Intent To Request an Extension From OMB of One Current Public Collection of Information: Cybersecurity Measures for Surface Modes, 72988-72990 [2021-27886]
Federal Register / Vol. 86, No. 244 / Thursday, December 23, 2021 / Notices
[Federal Register Volume 86, Number 244 (Thursday, December 23, 2021)]
[Notices]
[Pages 72988-72990]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-27886]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
Transportation Security Administration
Intent To Request an Extension From OMB of One Current Public
Collection of Information: Cybersecurity Measures for Surface Modes
AGENCY: Transportation Security Administration, DHS.
ACTION: 60-Day notice.
-----------------------------------------------------------------------
SUMMARY: The Transportation Security Administration (TSA) invites
public comment on one currently-approved Information Collection Request
(ICR), Office of Management and Budget (OMB) control number 1652-0074,
abstracted below, that we will submit to OMB for an extension in
compliance with the Paperwork Reduction Act (PRA). On November 30,
2021, OMB approved TSA's request for an emergency approval of this
collection to address the ongoing cybersecurity threat to surface
transportation and associated infrastructure. TSA is now seeking to
renew the collection, which expires on May 31, 2022, with incorporation
of the subject of the emergency request. The ICR describes the nature
of the information collection and its expected burden. The collection
allows TSA to address the ongoing cybersecurity threat using a risk-
based approach to transportation security.
DATES: Send your comments by February 22, 2022.
ADDRESSES: Comments may be emailed to TSAPRA@tsa.dhs.gov or delivered
to the TSA PRA Officer, Information Technology (IT), TSA-11,
Transportation Security Administration, 6595 Springfield Center Drive,
Springfield, VA 20598-6011.
FOR FURTHER INFORMATION CONTACT: Christina A. Walsh at the above
address, or by telephone (571) 227-2062.
SUPPLEMENTARY INFORMATION:
Comments Invited
In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C.
3501 et seq.), an agency may not conduct or sponsor, and a person is
not required to respond to, a collection of information unless it
displays a valid OMB control number. The ICR documentation will be
available at https://www.reginfo.gov upon its submission to OMB.
Therefore, in preparation for OMB review and approval of the following
information collection, TSA is soliciting comments to--
(1) Evaluate whether the proposed information requirement is
necessary for the proper performance of the functions of the agency,
including whether the information will have practical utility;
(2) Evaluate the accuracy of the agency's estimate of the burden;
(3) Enhance the quality, utility, and clarity of the information to
be collected; and
(4) Minimize the burden of the collection of information on those
who are to respond, including using appropriate automated, electronic,
mechanical, or other technological collection techniques or other forms
of information technology.
Information Collection Requirement
OMB Control Number 1652-0074; Cybersecurity Measures for Surface
Modes. Under the Aviation and Transportation Security Act \1\ and
delegated authority from the Secretary of Homeland Security, TSA has
broad responsibility and authority for ``security in all modes of
transportation . . . including security responsibilities . . . over
modes of transportation that are exercised by the Department of
[[Page 72989]]
Transportation.'' \2\ TSA is specifically empowered to assess threats
to transportation; \3\ develop policies, strategies, and plans for
dealing with threats to transportation; \4\ oversee the implementation
and adequacy of security measures at transportation facilities; \5\ and
carry out other appropriate duties relating to transportation
security.\6\
---------------------------------------------------------------------------
\1\ Public Law 107-71 (115 Stat. 597; Nov. 19, 2001), codified
at 49 U.S.C. 114.
\2\ See 49 U.S.C. 114(d). The TSA Administrator's current
authorities under the Aviation and Transportation Security Act have
been delegated to him by the Secretary of Homeland Security. Section
403(2) of the Homeland Security Act (HSA) of 2002, Public Law 107-
296 (116 Stat. 2135, Nov. 25, 2002), transferred all functions of
TSA, including those of the Secretary of Transportation and the
Under Secretary of Transportation of Security related to TSA, to the
Secretary of Homeland Security. Pursuant to DHS Delegation Number
7060.2, the Secretary delegated to the Administrator of TSA, subject
to the Secretary's guidance and control, the authority vested in the
Secretary with respect to TSA, including that in section 403(2) of
the HSA.
\3\ 49 U.S.C. 114(f)(2).
\4\ 49 U.S.C. 114(f)(3).
\5\ 49 U.S.C. 114(f)(11).
\6\ 49 U.S.C. 114(f)(15).
---------------------------------------------------------------------------
On November 30, 2021, OMB approved TSA's request for an emergency
approval of this information collection that covers both mandatory
reporting and voluntary reporting of information. The OMB approval
allowed for the institution of mandatory reporting requirements and
collection of information voluntarily submitted. See ICR Reference
Number: 202111-1652-003. TSA is now seeking renewal of this information
collection for the maximum three-year approval period.
The request for a new collection was necessary as a result of
actions TSA took to address the ongoing and escalating cybersecurity
threat to surface transportation and associated infrastructure. On
December 2, 2021, TSA issued Security Directive (SD) 1580-2021-01 or
SD 1582-2021-02 mandating TSA-specified owner/operators of ``higher
risk'' railroads and rail transit systems, respectively, to implement
an array of cybersecurity measures to prevent disruption and
degradation to their infrastructure.\7\ The scope of these SDs aligns
with the railroads and rail transit systems required to report
significant security incidents to TSA under 49 CFR 1570.203.
---------------------------------------------------------------------------
\7\ Companies and agencies that are identified as higher-risk
service the regions with the highest surface transportation-specific
risk. Risk ranking is based on considerations related to ridership,
location of services provided (use of the same stations and stops),
and relationship between feeder and primary systems. See https://www.tsa.gov/sites/default/files/guidance-docs/high_threat_urban_area_htua_group_designations_0.pdf.
---------------------------------------------------------------------------
On that same date, TSA also issued an ``information circular''
(IC), which contains non-binding recommendations with the same measures
for railroad owner/operators, public transportation agencies, rail
transit system owner/operators, and certain over-the-road bus owner/
operators not specifically covered under SDs 1580-2021-01 or 1582-2021-
02. The requirements in the SDs and the recommendations in the IC allow
TSA to execute its security responsibilities within the surface
transportation industry, through awareness of potential security
incidents and suspicious activities. The SDs require, and the IC
recommends, the following security measures:
1. Designate a Cybersecurity Coordinator who is available to TSA
24/7 to coordinate cybersecurity practices and address any incidents
that arise;
2. Report cybersecurity incidents to the Cybersecurity and
Infrastructure Security Agency (CISA);
3. Develop a cybersecurity incident response plan; and
4. Complete a cybersecurity vulnerability assessment to address
cybersecurity gaps using the form provided by TSA.
TSA, in conjunction with federal partners such as CISA, will use
the reports of cybersecurity incidents to evaluate and respond to
imminent and evolving cybersecurity incidents and threats as they
occur, and as a basis for creating new cybersecurity policy moving
forward. This monitoring will allow TSA and federal partners to take
action to contain threats, take mitigating action, and issue timely
warnings to similarly-situated entities against further spread of the
threat. TSA and its federal partners will also use the information to
inform timely modifications to cybersecurity requirements to improve
transportation security and national economic security. TSA will use
the collection of information to ensure compliance with TSA's
cybersecurity measures required by the SDs and the recommendations
under the IC.
Table 1 provides more detail on the measures included in the SDs
and IC.
Table 1--Summary of Security Measures in the Security Directive and
Information Circular
------------------------------------------------------------------------
Title                          Security measure
------------------------------------------------------------------------
Designate a Cybersecurity      Owner/Operators are required or
Coordinator.                   recommended, as applicable, to appoint a
                               U.S. Citizen Cybersecurity Primary and
                               Alternate Coordinator who must or
                               should, as applicable, submit contact
                               information. The Cybersecurity
                               Coordinator serves as the primary
                               contact for cyber-related intelligence
                               information and cybersecurity-related
                               activities and communications with TSA
                               and CISA; must/should be accessible to
                               TSA and CISA 24 hours a day, seven days
                               a week; must/should coordinate cyber and
                               related security practices and
                               procedures internally; and must/should
                               work with appropriate law enforcement
                               and emergency response agencies.
Cybersecurity Incident         Owner/Operators Cybersecurity
Reporting.                     Coordinators are required or
                               recommended, as applicable, to report
                               actual and potential cybersecurity
                               incidents to CISA within 24 hours of
                               identification of a cybersecurity
                               incident. The information provided to
                               CISA pursuant to the SD is shared with
                               TSA and may also be shared with the
                               National Response Center and other
                               agencies as appropriate. Conversely,
                               information provided to TSA pursuant to
                               this directive is shared with CISA and
                               may also be shared with the National
                               Response Center and other agencies as
                               appropriate. Cybersecurity incident
                               reports are submitted using the CISA
                               Reporting System form at:
                               https://us-cert.cisa.gov/forms/report.
                               Incident reports can also be reported by
                               calling (888) 282-0870. CISA has an
                               approved information collection for
                               cybersecurity incident reporting. See
                               OMB control number 1670-0037.
Cybersecurity Incident         Owner/Operators are required or
Response Plan.                 recommended, as applicable, to develop
                               and adopt a Cybersecurity Incident
                               Response Plan to reduce the risk of
                               operational disruption should their
                               Information Technology and/or
                               Operational Technology systems be
                               affected by a cybersecurity incident.
                               Owner/operators must provide or are
                               recommended to provide, as applicable,
                               evidence of compliance to TSA upon
                               request.
[[Page 72990]]
Cybersecurity Vulnerability    Owner/Operators are required or
Assessment.                    recommended, as applicable, to assess
                               their current cybersecurity posture
                               consistent with the functions and
                               categories found in the National
                               Institute of Standards and Technology
                               Cybersecurity Guidance Framework. The
                               assessment and identification of
                               cybersecurity gaps must or should, as
                               applicable, be completed using a form
                               provided by TSA. As part of this
                               assessment, the owners and operators
                               must/may identify remediation measures
                               to address the vulnerabilities and
                               cybersecurity gaps identified during the
                               assessment and a plan for implementing
                               the identified measures if necessary,
                               and report the results to TSA.
                               TSA will use the results of the
                               assessments to make a global assessment
                               of the cyber risk posture of the
                               industry and possibly impose additional
                               security measures as appropriate or
                               necessary. TSA may also use the
                               information, with company-specific data
                               redacted, for TSA's intelligence-derived
                               reports. TSA and CISA may also use
                               information submitted for vulnerability
                               identification, trend analysis, or to
                               generate anonymized indicators of
                               compromise or other cybersecurity
                               products to prevent other cybersecurity
                               incidents. All reported information will
                               be protected in a manner appropriate for
                               the sensitivity and criticality of the
                               information.
------------------------------------------------------------------------
Certification of Completion of SD Requirements
The SDs and IC took effect on December 31, 2021. Within 7 days of
the effective date of the SDs, owner/operators must provide their
designated Cybersecurity Coordinator information; within 90 days of the
effective date of the SDs owner/operators must complete the
Vulnerability Assessment (TSA form); within 180 days of the effective
date of the SDs, owner/operators must adopt a Cybersecurity Incident
Response Plan; within 7 days of completing the Cybersecurity Incident
Response Plan requirement, owner/operators must submit a statement to
TSA via email certifying that the owner/operator has completed this
requirement of the SD. Owner/Operators can complete and submit the
required information via email or other electronic options provided by
TSA. Documentation of compliance must be provided upon request. As the
measures in the IC are voluntary, the IC does not require owner/
operators to report on their compliance.
Portions of the responses that are deemed Sensitive Security
Information (SSI) are protected in accordance with procedures meeting
the transmission, handling, and storage requirements of SSI set forth
in 49 CFR parts 15 and 1520.
TSA estimates this collection applies to 457 railroad owner/
operators, 115 public transportation agencies and rail transit system
owner/operators, and 209 over-the-road bus owner/operators, for a total
of 781 respondents. TSA estimates the total hour burden for this
collection to be 96,163 hours.
Dated: December 20, 2021.
Christina A. Walsh,
TSA Paperwork Reduction Act Officer, Information Technology.
[FR Doc. 2021-27886 Filed 12-22-21; 8:45 am]
BILLING CODE 9110-05-P