two of the key terms are:

Surface transportation asset {§2(2)} - includes facilities, equipment, or systems used to provide transportation services by:

• Public transportation agency;

• Railroad carrier;

• Over-the-road bus company; or

• Bus terminal.

Transportation facility {§2(3)} - a bus terminal, intercity or commuter passenger rail station, airport, or multi-modal transportation center.

Fusion Center Support

Section 3 of the bill addresses assistance that DHS would be required to provide to fusion centers. First, DHS would be required to assign ‘officers and intelligence analysts’ from TSA and Office of Intelligence and Analysis of the Department of Homeland Security to locations with participating State, local, and regional fusion centers. Those personnel would be expected to develop “transportation security intelligence products, with an emphasis on terrorist and other threats to surface transportation assets” {§3(b)(1)}.

DHS would also be required to process security clearance requests by “appropriate owners and operators of surface transportation assets, and any other person that the Secretary determines appropriate to foster greater sharing of classified information relating to terrorist and other threats to surface transportation assets” {§3(c)}.

Other Surface Transportation Security Support

Section 4 would require TSA to develop a framework for the establishment of integrated and unified operations center for transportation facilities. Those operations centers would be responsible for overseeing daily operations with an emphasis on providing coordination for responses to terrorism, and other serious incidents.

Section 5 of the bill would allow DHS to establish at Federal Law Enforcement Training Centers a training program that would “enhance the protection, preparedness, and response capabilities of law enforcement agencies with respect to terrorism and other serious incidents at a surface transportation asset” {§5(a)}.

Moving Forward

Barragan is a member of the House Homeland Security Committee to which this bill was assigned for consideration. Both of her cosponsors are also influential Democrats on that Committee. The bill is scheduled to be considered in Committee on Wednesday.

I see nothing in the bill that would draw significant opposition; either in Committee or on the floor of the House. I suspect that it would receive substantial bipartisan support in both venues.

Commentary

Generally, this is a motherhood and apple pie bill that makes it look like DHS and Congress are doing something to address surface transportation security. There are two main problems with this bill; the reliance on classified intelligence reports and the failure to include truck freight operations in surface transportation.

While it is certainly a good idea for fusion centers to share classified intelligence products with the potentially affected sector, the reality is that most transportation service providers referenced in this bill will not be able to afford the establishment and maintenance of secure transmission and storage facilities to receive and use those classified intelligence products. The largest entities (Class I railroads and the top two over-the-road bus companies for example) may be able to afford these facilities, but most organizations cannot either justify or afford the expenditure of funds necessary.

The bill should have required DHS to establish a formal, expedited process to extract actionable information from these classified reports that can be shared with organizations as Sensitive Security Information (SSI) rather than as classified information. The regulatory requirements for the receiving and storage of SSI information are still expensive, but are significantly more affordable than the requirements for classified information.

The second issue (failure to include truck freight operations) is more understandable. For the most part these freight operations are considered to be at substantially lower threat of terrorist attack. There are, however, one subset of the truck industry that should be considered as being at significant threat of terrorist attack, those trucking companies that handle hazardous materials. I would have added the following to the definition of ‘surface transportation asset’ as a covered provider of transportation services:

“(D) Freight truck operations that handle placarded (as defined in 49 CFR 172.500) loads of hazardous materials; and”

I understand that the trucking industry has been vociferous in their opposition to further security regulations affecting their operations. This bill, however, has no regulatory impact, so there should be little or no opposition to the inclusion of truck freight operations in the requirements outlined for DHS in the bill.

Bills Introduced – 02-27-18

Yesterday with both the House and Senate in session, there were 63 bills introduced. Of those, two may be of specific interest to readers of this blog:

HR 5099 To amend the Homeland Security Act of 2002 to establish in the Department of Homeland Security a fusion center technical assistance program. Rep. Estes, Ron [R-KS-4]

HR 5131 To improve the effectiveness of Federal efforts to identify and address homeland security risks to surface transportation, secure against vehicle-based attacks, and conduct a feasibility assessment of introducing new security technologies and measures, and for other purposes. Rep. Watson Coleman, Bonnie [D-NJ-12] 

I will be watching HR 5099 to see if it includes specific cybersecurity requirements, particularly for industrial control system security issues.

I will be watching HR 5131 for chemical transportation security issues.

Committee Hearings – Week of 01-21-18

This week, with the House finally getting back home for their ‘District Work’ week after ‘restarting’ the government, we have a rather short list of Senate hearings this week. Only one of those hearings may be of specific interest to readers of this blog; surface transportation security.

On Tuesday, the Transportation and Merchant Marine Infrastructure, Safety and Security Subcommittee of the Senate Commerce, Science, and Transportation Committee will hold a hearing on “Surface Transportation Security: Addressing Current and Emerging Threats”. The witness list is short:

• David Pekoske, Administrator, Transportation Security Administration; and

• John Kelly, Acting Inspector General, Department of Homeland Security

While there are a great many topics that could be discussed at such a hearing, I expect that what ever short comings the IG report has identified in the much-overlooked Surface Transportation Security wing of the TSA will be the main focus of the hearing. I was hoping that a copy of that report would have been available today, but with the short Federal Financial Fiasco 2018…… (that will be the oft stated excuse for a week or two).

HR 4474 Introduced – Surface Transportation Security

Last month Rep. Watson-Coleman (D,NJ) introduced HR 4474, the Surface Transportation and Public Area Security Act of 2017. While the main focus of the bill is on public transportation security issues, it would have some impact on chemical transportation security issues.

Sections of the bill that may be of specific interest to readers of this blog include:

§106. Frontline employee security training.

§202. Risk scenarios.

§203. Assessments and security plans.

§301. Threat information sharing.

§302. Integrated and unified operations centers.

§304. Security technologies tied to foreign threat countries.

Security Training

Section 106 attempts to address the failure of the Transportation Security Administration (TSA) to implement surface transportation employee security training requirements established by Congress in 2007 (6 USC 1137, 1167, and 1184). TSA published a notice of proposed rulemaking in December 2016. The Fall 2017 Unified Agenda indicates that the Trump Administration currently intends to publish a final rule in September of next year, though that date slips each time the Unified Agenda is updated.

This section would require a report to Congress by the TSA on the status of the rulemaking and a subsequent review of that report by the DHS Inspector General.

Risk Scenarios

Section 202 would require TSA to annually use terrorist attack scenarios in establishing risk-based priorities supporting the modal transportation security plans currently required by 49 USC 114(s)(1)(B). Those scenarios are specifically required to include “cyber attack scenarios” {§202(b)}. A report to Congress is required on the priorities established, but details on the scenarios used is not required to be part of that report.

Security Plans

Similar to §106, §203 would require a report to Congress (with a subsequent review by the DHS IG) of the status of the rulemaking supporting the congressionally mandated (6 USC 1134, 1162, and 1181) development of security assessments and security plans by various surface transportation organizations. TSA published an advanced notice of proposed rulemaking on these requirements in December 2016 and the Trump Administration re-opened the comment period in March of this year. The current Unified Agenda lists this rulemaking under the ‘Long-Term Actions’ section with a ‘to be determined’ date for the issuance of an NPRM.

Information Sharing

Section 301 would specifically require TSA to provide personnel to support fusion centers “in jurisdictions with a high-risk surface transportation asset” {§302(a)} to improve the “timely sharing of classified information regarding terrorist and other threats”. It would also require DHS to provide assistance in obtaining security clearances for “appropriate owners and operators of surface transportation assets, and any other person that the Secretary determines appropriate to foster greater sharing of classified information relating to terrorist and other threats to surface transportation assets” {§302(c)}.

Security Technologies

Section 304 would require DHS to provide a report to Congress on the threats posed to surface transportation assets “posed by the use of security technologies, including soft4

ware and networked technologies, developed or manufactured by firms that are owned or closely linked to the governments of countries that are known to pose a cyber or homeland security threat”.

Moving Forward

Watson-Coleman is a member of the House Homeland Security Committee (as are a number of her co-sponsors), one of the two committees to which this bill was assigned for consideration. Other co-sponsors {including Rep. Lipinski, (D,IL)} are members of the House Transportation and Infrastructure Committee, the other committee to which the bill was assigned. This means that it is possible that this bill could be considered in either or both committees. There are no Republican co-sponsors, however, which would suggest that there is insufficient bipartisan support to move the bill forward in Committee.

The security training and security plan provisions of this bill are sure to draw objections from owners of the potentially affected transportation companies and their lobbying organizations. This makes it unlikely that the bill would be supported by a sufficient number of Republicans to move the bill forward in the House.

Bills Introduced – 11-28-17

Yesterday with both the House and Senate in session there were 31 bills introduced. Of these only one may be of specific interest to readers of this blog:

HR 4474 To enhance the security of surface transportation assets, and for other purposes. Rep. Watson Coleman, Bonnie [D-NJ-12]

Looking at the bill fact sheet prepared by Watson-Coleman’s office this looks like it will be a very comprehensive surface transportation security bill. While it does not appear to specifically address chemical transportation security issues, it would require DOT to complete their rulemaking on transportation security training and may address transportation cybersecurity issues.

HR 2825 Amended and Approved in Committee

Last week the House Homeland Security Committee held a markup hearing on HR 2825, the DHS Authorization Act of 2018 [corrected date 6-19-17 0710 EDT]. The Committee adopted a large number of amendments, including substitute language.

Substitute Language

The original bill was extremely light in its coverage and was obviously missing some titles. The substitute language offered by Rep. McCaul (R,TX) substantially enlarged and expanded the coverage of the bill. New sections in the substitute language that may be of specific interest to readers of this blog include:

§403. Cyber at ports.

§409. Repeal of interagency operational centers for port security and secure systems of transportation.

§572. Surface transportation security assessment and implementation of

risk-based strategy.

§577. Surface transportation security advisory committee.

§583. Study on surface transportation inspectors.

§584. Security awareness program.

§585. Voluntary use of credentialing.

§586. Background records checks for issuance of hazmat licenses.

§587. Recurrent vetting for surface transportation credential-holders.

§588. Pipeline security study.

§589. Repeal of limitation relating to motor carrier security-sensitive material

tracking technology.

§620. Cyber preparedness.

§642. Medical Countermeasures Program.

The provisions I discussed in my post about the original bill remain essentially unchanged.

Maritime Security

Title IV of the substitute language addresses maritime security issues. Most of the provisions found in this title were included in HR 2831, the Maritime Security Coordination Improvement Act that I reviewed yesterday. That bill includes provisions not seen in this bill, so it is likely to continue forward. I suspect that the duplicate provisions in this bill are those that McCaul considers the most important.

The cybersecurity provisions that I discussed in HR 2831 are included in this bill (§403) essentially unchanged.

Surface Transportation Security Studies

The substitute language contains a new Title V, Subtitle G (sections 571 thru 589) that addresses a number of surface transportation security issues. Many of them deal with various study and report requirements. There are two studies outlined in this subtitle that may be of specific interest to owners and operators of surface transportation organizations and activities.

Section 583 would require the Government Accountability Office (GAO) to conduct a study looking at potential duplications or redundancies between TSA and DOT “relating to surface transportation security inspections or over sight” {§583(1)}. While TSA has been given the responsibility for overseeing all transportation security issues, its main (some would say almost exclusive) focus has been on passenger air transportation security. As a result, the DOT modal agencies have continued to oversee the pre-TSA security requirements that were initiated by the modal agencies. There exists a very real potential that this study could lead to the disbanding of the TSA surface transportation security program as duplicative and ineffective.

Section 588 requires a separate GAO study of the TSA/DOT oversight conflict in the pipeline security arena. Of particular interest to readers of this blog is the specific inclusion of cybersecurity issues in the study parameters. The GAO is tasked with looking at how the current memorandum of understanding between DHS and DOT adequately delineates the responsibility for {§588(a)(1)}:

• Protecting against intentional pipeline breaches and cyber-attacks;

• Responding to intentional pipeline breaches and cyber-attacks; and

• Planning to recover from the impact of intentional pipeline breaches and cyber-attacks.

The big problem here is that most of the activities that are used to respond to a pipeline breach are the same for both intentional and accidental breaches. Given the fact that accidental breaches are much more common than intentional breaches, the DOT pipeline safety folks will have much more practical experience in this field.

The one area that is not specifically identified in the §588 requirements is having the GAO study identify if either PHMSA or TSA have enough people with the requisite skill and background in control system security to deal with cyber-attacks.

Other Amendments

An amendment offered by Rep. Thompson (D,MS) amended the new requirement for surface security awareness training outlined in §584. The Thompson amendment would reiterate that this new requirement would not “replace or affect in any way the security training program requirements” specified in 6 USC sections 1137, 1167, and 1184. Readers of this blog will remember that TSA finally published a notice of proposed rulemaking (NPRM) on those requirement last December. This amendment was adopted by voice vote.

An amendment offered by Rep. Langevin (D,RI) would add a new section to the bill that would require the FEMA Administrator to conduct a study on the use of grant funds awarded pursuant to 6 USC §604 (Urban Area Security Initiative) and §605 (State Homeland Security Grant Program) to support efforts to prepare for and respond to cybersecurity risks and incidents (as such terms are defined in 6 USC 148. Readers should see my discussion on HR 2831 on why the reference to 6 USC 148 ignores control system security issues. This amendment was adopted by voice vote.

Moving Forward

The amended substitute language on this bill passed by a voice vote. Even with the Democrats losing party line votes on six amendments, there is still substantial bipartisan support within the Committee for the amended bill. If McCaul can get buy in from the House leadership (including the chairs of a number of other potentially interested committees) to bring this bill to the floor, it is almost certain to pass. Convincing the Senate leadership to bring the bill to the floor in that body will be another intra-party, political issue.

Senate Committee Amends and Approves S 763

Earlier today the Senate Commerce, Science, and Transportation Committee held a markup hearing where they amended and subsequently approved S 763, the Surface and Maritime Transportation Security Act by a voice vote. Sen. Thune (R,SD) offered substitute language for the bill which was further amended by an amendment offered by Sen. Baldwin (D,WI). This bill is similar to S 3379 that was introduced in the 114^th Congress. That bill was not considered during the last session.

This bill is public transportation centric with little or no mention of issues related to the secure transportation of hazardous chemicals. In fact, there are only two areas of the bill that specifically touch on this area:

§19 – Voluntary use of credentialing; and

§20 – Background records checks for issuance of hazmat licenses.

The one other area of potential interest to readers of this blog will be the requirement for TSA to establish a surface transportation workers training program for all operators and frontline employees specifically identified in §16 of the bill.

TSA Credentials

The first allows any person that is subject to a background investigation required by a TSA supported program to voluntarily meet that requirement by applying for and receiving a Transportation Workers Identification Credential (TWIC). This section specifically mentions Hazardous Material Endorsements (HME) for commercial drivers’ license and personnel working at a CFATS covered facility as TSA background investigation requirements for which a TWIC can be used as proof of having the appropriate background investigation.

Section 20 specifically states that an individual who holds a valid TWIC “shall be deemed to have met background records check requirement” to be issued an HME.

Security Awareness Training

Section 16 would require TSA to establish a security awareness training program for specific surface transportation employees {§16(g)}. The training would be required to address “the skills necessary to recognize, assess, and respond to suspicious items or actions that could indicate a threat to transportation” {§16(c)}.

In establishing the requirements for this training program the TSA is required to examine existing security training programs (both required and voluntary) and determine if any gaps in those training programs exist.

Interestingly there is no reference to the current requirement for TSA to establish much more expansive security training programs for over-the-road bus operators {49 USC 1584.115}; freight rail {§1580.115} and public transportation and passenger rail {§1582.115}. TSA published a notice of proposed rulemaking (NPRM) for these requirements in December, 2016 and extended the comment period last month.

Grant Programs

The bill does provide authorization for a variety of existing surface transportation security grant programs. It authorizes a base amount for each year ($250 Million for 2018 increasing to $325 Million for 2021) and an equal or greater additional amount each year that the DHS Secretary certifies that grant approval process “adequate reflects the results of the risk-based assessment and risk-based strategy” outlined in the bill. Half of the grant monies would be reserved for the Port Security Grant Program.

 

Moving Forward

Thune is the Chair of the Committee and his concern with moving this bill forward can be seen in the rapidity with which the Committee held this markup. The bipartisan support for this bill within the Committee is a clear indication that there should be little or no opposition to this bill if it were to make it to the floor of the Senate. This bill is, however, unlikely to be considered under the unanimous consent process due to the inclusion of the authorization of funds for a variety of transportation security grant programs. This probably means at least a couple days of debate and amendments when it is considered.

This bill is up against a number of arguably more important issues that the Senate will have to deal with in the near future. A FY 2017 spending bill (or at least a continuing resolution) needs to be sent to the President by April 28^th and then work must begin on the FY 2018 spending bills. There are still a large number of presidential appointees that must be approved by the Senate and it would seem that few of them will be controversy free.

The Senate is unlikely to consider this bill any earlier than June.