Intent To Request an Extension From OMB of One Current Public Collection of Information: Cybersecurity Measures for Surface Modes, 68185-68186 [2022-24621]
Download as PDF
68185
Federal Register / Vol. 87, No. 218 / Monday, November 14, 2022 / Notices
The estimated response burden is as
follows:
Numbers of
respondents
Form name
Total
responses
Hours per
response
Total hour
burden
SOAR Web-based Data Form (Part I) .................................
Annual Report Questions (Part II) .......................................
700
75
3
1
2,100
75
.25
1
525
37.50
Total ..............................................................................
775
........................
2,175
........................
562.50
Send comments to Carlos Graham,
SAMHSA Reports Clearance Officer,
Room 15E–57A, 5600 Fishers Lane,
Rockville, MD 20857 OR email him a
copy at Carlos.Graham@
samhsa.hhs.gov. Written comments
should be received by January 13, 2023.
Carlos Graham,
Reports Clearance Officer.
[FR Doc. 2022–24616 Filed 11–10–22; 8:45 am]
BILLING CODE 4162–20–P
DEPARTMENT OF HOMELAND
SECURITY
Transportation Security Administration
Intent To Request an Extension From
OMB of One Current Public Collection
of Information: Cybersecurity
Measures for Surface Modes
Transportation Security
Administration, DHS.
ACTION: 60-Day notice.
AGENCY:
The Transportation Security
Administration (TSA) invites public
comment on one currently-approved
Information Collection Request (ICR),
Office of Management and Budget
(OMB) control number 1652–0074,
abstracted below, that we will submit to
OMB for an extension in compliance
with the Paperwork Reduction Act
(PRA). On October 26, 2022, OMB
approved TSA’s request for an
emergency approval of this collection to
address the ongoing cybersecurity threat
to surface transportation and associated
infrastructure. TSA is now seeking to
renew the collection, which expires on
April 30, 2023, with incorporation of
the subject of the emergency request.
The ICR describes the nature of the
information collection and its expected
burden. The collection allows TSA to
address the ongoing cybersecurity threat
to surface transportation systems and
associated infrastructure.
DATES: Send your comments by January
13, 2023.
ADDRESSES: Comments may be emailed
to TSAPRA@tsa.dhs.gov or delivered to
the TSA PRA Officer, Information
SUMMARY:
khammond on DSKJM1Z7X2PROD with NOTICES
Responses
per
respondent
VerDate Sep<11>2014
17:30 Nov 10, 2022
Jkt 259001
Technology (IT), TSA–11,
Transportation Security Administration,
6595 Springfield Center Drive,
Springfield, VA 20598–6011.
FOR FURTHER INFORMATION CONTACT:
Christina A. Walsh at the above address,
or by telephone (571) 227–2062.
SUPPLEMENTARY INFORMATION:
Comments Invited
In accordance with the Paperwork
Reduction Act of 1995 (44 U.S.C. 3501
et seq.), an agency may not conduct or
sponsor, and a person is not required to
respond to, a collection of information
unless it displays a valid OMB control
number. The ICR documentation will be
available at https://www.reginfo.gov
upon its submission to OMB. Therefore,
in preparation for OMB review and
approval of the following information
collection, TSA is soliciting comments
to—
(1) Evaluate whether the proposed
information requirement is necessary for
the proper performance of the functions
of the agency, including whether the
information will have practical utility;
(2) Evaluate the accuracy of the
agency’s estimate of the burden;
(3) Enhance the quality, utility, and
clarity of the information to be
collected; and
(4) Minimize the burden of the
collection of information on those who
are to respond, including using
appropriate automated, electronic,
mechanical, or other technological
collection techniques or other forms of
information technology.
Information Collection Requirement
OMB Control Number 1652–0074;
Cybersecurity Measures for Surface
Modes. TSA is specifically empowered
to assess threats to transportation; 1
develop policies, strategies, and plans
for dealing with threats to
transportation; 2 oversee the
implementation and adequacy of
security measures at transportation
facilities; 3 and carry out other
appropriate duties relating to
1 49
U.S.C. 114(f)(2).
U.S.C. 114(f)(3).
3 49 U.S.C. 114(f)(11).
2 49
PO 00000
Frm 00066
Fmt 4703
Sfmt 4703
transportation security.4 Additionally,
under 49 U.S.C. § 114(l)(2),5 TSA has
the authority to issue Security
Directives (SDs) if the Administrator of
TSA determines that a regulation or SD
must be issued immediately in order to
protect transportation security.
On November 30, 2021, OMB
approved TSA’s request for an
emergency approval of this information
collection to address the ongoing
cybersecurity threat to surface
transportation and associated
infrastructure. On April 7, 2022, TSA
submitted an extension request to OMB,
which was approved on October 25,
2022. See ICR Reference Number
202203–1652–003. On October 26, 2022,
OMB approved TSA’s request for an
additional emergency approval, revising
this information collection. See ICR
Reference Number: 202210–1652–001.
The collection covers both mandatory
reporting and voluntary reporting of
information. The OMB approval
allowed for the additional institution of
mandatory reporting requirements and
collection of information voluntarily
submitted. See ICR Reference Number:
202111–1652–003. TSA is now seeking
renewal of this information collection
for the maximum three-year approval
period.
The request for a revised collection
was necessary as a result of actions TSA
took to address the ongoing
cybersecurity threats to the United
States’ national and economic security
posed by this threat to surface
transportation and associated
infrastructure. On October 18, 2022,
TSA issued SD 1580/1582–2022–01 Rail
Cybersecurity Mitigation Actions,
Contingency Planning, and Testing,
which applies to Owner/Operators
including the ‘‘Higher Risk’’ freight
4 49
U.S.C. 114(f)(15).
any other provision of law or
executive order (including an executive order
requiring a cost-benefit analysis), if the
Administrator determines that a regulation or
security directive must be issued immediately in
order to protect transportation security, the
Administrator shall issue the regulation or security
directive without providing notice or an
opportunity for comment and without prior
approval of the Secretary.
5 Notwithstanding
E:\FR\FM\14NON1.SGM
14NON1
68186
Federal Register / Vol. 87, No. 218 / Monday, November 14, 2022 / Notices
khammond on DSKJM1Z7X2PROD with NOTICES
railroads identified in 49 CFR 1580.101
and additional TSA-designated freight
and passenger railroads. This SD
became effective on October 24, 2022.
The emergency request did not affect
the previously-approved collection for
SD 1580–21–01 and SD 1582–21–01,
which remain in effect, mandating TSAspecified Owner/Operators of ‘‘higher
risk’’ railroads and rail transit systems,
respectively, to implement an array of
cybersecurity measures to prevent
disruption and degradation to their
infrastructure.6 The scope of these SDs
align with the railroads and rail transit
systems required to report significant
security incidents to TSA under 49 CFR
1570.203.
In addition, the emergency request
did not affect the previously-issued
‘‘information circular’’ (IC), which
remain in effect. The IC contains nonbinding recommendations with the
same measures for railroad Owner/
Operators, public transportation
agencies, rail transit system Owner/
Operators, and certain over-the-road bus
Owner/Operators not specifically
covered under SDs 1580–21–01 or
1582–21–01.
The requirements in the SDs and the
recommendations in the IC allow TSA
to execute its security responsibilities
within the surface transportation
industry, through awareness of potential
security incidents and suspicious
activities. TSA plans to collect the
following information:
A. SD 1580/82–2022–01 includes the
following requirements:
1. The Cybersecurity Implementation
Plan submitted to TSA for approval that
addresses how the Owner/Operator will
achieve each of the following prescribed
objectives in the SD:
• identification of the Owner/
Operator’s Critical Cyber Systems;
• implementation of network
segmentation policies and controls to
ensure that the Operational Technology
system can continue to safely operate in
the event that an Information
Technology system has been
compromised;
• implementation of access control
measures to secure and prevent
unauthorized access to critical cyber
systems;
6 Companies and agencies that are identified as
higher-risk service the regions with the highest
surface transportation-specific risk. Risk ranking is
based on considerations related to ridership,
location of services provided (use of the same
stations and stops), and relationship between feeder
and primary systems. See https://www.tsa.gov/sites/
default/files/guidance-docs/high_threat_urban_
area_htua_group_designations_0.pdf
VerDate Sep<11>2014
17:30 Nov 10, 2022
Jkt 259001
• implementation of continuous
monitoring and detection policies and
procedures to detect cybersecurity
threats and correct anomalies that affect
Critical Cyber System operations; and;
• reduction of the risk of exploitation
of unpatched systems through the
application of security patches and
updates for operating systems,
applications, drivers and firmware on
Critical Cyber Systems in a timely
manner using a risk-based methodology.
2. The Annual Audit Plan for the
Cybersecurity Assessment Program that
describes how the Owner/Operator will
proactively and regularly assess the
effectiveness of cybersecurity measures,
and identify and resolve device,
network, and/or system vulnerabilities.
3. Provide documentation as
necessary to establish compliance, to be
provided upon TSA request.
B. SD 1580–21–01, SD 1582–21–01,
and IC 2021–01 remain in effect and
include the following information
collection requirements for the SDs and
recommendations for the IC:
1. Designate a Cybersecurity
Coordinator who is available to TSA 24/
7 to coordinate cybersecurity practices
and address any incidents that arise.
2. Report cybersecurity incidents to
the Cybersecurity and Infrastructure
Security Agency (CISA).
3. Develop a cybersecurity incident
response plan.
4. Complete a cybersecurity
vulnerability assessment to address
cybersecurity gaps using the form
provided by TSA.
TSA, in conjunction with federal
partners such as CISA, will use the
reports of cybersecurity incidents to
evaluate and respond to imminent and
evolving cybersecurity incidents and
threats as they occur, and as a basis for
creating new cybersecurity policy
moving forward. This monitoring will
allow TSA and federal partners to take
action to contain threats, take mitigating
action, and issue timely warnings to
similarly-situated entities against
further spread of the threat. TSA and its
federal partners will also use the
information to inform timely
modifications to cybersecurity
requirements to improve transportation
security and national economic security.
TSA will use the collection of
information to ensure compliance with
TSA’s cybersecurity measures required
by the SDs and the recommendations
under the IC.
Certification of Completion of SD
Requirements
The SDs and IC took effect on October
24, 2022. Within 7 days of the effective
PO 00000
Frm 00067
Fmt 4703
Sfmt 4703
date of the SDs, Owner/Operators must
provide their designated Cybersecurity
Coordinator information; within 90 days
of the effective date of the SDs, Owner/
Operators must submit their
Cybersecurity Implementation Plan;
within 120 days of the effective date of
the SDs, Owner/Operators must
complete the Vulnerability Assessment
(TSA form); within 180 days of the
effective date of the SDs, Owner/
Operators must adopt a Cybersecurity
Incident Response Plan; and within 7
days of completing the Cybersecurity
Incident Response Plan requirement,
Owner/Operators must submit a
statement to TSA via email certifying
that the Owner/Operator has completed
this requirement. Owner/Operators can
complete and submit the required
information via email or other electronic
options provided by TSA.
Documentation of compliance must be
provided upon request. As the measures
in the IC are voluntary, the IC does not
require Owner/Operators to report on
their compliance.
Portions of the responses that are
deemed Sensitive Security Information
(SSI) are protected in accordance with
procedures meeting the transmission,
handling, and storage requirements of
SSI set forth in 49 CFR part 1520.7
TSA estimates SD 1580/82–2022–01
applies to a total of 73 Owner/
Operators; and SD 1580–21–01, SD
1582–21–01, and IC 2021–01 apply to
457 railroad Owner/Operators, 115
public transportation agencies and rail
transit system Owner/Operators, and
209 over-the-road bus Owner/Operators,
for a total of 781 respondents. For this
collection, TSA estimates the total
annual respondents to be 854 and the
total annual hour burden to be 134,023
hours.
Dated: November 7, 2022.
Christina A. Walsh,
TSA Paperwork Reduction Act Officer,
Information Technology.
[FR Doc. 2022–24621 Filed 11–10–22; 8:45 am]
BILLING CODE 9110–05–P
7 In addition, all data in TSA systems are
statutorily required to comply with the Federal
Information Security Modernization Act 2014
(FISMA) following the National Institute of
Standards and Technology Special Publication
800.37 REV2 or Risk Management Framework, and
other federal information security requirements
including Federal Information Processing Standards
199 and Executive Order 14028. All systems,
networks, servers, clouds and endpoints under the
FISMA boundary are hardened to meet the
Department of Defense Security Technical
Implementation Guidelines, as well as DHS Policy
(4300.A) and TSA policy (TSA IA Handbook).
E:\FR\FM\14NON1.SGM
14NON1
Agencies
[Federal Register Volume 87, Number 218 (Monday, November 14, 2022)]
[Notices]
[Pages 68185-68186]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-24621]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
Transportation Security Administration
Intent To Request an Extension From OMB of One Current Public
Collection of Information: Cybersecurity Measures for Surface Modes
AGENCY: Transportation Security Administration, DHS.
ACTION: 60-Day notice.
-----------------------------------------------------------------------
SUMMARY: The Transportation Security Administration (TSA) invites
public comment on one currently-approved Information Collection Request
(ICR), Office of Management and Budget (OMB) control number 1652-0074,
abstracted below, that we will submit to OMB for an extension in
compliance with the Paperwork Reduction Act (PRA). On October 26, 2022,
OMB approved TSA's request for an emergency approval of this collection
to address the ongoing cybersecurity threat to surface transportation
and associated infrastructure. TSA is now seeking to renew the
collection, which expires on April 30, 2023, with incorporation of the
subject of the emergency request. The ICR describes the nature of the
information collection and its expected burden. The collection allows
TSA to address the ongoing cybersecurity threat to surface
transportation systems and associated infrastructure.
DATES: Send your comments by January 13, 2023.
ADDRESSES: Comments may be emailed to [email protected] or delivered
to the TSA PRA Officer, Information Technology (IT), TSA-11,
Transportation Security Administration, 6595 Springfield Center Drive,
Springfield, VA 20598-6011.
FOR FURTHER INFORMATION CONTACT: Christina A. Walsh at the above
address, or by telephone (571) 227-2062.
SUPPLEMENTARY INFORMATION:
Comments Invited
In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C.
3501 et seq.), an agency may not conduct or sponsor, and a person is
not required to respond to, a collection of information unless it
displays a valid OMB control number. The ICR documentation will be
available at https://www.reginfo.gov upon its submission to OMB.
Therefore, in preparation for OMB review and approval of the following
information collection, TSA is soliciting comments to--
(1) Evaluate whether the proposed information requirement is
necessary for the proper performance of the functions of the agency,
including whether the information will have practical utility;
(2) Evaluate the accuracy of the agency's estimate of the burden;
(3) Enhance the quality, utility, and clarity of the information to
be collected; and
(4) Minimize the burden of the collection of information on those
who are to respond, including using appropriate automated, electronic,
mechanical, or other technological collection techniques or other forms
of information technology.
Information Collection Requirement
OMB Control Number 1652-0074; Cybersecurity Measures for Surface
Modes. TSA is specifically empowered to assess threats to
transportation; \1\ develop policies, strategies, and plans for dealing
with threats to transportation; \2\ oversee the implementation and
adequacy of security measures at transportation facilities; \3\ and
carry out other appropriate duties relating to transportation
security.\4\ Additionally, under 49 U.S.C. Sec. 114(l)(2),\5\ TSA has
the authority to issue Security Directives (SDs) if the Administrator
of TSA determines that a regulation or SD must be issued immediately in
order to protect transportation security.
---------------------------------------------------------------------------
\1\ 49 U.S.C. 114(f)(2).
\2\ 49 U.S.C. 114(f)(3).
\3\ 49 U.S.C. 114(f)(11).
\4\ 49 U.S.C. 114(f)(15).
\5\ Notwithstanding any other provision of law or executive
order (including an executive order requiring a cost-benefit
analysis), if the Administrator determines that a regulation or
security directive must be issued immediately in order to protect
transportation security, the Administrator shall issue the
regulation or security directive without providing notice or an
opportunity for comment and without prior approval of the Secretary.
---------------------------------------------------------------------------
On November 30, 2021, OMB approved TSA's request for an emergency
approval of this information collection to address the ongoing
cybersecurity threat to surface transportation and associated
infrastructure. On April 7, 2022, TSA submitted an extension request to
OMB, which was approved on October 25, 2022. See ICR Reference Number
202203-1652-003. On October 26, 2022, OMB approved TSA's request for an
additional emergency approval, revising this information collection.
See ICR Reference Number: 202210-1652-001. The collection covers both
mandatory reporting and voluntary reporting of information. The OMB
approval allowed for the additional institution of mandatory reporting
requirements and collection of information voluntarily submitted. See
ICR Reference Number: 202111-1652-003. TSA is now seeking renewal of
this information collection for the maximum three-year approval period.
The request for a revised collection was necessary as a result of
actions TSA took to address the ongoing cybersecurity threats to the
United States' national and economic security posed by this threat to
surface transportation and associated infrastructure. On October 18,
2022, TSA issued SD 1580/1582-2022-01 Rail Cybersecurity Mitigation
Actions, Contingency Planning, and Testing, which applies to Owner/
Operators including the ``Higher Risk'' freight
[[Page 68186]]
railroads identified in 49 CFR 1580.101 and additional TSA-designated
freight and passenger railroads. This SD became effective on October
24, 2022. The emergency request did not affect the previously-approved
collection for SD 1580-21-01 and SD 1582-21-01, which remain in effect,
mandating TSA-specified Owner/Operators of ``higher risk'' railroads
and rail transit systems, respectively, to implement an array of
cybersecurity measures to prevent disruption and degradation to their
infrastructure.\6\ The scope of these SDs align with the railroads and
rail transit systems required to report significant security incidents
to TSA under 49 CFR 1570.203.
---------------------------------------------------------------------------
\6\ Companies and agencies that are identified as higher-risk
service the regions with the highest surface transportation-specific
risk. Risk ranking is based on considerations related to ridership,
location of services provided (use of the same stations and stops),
and relationship between feeder and primary systems. See https://www.tsa.gov/sites/default/files/guidance-docs/high_threat_urban_area_htua_group_designations_0.pdf
---------------------------------------------------------------------------
In addition, the emergency request did not affect the previously-
issued ``information circular'' (IC), which remain in effect. The IC
contains non-binding recommendations with the same measures for
railroad Owner/Operators, public transportation agencies, rail transit
system Owner/Operators, and certain over-the-road bus Owner/Operators
not specifically covered under SDs 1580-21-01 or 1582-21-01.
The requirements in the SDs and the recommendations in the IC allow
TSA to execute its security responsibilities within the surface
transportation industry, through awareness of potential security
incidents and suspicious activities. TSA plans to collect the following
information:
A. SD 1580/82-2022-01 includes the following requirements:
1. The Cybersecurity Implementation Plan submitted to TSA for
approval that addresses how the Owner/Operator will achieve each of the
following prescribed objectives in the SD:
identification of the Owner/Operator's Critical Cyber
Systems;
implementation of network segmentation policies and
controls to ensure that the Operational Technology system can continue
to safely operate in the event that an Information Technology system
has been compromised;
implementation of access control measures to secure and
prevent unauthorized access to critical cyber systems;
implementation of continuous monitoring and detection
policies and procedures to detect cybersecurity threats and correct
anomalies that affect Critical Cyber System operations; and;
reduction of the risk of exploitation of unpatched systems
through the application of security patches and updates for operating
systems, applications, drivers and firmware on Critical Cyber Systems
in a timely manner using a risk-based methodology.
2. The Annual Audit Plan for the Cybersecurity Assessment Program
that describes how the Owner/Operator will proactively and regularly
assess the effectiveness of cybersecurity measures, and identify and
resolve device, network, and/or system vulnerabilities.
3. Provide documentation as necessary to establish compliance, to
be provided upon TSA request.
B. SD 1580-21-01, SD 1582-21-01, and IC 2021-01 remain in effect
and include the following information collection requirements for the
SDs and recommendations for the IC:
1. Designate a Cybersecurity Coordinator who is available to TSA
24/7 to coordinate cybersecurity practices and address any incidents
that arise.
2. Report cybersecurity incidents to the Cybersecurity and
Infrastructure Security Agency (CISA).
3. Develop a cybersecurity incident response plan.
4. Complete a cybersecurity vulnerability assessment to address
cybersecurity gaps using the form provided by TSA.
TSA, in conjunction with federal partners such as CISA, will use
the reports of cybersecurity incidents to evaluate and respond to
imminent and evolving cybersecurity incidents and threats as they
occur, and as a basis for creating new cybersecurity policy moving
forward. This monitoring will allow TSA and federal partners to take
action to contain threats, take mitigating action, and issue timely
warnings to similarly-situated entities against further spread of the
threat. TSA and its federal partners will also use the information to
inform timely modifications to cybersecurity requirements to improve
transportation security and national economic security. TSA will use
the collection of information to ensure compliance with TSA's
cybersecurity measures required by the SDs and the recommendations
under the IC.
Certification of Completion of SD Requirements
The SDs and IC took effect on October 24, 2022. Within 7 days of
the effective date of the SDs, Owner/Operators must provide their
designated Cybersecurity Coordinator information; within 90 days of the
effective date of the SDs, Owner/Operators must submit their
Cybersecurity Implementation Plan; within 120 days of the effective
date of the SDs, Owner/Operators must complete the Vulnerability
Assessment (TSA form); within 180 days of the effective date of the
SDs, Owner/Operators must adopt a Cybersecurity Incident Response Plan;
and within 7 days of completing the Cybersecurity Incident Response
Plan requirement, Owner/Operators must submit a statement to TSA via
email certifying that the Owner/Operator has completed this
requirement. Owner/Operators can complete and submit the required
information via email or other electronic options provided by TSA.
Documentation of compliance must be provided upon request. As the
measures in the IC are voluntary, the IC does not require Owner/
Operators to report on their compliance.
Portions of the responses that are deemed Sensitive Security
Information (SSI) are protected in accordance with procedures meeting
the transmission, handling, and storage requirements of SSI set forth
in 49 CFR part 1520.\7\
---------------------------------------------------------------------------
\7\ In addition, all data in TSA systems are statutorily
required to comply with the Federal Information Security
Modernization Act 2014 (FISMA) following the National Institute of
Standards and Technology Special Publication 800.37 REV2 or Risk
Management Framework, and other federal information security
requirements including Federal Information Processing Standards 199
and Executive Order 14028. All systems, networks, servers, clouds
and endpoints under the FISMA boundary are hardened to meet the
Department of Defense Security Technical Implementation Guidelines,
as well as DHS Policy (4300.A) and TSA policy (TSA IA Handbook).
---------------------------------------------------------------------------
TSA estimates SD 1580/82-2022-01 applies to a total of 73 Owner/
Operators; and SD 1580-21-01, SD 1582-21-01, and IC 2021-01 apply to
457 railroad Owner/Operators, 115 public transportation agencies and
rail transit system Owner/Operators, and 209 over-the-road bus Owner/
Operators, for a total of 781 respondents. For this collection, TSA
estimates the total annual respondents to be 854 and the total annual
hour burden to be 134,023 hours.
Dated: November 7, 2022.
Christina A. Walsh,
TSA Paperwork Reduction Act Officer, Information Technology.
[FR Doc. 2022-24621 Filed 11-10-22; 8:45 am]
BILLING CODE 9110-05-P